[release 3.2] cherry pick #6223 to release 3.2 (#6234 )

cherry pick 6223 to release 3.2 Signed-off-by: dongjiang1989 <dongjiang1989@126.com>
Merge pull request #4473 from ks-ci-bot/cherry-pick-4471-to-release-3.2
2024-10-23 17:00:48 +08:00 · 2021-11-29 16:03:52 +08:00 · 2021-11-25 06:41:54 +00:00 · 2021-11-18 20:13:13 +08:00 · 2021-11-18 11:54:42 +00:00 · 2021-11-15 14:21:11 +08:00
10567 changed files with 1532930 additions and 532915 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +1,4 @@
-tmp/
+# exclude all files and folders except bin folder
+!bin
+.idea/
+.vscode/
--- a/.github/.stale.yaml
+++ b/.github/.stale.yaml
@@ -1,16 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 30
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 14
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - frozen
-staleLabel: stale
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Any further update will
-  cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: >
-  This issue is being automatically closed due to inactivity.
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -3,40 +3,39 @@ name: Bug report
 about: Create a report to help us improve
 ---

- 
-**General remarks**
+<!--
+You don't need to remove this comment section, it's invisible on the issues page.

-> Please delete this section including header before submitting
-> 也可以使用中文
->
-> This form is to report bugs. For general usage questions refer to our Slack channel
->        [KubeSphere-users](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTdkNTc3OTdmNzdiODViZjViNTU5ZDY3M2I2MzY4MTI4OGZlOTJmMDg5ZTFiMDAwYzNlZDY5NjA0NzZlNDU5NmY)
+## General remarks

-**Describe the bug(描述下问题)**
+* Attention, please fill out this issues form using English only!
+* 注意！GitHub Issue 仅支持英文，中文 Issue 请在 [论坛](https://kubesphere.com.cn/forum/) 提交。
+* This form is to report bugs. For general usage questions you can join our Slack channel
+       [KubeSphere-users](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE)
+-->
+
+**Describe the Bug**
 A clear and concise description of what the bug is.

 For UI issues please also add a screenshot that shows the issue.

-**Versions used(KubeSphere/Kubernetes的版本)**
+**Versions Used**
 KubeSphere:
 Kubernetes: (If KubeSphere installer used, you can skip this)


-**Environment(环境的硬件配置)**
-How many nodes and their hardware configuration: 
-
-For example:
-3 masters:  8cpu/8g
-3 nodes: 8cpu/16g
+**Environment**
+How many nodes and their hardware configuration:

+For example: CentOS 7.5 / 3 masters:  8cpu/8g; 3 nodes: 8cpu/16g
 (and other info are welcomed to help us debugging)

-**To Reproduce(复现步骤)**
+**How To Reproduce**
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error

-**Expected behavior(预期行为)**
+**Expected behavior**
 A clear and concise description of what you expected to happen.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,69 @@
+---
+name: Feature Request
+about: Have a good idea? Please don't hesitate to write it down, describe the new feature.
+---
+
+<!--
+You don't need to remove this comment section, it's invisible on the issues page.
+
+## General remarks
+
+* Attention, please fill out this issues form using English only!
+* 注意！GitHub Issue 仅支持英文，中文 Issue 请在 [论坛](https://kubesphere.com.cn/forum/) 提交。
+* This form is to report bugs. For general usage questions, you can join our Slack channel
+       [KubeSphere-users](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE)
+-->
+
+**What's it about?**
+<!--
+A clear and concise description of what this feature request is.
+-->
+
+**What's the reason why we need it?**
+<!--
+Please tell us if you think it's a necessary feature for Kubesphere. Give us as many details about it as you can. 
+Two or more use cases might be very helpful when other contributors try to go through this request. If you have some references,
+please just add it below.
+-->
+
+I believe this is an important feature for Kubesphere. There're a few use cases:
+
+* case one
+* case two
+* ...
+
+Please leave your comments below if there's anyone agrees with me. Or just give me a thumb up.
+
+**Area Suggestion**
+<!--
+In order to have a clear issue list, giving an accuracy area is necessary. If you are not sure about it, please just leave it alone.
+
+You can find some possible areas below. Please attention, sometimes crossing multiple areas might be possible. So, you 
+can keep one or more areas in this issue.
+
+> /area alerting
+> /area api
+> /area apiserver
+> /area app-management
+> /area audit
+> /area console
+> /area devops
+> /area documentation
+> /area edge
+> /area iam
+> /area installation
+> /area logging
+> /area microservice
+> /area monitoring
+> /area multicluster
+> /area networking
+> /area notification
+> /area observability
+> /area performance
+> /area security
+> /area storage
+> /area test
+> /area upgrade
+-->
+
+/kind feature-request
--- a/.github/ISSUE_TEMPLATE/installation_failure.md
+++ b/.github/ISSUE_TEMPLATE/installation_failure.md
@@ -1,16 +1,30 @@
 ---
-name: 安装问题
-about: Create a report to help us improve
+name: Installation Issue
+about: Create an issue to help us improve installation
 ---

-[备注]: <> (请补全下面信息，帮助我们更快地定位问题。提交问题前预览下issue，看下是否有格式错误)
+## English only!

-**问题描述**
+**注意！GitHub Issue 仅支持英文，中文 Issue 请在 [论坛](https://kubesphere.com.cn/forum/) 提交。**

-**安装环境的硬件配置**
+**General remarks**

-[备注]: <> (请说明节点的运行环境，是否是物理机，云主机，VMware虚拟机)
+> Please delete this section including header before submitting
+>
+> This form is to report installation issues. For general usage questions you can refer to [KubeSphere Documentation](https://kubesphere.io/docs) or join our Slack channel
+>        [KubeSphere-users](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE)

-**错误信息或截图**
+**What's your question**

-**Installer版本**
+
+**Environment: OS & Hardware Information**
+
+> Important: You must describe your environment clearly, e.g. VMware or Bare Metal, CentOS 7.5, 8 C / 16 G (If you install on Linux), Or Kubernetes v1.16 (If you install on K8s).
+
+
+**Error logs or message (Attach logs or screenshot)**
+
+
+**Installer Version**
+
+> e.g. v2.1.0, v2.1.1, v3.0.0
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,30 +1,54 @@
-**What type of PR is this?**
-> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line:
->
-> /kind api-change
-> /kind bug
-> /kind cleanup
-> /kind design
-> /kind documentation
-> /kind failing-test
-> /kind feature
-> /kind flake
+<!-- Thanks for sending a pull request! Here are some tips for you:

-**What this PR does / why we need it**:
+1. If you want **faster** PR reviews, read how: https://github.com/kubesphere/community/blob/master/developer-guide/development/the-pr-author-guide-to-getting-through-code-review.md
+2. In case you want to know how your PR got reviewed, read: https://github.com/kubesphere/community/blob/master/developer-guide/development/code-review-guide.md
+3. Here are some coding convetions followed by KubeSphere community: https://github.com/kubesphere/community/blob/master/developer-guide/development/coding-conventions.md
+-->

-**Which issue(s) this PR fixes**:
+### What type of PR is this?
+<!-- 
+Add one of the following kinds:
+/kind bug
+/kind cleanup
+/kind documentation
+/kind feature
+/kind design
+
+Optionally add one or more of the following kinds if applicable:
+/kind api-change
+/kind deprecation
+/kind failing-test
+/kind flake
+/kind regression
+-->
+
+
+### What this PR does / why we need it:
+
+### Which issue(s) this PR fixes:
 <!--
 Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
 _If PR is about `failing-tests or flakes`, please post the related issues/tests in a comment and do not use `Fixes`_*
 -->
 Fixes #

-**Special notes for reviewers**:
+### Special notes for reviewers:
 ```
 ```

-**Additional documentation, usage docs, etc.**:
+### Does this PR introduced a user-facing change?
+<!--
+If no, just write "None" in the release-note block below.
+If yes, a release note is required:
+Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required".

+For more information on release notes see: https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md
+-->
+```release-note
+
+```
+
+### Additional documentation, usage docs, etc.:
 <!--
 This section can be blank if this pull request does not require a release note.
 Please use the following format for linking documentation or pass the
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -0,0 +1,20 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 90
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 30
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - frozen
+  - kind/feature-request
+  - kind/feature
+  - kind/security
+  - kind/design
+staleLabel: stale
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Any further update will
+  cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: >
+  This issue is being automatically closed due to inactivity.
--- a/.github/workflows/build-multiarch.yaml
+++ b/.github/workflows/build-multiarch.yaml
@@ -0,0 +1,42 @@
+name: BuildContainerImage
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'release-*'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'release-*'
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: all
+
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build and push docker images
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+        if: github.event_name == 'push'
+        run: |
+          echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+          REPO=kubespheredev TAG="${GITHUB_REF#refs/*/}" make container-cross-push
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -0,0 +1,44 @@
+name: e2e
+
+on:
+  schedule:
+    # run e2e test every 4 hours
+    - cron: 0 */4 * * *
+  workflow_dispatch:
+jobs:
+  build:
+    name: Test
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+
+      - name: Set up Go 1.16
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.2.0
+        with:
+          config: .github/workflows/kind/kind.yaml
+
+      - name: Deploy KubeSphere to Kind
+        run: KIND_CLUSTER_NAME=chart-testing hack/deploy-kubesphere.sh
+
+      - name: Run e2e testing
+        run: go test ./test/e2e
+
+      - name: slack
+        uses: 8398a7/action-slack@v3
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        with:
+          status: ${{ job.status }}
+          fields: repo,message,commit,author,action,eventName,ref,workflow,job,took
+        if: failure()
+
--- a/.github/workflows/kind/kind.yaml
+++ b/.github/workflows/kind/kind.yaml
@@ -0,0 +1,11 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  image: kindest/node:v1.19.7
+  extraMounts:
+  - hostPath: /etc/localtime
+    containerPath: /etc/localtime
+  extraPortMappings:
+  - containerPort: 30881
+    hostPort: 9090
--- a/.github/workflows/nightly-builds.yml
+++ b/.github/workflows/nightly-builds.yml
@@ -0,0 +1,53 @@
+name: NightlyBuild
+
+on:
+  schedule:
+    # This is a UTC time
+    - cron: "0 16 * * *"
+  # Keep it only for test purpose, comment it once everything is ok
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+
+      - name: Set up Go 1.16
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: all
+
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build and push docker images
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+        run: |
+          echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+          tag=nightly-$(date '+%Y%m%d')
+          REPO=kubespheredev TAG=${tag} make container-cross-push
+
+      - name: slack
+        uses: 8398a7/action-slack@v3
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        with:
+          status: ${{ job.status }}
+          fields: repo,message,commit,author,action,eventName,ref,workflow,job,took
+        if: failure()
--- a/.gitignore
+++ b/.gitignore
@@ -19,14 +19,17 @@ bin/

 # Vscode files
 .vscode/
-
-tmp/
-
-apiserver.local.config
+__debug_bin

 # OSX trash
 .DS_Store
 api.json
 *.coverprofile
+cover.out
+coverage.txt

-kustomize/network/etcd
+kustomize/network/etcd
+apiserver.local.config
+tmp/
+kubesphere.yaml
+testbin/
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,36 +0,0 @@
-services:
-  - docker
-
-language: go
-
-dist: xenial
-
-git:
-  depth: false
-
-go:
-  - "1.12.x"
-env:
-  - GO111MODULE=on
-cache:
-  directories:
-    - $HOME/gopath/pkg/mod
-
-before_script:
-  - docker --version
-  - bash hack/install_kubebuilder.sh
-
-script:
-  - diff -u <(echo -n) <(gofmt -d ./pkg ./cmd ./tools)
-  - make openapi
-  - make all
-
-install:
-  - go get golang.org/x/lint/golint
-
-deploy:
-  skip_cleanup: true
-  provider: script
-  script: bash hack/docker_build.sh 
-  on:
-    branch: master
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,221 +1,3 @@
-# Development Guide
+# Guide

-This document walks you through how to get started developing KubeSphere and development workflow.
-
-## Preparing the environment
-
-### Go
-
-KubeSphere development is based on [Kubernetes](https://github.com/kubernetes/kubernetes), both of them are written in [Go](http://golang.org/). If you don't have a Go development environment, please [set one up](http://golang.org/doc/code.html).
-
-| Kubernetes     | requires Go |
-|----------------|-------------|
-| 1.13+          | >= 1.12     |
-
-> Tips:
-> - Ensure your GOPATH and PATH have been configured in accordance with the Go
-environment instructions.
-> - It's recommended to install [macOS GNU tools](https://www.topbug.net/blog/2013/04/14/install-and-use-gnu-command-line-tools-in-mac-os-x) for Mac OS.
-
-### Docker
-
-KubeSphere components are often deployed as containers in Kubernetes. If you need to rebuild the KubeSphere components in the Kubernetes cluster, you will need to [install Docker](https://docs.docker.com/install/).
-
-
-### Dependency management
-
-KubeSphere uses [Go Modules](https://github.com/golang/go/wiki/Modules) to manage dependencies in the `vendor/` tree.
-
-#### Dependencies
-
-[kubesphere/kubesphere](https://github.com/kubesphere/kubesphere) repository contains the source code . If you're looking for its dependent components, they live in their own repositories since they can be individual and universal.
-
- [Alert](https://github.com/kubesphere/alert): Alert is an enterprise-grade general-purpose high-performance alerting system.
- [Notification](https://github.com/openpitrix/notification): Notification is an enterprise-grade general-purpose high-performance notification system, it provides email notification service for KubeSphere currently.
- [OpenPitrix](https://github.com/openpitrix/openpitrix): Application management platform on multi-cloud environment, it provides application template and application management for KubeSphere currently.
- [SonarQube](https://github.com/SonarSource/sonarqube): Integrated in KubeSphere DevOps, it provides the capability to not only show health of an application but also to highlight issues newly introduced.
-
-## Building KubeSphere on a local OS/shell environment
-
-### For Quick Taste Binary
-
-```bash
-mkdir ks-tmp
-cd ks-tmp
-echo 'module kubesphere' > go.mod
-echo 'replace (
-        github.com/Sirupsen/logrus v1.4.1 => github.com/sirupsen/logrus v1.4.1
-      	github.com/kiali/kiali => github.com/kubesphere/kiali v0.15.1-0.20190407071308-6b5b818211c3
-      	github.com/kubernetes-sigs/application => github.com/kubesphere/application v0.0.0-20190518133311-b9d9eb0b5cf7
-      )' >> go.mod
-
-GO111MODULE=on go get kubesphere.io/kubesphere@d649e3d0bbc64bfba18816c904819e4850d021e0
-GO111MODULE=on go build -o ks-apiserver kubesphere.io/kubesphere/cmd/ks-apiserver # build ks-apiserver
-GO111MODULE=on go build -o ks-apigateway kubesphere.io/kubesphere/cmd/ks-apigateway # build ks-apigateway
-GO111MODULE=on go build -o ks-controller-manager kubesphere.io/kubesphere/cmd/controller-manager # build ks-controller-manager
-GO111MODULE=on go build -o ks-iam kubesphere.io/kubesphere/cmd/ks-iam # build ks-iam
-```
-
-### For Building KubeSphere Images
-
-KubeSphere components are often deployed as a container in a kubernetes cluster, you may need to build a Docker image locally.
-
-1. Clone repo to local
-
-```bash
-git clone https://github.com/kubesphere/kubesphere.git
-```
-
-2. Run Docker command to build image
-
-```bash
-# $REPO is the docker registry to push to
-# $Tag is the tag name of the docker image
-# The full go build process will be executed in the Dockerfile, so you may need to set GOPROXY in it.
-docker build -f build/ks-apigateway/Dockerfile -t $REPO/ks-apigateway:$TAG .
-docker build -f build/ks-apiserver/Dockerfile -t $REPO/ks-apiserver:$TAG .
-docker build -f build/ks-iam/Dockerfile -t $REPO/ks-account:$TAG .
-docker build -f build/ks-controller-manager/Dockerfile -t $REPO/ks-controller-manager:$TAG .
-docker build -f ./pkg/db/Dockerfile -t $REPO/ks-devops:flyway-$TAG ./pkg/db/
-```
-
-### Test
-
-In the development process, it is recommended to use local Kubernetes clusters, such as [minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/), or to install an single-node [all-in-one](https://github.com/kubesphere/kubesphere#all-in-one) environment (Kubernetes-based) for quick testing.
-
-> Tip: It also supports to use Docker for Desktop ships with Kubernetes as the test environment.
-
-## Development Workflow
-
-![ks-workflow](docs/images/ks-workflow.png)
-
-### 1 Fork in the cloud
-
-1. Visit https://github.com/kubesphere/kubesphere
-2. Click `Fork` button to establish a cloud-based fork.
-
-### 2 Clone fork to local storage
-
-Per Go's [workspace instructions](https://golang.org/doc/code.html#Workspaces), place KubeSphere' code on your `GOPATH` using the following cloning procedure.
-
-1. Define a local working directory:
-
-```bash
-$ export working_dir=$GOPATH/src/kubesphere.io
-$ export user={your github profile name}
-```
-
-2. Create your clone locally:
-
-```bash
-$ mkdir -p $working_dir
-$ cd $working_dir
-$ git clone https://github.com/$user/kubesphere.git
-$ cd $working_dir/kubesphere
-$ git remote add upstream https://github.com/kubesphere/kubesphere.git
-
-# Never push to upstream master
-$ git remote set-url --push upstream no_push
-
-# Confirm that your remotes make sense:
-$ git remote -v
-```
-
-### 3 Keep your branch in sync
-
-```bash
-git fetch upstream
-git checkout master
-git rebase upstream/master
-```
-
-### 4 Add new features or fix issues
-
-Branch from it:
-
-```bash
-$ git checkout -b myfeature
-```
-
-Then edit code on the myfeature branch.
-
-**Test and build**
-
-Currently, make rules only contain simple checks such as vet, unit test, will add e2e tests soon.
-
-**Using KubeBuilder**
-
- For Linux OS, you can download and execute this [KubeBuilder script](https://raw.githubusercontent.com/kubesphere/kubesphere/master/hack/install_kubebuilder.sh).
-
- For MacOS, you can install KubeBuilder by following this [guide](https://book.kubebuilder.io/quick-start.html).
-
-**Run and test**
-
-```bash
-$ make all
-# Run every unit test
-$ make test
-```
-
-Run `make help` for additional information on these make targets.
-
-### 5 Development in new branch
-
-**Sync with upstream**
-
-After the test is completed, suggest you to keep your local in sync with upstream which can avoid conflicts.
-
-```
-# Rebase your the master branch of your local repo.
-$ git checkout master
-$ git rebase upstream/master
-
-# Then make your development branch in sync with master branch
-git checkout new_feature
-git rebase -i master
-```
-**Commit local changes**
-
-```bash
-$ git add <file>
-$ git commit -s -m "add your description"
-```
-
-### 6 Push to your folk
-
-When ready to review (or just to establish an offsite backup or your work), push your branch to your fork on github.com:
-
-```
-$ git push -f ${your_remote_name} myfeature
-```
-
-### 7 Create a PR
-
- Visit your fork at https://github.com/$user/kubesphere
- Click the` Compare & Pull Request` button next to your myfeature branch.
- Check out the [pull request process](pull-request.md) for more details and advice.
-
-
-## CI/CD
-
-KubeSphere uses [Travis CI](https://travis-ci.org/) as a CI/CD tool.
-
-The components of KubeSphere need to be compiled and build include following:
-
-`ks-apiserver, ks-controller-manager, ks-account, ks-apigateway, ks-devops`
-
-After your PR is merged，Travis CI will compile the entire project and build the image, and push the image `kubespheredev/[component-name]:latest` to Dockerhub (e.g. `kubespheredev/ks-apiserver:latest`)
-
-## API Reference
-
-KubeSphere provides standard RESTFul API and detailed API documentations for developers, see [KubeSphere API Reference](https://docs.kubesphere.io/advanced-v2.0/zh-CN/api-reference/api-docs/) for more information.
-
-## Code conventions
-
-Please reference [Code conventions](https://github.com/kubernetes/community/blob/master/contributors/guide/coding-conventions.md) and follow with the rules.
-
-**Note:**
-
-> - All new packages and most new significant functionality must come with unit tests
-> - Comment your code in English, see [Go's commenting conventions
-](http://blog.golang.org/godoc-documenting-go-code)
+This [document](https://github.com/kubesphere/community) walks you through how to get started contributing KubeSphere.
--- a/168
+++ b/168
@@ -2,12 +2,12 @@
 # Use of this source code is governed by a Apache license
 # that can be found in the LICENSE file.

-# The binary to build 
-BIN ?= ks-apiserver

 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:trivialVersions=true"

+GV="network:v1alpha1 servicemesh:v1alpha2 tenant:v1alpha1 tenant:v1alpha2 devops:v1alpha1 iam:v1alpha2 devops:v1alpha3 cluster:v1alpha1 storage:v1alpha1 auditing:v1alpha1 types:v1beta1 quota:v1alpha2 application:v1alpha1 notification:v2beta1"
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -15,10 +15,11 @@ else
 GOBIN=$(shell go env GOBIN)
 endif

-
-IMG ?= kubespheredev/ks-apiserver
 OUTPUT_DIR=bin
-GOFLAGS=-mod=vendor
+ifeq (${GOFLAGS},)
+	# go build with vendor by default.
+	export GOFLAGS=-mod=vendor
+endif
 define ALL_HELP_INFO
 # Build code.
 #
@@ -39,96 +40,121 @@ define ALL_HELP_INFO
 #           debugging tools like delve.
 endef
 .PHONY: all
-all: hypersphere ks-apiserver ks-apigateway ks-iam controller-manager
+all: test ks-apiserver ks-controller-manager;$(info $(M)...Begin to test and build all of binary.) @ ## Test and build all of binary.
+
+help:
+	@grep -hE '^[ a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \
+		awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-17s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: binary
+# Build all of binary
+binary: | ks-apiserver ks-controller-manager; $(info $(M)...Build all of binary.) @ ## Build all of binary.

 # Build ks-apiserver binary
-ks-apiserver: test
-	hack/gobuild.sh cmd/ks-apiserver
+ks-apiserver: ; $(info $(M)...Begin to build ks-apiserver binary.)  @ ## Build ks-apiserver.
+	 hack/gobuild.sh cmd/ks-apiserver; 

-# Build ks-apigateway binary
-ks-apigateway: test
-	hack/gobuild.sh cmd/ks-apigateway
-
-# Build ks-iam binary
-ks-iam: test
-	hack/gobuild.sh cmd/ks-iam
-
-# Build controller-manager binary
-controller-manager: test
+# Build ks-controller-manager binary
+ks-controller-manager: ; $(info $(M)...Begin to build ks-controller-manager binary.)  @ ## Build ks-controller-manager.
 	hack/gobuild.sh cmd/controller-manager

-# Build hypersphere binary
-hypersphere: test
-	hack/gobuild.sh cmd/hypersphere
+# Run all verify scripts hack/verify-*.sh
+verify-all: ; $(info $(M)...Begin to run all verify scripts hack/verify-*.sh.)  @ ## Run all verify scripts hack/verify-*.sh.
+	hack/verify-all.sh
+
+# Build e2e binary
+e2e: ;$(info $(M)...Begin to build e2e binary.)  @ ## Build e2e binary.
+	hack/build_e2e.sh test/e2e
+
+kind-e2e: ;$(info $(M)...Run e2e test.) @ ## Run e2e test in kind.
+	hack/kind_e2e.sh

 # Run go fmt against code 
-fmt: generate
+fmt: ;$(info $(M)...Begin to run go fmt against code.)  @ ## Run go fmt against code.
 	gofmt -w ./pkg ./cmd ./tools ./api

+# Format all import, `goimports` is required.
+goimports: ;$(info $(M)...Begin to Format all import.)  @ ## Format all import, `goimports` is required.
+	@hack/update-goimports.sh
+
 # Run go vet against code
-vet: generate
+vet: ;$(info $(M)...Begin to run go vet against code.)  @ ## Run go vet against code.
 	go vet ./pkg/... ./cmd/...

 # Generate manifests e.g. CRD, RBAC etc.
-manifests:
-	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go all
+manifests: ;$(info $(M)...Begin to generate manifests e.g. CRD, RBAC etc..)  @ ## Generate manifests e.g. CRD, RBAC etc.
+	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=kubesphere.io/api/application/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds
+	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=kubesphere.io/api/cluster/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds
+	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=kubesphere.io/api/devops/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds
+	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=kubesphere.io/api/iam/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds
+	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=kubesphere.io/api/network/v1alpha1/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds
+	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=kubesphere.io/api/quota/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds
+	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=kubesphere.io/api/storage/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds
+	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=kubesphere.io/api/tenant/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds

-deploy: manifests
+deploy: manifests ;$(info $(M)...Begin to deploy.)  @ ## Deploy.
 	kubectl apply -f config/crds
 	kustomize build config/default | kubectl apply -f -

-# generate will generate crds' deepcopy & go openapi structs
-# Futher more about go:genreate . https://blog.golang.org/generate
-generate:
-	go generate ./pkg/... ./cmd/...
+mockgen: ;$(info $(M)...Begin to mockgen.)  @ ## Mockgen.
+	mockgen -package=openpitrix -source=pkg/simple/client/openpitrix/openpitrix.go -destination=pkg/simple/client/openpitrix/mock.go

-deepcopy:
-	GO111MODULE=on go install -mod=vendor k8s.io/code-generator/cmd/deepcopy-gen
-	${GOPATH}/bin/deepcopy-gen -i kubesphere.io/kubesphere/pkg/apis/... -h ./hack/boilerplate.go.txt -O zz_generated.deepcopy
+deepcopy: ;$(info $(M)...Begin to deepcopy.)  @ ## Deepcopy.
+	hack/generate_group.sh "deepcopy" kubesphere.io/api kubesphere.io/api ${GV} --output-base=staging/src/  -h "hack/boilerplate.go.txt"

-openapi:
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/tenant/v1alpha1 -p kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/servicemesh/v1alpha2 -p kubesphere.io/kubesphere/pkg/apis/servicemesh/v1alpha2 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/api/networking/v1,./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/network/v1alpha1 -p kubesphere.io/kubesphere/pkg/apis/network/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/devops/v1alpha1 -p kubesphere.io/kubesphere/pkg/apis/devops/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
+openapi: ;$(info $(M)...Begin to openapi.)  @ ## Openapi.
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/tenant/v1alpha1 -p kubesphere.io/api/tenant/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/network/v1alpha1 -p kubesphere.io/api/network/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/servicemesh/v1alpha2 -p kubesphere.io/api/servicemesh/v1alpha2 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/api/networking/v1,./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/k8s.io/apimachinery/pkg/util/intstr,./vendor/kubesphere.io/api/network/v1alpha1 -p kubesphere.io/api/network/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/devops/v1alpha1,./vendor/k8s.io/apimachinery/pkg/runtime,./vendor/k8s.io/api/core/v1 -p kubesphere.io/api/devops/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/cluster/v1alpha1,./vendor/k8s.io/apimachinery/pkg/runtime,./vendor/k8s.io/api/core/v1 -p kubesphere.io/api/cluster/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/devops/v1alpha3,./vendor/k8s.io/apimachinery/pkg/runtime -p kubesphere.io/api/devops/v1alpha3 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
 	go run ./tools/cmd/crd-doc-gen/main.go
-# Build the docker image
-docker-build: all
-	docker build . -t ${IMG}
+	go run ./tools/cmd/doc-gen/main.go
+
+container: ;$(info $(M)...Begin to build the docker image.)  @ ## Build the docker image.
+	DRY_RUN=true hack/docker_build.sh
+
+container-push: ;$(info $(M)...Begin to build and push.)  @ ## Build and Push.
+	hack/docker_build.sh
+
+container-cross: ; $(info $(M)...Begin to build container images for multiple platforms.)  @ ## Build container images for multiple platforms. Currently, only linux/amd64,linux/arm64 are supported.
+	DRY_RUN=true hack/docker_build_multiarch.sh
+
+container-cross-push: ; $(info $(M)...Begin to build and push.)  @ ## Build and Push.
+	hack/docker_build_multiarch.sh
+
+helm-package: ; $(info $(M)...Begin to helm-package.)  @ ## Helm-package.
+	ls config/crds/ | xargs -i cp -r config/crds/{} config/ks-core/crds/
+	helm package config/ks-core --app-version=v3.1.0 --version=0.1.0 -d ./bin
+
+helm-deploy: ; $(info $(M)...Begin to helm-deploy.)  @ ## Helm-deploy.
+	ls config/crds/ | xargs -i cp -r config/crds/{} config/ks-core/crds/
+	- kubectl create ns kubesphere-controls-system
+	helm upgrade --install ks-core ./config/ks-core -n kubesphere-system --create-namespace
+	kubectl apply -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/roles/ks-core/prepare/files/ks-init/role-templates.yaml
+
+helm-uninstall: ; $(info $(M)...Begin to helm-uninstall.)  @ ## Helm-uninstall.
+	- kubectl delete ns kubesphere-controls-system
+	helm uninstall ks-core -n kubesphere-system
+	kubectl delete -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/roles/ks-core/prepare/files/ks-init/role-templates.yaml

 # Run tests
-test: fmt vet
-	export KUBEBUILDER_CONTROLPLANE_START_TIMEOUT=1m; go test ./pkg/... ./cmd/... -coverprofile cover.out
+ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
+test: vet test-env ;$(info $(M)...Begin to run tests.)  @ ## Run tests.
+	export KUBEBUILDER_ASSETS=$(shell pwd)/testbin/bin; go test ./pkg/... ./cmd/... -covermode=atomic -coverprofile=coverage.txt
+	cd staging/src/kubesphere.io/api ; GOFLAGS="" go test ./...
+	cd staging/src/kubesphere.io/client-go ; GOFLAGS="" go test ./...
+
+.PHONY: test-env
+test-env: ;$(info $(M)...Begin to setup test env) @ ## Download unit test libraries e.g. kube-apiserver etcd.
+	@hack/setup-kubebuilder-env.sh

 .PHONY: clean
-clean:
+clean: ;$(info $(M)...Begin to clean.)  @ ## Clean.
 	-make -C ./pkg/version clean
 	@echo "ok"

-# find or download controller-gen
-# download controller-gen if necessary
-clientset: 
-	./hack/generate_client.sh
-
-
-# Currently in the upgrade phase of controller tools.
-# But the new controller tools are not compatible with the old version.
-# With these commands you may need to manually modify the generated code
-# So don't use it unless you know it very deeply
-internal-crds:
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/network/..." output:crd:artifacts:config=config/crd/bases
-
-internal-generate-apis: internal-controller-gen
-	$(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths=./pkg/apis/network/...
-
-internal-controller-gen:
-ifeq (, $(shell which controller-gen))
-	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.0-beta.4
-CONTROLLER_GEN=$(GOBIN)/controller-gen
-else
-CONTROLLER_GEN=$(shell which controller-gen)
-endif
-
-network-rbac:
-	$(CONTROLLER_GEN) paths=./pkg/controller/network/provider/ paths=./pkg/controller/network/ rbac:roleName=network-manager output:rbac:artifacts:config=kustomize/network/calico-k8s
-	$(CONTROLLER_GEN) paths=./pkg/controller/network/ rbac:roleName=network-manager output:rbac:artifacts:config=kustomize/network/calico-etcd
+clientset:  ;$(info $(M)...Begin to find or download controller-gen.)  @ ## Find or download controller-gen,download controller-gen if necessary.
+	./hack/generate_client.sh ${GV}
--- a/20
+++ b/20
@@ -1,6 +1,9 @@
 approvers:
    - zryfish #oncall
    - rayzhou2017
+    - wansir
+    - zheng1
+    - benjaminhuo

 reviewers:
    - rayzhou2017
@@ -8,13 +11,16 @@ reviewers:
    - benjaminhuo
    - calvinyv
    - FeynmanZhou
-    - huanggze
-    - huojiao2006
-    - Ma-Dan
-    - magicsong
    - pixiake
-    - runzexia
    - wansir
-    - wnxn
    - zheng1
-    - soulseen
+    - stoneshi-yunify
+    - linuxsuren
+    - RolandMa1986
+    - wanjunlei
+    - xyz-li
+    - junotx
+    - yuswift
+    - zhu733756
+    - JohnNiang
+    - dkeven
--- a/README.md
+++ b/README.md
@@ -1,9 +1,20 @@
-# KubeSphere
-[![License](http://img.shields.io/badge/license-apache%20v2-blue.svg)](https://github.com/KubeSphere/KubeSphere/blob/master/LICENSE)
-[![Build Status](https://travis-ci.org/kubesphere/kubesphere.svg?branch=master)](https://travis-ci.org/kubesphere/kubesphere)
-[![KubeSphere release](https://img.shields.io/github/release/kubesphere/kubesphere.svg?color=release&label=release&logo=release&logoColor=release)](https://github.com/kubesphere/kubesphere/releases/tag/advanced-2.0.2)
+<p align="center">
+<img src="docs/images/kubesphere-logo.png" alt="banner" width="200px">
+</p>
+
+<p align="center">
+<b>The container platform tailored for <i>Kubernetes multi-cloud, datacenter, and edge</i> management</b>
+</p>
+
+<p align=center>
+<a href="https://goreportcard.com/report/github.com/kubesphere/kubesphere"><img src="https://goreportcard.com/badge/github.com/kubesphere/kubesphere" alt="A+"></a>
+<a href="https://hub.docker.com/r/kubesphere/ks-installer"><img src="https://img.shields.io/docker/pulls/kubesphere/ks-installer"></a>
+<a href="https://github.com/search?q=user%3Akubesphere+user%3Akubesphere-sigs+label%3A%22good+first+issue%22+state%3Aopen&type=Issues&ref=advsearch&l=&l="><img src="https://img.shields.io/github/issues/badges/shields/good%20first%20issue" alt="good first"></a>
+<a href="https://twitter.com/intent/follow?screen_name=KubeSphere"><img src="https://img.shields.io/twitter/follow/KubeSphere?style=social" alt="follow on Twitter"></a>
+<a href="https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE"><img src="https://img.shields.io/badge/Slack-600%2B-blueviolet?logo=slack&amp;logoColor=white"></a>
+<a href="https://www.youtube.com/channel/UCyTdUQUYjf7XLjxECx63Hpw"><img src="https://img.shields.io/youtube/channel/subscribers/UCyTdUQUYjf7XLjxECx63Hpw?style=social"></a>
+</p>

-![logo](docs/images/kubesphere-logo.png)

 ----

@@ -11,172 +22,155 @@

 > English | [中文](README_zh.md)

-[KubeSphere](https://kubesphere.io/) is an enterprise-grade multi-tenant container management platform that built on [Kubernetes](https://kubernetes.io). It provides an easy-to-use UI for users to manage computing resources with a few clicks, which reduces the learning curve and empowers the DevOps teams. It greatly reduces the complexity of the daily work of development, testing, operation and maintenance, aiming to alleviate the pain points of Kubernetes' storage, network, security and ease of use, etc.
-
-
-## Screenshots
-
-> Note: See the [Screenshots](docs/screenshots.md) of KubeSphere to have a most intuitive understanding of KubeSphere dashboard and features.
+[KubeSphere](https://kubesphere.io/) is a **distributed operating system for cloud-native application management**, using [Kubernetes](https://kubernetes.io) as its kernel. It provides a plug-and-play architecture, allowing third-party applications to be seamlessly integrated into its ecosystem. KubeSphere is also a multi-tenant container platform with full-stack automated IT operation and streamlined DevOps workflows. It provides developer-friendly wizard web UI, helping enterprises to build out a more robust and feature-rich platform, which includes most common functionalities needed for enterprise Kubernetes strategy, see [Feature List](#features) for details.

+The following screenshots give a close insight into KubeSphere. Please check [What is KubeSphere](https://kubesphere.io/docs/introduction/what-is-kubesphere/) for further information.

 <table>
  <tr>
-      <td width="50%" align="center"><b>KubeSphere Dashboard</b></td>
+      <td width="50%" align="center"><b>Workbench</b></td>
      <td width="50%" align="center"><b>Project Resources</b></td>
  </tr>
  <tr>
-     <td><img src="https://pek3b.qingstor.com/kubesphere-docs/png/20191112094014.png"/></td>
-     <td><img src="https://pek3b.qingstor.com/kubesphere-docs/png/20191112094426.png"/></td>
+     <td><img src="docs/images/console.png"/></td>
+     <td><img src="docs/images/project.png"/></td>
  </tr>
  <tr>
      <td width="50%" align="center"><b>CI/CD Pipeline</b></td>
-      <td width="50%" align="center"><b>Application Store</b></td>
+      <td width="50%" align="center"><b>App Store</b></td>
  </tr>
  <tr>
-     <td><img src="https://pek3b.qingstor.com/kubesphere-docs/png/20190925000712.png"/></td>
-     <td><img src="https://pek3b.qingstor.com/kubesphere-docs/png/20191112095006.png"/></td>
+     <td><img src="docs/images/cicd.png"/></td>
+     <td><img src="docs/images/app-store.png"/></td>
  </tr>
 </table>

-## Video on Youtube
+## Demo Environment

-[![KubeSphere](https://pek3b.qingstor.com/kubesphere-docs/png/20191112093503.png)](https://youtu.be/u5lQvhi_Xlc)
+🎮 Using the account `demo1 / Demo123` to log in the [demo environment](https://demo.kubesphere.io/). Please note the account is granted view access. 
+
+🖥 You can also have a quick view of [Demo video](https://youtu.be/YxZ1YUv0CYs).

 ## Features

-KubeSphere provides an easy-to-use console with the awesome user experience that allows you to quickly get started with a container management platform. KubeSphere provides and supports following core features:
+<details>
+  <summary><b>🕸 Provisioning Kubernetes Cluster</b></summary>
+  Support deploy Kubernetes on any infrastructure, support online and air-gapped installation, <a href="https://kubesphere.io/docs/installing-on-linux/introduction/intro/">learn more</a>.
+  </details>

+<details>
+  <summary><b>🔗 Kubernetes Multi-cluster Management</b></summary>
+  Provide a centralized control plane to manage multiple Kubernetes clusters, support propagate an app to multiple K8s clusters across different cloud providers.
+  </details>

- Workload management
- Service mesh (Istio-based)
- DevOps
- Source to Image
- Multi-tenant management
- Multi-dimensional and Multi-tenant Monitoring, Logging, Alerting, Notification
- Service and network management
- Application template and repository
- Infrastructure management, image registry management
- Integrate Harbor and GitLab
- LB controller for Kubernetes on bare metal ([Porter](https://github.com/kubesphere/porter)), [cloud LB plugin](https://github.com/yunify/qingcloud-cloud-controller-manager)
- Support GPU node
+<details>
+  <summary><b>🤖 Kubernetes DevOps</b></summary>
+  Provide out-of-box CI/CD based on Jenkins, and offers automated workflow tools including binary-to-image (B2I) and source-to-image (S2I), <a href="https://kubesphere.io/devops/">learn more</a>.
+  </details>

+<details>
+  <summary><b>🔎 Cloud Native Observability</b></summary>
+  Multi-dimensional monitoring, events and auditing logs are supported; multi-tenant log query and collection, alerting and notification are built-in, <a href="https://kubesphere.io/observability/">learn more</a>.
+  </details>

-It also supports multiple open source storage and high-performance cloud storage as the persistent storage services, as well as supports multiple open source network plugins.
+<details>
+  <summary><b>🧩 Service Mesh (Istio-based)</b></summary>
+  Provide fine-grained traffic management, observability and tracing for distributed microservice applications, provides visualization for traffic topology, <a href="https://kubesphere.io/service-mesh/">learn more</a>.
+  </details>

-> Note: See this [document](https://docs.kubesphere.io/advanced-v2.0/zh-CN/introduction/features/) that elaborates on the KubeSphere features and services from a professional point of view.
+<details>
+  <summary><b>💻 App Store</b></summary>
+  Provide an App Store for Helm-based applications, and offer application lifecycle management on Kubernetes platform, <a href="https://kubesphere.io/docs/pluggable-components/app-store/">learn more</a>.
+  </details>

----
+<details>
+  <summary><b>💡 Edge Computing Platform</b></summary>
+  KubeSphere integrates <a href="https://kubeedge.io/en/">KubeEdge</a> to enable users to deploy applications on the edge devices and view logs and monitoring metrics of them on the console, <a href="https://kubesphere.io/docs/pluggable-components/kubeedge/">learn more</a>.
+  </details>
+
+<details>
+  <summary><b>📊 Metering and Billing</b></summary>
+  Track resource consumption at different levels on a unified dashboard, which helps you make better-informed decisions on planning and reduce the cost, <a href="https://kubesphere.io/docs/toolbox/metering-and-billing/view-resource-consumption/">learn more</a>.
+  </details>
+
+<details>
+  <summary><b>🗃 Support Multiple Storage and Networking Solutions</b></summary>
+  <li>Support GlusterFS, CephRBD, NFS, LocalPV solutions, and provide CSI plugins to consume storage from multiple cloud providers.</li><li>Provide Load Balancer Implementation <a href="https://github.com/kubesphere/openelb">OpenELB</a> for Kubernetes in bare-metal, edge, and virtualization.</li><li> Provides network policy and Pod IP pools management, support Calico, Flannel, Kube-OVN</li>.</li>.
+  </details>
+
+<details>
+  <summary><b>🏘 Multi-tenancy</b></summary>
+  Provide unified authentication with fine-grained roles and three-tier authorization system, and support AD/LDAP authentication.
+  </details>

 ## Architecture

-KubeSphere adopts the separation of front and back ends, each component is drawn in the architecture diagram below. KubeSphere can run anywhere from on-premise datacenter to any cloud to edge. In addition, it can be deployed on any Kubernetes distribution.
+KubeSphere uses a loosely-coupled architecture that separates the [frontend](https://github.com/kubesphere/console) from the [backend](https://github.com/kubesphere/kubesphere). External systems can access the components of the backend through the REST APIs. 

-![](https://pek3b.qingstor.com/kubesphere-docs/png/20190810073322.png)
+![Architecture](docs/images/architecture.png)
+
+----

 ## Latest Release

-KubeSphere 2.1.0 was released on **November 12nd, 2019**. See the [Release Notes For 2.1.0](https://kubesphere.io/docs/v2.1/zh-CN/release/release-v210/) to preview the updates.
+🎉 KubeSphere 3.1.1 is now available! See the [Release Notes For 3.1.1](https://kubesphere.io/docs/release/release-v311/) for the updates.

 ## Installation

-> Attention: Following section is only used for minimal installation by default, KubeSphere has decoupled some core components in v2.1.0, for more pluggable components installation, see `Enable Pluggable Components` below.
-
-### Deploy On Kubernetes
-
-**Prerequisites**
-
-> - `Kubernetes version`： `1.13.0 ≤ K8s version < 1.16`;
-> - `Helm version` >= `2.10.0`，see [Install and Configure Helm in Kubernetes](https://devopscube.com/install-configure-helm-kubernetes/);
-> - CPU > 1 Core，Memory > 2 G;
-> - An existing Storage Class in your Kubernetes clusters, use `kubectl get sc` to verify it.
-
-When all Pods of KubeSphere are running, it means the installation is successsful. Then you can use `http://IP:30880` to access the dashboard with default account `admin/P@88w0rd`.
-
-```yaml
-$ kubectl apply -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/kubesphere-minimal.yaml
-```
-
-
-### Deploy on Linux
-
- Operating Systems
-   - CentOS 7.5 (64 bit)
-   - Ubuntu 16.04/18.04 LTS (64 bit)
-   - Red Hat Enterprise Linux Server 7.4 (64 bit)
-   - Debian Stretch 9.5 (64 bit)
- Hardware
-   - CPU：2 Core,  Memory：4 G, Disk Space：100 G
-
-### All-in-One
-
-For those who are new to KubeSphere and looking for the fastest way to install and experience the dashboard. Execute following commands to download and install KubeSphere in a single node.
-
-```bash
-$ curl -L https://kubesphere.io/download/stable/v2.1.0 > installer.tar.gz \
-&& tar -zxf installer.tar.gz && cd kubesphere-all-v2.1.0/scripts
-$ ./install.sh
-```
-
-Choose `"1) All-in-one"` to trigger the installation. Generally, you can install it directly without any configuration..
-
-> Note: In a formal environment, it's highly recommended to install KubeSphere with Multi-Node Installation.
-
-### Enable Pluggable Components
-
-The above two methods is only used for minimal installation by default, execute following command to enable more pluggable components installation, make sure your cluster has enough CPU and memory in advance.
-
-```
-$ kubectl edit cm -n kubesphere-system ks-installer
-```
-
-## To start using KubeSphere
+KubeSphere can run anywhere from on-premise datacenter to any cloud to edge. In addition, it can be deployed on any version-compatible Kubernetes cluster.

 ### Quick Start

-KubeSphere provides 12 quick-start tutorials to walk you through the process and common manipulation, with a quick overview of the core features of KubeSphere that helps you to get familiar with it.
+1. Run the following commands to install KubeSphere on an exiting Kubernetes cluster:

- [Get Started - En](https://github.com/kubesphere/kubesphere.github.io/tree/master/blog/advanced-2.0/en)
- [Get Started - 中](https://kubesphere.io/docs/advanced-v2.0/zh-CN/quick-start/quick-start-guide/)
+```yaml
+kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.1.1/kubesphere-installer.yaml
+   
+kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.1.1/cluster-configuration.yaml
+```

+2. You can run the following command to view the installation logs. After KubeSphere is successfully installed, you can use `http://IP:30880` to access the KubeSphere Console with the default account and password (admin/P@88w0rd).

-### Documentation
+```yaml
+kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l app=ks-install -o jsonpath='{.items[0].metadata.name}') -f
+```

- [KubeSphere Documentation (En/中) ](https://kubesphere.io/docs)
- [API Documentation](https://kubesphere.io/docs/advanced-v2.0/zh-CN/api-reference/api-docs/)
+> 👨‍💻 No Kubernetes cluster? Try [All-in-one](https://kubesphere.io/docs/quick-start/all-in-one-on-linux/) to install a single-node Kubernetes and KubeSphere on your Linux machine. 

+### KubeSphere for hosted Kubernetes services

-## To start developing KubeSphere
+KubeSphere is hosted on the following cloud providers, you can try KubeSphere by one-click installation on their hosted Kubernetes services. 

-The [development guide](CONTRIBUTING.md) hosts all information about building KubeSphere from source, git workflow, how to contribute code and how to test.
+- [KubeSphere for Amazon EKS](https://aws.amazon.com/quickstart/architecture/qingcloud-kubesphere/)
+- [KubeSphere for Azure AKS](https://market.azure.cn/marketplace/apps/qingcloud.kubesphere)
+- [KubeSphere for DigitalOcean Kubernetes](https://marketplace.digitalocean.com/apps/kubesphere)
+- [KubeSphere on QingCloud AppCenter(QKE)](https://www.qingcloud.com/products/kubesphereqke)

-## RoadMap
+You can also install KubeSphere on other hosted Kubernetes services within minutes, see the [step-by-step guides](https://kubesphere.io/docs/installing-on-kubernetes/) to get started.

-Currently, KubeSphere has released the following 4 major editions. The future releases will include Multicluster, Big data, AI, SDN, etc.
+> 👨‍💻 No internet access? Refer to the [Air-gapped Installation on Kubernetes](https://kubesphere.io/docs/installing-on-kubernetes/on-prem-kubernetes/install-ks-on-linux-airgapped/) or [Air-gapped Installation on Linux](https://kubesphere.io/docs/installing-on-linux/introduction/air-gapped-installation/) for instructions on how to use private registry to install KubeSphere.

-**Express Edition** => **v1.0.x** => **v2.0.x**  => **v2.1.0**
+## Contributing, Support, Discussion, and Community

-![](https://pek3b.qingstor.com/kubesphere-docs/png/20190926000413.png)
+We :heart: your contribution. The [community](https://github.com/kubesphere/community) walks you through how to get started contributing KubeSphere. The [development guide](https://github.com/kubesphere/community/tree/master/developer-guide/development) explains how to set up development environment.
+
+- [Slack Channel](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE)
+- [Youtube](https://www.youtube.com/channel/UCyTdUQUYjf7XLjxECx63Hpw)
+- [Follow us on Twitter](https://twitter.com/KubeSphere)
+
+Please submit any KubeSphere bugs, issues, and feature requests to [KubeSphere GitHub Issue](https://github.com/kubesphere/kubesphere/issues).
+
+## Who are using KubeSphere
+
+The [user case studies](https://kubesphere.io/case/) page includes the user list of the project. You can [leave a comment](https://github.com/kubesphere/kubesphere/issues/4123) to let us know your use case.

 ## Landscapes

 <p align="center">
 <br/><br/>
-<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;<img src="https://www.cncf.io/wp-content/uploads/2017/11/certified_kubernetes_color.png" height="40" width="30"/>
+<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;
 <br/><br/>
 KubeSphere is a member of CNCF and a <a href="https://www.cncf.io/certification/software-conformance/#logos">Kubernetes Conformance Certified platform
-</a>, which enriches the <a href="https://landscape.cncf.io/landscape=observability-and-analysis&license=apache-license-2-0">CNCF CLOUD NATIVE Landscape.
+</a>, which enriches the <a href="https://landscape.cncf.io/?landscape=observability-and-analysis&license=apache-license-2-0">CNCF CLOUD NATIVE Landscape.
 </a>
 </p>
-
-
-## Support, Discussion, and Community
-
-If you need any help with KubeSphere, please join us at [Slack Channel](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE).
-
-Please submit any KubeSphere bugs, issues, and feature requests to [KubeSphere GitHub Issue](https://github.com/kubesphere/kubesphere/issues).
-
-## Contributing to the project
-
-All members of the KubeSphere community must abide by [Code of Conduct](docs/code-of-conduct.md). Only by respecting each other can we develop a productive, collaborative community.
-
-How to submit a pull request to KubeSphere? See [Pull Request Instruction](docs/pull-requests.md).
--- a/README_zh.md
+++ b/README_zh.md
@@ -1,9 +1,20 @@
-# KubeSphere
-[![License](http://img.shields.io/badge/license-apache%20v2-blue.svg)](https://github.com/KubeSphere/KubeSphere/blob/master/LICENSE)
-[![Build Status](https://travis-ci.org/kubesphere/kubesphere.svg?branch=master)](https://travis-ci.org/kubesphere/kubesphere)
-[![KubeSphere release](https://img.shields.io/github/release/kubesphere/kubesphere.svg?color=release&label=release&logo=release&logoColor=release)](https://github.com/kubesphere/kubesphere/releases/tag/advanced-2.0.2)
+<p align="center">
+<img src="docs/images/kubesphere-logo.png" alt="banner" width="200px">
+</p>
+
+<p align="center">
+<b>为<i> Kubernetes 多云、数据中心和边缘 </i>管理而定制的容器平台</b>
+</p>
+
+<p align=center>
+<a href="https://goreportcard.com/report/github.com/kubesphere/kubesphere"><img src="https://goreportcard.com/badge/github.com/kubesphere/kubesphere" alt="A+"></a>
+<a href="https://hub.docker.com/r/kubesphere/ks-installer"><img src="https://img.shields.io/docker/pulls/kubesphere/ks-installer"></a>
+<a href="https://github.com/search?q=user%3Akubesphere+user%3Akubesphere-sigs+label%3A%22good+first+issue%22+state%3Aopen&type=Issues&ref=advsearch&l=&l="><img src="https://img.shields.io/github/issues/badges/shields/good%20first%20issue" alt="good first"></a>
+<a href="https://twitter.com/intent/follow?screen_name=KubeSphere"><img src="https://img.shields.io/twitter/follow/KubeSphere?style=social" alt="follow on Twitter"></a>
+<a href="https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE"><img src="https://img.shields.io/badge/Slack-600%2B-blueviolet?logo=slack&amp;logoColor=white"></a>
+<a href="https://www.youtube.com/channel/UCyTdUQUYjf7XLjxECx63Hpw"><img src="https://img.shields.io/youtube/channel/subscribers/UCyTdUQUYjf7XLjxECx63Hpw?style=social"></a>
+</p>

-![logo](docs/images/kubesphere-logo.png)

 ----

@@ -11,162 +22,157 @@

 > [English](README.md) | 中文

-[KubeSphere](https://kubesphere.io/) 是在 [Kubernetes](https://kubernetes.io) 之上构建的以**应用为中心的**多租户**容器管理平台**，支持部署和运行在**任何基础设施之上**，提供**简单易用的操作界面**以及**向导式操作**方式，在降低用户使用容器调度平台学习成本的同时，极大减轻开发、测试、运维的日常工作的复杂度，旨在解决 Kubernetes 本身存在的存储、网络、安全和易用性等痛点。帮助企业轻松应对**敏捷开发、自动化运维、应用快速交付、微服务治理、多租户管理、监控日志告警、服务与网络管理、镜像仓库**等业务场景。
+[KubeSphere](https://kubesphere.io/zh/) 愿景是打造一个以 [Kubernetes](https://kubernetes.io/zh/) 为内核的 **云原生分布式操作系统**，它的架构可以非常方便地使第三方应用与云原生生态组件进行即插即用（plug-and-play）的集成，支持云原生应用在多云与多集群的统一分发和运维管理。 KubeSphere 也是一个多租户容器平台，提供全栈的 IT 自动化运维的能力，简化企业的 DevOps 工作流。KubeSphere 提供了运维友好的向导式操作界面，帮助企业快速构建一个强大和功能丰富的容器云平台，详情请参阅 [平台功能](#平台功能) 。

-KubeSphere 已大规模服务于社区用户，广泛地应用在以容器为中心的开发测试及生产环境，大量服务平稳地运行在 KubeSphere 之上。
-
-> 说明：KubeSphere 目前最新的版本为高级版 2.0.2，并且所有版本 100% 开源，关于 KubeSphere 更详细的介绍与说明请参阅 [产品介绍](https://docs.kubesphere.io/advanced-v2.0/zh-CN/introduction/intro/)。
-
-
-点击 [KubeSphere 快览](docs/screenshots.md) 快速查看 KubeSphere UI；
+下面的屏幕截图让我们进一步了解 KubeSphere，关于 KubeSphere 更详细的介绍与说明请参阅 [什么是 KubeSphere](https://kubesphere.io/zh/docs/introduction/what-is-kubesphere/) 。

 <table>
  <tr>
-      <td width="50%" align="center"><b>KubeSphere Dashboard</b></td>
-      <td width="50%" align="center"><b>Project Resources</b></td>
+      <td width="50%" align="center"><b>工作台</b></td>
+      <td width="50%" align="center"><b>项目资源</b></td>
  </tr>
  <tr>
-     <td><img src="https://pek3b.qingstor.com/kubesphere-docs/png/20191112094014.png"/></td>
-     <td><img src="https://pek3b.qingstor.com/kubesphere-docs/png/20191112094426.png"/></td>
+     <td><img src="docs/images/console.png"/></td>
+     <td><img src="docs/images/project.png"/></td>
  </tr>
  <tr>
-      <td width="50%" align="center"><b>CI/CD Pipeline</b></td>
-      <td width="50%" align="center"><b>Application Store</b></td>
+      <td width="50%" align="center"><b>CI/CD 流水线</b></td>
+      <td width="50%" align="center"><b>应用商店</b></td>
  </tr>
  <tr>
-     <td><img src="https://pek3b.qingstor.com/kubesphere-docs/png/20190925000712.png"/></td>
-     <td><img src="https://pek3b.qingstor.com/kubesphere-docs/png/20191112095006.png"/></td>
+     <td><img src="docs/images/cicd.png"/></td>
+     <td><img src="docs/images/app-store.png"/></td>
  </tr>
 </table>

-## Video on Youtube
+## Demo 环境

-[![KubeSphere](https://pek3b.qingstor.com/kubesphere-docs/png/20191112093503.png)](https://youtu.be/u5lQvhi_Xlc)
+🎮 使用账号 `demo1 / Demo123` 登录 [Demo 环境](https://demo.kubesphere.io/) 。请注意，该帐户仅授予了 view 权限。

-## 核心功能
+🖥 您还可以快速查看[Demo 视频](https://youtu.be/YxZ1YUv0CYs) 。

- Kubernetes 资源管理：纳管多种类型的 K8s 资源，提供易用友好的向导式 UI
- 应用编排与管理：包括**一键部署应用**、**Helm Chart 可视化管理**、**应用生命周期管理**，后续将支持计量计费
- 微服务治理：基于 Istio 提供可视化无代码侵入的**灰度发布、熔断、流量管控、Tracing**，兼容**Spring Cloud & Dubbo**
- 一站式 DevOps：提供**可视化编辑 CI/CD 流水线**，包括从开发测试到持续部署上线的**全流程管理**，提供 [S2i](https://kubesphere.io/docs/v2.0/zh-CN/quick-start/source-to-image/)、[B2i](https://kubesphere.io/docs/v2.1/zh-CN/quick-start/b2i-war/)
- 多租户管理：提供基于角色的细粒度 [多租户统一认证](https://kubesphere.io/docs/v2.1/zh-CN/multi-tenant/intro/)，支持**对接企业 LDAP/AD**，提供多层级的权限管理满足多组织架构的企业用户
- 日志查询与收集：提供基于多租户和多维度的 [日志查询](https://kubesphere.io/docs/v2.1/zh-CN/toolbox/log-search/)，并支持快速对接多种日志收集平台
- 多维度监控：提供集群与应用级别多项监控指标，提供按节点、企业空间、项目等资源用量的排行
- 多租户告警系统：支持基于多租户、多维度的告警，提供丰富的监控告警指标，可自定义告警策略，支持邮件通知
- 基础设施管理：提供主机管理、存储类型管理、CPU 与内存等资源配额管理
- 支持多种网络方案：支持 Calico、Flannel，提供面向物理部署 Kubernetes 的 LB 插件 [Porter](https://github.com/kubesphere/porter) 和云上[负载均衡器插件](https://github.com/yunify/qingcloud-cloud-controller-manager)
- 支持多种存储：支持 GlusterFS、CephRBD、NFS，支持 [企业级分布式存储 NeonSAN](https://www.qingcloud.com/products/qingstor-neonsan/) 和 [QingCloud 云平台块存储](https://docs.qingcloud.com/product/storage/volume/)
- 支持 GPU 节点
+## 平台功能

+<details>
+  <summary><b>🕸 部署 Kubernetes 集群</b></summary>
+  支持在任何基础设施上部署 Kubernetes，支持在线安装和离线安装，<a href="https://kubesphere.io/zh/docs/installing-on-linux/introduction/intro/">了解更多</a> 。
+  </details>

-> 更多详细的功能解读与说明，请查阅 [产品功能](https://kubesphere.io/docs/v2.1/zh-CN/introduction/features/)。
+<details>
+  <summary><b>🔗 Kubernetes 多集群管理</b></summary>
+  提供集中控制平台来管理多个 Kubernetes 集群，支持将应用程序发布到跨不同云供应商的多个k8集群上。
+  </details>
+
+<details>
+  <summary><b>🤖 Kubernetes DevOps</b></summary>
+  提供开箱即用的基于 Jenkins 的 CI/CD，并内置自动化流水线插件，包括Binary-to-Image (B2I) 和Source-to-Image (S2I)，<a href="https://kubesphere.io/zh/devops/">了解更多</a> 。
+  </details>
+
+<details>
+  <summary><b>🔎 云原生可观测性</b></summary>
+  支持多维度监控、事件和审计日志；内置多租户日志查询和收集，告警和通知，<a href="https://kubesphere.io/zh/observability/">了解更多</a> 。
+  </details>
+
+<details>
+  <summary><b>🧩 基于 Istio 的微服务治理</b></summary>
+  为分布式微服务应用程序提供细粒度的流量管理、可观测性和服务跟踪，支持可视化的流量拓扑，<a href="https://kubesphere.io/zh/service-mesh/">了解更多</a> 。
+  </details>
+
+<details>
+  <summary><b>💻 应用商店</b></summary>
+  为基于 Helm 的应用程序提供应用商店，并在 Kubernetes 平台上提供应用程序生命周期管理功能，<a href="https://kubesphere.io/zh/docs/pluggable-components/app-store/">了解更多</a> 。
+  </details>
+
+<details>
+  <summary><b>💡 Kubernetes 边缘节点管理</b></summary>
+  基于 <a href="https://kubeedge.io/zh/">KubeEdge</a> 实现应用与工作负载在云端与边缘节点的统一分发与管理，解决在海量边、端设备上完成应用交付、运维、管控的需求，<a href= "https://kubesphere.io/zh/docs/pluggable-components/kubeedge/">了解更多</a> 。
+  </details>
+
+<details>
+  <summary><b>📊 多维度计量与计费</b></summary>
+  提供基于集群与租户的多维度资源计量与计费的监控报表，让 Kubernetes 运营成本更透明，<a href="https://kubesphere.io/zh/docs/toolbox/metering-and-billing/view-resource-consumption/">了解更多</a> 。
+  </details>
+
+<details>
+  <summary><b>🗃 支持多种存储和网络解决方案</b></summary>
+  <li>支持 GlusterFS、CephRBD、NFS、LocalPV ，并提供多个 CSI 插件对接公有云与企业级存储。</li><li>提供Kubernetes在裸机、边缘和虚拟化中的负载均衡器实现 <a href="https://github.com/kubesphere/openelb">OpenELB</a> 。</li><li>提供网络策略和容器组 IP 池管理，支持 Calico、Flannel、Kube-OVN。</li>
+  </details>
+
+<details>
+  <summary><b>🏘 多租户</b></summary>
+  提供统一的认证鉴权与细粒度的基于角色的授权系统，支持对接 AD/LDAP 。
+  </details>
+
+## 架构说明
+
+KubeSphere 使用前后端分离的架构，将 [前端](https://github.com/kubesphere/console) 与 [后端](https://github.com/kubesphere/kubesphere) 分开。后端的各个功能组件可通过 REST API 对接外部系统。
+
+![Architecture](docs/images/architecture.png)

 ----

-## 架构
+## 最新版本

-KubeSphere 采用了前后端分离的架构设计，后端的各个功能组件可通过 REST API 对接外部系统，KubeSphere 可以运行在任何 Kubernetes、私有云、公有云、VM 或物理环境之上。
+🎉 KubeSphere 3.1.1 全新发布！相关更新信息，请参阅 [Release Notes For 3.1.1](https://kubesphere.io/zh/docs/release/release-v311/) 。

-![](docs/images/architecture-zh.png)
+## 安装

-## 最新发布
-
-KubeSphere 2.1.0 已于 2019 年 11 月 12 日 正式发布，点击 [Release Notes For 2.1.0](https://kubesphere.io/docs/v2.1/zh-CN/release/release-v210/) 查看 2.1.0 版本的更新详情。
-
-## 快速安装
-
-### 部署在 Linux
-
- 操作系统
-   - CentOS 7.5 (64 bit)
-   - Ubuntu 16.04/18.04 LTS (64 bit)
-   - Red Hat Enterprise Linux Server 7.4 (64 bit)
-   - Debian Stretch 9.5 (64 bit)
- 配置规格（最低）
-   - CPU：2 Core， 内存：4 G， 硬盘：100 G
-
-#### All-in-One
-
-[All-in-One](https://kubesphere.io/docs/v2.1/zh-CN/installation/all-in-one/): 对于首次接触 KubeSphere 高级版的用户，想寻找一个最快安装和体验 KubeSphere 高级版核心功能的方式，All-in-one 模式支持一键安装 KubeSphere 至一台目标机器，建议使用干净的机器安装。
-
-```bash
-$ curl -L https://kubesphere.io/download/stable/v2.1.0 > installer.tar.gz \
-&& tar -zxf installer.tar.gz && cd kubesphere-all-v2.1.0/scripts
-$ ./install.sh
-```
-
-直接选择 `"1) All-in-one"` 即可开始快速安装。
-
-> 注意：All-in-One 仅适用于**测试体验**，**正式环境** 安装和使用请参考 [安装说明](https://kubesphere.io/docs/v2.1/zh-CN/installation/intro/#%E6%AD%A3%E5%BC%8F%E7%8E%AF%E5%A2%83%E5%AE%89%E8%A3%85)。
-
-### 部署在 Kubernetes
-
-**前提条件**
-
-> - `Kubernetes` 版本： `1.13.0 ≤ K8s version < 1.16`；
-> - `Helm`，版本 `>= 2.10.0`，且已安装了 Tiller，参考 [如何安装与配置 Helm](https://devopscube.com/install-configure-helm-kubernetes/)；
-> - 集群的可用 CPU > 1 C，可用内存 > 2 G；且集群能够访问外网
-> - 集群已有存储类型（StorageClass）；
-
-可参考 [前提条件](https://kubesphere.io/docs/v2.1/zh-CN/installation/prerequisites/) 验证，若待安装的环境满足以上条件则可以开始部署 KubeSphere，当 KubeSphere 的所有 Pod 都为 RRunning 则说明安装成功。使用 `http://IP:30880` 访问 Dashboard，默认账号为 `admin/P@88w0rd`。
-
-```yaml
-$ kubectl apply -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/kubesphere-minimal.yaml
-```
-
-注意，以上两种安装方式默认是 **最小化安装**，由于 2.1.0 已对大部分功能组件解耦，实现了功能组件的可插拔，因此可在 **安装完成后** 执行以下命令开启可插拔功能组件的安装，开启安装前确认您的机器资源已符合 [资源最低要求](https://kubesphere.io/docs/v2.1/zh-CN/installation/intro/#%E5%8F%AF%E6%8F%92%E6%8B%94%E5%8A%9F%E8%83%BD%E7%BB%84%E4%BB%B6%E5%88%97%E8%A1%A8)。
-
-```
-$ kubectl edit cm -n kubesphere-system ks-installer
-```
-
-## 开始使用 KubeSphere
+KubeSphere 支持在任意平台运行，从本地数据中心到混合多云再走向边缘。此外，KubeSphere 可以部署在任何版本兼容的 Kubernetes 集群上。

 ### 快速入门

-[KubeSphere 快速入门](https://kubesphere.io/docs/v2.1/zh-CN/quick-start/quick-start-guide/) 通过 14 个 Step-by-Step 的快速入门的示例教程帮助您了解 KubeSphere 容器平台的基本使用流程，带您快速上手 KubeSphere。
+1. 运行以下命令以在现有 Kubernetes 集群上安装 KubeSphere：

-### 文档
+```yaml
+kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.1.1/kubesphere-installer.yaml
+   
+kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.1.1/cluster-configuration.yaml
+```

- [KubeSphere 文档中心 (En/中) ](https://kubesphere.io/docs/)
- [API 文档](https://kubesphere.io/docs/advanced-v2.0/zh-CN/api-reference/api-docs/)
+2. 您可以运行以下命令查看安装日志。 KubeSphere 安装成功后，您可以使用`http://IP:30880` 以默认账号和密码（admin/P@88w0rd）访问KubeSphere 控制台。

+```yaml
+kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l app=ks-install -o jsonpath='{.items[0].metadata.name}') -f
+```

-## 开发 KubeSphere
+> 👨‍💻 没有 Kubernetes 集群? 可以尝试在 Linux 上以[All-in-one](https://kubesphere.io/zh/docs/quick-start/all-in-one-on-linux/) 模式来安装单节点 Kubernetes 和 KubeSphere。

-[开发指南](CONTRIBUTING.md) 详细说明了如何从源码编译、KubeSphere 的 GitHub 工作流、如何贡献代码以及如何测试等。
+### 在托管 Kubernetes 上部署 KubeSphere

+KubeSphere 托管在以下云供应商上，您可以通过在其托管的 Kubernetes 服务上一键安装来部署 KubeSphere。

-## 路线图
+- [在 Amazon EKS 上部署 KubeSphere](https://aws.amazon.com/quickstart/architecture/qingcloud-kubesphere/)
+- [在 Azure AKS 上部署 KubeSphere](https://market.azure.cn/marketplace/apps/qingcloud.kubesphere)
+- [在 DigitalOcean 上部署 KubeSphere](https://marketplace.digitalocean.com/apps/kubesphere)
+- [在青云QingCloud QKE 上部署 KubeSphere](https://www.qingcloud.com/products/kubesphereqke)

-目前，KubeSphere 已发布了 4 个大版本和 3 个小版本，所有版本都是完全开源的，为 KubeSphere 社区用户提供服务。
+您还可以在几分钟内在其他托管的 Kubernetes 服务上安装 KubeSphere，请参阅 [官方文档](https://kubesphere.io/zh/docs/installing-on-kubernetes/) 以开始使用。

-**Express Edition** => **v1.0.x** => **v2.0.x**  => **v2.1.0**
+> 👨‍💻 不能访问网络？参考 [在Kubernetes上离线安装](https://kubesphere.io/zh/docs/installing-on-kubernetes/on-prem-kubernetes/install-ks-on-linux-airgapped/) 或者 [在 Linux 上离线安装](https://kubesphere.io/zh/docs/installing-on-linux/introduction/air-gapped-installation/) 了解如何使用私有仓库来安装 KubeSphere。

-![](https://pek3b.qingstor.com/kubesphere-docs/png/20190926000514.png)
+## 贡献、支持、讨论和社区
+
+我们 :heart: 您的贡献。[社区](https://github.com/kubesphere/community) 将引导您了解如何开始贡献 KubeSphere。[开发指南](https://github.com/kubesphere/community/tree/master/developer-guide/development) 说明了如何安装开发环境。
+
+- [中文论坛](https://kubesphere.com.cn/forum/)
+- [社区微信群（见官网底部）](https://kubesphere.com.cn/)
+- [Slack Channel](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE)
+- [Youtube](https://www.youtube.com/channel/UCyTdUQUYjf7XLjxECx63Hpw)
+- [在推特上关注我们](https://twitter.com/KubeSphere)
+
+请将任何 KubeSphere 错误、问题和功能请求提交到 [KubeSphere GitHub Issue](https://github.com/kubesphere/kubesphere/issues) 。
+
+## 谁在使用 KubeSphere
+
+[用户案例学习](https://kubesphere.com.cn/case/) 列出了哪些企业在使用 KubeSphere。欢迎 [发表评论](https://github.com/kubesphere/kubesphere/issues/4123) 来分享您的使用案例。

 ## Landscapes

 <p align="center">
 <br/><br/>
-<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;<img src="https://www.cncf.io/wp-content/uploads/2017/11/certified_kubernetes_color.png" height="40" width="30"/>
+<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;
 <br/><br/>
 KubeSphere 是 CNCF 基金会成员并且通过了 <a href="https://www.cncf.io/certification/software-conformance/#logos">Kubernetes 一致性认证
-</a>，进一步丰富了 <a href="https://landscape.cncf.io/landscape=observability-and-analysis&license=apache-license-2-0">CNCF 云原生的生态。
+</a>，进一步丰富了 <a href="https://landscape.cncf.io/?landscape=observability-and-analysis&license=apache-license-2-0">CNCF 云原生的生态。
 </a>
 </p>
-
-## 技术社区
-
- [Slack Channel](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE)
-
- [技术论坛](https://kubesphere.io/forum/)
-
- 微信群 (与工程师和用户们交流云原生技术，请备注 “公司 - 名字”）
-
-<img width="150px" src="https://pek3b.qingstor.com/kubesphere-docs/png/20190902002055.png" />
-
-
-## Bug 与建议反馈
-
-KubeSphere 的日益完善与快速发展离不开社区用户的支持，KubeSphere 也一直在反哺社区，为开源用户提供更多的支持。若您安装使用时有任何建议问题、反馈或发现的 Bug，欢迎在 [GitHub Issue](https://github.com/kubesphere/kubesphere/issues) 提交 Issue。
--- a/api/api-rules/violation_exceptions.list
+++ b/api/api-rules/violation_exceptions.list
@@ -1,3 +1,31 @@
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroup,ServerAddressByClientCIDRs
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroup,Versions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroupList,Groups
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResource,Categories
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResource,ShortNames
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIVersions,ServerAddressByClientCIDRs
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIVersions,Versions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ApplyOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,CreateOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,DeleteOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,FieldsV1,Raw
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,LabelSelector,MatchExpressions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,LabelSelectorRequirement,Values
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,Finalizers
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,ManagedFields
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,OwnerReferences
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,PatchOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,RootPaths,Paths
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,StatusDetails,Causes
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,Table,ColumnDefinitions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,Table,Rows
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,TableRow,Cells
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,TableRow,Conditions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,UpdateOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/runtime,RawExtension,Raw
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/runtime,Unknown,Raw
+API rule violation: list_type_missing,kubesphere.io/api/devops/v1alpha3,NoScmPipeline,Parameters
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
@@ -5,4 +33,63 @@ API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEve
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,MicroTime,Time
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,StatusCause,Type
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Time,Time
-API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha1,S2iBinarySpec,MD5
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentEncoding
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentType
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,Raw
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,ApiUri
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,CloneOption
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,DiscoverPRFromForks
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,DiscoverPRFromOrigin
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,DiscoverTags
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,RegexFilter
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,DiscarderProperty,DaysToKeep
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,DiscarderProperty,NumToKeep
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,CloneOption
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,DiscoverTags
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,RegexFilter
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,ApiUri
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,CloneOption
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,DiscoverPRFromForks
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,DiscoverPRFromOrigin
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,DiscoverTags
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,RegexFilter
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,ApiUri
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,CloneOption
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,DiscoverPRFromForks
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,DiscoverPRFromOrigin
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,DiscoverTags
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,RegexFilter
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,ServerName
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchJobTrigger,CreateActionJobsToTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchJobTrigger,DeleteActionJobsToTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,BitbucketServerSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,GitHubSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,GitSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,GitlabSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,MultiBranchJobTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,ScriptPath
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,SingleSvnSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,SourceType
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,SvnSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,TimerTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,NoScmPipeline,DisableConcurrent
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,NoScmPipeline,RemoteTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,NoScmPipeline,TimerTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,Parameter,DefaultValue
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,PipelineSpec,MultiBranchPipeline
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,SingleSvnSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,SingleSvnSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,SvnSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,SvnSource,ScmId
--- a/api/ks-openapi-spec/swagger.json
+++ b/api/ks-openapi-spec/swagger.json
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
--- a/build/hypersphere/Dockerfile
+++ b/build/hypersphere/Dockerfile
@@ -1,18 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-FROM golang:1.12 as hypersphere-builder
-
-COPY / /go/src/kubesphere.io/kubesphere
-
-WORKDIR /go/src/kubesphere.io/kubesphere
-RUN CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 GOFLAGS=-mod=vendor go build -i -ldflags '-w -s' -o hypersphere cmd/hypersphere/hypersphere.go
-
-FROM alpine:3.9
-RUN apk add --update ca-certificates && update-ca-certificates
-COPY --from=hypersphere-builder /go/src/kubesphere.io/kubesphere/hypersphere /usr/local/bin/
-CMD ["sh"]
--- a/build/ks-apigateway/Dockerfile
+++ b/build/ks-apigateway/Dockerfile
@@ -1,20 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-FROM golang:1.12 as ks-apigateway-builder
-
-COPY / /go/src/kubesphere.io/kubesphere
-WORKDIR /go/src/kubesphere.io/kubesphere
-RUN CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 GOFLAGS=-mod=vendor go build -i -ldflags '-w -s' -o ks-apigateway cmd/ks-apigateway/apiserver.go && \
-    go run tools/cmd/doc-gen/main.go --output=install/swagger-ui/api.json
-
-FROM alpine:3.9
-RUN apk add --update ca-certificates && update-ca-certificates
-COPY --from=ks-apigateway-builder /go/src/kubesphere.io/kubesphere/ks-apigateway /usr/local/bin/
-COPY --from=ks-apigateway-builder /go/src/kubesphere.io/kubesphere/install/swagger-ui /var/static/swagger-ui
-CMD ["sh"]
--- a/build/ks-apiserver/Dockerfile
+++ b/build/ks-apiserver/Dockerfile
@@ -1,18 +1,48 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
+# Copyright 2020 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by an Apache license
 # that can be found in the LICENSE file.

-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-FROM golang:1.12 as ks-apiserver-builder
+# Download dependencies
+FROM alpine:3.11 as base_os_context

-COPY / /go/src/kubesphere.io/kubesphere
+ARG TARGETARCH
+ARG TARGETOS
+ARG HELM_VERSION=v3.5.2

-WORKDIR /go/src/kubesphere.io/kubesphere
-RUN CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 GOFLAGS=-mod=vendor go build -i -ldflags '-w -s' -o ks-apiserver cmd/ks-apiserver/apiserver.go
+ENV OUTDIR=/out
+RUN mkdir -p ${OUTDIR}/usr/local/bin/

-FROM alpine:3.9
-RUN apk add --update ca-certificates && update-ca-certificates
-COPY --from=ks-apiserver-builder /go/src/kubesphere.io/kubesphere/ks-apiserver /usr/local/bin/
+WORKDIR /tmp
+
+RUN apk add --no-cache ca-certificates
+
+# install helm
+ADD https://get.helm.sh/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /tmp
+RUN tar xvzf /tmp/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz -C /tmp
+RUN mv /tmp/${TARGETOS}-${TARGETARCH}/helm ${OUTDIR}/usr/local/bin/
+
+# Build 
+FROM golang:1.16.3 as build_context
+
+ENV OUTDIR=/out
+RUN mkdir -p ${OUTDIR}/usr/local/bin/
+
+WORKDIR /workspace
+ADD . /workspace/
+
+RUN make ks-apiserver
+RUN mv /workspace/bin/cmd/ks-apiserver ${OUTDIR}/usr/local/bin/
+
+##############
+# Final image
+#############
+
+FROM alpine:3.11 
+
+COPY --from=base_os_context /out/ /
+COPY --from=build_context /out/ /
+
+WORKDIR /
+
+EXPOSE 9090
 CMD ["sh"]
--- a/build/ks-controller-manager/Dockerfile
+++ b/build/ks-controller-manager/Dockerfile
@@ -1,18 +1,67 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
+# Copyright 2020 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by an Apache license
 # that can be found in the LICENSE file.

-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-FROM golang:1.12 as controller-manager-builder
+# Download dependencies
+FROM alpine:3.11 as base_os_context

-COPY / /go/src/kubesphere.io/kubesphere
-WORKDIR /go/src/kubesphere.io/kubesphere
+ARG TARGETARCH
+ARG TARGETOS
+ARG HELM_VERSION=v3.5.2
+ARG KUSTOMIZE_VERSION=v4.2.0
+ARG INGRESS_NGINX_VERSION=3.35.0

-RUN CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 GOFLAGS=-mod=vendor go build --ldflags "-extldflags -static" -o controller-manager ./cmd/controller-manager/
+ENV OUTDIR=/out
+RUN mkdir -p ${OUTDIR}/usr/local/bin
+RUN mkdir -p ${OUTDIR}/var/helm-charts

-FROM alpine:3.7
-RUN apk add --update ca-certificates && update-ca-certificates
-COPY --from=controller-manager-builder /go/src/kubesphere.io/kubesphere/controller-manager /usr/local/bin/
-CMD controller-manager
+WORKDIR /tmp
+
+RUN apk add --no-cache ca-certificates
+
+# Install helm
+ADD https://get.helm.sh/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /tmp
+RUN tar xvzf /tmp/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz -C /tmp
+RUN mv /tmp/${TARGETOS}-${TARGETARCH}/helm ${OUTDIR}/usr/local/bin/
+
+# install kustomize
+ADD https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz /tmp
+RUN tar xvzf /tmp/kustomize_${KUSTOMIZE_VERSION}_linux_${TARGETARCH}.tar.gz -C /tmp
+RUN mv /tmp/kustomize ${OUTDIR}/usr/local/bin/
+
+
+# Install Nginx Ingress Helm Chart
+ADD https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-${INGRESS_NGINX_VERSION}/ingress-nginx-${INGRESS_NGINX_VERSION}.tgz /tmp
+RUN tar xvzf /tmp/ingress-nginx-${INGRESS_NGINX_VERSION}.tgz -C /tmp
+RUN mv /tmp/ingress-nginx ${OUTDIR}/var/helm-charts/
+
+# Build
+
+FROM golang:1.16.3 as build_context
+
+ENV OUTDIR=/out
+RUN mkdir -p ${OUTDIR}/usr/local/bin/
+RUN mkdir -p ${OUTDIR}/var/helm-charts
+
+WORKDIR /workspace
+ADD . /workspace/
+
+RUN make ks-controller-manager
+RUN mv /workspace/bin/cmd/controller-manager ${OUTDIR}/usr/local/bin/
+
+# Copy gateway config and helm chart
+RUN mv /workspace/config/gateway ${OUTDIR}/var/helm-charts/
+RUN mv /workspace/config/watches.yaml ${OUTDIR}/var/helm-charts/
+
+# Final Image
+
+FROM alpine:3.11 
+
+COPY --from=base_os_context /out/ /
+COPY --from=build_context /out/ /
+
+WORKDIR /
+
+EXPOSE 8443 8080
+
+CMD ["sh"]
--- a/build/ks-iam/Dockerfile
+++ b/build/ks-iam/Dockerfile
@@ -1,18 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-FROM golang:1.12 as ks-iam-builder
-
-COPY / /go/src/kubesphere.io/kubesphere
-
-WORKDIR /go/src/kubesphere.io/kubesphere
-RUN CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 GOFLAGS=-mod=vendor go build -i -ldflags '-w -s' -o ks-iam cmd/ks-iam/apiserver.go
-
-FROM alpine:3.9
-RUN apk add --update ca-certificates && update-ca-certificates
-COPY --from=ks-iam-builder /go/src/kubesphere.io/kubesphere/ks-iam /usr/local/bin/
-CMD ["sh"]
--- a/build/ks-network/Dockerfile
+++ b/build/ks-network/Dockerfile
@@ -1,4 +0,0 @@
-FROM gcr.io/distroless/static:latest
-WORKDIR /
-COPY ks-network .
-ENTRYPOINT ["/ks-network"]
--- a/cmd/controller-manager/app/controllers.go
+++ b/cmd/controller-manager/app/controllers.go
@@ -1,154 +1,240 @@
 /*
+Copyright 2019 The KubeSphere Authors.

- Copyright 2019 The KubeSphere Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+    http://www.apache.org/licenses/LICENSE-2.0

+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */
+
 package app

 import (
-	"k8s.io/client-go/informers"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
-	"kubesphere.io/kubesphere/pkg/controller/application"
-	"kubesphere.io/kubesphere/pkg/controller/destinationrule"
-	"kubesphere.io/kubesphere/pkg/controller/job"
-	"kubesphere.io/kubesphere/pkg/controller/s2ibinary"
-	"kubesphere.io/kubesphere/pkg/controller/s2irun"
-	"kubesphere.io/kubesphere/pkg/controller/storage/expansion"
-
-	//"kubesphere.io/kubesphere/pkg/controller/job"
-	"kubesphere.io/kubesphere/pkg/controller/virtualservice"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog"
+	runtimeclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"time"
+	"sigs.k8s.io/kubefed/pkg/controller/util"

-	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+	"kubesphere.io/kubesphere/pkg/controller/storage/snapshotclass"

-	istioclientset "github.com/knative/pkg/client/clientset/versioned"
-	istioinformers "github.com/knative/pkg/client/informers/externalversions"
-	applicationclientset "github.com/kubernetes-sigs/application/pkg/client/clientset/versioned"
-	applicationinformers "github.com/kubernetes-sigs/application/pkg/client/informers/externalversions"
-	s2iclientset "github.com/kubesphere/s2ioperator/pkg/client/clientset/versioned"
-	s2iinformers "github.com/kubesphere/s2ioperator/pkg/client/informers/externalversions"
-	kubesphereclientset "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
-	kubesphereinformers "kubesphere.io/kubesphere/pkg/client/informers/externalversions"
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication"
+
+	iamv1alpha2 "kubesphere.io/api/iam/v1alpha2"
+
+	"kubesphere.io/kubesphere/pkg/controller/certificatesigningrequest"
+	"kubesphere.io/kubesphere/pkg/controller/cluster"
+	"kubesphere.io/kubesphere/pkg/controller/clusterrolebinding"
+	"kubesphere.io/kubesphere/pkg/controller/destinationrule"
+	"kubesphere.io/kubesphere/pkg/controller/globalrole"
+	"kubesphere.io/kubesphere/pkg/controller/globalrolebinding"
+	"kubesphere.io/kubesphere/pkg/controller/group"
+	"kubesphere.io/kubesphere/pkg/controller/groupbinding"
+	"kubesphere.io/kubesphere/pkg/controller/job"
+	"kubesphere.io/kubesphere/pkg/controller/loginrecord"
+	"kubesphere.io/kubesphere/pkg/controller/network/ippool"
+	"kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy"
+	"kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy/provider"
+	"kubesphere.io/kubesphere/pkg/controller/notification"
+	"kubesphere.io/kubesphere/pkg/controller/storage/capability"
+	"kubesphere.io/kubesphere/pkg/controller/virtualservice"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops"
+	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
+	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	"kubesphere.io/kubesphere/pkg/simple/client/multicluster"
+	"kubesphere.io/kubesphere/pkg/simple/client/network"
+	ippoolclient "kubesphere.io/kubesphere/pkg/simple/client/network/ippool"
+	"kubesphere.io/kubesphere/pkg/simple/client/s3"
 )

-const defaultResync = 600 * time.Second
+func addControllers(
+	mgr manager.Manager,
+	client k8s.Client,
+	informerFactory informers.InformerFactory,
+	devopsClient devops.Interface,
+	s3Client s3.Interface,
+	ldapClient ldapclient.Interface,
+	options *k8s.KubernetesOptions,
+	authenticationOptions *authentication.Options,
+	multiClusterOptions *multicluster.Options,
+	networkOptions *network.Options,
+	serviceMeshEnabled bool,
+	kubectlImage string,
+	stopCh <-chan struct{}) error {

-var log = logf.Log.WithName("controller-manager")
+	kubernetesInformer := informerFactory.KubernetesSharedInformerFactory()
+	istioInformer := informerFactory.IstioSharedInformerFactory()
+	kubesphereInformer := informerFactory.KubeSphereSharedInformerFactory()

-func AddControllers(mgr manager.Manager, cfg *rest.Config, stopCh <-chan struct{}) error {
+	multiClusterEnabled := multiClusterOptions.Enable

-	kubeClient, err := kubernetes.NewForConfig(cfg)
-	if err != nil {
-		log.Error(err, "building kubernetes client failed")
+	var vsController, drController manager.Runnable
+	if serviceMeshEnabled {
+		vsController = virtualservice.NewVirtualServiceController(kubernetesInformer.Core().V1().Services(),
+			istioInformer.Networking().V1alpha3().VirtualServices(),
+			istioInformer.Networking().V1alpha3().DestinationRules(),
+			kubesphereInformer.Servicemesh().V1alpha2().Strategies(),
+			client.Kubernetes(),
+			client.Istio(),
+			client.KubeSphere())
+
+		drController = destinationrule.NewDestinationRuleController(kubernetesInformer.Apps().V1().Deployments(),
+			istioInformer.Networking().V1alpha3().DestinationRules(),
+			kubernetesInformer.Core().V1().Services(),
+			kubesphereInformer.Servicemesh().V1alpha2().ServicePolicies(),
+			client.Kubernetes(),
+			client.Istio(),
+			client.KubeSphere())
 	}

-	istioclient, err := istioclientset.NewForConfig(cfg)
-	if err != nil {
-		log.Error(err, "create istio client failed")
-		return err
+	jobController := job.NewJobController(kubernetesInformer.Batch().V1().Jobs(), client.Kubernetes())
+
+	storageCapabilityController := capability.NewController(
+		client.Kubernetes().StorageV1().StorageClasses(),
+		kubernetesInformer.Storage().V1().StorageClasses(),
+		kubernetesInformer.Storage().V1().CSIDrivers(),
+	)
+
+	volumeSnapshotController := snapshotclass.NewController(
+		kubernetesInformer.Storage().V1().StorageClasses(),
+		client.Snapshot().SnapshotV1().VolumeSnapshotClasses(),
+		informerFactory.SnapshotSharedInformerFactory().Snapshot().V1().VolumeSnapshotClasses(),
+	)
+
+	var fedGlobalRoleBindingCache, fedGlobalRoleCache cache.Store
+	var fedGlobalRoleBindingCacheController, fedGlobalRoleCacheController cache.Controller
+
+	if multiClusterEnabled {
+		fedGlobalRoleClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedGlobalRoleResource)
+		if err != nil {
+			klog.Error(err)
+			return err
+		}
+		fedGlobalRoleBindingClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedGlobalRoleBindingResource)
+		if err != nil {
+			klog.Error(err)
+			return err
+		}
+
+		fedGlobalRoleCache, fedGlobalRoleCacheController = util.NewResourceInformer(fedGlobalRoleClient, "", &iamv1alpha2.FedGlobalRoleResource, func(object runtimeclient.Object) {})
+		fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController = util.NewResourceInformer(fedGlobalRoleBindingClient, "", &iamv1alpha2.FedGlobalRoleBindingResource, func(object runtimeclient.Object) {})
+
+		go fedGlobalRoleCacheController.Run(stopCh)
+		go fedGlobalRoleBindingCacheController.Run(stopCh)
 	}

-	applicationClient, err := applicationclientset.NewForConfig(cfg)
-	if err != nil {
-		log.Error(err, "create application client failed")
-		return err
-	}
-	s2iclient, err := s2iclientset.NewForConfig(cfg)
-	if err != nil {
-		log.Error(err, "create s2i client failed")
-		return err
-	}
-	kubesphereclient, err := kubesphereclientset.NewForConfig(cfg)
-	if err != nil {
-		log.Error(err, "create kubesphere client failed")
-		return err
+	loginRecordController := loginrecord.NewLoginRecordController(
+		client.Kubernetes(),
+		client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().LoginRecords(),
+		kubesphereInformer.Iam().V1alpha2().Users(),
+		authenticationOptions.LoginHistoryRetentionPeriod,
+		authenticationOptions.LoginHistoryMaximumEntries)
+
+	csrController := certificatesigningrequest.NewController(client.Kubernetes(),
+		kubernetesInformer.Certificates().V1().CertificateSigningRequests(),
+		kubernetesInformer.Core().V1().ConfigMaps(), client.Config())
+
+	clusterRoleBindingController := clusterrolebinding.NewController(client.Kubernetes(),
+		kubernetesInformer.Rbac().V1().ClusterRoleBindings(),
+		kubernetesInformer.Apps().V1().Deployments(),
+		kubernetesInformer.Core().V1().Pods(),
+		kubesphereInformer.Iam().V1alpha2().Users(),
+		kubectlImage)
+
+	globalRoleController := globalrole.NewController(client.Kubernetes(), client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().GlobalRoles(), fedGlobalRoleCache, fedGlobalRoleCacheController)
+
+	globalRoleBindingController := globalrolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(),
+		fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController,
+		multiClusterEnabled)
+
+	groupBindingController := groupbinding.NewController(client.Kubernetes(), client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().GroupBindings(),
+		kubesphereInformer.Types().V1beta1().FederatedGroupBindings(),
+		multiClusterEnabled)
+
+	groupController := group.NewController(client.Kubernetes(), client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().Groups(),
+		kubesphereInformer.Types().V1beta1().FederatedGroups(),
+		multiClusterEnabled)
+
+	var clusterController manager.Runnable
+	if multiClusterEnabled {
+		clusterController = cluster.NewClusterController(
+			client.Kubernetes(),
+			client.Config(),
+			kubesphereInformer.Cluster().V1alpha1().Clusters(),
+			client.KubeSphere().ClusterV1alpha1().Clusters(),
+			multiClusterOptions.ClusterControllerResyncPeriod,
+			multiClusterOptions.HostClusterName)
 	}

-	informerFactory := informers.NewSharedInformerFactory(kubeClient, defaultResync)
-	istioInformer := istioinformers.NewSharedInformerFactory(istioclient, defaultResync)
-	applicationInformer := applicationinformers.NewSharedInformerFactory(applicationClient, defaultResync)
-	s2iInformer := s2iinformers.NewSharedInformerFactory(s2iclient, defaultResync)
+	var nsnpController manager.Runnable
+	if networkOptions.EnableNetworkPolicy {
+		nsnpProvider, err := provider.NewNsNetworkPolicyProvider(client.Kubernetes(), kubernetesInformer.Networking().V1().NetworkPolicies())
+		if err != nil {
+			return err
+		}

-	kubesphereInformer := kubesphereinformers.NewSharedInformerFactory(kubesphereclient, defaultResync)
+		nsnpController = nsnetworkpolicy.NewNSNetworkPolicyController(client.Kubernetes(),
+			client.KubeSphere().NetworkV1alpha1(),
+			kubesphereInformer.Network().V1alpha1().NamespaceNetworkPolicies(),
+			kubernetesInformer.Core().V1().Services(),
+			kubernetesInformer.Core().V1().Nodes(),
+			kubesphereInformer.Tenant().V1alpha1().Workspaces(),
+			kubernetesInformer.Core().V1().Namespaces(), nsnpProvider, networkOptions.NSNPOptions)
+	}

-	vsController := virtualservice.NewVirtualServiceController(informerFactory.Core().V1().Services(),
-		istioInformer.Networking().V1alpha3().VirtualServices(),
-		istioInformer.Networking().V1alpha3().DestinationRules(),
-		kubesphereInformer.Servicemesh().V1alpha2().Strategies(),
-		kubeClient,
-		istioclient,
-		kubesphereclient)
-
-	drController := destinationrule.NewDestinationRuleController(informerFactory.Apps().V1().Deployments(),
-		istioInformer.Networking().V1alpha3().DestinationRules(),
-		informerFactory.Core().V1().Services(),
-		kubesphereInformer.Servicemesh().V1alpha2().ServicePolicies(),
-		kubeClient,
-		istioclient,
-		kubesphereclient)
-
-	apController := application.NewApplicationController(informerFactory.Core().V1().Services(),
-		informerFactory.Apps().V1().Deployments(),
-		informerFactory.Apps().V1().StatefulSets(),
-		kubesphereInformer.Servicemesh().V1alpha2().Strategies(),
-		kubesphereInformer.Servicemesh().V1alpha2().ServicePolicies(),
-		applicationInformer.App().V1beta1().Applications(),
-		kubeClient,
-		applicationClient)
-
-	jobController := job.NewJobController(informerFactory.Batch().V1().Jobs(), kubeClient)
-
-	s2iBinaryController := s2ibinary.NewController(kubesphereclient,
-		kubeClient,
-		kubesphereInformer.Devops().V1alpha1().S2iBinaries())
-
-	s2iRunController := s2irun.NewController(kubesphereclient, s2iclient, kubeClient,
-		kubesphereInformer.Devops().V1alpha1().S2iBinaries(),
-		s2iInformer.Devops().V1alpha1().S2iRuns())
-
-	volumeExpansionController := expansion.NewVolumeExpansionController(
-		kubeClient,
-		informerFactory.Core().V1().PersistentVolumeClaims(),
-		informerFactory.Storage().V1().StorageClasses(),
-		informerFactory.Core().V1().Pods(),
-		informerFactory.Apps().V1().Deployments(),
-		informerFactory.Apps().V1().ReplicaSets(),
-		informerFactory.Apps().V1().StatefulSets())
-
-	kubesphereInformer.Start(stopCh)
-	istioInformer.Start(stopCh)
-	informerFactory.Start(stopCh)
-	applicationInformer.Start(stopCh)
-	s2iInformer.Start(stopCh)
+	var ippoolController manager.Runnable
+	ippoolProvider := ippoolclient.NewProvider(kubernetesInformer, client.KubeSphere(), client.Kubernetes(), networkOptions.IPPoolType, options)
+	if ippoolProvider != nil {
+		ippoolController = ippool.NewIPPoolController(kubesphereInformer, kubernetesInformer, client.Kubernetes(), client.KubeSphere(), ippoolProvider)
+	}

 	controllers := map[string]manager.Runnable{
-		"virtualservice-controller":  vsController,
-		"destinationrule-controller": drController,
-		"application-controller":     apController,
-		"job-controller":             jobController,
-		"s2ibinary-controller":       s2iBinaryController,
-		"s2irun-controller":          s2iRunController,
-		"volumeexpansion-controller": volumeExpansionController,
+		"virtualservice-controller":     vsController,
+		"destinationrule-controller":    drController,
+		"job-controller":                jobController,
+		"storagecapability-controller":  storageCapabilityController,
+		"volumesnapshot-controller":     volumeSnapshotController,
+		"loginrecord-controller":        loginRecordController,
+		"cluster-controller":            clusterController,
+		"nsnp-controller":               nsnpController,
+		"csr-controller":                csrController,
+		"clusterrolebinding-controller": clusterRoleBindingController,
+		"globalrolebinding-controller":  globalRoleBindingController,
+		"ippool-controller":             ippoolController,
+		"groupbinding-controller":       groupBindingController,
+		"group-controller":              groupController,
+	}
+
+	if multiClusterEnabled {
+		controllers["globalrole-controller"] = globalRoleController
+		notificationController, err := notification.NewController(client.Kubernetes(), mgr.GetClient(), mgr.GetCache())
+		if err != nil {
+			return err
+		}
+		controllers["notification-controller"] = notificationController
 	}

 	for name, ctrl := range controllers {
-		err = mgr.Add(ctrl)
-		if err != nil {
-			log.Error(err, "add controller to manager failed", "name", name)
+		if ctrl == nil {
+			klog.V(4).Infof("%s is not going to run due to dependent component disabled.", name)
+			continue
+		}
+
+		if err := mgr.Add(ctrl); err != nil {
+			klog.Error(err, "add controller to manager failed", "name", name)
 			return err
 		}
 	}
--- a/cmd/controller-manager/app/helper.go
+++ b/cmd/controller-manager/app/helper.go
@@ -1,21 +1,39 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package app

 import (
+	"context"
 	"fmt"
+	"net/http"
+	"time"
+
 	"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog"
-	"net/http"
-	"time"
 )

-// WaitForAPIServer waits for the API Server's /healthz endpoint to report "ok" with timeout.
+// WaitForAPIServer waits for the API Server's /healthz endpoint to report "ok" before timeout.
 func WaitForAPIServer(client clientset.Interface, timeout time.Duration) error {
 	var lastErr error

 	err := wait.PollImmediate(time.Second, timeout, func() (bool, error) {
 		healthStatus := 0
-		result := client.Discovery().RESTClient().Get().AbsPath("/healthz").Do().StatusCode(&healthStatus)
+		result := client.Discovery().RESTClient().Get().AbsPath("/healthz").Do(context.Background()).StatusCode(&healthStatus)
 		if result.Error() != nil {
 			lastErr = fmt.Errorf("failed to get apiserver /healthz status: %v", result.Error())
 			return false, nil
--- a/cmd/controller-manager/app/options/options.go
+++ b/cmd/controller-manager/app/options/options.go
@@ -1,65 +1,125 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package options

 import (
 	"flag"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	apiserverconfig "k8s.io/apiserver/pkg/apis/config"
-	cliflag "k8s.io/component-base/cli/flag"
-	"k8s.io/klog"
-	"k8s.io/kubernetes/pkg/client/leaderelectionconfig"
-	kubesphereconfig "kubesphere.io/kubesphere/pkg/server/config"
-	"kubesphere.io/kubesphere/pkg/simple/client/devops"
-	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
-	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
-	"kubesphere.io/kubesphere/pkg/simple/client/s2is3"
 	"strings"
 	"time"
+
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication"
+
+	"k8s.io/apimachinery/pkg/labels"
+
+	"github.com/spf13/pflag"
+	"k8s.io/client-go/tools/leaderelection"
+	cliflag "k8s.io/component-base/cli/flag"
+	"k8s.io/klog"
+
+	"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
+	"kubesphere.io/kubesphere/pkg/simple/client/gateway"
+	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
+	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	"kubesphere.io/kubesphere/pkg/simple/client/multicluster"
+	"kubesphere.io/kubesphere/pkg/simple/client/network"
+	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
+	"kubesphere.io/kubesphere/pkg/simple/client/s3"
+	"kubesphere.io/kubesphere/pkg/simple/client/servicemesh"
 )

 type KubeSphereControllerManagerOptions struct {
-	KubernetesOptions *k8s.KubernetesOptions
-	DevopsOptions     *devops.DevopsOptions
-	S3Options         *s2is3.S3Options
-	OpenPitrixOptions *openpitrix.OpenPitrixOptions
+	KubernetesOptions     *k8s.KubernetesOptions
+	DevopsOptions         *jenkins.Options
+	S3Options             *s3.Options
+	AuthenticationOptions *authentication.Options
+	LdapOptions           *ldapclient.Options
+	OpenPitrixOptions     *openpitrix.Options
+	NetworkOptions        *network.Options
+	MultiClusterOptions   *multicluster.Options
+	ServiceMeshOptions    *servicemesh.Options
+	GatewayOptions        *gateway.Options
+	LeaderElect           bool
+	LeaderElection        *leaderelection.LeaderElectionConfig
+	WebhookCertDir        string

-	LeaderElection *apiserverconfig.LeaderElectionConfiguration
+	// KubeSphere is using sigs.k8s.io/application as fundamental object to implement Application Management.
+	// There are other projects also built on sigs.k8s.io/application, when KubeSphere installed along side
+	// them, conflicts happen. So we leave an option to only reconcile applications  matched with the given
+	// selector. Default will reconcile all applications.
+	//    For example
+	//      "kubesphere.io/creator=" means reconcile applications with this label key
+	//      "!kubesphere.io/creator" means exclude applications with this key
+	ApplicationSelector string
 }

 func NewKubeSphereControllerManagerOptions() *KubeSphereControllerManagerOptions {
 	s := &KubeSphereControllerManagerOptions{
-		KubernetesOptions: k8s.NewKubernetesOptions(),
-		DevopsOptions:     devops.NewDevopsOptions(),
-		S3Options:         s2is3.NewS3Options(),
-		OpenPitrixOptions: openpitrix.NewOpenPitrixOptions(),
-		LeaderElection: &apiserverconfig.LeaderElectionConfiguration{
-			LeaderElect:   false,
-			LeaseDuration: v1.Duration{Duration: 30 * time.Second},
-			RenewDeadline: v1.Duration{Duration: 15 * time.Second},
-			RetryPeriod:   v1.Duration{Duration: 5 * time.Second},
-			ResourceLock:  "ks-controller-manager-leader-election",
+		KubernetesOptions:     k8s.NewKubernetesOptions(),
+		DevopsOptions:         jenkins.NewDevopsOptions(),
+		S3Options:             s3.NewS3Options(),
+		LdapOptions:           ldapclient.NewOptions(),
+		OpenPitrixOptions:     openpitrix.NewOptions(),
+		NetworkOptions:        network.NewNetworkOptions(),
+		MultiClusterOptions:   multicluster.NewOptions(),
+		ServiceMeshOptions:    servicemesh.NewServiceMeshOptions(),
+		AuthenticationOptions: authentication.NewOptions(),
+		GatewayOptions:        gateway.NewGatewayOptions(),
+		LeaderElection: &leaderelection.LeaderElectionConfig{
+			LeaseDuration: 30 * time.Second,
+			RenewDeadline: 15 * time.Second,
+			RetryPeriod:   5 * time.Second,
 		},
+		LeaderElect:         false,
+		WebhookCertDir:      "",
+		ApplicationSelector: "",
 	}

 	return s
 }

-func (s *KubeSphereControllerManagerOptions) ApplyTo(conf *kubesphereconfig.Config) {
-	s.S3Options.ApplyTo(conf.S3Options)
-	s.KubernetesOptions.ApplyTo(conf.KubernetesOptions)
-	s.DevopsOptions.ApplyTo(conf.DevopsOptions)
-	s.OpenPitrixOptions.ApplyTo(conf.OpenPitrixOptions)
-}
-
 func (s *KubeSphereControllerManagerOptions) Flags() cliflag.NamedFlagSets {
 	fss := cliflag.NamedFlagSets{}

-	s.KubernetesOptions.AddFlags(fss.FlagSet("kubernetes"))
-	s.DevopsOptions.AddFlags(fss.FlagSet("devops"))
-	s.S3Options.AddFlags(fss.FlagSet("s3"))
-	s.OpenPitrixOptions.AddFlags(fss.FlagSet("openpitrix"))
-
+	s.KubernetesOptions.AddFlags(fss.FlagSet("kubernetes"), s.KubernetesOptions)
+	s.DevopsOptions.AddFlags(fss.FlagSet("devops"), s.DevopsOptions)
+	s.S3Options.AddFlags(fss.FlagSet("s3"), s.S3Options)
+	s.AuthenticationOptions.AddFlags(fss.FlagSet("authentication"), s.AuthenticationOptions)
+	s.LdapOptions.AddFlags(fss.FlagSet("ldap"), s.LdapOptions)
+	s.OpenPitrixOptions.AddFlags(fss.FlagSet("openpitrix"), s.OpenPitrixOptions)
+	s.NetworkOptions.AddFlags(fss.FlagSet("network"), s.NetworkOptions)
+	s.MultiClusterOptions.AddFlags(fss.FlagSet("multicluster"), s.MultiClusterOptions)
+	s.ServiceMeshOptions.AddFlags(fss.FlagSet("servicemesh"), s.ServiceMeshOptions)
+	s.GatewayOptions.AddFlags(fss.FlagSet("gateway"), s.GatewayOptions)
 	fs := fss.FlagSet("leaderelection")
-	leaderelectionconfig.BindFlags(s.LeaderElection, fs)
+	s.bindLeaderElectionFlags(s.LeaderElection, fs)
+
+	fs.BoolVar(&s.LeaderElect, "leader-elect", s.LeaderElect, ""+
+		"Whether to enable leader election. This field should be enabled when controller manager"+
+		"deployed with multiple replicas.")
+
+	fs.StringVar(&s.WebhookCertDir, "webhook-cert-dir", s.WebhookCertDir, ""+
+		"Certificate directory used to setup webhooks, need tls.crt and tls.key placed inside."+
+		"if not set, webhook server would look up the server key and certificate in"+
+		"{TempDir}/k8s-webhook-server/serving-certs")
+
+	gfs := fss.FlagSet("generic")
+	gfs.StringVar(&s.ApplicationSelector, "application-selector", s.ApplicationSelector, ""+
+		"Only reconcile application(sigs.k8s.io/application) objects match given selector, this could avoid conflicts with "+
+		"other projects built on top of sig-application. Default behavior is to reconcile all of application objects.")

 	kfs := fss.FlagSet("klog")
 	local := flag.NewFlagSet("klog", flag.ExitOnError)
@@ -78,5 +138,32 @@ func (s *KubeSphereControllerManagerOptions) Validate() []error {
 	errs = append(errs, s.KubernetesOptions.Validate()...)
 	errs = append(errs, s.S3Options.Validate()...)
 	errs = append(errs, s.OpenPitrixOptions.Validate()...)
+	errs = append(errs, s.NetworkOptions.Validate()...)
+	errs = append(errs, s.LdapOptions.Validate()...)
+	errs = append(errs, s.MultiClusterOptions.Validate()...)
+
+	if len(s.ApplicationSelector) != 0 {
+		_, err := labels.Parse(s.ApplicationSelector)
+		if err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	return errs
 }
+
+func (s *KubeSphereControllerManagerOptions) bindLeaderElectionFlags(l *leaderelection.LeaderElectionConfig, fs *pflag.FlagSet) {
+	fs.DurationVar(&l.LeaseDuration, "leader-elect-lease-duration", l.LeaseDuration, ""+
+		"The duration that non-leader candidates will wait after observing a leadership "+
+		"renewal until attempting to acquire leadership of a led but unrenewed leader "+
+		"slot. This is effectively the maximum duration that a leader can be stopped "+
+		"before it is replaced by another candidate. This is only applicable if leader "+
+		"election is enabled.")
+	fs.DurationVar(&l.RenewDeadline, "leader-elect-renew-deadline", l.RenewDeadline, ""+
+		"The interval between attempts by the acting master to renew a leadership slot "+
+		"before it stops leading. This must be less than or equal to the lease duration. "+
+		"This is only applicable if leader election is enabled.")
+	fs.DurationVar(&l.RetryPeriod, "leader-elect-retry-period", l.RetryPeriod, ""+
+		"The duration the clients should wait between attempting acquisition and renewal "+
+		"of a leadership. This is only applicable if leader election is enabled.")
+}
--- a/cmd/controller-manager/app/server.go
+++ b/cmd/controller-manager/app/server.go
@@ -1,19 +1,17 @@
 /*
+Copyright 2019 The KubeSphere Authors.

- Copyright 2019 The KubeSphere Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+    http://www.apache.org/licenses/LICENSE-2.0

+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */

 package app
@@ -21,52 +19,90 @@ package app
 import (
 	"context"
 	"fmt"
+	"os"
+
+	"kubesphere.io/kubesphere/pkg/models/kubeconfig"
+
 	"github.com/spf13/cobra"
-	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
-	"k8s.io/apimachinery/pkg/util/uuid"
-	"k8s.io/client-go/tools/leaderelection"
-	"k8s.io/client-go/tools/leaderelection/resourcelock"
-	"k8s.io/client-go/tools/record"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog"
+	"k8s.io/klog/klogr"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
 	"kubesphere.io/kubesphere/cmd/controller-manager/app/options"
 	"kubesphere.io/kubesphere/pkg/apis"
-	"kubesphere.io/kubesphere/pkg/client/clientset/versioned/scheme"
-	"kubesphere.io/kubesphere/pkg/controller"
-	controllerconfig "kubesphere.io/kubesphere/pkg/server/config"
-	"kubesphere.io/kubesphere/pkg/simple/client"
+	controllerconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
+	"kubesphere.io/kubesphere/pkg/controller/application"
+	"kubesphere.io/kubesphere/pkg/controller/helm"
+	"kubesphere.io/kubesphere/pkg/controller/namespace"
+	"kubesphere.io/kubesphere/pkg/controller/network/webhooks"
+	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmapplication"
+	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmcategory"
+	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmrelease"
+	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmrepo"
+	"kubesphere.io/kubesphere/pkg/controller/quota"
+	"kubesphere.io/kubesphere/pkg/controller/serviceaccount"
+	"kubesphere.io/kubesphere/pkg/controller/user"
+	"kubesphere.io/kubesphere/pkg/controller/workspace"
+	"kubesphere.io/kubesphere/pkg/controller/workspacerole"
+	"kubesphere.io/kubesphere/pkg/controller/workspacerolebinding"
+	"kubesphere.io/kubesphere/pkg/controller/workspacetemplate"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
+	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
+	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	"kubesphere.io/kubesphere/pkg/simple/client/s3"
+	"kubesphere.io/kubesphere/pkg/utils/metrics"
 	"kubesphere.io/kubesphere/pkg/utils/term"
-	"os"
-	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"sigs.k8s.io/controller-runtime/pkg/runtime/signals"
+	"kubesphere.io/kubesphere/pkg/version"
 )

 func NewControllerManagerCommand() *cobra.Command {
 	s := options.NewKubeSphereControllerManagerOptions()
+	conf, err := controllerconfig.TryLoadFromDisk()
+	if err == nil {
+		// make sure LeaderElection is not nil
+		s = &options.KubeSphereControllerManagerOptions{
+			KubernetesOptions:     conf.KubernetesOptions,
+			DevopsOptions:         conf.DevopsOptions,
+			S3Options:             conf.S3Options,
+			AuthenticationOptions: conf.AuthenticationOptions,
+			LdapOptions:           conf.LdapOptions,
+			OpenPitrixOptions:     conf.OpenPitrixOptions,
+			NetworkOptions:        conf.NetworkOptions,
+			MultiClusterOptions:   conf.MultiClusterOptions,
+			ServiceMeshOptions:    conf.ServiceMeshOptions,
+			GatewayOptions:        conf.GatewayOptions,
+			LeaderElection:        s.LeaderElection,
+			LeaderElect:           s.LeaderElect,
+			WebhookCertDir:        s.WebhookCertDir,
+		}
+	} else {
+		klog.Fatal("Failed to load configuration from disk", err)
+	}

 	cmd := &cobra.Command{
 		Use:  "controller-manager",
 		Long: `KubeSphere controller manager is a daemon that`,
 		Run: func(cmd *cobra.Command, args []string) {
-
-			err := controllerconfig.Load()
-			if err != nil {
-				klog.Fatal(err)
-				os.Exit(1)
-			}
-
-			s = Complete(s)
-
 			if errs := s.Validate(); len(errs) != 0 {
 				klog.Error(utilerrors.NewAggregate(errs))
 				os.Exit(1)
 			}

-			if err = Run(s, signals.SetupSignalHandler()); err != nil {
+			if err = run(s, signals.SetupSignalHandler()); err != nil {
+				klog.Error(err)
 				os.Exit(1)
 			}
 		},
+		SilenceUsage: true,
 	}

 	fs := cmd.Flags()
@@ -79,135 +115,258 @@ func NewControllerManagerCommand() *cobra.Command {
 	usageFmt := "Usage:\n  %s\n"
 	cols, _, _ := term.TerminalSize(cmd.OutOrStdout())
 	cmd.SetHelpFunc(func(cmd *cobra.Command, args []string) {
-		fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine())
+		_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine())
 		cliflag.PrintSections(cmd.OutOrStdout(), namedFlagSets, cols)
 	})
+
+	versionCmd := &cobra.Command{
+		Use:   "version",
+		Short: "Print the version of KubeSphere controller-manager",
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Println(version.Get())
+		},
+	}
+
+	cmd.AddCommand(versionCmd)
+
 	return cmd
 }

-func Complete(s *options.KubeSphereControllerManagerOptions) *options.KubeSphereControllerManagerOptions {
-	conf := controllerconfig.Get()
+func run(s *options.KubeSphereControllerManagerOptions, ctx context.Context) error {

-	conf.Apply(&controllerconfig.Config{
-		DevopsOptions:     s.DevopsOptions,
-		KubernetesOptions: s.KubernetesOptions,
-		S3Options:         s.S3Options,
-		OpenPitrixOptions: s.OpenPitrixOptions,
-	})
-
-	out := &options.KubeSphereControllerManagerOptions{
-		KubernetesOptions: conf.KubernetesOptions,
-		DevopsOptions:     conf.DevopsOptions,
-		S3Options:         conf.S3Options,
-		OpenPitrixOptions: conf.OpenPitrixOptions,
-		LeaderElection:    s.LeaderElection,
-	}
-
-	return out
-}
-
-func CreateClientSet(conf *controllerconfig.Config, stopCh <-chan struct{}) error {
-	csop := &client.ClientSetOptions{}
-
-	csop.SetKubernetesOptions(conf.KubernetesOptions).
-		SetDevopsOptions(conf.DevopsOptions).
-		SetS3Options(conf.S3Options).
-		SetOpenPitrixOptions(conf.OpenPitrixOptions).
-		SetKubeSphereOptions(conf.KubeSphereOptions)
-	client.NewClientSetFactory(csop, stopCh)
-
-	return nil
-}
-
-func Run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{}) error {
-	err := CreateClientSet(controllerconfig.Get(), stopCh)
+	kubernetesClient, err := k8s.NewKubernetesClient(s.KubernetesOptions)
 	if err != nil {
-		klog.Error(err)
+		klog.Errorf("Failed to create kubernetes clientset %v", err)
 		return err
 	}

-	config := client.ClientSets().K8s().Config()
-
-	run := func(ctx context.Context) {
-		klog.V(0).Info("setting up manager")
-		mgr, err := manager.New(config, manager.Options{})
+	var devopsClient devops.Interface
+	if s.DevopsOptions != nil && len(s.DevopsOptions.Host) != 0 {
+		devopsClient, err = jenkins.NewDevopsClient(s.DevopsOptions)
 		if err != nil {
-			klog.Fatalf("unable to set up overall controller manager: %v", err)
+			return fmt.Errorf("failed to connect jenkins, please check jenkins status, error: %v", err)
 		}
-
-		klog.V(0).Info("setting up scheme")
-		if err := apis.AddToScheme(mgr.GetScheme()); err != nil {
-			klog.Fatalf("unable add APIs to scheme: %v", err)
-		}
-
-		klog.V(0).Info("Setting up controllers")
-		if err := controller.AddToManager(mgr); err != nil {
-			klog.Fatalf("unable to register controllers to the manager: %v", err)
-		}
-
-		if err := AddControllers(mgr, config, stopCh); err != nil {
-			klog.Fatalf("unable to register controllers to the manager: %v", err)
-		}
-
-		klog.V(0).Info("Starting the Cmd.")
-		if err := mgr.Start(stopCh); err != nil {
-			klog.Fatalf("unable to run the manager: %v", err)
-		}
-
-		select {}
 	}

-	if !s.LeaderElection.LeaderElect {
-		run(context.TODO())
+	var ldapClient ldapclient.Interface
+	// when there is no ldapOption, we set ldapClient as nil, which means we don't need to sync user info into ldap.
+	if s.LdapOptions != nil && len(s.LdapOptions.Host) != 0 {
+		if s.LdapOptions.Host == ldapclient.FAKE_HOST { // for debug only
+			ldapClient = ldapclient.NewSimpleLdap()
+		} else {
+			ldapClient, err = ldapclient.NewLdapClient(s.LdapOptions, ctx.Done())
+			if err != nil {
+				return fmt.Errorf("failed to connect to ldap service, please check ldap status, error: %v", err)
+			}
+		}
+	} else {
+		klog.Warning("ks-controller-manager starts without ldap provided, it will not sync user into ldap")
 	}

-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	var s3Client s3.Interface
+	if s.S3Options != nil && len(s.S3Options.Endpoint) != 0 {
+		s3Client, err = s3.NewS3Client(s.S3Options)
+		if err != nil {
+			return fmt.Errorf("failed to connect to s3, please check s3 service status, error: %v", err)
+		}
+	}

-	go func() {
-		<-stopCh
-		cancel()
-	}()
+	informerFactory := informers.NewInformerFactories(
+		kubernetesClient.Kubernetes(),
+		kubernetesClient.KubeSphere(),
+		kubernetesClient.Istio(),
+		kubernetesClient.Snapshot(),
+		kubernetesClient.ApiExtensions(),
+		kubernetesClient.Prometheus())

-	id, err := os.Hostname()
+	mgrOptions := manager.Options{
+		CertDir: s.WebhookCertDir,
+		Port:    8443,
+	}
+
+	if s.LeaderElect {
+		mgrOptions = manager.Options{
+			CertDir:                 s.WebhookCertDir,
+			Port:                    8443,
+			LeaderElection:          s.LeaderElect,
+			LeaderElectionNamespace: "kubesphere-system",
+			LeaderElectionID:        "ks-controller-manager-leader-election",
+			LeaseDuration:           &s.LeaderElection.LeaseDuration,
+			RetryPeriod:             &s.LeaderElection.RetryPeriod,
+			RenewDeadline:           &s.LeaderElection.RenewDeadline,
+		}
+	}
+
+	klog.V(0).Info("setting up manager")
+	ctrl.SetLogger(klogr.New())
+	// Use 8443 instead of 443 cause we need root permission to bind port 443
+	mgr, err := manager.New(kubernetesClient.Config(), mgrOptions)
 	if err != nil {
-		return err
+		klog.Fatalf("unable to set up overall controller manager: %v", err)
 	}

-	// add a uniquifier so that two processes on the same host don't accidentally both become active
-	id = id + "_" + string(uuid.NewUUID())
+	if err = apis.AddToScheme(mgr.GetScheme()); err != nil {
+		klog.Fatalf("unable add APIs to scheme: %v", err)
+	}

-	// TODO: change lockType to lease
-	// once we finished moving to Kubernetes v1.16+, we
-	// change lockType to lease
-	lock, err := resourcelock.New("endpoints",
-		"kubesphere-system",
-		s.LeaderElection.ResourceLock,
-		client.ClientSets().K8s().Kubernetes().CoreV1(),
-		resourcelock.ResourceLockConfig{
-			Identity: id,
-			EventRecorder: record.NewBroadcaster().NewRecorder(scheme.Scheme, v1.EventSource{
-				Component: "ks-controller-manager",
-			}),
-		})
+	// register common meta types into schemas.
+	metav1.AddToGroupVersion(mgr.GetScheme(), metav1.SchemeGroupVersion)
+
+	kubeconfigClient := kubeconfig.NewOperator(kubernetesClient.Kubernetes(),
+		informerFactory.KubernetesSharedInformerFactory().Core().V1().ConfigMaps().Lister(),
+		kubernetesClient.Config())
+	userController := user.Reconciler{
+		MultiClusterEnabled:     s.MultiClusterOptions.Enable,
+		MaxConcurrentReconciles: 4,
+		LdapClient:              ldapClient,
+		DevopsClient:            devopsClient,
+		KubeconfigClient:        kubeconfigClient,
+		AuthenticationOptions:   s.AuthenticationOptions,
+	}
+
+	if err = userController.SetupWithManager(mgr); err != nil {
+		klog.Fatalf("Unable to create user controller: %v", err)
+	}
+
+	workspaceTemplateReconciler := &workspacetemplate.Reconciler{MultiClusterEnabled: s.MultiClusterOptions.Enable}
+	if err = workspaceTemplateReconciler.SetupWithManager(mgr); err != nil {
+		klog.Fatalf("Unable to create workspace template controller: %v", err)
+	}
+
+	workspaceReconciler := &workspace.Reconciler{}
+	if err = workspaceReconciler.SetupWithManager(mgr); err != nil {
+		klog.Fatalf("Unable to create workspace controller: %v", err)
+	}
+
+	workspaceRoleReconciler := &workspacerole.Reconciler{MultiClusterEnabled: s.MultiClusterOptions.Enable}
+	if err = workspaceRoleReconciler.SetupWithManager(mgr); err != nil {
+		klog.Fatalf("Unable to create workspace role controller: %v", err)
+	}
+
+	workspaceRoleBindingReconciler := &workspacerolebinding.Reconciler{MultiClusterEnabled: s.MultiClusterOptions.Enable}
+	if err = workspaceRoleBindingReconciler.SetupWithManager(mgr); err != nil {
+		klog.Fatalf("Unable to create workspace role binding controller: %v", err)
+	}
+
+	namespaceReconciler := &namespace.Reconciler{}
+	if err = namespaceReconciler.SetupWithManager(mgr); err != nil {
+		klog.Fatalf("Unable to create namespace controller: %v", err)
+	}
+
+	err = helmrepo.Add(mgr)
+	if err != nil {
+		klog.Fatal("Unable to create helm repo controller")
+	}
+
+	err = helmcategory.Add(mgr)
+	if err != nil {
+		klog.Fatal("Unable to create helm category controller")
+	}
+
+	var opS3Client s3.Interface
+	if !s.OpenPitrixOptions.AppStoreConfIsEmpty() {
+		opS3Client, err = s3.NewS3Client(s.OpenPitrixOptions.S3Options)
+		if err != nil {
+			klog.Fatalf("failed to connect to s3, please check openpitrix s3 service status, error: %v", err)
+		}
+		err = (&helmapplication.ReconcileHelmApplication{}).SetupWithManager(mgr)
+		if err != nil {
+			klog.Fatalf("Unable to create helm application controller, error: %s", err)
+		}
+
+		err = (&helmapplication.ReconcileHelmApplicationVersion{}).SetupWithManager(mgr)
+		if err != nil {
+			klog.Fatalf("Unable to create helm application version controller, error: %s ", err)
+		}
+	}
+
+	err = (&helmrelease.ReconcileHelmRelease{
+		// nil interface is valid value.
+		StorageClient:      opS3Client,
+		KsFactory:          informerFactory.KubeSphereSharedInformerFactory(),
+		MultiClusterEnable: s.MultiClusterOptions.Enable,
+		WaitTime:           s.OpenPitrixOptions.ReleaseControllerOptions.WaitTime,
+		MaxConcurrent:      s.OpenPitrixOptions.ReleaseControllerOptions.MaxConcurrent,
+		StopChan:           ctx.Done(),
+	}).SetupWithManager(mgr)

 	if err != nil {
-		klog.Fatalf("error creating lock: %v", err)
+		klog.Fatalf("Unable to create helm release controller, error: %s", err)
 	}

-	leaderelection.RunOrDie(ctx, leaderelection.LeaderElectionConfig{
-		Lock:          lock,
-		LeaseDuration: s.LeaderElection.LeaseDuration.Duration,
-		RenewDeadline: s.LeaderElection.RenewDeadline.Duration,
-		RetryPeriod:   s.LeaderElection.RetryPeriod.Duration,
-		Callbacks: leaderelection.LeaderCallbacks{
-			OnStartedLeading: run,
-			OnStoppedLeading: func() {
-				klog.Errorf("leadership lost")
-				os.Exit(0)
-			},
-		},
-	})
+	selector, _ := labels.Parse(s.ApplicationSelector)
+	applicationReconciler := &application.ApplicationReconciler{
+		Scheme:              mgr.GetScheme(),
+		Client:              mgr.GetClient(),
+		Mapper:              mgr.GetRESTMapper(),
+		ApplicationSelector: selector,
+	}
+	if err = applicationReconciler.SetupWithManager(mgr); err != nil {
+		klog.Fatalf("Unable to create application controller: %v", err)
+	}
+
+	saReconciler := &serviceaccount.Reconciler{}
+	if err = saReconciler.SetupWithManager(mgr); err != nil {
+		klog.Fatalf("Unable to create ServiceAccount controller: %v", err)
+	}
+
+	resourceQuotaReconciler := quota.Reconciler{}
+	if err := resourceQuotaReconciler.SetupWithManager(mgr, quota.DefaultMaxConcurrentReconciles, quota.DefaultResyncPeriod, informerFactory.KubernetesSharedInformerFactory()); err != nil {
+		klog.Fatalf("Unable to create ResourceQuota controller: %v", err)
+	}
+
+	if !s.GatewayOptions.IsEmpty() {
+		helmReconciler := helm.Reconciler{GatewayOptions: s.GatewayOptions}
+		if err := helmReconciler.SetupWithManager(mgr); err != nil {
+			klog.Fatalf("Unable to create helm controller: %v", err)
+		}
+	}
+
+	// TODO(jeff): refactor config with CRD
+	servicemeshEnabled := s.ServiceMeshOptions != nil && len(s.ServiceMeshOptions.IstioPilotHost) != 0
+	if err = addControllers(mgr,
+		kubernetesClient,
+		informerFactory,
+		devopsClient,
+		s3Client,
+		ldapClient,
+		s.KubernetesOptions,
+		s.AuthenticationOptions,
+		s.MultiClusterOptions,
+		s.NetworkOptions,
+		servicemeshEnabled,
+		s.AuthenticationOptions.KubectlImage, ctx.Done()); err != nil {
+		klog.Fatalf("unable to register controllers to the manager: %v", err)
+	}
+
+	// Start cache data after all informer is registered
+	klog.V(0).Info("Starting cache resource from apiserver...")
+	informerFactory.Start(ctx.Done())
+
+	// Setup webhooks
+	klog.V(2).Info("setting up webhook server")
+	hookServer := mgr.GetWebhookServer()
+
+	klog.V(2).Info("registering webhooks to the webhook server")
+	hookServer.Register("/validate-email-iam-kubesphere-io-v1alpha2", &webhook.Admission{Handler: &user.EmailValidator{Client: mgr.GetClient()}})
+	hookServer.Register("/validate-network-kubesphere-io-v1alpha1", &webhook.Admission{Handler: &webhooks.ValidatingHandler{C: mgr.GetClient()}})
+	hookServer.Register("/mutate-network-kubesphere-io-v1alpha1", &webhook.Admission{Handler: &webhooks.MutatingHandler{C: mgr.GetClient()}})
+
+	resourceQuotaAdmission, err := quota.NewResourceQuotaAdmission(mgr.GetClient(), mgr.GetScheme())
+	if err != nil {
+		klog.Fatalf("unable to create resource quota admission: %v", err)
+	}
+	hookServer.Register("/validate-quota-kubesphere-io-v1alpha2", &webhook.Admission{Handler: resourceQuotaAdmission})
+
+	klog.V(2).Info("registering metrics to the webhook server")
+	// Add an extra metric endpoint, so we can use the the same metric definition with ks-apiserver
+	// /kapis/metrics is independent of controller-manager's built-in /metrics
+	mgr.AddMetricsExtraHandler("/kapis/metrics", metrics.Handler())
+
+	klog.V(0).Info("Starting the controllers.")
+	if err = mgr.Start(ctx); err != nil {
+		klog.Fatalf("unable to run the manager: %v", err)
+	}

 	return nil
 }
--- a/cmd/controller-manager/controller-manager.go
+++ b/cmd/controller-manager/controller-manager.go
@@ -1,8 +1,25 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package main

 import (
-	"kubesphere.io/kubesphere/cmd/controller-manager/app"
 	"os"
+
+	"kubesphere.io/kubesphere/cmd/controller-manager/app"
 )

 func main() {
--- a/cmd/hypersphere/hypersphere.go
+++ b/cmd/hypersphere/hypersphere.go
@@ -1,75 +0,0 @@
-package main
-
-import (
-	goflag "flag"
-	cliflag "k8s.io/component-base/cli/flag"
-	"path/filepath"
-
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	controllermanager "kubesphere.io/kubesphere/cmd/controller-manager/app"
-	ksapigateway "kubesphere.io/kubesphere/cmd/ks-apigateway/app"
-	ksapiserver "kubesphere.io/kubesphere/cmd/ks-apiserver/app"
-	ksaiam "kubesphere.io/kubesphere/cmd/ks-iam/app"
-	"os"
-)
-
-func main() {
-	hypersphereCommand, allCommandFns := NewHyperSphereCommand()
-
-	pflag.CommandLine.SetNormalizeFunc(cliflag.WordSepNormalizeFunc)
-	pflag.CommandLine.AddGoFlagSet(goflag.CommandLine)
-
-	basename := filepath.Base(os.Args[0])
-	if err := commandFor(basename, hypersphereCommand, allCommandFns).Execute(); err != nil {
-		os.Exit(1)
-	}
-}
-
-func commandFor(basename string, defaultCommand *cobra.Command, commands []func() *cobra.Command) *cobra.Command {
-	for _, commandFn := range commands {
-		command := commandFn()
-		if command.Name() == basename {
-			return command
-		}
-
-		for _, alias := range command.Aliases {
-			if alias == basename {
-				return command
-			}
-		}
-	}
-
-	return defaultCommand
-}
-
-func NewHyperSphereCommand() (*cobra.Command, []func() *cobra.Command) {
-	apiserver := func() *cobra.Command { return ksapiserver.NewAPIServerCommand() }
-	controllermanager := func() *cobra.Command { return controllermanager.NewControllerManagerCommand() }
-	iam := func() *cobra.Command { return ksaiam.NewAPIServerCommand() }
-	apigateway := func() *cobra.Command { return ksapigateway.NewAPIGatewayCommand() }
-
-	commandFns := []func() *cobra.Command{
-		apiserver,
-		controllermanager,
-		iam,
-		apigateway,
-	}
-
-	cmd := &cobra.Command{
-		Use:   "hypersphere",
-		Short: "Request a new project",
-		Run: func(cmd *cobra.Command, args []string) {
-			if len(args) != 0 {
-				cmd.Help()
-				os.Exit(0)
-			}
-		},
-	}
-
-	for i := range commandFns {
-		cmd.AddCommand(commandFns[i]())
-	}
-
-	return cmd, commandFns
-}
--- a/cmd/ks-apigateway/apiserver.go
+++ b/cmd/ks-apigateway/apiserver.go
@@ -1,32 +0,0 @@
-/*
-
- Copyright 2019 The KubeSphere Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
-*/
-package main
-
-import (
-	"kubesphere.io/kubesphere/cmd/ks-apigateway/app"
-	"os"
-)
-
-func main() {
-
-	cmd := app.NewAPIGatewayCommand()
-
-	if err := cmd.Execute(); err != nil {
-		os.Exit(1)
-	}
-}
--- a/cmd/ks-apigateway/app/server.go
+++ b/cmd/ks-apigateway/app/server.go
@@ -1,53 +0,0 @@
-package app
-
-import (
-	"flag"
-	"github.com/mholt/caddy/caddy/caddymain"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
-	"github.com/spf13/cobra"
-	apiserverconfig "kubesphere.io/kubesphere/pkg/server/config"
-	"kubesphere.io/kubesphere/pkg/simple/client"
-	"kubesphere.io/kubesphere/pkg/utils/signals"
-
-	"kubesphere.io/kubesphere/pkg/apigateway"
-)
-
-func NewAPIGatewayCommand() *cobra.Command {
-
-	cmd := &cobra.Command{
-		Use: "ks-apigateway",
-		Long: `The KubeSphere API Gateway, which is responsible 
-for proxy request to the right backend. API Gateway also proxy 
-Kubernetes API Server for KubeSphere authorization purpose.
-`,
-		RunE: func(cmd *cobra.Command, args []string) error {
-
-			err := apiserverconfig.Load()
-			if err != nil {
-				return err
-			}
-
-			apigateway.RegisterPlugins()
-
-			return Run(signals.SetupSignalHandler())
-		},
-	}
-
-	cmd.Flags().AddGoFlagSet(flag.CommandLine)
-
-	return cmd
-}
-
-func Run(stopCh <-chan struct{}) error {
-
-	csop := &client.ClientSetOptions{}
-	csop.SetKubernetesOptions(apiserverconfig.Get().KubernetesOptions)
-	client.NewClientSetFactory(csop, stopCh)
-
-	httpserver.RegisterDevDirective("authenticate", "jwt")
-	httpserver.RegisterDevDirective("authentication", "jwt")
-	httpserver.RegisterDevDirective("swagger", "jwt")
-	caddymain.Run()
-
-	return nil
-}
--- a/cmd/ks-apiserver/apiserver.go
+++ b/cmd/ks-apiserver/apiserver.go
@@ -1,25 +1,25 @@
 /*
+Copyright 2019 The KubeSphere Authors.

- Copyright 2019 The KubeSphere Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+    http://www.apache.org/licenses/LICENSE-2.0

+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */
+
 package main

 import (
-	"kubesphere.io/kubesphere/cmd/ks-apiserver/app"
 	"log"
+
+	"kubesphere.io/kubesphere/cmd/ks-apiserver/app"
 )

 func main() {
--- a/cmd/ks-apiserver/app/options/options.go
+++ b/cmd/ks-apiserver/app/options/options.go
@@ -1,68 +1,97 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package options

 import (
+	"crypto/tls"
 	"flag"
+	"fmt"
+
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/token"
+
+	"k8s.io/client-go/kubernetes/scheme"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog"
+	runtimecache "sigs.k8s.io/controller-runtime/pkg/cache"
+	runtimeclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	"kubesphere.io/kubesphere/pkg/apis"
+	"kubesphere.io/kubesphere/pkg/apiserver"
+	apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
+	"kubesphere.io/kubesphere/pkg/informers"
 	genericoptions "kubesphere.io/kubesphere/pkg/server/options"
-	"kubesphere.io/kubesphere/pkg/simple/client/devops"
-	esclient "kubesphere.io/kubesphere/pkg/simple/client/elasticsearch"
-	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
-	"kubesphere.io/kubesphere/pkg/simple/client/mysql"
-	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
-	"kubesphere.io/kubesphere/pkg/simple/client/prometheus"
-	"kubesphere.io/kubesphere/pkg/simple/client/s2is3"
-	"kubesphere.io/kubesphere/pkg/simple/client/servicemesh"
-	"kubesphere.io/kubesphere/pkg/simple/client/sonarqube"
+	"kubesphere.io/kubesphere/pkg/simple/client/alerting"
+	auditingclient "kubesphere.io/kubesphere/pkg/simple/client/auditing/elasticsearch"
+	"kubesphere.io/kubesphere/pkg/simple/client/cache"
+
+	"net/http"
 	"strings"
+
+	"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
+	eventsclient "kubesphere.io/kubesphere/pkg/simple/client/events/elasticsearch"
+	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
+	esclient "kubesphere.io/kubesphere/pkg/simple/client/logging/elasticsearch"
+	"kubesphere.io/kubesphere/pkg/simple/client/monitoring/metricsserver"
+	"kubesphere.io/kubesphere/pkg/simple/client/monitoring/prometheus"
+	"kubesphere.io/kubesphere/pkg/simple/client/s3"
+	fakes3 "kubesphere.io/kubesphere/pkg/simple/client/s3/fake"
+	"kubesphere.io/kubesphere/pkg/simple/client/sonarqube"
 )

 type ServerRunOptions struct {
+	ConfigFile              string
 	GenericServerRunOptions *genericoptions.ServerRunOptions
+	*apiserverconfig.Config

-	KubernetesOptions  *k8s.KubernetesOptions
-	DevopsOptions      *devops.DevopsOptions
-	SonarQubeOptions   *sonarqube.SonarQubeOptions
-	ServiceMeshOptions *servicemesh.ServiceMeshOptions
-	MySQLOptions       *mysql.MySQLOptions
-	MonitoringOptions  *prometheus.PrometheusOptions
-	S3Options          *s2is3.S3Options
-	OpenPitrixOptions  *openpitrix.OpenPitrixOptions
-	LoggingOptions     *esclient.ElasticSearchOptions
+	//
+	DebugMode bool
 }

 func NewServerRunOptions() *ServerRunOptions {
-
-	s := ServerRunOptions{
+	s := &ServerRunOptions{
 		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
-		KubernetesOptions:       k8s.NewKubernetesOptions(),
-		DevopsOptions:           devops.NewDevopsOptions(),
-		SonarQubeOptions:        sonarqube.NewSonarQubeOptions(),
-		ServiceMeshOptions:      servicemesh.NewServiceMeshOptions(),
-		MySQLOptions:            mysql.NewMySQLOptions(),
-		MonitoringOptions:       prometheus.NewPrometheusOptions(),
-		S3Options:               s2is3.NewS3Options(),
-		OpenPitrixOptions:       openpitrix.NewOpenPitrixOptions(),
-		LoggingOptions:          esclient.NewElasticSearchOptions(),
+		Config:                  apiserverconfig.New(),
 	}

-	return &s
+	return s
 }

 func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
+	fs := fss.FlagSet("generic")
+	fs.BoolVar(&s.DebugMode, "debug", false, "Don't enable this if you don't know what it means.")
+	s.GenericServerRunOptions.AddFlags(fs, s.GenericServerRunOptions)
+	s.KubernetesOptions.AddFlags(fss.FlagSet("kubernetes"), s.KubernetesOptions)
+	s.AuthenticationOptions.AddFlags(fss.FlagSet("authentication"), s.AuthenticationOptions)
+	s.AuthorizationOptions.AddFlags(fss.FlagSet("authorization"), s.AuthorizationOptions)
+	s.DevopsOptions.AddFlags(fss.FlagSet("devops"), s.DevopsOptions)
+	s.SonarQubeOptions.AddFlags(fss.FlagSet("sonarqube"), s.SonarQubeOptions)
+	s.RedisOptions.AddFlags(fss.FlagSet("redis"), s.RedisOptions)
+	s.S3Options.AddFlags(fss.FlagSet("s3"), s.S3Options)
+	s.OpenPitrixOptions.AddFlags(fss.FlagSet("openpitrix"), s.OpenPitrixOptions)
+	s.NetworkOptions.AddFlags(fss.FlagSet("network"), s.NetworkOptions)
+	s.ServiceMeshOptions.AddFlags(fss.FlagSet("servicemesh"), s.ServiceMeshOptions)
+	s.MonitoringOptions.AddFlags(fss.FlagSet("monitoring"), s.MonitoringOptions)
+	s.LoggingOptions.AddFlags(fss.FlagSet("logging"), s.LoggingOptions)
+	s.MultiClusterOptions.AddFlags(fss.FlagSet("multicluster"), s.MultiClusterOptions)
+	s.EventsOptions.AddFlags(fss.FlagSet("events"), s.EventsOptions)
+	s.AuditingOptions.AddFlags(fss.FlagSet("auditing"), s.AuditingOptions)
+	s.AlertingOptions.AddFlags(fss.FlagSet("alerting"), s.AlertingOptions)

-	s.GenericServerRunOptions.AddFlags(fss.FlagSet("generic"))
-	s.KubernetesOptions.AddFlags(fss.FlagSet("kubernetes"))
-	s.MySQLOptions.AddFlags(fss.FlagSet("mysql"))
-	s.DevopsOptions.AddFlags(fss.FlagSet("devops"))
-	s.SonarQubeOptions.AddFlags(fss.FlagSet("sonarqube"))
-	s.S3Options.AddFlags(fss.FlagSet("s3"))
-	s.OpenPitrixOptions.AddFlags(fss.FlagSet("openpitrix"))
-	s.ServiceMeshOptions.AddFlags(fss.FlagSet("servicemesh"))
-	s.MonitoringOptions.AddFlags(fss.FlagSet("monitoring"))
-	s.LoggingOptions.AddFlags(fss.FlagSet("logging"))
-
-	fs := fss.FlagSet("klog")
+	fs = fss.FlagSet("klog")
 	local := flag.NewFlagSet("klog", flag.ExitOnError)
 	klog.InitFlags(local)
 	local.VisitAll(func(fl *flag.Flag) {
@@ -72,3 +101,151 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {

 	return fss
 }
+
+const fakeInterface string = "FAKE"
+
+// NewAPIServer creates an APIServer instance using given options
+func (s *ServerRunOptions) NewAPIServer(stopCh <-chan struct{}) (*apiserver.APIServer, error) {
+	apiServer := &apiserver.APIServer{
+		Config: s.Config,
+	}
+
+	kubernetesClient, err := k8s.NewKubernetesClient(s.KubernetesOptions)
+	if err != nil {
+		return nil, err
+	}
+	apiServer.KubernetesClient = kubernetesClient
+
+	informerFactory := informers.NewInformerFactories(kubernetesClient.Kubernetes(), kubernetesClient.KubeSphere(),
+		kubernetesClient.Istio(), kubernetesClient.Snapshot(), kubernetesClient.ApiExtensions(), kubernetesClient.Prometheus())
+	apiServer.InformerFactory = informerFactory
+
+	if s.MonitoringOptions == nil || len(s.MonitoringOptions.Endpoint) == 0 {
+		return nil, fmt.Errorf("moinitoring service address in configuration MUST not be empty, please check configmap/kubesphere-config in kubesphere-system namespace")
+	} else {
+		monitoringClient, err := prometheus.NewPrometheus(s.MonitoringOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to prometheus, please check prometheus status, error: %v", err)
+		}
+		apiServer.MonitoringClient = monitoringClient
+	}
+
+	apiServer.MetricsClient = metricsserver.NewMetricsClient(kubernetesClient.Kubernetes(), s.KubernetesOptions)
+
+	if s.LoggingOptions.Host != "" {
+		loggingClient, err := esclient.NewClient(s.LoggingOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to elasticsearch, please check elasticsearch status, error: %v", err)
+		}
+		apiServer.LoggingClient = loggingClient
+	}
+
+	if s.S3Options.Endpoint != "" {
+		if s.S3Options.Endpoint == fakeInterface && s.DebugMode {
+			apiServer.S3Client = fakes3.NewFakeS3()
+		} else {
+			s3Client, err := s3.NewS3Client(s.S3Options)
+			if err != nil {
+				return nil, fmt.Errorf("failed to connect to s3, please check s3 service status, error: %v", err)
+			}
+			apiServer.S3Client = s3Client
+		}
+	}
+
+	if s.DevopsOptions.Host != "" {
+		devopsClient, err := jenkins.NewDevopsClient(s.DevopsOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to jenkins, please check jenkins status, error: %v", err)
+		}
+		apiServer.DevopsClient = devopsClient
+	}
+
+	if s.SonarQubeOptions.Host != "" {
+		sonarClient, err := sonarqube.NewSonarQubeClient(s.SonarQubeOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connecto to sonarqube, please check sonarqube status, error: %v", err)
+		}
+		apiServer.SonarClient = sonarqube.NewSonar(sonarClient.SonarQube())
+	}
+
+	var cacheClient cache.Interface
+	if s.RedisOptions != nil && len(s.RedisOptions.Host) != 0 {
+		if s.RedisOptions.Host == fakeInterface && s.DebugMode {
+			apiServer.CacheClient = cache.NewSimpleCache()
+		} else {
+			cacheClient, err = cache.NewRedisClient(s.RedisOptions, stopCh)
+			if err != nil {
+				return nil, fmt.Errorf("failed to connect to redis service, please check redis status, error: %v", err)
+			}
+			apiServer.CacheClient = cacheClient
+		}
+	} else {
+		klog.Warning("ks-apiserver starts without redis provided, it will use in memory cache. " +
+			"This may cause inconsistencies when running ks-apiserver with multiple replicas.")
+		apiServer.CacheClient = cache.NewSimpleCache()
+	}
+
+	if s.EventsOptions.Host != "" {
+		eventsClient, err := eventsclient.NewClient(s.EventsOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to elasticsearch, please check elasticsearch status, error: %v", err)
+		}
+		apiServer.EventsClient = eventsClient
+	}
+
+	if s.AuditingOptions.Host != "" {
+		auditingClient, err := auditingclient.NewClient(s.AuditingOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to elasticsearch, please check elasticsearch status, error: %v", err)
+		}
+		apiServer.AuditingClient = auditingClient
+	}
+
+	if s.AlertingOptions != nil && (s.AlertingOptions.PrometheusEndpoint != "" || s.AlertingOptions.ThanosRulerEndpoint != "") {
+		alertingClient, err := alerting.NewRuleClient(s.AlertingOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to init alerting client: %v", err)
+		}
+		apiServer.AlertingClient = alertingClient
+	}
+
+	server := &http.Server{
+		Addr: fmt.Sprintf(":%d", s.GenericServerRunOptions.InsecurePort),
+	}
+
+	if s.GenericServerRunOptions.SecurePort != 0 {
+		certificate, err := tls.LoadX509KeyPair(s.GenericServerRunOptions.TlsCertFile, s.GenericServerRunOptions.TlsPrivateKey)
+		if err != nil {
+			return nil, err
+		}
+
+		server.TLSConfig = &tls.Config{
+			Certificates: []tls.Certificate{certificate},
+		}
+		server.Addr = fmt.Sprintf(":%d", s.GenericServerRunOptions.SecurePort)
+	}
+
+	sch := scheme.Scheme
+	if err := apis.AddToScheme(sch); err != nil {
+		klog.Fatalf("unable add APIs to scheme: %v", err)
+	}
+
+	apiServer.RuntimeCache, err = runtimecache.New(apiServer.KubernetesClient.Config(), runtimecache.Options{Scheme: sch})
+	if err != nil {
+		klog.Fatalf("unable to create controller runtime cache: %v", err)
+	}
+
+	apiServer.RuntimeClient, err = runtimeclient.New(apiServer.KubernetesClient.Config(), runtimeclient.Options{Scheme: sch})
+	if err != nil {
+		klog.Fatalf("unable to create controller runtime client: %v", err)
+	}
+
+	apiServer.Issuer, err = token.NewIssuer(s.AuthenticationOptions)
+	if err != nil {
+		klog.Fatalf("unable to create issuer: %v", err)
+	}
+
+	apiServer.Server = server
+
+	return apiServer, nil
+}
--- a/cmd/ks-apiserver/app/options/validation.go
+++ b/cmd/ks-apiserver/app/options/validation.go
@@ -1,3 +1,19 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package options

 // Validate validates server run options, to find
@@ -5,15 +21,21 @@ package options
 func (s *ServerRunOptions) Validate() []error {
 	var errors []error

+	errors = append(errors, s.GenericServerRunOptions.Validate()...)
 	errors = append(errors, s.DevopsOptions.Validate()...)
 	errors = append(errors, s.KubernetesOptions.Validate()...)
-	errors = append(errors, s.MySQLOptions.Validate()...)
 	errors = append(errors, s.ServiceMeshOptions.Validate()...)
 	errors = append(errors, s.MonitoringOptions.Validate()...)
 	errors = append(errors, s.SonarQubeOptions.Validate()...)
 	errors = append(errors, s.S3Options.Validate()...)
 	errors = append(errors, s.OpenPitrixOptions.Validate()...)
+	errors = append(errors, s.NetworkOptions.Validate()...)
 	errors = append(errors, s.LoggingOptions.Validate()...)
+	errors = append(errors, s.AuthenticationOptions.Validate()...)
+	errors = append(errors, s.AuthorizationOptions.Validate()...)
+	errors = append(errors, s.EventsOptions.Validate()...)
+	errors = append(errors, s.AuditingOptions.Validate()...)
+	errors = append(errors, s.AlertingOptions.Validate()...)

 	return errors
 }
--- a/cmd/ks-apiserver/app/server.go
+++ b/cmd/ks-apiserver/app/server.go
@@ -1,75 +1,69 @@
 /*
+Copyright 2019 The KubeSphere Authors.

- Copyright 2019 The KubeSphere Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at

- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+    http://www.apache.org/licenses/LICENSE-2.0

+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 */
+
 package app

 import (
+	"context"
 	"fmt"
-	kconfig "github.com/kiali/kiali/config"
+
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog"
-	"kubesphere.io/kubesphere/cmd/ks-apiserver/app/options"
-	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
-	"kubesphere.io/kubesphere/pkg/apiserver/servicemesh/tracing"
-	"kubesphere.io/kubesphere/pkg/informers"
-	"kubesphere.io/kubesphere/pkg/server"
-	apiserverconfig "kubesphere.io/kubesphere/pkg/server/config"
-	"kubesphere.io/kubesphere/pkg/server/filter"
-	"kubesphere.io/kubesphere/pkg/simple/client"
-	"kubesphere.io/kubesphere/pkg/utils/signals"
-	"kubesphere.io/kubesphere/pkg/utils/term"
-	"net/http"

-	"kubesphere.io/kubesphere/pkg/apis"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+
+	"kubesphere.io/kubesphere/cmd/ks-apiserver/app/options"
+	apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
+	"kubesphere.io/kubesphere/pkg/utils/term"
+	"kubesphere.io/kubesphere/pkg/version"
 )

 func NewAPIServerCommand() *cobra.Command {
 	s := options.NewServerRunOptions()

+	// Load configuration from file
+	conf, err := apiserverconfig.TryLoadFromDisk()
+	if err == nil {
+		s = &options.ServerRunOptions{
+			GenericServerRunOptions: s.GenericServerRunOptions,
+			Config:                  conf,
+		}
+	} else {
+		klog.Fatal("Failed to load configuration from disk", err)
+	}
+
 	cmd := &cobra.Command{
 		Use: "ks-apiserver",
-		Long: `The KubeSphere API server validates and configures data for the api objects. 
+		Long: `The KubeSphere API server validates and configures data for the API objects. 
 The API Server services REST operations and provides the frontend to the
 cluster's shared state through which all other components interact.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			err := apiserverconfig.Load()
-			if err != nil {
-				return err
-			}
-
-			err = Complete(s)
-			if err != nil {
-				return err
-			}
-
 			if errs := s.Validate(); len(errs) != 0 {
 				return utilerrors.NewAggregate(errs)
 			}

 			return Run(s, signals.SetupSignalHandler())
 		},
+		SilenceUsage: true,
 	}

 	fs := cmd.Flags()
 	namedFlagSets := s.Flags()
-
 	for _, f := range namedFlagSets.FlagSets {
 		fs.AddFlagSet(f)
 	}
@@ -80,274 +74,31 @@ cluster's shared state through which all other components interact.`,
 		fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine())
 		cliflag.PrintSections(cmd.OutOrStdout(), namedFlagSets, cols)
 	})
+
+	versionCmd := &cobra.Command{
+		Use:   "version",
+		Short: "Print the version of KubeSphere ks-apiserver",
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Println(version.Get())
+		},
+	}
+
+	cmd.AddCommand(versionCmd)
+
 	return cmd
 }

-func Run(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
+func Run(s *options.ServerRunOptions, ctx context.Context) error {

-	err := CreateClientSet(apiserverconfig.Get(), stopCh)
+	apiserver, err := s.NewAPIServer(ctx.Done())
 	if err != nil {
 		return err
 	}

-	err = WaitForResourceSync(stopCh)
+	err = apiserver.PrepareRun(ctx.Done())
 	if err != nil {
 		return err
 	}

-	initializeServicemeshConfig(s)
-
-	err = CreateAPIServer(s)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func initializeServicemeshConfig(s *options.ServerRunOptions) {
-	// Initialize kiali config
-	config := kconfig.NewConfig()
-
-	tracing.JaegerQueryUrl = s.ServiceMeshOptions.JaegerQueryHost
-
-	// Exclude system namespaces
-	config.API.Namespaces.Exclude = []string{"istio-system", "kubesphere*", "kube*"}
-	config.InCluster = true
-
-	// Set default prometheus service url
-	config.ExternalServices.PrometheusServiceURL = s.ServiceMeshOptions.ServicemeshPrometheusHost
-	config.ExternalServices.PrometheusCustomMetricsURL = config.ExternalServices.PrometheusServiceURL
-
-	// Set istio pilot discovery service url
-	config.ExternalServices.Istio.UrlServiceVersion = s.ServiceMeshOptions.IstioPilotHost
-
-	kconfig.Set(config)
-}
-
-//
-func CreateAPIServer(s *options.ServerRunOptions) error {
-	var err error
-
-	container := runtime.Container
-	container.DoNotRecover(false)
-	container.Filter(filter.Logging)
-	container.RecoverHandler(server.LogStackOnRecover)
-
-	apis.InstallAPIs(container)
-
-	// install config api
-	apiserverconfig.InstallAPI(container)
-
-	if s.GenericServerRunOptions.InsecurePort != 0 {
-		err = http.ListenAndServe(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.InsecurePort), container)
-		if err == nil {
-			klog.V(0).Infof("Server listening on insecure port %d.", s.GenericServerRunOptions.InsecurePort)
-		}
-	}
-
-	if s.GenericServerRunOptions.SecurePort != 0 && len(s.GenericServerRunOptions.TlsCertFile) > 0 && len(s.GenericServerRunOptions.TlsPrivateKey) > 0 {
-		err = http.ListenAndServeTLS(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.SecurePort), s.GenericServerRunOptions.TlsCertFile, s.GenericServerRunOptions.TlsPrivateKey, container)
-		if err == nil {
-			klog.V(0).Infof("Server listening on secure port %d.", s.GenericServerRunOptions.SecurePort)
-		}
-	}
-
-	return err
-}
-
-func CreateClientSet(conf *apiserverconfig.Config, stopCh <-chan struct{}) error {
-	csop := &client.ClientSetOptions{}
-
-	csop.SetDevopsOptions(conf.DevopsOptions).
-		SetSonarQubeOptions(conf.SonarQubeOptions).
-		SetKubernetesOptions(conf.KubernetesOptions).
-		SetMySQLOptions(conf.MySQLOptions).
-		SetLdapOptions(conf.LdapOptions).
-		SetS3Options(conf.S3Options).
-		SetOpenPitrixOptions(conf.OpenPitrixOptions).
-		SetPrometheusOptions(conf.MonitoringOptions).
-		SetKubeSphereOptions(conf.KubeSphereOptions).
-		SetElasticSearchOptions(conf.LoggingOptions)
-
-	client.NewClientSetFactory(csop, stopCh)
-
-	return nil
-}
-
-func WaitForResourceSync(stopCh <-chan struct{}) error {
-	klog.V(0).Info("Start cache objects")
-
-	discoveryClient := client.ClientSets().K8s().Discovery()
-	apiResourcesList, err := discoveryClient.ServerResources()
-	if err != nil {
-		return err
-	}
-
-	isResourceExists := func(resource schema.GroupVersionResource) bool {
-		for _, apiResource := range apiResourcesList {
-			if apiResource.GroupVersion == resource.GroupVersion().String() {
-				for _, rsc := range apiResource.APIResources {
-					if rsc.Name == resource.Resource {
-						return true
-					}
-				}
-			}
-		}
-		return false
-	}
-
-	informerFactory := informers.SharedInformerFactory()
-
-	// resources we have to create informer first
-	k8sGVRs := []schema.GroupVersionResource{
-		{Group: "", Version: "v1", Resource: "namespaces"},
-		{Group: "", Version: "v1", Resource: "nodes"},
-		{Group: "", Version: "v1", Resource: "resourcequotas"},
-		{Group: "", Version: "v1", Resource: "pods"},
-		{Group: "", Version: "v1", Resource: "services"},
-		{Group: "", Version: "v1", Resource: "persistentvolumeclaims"},
-		{Group: "", Version: "v1", Resource: "secrets"},
-		{Group: "", Version: "v1", Resource: "configmaps"},
-
-		{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "roles"},
-		{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "rolebindings"},
-		{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterroles"},
-		{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterrolebindings"},
-
-		{Group: "apps", Version: "v1", Resource: "deployments"},
-		{Group: "apps", Version: "v1", Resource: "daemonsets"},
-		{Group: "apps", Version: "v1", Resource: "replicasets"},
-		{Group: "apps", Version: "v1", Resource: "statefulsets"},
-		{Group: "apps", Version: "v1", Resource: "controllerrevisions"},
-
-		{Group: "storage.k8s.io", Version: "v1", Resource: "storageclasses"},
-
-		{Group: "batch", Version: "v1", Resource: "jobs"},
-		{Group: "batch", Version: "v1beta1", Resource: "cronjobs"},
-
-		{Group: "extensions", Version: "v1beta1", Resource: "ingresses"},
-
-		{Group: "autoscaling", Version: "v2beta2", Resource: "horizontalpodautoscalers"},
-	}
-
-	for _, gvr := range k8sGVRs {
-		if !isResourceExists(gvr) {
-			klog.Warningf("resource %s not exists in the cluster", gvr)
-		} else {
-			_, err := informerFactory.ForResource(gvr)
-			if err != nil {
-				klog.Errorf("cannot create informer for %s", gvr)
-				return err
-			}
-		}
-	}
-
-	informerFactory.Start(stopCh)
-	informerFactory.WaitForCacheSync(stopCh)
-
-	s2iInformerFactory := informers.S2iSharedInformerFactory()
-
-	s2iGVRs := []schema.GroupVersionResource{
-		{Group: "devops.kubesphere.io", Version: "v1alpha1", Resource: "s2ibuildertemplates"},
-		{Group: "devops.kubesphere.io", Version: "v1alpha1", Resource: "s2iruns"},
-		{Group: "devops.kubesphere.io", Version: "v1alpha1", Resource: "s2ibuilders"},
-	}
-
-	for _, gvr := range s2iGVRs {
-		if !isResourceExists(gvr) {
-			klog.Warningf("resource %s not exists in the cluster", gvr)
-		} else {
-			_, err := s2iInformerFactory.ForResource(gvr)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	s2iInformerFactory.Start(stopCh)
-	s2iInformerFactory.WaitForCacheSync(stopCh)
-
-	ksInformerFactory := informers.KsSharedInformerFactory()
-
-	ksGVRs := []schema.GroupVersionResource{
-		{Group: "tenant.kubesphere.io", Version: "v1alpha1", Resource: "workspaces"},
-		{Group: "devops.kubesphere.io", Version: "v1alpha1", Resource: "s2ibinaries"},
-
-		{Group: "servicemesh.kubesphere.io", Version: "v1alpha2", Resource: "strategies"},
-		{Group: "servicemesh.kubesphere.io", Version: "v1alpha2", Resource: "servicepolicies"},
-	}
-
-	for _, gvr := range ksGVRs {
-		if !isResourceExists(gvr) {
-			klog.Warningf("resource %s not exists in the cluster", gvr)
-		} else {
-			_, err := ksInformerFactory.ForResource(gvr)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	ksInformerFactory.Start(stopCh)
-	ksInformerFactory.WaitForCacheSync(stopCh)
-
-	appInformerFactory := informers.AppSharedInformerFactory()
-
-	appGVRs := []schema.GroupVersionResource{
-		{Group: "app.k8s.io", Version: "v1beta1", Resource: "applications"},
-	}
-
-	for _, gvr := range appGVRs {
-		if !isResourceExists(gvr) {
-			klog.Warningf("resource %s not exists in the cluster", gvr)
-		} else {
-			_, err := appInformerFactory.ForResource(gvr)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	appInformerFactory.Start(stopCh)
-	appInformerFactory.WaitForCacheSync(stopCh)
-
-	klog.V(0).Info("Finished caching objects")
-
-	return nil
-
-}
-
-// apply server run options to configuration
-func Complete(s *options.ServerRunOptions) error {
-
-	// loading configuration file
-	conf := apiserverconfig.Get()
-
-	conf.Apply(&apiserverconfig.Config{
-		MySQLOptions:       s.MySQLOptions,
-		DevopsOptions:      s.DevopsOptions,
-		SonarQubeOptions:   s.SonarQubeOptions,
-		KubernetesOptions:  s.KubernetesOptions,
-		ServiceMeshOptions: s.ServiceMeshOptions,
-		MonitoringOptions:  s.MonitoringOptions,
-		S3Options:          s.S3Options,
-		OpenPitrixOptions:  s.OpenPitrixOptions,
-		LoggingOptions:     s.LoggingOptions,
-	})
-
-	*s = options.ServerRunOptions{
-		GenericServerRunOptions: s.GenericServerRunOptions,
-		KubernetesOptions:       conf.KubernetesOptions,
-		DevopsOptions:           conf.DevopsOptions,
-		SonarQubeOptions:        conf.SonarQubeOptions,
-		ServiceMeshOptions:      conf.ServiceMeshOptions,
-		MySQLOptions:            conf.MySQLOptions,
-		MonitoringOptions:       conf.MonitoringOptions,
-		S3Options:               conf.S3Options,
-		OpenPitrixOptions:       conf.OpenPitrixOptions,
-		LoggingOptions:          conf.LoggingOptions,
-	}
-
-	return nil
+	return apiserver.Run(ctx)
 }
--- a/cmd/ks-iam/apiserver.go
+++ b/cmd/ks-iam/apiserver.go
@@ -1,32 +0,0 @@
-/*
-
- Copyright 2019 The KubeSphere Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
-*/
-package main
-
-import (
-	"kubesphere.io/kubesphere/cmd/ks-iam/app"
-	"log"
-)
-
-func main() {
-
-	cmd := app.NewAPIServerCommand()
-
-	if err := cmd.Execute(); err != nil {
-		log.Fatalln(err)
-	}
-}
--- a/cmd/ks-iam/app/options/options.go
+++ b/cmd/ks-iam/app/options/options.go
@@ -1,86 +0,0 @@
-/*
-
- Copyright 2019 The KubeSphere Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
-*/
-package options
-
-import (
-	"flag"
-	cliflag "k8s.io/component-base/cli/flag"
-	"k8s.io/klog"
-	genericoptions "kubesphere.io/kubesphere/pkg/server/options"
-	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
-	"kubesphere.io/kubesphere/pkg/simple/client/ldap"
-	"kubesphere.io/kubesphere/pkg/simple/client/mysql"
-	"kubesphere.io/kubesphere/pkg/simple/client/redis"
-	"strings"
-	"time"
-)
-
-type ServerRunOptions struct {
-	GenericServerRunOptions *genericoptions.ServerRunOptions
-	KubernetesOptions       *k8s.KubernetesOptions
-	LdapOptions             *ldap.LdapOptions
-	RedisOptions            *redis.RedisOptions
-	MySQLOptions            *mysql.MySQLOptions
-	AdminEmail              string
-	AdminPassword           string
-	TokenIdleTimeout        time.Duration
-	JWTSecret               string
-	AuthRateLimit           string
-	EnableMultiLogin        bool
-	GenerateKubeConfig      bool
-}
-
-func NewServerRunOptions() *ServerRunOptions {
-	s := &ServerRunOptions{
-		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
-		KubernetesOptions:       k8s.NewKubernetesOptions(),
-		LdapOptions:             ldap.NewLdapOptions(),
-		MySQLOptions:            mysql.NewMySQLOptions(),
-		RedisOptions:            redis.NewRedisOptions(),
-	}
-	return s
-}
-
-func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
-
-	fs := fss.FlagSet("generic")
-
-	s.GenericServerRunOptions.AddFlags(fs)
-	fs.StringVar(&s.AdminEmail, "admin-email", "admin@kubesphere.io", "default administrator's email")
-	fs.StringVar(&s.AdminPassword, "admin-password", "passw0rd", "default administrator's password")
-	fs.DurationVar(&s.TokenIdleTimeout, "token-idle-timeout", 30*time.Minute, "tokens that are idle beyond that time will expire,0s means the token has no expiration time. valid time units are \"ns\",\"us\",\"ms\",\"s\",\"m\",\"h\"")
-	fs.StringVar(&s.JWTSecret, "jwt-secret", "", "jwt secret")
-	fs.StringVar(&s.AuthRateLimit, "auth-rate-limit", "5/30m", "specifies the maximum number of authentication attempts permitted and time interval,valid time units are \"s\",\"m\",\"h\"")
-	fs.BoolVar(&s.EnableMultiLogin, "enable-multi-login", false, "allow one account to have multiple sessions")
-	fs.BoolVar(&s.GenerateKubeConfig, "generate-kubeconfig", true, "generate kubeconfig for new users, kubeconfig is required in devops pipeline, set to false if you don't need devops.")
-
-	s.KubernetesOptions.AddFlags(fss.FlagSet("kubernetes"))
-	s.LdapOptions.AddFlags(fss.FlagSet("ldap"))
-	s.RedisOptions.AddFlags(fss.FlagSet("redis"))
-	s.MySQLOptions.AddFlags(fss.FlagSet("mysql"))
-
-	kfs := fss.FlagSet("klog")
-	local := flag.NewFlagSet("klog", flag.ExitOnError)
-	klog.InitFlags(local)
-	local.VisitAll(func(fl *flag.Flag) {
-		fl.Name = strings.Replace(fl.Name, "_", "-", -1)
-		kfs.AddGoFlag(fl)
-	})
-
-	return fss
-}
--- a/cmd/ks-iam/app/options/validation.go
+++ b/cmd/ks-iam/app/options/validation.go
@@ -1,11 +0,0 @@
-package options
-
-func (s *ServerRunOptions) Validate() []error {
-	errs := []error{}
-
-	errs = append(errs, s.KubernetesOptions.Validate()...)
-	errs = append(errs, s.GenericServerRunOptions.Validate()...)
-	errs = append(errs, s.LdapOptions.Validate()...)
-
-	return errs
-}
--- a/cmd/ks-iam/app/server.go
+++ b/cmd/ks-iam/app/server.go
@@ -1,161 +0,0 @@
-/*
-
- Copyright 2019 The KubeSphere Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
-*/
-package app
-
-import (
-	"fmt"
-	"github.com/spf13/cobra"
-	utilerrors "k8s.io/apimachinery/pkg/util/errors"
-	cliflag "k8s.io/component-base/cli/flag"
-	"k8s.io/klog"
-	"kubesphere.io/kubesphere/cmd/ks-iam/app/options"
-	"kubesphere.io/kubesphere/pkg/apis"
-	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
-	"kubesphere.io/kubesphere/pkg/informers"
-	"kubesphere.io/kubesphere/pkg/models/iam"
-	"kubesphere.io/kubesphere/pkg/server"
-	apiserverconfig "kubesphere.io/kubesphere/pkg/server/config"
-	"kubesphere.io/kubesphere/pkg/server/filter"
-	"kubesphere.io/kubesphere/pkg/simple/client"
-	"kubesphere.io/kubesphere/pkg/utils/jwtutil"
-	"kubesphere.io/kubesphere/pkg/utils/signals"
-	"kubesphere.io/kubesphere/pkg/utils/term"
-	"net/http"
-)
-
-func NewAPIServerCommand() *cobra.Command {
-	s := options.NewServerRunOptions()
-
-	cmd := &cobra.Command{
-		Use: "ks-iam",
-		Long: `The KubeSphere account server validates and configures data
-for the api objects. The API Server services REST operations and provides the frontend to the
-cluster's shared state through which all other components interact.`,
-		RunE: func(cmd *cobra.Command, args []string) error {
-
-			err := apiserverconfig.Load()
-			if err != nil {
-				return err
-			}
-
-			err = Complete(s)
-			if err != nil {
-				return err
-			}
-
-			if errs := s.Validate(); len(errs) != 0 {
-				return utilerrors.NewAggregate(errs)
-			}
-
-			return Run(s, signals.SetupSignalHandler())
-		},
-	}
-
-	fs := cmd.Flags()
-	namedFlagSets := s.Flags()
-
-	for _, f := range namedFlagSets.FlagSets {
-		fs.AddFlagSet(f)
-	}
-
-	usageFmt := "Usage:\n  %s\n"
-	cols, _, _ := term.TerminalSize(cmd.OutOrStdout())
-	cmd.SetHelpFunc(func(cmd *cobra.Command, args []string) {
-		fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine())
-		cliflag.PrintSections(cmd.OutOrStdout(), namedFlagSets, cols)
-	})
-
-	return cmd
-}
-
-func Run(s *options.ServerRunOptions, stopChan <-chan struct{}) error {
-	csop := client.NewClientSetOptions()
-	csop.SetKubernetesOptions(s.KubernetesOptions).
-		SetLdapOptions(s.LdapOptions).
-		SetRedisOptions(s.RedisOptions).
-		SetMySQLOptions(s.MySQLOptions)
-
-	client.NewClientSetFactory(csop, stopChan)
-
-	waitForResourceSync(stopChan)
-
-	err := iam.Init(s.AdminEmail, s.AdminPassword, s.AuthRateLimit, s.TokenIdleTimeout, s.EnableMultiLogin, s.GenerateKubeConfig)
-
-	jwtutil.Setup(s.JWTSecret)
-
-	if err != nil {
-		return err
-	}
-
-	container := runtime.Container
-	container.Filter(filter.Logging)
-	container.DoNotRecover(false)
-	container.RecoverHandler(server.LogStackOnRecover)
-
-	apis.InstallAuthorizationAPIs(container)
-
-	if s.GenericServerRunOptions.InsecurePort != 0 {
-		klog.Infof("Server listening on %s:%d ", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.InsecurePort)
-		err = http.ListenAndServe(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.InsecurePort), container)
-	}
-
-	if s.GenericServerRunOptions.SecurePort != 0 && len(s.GenericServerRunOptions.TlsCertFile) > 0 && len(s.GenericServerRunOptions.TlsPrivateKey) > 0 {
-		klog.Infof("Server listening on %s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.SecurePort)
-		err = http.ListenAndServeTLS(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.SecurePort), s.GenericServerRunOptions.TlsCertFile, s.GenericServerRunOptions.TlsPrivateKey, container)
-	}
-
-	return err
-}
-
-func Complete(s *options.ServerRunOptions) error {
-	conf := apiserverconfig.Get()
-
-	conf.Apply(&apiserverconfig.Config{
-		KubernetesOptions: s.KubernetesOptions,
-		LdapOptions:       s.LdapOptions,
-		RedisOptions:      s.RedisOptions,
-		MySQLOptions:      s.MySQLOptions,
-	})
-
-	s.KubernetesOptions = conf.KubernetesOptions
-	s.LdapOptions = conf.LdapOptions
-	s.RedisOptions = conf.RedisOptions
-	s.MySQLOptions = conf.MySQLOptions
-
-	return nil
-}
-
-func waitForResourceSync(stopCh <-chan struct{}) {
-
-	informerFactory := informers.SharedInformerFactory()
-	informerFactory.Rbac().V1().Roles().Lister()
-	informerFactory.Rbac().V1().RoleBindings().Lister()
-	informerFactory.Rbac().V1().ClusterRoles().Lister()
-	informerFactory.Rbac().V1().ClusterRoleBindings().Lister()
-
-	informerFactory.Core().V1().Namespaces().Lister()
-
-	informerFactory.Start(stopCh)
-	informerFactory.WaitForCacheSync(stopCh)
-
-	ksInformerFactory := informers.KsSharedInformerFactory()
-	ksInformerFactory.Tenant().V1alpha1().Workspaces().Lister()
-
-	ksInformerFactory.Start(stopCh)
-	ksInformerFactory.WaitForCacheSync(stopCh)
-}
--- a/cmd/ks-network/main.go
+++ b/cmd/ks-network/main.go
@@ -1,25 +0,0 @@
-package main
-
-import (
-	"flag"
-
-	"k8s.io/klog"
-	"kubesphere.io/kubesphere/pkg/controller/network/runoption"
-)
-
-var opt runoption.RunOption
-
-func init() {
-	flag.StringVar(&opt.ProviderName, "np-provider", "calico", "specify the network policy provider, k8s or calico")
-	flag.BoolVar(&opt.AllowInsecureEtcd, "allow-insecure-etcd", false, "specify allow connect to etcd using insecure http")
-	flag.StringVar(&opt.DataStoreType, "datastore-type", "k8s", "specify the datastore type of calico")
-	//TODO add more flags
-}
-
-func main() {
-	klog.InitFlags(nil)
-	flag.Set("logtostderr", "true")
-	flag.Parse()
-	klog.V(1).Info("Preparing kubernetes client")
-	klog.Fatal(opt.Run())
-}
--- a/config/crds/app_v1beta1_application.yaml
+++ b/config/crds/app_v1beta1_application.yaml
@@ -1,236 +1,529 @@
-apiVersion: apiextensions.k8s.io/v1beta1
+# Copyright 2020 The Kubernetes Authors.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/application/pull/2
+    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
  name: applications.app.k8s.io
 spec:
  group: app.k8s.io
  names:
+    categories:
+    - all
    kind: Application
+    listKind: ApplicationList
    plural: applications
+    shortNames:
+    - app
+    singular: application
  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          type: string
-        kind:
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            assemblyPhase:
-              type: string
-            componentKinds:
-              items:
-                type: object
-              type: array
-            descriptor:
-              properties:
-                description:
-                  type: string
-                icons:
-                  items:
-                    properties:
-                      size:
-                        type: string
-                      src:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                    - src
-                    type: object
-                  type: array
-                keywords:
-                  items:
-                    type: string
-                  type: array
-                links:
-                  items:
-                    properties:
-                      description:
-                        type: string
-                      url:
-                        type: string
-                    type: object
-                  type: array
-                maintainers:
-                  items:
-                    properties:
-                      email:
-                        type: string
-                      name:
-                        type: string
-                      url:
-                        type: string
-                    type: object
-                  type: array
-                notes:
-                  type: string
-                owners:
-                  items:
-                    properties:
-                      email:
-                        type: string
-                      name:
-                        type: string
-                      url:
-                        type: string
-                    type: object
-                  type: array
-                type:
-                  type: string
-                version:
-                  type: string
-              type: object
-            info:
-              items:
+  versions:
+  - additionalPrinterColumns:
+    - description: The type of the application
+      jsonPath: .spec.descriptor.type
+      name: Type
+      type: string
+    - description: The creation date
+      jsonPath: .spec.descriptor.version
+      name: Version
+      type: string
+    - description: The application object owns the matched resources
+      jsonPath: .spec.addOwnerRef
+      name: Owner
+      type: boolean
+    - description: Numbers of components ready
+      jsonPath: .status.componentsReady
+      name: Ready
+      type: string
+    - description: The creation date
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Application is the Schema for the applications API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ApplicationSpec defines the specification for an Application.
+            properties:
+              addOwnerRef:
+                description: AddOwnerRef objects - flag to indicate if we need to
+                  add OwnerRefs to matching objects Matching is done by using Selector
+                  to query all ComponentGroupKinds
+                type: boolean
+              assemblyPhase:
+                description: AssemblyPhase represents the current phase of the application's
+                  assembly. An empty value is equivalent to "Succeeded".
+                type: string
+              componentKinds:
+                description: ComponentGroupKinds is a list of Kinds for Application's
+                  components (e.g. Deployments, Pods, Services, CRDs). It can be used
+                  in conjunction with the Application's Selector to list or watch
+                  the Applications components.
+                items:
+                  description: GroupKind specifies a Group and a Kind, but does not
+                    force a version.  This is useful for identifying concepts during
+                    lookup stages without having partially valid types
+                  properties:
+                    group:
+                      type: string
+                    kind:
+                      type: string
+                  required:
+                  - group
+                  - kind
+                  type: object
+                type: array
+              descriptor:
+                description: Descriptor regroups information and metadata about an
+                  application.
                properties:
-                  name:
+                  description:
+                    description: Description is a brief string description of the
+                      Application.
                    type: string
+                  icons:
+                    description: Icons is an optional list of icons for an application.
+                      Icon information includes the source, size, and mime type.
+                    items:
+                      description: ImageSpec contains information about an image used
+                        as an icon.
+                      properties:
+                        size:
+                          description: (optional) The size of the image in pixels
+                            (e.g., 25x25).
+                          type: string
+                        src:
+                          description: The source for image represented as either
+                            an absolute URL to the image or a Data URL containing
+                            the image. Data URLs are defined in RFC 2397.
+                          type: string
+                        type:
+                          description: (optional) The mine type of the image (e.g.,
+                            "image/png").
+                          type: string
+                      required:
+                      - src
+                      type: object
+                    type: array
+                  keywords:
+                    description: Keywords is an optional list of key words associated
+                      with the application (e.g. MySQL, RDBMS, database).
+                    items:
+                      type: string
+                    type: array
+                  links:
+                    description: Links are a list of descriptive URLs intended to
+                      be used to surface additional documentation, dashboards, etc.
+                    items:
+                      description: Link contains information about an URL to surface
+                        documentation, dashboards, etc.
+                      properties:
+                        description:
+                          description: Description is human readable content explaining
+                            the purpose of the link.
+                          type: string
+                        url:
+                          description: Url typically points at a website address.
+                          type: string
+                      type: object
+                    type: array
+                  maintainers:
+                    description: Maintainers is an optional list of maintainers of
+                      the application. The maintainers in this list maintain the the
+                      source code, images, and package for the application.
+                    items:
+                      description: ContactData contains information about an individual
+                        or organization.
+                      properties:
+                        email:
+                          description: Email is the email address.
+                          type: string
+                        name:
+                          description: Name is the descriptive name.
+                          type: string
+                        url:
+                          description: Url could typically be a website address.
+                          type: string
+                      type: object
+                    type: array
+                  notes:
+                    description: Notes contain a human readable snippets intended
+                      as a quick start for the users of the Application. CommonMark
+                      markdown syntax may be used for rich text representation.
+                    type: string
+                  owners:
+                    description: Owners is an optional list of the owners of the installed
+                      application. The owners of the application should be contacted
+                      in the event of a planned or unplanned disruption affecting
+                      the application.
+                    items:
+                      description: ContactData contains information about an individual
+                        or organization.
+                      properties:
+                        email:
+                          description: Email is the email address.
+                          type: string
+                        name:
+                          description: Name is the descriptive name.
+                          type: string
+                        url:
+                          description: Url could typically be a website address.
+                          type: string
+                      type: object
+                    type: array
                  type:
+                    description: Type is the type of the application (e.g. WordPress,
+                      MySQL, Cassandra).
                    type: string
-                  value:
+                  version:
+                    description: Version is an optional version indicator for the
+                      Application.
                    type: string
-                  valueFrom:
-                    properties:
-                      configMapKeyRef:
-                        properties:
-                          apiVersion:
+                type: object
+              info:
+                description: Info contains human readable key,value pairs for the
+                  Application.
+                items:
+                  description: InfoItem is a human readable key,value pair containing
+                    important information about how to access the Application.
+                  properties:
+                    name:
+                      description: Name is a human readable title for this piece of
+                        information.
+                      type: string
+                    type:
+                      description: Type of the value for this InfoItem.
+                      type: string
+                    value:
+                      description: Value is human readable content.
+                      type: string
+                    valueFrom:
+                      description: ValueFrom defines a reference to derive the value
+                        from another source.
+                      properties:
+                        configMapKeyRef:
+                          description: Selects a key of a ConfigMap.
+                          properties:
+                            apiVersion:
+                              description: API version of the referent.
+                              type: string
+                            fieldPath:
+                              description: 'If referring to a piece of an object instead
+                                of an entire object, this string should contain a
+                                valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                                For example, if the object reference is to a container
+                                within a pod, this would take on a value like: "spec.containers{name}"
+                                (where "name" refers to the name of the container
+                                that triggered the event) or if no container name
+                                is specified "spec.containers[2]" (container with
+                                index 2 in this pod). This syntax is chosen only to
+                                have some well-defined way of referencing a part of
+                                an object. TODO: this design is not final and this
+                                field is subject to change in the future.'
+                              type: string
+                            key:
+                              description: The key to select.
+                              type: string
+                            kind:
+                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                              type: string
+                            namespace:
+                              description: 'Namespace of the referent. More info:
+                                https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                              type: string
+                            resourceVersion:
+                              description: 'Specific resourceVersion to which this
+                                reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                              type: string
+                            uid:
+                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                              type: string
+                          type: object
+                        ingressRef:
+                          description: Select an Ingress.
+                          properties:
+                            apiVersion:
+                              description: API version of the referent.
+                              type: string
+                            fieldPath:
+                              description: 'If referring to a piece of an object instead
+                                of an entire object, this string should contain a
+                                valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                                For example, if the object reference is to a container
+                                within a pod, this would take on a value like: "spec.containers{name}"
+                                (where "name" refers to the name of the container
+                                that triggered the event) or if no container name
+                                is specified "spec.containers[2]" (container with
+                                index 2 in this pod). This syntax is chosen only to
+                                have some well-defined way of referencing a part of
+                                an object. TODO: this design is not final and this
+                                field is subject to change in the future.'
+                              type: string
+                            host:
+                              description: The optional host to select.
+                              type: string
+                            kind:
+                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                              type: string
+                            namespace:
+                              description: 'Namespace of the referent. More info:
+                                https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                              type: string
+                            path:
+                              description: The optional HTTP path.
+                              type: string
+                            protocol:
+                              description: Protocol for the ingress
+                              type: string
+                            resourceVersion:
+                              description: 'Specific resourceVersion to which this
+                                reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                              type: string
+                            uid:
+                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                              type: string
+                          type: object
+                        secretKeyRef:
+                          description: Selects a key of a Secret.
+                          properties:
+                            apiVersion:
+                              description: API version of the referent.
+                              type: string
+                            fieldPath:
+                              description: 'If referring to a piece of an object instead
+                                of an entire object, this string should contain a
+                                valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                                For example, if the object reference is to a container
+                                within a pod, this would take on a value like: "spec.containers{name}"
+                                (where "name" refers to the name of the container
+                                that triggered the event) or if no container name
+                                is specified "spec.containers[2]" (container with
+                                index 2 in this pod). This syntax is chosen only to
+                                have some well-defined way of referencing a part of
+                                an object. TODO: this design is not final and this
+                                field is subject to change in the future.'
+                              type: string
+                            key:
+                              description: The key to select.
+                              type: string
+                            kind:
+                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                              type: string
+                            namespace:
+                              description: 'Namespace of the referent. More info:
+                                https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                              type: string
+                            resourceVersion:
+                              description: 'Specific resourceVersion to which this
+                                reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                              type: string
+                            uid:
+                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                              type: string
+                          type: object
+                        serviceRef:
+                          description: Select a Service.
+                          properties:
+                            apiVersion:
+                              description: API version of the referent.
+                              type: string
+                            fieldPath:
+                              description: 'If referring to a piece of an object instead
+                                of an entire object, this string should contain a
+                                valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                                For example, if the object reference is to a container
+                                within a pod, this would take on a value like: "spec.containers{name}"
+                                (where "name" refers to the name of the container
+                                that triggered the event) or if no container name
+                                is specified "spec.containers[2]" (container with
+                                index 2 in this pod). This syntax is chosen only to
+                                have some well-defined way of referencing a part of
+                                an object. TODO: this design is not final and this
+                                field is subject to change in the future.'
+                              type: string
+                            kind:
+                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                              type: string
+                            namespace:
+                              description: 'Namespace of the referent. More info:
+                                https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                              type: string
+                            path:
+                              description: The optional HTTP path.
+                              type: string
+                            port:
+                              description: The optional port to select.
+                              format: int32
+                              type: integer
+                            protocol:
+                              description: Protocol for the service
+                              type: string
+                            resourceVersion:
+                              description: 'Specific resourceVersion to which this
+                                reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                              type: string
+                            uid:
+                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                              type: string
+                          type: object
+                        type:
+                          description: Type of source.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+              selector:
+                description: 'Selector is a label query over kinds that created by
+                  the application. It must match the component objects'' labels. More
+                  info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors'
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
                            type: string
-                          fieldPath:
-                            type: string
-                          key:
-                            type: string
-                          kind:
-                            type: string
-                          name:
-                            type: string
-                          namespace:
-                            type: string
-                          resourceVersion:
-                            type: string
-                          uid:
-                            type: string
-                        type: object
-                      ingressRef:
-                        properties:
-                          apiVersion:
-                            type: string
-                          fieldPath:
-                            type: string
-                          host:
-                            type: string
-                          kind:
-                            type: string
-                          name:
-                            type: string
-                          namespace:
-                            type: string
-                          path:
-                            type: string
-                          resourceVersion:
-                            type: string
-                          uid:
-                            type: string
-                        type: object
-                      secretKeyRef:
-                        properties:
-                          apiVersion:
-                            type: string
-                          fieldPath:
-                            type: string
-                          key:
-                            type: string
-                          kind:
-                            type: string
-                          name:
-                            type: string
-                          namespace:
-                            type: string
-                          resourceVersion:
-                            type: string
-                          uid:
-                            type: string
-                        type: object
-                      serviceRef:
-                        properties:
-                          apiVersion:
-                            type: string
-                          fieldPath:
-                            type: string
-                          kind:
-                            type: string
-                          name:
-                            type: string
-                          namespace:
-                            type: string
-                          path:
-                            type: string
-                          port:
-                            format: int32
-                            type: integer
-                          resourceVersion:
-                            type: string
-                          uid:
-                            type: string
-                        type: object
-                      type:
-                        type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
                    type: object
                type: object
-              type: array
-            selector:
-              type: object
-          type: object
-        status:
-          properties:
-            components:
-              items:
-                properties:
-                  group:
-                    type: string
-                  kind:
-                    type: string
-                  link:
-                    type: string
-                  name:
-                    type: string
-                  status:
-                    type: string
-                type: object
-              type: array
-            conditions:
-              items:
-                properties:
-                  lastTransitionTime:
-                    format: date-time
-                    type: string
-                  lastUpdateTime:
-                    format: date-time
-                    type: string
-                  message:
-                    type: string
-                  reason:
-                    type: string
-                  status:
-                    type: string
-                  type:
-                    type: string
-                required:
-                - type
-                - status
-                type: object
-              type: array
-            observedGeneration:
-              format: int64
-              type: integer
-          type: object
-  version: v1beta1
+            type: object
+          status:
+            description: ApplicationStatus defines controller's the observed state
+              of Application
+            properties:
+              components:
+                description: Object status array for all matching objects
+                items:
+                  description: ObjectStatus is a generic status holder for objects
+                  properties:
+                    group:
+                      description: Object group
+                      type: string
+                    kind:
+                      description: Kind of object
+                      type: string
+                    link:
+                      description: Link to object
+                      type: string
+                    name:
+                      description: Name of object
+                      type: string
+                    status:
+                      description: 'Status. Values: InProgress, Ready, Unknown'
+                      type: string
+                  type: object
+                type: array
+              componentsReady:
+                description: 'ComponentsReady: status of the components in the format
+                  ready/total'
+                type: string
+              conditions:
+                description: Conditions represents the latest state of the object
+                items:
+                  description: Condition describes the state of an object at a certain
+                    point.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    lastUpdateTime:
+                      description: Last time the condition was probed
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration is the most recent generation observed.
+                  It corresponds to the Object's generation, which is updated on mutation
+                  by the API Server.
+                format: int64
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/application.kubesphere.io_helmapplications.yaml
+++ b/config/crds/application.kubesphere.io_helmapplications.yaml
@@ -0,0 +1,101 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: helmapplications.application.kubesphere.io
+spec:
+  group: application.kubesphere.io
+  names:
+    kind: HelmApplication
+    listKind: HelmApplicationList
+    plural: helmapplications
+    shortNames:
+    - happ
+    singular: helmapplication
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.name
+      name: application name
+      type: string
+    - jsonPath: .metadata.labels.kubesphere\.io/workspace
+      name: workspace
+      type: string
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: HelmApplication is the Schema for the helmapplications API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HelmApplicationSpec defines the desired state of HelmApplication
+            properties:
+              abstraction:
+                description: info from frontend
+                type: string
+              appHome:
+                type: string
+              attachments:
+                description: attachments id
+                items:
+                  type: string
+                type: array
+              description:
+                description: description from chart's description or frontend
+                type: string
+              icon:
+                description: The attachment id of the icon
+                type: string
+              name:
+                description: the name of the helm application
+                type: string
+            required:
+            - name
+            type: object
+          status:
+            description: HelmApplicationStatus defines the observed state of HelmApplication
+            properties:
+              latestVersion:
+                description: If this application belong to appStore, latestVersion is the the latest version of the active application version. otherwise latestVersion is the latest version of all application version
+                type: string
+              state:
+                description: 'the state of the helm application: draft, submitted, passed, rejected, suspended, active'
+                type: string
+              statusTime:
+                format: date-time
+                type: string
+              updateTime:
+                format: date-time
+                type: string
+            required:
+            - statusTime
+            - updateTime
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/application.kubesphere.io_helmapplicationversions.yaml
+++ b/config/crds/application.kubesphere.io_helmapplicationversions.yaml
@@ -0,0 +1,205 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: helmapplicationversions.application.kubesphere.io
+spec:
+  group: application.kubesphere.io
+  names:
+    kind: HelmApplicationVersion
+    listKind: HelmApplicationVersionList
+    plural: helmapplicationversions
+    shortNames:
+    - happver
+    singular: helmapplicationversion
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.name
+      name: application name
+      type: string
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: HelmApplicationVersion is the Schema for the helmapplicationversions API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HelmApplicationVersionSpec defines the desired state of HelmApplicationVersion
+            properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                description: Annotations are additional mappings uninterpreted by Helm, made available for inspection by other applications.
+                type: object
+              apiVersion:
+                description: The API Version of this chart.
+                type: string
+              appVersion:
+                description: The version of the application enclosed inside of this chart.
+                type: string
+              condition:
+                description: The condition to check to enable chart
+                type: string
+              created:
+                description: chart create time
+                format: date-time
+                type: string
+              data:
+                description: raw data of chart, it will !!!NOT!!! be save to etcd
+                format: byte
+                type: string
+              dataKey:
+                description: dataKey in the storage
+                type: string
+              dependencies:
+                description: Dependencies are a list of dependencies for a chart.
+                items:
+                  description: Dependency describes a chart upon which another chart depends. Dependencies can be used to express developer intent, or to capture the state of a chart.
+                  properties:
+                    alias:
+                      description: Alias usable alias to be used for the chart
+                      type: string
+                    condition:
+                      description: A yaml path that resolves to a boolean, used for enabling/disabling charts (e.g. subchart1.enabled )
+                      type: string
+                    enabled:
+                      description: Enabled bool determines if chart should be loaded
+                      type: boolean
+                    name:
+                      description: Name is the name of the dependency. This must mach the name in the dependency's Chart.yaml.
+                      type: string
+                    repository:
+                      description: The URL to the repository. Appending `index.yaml` to this string should result in a URL that can be used to fetch the repository index.
+                      type: string
+                    tags:
+                      description: Tags can be used to group charts for enabling/disabling together
+                      items:
+                        type: string
+                      type: array
+                    version:
+                      description: Version is the version (range) of this chart. A lock file will always produce a single version, while a dependency may contain a semantic version range.
+                      type: string
+                  required:
+                  - name
+                  - repository
+                  type: object
+                type: array
+              deprecated:
+                description: Whether or not this chart is deprecated
+                type: boolean
+              description:
+                description: A one-sentence description of the chart
+                type: string
+              digest:
+                description: chart digest
+                type: string
+              home:
+                description: The URL to a relevant project page, git repo, or contact person
+                type: string
+              icon:
+                description: The URL to an icon file.
+                type: string
+              keywords:
+                description: A list of string keywords
+                items:
+                  type: string
+                type: array
+              kubeVersion:
+                description: KubeVersion is a SemVer constraint specifying the version of Kubernetes required.
+                type: string
+              maintainers:
+                description: A list of name and URL/email address combinations for the maintainer(s)
+                items:
+                  description: Maintainer describes a Chart maintainer.
+                  properties:
+                    email:
+                      description: Email is an optional email address to contact the named maintainer
+                      type: string
+                    name:
+                      description: Name is a user name or organization name
+                      type: string
+                    url:
+                      description: URL is an optional URL to an address for the named maintainer
+                      type: string
+                  type: object
+                type: array
+              name:
+                description: The name of the chart
+                type: string
+              sources:
+                description: Source is the URL to the source code of this chart
+                items:
+                  type: string
+                type: array
+              tags:
+                description: The tags to check to enable chart
+                type: string
+              type:
+                description: 'Specifies the chart type: application or library'
+                type: string
+              urls:
+                description: chart url
+                items:
+                  type: string
+                type: array
+              version:
+                description: A SemVer 2 conformant version string of the chart
+                type: string
+            type: object
+          status:
+            description: HelmApplicationVersionStatus defines the observed state of HelmApplicationVersion
+            properties:
+              audit:
+                items:
+                  properties:
+                    message:
+                      description: audit message
+                      type: string
+                    operator:
+                      description: audit operator
+                      type: string
+                    operatorType:
+                      type: string
+                    state:
+                      description: 'audit state: submitted, passed, draft, active, rejected, suspended'
+                      type: string
+                    time:
+                      description: audit time
+                      format: date-time
+                      type: string
+                  required:
+                  - time
+                  type: object
+                type: array
+              state:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/application.kubesphere.io_helmcategories.yaml
+++ b/config/crds/application.kubesphere.io_helmcategories.yaml
@@ -0,0 +1,76 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: helmcategories.application.kubesphere.io
+spec:
+  group: application.kubesphere.io
+  names:
+    kind: HelmCategory
+    listKind: HelmCategoryList
+    plural: helmcategories
+    shortNames:
+    - hctg
+    singular: helmcategory
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.name
+      name: name
+      type: string
+    - jsonPath: .status.total
+      name: total
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: HelmCategory is the Schema for the helmcategories API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HelmCategorySpec defines the desired state of HelmRepo
+            properties:
+              description:
+                description: info from frontend
+                type: string
+              locale:
+                type: string
+              name:
+                description: name of the category
+                type: string
+            required:
+            - name
+            type: object
+          status:
+            properties:
+              total:
+                description: total helmapplications belong to this category
+                type: integer
+            required:
+            - total
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/application.kubesphere.io_helmreleases.yaml
+++ b/config/crds/application.kubesphere.io_helmreleases.yaml
@@ -0,0 +1,145 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: helmreleases.application.kubesphere.io
+spec:
+  group: application.kubesphere.io
+  names:
+    kind: HelmRelease
+    listKind: HelmReleaseList
+    plural: helmreleases
+    shortNames:
+    - hrls
+    singular: helmrelease
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.name
+      name: Release Name
+      type: string
+    - jsonPath: .metadata.labels.kubesphere\.io/workspace
+      name: Workspace
+      type: string
+    - jsonPath: .metadata.labels.kubesphere\.io/cluster
+      name: Cluster
+      type: string
+    - jsonPath: .metadata.labels.kubesphere\.io/namespace
+      name: Namespace
+      type: string
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: HelmRelease is the Schema for the helmreleases API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HelmReleaseSpec defines the desired state of HelmRelease
+            properties:
+              appId:
+                description: id of the helmapplication
+                type: string
+              appVerId:
+                description: application version id
+                type: string
+              chartAppVer:
+                description: appVersion from Chart.yaml
+                type: string
+              chartName:
+                description: The name of the chart which will be installed.
+                type: string
+              chartVersion:
+                description: Specify the exact chart version to install. If this is not specified, the latest version is installed
+                type: string
+              description:
+                description: Message got from frontend
+                type: string
+              name:
+                description: Name of the release
+                type: string
+              repoId:
+                description: id of  the repo
+                type: string
+              values:
+                description: helm release values.yaml
+                format: byte
+                type: string
+              version:
+                description: expected release version, when this version is not equal status.version, the release need upgrade this filed should be modified when any filed of the spec modified.
+                type: integer
+            required:
+            - chartName
+            - chartVersion
+            - name
+            - version
+            type: object
+          status:
+            description: HelmReleaseStatus defines the observed state of HelmRelease
+            properties:
+              deployStatus:
+                description: deploy status list of history, which will store at most 10 state
+                items:
+                  properties:
+                    deployTime:
+                      description: deploy time, upgrade time or check status time
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about why the release is in this state.
+                      type: string
+                    state:
+                      description: current state of the release
+                      type: string
+                  required:
+                  - deployTime
+                  - state
+                  type: object
+                type: array
+              lastDeployed:
+                description: last deploy time or upgrade time
+                format: date-time
+                type: string
+              lastUpdate:
+                description: last update time
+                format: date-time
+                type: string
+              message:
+                description: A human readable message indicating details about why the release is in this state.
+                type: string
+              state:
+                description: current state
+                type: string
+              version:
+                description: current release version
+                type: integer
+            required:
+            - state
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/application.kubesphere.io_helmrepos.yaml
+++ b/config/crds/application.kubesphere.io_helmrepos.yaml
@@ -0,0 +1,142 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: helmrepos.application.kubesphere.io
+spec:
+  group: application.kubesphere.io
+  names:
+    kind: HelmRepo
+    listKind: HelmRepoList
+    plural: helmrepos
+    shortNames:
+    - hrepo
+    singular: helmrepo
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.name
+      name: name
+      type: string
+    - jsonPath: .metadata.labels.kubesphere\.io/workspace
+      name: Workspace
+      type: string
+    - jsonPath: .spec.url
+      name: url
+      type: string
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: HelmRepo is the Schema for the helmrepoes API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HelmRepoSpec defines the desired state of HelmRepo
+            properties:
+              credential:
+                description: helm repo credential
+                properties:
+                  accessKeyID:
+                    type: string
+                  caFile:
+                    description: verify certificates of HTTPS-enabled servers using this CA bundle
+                    type: string
+                  certFile:
+                    description: identify HTTPS client using this SSL certificate file
+                    type: string
+                  insecureSkipTLSVerify:
+                    description: skip tls certificate checks for the repository, default is ture
+                    type: boolean
+                  keyFile:
+                    description: identify HTTPS client using this SSL key file
+                    type: string
+                  password:
+                    description: chart repository password
+                    type: string
+                  secretAccessKey:
+                    type: string
+                  username:
+                    description: chart repository username
+                    type: string
+                type: object
+              description:
+                description: chart repo description from frontend
+                type: string
+              name:
+                description: name of the repo
+                type: string
+              syncPeriod:
+                description: sync period in seconds, no sync when SyncPeriod=0, the minimum SyncPeriod is 180s
+                type: integer
+              url:
+                description: helm repo url
+                type: string
+              version:
+                description: expected repo version, when this version is not equal status.version, the repo need upgrade this filed should be modified when any filed of the spec modified.
+                type: integer
+            required:
+            - name
+            - url
+            type: object
+          status:
+            description: HelmRepoStatus defines the observed state of HelmRepo
+            properties:
+              data:
+                description: repo index
+                type: string
+              lastUpdateTime:
+                description: status last update time
+                format: date-time
+                type: string
+              state:
+                description: current state of the repo, successful, failed or syncing
+                type: string
+              syncState:
+                description: sync state list of history, which will store at most 10 state
+                items:
+                  properties:
+                    message:
+                      description: A human readable message indicating details about why the repo is in this state.
+                      type: string
+                    state:
+                      description: 'last sync state, valid state are: "failed", "success", and ""'
+                      type: string
+                    syncTime:
+                      format: date-time
+                      type: string
+                  required:
+                  - syncTime
+                  type: object
+                type: array
+              version:
+                description: if status.version!=spec.Version, we need sync the repo now
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/cluster.kubesphere.io_clusters.yaml
+++ b/config/crds/cluster.kubesphere.io_clusters.yaml
@@ -0,0 +1,146 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: clusters.cluster.kubesphere.io
+spec:
+  group: cluster.kubesphere.io
+  names:
+    kind: Cluster
+    listKind: ClusterList
+    plural: clusters
+    singular: cluster
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.joinFederation
+      name: Federated
+      type: boolean
+    - jsonPath: .spec.provider
+      name: Provider
+      type: string
+    - jsonPath: .spec.enable
+      name: Active
+      type: boolean
+    - jsonPath: .status.kubernetesVersion
+      name: Version
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Cluster is the schema for the clusters API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              connection:
+                description: Connection holds info to connect to the member cluster
+                properties:
+                  kubeconfig:
+                    description: KubeConfig content used to connect to cluster api server Should provide this field explicitly if connection type is direct. Will be populated by ks-proxy if connection type is proxy.
+                    format: byte
+                    type: string
+                  kubernetesAPIEndpoint:
+                    description: 'Kubernetes API Server endpoint. Example: https://10.10.0.1:6443 Should provide this field explicitly if connection type is direct. Will be populated by ks-apiserver if connection type is proxy.'
+                    type: string
+                  kubernetesAPIServerPort:
+                    description: KubeAPIServerPort is the port which listens for forwarding kube-apiserver traffic Only applicable when connection type is proxy.
+                    type: integer
+                  kubesphereAPIEndpoint:
+                    description: 'KubeSphere API Server endpoint. Example: http://10.10.0.11:8080 Should provide this field explicitly if connection type is direct. Will be populated by ks-apiserver if connection type is proxy.'
+                    type: string
+                  kubesphereAPIServerPort:
+                    description: KubeSphereAPIServerPort is the port which listens for forwarding kubesphere apigateway traffic Only applicable when connection type is proxy.
+                    type: integer
+                  token:
+                    description: Token used by agents of member cluster to connect to host cluster proxy. This field is populated by apiserver only if connection type is proxy.
+                    type: string
+                  type:
+                    description: type defines how host cluster will connect to host cluster ConnectionTypeDirect means direct connection, this requires   kubeconfig and kubesphere apiserver endpoint provided ConnectionTypeProxy means using kubesphere proxy, no kubeconfig   or kubesphere apiserver endpoint required
+                    type: string
+                type: object
+              enable:
+                description: Desired state of the cluster
+                type: boolean
+              joinFederation:
+                description: Join cluster as a kubefed cluster
+                type: boolean
+              provider:
+                description: Provider of the cluster, this field is just for description
+                type: string
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Represents the latest available observations of a cluster's current state.
+                items:
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status to another.
+                      format: date-time
+                      type: string
+                    lastUpdateTime:
+                      description: The last time this condition was updated.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of the condition
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              configz:
+                additionalProperties:
+                  type: boolean
+                description: Configz is status of components enabled in the member cluster. This is synchronized with member cluster every amount of time, like 5 minutes.
+                type: object
+              kubeSphereVersion:
+                description: GitVersion of the /kapis/version api response, this field is populated by cluster controller
+                type: string
+              kubernetesVersion:
+                description: GitVersion of the kubernetes cluster, this field is populated by cluster controller
+                type: string
+              nodeCount:
+                description: Count of the kubernetes cluster nodes This field may not reflect the instant status of the cluster.
+                type: integer
+              region:
+                description: Region is the name of the region in which all of the nodes in the cluster exist.  e.g. 'us-east1'.
+                type: string
+              zones:
+                description: Zones are the names of availability zones in which the nodes of the cluster exist, e.g. 'us-east1-a'.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/devops.kubesphere.io_devopsprojects.yaml
+++ b/config/crds/devops.kubesphere.io_devopsprojects.yaml
@@ -0,0 +1,52 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: devopsprojects.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    categories:
+    - devops
+    kind: DevOpsProject
+    listKind: DevOpsProjectList
+    plural: devopsprojects
+    singular: devopsproject
+  scope: Cluster
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: DevOpsProject is the Schema for the devopsprojects API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DevOpsProjectSpec defines the desired state of DevOpsProject
+            type: object
+          status:
+            description: DevOpsProjectStatus defines the observed state of DevOpsProject
+            properties:
+              adminNamespace:
+                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/devops.kubesphere.io_pipelines.yaml
+++ b/config/crds/devops.kubesphere.io_pipelines.yaml
@@ -0,0 +1,300 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: pipelines.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    kind: Pipeline
+    listKind: PipelineList
+    plural: pipelines
+    singular: pipeline
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: Pipeline is the Schema for the pipelines API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PipelineSpec defines the desired state of Pipeline
+            properties:
+              multi_branch_pipeline:
+                properties:
+                  bitbucket_server_source:
+                    properties:
+                      api_uri:
+                        type: string
+                      credential_id:
+                        type: string
+                      discover_branches:
+                        type: integer
+                      discover_pr_from_forks:
+                        properties:
+                          strategy:
+                            type: integer
+                          trust:
+                            type: integer
+                        type: object
+                      discover_pr_from_origin:
+                        type: integer
+                      discover_tags:
+                        type: boolean
+                      git_clone_option:
+                        properties:
+                          depth:
+                            type: integer
+                          shallow:
+                            type: boolean
+                          timeout:
+                            type: integer
+                        type: object
+                      owner:
+                        type: string
+                      regex_filter:
+                        type: string
+                      repo:
+                        type: string
+                      scm_id:
+                        type: string
+                    type: object
+                  description:
+                    type: string
+                  discarder:
+                    properties:
+                      days_to_keep:
+                        type: string
+                      num_to_keep:
+                        type: string
+                    type: object
+                  git_source:
+                    properties:
+                      credential_id:
+                        type: string
+                      discover_branches:
+                        type: boolean
+                      discover_tags:
+                        type: boolean
+                      git_clone_option:
+                        properties:
+                          depth:
+                            type: integer
+                          shallow:
+                            type: boolean
+                          timeout:
+                            type: integer
+                        type: object
+                      regex_filter:
+                        type: string
+                      scm_id:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  github_source:
+                    description: GithubSource and BitbucketServerSource have the same structure, but we don't use one due to crd errors
+                    properties:
+                      api_uri:
+                        type: string
+                      credential_id:
+                        type: string
+                      discover_branches:
+                        type: integer
+                      discover_pr_from_forks:
+                        properties:
+                          strategy:
+                            type: integer
+                          trust:
+                            type: integer
+                        type: object
+                      discover_pr_from_origin:
+                        type: integer
+                      discover_tags:
+                        type: boolean
+                      git_clone_option:
+                        properties:
+                          depth:
+                            type: integer
+                          shallow:
+                            type: boolean
+                          timeout:
+                            type: integer
+                        type: object
+                      owner:
+                        type: string
+                      regex_filter:
+                        type: string
+                      repo:
+                        type: string
+                      scm_id:
+                        type: string
+                    type: object
+                  gitlab_source:
+                    properties:
+                      api_uri:
+                        type: string
+                      credential_id:
+                        type: string
+                      discover_branches:
+                        type: integer
+                      discover_pr_from_forks:
+                        properties:
+                          strategy:
+                            type: integer
+                          trust:
+                            type: integer
+                        type: object
+                      discover_pr_from_origin:
+                        type: integer
+                      discover_tags:
+                        type: boolean
+                      git_clone_option:
+                        properties:
+                          depth:
+                            type: integer
+                          shallow:
+                            type: boolean
+                          timeout:
+                            type: integer
+                        type: object
+                      owner:
+                        type: string
+                      regex_filter:
+                        type: string
+                      repo:
+                        type: string
+                      scm_id:
+                        type: string
+                      server_name:
+                        type: string
+                    type: object
+                  multibranch_job_trigger:
+                    properties:
+                      create_action_job_to_trigger:
+                        type: string
+                      delete_action_job_to_trigger:
+                        type: string
+                    type: object
+                  name:
+                    type: string
+                  script_path:
+                    type: string
+                  single_svn_source:
+                    properties:
+                      credential_id:
+                        type: string
+                      remote:
+                        type: string
+                      scm_id:
+                        type: string
+                    type: object
+                  source_type:
+                    type: string
+                  svn_source:
+                    properties:
+                      credential_id:
+                        type: string
+                      excludes:
+                        type: string
+                      includes:
+                        type: string
+                      remote:
+                        type: string
+                      scm_id:
+                        type: string
+                    type: object
+                  timer_trigger:
+                    properties:
+                      cron:
+                        description: user in no scm job
+                        type: string
+                      interval:
+                        description: use in multi-branch job
+                        type: string
+                    type: object
+                required:
+                - name
+                - script_path
+                - source_type
+                type: object
+              pipeline:
+                properties:
+                  description:
+                    type: string
+                  disable_concurrent:
+                    type: boolean
+                  discarder:
+                    properties:
+                      days_to_keep:
+                        type: string
+                      num_to_keep:
+                        type: string
+                    type: object
+                  jenkinsfile:
+                    type: string
+                  name:
+                    type: string
+                  parameters:
+                    items:
+                      properties:
+                        default_value:
+                          type: string
+                        description:
+                          type: string
+                        name:
+                          type: string
+                        type:
+                          type: string
+                      required:
+                      - name
+                      - type
+                      type: object
+                    type: array
+                  remote_trigger:
+                    properties:
+                      token:
+                        type: string
+                    type: object
+                  timer_trigger:
+                    properties:
+                      cron:
+                        description: user in no scm job
+                        type: string
+                      interval:
+                        description: use in multi-branch job
+                        type: string
+                    type: object
+                required:
+                - name
+                type: object
+              type:
+                description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file'
+                type: string
+            required:
+            - type
+            type: object
+          status:
+            description: PipelineStatus defines the observed state of Pipeline
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/devops.kubesphere.io_s2ibinaries.yaml
+++ b/config/crds/devops.kubesphere.io_s2ibinaries.yaml
@@ -0,0 +1,81 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2ibinaries.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    kind: S2iBinary
+    listKind: S2iBinaryList
+    plural: s2ibinaries
+    singular: s2ibinary
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.fileName
+      name: FileName
+      type: string
+    - jsonPath: .spec.md5
+      name: MD5
+      type: string
+    - jsonPath: .spec.size
+      name: Size
+      type: string
+    - jsonPath: .status.phase
+      name: Phase
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: S2iBinary is the Schema for the s2ibinaries API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: S2iBinarySpec defines the desired state of S2iBinary
+            properties:
+              downloadURL:
+                description: DownloadURL in KubeSphere
+                type: string
+              fileName:
+                description: FileName is filename of binary
+                type: string
+              md5:
+                description: MD5 is Binary's MD5 Hash
+                type: string
+              size:
+                description: Size is the file size of file
+                type: string
+              uploadTimeStamp:
+                description: UploadTime is last upload time
+                format: date-time
+                type: string
+            type: object
+          status:
+            description: S2iBinaryStatus defines the observed state of S2iBinary
+            properties:
+              phase:
+                description: Phase is status of S2iBinary . Possible value is "Ready","UnableToDownload"
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/devops.kubesphere.io_s2ibuilders.yaml
+++ b/config/crds/devops.kubesphere.io_s2ibuilders.yaml
@@ -0,0 +1,475 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2ibuilders.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    kind: S2iBuilder
+    listKind: S2iBuilderList
+    plural: s2ibuilders
+    shortNames:
+    - s2ib
+    singular: s2ibuilder
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.runCount
+      name: RunCount
+      type: integer
+    - jsonPath: .status.lastRunState
+      name: LastRunState
+      type: string
+    - jsonPath: .status.lastRunName
+      name: LastRunName
+      type: string
+    - jsonPath: .status.lastRunStartTime
+      name: LastRunStartTime
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: S2iBuilder is the Schema for the s2ibuilders API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: S2iBuilderSpec defines the desired state of S2iBuilder
+            properties:
+              config:
+                description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file'
+                properties:
+                  addHost:
+                    description: AddHost Add a line to /etc/hosts for test purpose or private use in LAN. Its format is host:IP,multiple hosts can be added  by using multiple --add-host
+                    items:
+                      type: string
+                    type: array
+                  asDockerfile:
+                    description: AsDockerfile indicates the path where the Dockerfile should be written instead of building a new image.
+                    type: string
+                  assembleUser:
+                    description: AssembleUser specifies the user to run the assemble script in container
+                    type: string
+                  blockOnBuild:
+                    description: BlockOnBuild prevents s2i from performing a docker build operation if one is necessary to execute ONBUILD commands, or to layer source code into the container for images that don't have a tar binary available, if the image contains ONBUILD commands that would be executed.
+                    type: boolean
+                  branchExpression:
+                    description: Regular expressions, ignoring names that do not match the provided regular expression
+                    type: string
+                  buildVolumes:
+                    description: BuildVolumes specifies a list of volumes to mount to container running the build.
+                    items:
+                      type: string
+                    type: array
+                  builderBaseImageVersion:
+                    description: BuilderBaseImageVersion provides optional version information about the builder base image.
+                    type: string
+                  builderImage:
+                    description: BuilderImage describes which image is used for building the result images.
+                    type: string
+                  builderImageVersion:
+                    description: BuilderImageVersion provides optional version information about the builder image.
+                    type: string
+                  builderPullPolicy:
+                    description: BuilderPullPolicy specifies when to pull the builder image
+                    type: string
+                  callbackUrl:
+                    description: CallbackURL is a URL which is called upon successful build to inform about that fact.
+                    type: string
+                  cgroupLimits:
+                    description: CGroupLimits describes the cgroups limits that will be applied to any containers run by s2i.
+                    properties:
+                      cpuPeriod:
+                        format: int64
+                        type: integer
+                      cpuQuota:
+                        format: int64
+                        type: integer
+                      cpuShares:
+                        format: int64
+                        type: integer
+                      memoryLimitBytes:
+                        format: int64
+                        type: integer
+                      memorySwap:
+                        format: int64
+                        type: integer
+                      parent:
+                        type: string
+                    required:
+                    - cpuPeriod
+                    - cpuQuota
+                    - cpuShares
+                    - memoryLimitBytes
+                    - memorySwap
+                    - parent
+                    type: object
+                  contextDir:
+                    description: Specify a relative directory inside the application repository that should be used as a root directory for the application.
+                    type: string
+                  description:
+                    description: Description is a result image description label. The default is no description.
+                    type: string
+                  destination:
+                    description: Destination specifies a location where the untar operation will place its artifacts.
+                    type: string
+                  displayName:
+                    description: DisplayName is a result image display-name label. This defaults to the output image name.
+                    type: string
+                  dockerConfig:
+                    description: DockerConfig describes how to access host docker daemon.
+                    properties:
+                      caFile:
+                        description: CAFile is the certificate authority file path for a TLS connection
+                        type: string
+                      certFile:
+                        description: CertFile is the certificate file path for a TLS connection
+                        type: string
+                      endPoint:
+                        description: Endpoint is the docker network endpoint or socket
+                        type: string
+                      keyFile:
+                        description: KeyFile is the key file path for a TLS connection
+                        type: string
+                      tlsVerify:
+                        description: TLSVerify indicates if TLS peer must be verified
+                        type: boolean
+                      useTLS:
+                        description: UseTLS indicates if TLS must be used
+                        type: boolean
+                    required:
+                    - caFile
+                    - certFile
+                    - endPoint
+                    - keyFile
+                    - tlsVerify
+                    - useTLS
+                    type: object
+                  dockerNetworkMode:
+                    description: DockerNetworkMode is used to set the docker network setting to --net=container:<id> when the builder is invoked from a container.
+                    type: string
+                  dropCapabilities:
+                    description: DropCapabilities contains a list of capabilities to drop when executing containers
+                    items:
+                      type: string
+                    type: array
+                  environment:
+                    description: Environment is a map of environment variables to be passed to the image.
+                    items:
+                      description: EnvironmentSpec specifies a single environment variable.
+                      properties:
+                        name:
+                          type: string
+                        value:
+                          type: string
+                      required:
+                      - name
+                      - value
+                      type: object
+                    type: array
+                  excludeRegExp:
+                    description: ExcludeRegExp contains a string representation of the regular expression desired for deciding which files to exclude from the tar stream
+                    type: string
+                  export:
+                    description: Export Push the result image to specify image registry in tag
+                    type: boolean
+                  gitSecretRef:
+                    description: GitSecretRef is the BasicAuth Secret of Git Clone
+                    properties:
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+                        type: string
+                    type: object
+                  hasOnBuild:
+                    description: HasOnBuild will be set to true if the builder image contains ONBUILD instructions
+                    type: boolean
+                  imageName:
+                    description: ImageName Contains the registry address and reponame, tag should set by field tag alone
+                    type: string
+                  imageScriptsUrl:
+                    description: ImageScriptsURL is the default location to find the assemble/run scripts for a builder image. This url can be a reference within the builder image if the scheme is specified as image://
+                    type: string
+                  imageWorkDir:
+                    description: ImageWorkDir is the default working directory for the builder image.
+                    type: string
+                  incremental:
+                    description: Incremental describes whether to try to perform incremental build.
+                    type: boolean
+                  incrementalAuthentication:
+                    description: IncrementalAuthentication holds the authentication information for pulling the previous image from private repositories
+                    properties:
+                      email:
+                        type: string
+                      password:
+                        type: string
+                      secretRef:
+                        description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
+                        properties:
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                        type: object
+                      serverAddress:
+                        type: string
+                      username:
+                        type: string
+                    type: object
+                  incrementalFromTag:
+                    description: IncrementalFromTag sets an alternative image tag to look for existing artifacts. Tag is used by default if this is not set.
+                    type: string
+                  injections:
+                    description: Injections specifies a list source/destination folders that are injected to the container that runs assemble. All files we inject will be truncated after the assemble script finishes.
+                    items:
+                      description: VolumeSpec represents a single volume mount point.
+                      properties:
+                        destination:
+                          description: Destination is the path to mount the volume to - absolute or relative.
+                          type: string
+                        keep:
+                          description: Keep indicates if the mounted data should be kept in the final image.
+                          type: boolean
+                        source:
+                          description: Source is a reference to the volume source.
+                          type: string
+                      type: object
+                    type: array
+                  isBinaryURL:
+                    description: IsBinaryURL explain the type of SourceURL. If it is IsBinaryURL, it will download the file directly without using git.
+                    type: boolean
+                  keepSymlinks:
+                    description: KeepSymlinks indicates to copy symlinks as symlinks. Default behavior is to follow symlinks and copy files by content.
+                    type: boolean
+                  labelNamespace:
+                    description: LabelNamespace provides the namespace under which the labels will be generated.
+                    type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels specify labels and their values to be applied to the resulting image. Label keys must have non-zero length. The labels defined here override generated labels in case they have the same name.
+                    type: object
+                  layeredBuild:
+                    description: LayeredBuild describes if this is build which layered scripts and sources on top of BuilderImage.
+                    type: boolean
+                  nodeAffinityKey:
+                    description: The key of Node Affinity.
+                    type: string
+                  nodeAffinityValues:
+                    description: The values of Node Affinity.
+                    items:
+                      type: string
+                    type: array
+                  outputBuildResult:
+                    description: Whether output build result to status.
+                    type: boolean
+                  outputImageName:
+                    description: OutputImageName is a result image name without tag, default is latest. tag will append to ImageName in the end
+                    type: string
+                  preserveWorkingDir:
+                    description: PreserveWorkingDir describes if working directory should be left after processing.
+                    type: boolean
+                  previousImagePullPolicy:
+                    description: PreviousImagePullPolicy specifies when to pull the previously build image when doing incremental build
+                    type: string
+                  pullAuthentication:
+                    description: PullAuthentication holds the authentication information for pulling the Docker images from private repositories
+                    properties:
+                      email:
+                        type: string
+                      password:
+                        type: string
+                      secretRef:
+                        description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
+                        properties:
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                        type: object
+                      serverAddress:
+                        type: string
+                      username:
+                        type: string
+                    type: object
+                  pushAuthentication:
+                    description: PullAuthentication holds the authentication information for pulling the Docker images from private repositories
+                    properties:
+                      email:
+                        type: string
+                      password:
+                        type: string
+                      secretRef:
+                        description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
+                        properties:
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                        type: object
+                      serverAddress:
+                        type: string
+                      username:
+                        type: string
+                    type: object
+                  removePreviousImage:
+                    description: RemovePreviousImage describes if previous image should be removed after successful build. This applies only to incremental builds.
+                    type: boolean
+                  revisionId:
+                    description: The RevisionId is a branch name or a SHA-1 hash of every important thing about the commit
+                    type: string
+                  runImage:
+                    description: RunImage will trigger a "docker run ..." invocation of the produced image so the user can see if it operates as he would expect
+                    type: boolean
+                  runtimeArtifacts:
+                    description: RuntimeArtifacts specifies a list of source/destination pairs that will be copied from builder to a runtime image. Source can be a file or directory. Destination must be a directory. Regardless whether it is an absolute or relative path, it will be placed into image's WORKDIR. Destination also can be empty or equals to ".", in this case it just refers to a root of WORKDIR. In case it's empty, S2I will try to get this list from io.openshift.s2i.assemble-input-files label on a RuntimeImage.
+                    items:
+                      description: VolumeSpec represents a single volume mount point.
+                      properties:
+                        destination:
+                          description: Destination is the path to mount the volume to - absolute or relative.
+                          type: string
+                        keep:
+                          description: Keep indicates if the mounted data should be kept in the final image.
+                          type: boolean
+                        source:
+                          description: Source is a reference to the volume source.
+                          type: string
+                      type: object
+                    type: array
+                  runtimeAuthentication:
+                    description: RuntimeAuthentication holds the authentication information for pulling the runtime Docker images from private repositories.
+                    properties:
+                      email:
+                        type: string
+                      password:
+                        type: string
+                      secretRef:
+                        description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
+                        properties:
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                        type: object
+                      serverAddress:
+                        type: string
+                      username:
+                        type: string
+                    type: object
+                  runtimeImage:
+                    description: RuntimeImage specifies the image that will be a base for resulting image and will be used for running an application. By default, BuilderImage is used for building and running, but the latter may be overridden.
+                    type: string
+                  runtimeImagePullPolicy:
+                    description: RuntimeImagePullPolicy specifies when to pull a runtime image.
+                    type: string
+                  scriptDownloadProxyConfig:
+                    description: ScriptDownloadProxyConfig optionally specifies the http and https proxy to use when downloading scripts
+                    properties:
+                      httpProxy:
+                        type: string
+                      httpsProxy:
+                        type: string
+                    type: object
+                  scriptsUrl:
+                    description: ScriptsURL is a URL describing where to fetch the S2I scripts from during build process. This url can be a reference within the builder image if the scheme is specified as image://
+                    type: string
+                  secretCode:
+                    description: SecretCode
+                    type: string
+                  securityOpt:
+                    description: SecurityOpt are passed as options to the docker containers launched by s2i.
+                    items:
+                      type: string
+                    type: array
+                  sourceUrl:
+                    description: SourceURL is  url of the codes such as https://github.com/a/b.git
+                    type: string
+                  tag:
+                    description: Tag is a result image tag name.
+                    type: string
+                  taintKey:
+                    description: The name of taint.
+                    type: string
+                  usage:
+                    description: Usage allows for properly shortcircuiting s2i logic when `s2i usage` is invoked
+                    type: boolean
+                  workingDir:
+                    description: WorkingDir describes temporary directory used for downloading sources, scripts and tar operations.
+                    type: string
+                  workingSourceDir:
+                    description: WorkingSourceDir describes the subdirectory off of WorkingDir set up during the repo download that is later used as the root for ignore processing
+                    type: string
+                required:
+                - imageName
+                - sourceUrl
+                type: object
+              fromTemplate:
+                description: FromTemplate define some inputs from user
+                properties:
+                  builderImage:
+                    description: BaseImage specify which version of this template to use
+                    type: string
+                  name:
+                    description: Name specify a template to use, so many fields in Config can left empty
+                    type: string
+                  parameters:
+                    description: Parameters must use with `template`, fill some parameters which template will use
+                    items:
+                      properties:
+                        defaultValue:
+                          type: string
+                        description:
+                          type: string
+                        key:
+                          type: string
+                        optValues:
+                          items:
+                            type: string
+                          type: array
+                        required:
+                          type: boolean
+                        type:
+                          type: string
+                        value:
+                          type: string
+                      type: object
+                    type: array
+                type: object
+            type: object
+          status:
+            description: S2iBuilderStatus defines the observed state of S2iBuilder
+            properties:
+              lastRunName:
+                description: LastRunState return the name of the newest run of this builder
+                type: string
+              lastRunStartTime:
+                description: LastRunStartTime return the startTime of the newest run of this builder
+                format: date-time
+                type: string
+              lastRunState:
+                description: LastRunState return the state of the newest run of this builder
+                type: string
+              runCount:
+                description: RunCount represent the sum of s2irun of this builder
+                type: integer
+            required:
+            - runCount
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/devops.kubesphere.io_s2ibuildertemplates.yaml
+++ b/config/crds/devops.kubesphere.io_s2ibuildertemplates.yaml
@@ -0,0 +1,130 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2ibuildertemplates.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    categories:
+    - devops
+    kind: S2iBuilderTemplate
+    listKind: S2iBuilderTemplateList
+    plural: s2ibuildertemplates
+    shortNames:
+    - s2ibt
+    singular: s2ibuildertemplate
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.codeFramework
+      name: Framework
+      type: string
+    - jsonPath: .spec.defaultBaseImage
+      name: DefaultBaseImage
+      type: string
+    - jsonPath: .spec.version
+      name: Version
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: S2iBuilderTemplate is the Schema for the s2ibuildertemplates API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: S2iBuilderTemplateSpec defines the desired state of S2iBuilderTemplate
+            properties:
+              codeFramework:
+                description: CodeFramework means which language this template is designed for and which framework is using if has framework. Like Java, NodeJS etc
+                type: string
+              containerInfo:
+                description: Images are the images this template will use.
+                items:
+                  properties:
+                    buildVolumes:
+                      description: BuildVolumes specifies a list of volumes to mount to container running the build.
+                      items:
+                        type: string
+                      type: array
+                    builderImage:
+                      description: BaseImage are the images this template will use.
+                      type: string
+                    runtimeArtifacts:
+                      items:
+                        description: VolumeSpec represents a single volume mount point.
+                        properties:
+                          destination:
+                            description: Destination is the path to mount the volume to - absolute or relative.
+                            type: string
+                          keep:
+                            description: Keep indicates if the mounted data should be kept in the final image.
+                            type: boolean
+                          source:
+                            description: Source is a reference to the volume source.
+                            type: string
+                        type: object
+                      type: array
+                    runtimeImage:
+                      type: string
+                  type: object
+                type: array
+              defaultBaseImage:
+                description: DefaultBaseImage is the image that will be used by default
+                type: string
+              description:
+                description: Description illustrate the purpose of this template
+                type: string
+              environment:
+                description: Parameters is a set of environment variables to be passed to the image.
+                items:
+                  properties:
+                    defaultValue:
+                      type: string
+                    description:
+                      type: string
+                    key:
+                      type: string
+                    optValues:
+                      items:
+                        type: string
+                      type: array
+                    required:
+                      type: boolean
+                    type:
+                      type: string
+                    value:
+                      type: string
+                  type: object
+                type: array
+              iconPath:
+                description: IconPath is used for frontend display
+                type: string
+              version:
+                description: Version of template
+                type: string
+            type: object
+          status:
+            description: S2iBuilderTemplateStatus defines the observed state of S2iBuilderTemplate
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/devops.kubesphere.io_s2iruns.yaml
+++ b/config/crds/devops.kubesphere.io_s2iruns.yaml
@@ -0,0 +1,164 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2iruns.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    kind: S2iRun
+    listKind: S2iRunList
+    plural: s2iruns
+    shortNames:
+    - s2ir
+    singular: s2irun
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.runState
+      name: State
+      type: string
+    - jsonPath: .status.kubernetesJobName
+      name: K8sJobName
+      type: string
+    - jsonPath: .status.startTime
+      name: StartTime
+      type: date
+    - jsonPath: .status.completionTime
+      name: CompletionTime
+      type: date
+    - jsonPath: .status.s2iBuildResult.imageName
+      name: ImageName
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: S2iRun is the Schema for the s2iruns API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: S2iRunSpec defines the desired state of S2iRun
+            properties:
+              backoffLimit:
+                description: BackoffLimit limits the restart count of each s2irun. Default is 0
+                format: int32
+                type: integer
+              builderName:
+                description: BuilderName specify the name of s2ibuilder, required
+                type: string
+              newRevisionId:
+                description: NewRevisionId override the default NewRevisionId in its s2ibuilder.
+                type: string
+              newSourceURL:
+                description: NewSourceURL is used to download new binary artifacts
+                type: string
+              newTag:
+                description: NewTag override the default tag in its s2ibuilder, image name cannot be changed.
+                type: string
+              secondsAfterFinished:
+                description: SecondsAfterFinished if is set and greater than zero, and the job created by s2irun become successful or failed , the job will be auto deleted after SecondsAfterFinished
+                format: int32
+                type: integer
+            required:
+            - builderName
+            type: object
+          status:
+            description: S2iRunStatus defines the observed state of S2iRun
+            properties:
+              completionTime:
+                description: Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC.
+                format: date-time
+                type: string
+              kubernetesJobName:
+                description: KubernetesJobName is the job name in k8s
+                type: string
+              logURL:
+                description: LogURL is uesd for external log handler to let user know where is log located in
+                type: string
+              runState:
+                description: RunState  indicates whether this job is done or failed
+                type: string
+              s2iBuildResult:
+                description: S2i build result info.
+                properties:
+                  commandPull:
+                    description: Command for pull image.
+                    type: string
+                  imageCreated:
+                    description: Image created time.
+                    type: string
+                  imageID:
+                    description: Image ID.
+                    type: string
+                  imageName:
+                    description: ImageName is the name of artifact
+                    type: string
+                  imageRepoTags:
+                    description: image tags.
+                    items:
+                      type: string
+                    type: array
+                  imageSize:
+                    description: The size in bytes of the image
+                    format: int64
+                    type: integer
+                type: object
+              s2iBuildSource:
+                description: S2i build source info.
+                properties:
+                  binaryName:
+                    description: Binary file Name
+                    type: string
+                  binarySize:
+                    description: Binary file Size
+                    format: int64
+                    type: integer
+                  builderImage:
+                    description: // BuilderImage describes which image is used for building the result images.
+                    type: string
+                  commitID:
+                    description: CommitID represents an arbitrary extended object reference in Git as SHA-1
+                    type: string
+                  committerEmail:
+                    description: CommitterEmail contains the e-mail of the committer
+                    type: string
+                  committerName:
+                    description: CommitterName contains the name of the committer
+                    type: string
+                  description:
+                    description: Description is a result image description label. The default is no description.
+                    type: string
+                  revisionId:
+                    description: The RevisionId is a branch name or a SHA-1 hash of every important thing about the commit
+                    type: string
+                  sourceUrl:
+                    description: SourceURL is  url of the codes such as https://github.com/a/b.git
+                    type: string
+                type: object
+              startTime:
+                description: StartTime represent when this run began
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/devops_v1alpha1_s2ibinary.yaml
+++ b/config/crds/devops_v1alpha1_s2ibinary.yaml
@@ -1,73 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: s2ibinaries.devops.kubesphere.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.fileName
-    name: FileName
-    type: string
-  - JSONPath: .spec.md5
-    name: MD5
-    type: string
-  - JSONPath: .spec.size
-    name: Size
-    type: string
-  - JSONPath: .status.phase
-    name: Phase
-    type: string
-  group: devops.kubesphere.io
-  names:
-    kind: S2iBinary
-    plural: s2ibinaries
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            downloadURL:
-              description: DownloadURL in KubeSphere
-              type: string
-            fileName:
-              description: FileName is filename of binary
-              type: string
-            md5:
-              description: MD5 is Binary's MD5 Hash
-              type: string
-            size:
-              description: Size is the file size of file
-              type: string
-            uploadTimeStamp:
-              description: UploadTime is last upload time
-              format: date-time
-              type: string
-          type: object
-        status:
-          properties:
-            phase:
-              description: Phase is status of S2iBinary . Possible value is "Ready","UnableToDownload"
-              type: string
-          type: object
-  version: v1alpha1
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/gateway.kubesphere.io_gateways.yaml
+++ b/config/crds/gateway.kubesphere.io_gateways.yaml
@@ -0,0 +1,95 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: gateways.gateway.kubesphere.io
+spec:
+  group: gateway.kubesphere.io
+  names:
+    kind: Gateway
+    listKind: GatewayList
+    plural: gateways
+    singular: gateway
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Gateway is the Schema for the gateways API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: GatewaySpec defines the desired state of Gateway
+            properties:
+              controller:
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  config:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  replicas:
+                    format: int32
+                    type: integer
+                  scope:
+                    properties:
+                      enabled:
+                        type: boolean
+                      namespace:
+                        type: string
+                    type: object
+                type: object
+              deployment:
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  replicas:
+                    format: int32
+                    type: integer
+                type: object
+              service:
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  type:
+                    description: Service Type string describes ingress methods for
+                      a service
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/gateway.kubesphere.io_nginxes.yaml
+++ b/config/crds/gateway.kubesphere.io_nginxes.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: nginxes.gateway.kubesphere.io
+spec:
+  group: gateway.kubesphere.io
+  names:
+    kind: Nginx
+    listKind: NginxList
+    plural: nginxes
+    singular: nginx
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Nginx is the Schema for the nginxes API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of Nginx
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            description: Status defines the observed state of Nginx
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
--- a/config/crds/iam.kubesphere.io_globalrolebindings.yaml
+++ b/config/crds/iam.kubesphere.io_globalrolebindings.yaml
@@ -0,0 +1,83 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: globalrolebindings.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: GlobalRoleBinding
+    listKind: GlobalRoleBindingList
+    plural: globalrolebindings
+    singular: globalrolebinding
+  scope: Cluster
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: GlobalRoleBinding is the Schema for the globalrolebindings API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          roleRef:
+            description: RoleRef can only reference a GlobalRole. If the RoleRef cannot be resolved, the Authorizer must return an error.
+            properties:
+              apiGroup:
+                description: APIGroup is the group for the resource being referenced
+                type: string
+              kind:
+                description: Kind is the type of resource being referenced
+                type: string
+              name:
+                description: Name is the name of resource being referenced
+                type: string
+            required:
+            - apiGroup
+            - kind
+            - name
+            type: object
+          subjects:
+            description: Subjects holds references to the objects the role applies to.
+            items:
+              description: Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.
+              properties:
+                apiGroup:
+                  description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+                  type: string
+                kind:
+                  description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+                  type: string
+                name:
+                  description: Name of the object being referenced.
+                  type: string
+                namespace:
+                  description: Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
+                  type: string
+              required:
+              - kind
+              - name
+              type: object
+            type: array
+        required:
+        - roleRef
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_globalroles.yaml
+++ b/config/crds/iam.kubesphere.io_globalroles.yaml
@@ -0,0 +1,75 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: globalroles.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: GlobalRole
+    listKind: GlobalRoleList
+    plural: globalroles
+    singular: globalrole
+  scope: Cluster
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          rules:
+            description: Rules holds all the PolicyRules for this GlobalRole
+            items:
+              description: PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
+              properties:
+                apiGroups:
+                  description: APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
+                  items:
+                    type: string
+                  type: array
+                nonResourceURLs:
+                  description: NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                  items:
+                    type: string
+                  type: array
+                resourceNames:
+                  description: ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+                  items:
+                    type: string
+                  type: array
+                resources:
+                  description: Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+                  items:
+                    type: string
+                  type: array
+                verbs:
+                  description: Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+                  items:
+                    type: string
+                  type: array
+              required:
+              - verbs
+              type: object
+            type: array
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_groupbindings.yaml
+++ b/config/crds/iam.kubesphere.io_groupbindings.yaml
@@ -0,0 +1,64 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: groupbindings.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - group
+    kind: GroupBinding
+    listKind: GroupBindingList
+    plural: groupbindings
+    singular: groupbinding
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .groupRef.name
+      name: Group
+      type: string
+    - jsonPath: .users
+      name: Users
+      type: string
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: GroupBinding is the Schema for the groupbindings API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          groupRef:
+            description: GroupRef defines the desired relation of GroupBinding
+            properties:
+              apiGroup:
+                type: string
+              kind:
+                type: string
+              name:
+                type: string
+            type: object
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          users:
+            items:
+              type: string
+            type: array
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_groups.yaml
+++ b/config/crds/iam.kubesphere.io_groups.yaml
@@ -0,0 +1,53 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: groups.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - group
+    kind: Group
+    listKind: GroupList
+    plural: groups
+    singular: group
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.labels.kubesphere\.io/workspace
+      name: Workspace
+      type: string
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: Group is the Schema for the groups API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: GroupSpec defines the desired state of Group
+            type: object
+          status:
+            description: GroupStatus defines the observed state of Group
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_loginrecords.yaml
+++ b/config/crds/iam.kubesphere.io_loginrecords.yaml
@@ -0,0 +1,90 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: loginrecords.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: LoginRecord
+    listKind: LoginRecordList
+    plural: loginrecords
+    singular: loginrecord
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.type
+      name: Type
+      type: string
+    - jsonPath: .spec.provider
+      name: Provider
+      type: string
+    - jsonPath: .spec.sourceIP
+      name: From
+      type: string
+    - jsonPath: .spec.success
+      name: Success
+      type: string
+    - jsonPath: .spec.reason
+      name: Reason
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              provider:
+                description: Provider of authentication, Ldap/Github etc.
+                type: string
+              reason:
+                description: States failed login attempt reason
+                type: string
+              sourceIP:
+                description: Source IP of client
+                type: string
+              success:
+                description: Successful login attempt or not
+                type: boolean
+              type:
+                description: Which authentication method used, BasicAuth/OAuth
+                type: string
+              userAgent:
+                description: User agent of login attempt
+                type: string
+            required:
+            - provider
+            - reason
+            - sourceIP
+            - success
+            - type
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_rolebases.yaml
+++ b/config/crds/iam.kubesphere.io_rolebases.yaml
@@ -0,0 +1,47 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: rolebases.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: RoleBase
+    listKind: RoleBaseList
+    plural: rolebases
+    singular: rolebase
+  scope: Cluster
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          role:
+            type: object
+            x-kubernetes-embedded-resource: true
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - role
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_users.yaml
+++ b/config/crds/iam.kubesphere.io_users.yaml
@@ -0,0 +1,92 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: users.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: User
+    listKind: UserList
+    plural: users
+    singular: user
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.email
+      name: Email
+      type: string
+    - jsonPath: .status.state
+      name: Status
+      type: string
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: User is the Schema for the users API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: UserSpec defines the desired state of User
+            properties:
+              description:
+                description: Description of the user.
+                type: string
+              displayName:
+                type: string
+              email:
+                description: Unique email address(https://www.ietf.org/rfc/rfc5322.txt).
+                type: string
+              groups:
+                items:
+                  type: string
+                type: array
+              lang:
+                description: The preferred written or spoken language for the user.
+                type: string
+              password:
+                description: password will be encrypted by mutating admission webhook
+                type: string
+            required:
+            - email
+            type: object
+          status:
+            description: UserStatus defines the observed state of User
+            properties:
+              lastLoginTime:
+                description: Last login attempt timestamp
+                format: date-time
+                type: string
+              lastTransitionTime:
+                format: date-time
+                type: string
+              reason:
+                type: string
+              state:
+                description: The user status
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_workspacerolebindings.yaml
+++ b/config/crds/iam.kubesphere.io_workspacerolebindings.yaml
@@ -0,0 +1,88 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: workspacerolebindings.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: WorkspaceRoleBinding
+    listKind: WorkspaceRoleBindingList
+    plural: workspacerolebindings
+    singular: workspacerolebinding
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.labels.kubesphere\.io/workspace
+      name: Workspace
+      type: string
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: WorkspaceRoleBinding is the Schema for the workspacerolebindings API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          roleRef:
+            description: RoleRef can only reference a WorkspaceRole. If the RoleRef cannot be resolved, the Authorizer must return an error.
+            properties:
+              apiGroup:
+                description: APIGroup is the group for the resource being referenced
+                type: string
+              kind:
+                description: Kind is the type of resource being referenced
+                type: string
+              name:
+                description: Name is the name of resource being referenced
+                type: string
+            required:
+            - apiGroup
+            - kind
+            - name
+            type: object
+          subjects:
+            description: Subjects holds references to the objects the role applies to.
+            items:
+              description: Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.
+              properties:
+                apiGroup:
+                  description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+                  type: string
+                kind:
+                  description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+                  type: string
+                name:
+                  description: Name of the object being referenced.
+                  type: string
+                namespace:
+                  description: Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
+                  type: string
+              required:
+              - kind
+              - name
+              type: object
+            type: array
+        required:
+        - roleRef
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_workspaceroles.yaml
+++ b/config/crds/iam.kubesphere.io_workspaceroles.yaml
@@ -0,0 +1,83 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: workspaceroles.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: WorkspaceRole
+    listKind: WorkspaceRoleList
+    plural: workspaceroles
+    singular: workspacerole
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.labels.kubesphere\.io/workspace
+      name: Workspace
+      type: string
+    - jsonPath: .metadata.annotations.kubesphere\.io/alias-name
+      name: Alias
+      type: string
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          rules:
+            description: Rules holds all the PolicyRules for this WorkspaceRole
+            items:
+              description: PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
+              properties:
+                apiGroups:
+                  description: APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
+                  items:
+                    type: string
+                  type: array
+                nonResourceURLs:
+                  description: NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                  items:
+                    type: string
+                  type: array
+                resourceNames:
+                  description: ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+                  items:
+                    type: string
+                  type: array
+                resources:
+                  description: Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+                  items:
+                    type: string
+                  type: array
+                verbs:
+                  description: Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+                  items:
+                    type: string
+                  type: array
+              required:
+              - verbs
+              type: object
+            type: array
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/istio-crds.yaml
+++ b/config/crds/istio-crds.yaml
--- a/config/crds/istio_v1alpha3_destinationrule.yaml
+++ b/config/crds/istio_v1alpha3_destinationrule.yaml
@@ -1,763 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: destinationrules.istio.kubesphere.io
-spec:
-  group: istio.kubesphere.io
-  names:
-    kind: DestinationRule
-    plural: destinationrules
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            host:
-              description: 'REQUIRED. The name of a service from the service registry.
-                Service names are looked up from the platform''s service registry
-                (e.g., Kubernetes services, Consul services, etc.) and from the hosts
-                declared by [ServiceEntries](#ServiceEntry). Rules defined for services
-                that do not exist in the service registry will be ignored.  *Note
-                for Kubernetes users*: When short names are used (e.g. "reviews" instead
-                of "reviews.default.svc.cluster.local"), Istio will interpret the
-                short name based on the namespace of the rule, not the service. A
-                rule in the "default" namespace containing a host "reviews will be
-                interpreted as "reviews.default.svc.cluster.local", irrespective of
-                the actual namespace associated with the reviews service. _To avoid
-                potential misconfigurations, it is recommended to always use fully
-                qualified domain names over short names._  Note that the host field
-                applies to both HTTP and TCP services.'
-              type: string
-            subsets:
-              description: One or more named sets that represent individual versions
-                of a service. Traffic policies can be overridden at subset level.
-              items:
-                properties:
-                  labels:
-                    description: REQUIRED. Labels apply a filter over the endpoints
-                      of a service in the service registry. See route rules for examples
-                      of usage.
-                    type: object
-                  name:
-                    description: REQUIRED. Name of the subset. The service name and
-                      the subset name can be used for traffic splitting in a route
-                      rule.
-                    type: string
-                  trafficPolicy:
-                    description: Traffic policies that apply to this subset. Subsets
-                      inherit the traffic policies specified at the DestinationRule
-                      level. Settings specified at the subset level will override
-                      the corresponding settings specified at the DestinationRule
-                      level.
-                    properties:
-                      connectionPool:
-                        description: Settings controlling the volume of connections
-                          to an upstream service
-                        properties:
-                          http:
-                            description: HTTP connection pool settings.
-                            properties:
-                              maxRequestsPerConnection:
-                                description: Maximum number of requests per connection
-                                  to a backend. Setting this parameter to 1 disables
-                                  keep alive.
-                                format: int32
-                                type: integer
-                              maxRetries:
-                                description: Maximum number of retries that can be
-                                  outstanding to all hosts in a cluster at a given
-                                  time. Defaults to 3.
-                                format: int32
-                                type: integer
-                            type: object
-                          tcp:
-                            description: Settings common to both HTTP and TCP upstream
-                              connections.
-                            properties:
-                              connectTimeout:
-                                description: TCP connection timeout.
-                                type: string
-                              maxConnections:
-                                description: Maximum number of HTTP1 /TCP connections
-                                  to a destination host.
-                                format: int32
-                                type: integer
-                            type: object
-                        type: object
-                      loadBalancer:
-                        description: Settings controlling the load balancer algorithms.
-                        properties:
-                          consistentHash:
-                            properties:
-                              httpCookie:
-                                description: Hash based on HTTP cookie.
-                                properties:
-                                  name:
-                                    description: REQUIRED. Name of the cookie.
-                                    type: string
-                                  path:
-                                    description: Path to set for the cookie.
-                                    type: string
-                                  ttl:
-                                    description: REQUIRED. Lifetime of the cookie.
-                                    type: string
-                                required:
-                                - name
-                                - ttl
-                                type: object
-                              httpHeaderName:
-                                description: 'It is required to specify exactly one
-                                  of the fields as hash key: HttpHeaderName, HttpCookie,
-                                  or UseSourceIP. Hash based on a specific HTTP header.'
-                                type: string
-                              minimumRingSize:
-                                description: The minimum number of virtual nodes to
-                                  use for the hash ring. Defaults to 1024. Larger
-                                  ring sizes result in more granular load distributions.
-                                  If the number of hosts in the load balancing pool
-                                  is larger than the ring size, each host will be
-                                  assigned a single virtual node.
-                                format: int64
-                                type: integer
-                              useSourceIp:
-                                description: Hash based on the source IP address.
-                                type: boolean
-                            type: object
-                          simple:
-                            description: 'It is required to specify exactly one of
-                              the fields: Simple or ConsistentHash'
-                            type: string
-                        type: object
-                      outlierDetection:
-                        description: Settings controlling eviction of unhealthy hosts
-                          from the load balancing pool
-                        properties:
-                          baseEjectionTime:
-                            description: 'Minimum ejection duration. A host will remain
-                              ejected for a period equal to the product of minimum
-                              ejection duration and the number of times the host has
-                              been ejected. This technique allows the system to automatically
-                              increase the ejection period for unhealthy upstream
-                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
-                              is 30s.'
-                            type: string
-                          consecutiveErrors:
-                            description: Number of errors before a host is ejected
-                              from the connection pool. Defaults to 5. When the upstream
-                              host is accessed over HTTP, a 5xx return code qualifies
-                              as an error. When the upstream host is accessed over
-                              an opaque TCP connection, connect timeouts and connection
-                              error/failure events qualify as an error.
-                            format: int32
-                            type: integer
-                          interval:
-                            description: 'Time interval between ejection sweep analysis.
-                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
-                            type: string
-                          maxEjectionPercent:
-                            description: Maximum % of hosts in the load balancing
-                              pool for the upstream service that can be ejected. Defaults
-                              to 10%.
-                            format: int32
-                            type: integer
-                        type: object
-                      portLevelSettings:
-                        description: Traffic policies specific to individual ports.
-                          Note that port level settings will override the destination-level
-                          settings. Traffic settings specified at the destination-level
-                          will not be inherited when overridden by port-level settings,
-                          i.e. default values will be applied to fields omitted in
-                          port-level traffic policies.
-                        items:
-                          properties:
-                            connectionPool:
-                              description: Settings controlling the volume of connections
-                                to an upstream service
-                              properties:
-                                http:
-                                  description: HTTP connection pool settings.
-                                  properties:
-                                    maxRequestsPerConnection:
-                                      description: Maximum number of requests per
-                                        connection to a backend. Setting this parameter
-                                        to 1 disables keep alive.
-                                      format: int32
-                                      type: integer
-                                    maxRetries:
-                                      description: Maximum number of retries that
-                                        can be outstanding to all hosts in a cluster
-                                        at a given time. Defaults to 3.
-                                      format: int32
-                                      type: integer
-                                  type: object
-                                tcp:
-                                  description: Settings common to both HTTP and TCP
-                                    upstream connections.
-                                  properties:
-                                    connectTimeout:
-                                      description: TCP connection timeout.
-                                      type: string
-                                    maxConnections:
-                                      description: Maximum number of HTTP1 /TCP connections
-                                        to a destination host.
-                                      format: int32
-                                      type: integer
-                                  type: object
-                              type: object
-                            loadBalancer:
-                              description: Settings controlling the load balancer
-                                algorithms.
-                              properties:
-                                consistentHash:
-                                  properties:
-                                    httpCookie:
-                                      description: Hash based on HTTP cookie.
-                                      properties:
-                                        name:
-                                          description: REQUIRED. Name of the cookie.
-                                          type: string
-                                        path:
-                                          description: Path to set for the cookie.
-                                          type: string
-                                        ttl:
-                                          description: REQUIRED. Lifetime of the cookie.
-                                          type: string
-                                      required:
-                                      - name
-                                      - ttl
-                                      type: object
-                                    httpHeaderName:
-                                      description: 'It is required to specify exactly
-                                        one of the fields as hash key: HttpHeaderName,
-                                        HttpCookie, or UseSourceIP. Hash based on
-                                        a specific HTTP header.'
-                                      type: string
-                                    minimumRingSize:
-                                      description: The minimum number of virtual nodes
-                                        to use for the hash ring. Defaults to 1024.
-                                        Larger ring sizes result in more granular
-                                        load distributions. If the number of hosts
-                                        in the load balancing pool is larger than
-                                        the ring size, each host will be assigned
-                                        a single virtual node.
-                                      format: int64
-                                      type: integer
-                                    useSourceIp:
-                                      description: Hash based on the source IP address.
-                                      type: boolean
-                                  type: object
-                                simple:
-                                  description: 'It is required to specify exactly
-                                    one of the fields: Simple or ConsistentHash'
-                                  type: string
-                              type: object
-                            outlierDetection:
-                              description: Settings controlling eviction of unhealthy
-                                hosts from the load balancing pool
-                              properties:
-                                baseEjectionTime:
-                                  description: 'Minimum ejection duration. A host
-                                    will remain ejected for a period equal to the
-                                    product of minimum ejection duration and the number
-                                    of times the host has been ejected. This technique
-                                    allows the system to automatically increase the
-                                    ejection period for unhealthy upstream servers.
-                                    format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is
-                                    30s.'
-                                  type: string
-                                consecutiveErrors:
-                                  description: Number of errors before a host is ejected
-                                    from the connection pool. Defaults to 5. When
-                                    the upstream host is accessed over HTTP, a 5xx
-                                    return code qualifies as an error. When the upstream
-                                    host is accessed over an opaque TCP connection,
-                                    connect timeouts and connection error/failure
-                                    events qualify as an error.
-                                  format: int32
-                                  type: integer
-                                interval:
-                                  description: 'Time interval between ejection sweep
-                                    analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
-                                    Default is 10s.'
-                                  type: string
-                                maxEjectionPercent:
-                                  description: Maximum % of hosts in the load balancing
-                                    pool for the upstream service that can be ejected.
-                                    Defaults to 10%.
-                                  format: int32
-                                  type: integer
-                              type: object
-                            port:
-                              description: Specifies the port name or number of a
-                                port on the destination service on which this policy
-                                is being applied.  Names must comply with DNS label
-                                syntax (rfc1035) and therefore cannot collide with
-                                numbers. If there are multiple ports on a service
-                                with the same protocol the names should be of the
-                                form <protocol-name>-<DNS label>.
-                              properties:
-                                name:
-                                  description: Valid port name
-                                  type: string
-                                number:
-                                  description: Valid port number
-                                  format: int32
-                                  type: integer
-                              type: object
-                            tls:
-                              description: TLS related settings for connections to
-                                the upstream service.
-                              properties:
-                                caCertificates:
-                                  description: 'OPTIONAL: The path to the file containing
-                                    certificate authority certificates to use in verifying
-                                    a presented server certificate. If omitted, the
-                                    proxy will not verify the server''s certificate.
-                                    Should be empty if mode is `ISTIO_MUTUAL`.'
-                                  type: string
-                                clientCertificate:
-                                  description: REQUIRED if mode is `MUTUAL`. The path
-                                    to the file holding the client-side TLS certificate
-                                    to use. Should be empty if mode is `ISTIO_MUTUAL`.
-                                  type: string
-                                mode:
-                                  description: 'REQUIRED: Indicates whether connections
-                                    to this port should be secured using TLS. The
-                                    value of this field determines how TLS is enforced.'
-                                  type: string
-                                privateKey:
-                                  description: REQUIRED if mode is `MUTUAL`. The path
-                                    to the file holding the client's private key.
-                                    Should be empty if mode is `ISTIO_MUTUAL`.
-                                  type: string
-                                sni:
-                                  description: SNI string to present to the server
-                                    during TLS handshake. Should be empty if mode
-                                    is `ISTIO_MUTUAL`.
-                                  type: string
-                                subjectAltNames:
-                                  description: A list of alternate names to verify
-                                    the subject identity in the certificate. If specified,
-                                    the proxy will verify that the server certificate's
-                                    subject alt name matches one of the specified
-                                    values. Should be empty if mode is `ISTIO_MUTUAL`.
-                                  items:
-                                    type: string
-                                  type: array
-                              required:
-                              - mode
-                              type: object
-                          required:
-                          - port
-                          type: object
-                        type: array
-                      tls:
-                        description: TLS related settings for connections to the upstream
-                          service.
-                        properties:
-                          caCertificates:
-                            description: 'OPTIONAL: The path to the file containing
-                              certificate authority certificates to use in verifying
-                              a presented server certificate. If omitted, the proxy
-                              will not verify the server''s certificate. Should be
-                              empty if mode is `ISTIO_MUTUAL`.'
-                            type: string
-                          clientCertificate:
-                            description: REQUIRED if mode is `MUTUAL`. The path to
-                              the file holding the client-side TLS certificate to
-                              use. Should be empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          mode:
-                            description: 'REQUIRED: Indicates whether connections
-                              to this port should be secured using TLS. The value
-                              of this field determines how TLS is enforced.'
-                            type: string
-                          privateKey:
-                            description: REQUIRED if mode is `MUTUAL`. The path to
-                              the file holding the client's private key. Should be
-                              empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          sni:
-                            description: SNI string to present to the server during
-                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          subjectAltNames:
-                            description: A list of alternate names to verify the subject
-                              identity in the certificate. If specified, the proxy
-                              will verify that the server certificate's subject alt
-                              name matches one of the specified values. Should be
-                              empty if mode is `ISTIO_MUTUAL`.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - mode
-                        type: object
-                    type: object
-                required:
-                - name
-                - labels
-                type: object
-              type: array
-            trafficPolicy:
-              description: Traffic policies to apply (load balancing policy, connection
-                pool sizes, outlier detection).
-              properties:
-                connectionPool:
-                  description: Settings controlling the volume of connections to an
-                    upstream service
-                  properties:
-                    http:
-                      description: HTTP connection pool settings.
-                      properties:
-                        maxRequestsPerConnection:
-                          description: Maximum number of requests per connection to
-                            a backend. Setting this parameter to 1 disables keep alive.
-                          format: int32
-                          type: integer
-                        maxRetries:
-                          description: Maximum number of retries that can be outstanding
-                            to all hosts in a cluster at a given time. Defaults to
-                            3.
-                          format: int32
-                          type: integer
-                      type: object
-                    tcp:
-                      description: Settings common to both HTTP and TCP upstream connections.
-                      properties:
-                        connectTimeout:
-                          description: TCP connection timeout.
-                          type: string
-                        maxConnections:
-                          description: Maximum number of HTTP1 /TCP connections to
-                            a destination host.
-                          format: int32
-                          type: integer
-                      type: object
-                  type: object
-                loadBalancer:
-                  description: Settings controlling the load balancer algorithms.
-                  properties:
-                    consistentHash:
-                      properties:
-                        httpCookie:
-                          description: Hash based on HTTP cookie.
-                          properties:
-                            name:
-                              description: REQUIRED. Name of the cookie.
-                              type: string
-                            path:
-                              description: Path to set for the cookie.
-                              type: string
-                            ttl:
-                              description: REQUIRED. Lifetime of the cookie.
-                              type: string
-                          required:
-                          - name
-                          - ttl
-                          type: object
-                        httpHeaderName:
-                          description: 'It is required to specify exactly one of the
-                            fields as hash key: HttpHeaderName, HttpCookie, or UseSourceIP.
-                            Hash based on a specific HTTP header.'
-                          type: string
-                        minimumRingSize:
-                          description: The minimum number of virtual nodes to use
-                            for the hash ring. Defaults to 1024. Larger ring sizes
-                            result in more granular load distributions. If the number
-                            of hosts in the load balancing pool is larger than the
-                            ring size, each host will be assigned a single virtual
-                            node.
-                          format: int64
-                          type: integer
-                        useSourceIp:
-                          description: Hash based on the source IP address.
-                          type: boolean
-                      type: object
-                    simple:
-                      description: 'It is required to specify exactly one of the fields:
-                        Simple or ConsistentHash'
-                      type: string
-                  type: object
-                outlierDetection:
-                  description: Settings controlling eviction of unhealthy hosts from
-                    the load balancing pool
-                  properties:
-                    baseEjectionTime:
-                      description: 'Minimum ejection duration. A host will remain
-                        ejected for a period equal to the product of minimum ejection
-                        duration and the number of times the host has been ejected.
-                        This technique allows the system to automatically increase
-                        the ejection period for unhealthy upstream servers. format:
-                        1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
-                      type: string
-                    consecutiveErrors:
-                      description: Number of errors before a host is ejected from
-                        the connection pool. Defaults to 5. When the upstream host
-                        is accessed over HTTP, a 5xx return code qualifies as an error.
-                        When the upstream host is accessed over an opaque TCP connection,
-                        connect timeouts and connection error/failure events qualify
-                        as an error.
-                      format: int32
-                      type: integer
-                    interval:
-                      description: 'Time interval between ejection sweep analysis.
-                        format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
-                      type: string
-                    maxEjectionPercent:
-                      description: Maximum % of hosts in the load balancing pool for
-                        the upstream service that can be ejected. Defaults to 10%.
-                      format: int32
-                      type: integer
-                  type: object
-                portLevelSettings:
-                  description: Traffic policies specific to individual ports. Note
-                    that port level settings will override the destination-level settings.
-                    Traffic settings specified at the destination-level will not be
-                    inherited when overridden by port-level settings, i.e. default
-                    values will be applied to fields omitted in port-level traffic
-                    policies.
-                  items:
-                    properties:
-                      connectionPool:
-                        description: Settings controlling the volume of connections
-                          to an upstream service
-                        properties:
-                          http:
-                            description: HTTP connection pool settings.
-                            properties:
-                              maxRequestsPerConnection:
-                                description: Maximum number of requests per connection
-                                  to a backend. Setting this parameter to 1 disables
-                                  keep alive.
-                                format: int32
-                                type: integer
-                              maxRetries:
-                                description: Maximum number of retries that can be
-                                  outstanding to all hosts in a cluster at a given
-                                  time. Defaults to 3.
-                                format: int32
-                                type: integer
-                            type: object
-                          tcp:
-                            description: Settings common to both HTTP and TCP upstream
-                              connections.
-                            properties:
-                              connectTimeout:
-                                description: TCP connection timeout.
-                                type: string
-                              maxConnections:
-                                description: Maximum number of HTTP1 /TCP connections
-                                  to a destination host.
-                                format: int32
-                                type: integer
-                            type: object
-                        type: object
-                      loadBalancer:
-                        description: Settings controlling the load balancer algorithms.
-                        properties:
-                          consistentHash:
-                            properties:
-                              httpCookie:
-                                description: Hash based on HTTP cookie.
-                                properties:
-                                  name:
-                                    description: REQUIRED. Name of the cookie.
-                                    type: string
-                                  path:
-                                    description: Path to set for the cookie.
-                                    type: string
-                                  ttl:
-                                    description: REQUIRED. Lifetime of the cookie.
-                                    type: string
-                                required:
-                                - name
-                                - ttl
-                                type: object
-                              httpHeaderName:
-                                description: 'It is required to specify exactly one
-                                  of the fields as hash key: HttpHeaderName, HttpCookie,
-                                  or UseSourceIP. Hash based on a specific HTTP header.'
-                                type: string
-                              minimumRingSize:
-                                description: The minimum number of virtual nodes to
-                                  use for the hash ring. Defaults to 1024. Larger
-                                  ring sizes result in more granular load distributions.
-                                  If the number of hosts in the load balancing pool
-                                  is larger than the ring size, each host will be
-                                  assigned a single virtual node.
-                                format: int64
-                                type: integer
-                              useSourceIp:
-                                description: Hash based on the source IP address.
-                                type: boolean
-                            type: object
-                          simple:
-                            description: 'It is required to specify exactly one of
-                              the fields: Simple or ConsistentHash'
-                            type: string
-                        type: object
-                      outlierDetection:
-                        description: Settings controlling eviction of unhealthy hosts
-                          from the load balancing pool
-                        properties:
-                          baseEjectionTime:
-                            description: 'Minimum ejection duration. A host will remain
-                              ejected for a period equal to the product of minimum
-                              ejection duration and the number of times the host has
-                              been ejected. This technique allows the system to automatically
-                              increase the ejection period for unhealthy upstream
-                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
-                              is 30s.'
-                            type: string
-                          consecutiveErrors:
-                            description: Number of errors before a host is ejected
-                              from the connection pool. Defaults to 5. When the upstream
-                              host is accessed over HTTP, a 5xx return code qualifies
-                              as an error. When the upstream host is accessed over
-                              an opaque TCP connection, connect timeouts and connection
-                              error/failure events qualify as an error.
-                            format: int32
-                            type: integer
-                          interval:
-                            description: 'Time interval between ejection sweep analysis.
-                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
-                            type: string
-                          maxEjectionPercent:
-                            description: Maximum % of hosts in the load balancing
-                              pool for the upstream service that can be ejected. Defaults
-                              to 10%.
-                            format: int32
-                            type: integer
-                        type: object
-                      port:
-                        description: Specifies the port name or number of a port on
-                          the destination service on which this policy is being applied.  Names
-                          must comply with DNS label syntax (rfc1035) and therefore
-                          cannot collide with numbers. If there are multiple ports
-                          on a service with the same protocol the names should be
-                          of the form <protocol-name>-<DNS label>.
-                        properties:
-                          name:
-                            description: Valid port name
-                            type: string
-                          number:
-                            description: Valid port number
-                            format: int32
-                            type: integer
-                        type: object
-                      tls:
-                        description: TLS related settings for connections to the upstream
-                          service.
-                        properties:
-                          caCertificates:
-                            description: 'OPTIONAL: The path to the file containing
-                              certificate authority certificates to use in verifying
-                              a presented server certificate. If omitted, the proxy
-                              will not verify the server''s certificate. Should be
-                              empty if mode is `ISTIO_MUTUAL`.'
-                            type: string
-                          clientCertificate:
-                            description: REQUIRED if mode is `MUTUAL`. The path to
-                              the file holding the client-side TLS certificate to
-                              use. Should be empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          mode:
-                            description: 'REQUIRED: Indicates whether connections
-                              to this port should be secured using TLS. The value
-                              of this field determines how TLS is enforced.'
-                            type: string
-                          privateKey:
-                            description: REQUIRED if mode is `MUTUAL`. The path to
-                              the file holding the client's private key. Should be
-                              empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          sni:
-                            description: SNI string to present to the server during
-                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          subjectAltNames:
-                            description: A list of alternate names to verify the subject
-                              identity in the certificate. If specified, the proxy
-                              will verify that the server certificate's subject alt
-                              name matches one of the specified values. Should be
-                              empty if mode is `ISTIO_MUTUAL`.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - mode
-                        type: object
-                    required:
-                    - port
-                    type: object
-                  type: array
-                tls:
-                  description: TLS related settings for connections to the upstream
-                    service.
-                  properties:
-                    caCertificates:
-                      description: 'OPTIONAL: The path to the file containing certificate
-                        authority certificates to use in verifying a presented server
-                        certificate. If omitted, the proxy will not verify the server''s
-                        certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
-                      type: string
-                    clientCertificate:
-                      description: REQUIRED if mode is `MUTUAL`. The path to the file
-                        holding the client-side TLS certificate to use. Should be
-                        empty if mode is `ISTIO_MUTUAL`.
-                      type: string
-                    mode:
-                      description: 'REQUIRED: Indicates whether connections to this
-                        port should be secured using TLS. The value of this field
-                        determines how TLS is enforced.'
-                      type: string
-                    privateKey:
-                      description: REQUIRED if mode is `MUTUAL`. The path to the file
-                        holding the client's private key. Should be empty if mode
-                        is `ISTIO_MUTUAL`.
-                      type: string
-                    sni:
-                      description: SNI string to present to the server during TLS
-                        handshake. Should be empty if mode is `ISTIO_MUTUAL`.
-                      type: string
-                    subjectAltNames:
-                      description: A list of alternate names to verify the subject
-                        identity in the certificate. If specified, the proxy will
-                        verify that the server certificate's subject alt name matches
-                        one of the specified values. Should be empty if mode is `ISTIO_MUTUAL`.
-                      items:
-                        type: string
-                      type: array
-                  required:
-                  - mode
-                  type: object
-              type: object
-          required:
-          - host
-          type: object
-      required:
-      - spec
-  version: v1alpha3
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/istio_v1alpha3_gateway.yaml
+++ b/config/crds/istio_v1alpha3_gateway.yaml
@@ -1,129 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: gateways.istio.kubesphere.io
-spec:
-  group: istio.kubesphere.io
-  names:
-    kind: Gateway
-    plural: gateways
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            selector:
-              description: One or more labels that indicate a specific set of pods/VMs
-                on which this gateway configuration should be applied. If no selectors
-                are provided, the gateway will be implemented by the default istio-ingress
-                controller.
-              type: object
-            servers:
-              description: 'REQUIRED: A list of server specifications.'
-              items:
-                properties:
-                  hosts:
-                    description: A list of hosts exposed by this gateway. While typically
-                      applicable to HTTP services, it can also be used for TCP services
-                      using TLS with SNI. Standard DNS wildcard prefix syntax is permitted.  A
-                      VirtualService that is bound to a gateway must having a matching
-                      host in its default destination. Specifically one of the VirtualService
-                      destination hosts is a strict suffix of a gateway host or a
-                      gateway host is a suffix of one of the VirtualService hosts.
-                    items:
-                      type: string
-                    type: array
-                  port:
-                    description: 'REQUIRED: The Port on which the proxy should listen
-                      for incoming connections'
-                    properties:
-                      name:
-                        description: Label assigned to the port.
-                        type: string
-                      number:
-                        description: 'REQUIRED: A valid non-negative integer port
-                          number.'
-                        format: int64
-                        type: integer
-                      protocol:
-                        description: 'REQUIRED: The protocol exposed on the port.
-                          MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP.'
-                        type: string
-                    required:
-                    - number
-                    - protocol
-                    type: object
-                  tls:
-                    description: Set of TLS related options that govern the server's
-                      behavior. Use these options to control if all http requests
-                      should be redirected to https, and the TLS modes to use.
-                    properties:
-                      caCertificates:
-                        description: REQUIRED if mode is "MUTUAL". The path to a file
-                          containing certificate authority certificates to use in
-                          verifying a presented client side certificate.
-                        type: string
-                      httpsRedirect:
-                        description: If set to true, the load balancer will send a
-                          302 redirect for all http connections, asking the clients
-                          to use HTTPS.
-                        type: boolean
-                      mode:
-                        description: 'Optional: Indicates whether connections to this
-                          port should be secured using TLS. The value of this field
-                          determines how TLS is enforced.'
-                        type: string
-                      privateKey:
-                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
-                          path to the file holding the server's private key.
-                        type: string
-                      serverCertificate:
-                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
-                          path to the file holding the server-side TLS certificate
-                          to use.
-                        type: string
-                      subjectAltNames:
-                        description: A list of alternate names to verify the subject
-                          identity in the certificate presented by the client.
-                        items:
-                          type: string
-                        type: array
-                    required:
-                    - httpsRedirect
-                    - serverCertificate
-                    - privateKey
-                    - caCertificates
-                    - subjectAltNames
-                    type: object
-                required:
-                - port
-                type: object
-              type: array
-          required:
-          - servers
-          type: object
-      required:
-      - spec
-  version: v1alpha3
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/istio_v1alpha3_virtualservice.yaml
+++ b/config/crds/istio_v1alpha3_virtualservice.yaml
@@ -1,695 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: virtualservices.istio.kubesphere.io
-spec:
-  group: istio.kubesphere.io
-  names:
-    kind: VirtualService
-    plural: virtualservices
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            gateways:
-              description: The names of gateways and sidecars that should apply these
-                routes. A single VirtualService is used for sidecars inside the mesh
-                as well as for one or more gateways. The selection condition imposed
-                by this field can be overridden using the source field in the match
-                conditions of HTTP/TCP routes. The reserved word "mesh" is used to
-                imply all the sidecars in the mesh. When this field is omitted, the
-                default gateway ("mesh") will be used, which would apply the rule
-                to all sidecars in the mesh. If a list of gateway names is provided,
-                the rules will apply only to the gateways. To apply the rules to both
-                gateways and sidecars, specify "mesh" as one of the gateway names.
-              items:
-                type: string
-              type: array
-            hosts:
-              description: REQUIRED. The destination address for traffic captured
-                by this virtual service. Could be a DNS name with wildcard prefix
-                or a CIDR prefix. Depending on the platform, short-names can also
-                be used instead of a FQDN (i.e. has no dots in the name). In such
-                a scenario, the FQDN of the host would be derived based on the underlying
-                platform.  For example on Kubernetes, when hosts contains a short
-                name, Istio will interpret the short name based on the namespace of
-                the rule. Thus, when a client namespace applies a rule in the "default"
-                namespace containing a name "reviews, Istio will setup routes to the
-                "reviews.default.svc.cluster.local" service. However, if a different
-                name such as "reviews.sales.svc.cluster.local" is used, it would be
-                treated as a FQDN during virtual host matching. In Consul, a plain
-                service name would be resolved to the FQDN "reviews.service.consul".  Note
-                that the hosts field applies to both HTTP and TCP services. Service
-                inside the mesh, i.e., those found in the service registry, must always
-                be referred to using their alphanumeric names. IP addresses or CIDR
-                prefixes are allowed only for services defined via the Gateway.
-              items:
-                type: string
-              type: array
-            http:
-              description: An ordered list of route rules for HTTP traffic. The first
-                rule matching an incoming request is used.
-              items:
-                properties:
-                  appendHeaders:
-                    description: Additional HTTP headers to add before forwarding
-                      a request to the destination service.
-                    type: object
-                  corsPolicy:
-                    description: Cross-Origin Resource Sharing policy
-                    properties:
-                      allowCredentials:
-                        description: Indicates whether the caller is allowed to send
-                          the actual request (not the preflight) using credentials.
-                          Translates to Access-Control-Allow-Credentials header.
-                        type: boolean
-                      allowHeaders:
-                        description: List of HTTP headers that can be used when requesting
-                          the resource. Serialized to Access-Control-Allow-Methods
-                          header.
-                        items:
-                          type: string
-                        type: array
-                      allowMethods:
-                        description: List of HTTP methods allowed to access the resource.
-                          The content will be serialized into the Access-Control-Allow-Methods
-                          header.
-                        items:
-                          type: string
-                        type: array
-                      allowOrigin:
-                        description: The list of origins that are allowed to perform
-                          CORS requests. The content will be serialized into the Access-Control-Allow-Origin
-                          header. Wildcard * will allow all origins.
-                        items:
-                          type: string
-                        type: array
-                      exposeHeaders:
-                        description: A white list of HTTP headers that the browsers
-                          are allowed to access. Serialized into Access-Control-Expose-Headers
-                          header.
-                        items:
-                          type: string
-                        type: array
-                      maxAge:
-                        description: Specifies how long the the results of a preflight
-                          request can be cached. Translates to the Access-Control-Max-Age
-                          header.
-                        type: string
-                    type: object
-                  fault:
-                    description: Fault injection policy to apply on HTTP traffic.
-                    properties:
-                      abort:
-                        description: Abort Http request attempts and return error
-                          codes back to downstream service, giving the impression
-                          that the upstream service is faulty.
-                        properties:
-                          httpStatus:
-                            description: REQUIRED. HTTP status code to use to abort
-                              the Http request.
-                            format: int64
-                            type: integer
-                          percent:
-                            description: Percentage of requests to be aborted with
-                              the error code provided (0-100).
-                            format: int64
-                            type: integer
-                        required:
-                        - httpStatus
-                        type: object
-                      delay:
-                        description: Delay requests before forwarding, emulating various
-                          failures such as network issues, overloaded upstream service,
-                          etc.
-                        properties:
-                          exponentialDelay:
-                            description: (-- Add a delay (based on an exponential
-                              function) before forwarding the request. mean delay
-                              needed to derive the exponential delay values --)
-                            type: string
-                          fixedDelay:
-                            description: 'REQUIRED. Add a fixed delay before forwarding
-                              the request. Format: 1h/1m/1s/1ms. MUST be >=1ms.'
-                            type: string
-                          percent:
-                            description: Percentage of requests on which the delay
-                              will be injected (0-100).
-                            format: int64
-                            type: integer
-                        required:
-                        - fixedDelay
-                        type: object
-                    type: object
-                  match:
-                    description: Match conditions to be satisfied for the rule to
-                      be activated. All conditions inside a single match block have
-                      AND semantics, while the list of match blocks have OR semantics.
-                      The rule is matched if any one of the match blocks succeed.
-                    items:
-                      properties:
-                        authority:
-                          description: 'HTTP Authority values are case-sensitive and
-                            formatted as follows:  - `exact: "value"` for exact string
-                            match  - `prefix: "value"` for prefix-based match  - `regex:
-                            "value"` for ECMAscript style regex-based match'
-                          properties:
-                            exact:
-                              description: exact string match
-                              type: string
-                            prefix:
-                              description: prefix-based match
-                              type: string
-                            regex:
-                              description: ECMAscript style regex-based match
-                              type: string
-                            suffix:
-                              description: suffix-based match.
-                              type: string
-                          type: object
-                        gateways:
-                          description: Names of gateways where the rule should be
-                            applied to. Gateway names at the top of the VirtualService
-                            (if any) are overridden. The gateway match is independent
-                            of sourceLabels.
-                          items:
-                            type: string
-                          type: array
-                        headers:
-                          description: 'The header keys must be lowercase and use
-                            hyphen as the separator, e.g. _x-request-id_.  Header
-                            values are case-sensitive and formatted as follows:  -
-                            `exact: "value"` for exact string match  - `prefix: "value"`
-                            for prefix-based match  - `regex: "value"` for ECMAscript
-                            style regex-based match  **Note:** The keys `uri`, `scheme`,
-                            `method`, and `authority` will be ignored.'
-                          type: object
-                        method:
-                          description: 'HTTP Method values are case-sensitive and
-                            formatted as follows:  - `exact: "value"` for exact string
-                            match  - `prefix: "value"` for prefix-based match  - `regex:
-                            "value"` for ECMAscript style regex-based match'
-                          properties:
-                            exact:
-                              description: exact string match
-                              type: string
-                            prefix:
-                              description: prefix-based match
-                              type: string
-                            regex:
-                              description: ECMAscript style regex-based match
-                              type: string
-                            suffix:
-                              description: suffix-based match.
-                              type: string
-                          type: object
-                        port:
-                          description: Specifies the ports on the host that is being
-                            addressed. Many services only expose a single port or
-                            label ports with the protocols they support, in these
-                            cases it is not required to explicitly select the port.
-                          format: int32
-                          type: integer
-                        scheme:
-                          description: 'URI Scheme values are case-sensitive and formatted
-                            as follows:  - `exact: "value"` for exact string match  -
-                            `prefix: "value"` for prefix-based match  - `regex: "value"`
-                            for ECMAscript style regex-based match'
-                          properties:
-                            exact:
-                              description: exact string match
-                              type: string
-                            prefix:
-                              description: prefix-based match
-                              type: string
-                            regex:
-                              description: ECMAscript style regex-based match
-                              type: string
-                            suffix:
-                              description: suffix-based match.
-                              type: string
-                          type: object
-                        sourceLabels:
-                          description: One or more labels that constrain the applicability
-                            of a rule to workloads with the given labels. If the VirtualService
-                            has a list of gateways specified at the top, it should
-                            include the reserved gateway `mesh` in order for this
-                            field to be applicable.
-                          type: object
-                        uri:
-                          description: 'URI to match values are case-sensitive and
-                            formatted as follows:  - `exact: "value"` for exact string
-                            match  - `prefix: "value"` for prefix-based match  - `regex:
-                            "value"` for ECMAscript style regex-based match'
-                          properties:
-                            exact:
-                              description: exact string match
-                              type: string
-                            prefix:
-                              description: prefix-based match
-                              type: string
-                            regex:
-                              description: ECMAscript style regex-based match
-                              type: string
-                            suffix:
-                              description: suffix-based match.
-                              type: string
-                          type: object
-                      type: object
-                    type: array
-                  mirror:
-                    description: Mirror HTTP traffic to a another destination in addition
-                      to forwarding the requests to the intended destination. Mirrored
-                      traffic is on a best effort basis where the sidecar/gateway
-                      will not wait for the mirrored cluster to respond before returning
-                      the response from the original destination.  Statistics will
-                      be generated for the mirrored destination.
-                    properties:
-                      host:
-                        description: 'REQUIRED. The name of a service from the service
-                          registry. Service names are looked up from the platform''s
-                          service registry (e.g., Kubernetes services, Consul services,
-                          etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
-                          Traffic forwarded to destinations that are not found in
-                          either of the two, will be dropped.  *Note for Kubernetes
-                          users*: When short names are used (e.g. "reviews" instead
-                          of "reviews.default.svc.cluster.local"), Istio will interpret
-                          the short name based on the namespace of the rule, not the
-                          service. A rule in the "default" namespace containing a
-                          host "reviews will be interpreted as "reviews.default.svc.cluster.local",
-                          irrespective of the actual namespace associated with the
-                          reviews service. _To avoid potential misconfigurations,
-                          it is recommended to always use fully qualified domain names
-                          over short names._'
-                        type: string
-                      port:
-                        description: Specifies the port on the host that is being
-                          addressed. If a service exposes only a single port it is
-                          not required to explicitly select the port.
-                        properties:
-                          name:
-                            description: Valid port name
-                            type: string
-                          number:
-                            description: Valid port number
-                            format: int32
-                            type: integer
-                        type: object
-                      subset:
-                        description: The name of a subset within the service. Applicable
-                          only to services within the mesh. The subset must be defined
-                          in a corresponding DestinationRule.
-                        type: string
-                    required:
-                    - host
-                    type: object
-                  redirect:
-                    description: A http rule can either redirect or forward (default)
-                      traffic. If traffic passthrough option is specified in the rule,
-                      route/redirect will be ignored. The redirect primitive can be
-                      used to send a HTTP 302 redirect to a different URI or Authority.
-                    properties:
-                      authority:
-                        description: On a redirect, overwrite the Authority/Host portion
-                          of the URL with this value.
-                        type: string
-                      uri:
-                        description: On a redirect, overwrite the Path portion of
-                          the URL with this value. Note that the entire path will
-                          be replaced, irrespective of the request URI being matched
-                          as an exact path or prefix.
-                        type: string
-                    type: object
-                  removeResponseHeaders:
-                    description: Http headers to remove before returning the response
-                      to the caller
-                    type: object
-                  retries:
-                    description: Retry policy for HTTP requests.
-                    properties:
-                      attempts:
-                        description: REQUIRED. Number of retries for a given request.
-                          The interval between retries will be determined automatically
-                          (25ms+). Actual number of retries attempted depends on the
-                          httpReqTimeout.
-                        format: int64
-                        type: integer
-                      perTryTimeout:
-                        description: 'Timeout per retry attempt for a given request.
-                          format: 1h/1m/1s/1ms. MUST BE >=1ms.'
-                        type: string
-                    required:
-                    - attempts
-                    - perTryTimeout
-                    type: object
-                  rewrite:
-                    description: Rewrite HTTP URIs and Authority headers. Rewrite
-                      cannot be used with Redirect primitive. Rewrite will be performed
-                      before forwarding.
-                    properties:
-                      authority:
-                        description: rewrite the Authority/Host header with this value.
-                        type: string
-                      uri:
-                        description: rewrite the path (or the prefix) portion of the
-                          URI with this value. If the original URI was matched based
-                          on prefix, the value provided in this field will replace
-                          the corresponding matched prefix.
-                        type: string
-                    type: object
-                  route:
-                    description: A http rule can either redirect or forward (default)
-                      traffic. The forwarding target can be one of several versions
-                      of a service (see glossary in beginning of document). Weights
-                      associated with the service version determine the proportion
-                      of traffic it receives.
-                    items:
-                      properties:
-                        destination:
-                          description: REQUIRED. Destination uniquely identifies the
-                            instances of a service to which the request/connection
-                            should be forwarded to.
-                          properties:
-                            host:
-                              description: 'REQUIRED. The name of a service from the
-                                service registry. Service names are looked up from
-                                the platform''s service registry (e.g., Kubernetes
-                                services, Consul services, etc.) and from the hosts
-                                declared by [ServiceEntry](#ServiceEntry). Traffic
-                                forwarded to destinations that are not found in either
-                                of the two, will be dropped.  *Note for Kubernetes
-                                users*: When short names are used (e.g. "reviews"
-                                instead of "reviews.default.svc.cluster.local"), Istio
-                                will interpret the short name based on the namespace
-                                of the rule, not the service. A rule in the "default"
-                                namespace containing a host "reviews will be interpreted
-                                as "reviews.default.svc.cluster.local", irrespective
-                                of the actual namespace associated with the reviews
-                                service. _To avoid potential misconfigurations, it
-                                is recommended to always use fully qualified domain
-                                names over short names._'
-                              type: string
-                            port:
-                              description: Specifies the port on the host that is
-                                being addressed. If a service exposes only a single
-                                port it is not required to explicitly select the port.
-                              properties:
-                                name:
-                                  description: Valid port name
-                                  type: string
-                                number:
-                                  description: Valid port number
-                                  format: int32
-                                  type: integer
-                              type: object
-                            subset:
-                              description: The name of a subset within the service.
-                                Applicable only to services within the mesh. The subset
-                                must be defined in a corresponding DestinationRule.
-                              type: string
-                          required:
-                          - host
-                          type: object
-                        weight:
-                          description: REQUIRED. The proportion of traffic to be forwarded
-                            to the service version. (0-100). Sum of weights across
-                            destinations SHOULD BE == 100. If there is only destination
-                            in a rule, the weight value is assumed to be 100.
-                          format: int64
-                          type: integer
-                      required:
-                      - destination
-                      - weight
-                      type: object
-                    type: array
-                  timeout:
-                    description: Timeout for HTTP requests.
-                    type: string
-                  websocketUpgrade:
-                    description: Indicates that a HTTP/1.1 client connection to this
-                      particular route should be allowed (and expected) to upgrade
-                      to a WebSocket connection. The default is false. Istio's reference
-                      sidecar implementation (Envoy) expects the first request to
-                      this route to contain the WebSocket upgrade headers. Otherwise,
-                      the request will be rejected. Note that Websocket allows secondary
-                      protocol negotiation which may then be subject to further routing
-                      rules based on the protocol selected.
-                    type: boolean
-                type: object
-              type: array
-            tcp:
-              description: An ordered list of route rules for TCP traffic. The first
-                rule matching an incoming request is used.
-              items:
-                properties:
-                  match:
-                    description: Match conditions to be satisfied for the rule to
-                      be activated. All conditions inside a single match block have
-                      AND semantics, while the list of match blocks have OR semantics.
-                      The rule is matched if any one of the match blocks succeed.
-                    items:
-                      properties:
-                        destinationSubnets:
-                          description: IPv4 or IPv6 ip address of destination with
-                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
-                          items:
-                            type: string
-                          type: array
-                        gateways:
-                          description: Names of gateways where the rule should be
-                            applied to. Gateway names at the top of the VirtualService
-                            (if any) are overridden. The gateway match is independent
-                            of sourceLabels.
-                          items:
-                            type: string
-                          type: array
-                        port:
-                          description: Specifies the port on the host that is being
-                            addressed. Many services only expose a single port or
-                            label ports with the protocols they support, in these
-                            cases it is not required to explicitly select the port.
-                          format: int64
-                          type: integer
-                        sourceLabels:
-                          description: One or more labels that constrain the applicability
-                            of a rule to workloads with the given labels. If the VirtualService
-                            has a list of gateways specified at the top, it should
-                            include the reserved gateway `mesh` in order for this
-                            field to be applicable.
-                          type: object
-                      type: object
-                    type: array
-                  route:
-                    description: The destinations to which the connection should be
-                      forwarded to. Weights must add to 100%.
-                    items:
-                      properties:
-                        destination:
-                          description: REQUIRED. Destination uniquely identifies the
-                            instances of a service to which the request/connection
-                            should be forwarded to.
-                          properties:
-                            host:
-                              description: 'REQUIRED. The name of a service from the
-                                service registry. Service names are looked up from
-                                the platform''s service registry (e.g., Kubernetes
-                                services, Consul services, etc.) and from the hosts
-                                declared by [ServiceEntry](#ServiceEntry). Traffic
-                                forwarded to destinations that are not found in either
-                                of the two, will be dropped.  *Note for Kubernetes
-                                users*: When short names are used (e.g. "reviews"
-                                instead of "reviews.default.svc.cluster.local"), Istio
-                                will interpret the short name based on the namespace
-                                of the rule, not the service. A rule in the "default"
-                                namespace containing a host "reviews will be interpreted
-                                as "reviews.default.svc.cluster.local", irrespective
-                                of the actual namespace associated with the reviews
-                                service. _To avoid potential misconfigurations, it
-                                is recommended to always use fully qualified domain
-                                names over short names._'
-                              type: string
-                            port:
-                              description: Specifies the port on the host that is
-                                being addressed. If a service exposes only a single
-                                port it is not required to explicitly select the port.
-                              properties:
-                                name:
-                                  description: Valid port name
-                                  type: string
-                                number:
-                                  description: Valid port number
-                                  format: int32
-                                  type: integer
-                              type: object
-                            subset:
-                              description: The name of a subset within the service.
-                                Applicable only to services within the mesh. The subset
-                                must be defined in a corresponding DestinationRule.
-                              type: string
-                          required:
-                          - host
-                          type: object
-                        weight:
-                          description: REQUIRED. The proportion of traffic to be forwarded
-                            to the service version. (0-100). Sum of weights across
-                            destinations SHOULD BE == 100. If there is only destination
-                            in a rule, the weight value is assumed to be 100.
-                          format: int64
-                          type: integer
-                      required:
-                      - destination
-                      - weight
-                      type: object
-                    type: array
-                required:
-                - match
-                - route
-                type: object
-              type: array
-            tls:
-              items:
-                properties:
-                  match:
-                    description: REQUIRED. Match conditions to be satisfied for the
-                      rule to be activated. All conditions inside a single match block
-                      have AND semantics, while the list of match blocks have OR semantics.
-                      The rule is matched if any one of the match blocks succeed.
-                    items:
-                      properties:
-                        destinationSubnets:
-                          description: IPv4 or IPv6 ip addresses of destination with
-                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
-                          items:
-                            type: string
-                          type: array
-                        gateways:
-                          description: Names of gateways where the rule should be
-                            applied to. Gateway names at the top of the VirtualService
-                            (if any) are overridden. The gateway match is independent
-                            of sourceLabels.
-                          items:
-                            type: string
-                          type: array
-                        port:
-                          description: Specifies the port on the host that is being
-                            addressed. Many services only expose a single port or
-                            label ports with the protocols they support, in these
-                            cases it is not required to explicitly select the port.
-                          format: int64
-                          type: integer
-                        sniHosts:
-                          description: REQUIRED. SNI (server name indicator) to match
-                            on. Wildcard prefixes can be used in the SNI value, e.g.,
-                            *.com will match foo.example.com as well as example.com.
-                            An SNI value must be a subset (i.e., fall within the domain)
-                            of the corresponding virtual service's hosts
-                          items:
-                            type: string
-                          type: array
-                        sourceLabels:
-                          description: One or more labels that constrain the applicability
-                            of a rule to workloads with the given labels. If the VirtualService
-                            has a list of gateways specified at the top, it should
-                            include the reserved gateway `mesh` in order for this
-                            field to be applicable.
-                          type: object
-                      required:
-                      - sniHosts
-                      type: object
-                    type: array
-                  route:
-                    description: The destination to which the connection should be
-                      forwarded to.
-                    items:
-                      properties:
-                        destination:
-                          description: REQUIRED. Destination uniquely identifies the
-                            instances of a service to which the request/connection
-                            should be forwarded to.
-                          properties:
-                            host:
-                              description: 'REQUIRED. The name of a service from the
-                                service registry. Service names are looked up from
-                                the platform''s service registry (e.g., Kubernetes
-                                services, Consul services, etc.) and from the hosts
-                                declared by [ServiceEntry](#ServiceEntry). Traffic
-                                forwarded to destinations that are not found in either
-                                of the two, will be dropped.  *Note for Kubernetes
-                                users*: When short names are used (e.g. "reviews"
-                                instead of "reviews.default.svc.cluster.local"), Istio
-                                will interpret the short name based on the namespace
-                                of the rule, not the service. A rule in the "default"
-                                namespace containing a host "reviews will be interpreted
-                                as "reviews.default.svc.cluster.local", irrespective
-                                of the actual namespace associated with the reviews
-                                service. _To avoid potential misconfigurations, it
-                                is recommended to always use fully qualified domain
-                                names over short names._'
-                              type: string
-                            port:
-                              description: Specifies the port on the host that is
-                                being addressed. If a service exposes only a single
-                                port it is not required to explicitly select the port.
-                              properties:
-                                name:
-                                  description: Valid port name
-                                  type: string
-                                number:
-                                  description: Valid port number
-                                  format: int32
-                                  type: integer
-                              type: object
-                            subset:
-                              description: The name of a subset within the service.
-                                Applicable only to services within the mesh. The subset
-                                must be defined in a corresponding DestinationRule.
-                              type: string
-                          required:
-                          - host
-                          type: object
-                        weight:
-                          description: REQUIRED. The proportion of traffic to be forwarded
-                            to the service version. (0-100). Sum of weights across
-                            destinations SHOULD BE == 100. If there is only destination
-                            in a rule, the weight value is assumed to be 100.
-                          format: int64
-                          type: integer
-                      required:
-                      - destination
-                      - weight
-                      type: object
-                    type: array
-                required:
-                - match
-                - route
-                type: object
-              type: array
-          required:
-          - hosts
-          type: object
-      required:
-      - spec
-  version: v1alpha3
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/network.kubesphere.io_ipamblocks.yaml
+++ b/config/crds/network.kubesphere.io_ipamblocks.yaml
@@ -0,0 +1,76 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: ipamblocks.network.kubesphere.io
+spec:
+  group: network.kubesphere.io
+  names:
+    kind: IPAMBlock
+    listKind: IPAMBlockList
+    plural: ipamblocks
+    singular: ipamblock
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of the IPAMBlock.
+            properties:
+              allocations:
+                items:
+                  type: integer
+                type: array
+              attributes:
+                items:
+                  properties:
+                    handle_id:
+                      type: string
+                    secondary:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  type: object
+                type: array
+              cidr:
+                type: string
+              deleted:
+                type: boolean
+              id:
+                format: int32
+                type: integer
+              unallocated:
+                items:
+                  type: integer
+                type: array
+            required:
+            - allocations
+            - attributes
+            - cidr
+            - deleted
+            - id
+            - unallocated
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/network.kubesphere.io_ipamhandles.yaml
+++ b/config/crds/network.kubesphere.io_ipamhandles.yaml
@@ -0,0 +1,55 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: ipamhandles.network.kubesphere.io
+spec:
+  group: network.kubesphere.io
+  names:
+    kind: IPAMHandle
+    listKind: IPAMHandleList
+    plural: ipamhandles
+    singular: ipamhandle
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of the IPAMHandle.
+            properties:
+              block:
+                additionalProperties:
+                  type: integer
+                type: object
+              deleted:
+                type: boolean
+              handleID:
+                type: string
+            required:
+            - block
+            - deleted
+            - handleID
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/network.kubesphere.io_ippools.yaml
+++ b/config/crds/network.kubesphere.io_ippools.yaml
@@ -0,0 +1,130 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: ippools.network.kubesphere.io
+spec:
+  group: network.kubesphere.io
+  names:
+    kind: IPPool
+    listKind: IPPoolList
+    plural: ippools
+    singular: ippool
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              blockSize:
+                description: The block size to use for IP address assignments from this pool. Defaults to 26 for IPv4 and 112 for IPv6.
+                type: integer
+              cidr:
+                description: The pool CIDR.
+                type: string
+              disabled:
+                description: When disabled is true, IPAM will not assign addresses from this pool.
+                type: boolean
+              dns:
+                description: DNS contains values interesting for DNS resolvers
+                properties:
+                  domain:
+                    type: string
+                  nameservers:
+                    items:
+                      type: string
+                    type: array
+                  options:
+                    items:
+                      type: string
+                    type: array
+                  search:
+                    items:
+                      type: string
+                    type: array
+                type: object
+              gateway:
+                type: string
+              rangeEnd:
+                description: The last ip, inclusive
+                type: string
+              rangeStart:
+                description: The first ip, inclusive
+                type: string
+              routes:
+                items:
+                  properties:
+                    dst:
+                      type: string
+                    gateway:
+                      type: string
+                  type: object
+                type: array
+              type:
+                type: string
+              vlanConfig:
+                properties:
+                  master:
+                    type: string
+                  vlanId:
+                    format: int32
+                    type: integer
+                required:
+                - master
+                - vlanId
+                type: object
+            required:
+            - cidr
+            - type
+            type: object
+          status:
+            properties:
+              allocations:
+                type: integer
+              capacity:
+                type: integer
+              reserved:
+                type: integer
+              synced:
+                type: boolean
+              unallocated:
+                type: integer
+              workspaces:
+                additionalProperties:
+                  properties:
+                    allocations:
+                      type: integer
+                  required:
+                  - allocations
+                  type: object
+                type: object
+            required:
+            - allocations
+            - capacity
+            - unallocated
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml
+++ b/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml
@@ -0,0 +1,179 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: namespacenetworkpolicies.network.kubesphere.io
+spec:
+  group: network.kubesphere.io
+  names:
+    categories:
+    - networking
+    kind: NamespaceNetworkPolicy
+    listKind: NamespaceNetworkPolicyList
+    plural: namespacenetworkpolicies
+    shortNames:
+    - nsnp
+    singular: namespacenetworkpolicy
+  scope: Namespaced
+  preserveUnknownFields: false
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: NamespaceNetworkPolicySpec provides the specification of a NamespaceNetworkPolicy
+            properties:
+              egress:
+                description: List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
+                items:
+                  description: NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8
+                  properties:
+                    ports:
+                      description: List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+                      items:
+                        description: NetworkPolicyPort describes a port to allow traffic on
+                        properties:
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                            x-kubernetes-int-or-string: true
+                          protocol:
+                            default: TCP
+                            description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+                            type: string
+                        type: object
+                      type: array
+                    to:
+                      description: List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
+                      items:
+                        description: NetworkPolicyPeer describes a peer to allow traffic from. Only certain combinations of fields are allowed
+                        properties:
+                          ipBlock:
+                            description: IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+                            properties:
+                              cidr:
+                                description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
+                                type: string
+                              except:
+                                description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
+                                items:
+                                  type: string
+                                type: array
+                            required:
+                            - cidr
+                            type: object
+                          namespace:
+                            properties:
+                              name:
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          service:
+                            properties:
+                              name:
+                                type: string
+                              namespace:
+                                type: string
+                            required:
+                            - name
+                            - namespace
+                            type: object
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              ingress:
+                description: List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
+                items:
+                  description: NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+                  properties:
+                    from:
+                      description: List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
+                      items:
+                        description: NetworkPolicyPeer describes a peer to allow traffic from. Only certain combinations of fields are allowed
+                        properties:
+                          ipBlock:
+                            description: IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+                            properties:
+                              cidr:
+                                description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
+                                type: string
+                              except:
+                                description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
+                                items:
+                                  type: string
+                                type: array
+                            required:
+                            - cidr
+                            type: object
+                          namespace:
+                            properties:
+                              name:
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          service:
+                            properties:
+                              name:
+                                type: string
+                              namespace:
+                                type: string
+                            required:
+                            - name
+                            - namespace
+                            type: object
+                        type: object
+                      type: array
+                    ports:
+                      description: List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+                      items:
+                        description: NetworkPolicyPort describes a port to allow traffic on
+                        properties:
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                            x-kubernetes-int-or-string: true
+                          protocol:
+                            default: TCP
+                            description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+                            type: string
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              policyTypes:
+                description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                items:
+                  description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/quota.kubesphere.io_resourcequotas.yaml
+++ b/config/crds/quota.kubesphere.io_resourcequotas.yaml
@@ -0,0 +1,161 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: resourcequotas.quota.kubesphere.io
+spec:
+  group: quota.kubesphere.io
+  names:
+    categories:
+    - quota
+    kind: ResourceQuota
+    listKind: ResourceQuotaList
+    plural: resourcequotas
+    singular: resourcequota
+  scope: Cluster
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: WorkspaceResourceQuota sets aggregate quota restrictions enforced per workspace
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired quota
+            properties:
+              quota:
+                description: Quota defines the desired quota
+                properties:
+                  hard:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: 'hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
+                    type: object
+                  scopeSelector:
+                    description: scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.
+                    properties:
+                      matchExpressions:
+                        description: A list of scope selector requirements by scope of the resources.
+                        items:
+                          description: A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.
+                          properties:
+                            operator:
+                              description: Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.
+                              type: string
+                            scopeName:
+                              description: The name of the scope that the selector applies to.
+                              type: string
+                            values:
+                              description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - operator
+                          - scopeName
+                          type: object
+                        type: array
+                    type: object
+                  scopes:
+                    description: A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.
+                    items:
+                      description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota
+                      type: string
+                    type: array
+                type: object
+              selector:
+                additionalProperties:
+                  type: string
+                description: LabelSelector is used to select projects by label.
+                type: object
+            required:
+            - quota
+            - selector
+            type: object
+          status:
+            description: Status defines the actual enforced quota and its current usage
+            properties:
+              namespaces:
+                description: Namespaces slices the usage by project.
+                items:
+                  description: ResourceQuotaStatusByNamespace gives status for a particular project
+                  properties:
+                    hard:
+                      additionalProperties:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                        x-kubernetes-int-or-string: true
+                      description: 'Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
+                      type: object
+                    namespace:
+                      description: Namespace the project this status applies to
+                      type: string
+                    used:
+                      additionalProperties:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                        x-kubernetes-int-or-string: true
+                      description: Used is the current observed total usage of the resource in the namespace.
+                      type: object
+                  required:
+                  - namespace
+                  type: object
+                type: array
+              total:
+                description: Total defines the actual enforced quota and its current usage across all projects
+                properties:
+                  hard:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: 'Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
+                    type: object
+                  used:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: Used is the current observed total usage of the resource in the namespace.
+                    type: object
+                type: object
+            required:
+            - namespaces
+            - total
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/servicemesh.kubesphere.io_servicepolicies.yaml
+++ b/config/crds/servicemesh.kubesphere.io_servicepolicies.yaml
--- a/config/crds/servicemesh.kubesphere.io_strategies.yaml
+++ b/config/crds/servicemesh.kubesphere.io_strategies.yaml
@@ -0,0 +1,911 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: strategies.servicemesh.kubesphere.io
+spec:
+  group: servicemesh.kubesphere.io
+  names:
+    kind: Strategy
+    listKind: StrategyList
+    plural: strategies
+    singular: strategy
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: type of strategy
+      jsonPath: .spec.type
+      name: Type
+      type: string
+    - description: destination hosts
+      jsonPath: .spec.template.spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: Strategy is the Schema for the strategies API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: StrategySpec defines the desired state of Strategy
+            properties:
+              governor:
+                description: Governor version, the version takes control of all incoming traffic label version value
+                type: string
+              principal:
+                description: Principal version, the one as reference version label version value
+                type: string
+              selector:
+                description: Label selector for virtual services.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+              strategyPolicy:
+                description: strategy policy, how the strategy will be applied by the strategy controller
+                type: string
+              template:
+                description: Template describes the virtual service that will be created.
+                properties:
+                  metadata:
+                    description: Metadata of the virtual services created from this template
+                    type: object
+                  spec:
+                    description: 'Configuration affecting label/content routing, sni routing,
+                      etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+                    properties:
+                      exportTo:
+                        description: A list of namespaces to which this virtual service is
+                          exported.
+                        items:
+                          format: string
+                          type: string
+                        type: array
+                      gateways:
+                        description: The names of gateways and sidecars that should apply
+                          these routes.
+                        items:
+                          format: string
+                          type: string
+                        type: array
+                      hosts:
+                        description: The destination hosts to which traffic is being sent.
+                        items:
+                          format: string
+                          type: string
+                        type: array
+                      http:
+                        description: An ordered list of route rules for HTTP traffic.
+                        items:
+                          properties:
+                            corsPolicy:
+                              description: Cross-Origin Resource Sharing policy (CORS).
+                              properties:
+                                allowCredentials:
+                                  nullable: true
+                                  type: boolean
+                                allowHeaders:
+                                  items:
+                                    format: string
+                                    type: string
+                                  type: array
+                                allowMethods:
+                                  description: List of HTTP methods allowed to access the
+                                    resource.
+                                  items:
+                                    format: string
+                                    type: string
+                                  type: array
+                                allowOrigin:
+                                  description: The list of origins that are allowed to perform
+                                    CORS requests.
+                                  items:
+                                    format: string
+                                    type: string
+                                  type: array
+                                allowOrigins:
+                                  description: String patterns that match allowed origins.
+                                  items:
+                                    oneOf:
+                                      - not:
+                                          anyOf:
+                                            - required:
+                                                - exact
+                                            - required:
+                                                - prefix
+                                            - required:
+                                                - regex
+                                      - required:
+                                          - exact
+                                      - required:
+                                          - prefix
+                                      - required:
+                                          - regex
+                                    properties:
+                                      exact:
+                                        format: string
+                                        type: string
+                                      prefix:
+                                        format: string
+                                        type: string
+                                      regex:
+                                        description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                        format: string
+                                        type: string
+                                    type: object
+                                  type: array
+                                exposeHeaders:
+                                  items:
+                                    format: string
+                                    type: string
+                                  type: array
+                                maxAge:
+                                  type: string
+                              type: object
+                            delegate:
+                              properties:
+                                name:
+                                  description: Name specifies the name of the delegate VirtualService.
+                                  format: string
+                                  type: string
+                                namespace:
+                                  description: Namespace specifies the namespace where the
+                                    delegate VirtualService resides.
+                                  format: string
+                                  type: string
+                              type: object
+                            fault:
+                              description: Fault injection policy to apply on HTTP traffic
+                                at the client side.
+                              properties:
+                                abort:
+                                  oneOf:
+                                    - not:
+                                        anyOf:
+                                          - required:
+                                              - httpStatus
+                                          - required:
+                                              - grpcStatus
+                                          - required:
+                                              - http2Error
+                                    - required:
+                                        - httpStatus
+                                    - required:
+                                        - grpcStatus
+                                    - required:
+                                        - http2Error
+                                  properties:
+                                    grpcStatus:
+                                      format: string
+                                      type: string
+                                    http2Error:
+                                      format: string
+                                      type: string
+                                    httpStatus:
+                                      description: HTTP status code to use to abort the Http
+                                        request.
+                                      format: int32
+                                      type: integer
+                                    percentage:
+                                      description: Percentage of requests to be aborted with
+                                        the error code provided.
+                                      properties:
+                                        value:
+                                          format: double
+                                          type: number
+                                      type: object
+                                  type: object
+                                delay:
+                                  oneOf:
+                                    - not:
+                                        anyOf:
+                                          - required:
+                                              - fixedDelay
+                                          - required:
+                                              - exponentialDelay
+                                    - required:
+                                        - fixedDelay
+                                    - required:
+                                        - exponentialDelay
+                                  properties:
+                                    exponentialDelay:
+                                      type: string
+                                    fixedDelay:
+                                      description: Add a fixed delay before forwarding the
+                                        request.
+                                      type: string
+                                    percent:
+                                      description: Percentage of requests on which the delay
+                                        will be injected (0-100).
+                                      format: int32
+                                      type: integer
+                                    percentage:
+                                      description: Percentage of requests on which the delay
+                                        will be injected.
+                                      properties:
+                                        value:
+                                          format: double
+                                          type: number
+                                      type: object
+                                  type: object
+                              type: object
+                            headers:
+                              properties:
+                                request:
+                                  properties:
+                                    add:
+                                      additionalProperties:
+                                        format: string
+                                        type: string
+                                      type: object
+                                    remove:
+                                      items:
+                                        format: string
+                                        type: string
+                                      type: array
+                                    set:
+                                      additionalProperties:
+                                        format: string
+                                        type: string
+                                      type: object
+                                  type: object
+                                response:
+                                  properties:
+                                    add:
+                                      additionalProperties:
+                                        format: string
+                                        type: string
+                                      type: object
+                                    remove:
+                                      items:
+                                        format: string
+                                        type: string
+                                      type: array
+                                    set:
+                                      additionalProperties:
+                                        format: string
+                                        type: string
+                                      type: object
+                                  type: object
+                              type: object
+                            match:
+                              items:
+                                properties:
+                                  authority:
+                                    oneOf:
+                                      - not:
+                                          anyOf:
+                                            - required:
+                                                - exact
+                                            - required:
+                                                - prefix
+                                            - required:
+                                                - regex
+                                      - required:
+                                          - exact
+                                      - required:
+                                          - prefix
+                                      - required:
+                                          - regex
+                                    properties:
+                                      exact:
+                                        format: string
+                                        type: string
+                                      prefix:
+                                        format: string
+                                        type: string
+                                      regex:
+                                        description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                        format: string
+                                        type: string
+                                    type: object
+                                  gateways:
+                                    description: Names of gateways where the rule should be
+                                      applied.
+                                    items:
+                                      format: string
+                                      type: string
+                                    type: array
+                                  headers:
+                                    additionalProperties:
+                                      oneOf:
+                                        - not:
+                                            anyOf:
+                                              - required:
+                                                  - exact
+                                              - required:
+                                                  - prefix
+                                              - required:
+                                                  - regex
+                                        - required:
+                                            - exact
+                                        - required:
+                                            - prefix
+                                        - required:
+                                            - regex
+                                      properties:
+                                        exact:
+                                          format: string
+                                          type: string
+                                        prefix:
+                                          format: string
+                                          type: string
+                                        regex:
+                                          description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                          format: string
+                                          type: string
+                                      type: object
+                                    type: object
+                                  ignoreUriCase:
+                                    description: Flag to specify whether the URI matching
+                                      should be case-insensitive.
+                                    type: boolean
+                                  method:
+                                    oneOf:
+                                      - not:
+                                          anyOf:
+                                            - required:
+                                                - exact
+                                            - required:
+                                                - prefix
+                                            - required:
+                                                - regex
+                                      - required:
+                                          - exact
+                                      - required:
+                                          - prefix
+                                      - required:
+                                          - regex
+                                    properties:
+                                      exact:
+                                        format: string
+                                        type: string
+                                      prefix:
+                                        format: string
+                                        type: string
+                                      regex:
+                                        description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                        format: string
+                                        type: string
+                                    type: object
+                                  name:
+                                    description: The name assigned to a match.
+                                    format: string
+                                    type: string
+                                  port:
+                                    description: Specifies the ports on the host that is being
+                                      addressed.
+                                    type: integer
+                                  queryParams:
+                                    additionalProperties:
+                                      oneOf:
+                                        - not:
+                                            anyOf:
+                                              - required:
+                                                  - exact
+                                              - required:
+                                                  - prefix
+                                              - required:
+                                                  - regex
+                                        - required:
+                                            - exact
+                                        - required:
+                                            - prefix
+                                        - required:
+                                            - regex
+                                      properties:
+                                        exact:
+                                          format: string
+                                          type: string
+                                        prefix:
+                                          format: string
+                                          type: string
+                                        regex:
+                                          description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                          format: string
+                                          type: string
+                                      type: object
+                                    description: Query parameters for matching.
+                                    type: object
+                                  scheme:
+                                    oneOf:
+                                      - not:
+                                          anyOf:
+                                            - required:
+                                                - exact
+                                            - required:
+                                                - prefix
+                                            - required:
+                                                - regex
+                                      - required:
+                                          - exact
+                                      - required:
+                                          - prefix
+                                      - required:
+                                          - regex
+                                    properties:
+                                      exact:
+                                        format: string
+                                        type: string
+                                      prefix:
+                                        format: string
+                                        type: string
+                                      regex:
+                                        description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                        format: string
+                                        type: string
+                                    type: object
+                                  sourceLabels:
+                                    additionalProperties:
+                                      format: string
+                                      type: string
+                                    type: object
+                                  sourceNamespace:
+                                    description: Source namespace constraining the applicability
+                                      of a rule to workloads in that namespace.
+                                    format: string
+                                    type: string
+                                  uri:
+                                    oneOf:
+                                      - not:
+                                          anyOf:
+                                            - required:
+                                                - exact
+                                            - required:
+                                                - prefix
+                                            - required:
+                                                - regex
+                                      - required:
+                                          - exact
+                                      - required:
+                                          - prefix
+                                      - required:
+                                          - regex
+                                    properties:
+                                      exact:
+                                        format: string
+                                        type: string
+                                      prefix:
+                                        format: string
+                                        type: string
+                                      regex:
+                                        description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                        format: string
+                                        type: string
+                                    type: object
+                                  withoutHeaders:
+                                    additionalProperties:
+                                      oneOf:
+                                        - not:
+                                            anyOf:
+                                              - required:
+                                                  - exact
+                                              - required:
+                                                  - prefix
+                                              - required:
+                                                  - regex
+                                        - required:
+                                            - exact
+                                        - required:
+                                            - prefix
+                                        - required:
+                                            - regex
+                                      properties:
+                                        exact:
+                                          format: string
+                                          type: string
+                                        prefix:
+                                          format: string
+                                          type: string
+                                        regex:
+                                          description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                          format: string
+                                          type: string
+                                      type: object
+                                    description: withoutHeader has the same syntax with the
+                                      header, but has opposite meaning.
+                                    type: object
+                                type: object
+                              type: array
+                            mirror:
+                              properties:
+                                host:
+                                  description: The name of a service from the service registry.
+                                  format: string
+                                  type: string
+                                port:
+                                  description: Specifies the port on the host that is being
+                                    addressed.
+                                  properties:
+                                    number:
+                                      type: integer
+                                  type: object
+                                subset:
+                                  description: The name of a subset within the service.
+                                  format: string
+                                  type: string
+                              type: object
+                            mirror_percent:
+                              description: Percentage of the traffic to be mirrored by the
+                                `mirror` field.
+                              nullable: true
+                              type: integer
+                            mirrorPercent:
+                              description: Percentage of the traffic to be mirrored by the
+                                `mirror` field.
+                              nullable: true
+                              type: integer
+                            mirrorPercentage:
+                              description: Percentage of the traffic to be mirrored by the
+                                `mirror` field.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                            name:
+                              description: The name assigned to the route for debugging purposes.
+                              format: string
+                              type: string
+                            redirect:
+                              description: A HTTP rule can either redirect or forward (default)
+                                traffic.
+                              properties:
+                                authority:
+                                  format: string
+                                  type: string
+                                redirectCode:
+                                  type: integer
+                                uri:
+                                  format: string
+                                  type: string
+                              type: object
+                            retries:
+                              description: Retry policy for HTTP requests.
+                              properties:
+                                attempts:
+                                  description: Number of retries to be allowed for a given
+                                    request.
+                                  format: int32
+                                  type: integer
+                                perTryTimeout:
+                                  description: Timeout per attempt for a given request, including
+                                    the initial call and any retries.
+                                  type: string
+                                retryOn:
+                                  description: Specifies the conditions under which retry
+                                    takes place.
+                                  format: string
+                                  type: string
+                                retryRemoteLocalities:
+                                  description: Flag to specify whether the retries should
+                                    retry to other localities.
+                                  nullable: true
+                                  type: boolean
+                              type: object
+                            rewrite:
+                              description: Rewrite HTTP URIs and Authority headers.
+                              properties:
+                                authority:
+                                  description: rewrite the Authority/Host header with this
+                                    value.
+                                  format: string
+                                  type: string
+                                uri:
+                                  format: string
+                                  type: string
+                              type: object
+                            route:
+                              description: A HTTP rule can either redirect or forward (default)
+                                traffic.
+                              items:
+                                properties:
+                                  destination:
+                                    properties:
+                                      host:
+                                        description: The name of a service from the service
+                                          registry.
+                                        format: string
+                                        type: string
+                                      port:
+                                        description: Specifies the port on the host that is
+                                          being addressed.
+                                        properties:
+                                          number:
+                                            type: integer
+                                        type: object
+                                      subset:
+                                        description: The name of a subset within the service.
+                                        format: string
+                                        type: string
+                                    type: object
+                                  headers:
+                                    properties:
+                                      request:
+                                        properties:
+                                          add:
+                                            additionalProperties:
+                                              format: string
+                                              type: string
+                                            type: object
+                                          remove:
+                                            items:
+                                              format: string
+                                              type: string
+                                            type: array
+                                          set:
+                                            additionalProperties:
+                                              format: string
+                                              type: string
+                                            type: object
+                                        type: object
+                                      response:
+                                        properties:
+                                          add:
+                                            additionalProperties:
+                                              format: string
+                                              type: string
+                                            type: object
+                                          remove:
+                                            items:
+                                              format: string
+                                              type: string
+                                            type: array
+                                          set:
+                                            additionalProperties:
+                                              format: string
+                                              type: string
+                                            type: object
+                                        type: object
+                                    type: object
+                                  weight:
+                                    format: int32
+                                    type: integer
+                                type: object
+                              type: array
+                            timeout:
+                              description: Timeout for HTTP requests, default is disabled.
+                              type: string
+                          type: object
+                        type: array
+                      tcp:
+                        description: An ordered list of route rules for opaque TCP traffic.
+                        items:
+                          properties:
+                            match:
+                              items:
+                                properties:
+                                  destinationSubnets:
+                                    description: IPv4 or IPv6 ip addresses of destination
+                                      with optional subnet.
+                                    items:
+                                      format: string
+                                      type: string
+                                    type: array
+                                  gateways:
+                                    description: Names of gateways where the rule should be
+                                      applied.
+                                    items:
+                                      format: string
+                                      type: string
+                                    type: array
+                                  port:
+                                    description: Specifies the port on the host that is being
+                                      addressed.
+                                    type: integer
+                                  sourceLabels:
+                                    additionalProperties:
+                                      format: string
+                                      type: string
+                                    type: object
+                                  sourceNamespace:
+                                    description: Source namespace constraining the applicability
+                                      of a rule to workloads in that namespace.
+                                    format: string
+                                    type: string
+                                  sourceSubnet:
+                                    description: IPv4 or IPv6 ip address of source with optional
+                                      subnet.
+                                    format: string
+                                    type: string
+                                type: object
+                              type: array
+                            route:
+                              description: The destination to which the connection should
+                                be forwarded to.
+                              items:
+                                properties:
+                                  destination:
+                                    properties:
+                                      host:
+                                        description: The name of a service from the service
+                                          registry.
+                                        format: string
+                                        type: string
+                                      port:
+                                        description: Specifies the port on the host that is
+                                          being addressed.
+                                        properties:
+                                          number:
+                                            type: integer
+                                        type: object
+                                      subset:
+                                        description: The name of a subset within the service.
+                                        format: string
+                                        type: string
+                                    type: object
+                                  weight:
+                                    format: int32
+                                    type: integer
+                                type: object
+                              type: array
+                          type: object
+                        type: array
+                      tls:
+                        items:
+                          properties:
+                            match:
+                              items:
+                                properties:
+                                  destinationSubnets:
+                                    description: IPv4 or IPv6 ip addresses of destination
+                                      with optional subnet.
+                                    items:
+                                      format: string
+                                      type: string
+                                    type: array
+                                  gateways:
+                                    description: Names of gateways where the rule should be
+                                      applied.
+                                    items:
+                                      format: string
+                                      type: string
+                                    type: array
+                                  port:
+                                    description: Specifies the port on the host that is being
+                                      addressed.
+                                    type: integer
+                                  sniHosts:
+                                    description: SNI (server name indicator) to match on.
+                                    items:
+                                      format: string
+                                      type: string
+                                    type: array
+                                  sourceLabels:
+                                    additionalProperties:
+                                      format: string
+                                      type: string
+                                    type: object
+                                  sourceNamespace:
+                                    description: Source namespace constraining the applicability
+                                      of a rule to workloads in that namespace.
+                                    format: string
+                                    type: string
+                                type: object
+                              type: array
+                            route:
+                              description: The destination to which the connection should
+                                be forwarded to.
+                              items:
+                                properties:
+                                  destination:
+                                    properties:
+                                      host:
+                                        description: The name of a service from the service
+                                          registry.
+                                        format: string
+                                        type: string
+                                      port:
+                                        description: Specifies the port on the host that is
+                                          being addressed.
+                                        properties:
+                                          number:
+                                            type: integer
+                                        type: object
+                                      subset:
+                                        description: The name of a subset within the service.
+                                        format: string
+                                        type: string
+                                    type: object
+                                  weight:
+                                    format: int32
+                                    type: integer
+                                type: object
+                              type: array
+                          type: object
+                        type: array
+                    type: object
+                type: object
+              type:
+                description: Strategy type
+                type: string
+            type: object
+          status:
+            description: StrategyStatus defines the observed state of Strategy
+            properties:
+              completionTime:
+                description: Represents time when the strategy was completed. It is represented in RFC3339 form and is in UTC.
+                format: date-time
+                type: string
+              conditions:
+                description: The latest available observations of an object's current state.
+                items:
+                  description: StrategyCondition describes current state of a strategy.
+                  properties:
+                    lastProbeTime:
+                      description: Last time the condition was checked.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transit from one status to another
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human readable message indicating details about last transition.
+                      type: string
+                    reason:
+                      description: reason for the condition's last transition
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown
+                      type: string
+                    type:
+                      description: Type of strategy condition, Complete or Failed.
+                      type: string
+                  type: object
+                type: array
+              startTime:
+                description: Represents time when the strategy was acknowledged by the controller. It is represented in RFC3339 form and is in UTC.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/servicemesh_v1alpha2_servicepolicy.yaml
+++ b/config/crds/servicemesh_v1alpha2_servicepolicy.yaml
@@ -1,863 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: servicepolicies.servicemesh.kubesphere.io
-spec:
-  group: servicemesh.kubesphere.io
-  names:
-    kind: ServicePolicy
-    plural: servicepolicies
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            selector:
-              description: Label selector for destination rules.
-              type: object
-            template:
-              description: Template used to create a destination rule
-              properties:
-                spec:
-                  description: Spec indicates the behavior of a destination rule.
-                  properties:
-                    host:
-                      description: 'REQUIRED. The name of a service from the service
-                        registry. Service names are looked up from the platform''s
-                        service registry (e.g., Kubernetes services, Consul services,
-                        etc.) and from the hosts declared by [ServiceEntries](#ServiceEntry).
-                        Rules defined for services that do not exist in the service
-                        registry will be ignored.  *Note for Kubernetes users*: When
-                        short names are used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
-                        Istio will interpret the short name based on the namespace
-                        of the rule, not the service. A rule in the "default" namespace
-                        containing a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
-                        irrespective of the actual namespace associated with the reviews
-                        service. _To avoid potential misconfigurations, it is recommended
-                        to always use fully qualified domain names over short names._  Note
-                        that the host field applies to both HTTP and TCP services.'
-                      type: string
-                    subsets:
-                      description: One or more named sets that represent individual
-                        versions of a service. Traffic policies can be overridden
-                        at subset level.
-                      items:
-                        properties:
-                          labels:
-                            description: REQUIRED. Labels apply a filter over the
-                              endpoints of a service in the service registry. See
-                              route rules for examples of usage.
-                            type: object
-                          name:
-                            description: REQUIRED. Name of the subset. The service
-                              name and the subset name can be used for traffic splitting
-                              in a route rule.
-                            type: string
-                          trafficPolicy:
-                            description: Traffic policies that apply to this subset.
-                              Subsets inherit the traffic policies specified at the
-                              DestinationRule level. Settings specified at the subset
-                              level will override the corresponding settings specified
-                              at the DestinationRule level.
-                            properties:
-                              connectionPool:
-                                description: Settings controlling the volume of connections
-                                  to an upstream service
-                                properties:
-                                  http:
-                                    description: HTTP connection pool settings.
-                                    properties:
-                                      http1MaxPendingRequests:
-                                        description: Maximum number of pending HTTP
-                                          requests to a destination. Default 1024.
-                                        format: int32
-                                        type: integer
-                                      http2MaxRequests:
-                                        description: Maximum number of requests to
-                                          a backend. Default 1024.
-                                        format: int32
-                                        type: integer
-                                      maxRequestsPerConnection:
-                                        description: Maximum number of requests per
-                                          connection to a backend. Setting this parameter
-                                          to 1 disables keep alive.
-                                        format: int32
-                                        type: integer
-                                      maxRetries:
-                                        description: Maximum number of retries that
-                                          can be outstanding to all hosts in a cluster
-                                          at a given time. Defaults to 3.
-                                        format: int32
-                                        type: integer
-                                    type: object
-                                  tcp:
-                                    description: Settings common to both HTTP and
-                                      TCP upstream connections.
-                                    properties:
-                                      connectTimeout:
-                                        description: TCP connection timeout.
-                                        type: string
-                                      maxConnections:
-                                        description: Maximum number of HTTP1 /TCP
-                                          connections to a destination host.
-                                        format: int32
-                                        type: integer
-                                    type: object
-                                type: object
-                              loadBalancer:
-                                description: Settings controlling the load balancer
-                                  algorithms.
-                                properties:
-                                  consistentHash:
-                                    properties:
-                                      httpCookie:
-                                        description: Hash based on HTTP cookie.
-                                        properties:
-                                          name:
-                                            description: REQUIRED. Name of the cookie.
-                                            type: string
-                                          path:
-                                            description: Path to set for the cookie.
-                                            type: string
-                                          ttl:
-                                            description: REQUIRED. Lifetime of the
-                                              cookie.
-                                            type: string
-                                        required:
-                                        - name
-                                        - ttl
-                                        type: object
-                                      httpHeaderName:
-                                        description: 'It is required to specify exactly
-                                          one of the fields as hash key: HttpHeaderName,
-                                          HttpCookie, or UseSourceIP. Hash based on
-                                          a specific HTTP header.'
-                                        type: string
-                                      minimumRingSize:
-                                        description: The minimum number of virtual
-                                          nodes to use for the hash ring. Defaults
-                                          to 1024. Larger ring sizes result in more
-                                          granular load distributions. If the number
-                                          of hosts in the load balancing pool is larger
-                                          than the ring size, each host will be assigned
-                                          a single virtual node.
-                                        format: int64
-                                        type: integer
-                                      useSourceIp:
-                                        description: Hash based on the source IP address.
-                                        type: boolean
-                                    type: object
-                                  simple:
-                                    description: 'It is required to specify exactly
-                                      one of the fields: Simple or ConsistentHash'
-                                    type: string
-                                type: object
-                              outlierDetection:
-                                description: Settings controlling eviction of unhealthy
-                                  hosts from the load balancing pool
-                                properties:
-                                  baseEjectionTime:
-                                    description: 'Minimum ejection duration. A host
-                                      will remain ejected for a period equal to the
-                                      product of minimum ejection duration and the
-                                      number of times the host has been ejected. This
-                                      technique allows the system to automatically
-                                      increase the ejection period for unhealthy upstream
-                                      servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
-                                      Default is 30s.'
-                                    type: string
-                                  consecutiveErrors:
-                                    description: Number of errors before a host is
-                                      ejected from the connection pool. Defaults to
-                                      5. When the upstream host is accessed over HTTP,
-                                      a 5xx return code qualifies as an error. When
-                                      the upstream host is accessed over an opaque
-                                      TCP connection, connect timeouts and connection
-                                      error/failure events qualify as an error.
-                                    format: int32
-                                    type: integer
-                                  interval:
-                                    description: 'Time interval between ejection sweep
-                                      analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
-                                      Default is 10s.'
-                                    type: string
-                                  maxEjectionPercent:
-                                    description: Maximum % of hosts in the load balancing
-                                      pool for the upstream service that can be ejected.
-                                      Defaults to 10%.
-                                    format: int32
-                                    type: integer
-                                type: object
-                              portLevelSettings:
-                                description: Traffic policies specific to individual
-                                  ports. Note that port level settings will override
-                                  the destination-level settings. Traffic settings
-                                  specified at the destination-level will not be inherited
-                                  when overridden by port-level settings, i.e. default
-                                  values will be applied to fields omitted in port-level
-                                  traffic policies.
-                                items:
-                                  properties:
-                                    connectionPool:
-                                      description: Settings controlling the volume
-                                        of connections to an upstream service
-                                      properties:
-                                        http:
-                                          description: HTTP connection pool settings.
-                                          properties:
-                                            http1MaxPendingRequests:
-                                              description: Maximum number of pending
-                                                HTTP requests to a destination. Default
-                                                1024.
-                                              format: int32
-                                              type: integer
-                                            http2MaxRequests:
-                                              description: Maximum number of requests
-                                                to a backend. Default 1024.
-                                              format: int32
-                                              type: integer
-                                            maxRequestsPerConnection:
-                                              description: Maximum number of requests
-                                                per connection to a backend. Setting
-                                                this parameter to 1 disables keep
-                                                alive.
-                                              format: int32
-                                              type: integer
-                                            maxRetries:
-                                              description: Maximum number of retries
-                                                that can be outstanding to all hosts
-                                                in a cluster at a given time. Defaults
-                                                to 3.
-                                              format: int32
-                                              type: integer
-                                          type: object
-                                        tcp:
-                                          description: Settings common to both HTTP
-                                            and TCP upstream connections.
-                                          properties:
-                                            connectTimeout:
-                                              description: TCP connection timeout.
-                                              type: string
-                                            maxConnections:
-                                              description: Maximum number of HTTP1
-                                                /TCP connections to a destination
-                                                host.
-                                              format: int32
-                                              type: integer
-                                          type: object
-                                      type: object
-                                    loadBalancer:
-                                      description: Settings controlling the load balancer
-                                        algorithms.
-                                      properties:
-                                        consistentHash:
-                                          properties:
-                                            httpCookie:
-                                              description: Hash based on HTTP cookie.
-                                              properties:
-                                                name:
-                                                  description: REQUIRED. Name of the
-                                                    cookie.
-                                                  type: string
-                                                path:
-                                                  description: Path to set for the
-                                                    cookie.
-                                                  type: string
-                                                ttl:
-                                                  description: REQUIRED. Lifetime
-                                                    of the cookie.
-                                                  type: string
-                                              required:
-                                              - name
-                                              - ttl
-                                              type: object
-                                            httpHeaderName:
-                                              description: 'It is required to specify
-                                                exactly one of the fields as hash
-                                                key: HttpHeaderName, HttpCookie, or
-                                                UseSourceIP. Hash based on a specific
-                                                HTTP header.'
-                                              type: string
-                                            minimumRingSize:
-                                              description: The minimum number of virtual
-                                                nodes to use for the hash ring. Defaults
-                                                to 1024. Larger ring sizes result
-                                                in more granular load distributions.
-                                                If the number of hosts in the load
-                                                balancing pool is larger than the
-                                                ring size, each host will be assigned
-                                                a single virtual node.
-                                              format: int64
-                                              type: integer
-                                            useSourceIp:
-                                              description: Hash based on the source
-                                                IP address.
-                                              type: boolean
-                                          type: object
-                                        simple:
-                                          description: 'It is required to specify
-                                            exactly one of the fields: Simple or ConsistentHash'
-                                          type: string
-                                      type: object
-                                    outlierDetection:
-                                      description: Settings controlling eviction of
-                                        unhealthy hosts from the load balancing pool
-                                      properties:
-                                        baseEjectionTime:
-                                          description: 'Minimum ejection duration.
-                                            A host will remain ejected for a period
-                                            equal to the product of minimum ejection
-                                            duration and the number of times the host
-                                            has been ejected. This technique allows
-                                            the system to automatically increase the
-                                            ejection period for unhealthy upstream
-                                            servers. format: 1h/1m/1s/1ms. MUST BE
-                                            >=1ms. Default is 30s.'
-                                          type: string
-                                        consecutiveErrors:
-                                          description: Number of errors before a host
-                                            is ejected from the connection pool. Defaults
-                                            to 5. When the upstream host is accessed
-                                            over HTTP, a 5xx return code qualifies
-                                            as an error. When the upstream host is
-                                            accessed over an opaque TCP connection,
-                                            connect timeouts and connection error/failure
-                                            events qualify as an error.
-                                          format: int32
-                                          type: integer
-                                        interval:
-                                          description: 'Time interval between ejection
-                                            sweep analysis. format: 1h/1m/1s/1ms.
-                                            MUST BE >=1ms. Default is 10s.'
-                                          type: string
-                                        maxEjectionPercent:
-                                          description: Maximum % of hosts in the load
-                                            balancing pool for the upstream service
-                                            that can be ejected. Defaults to 10%.
-                                          format: int32
-                                          type: integer
-                                      type: object
-                                    port:
-                                      description: Specifies the port name or number
-                                        of a port on the destination service on which
-                                        this policy is being applied.  Names must
-                                        comply with DNS label syntax (rfc1035) and
-                                        therefore cannot collide with numbers. If
-                                        there are multiple ports on a service with
-                                        the same protocol the names should be of the
-                                        form <protocol-name>-<DNS label>.
-                                      properties:
-                                        name:
-                                          description: Valid port name
-                                          type: string
-                                        number:
-                                          description: Valid port number
-                                          format: int32
-                                          type: integer
-                                      type: object
-                                    tls:
-                                      description: TLS related settings for connections
-                                        to the upstream service.
-                                      properties:
-                                        caCertificates:
-                                          description: 'OPTIONAL: The path to the
-                                            file containing certificate authority
-                                            certificates to use in verifying a presented
-                                            server certificate. If omitted, the proxy
-                                            will not verify the server''s certificate.
-                                            Should be empty if mode is `ISTIO_MUTUAL`.'
-                                          type: string
-                                        clientCertificate:
-                                          description: REQUIRED if mode is `MUTUAL`.
-                                            The path to the file holding the client-side
-                                            TLS certificate to use. Should be empty
-                                            if mode is `ISTIO_MUTUAL`.
-                                          type: string
-                                        mode:
-                                          description: 'REQUIRED: Indicates whether
-                                            connections to this port should be secured
-                                            using TLS. The value of this field determines
-                                            how TLS is enforced.'
-                                          type: string
-                                        privateKey:
-                                          description: REQUIRED if mode is `MUTUAL`.
-                                            The path to the file holding the client's
-                                            private key. Should be empty if mode is
-                                            `ISTIO_MUTUAL`.
-                                          type: string
-                                        sni:
-                                          description: SNI string to present to the
-                                            server during TLS handshake. Should be
-                                            empty if mode is `ISTIO_MUTUAL`.
-                                          type: string
-                                        subjectAltNames:
-                                          description: A list of alternate names to
-                                            verify the subject identity in the certificate.
-                                            If specified, the proxy will verify that
-                                            the server certificate's subject alt name
-                                            matches one of the specified values. Should
-                                            be empty if mode is `ISTIO_MUTUAL`.
-                                          items:
-                                            type: string
-                                          type: array
-                                      required:
-                                      - mode
-                                      type: object
-                                  required:
-                                  - port
-                                  type: object
-                                type: array
-                              tls:
-                                description: TLS related settings for connections
-                                  to the upstream service.
-                                properties:
-                                  caCertificates:
-                                    description: 'OPTIONAL: The path to the file containing
-                                      certificate authority certificates to use in
-                                      verifying a presented server certificate. If
-                                      omitted, the proxy will not verify the server''s
-                                      certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
-                                    type: string
-                                  clientCertificate:
-                                    description: REQUIRED if mode is `MUTUAL`. The
-                                      path to the file holding the client-side TLS
-                                      certificate to use. Should be empty if mode
-                                      is `ISTIO_MUTUAL`.
-                                    type: string
-                                  mode:
-                                    description: 'REQUIRED: Indicates whether connections
-                                      to this port should be secured using TLS. The
-                                      value of this field determines how TLS is enforced.'
-                                    type: string
-                                  privateKey:
-                                    description: REQUIRED if mode is `MUTUAL`. The
-                                      path to the file holding the client's private
-                                      key. Should be empty if mode is `ISTIO_MUTUAL`.
-                                    type: string
-                                  sni:
-                                    description: SNI string to present to the server
-                                      during TLS handshake. Should be empty if mode
-                                      is `ISTIO_MUTUAL`.
-                                    type: string
-                                  subjectAltNames:
-                                    description: A list of alternate names to verify
-                                      the subject identity in the certificate. If
-                                      specified, the proxy will verify that the server
-                                      certificate's subject alt name matches one of
-                                      the specified values. Should be empty if mode
-                                      is `ISTIO_MUTUAL`.
-                                    items:
-                                      type: string
-                                    type: array
-                                required:
-                                - mode
-                                type: object
-                            type: object
-                        required:
-                        - name
-                        - labels
-                        type: object
-                      type: array
-                    trafficPolicy:
-                      description: Traffic policies to apply (load balancing policy,
-                        connection pool sizes, outlier detection).
-                      properties:
-                        connectionPool:
-                          description: Settings controlling the volume of connections
-                            to an upstream service
-                          properties:
-                            http:
-                              description: HTTP connection pool settings.
-                              properties:
-                                http1MaxPendingRequests:
-                                  description: Maximum number of pending HTTP requests
-                                    to a destination. Default 1024.
-                                  format: int32
-                                  type: integer
-                                http2MaxRequests:
-                                  description: Maximum number of requests to a backend.
-                                    Default 1024.
-                                  format: int32
-                                  type: integer
-                                maxRequestsPerConnection:
-                                  description: Maximum number of requests per connection
-                                    to a backend. Setting this parameter to 1 disables
-                                    keep alive.
-                                  format: int32
-                                  type: integer
-                                maxRetries:
-                                  description: Maximum number of retries that can
-                                    be outstanding to all hosts in a cluster at a
-                                    given time. Defaults to 3.
-                                  format: int32
-                                  type: integer
-                              type: object
-                            tcp:
-                              description: Settings common to both HTTP and TCP upstream
-                                connections.
-                              properties:
-                                connectTimeout:
-                                  description: TCP connection timeout.
-                                  type: string
-                                maxConnections:
-                                  description: Maximum number of HTTP1 /TCP connections
-                                    to a destination host.
-                                  format: int32
-                                  type: integer
-                              type: object
-                          type: object
-                        loadBalancer:
-                          description: Settings controlling the load balancer algorithms.
-                          properties:
-                            consistentHash:
-                              properties:
-                                httpCookie:
-                                  description: Hash based on HTTP cookie.
-                                  properties:
-                                    name:
-                                      description: REQUIRED. Name of the cookie.
-                                      type: string
-                                    path:
-                                      description: Path to set for the cookie.
-                                      type: string
-                                    ttl:
-                                      description: REQUIRED. Lifetime of the cookie.
-                                      type: string
-                                  required:
-                                  - name
-                                  - ttl
-                                  type: object
-                                httpHeaderName:
-                                  description: 'It is required to specify exactly
-                                    one of the fields as hash key: HttpHeaderName,
-                                    HttpCookie, or UseSourceIP. Hash based on a specific
-                                    HTTP header.'
-                                  type: string
-                                minimumRingSize:
-                                  description: The minimum number of virtual nodes
-                                    to use for the hash ring. Defaults to 1024. Larger
-                                    ring sizes result in more granular load distributions.
-                                    If the number of hosts in the load balancing pool
-                                    is larger than the ring size, each host will be
-                                    assigned a single virtual node.
-                                  format: int64
-                                  type: integer
-                                useSourceIp:
-                                  description: Hash based on the source IP address.
-                                  type: boolean
-                              type: object
-                            simple:
-                              description: 'It is required to specify exactly one
-                                of the fields: Simple or ConsistentHash'
-                              type: string
-                          type: object
-                        outlierDetection:
-                          description: Settings controlling eviction of unhealthy
-                            hosts from the load balancing pool
-                          properties:
-                            baseEjectionTime:
-                              description: 'Minimum ejection duration. A host will
-                                remain ejected for a period equal to the product of
-                                minimum ejection duration and the number of times
-                                the host has been ejected. This technique allows the
-                                system to automatically increase the ejection period
-                                for unhealthy upstream servers. format: 1h/1m/1s/1ms.
-                                MUST BE >=1ms. Default is 30s.'
-                              type: string
-                            consecutiveErrors:
-                              description: Number of errors before a host is ejected
-                                from the connection pool. Defaults to 5. When the
-                                upstream host is accessed over HTTP, a 5xx return
-                                code qualifies as an error. When the upstream host
-                                is accessed over an opaque TCP connection, connect
-                                timeouts and connection error/failure events qualify
-                                as an error.
-                              format: int32
-                              type: integer
-                            interval:
-                              description: 'Time interval between ejection sweep analysis.
-                                format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
-                              type: string
-                            maxEjectionPercent:
-                              description: Maximum % of hosts in the load balancing
-                                pool for the upstream service that can be ejected.
-                                Defaults to 10%.
-                              format: int32
-                              type: integer
-                          type: object
-                        portLevelSettings:
-                          description: Traffic policies specific to individual ports.
-                            Note that port level settings will override the destination-level
-                            settings. Traffic settings specified at the destination-level
-                            will not be inherited when overridden by port-level settings,
-                            i.e. default values will be applied to fields omitted
-                            in port-level traffic policies.
-                          items:
-                            properties:
-                              connectionPool:
-                                description: Settings controlling the volume of connections
-                                  to an upstream service
-                                properties:
-                                  http:
-                                    description: HTTP connection pool settings.
-                                    properties:
-                                      http1MaxPendingRequests:
-                                        description: Maximum number of pending HTTP
-                                          requests to a destination. Default 1024.
-                                        format: int32
-                                        type: integer
-                                      http2MaxRequests:
-                                        description: Maximum number of requests to
-                                          a backend. Default 1024.
-                                        format: int32
-                                        type: integer
-                                      maxRequestsPerConnection:
-                                        description: Maximum number of requests per
-                                          connection to a backend. Setting this parameter
-                                          to 1 disables keep alive.
-                                        format: int32
-                                        type: integer
-                                      maxRetries:
-                                        description: Maximum number of retries that
-                                          can be outstanding to all hosts in a cluster
-                                          at a given time. Defaults to 3.
-                                        format: int32
-                                        type: integer
-                                    type: object
-                                  tcp:
-                                    description: Settings common to both HTTP and
-                                      TCP upstream connections.
-                                    properties:
-                                      connectTimeout:
-                                        description: TCP connection timeout.
-                                        type: string
-                                      maxConnections:
-                                        description: Maximum number of HTTP1 /TCP
-                                          connections to a destination host.
-                                        format: int32
-                                        type: integer
-                                    type: object
-                                type: object
-                              loadBalancer:
-                                description: Settings controlling the load balancer
-                                  algorithms.
-                                properties:
-                                  consistentHash:
-                                    properties:
-                                      httpCookie:
-                                        description: Hash based on HTTP cookie.
-                                        properties:
-                                          name:
-                                            description: REQUIRED. Name of the cookie.
-                                            type: string
-                                          path:
-                                            description: Path to set for the cookie.
-                                            type: string
-                                          ttl:
-                                            description: REQUIRED. Lifetime of the
-                                              cookie.
-                                            type: string
-                                        required:
-                                        - name
-                                        - ttl
-                                        type: object
-                                      httpHeaderName:
-                                        description: 'It is required to specify exactly
-                                          one of the fields as hash key: HttpHeaderName,
-                                          HttpCookie, or UseSourceIP. Hash based on
-                                          a specific HTTP header.'
-                                        type: string
-                                      minimumRingSize:
-                                        description: The minimum number of virtual
-                                          nodes to use for the hash ring. Defaults
-                                          to 1024. Larger ring sizes result in more
-                                          granular load distributions. If the number
-                                          of hosts in the load balancing pool is larger
-                                          than the ring size, each host will be assigned
-                                          a single virtual node.
-                                        format: int64
-                                        type: integer
-                                      useSourceIp:
-                                        description: Hash based on the source IP address.
-                                        type: boolean
-                                    type: object
-                                  simple:
-                                    description: 'It is required to specify exactly
-                                      one of the fields: Simple or ConsistentHash'
-                                    type: string
-                                type: object
-                              outlierDetection:
-                                description: Settings controlling eviction of unhealthy
-                                  hosts from the load balancing pool
-                                properties:
-                                  baseEjectionTime:
-                                    description: 'Minimum ejection duration. A host
-                                      will remain ejected for a period equal to the
-                                      product of minimum ejection duration and the
-                                      number of times the host has been ejected. This
-                                      technique allows the system to automatically
-                                      increase the ejection period for unhealthy upstream
-                                      servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
-                                      Default is 30s.'
-                                    type: string
-                                  consecutiveErrors:
-                                    description: Number of errors before a host is
-                                      ejected from the connection pool. Defaults to
-                                      5. When the upstream host is accessed over HTTP,
-                                      a 5xx return code qualifies as an error. When
-                                      the upstream host is accessed over an opaque
-                                      TCP connection, connect timeouts and connection
-                                      error/failure events qualify as an error.
-                                    format: int32
-                                    type: integer
-                                  interval:
-                                    description: 'Time interval between ejection sweep
-                                      analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
-                                      Default is 10s.'
-                                    type: string
-                                  maxEjectionPercent:
-                                    description: Maximum % of hosts in the load balancing
-                                      pool for the upstream service that can be ejected.
-                                      Defaults to 10%.
-                                    format: int32
-                                    type: integer
-                                type: object
-                              port:
-                                description: Specifies the port name or number of
-                                  a port on the destination service on which this
-                                  policy is being applied.  Names must comply with
-                                  DNS label syntax (rfc1035) and therefore cannot
-                                  collide with numbers. If there are multiple ports
-                                  on a service with the same protocol the names should
-                                  be of the form <protocol-name>-<DNS label>.
-                                properties:
-                                  name:
-                                    description: Valid port name
-                                    type: string
-                                  number:
-                                    description: Valid port number
-                                    format: int32
-                                    type: integer
-                                type: object
-                              tls:
-                                description: TLS related settings for connections
-                                  to the upstream service.
-                                properties:
-                                  caCertificates:
-                                    description: 'OPTIONAL: The path to the file containing
-                                      certificate authority certificates to use in
-                                      verifying a presented server certificate. If
-                                      omitted, the proxy will not verify the server''s
-                                      certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
-                                    type: string
-                                  clientCertificate:
-                                    description: REQUIRED if mode is `MUTUAL`. The
-                                      path to the file holding the client-side TLS
-                                      certificate to use. Should be empty if mode
-                                      is `ISTIO_MUTUAL`.
-                                    type: string
-                                  mode:
-                                    description: 'REQUIRED: Indicates whether connections
-                                      to this port should be secured using TLS. The
-                                      value of this field determines how TLS is enforced.'
-                                    type: string
-                                  privateKey:
-                                    description: REQUIRED if mode is `MUTUAL`. The
-                                      path to the file holding the client's private
-                                      key. Should be empty if mode is `ISTIO_MUTUAL`.
-                                    type: string
-                                  sni:
-                                    description: SNI string to present to the server
-                                      during TLS handshake. Should be empty if mode
-                                      is `ISTIO_MUTUAL`.
-                                    type: string
-                                  subjectAltNames:
-                                    description: A list of alternate names to verify
-                                      the subject identity in the certificate. If
-                                      specified, the proxy will verify that the server
-                                      certificate's subject alt name matches one of
-                                      the specified values. Should be empty if mode
-                                      is `ISTIO_MUTUAL`.
-                                    items:
-                                      type: string
-                                    type: array
-                                required:
-                                - mode
-                                type: object
-                            required:
-                            - port
-                            type: object
-                          type: array
-                        tls:
-                          description: TLS related settings for connections to the
-                            upstream service.
-                          properties:
-                            caCertificates:
-                              description: 'OPTIONAL: The path to the file containing
-                                certificate authority certificates to use in verifying
-                                a presented server certificate. If omitted, the proxy
-                                will not verify the server''s certificate. Should
-                                be empty if mode is `ISTIO_MUTUAL`.'
-                              type: string
-                            clientCertificate:
-                              description: REQUIRED if mode is `MUTUAL`. The path
-                                to the file holding the client-side TLS certificate
-                                to use. Should be empty if mode is `ISTIO_MUTUAL`.
-                              type: string
-                            mode:
-                              description: 'REQUIRED: Indicates whether connections
-                                to this port should be secured using TLS. The value
-                                of this field determines how TLS is enforced.'
-                              type: string
-                            privateKey:
-                              description: REQUIRED if mode is `MUTUAL`. The path
-                                to the file holding the client's private key. Should
-                                be empty if mode is `ISTIO_MUTUAL`.
-                              type: string
-                            sni:
-                              description: SNI string to present to the server during
-                                TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
-                              type: string
-                            subjectAltNames:
-                              description: A list of alternate names to verify the
-                                subject identity in the certificate. If specified,
-                                the proxy will verify that the server certificate's
-                                subject alt name matches one of the specified values.
-                                Should be empty if mode is `ISTIO_MUTUAL`.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - mode
-                          type: object
-                      type: object
-                  required:
-                  - host
-                  type: object
-              type: object
-          type: object
-        status:
-          type: object
-  version: v1alpha2
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/servicemesh_v1alpha2_strategy.yaml
+++ b/config/crds/servicemesh_v1alpha2_strategy.yaml
@@ -1,787 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: strategies.servicemesh.kubesphere.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.type
-    description: type of strategy
-    name: Type
-    type: string
-  - JSONPath: .spec.template.spec.hosts
-    description: destination hosts
-    name: Hosts
-    type: string
-  - JSONPath: .metadata.creationTimestamp
-    description: 'CreationTimestamp is a timestamp representing the server time when
-      this object was created. It is not guaranteed to be set in happens-before order
-      across separate operations. Clients may not set this value. It is represented
-      in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
-      lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
-    name: Age
-    type: date
-  group: servicemesh.kubesphere.io
-  names:
-    kind: Strategy
-    plural: strategies
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            governor:
-              description: Governor version, the version takes control of all incoming
-                traffic label version value
-              type: string
-            principal:
-              description: Principal version, the one as reference version label version
-                value
-              type: string
-            selector:
-              description: Label selector for virtual services.
-              type: object
-            strategyPolicy:
-              description: strategy policy, how the strategy will be applied by the
-                strategy controller
-              type: string
-            template:
-              description: Template describes the virtual service that will be created.
-              properties:
-                metadata:
-                  description: Metadata of the virtual services created from this
-                    template
-                  type: object
-                spec:
-                  description: Spec indicates the behavior of a virtual service.
-                  properties:
-                    gateways:
-                      description: The names of gateways and sidecars that should
-                        apply these routes. A single VirtualService is used for sidecars
-                        inside the mesh as well as for one or more gateways. The selection
-                        condition imposed by this field can be overridden using the
-                        source field in the match conditions of HTTP/TCP routes. The
-                        reserved word "mesh" is used to imply all the sidecars in
-                        the mesh. When this field is omitted, the default gateway
-                        ("mesh") will be used, which would apply the rule to all sidecars
-                        in the mesh. If a list of gateway names is provided, the rules
-                        will apply only to the gateways. To apply the rules to both
-                        gateways and sidecars, specify "mesh" as one of the gateway
-                        names.
-                      items:
-                        type: string
-                      type: array
-                    hosts:
-                      description: REQUIRED. The destination address for traffic captured
-                        by this virtual service. Could be a DNS name with wildcard
-                        prefix or a CIDR prefix. Depending on the platform, short-names
-                        can also be used instead of a FQDN (i.e. has no dots in the
-                        name). In such a scenario, the FQDN of the host would be derived
-                        based on the underlying platform.  For example on Kubernetes,
-                        when hosts contains a short name, Istio will interpret the
-                        short name based on the namespace of the rule. Thus, when
-                        a client namespace applies a rule in the "default" namespace
-                        containing a name "reviews, Istio will setup routes to the
-                        "reviews.default.svc.cluster.local" service. However, if a
-                        different name such as "reviews.sales.svc.cluster.local" is
-                        used, it would be treated as a FQDN during virtual host matching.
-                        In Consul, a plain service name would be resolved to the FQDN
-                        "reviews.service.consul".  Note that the hosts field applies
-                        to both HTTP and TCP services. Service inside the mesh, i.e.,
-                        those found in the service registry, must always be referred
-                        to using their alphanumeric names. IP addresses or CIDR prefixes
-                        are allowed only for services defined via the Gateway.
-                      items:
-                        type: string
-                      type: array
-                    http:
-                      description: An ordered list of route rules for HTTP traffic.
-                        The first rule matching an incoming request is used.
-                      items:
-                        properties:
-                          appendHeaders:
-                            description: Additional HTTP headers to add before forwarding
-                              a request to the destination service.
-                            type: object
-                          corsPolicy:
-                            description: Cross-Origin Resource Sharing policy
-                            properties:
-                              allowCredentials:
-                                description: Indicates whether the caller is allowed
-                                  to send the actual request (not the preflight) using
-                                  credentials. Translates to Access-Control-Allow-Credentials
-                                  header.
-                                type: boolean
-                              allowHeaders:
-                                description: List of HTTP headers that can be used
-                                  when requesting the resource. Serialized to Access-Control-Allow-Methods
-                                  header.
-                                items:
-                                  type: string
-                                type: array
-                              allowMethods:
-                                description: List of HTTP methods allowed to access
-                                  the resource. The content will be serialized into
-                                  the Access-Control-Allow-Methods header.
-                                items:
-                                  type: string
-                                type: array
-                              allowOrigin:
-                                description: The list of origins that are allowed
-                                  to perform CORS requests. The content will be serialized
-                                  into the Access-Control-Allow-Origin header. Wildcard
-                                  * will allow all origins.
-                                items:
-                                  type: string
-                                type: array
-                              exposeHeaders:
-                                description: A white list of HTTP headers that the
-                                  browsers are allowed to access. Serialized into
-                                  Access-Control-Expose-Headers header.
-                                items:
-                                  type: string
-                                type: array
-                              maxAge:
-                                description: Specifies how long the the results of
-                                  a preflight request can be cached. Translates to
-                                  the Access-Control-Max-Age header.
-                                type: string
-                            type: object
-                          fault:
-                            description: Fault injection policy to apply on HTTP traffic.
-                            properties:
-                              abort:
-                                description: Abort Http request attempts and return
-                                  error codes back to downstream service, giving the
-                                  impression that the upstream service is faulty.
-                                properties:
-                                  httpStatus:
-                                    description: REQUIRED. HTTP status code to use
-                                      to abort the Http request.
-                                    format: int64
-                                    type: integer
-                                  percent:
-                                    description: Percentage of requests to be aborted
-                                      with the error code provided (0-100).
-                                    format: int64
-                                    type: integer
-                                required:
-                                - httpStatus
-                                type: object
-                              delay:
-                                description: Delay requests before forwarding, emulating
-                                  various failures such as network issues, overloaded
-                                  upstream service, etc.
-                                properties:
-                                  exponentialDelay:
-                                    description: (-- Add a delay (based on an exponential
-                                      function) before forwarding the request. mean
-                                      delay needed to derive the exponential delay
-                                      values --)
-                                    type: string
-                                  fixedDelay:
-                                    description: 'REQUIRED. Add a fixed delay before
-                                      forwarding the request. Format: 1h/1m/1s/1ms.
-                                      MUST be >=1ms.'
-                                    type: string
-                                  percent:
-                                    description: Percentage of requests on which the
-                                      delay will be injected (0-100).
-                                    format: int64
-                                    type: integer
-                                required:
-                                - fixedDelay
-                                type: object
-                            type: object
-                          match:
-                            description: Match conditions to be satisfied for the
-                              rule to be activated. All conditions inside a single
-                              match block have AND semantics, while the list of match
-                              blocks have OR semantics. The rule is matched if any
-                              one of the match blocks succeed.
-                            items:
-                              properties:
-                                authority:
-                                  description: 'HTTP Authority values are case-sensitive
-                                    and formatted as follows:  - `exact: "value"`
-                                    for exact string match  - `prefix: "value"` for
-                                    prefix-based match  - `regex: "value"` for ECMAscript
-                                    style regex-based match'
-                                  properties:
-                                    exact:
-                                      description: exact string match
-                                      type: string
-                                    prefix:
-                                      description: prefix-based match
-                                      type: string
-                                    regex:
-                                      description: ECMAscript style regex-based match
-                                      type: string
-                                    suffix:
-                                      description: suffix-based match.
-                                      type: string
-                                  type: object
-                                gateways:
-                                  description: Names of gateways where the rule should
-                                    be applied to. Gateway names at the top of the
-                                    VirtualService (if any) are overridden. The gateway
-                                    match is independent of sourceLabels.
-                                  items:
-                                    type: string
-                                  type: array
-                                headers:
-                                  description: 'The header keys must be lowercase
-                                    and use hyphen as the separator, e.g. _x-request-id_.  Header
-                                    values are case-sensitive and formatted as follows:  -
-                                    `exact: "value"` for exact string match  - `prefix:
-                                    "value"` for prefix-based match  - `regex: "value"`
-                                    for ECMAscript style regex-based match  **Note:**
-                                    The keys `uri`, `scheme`, `method`, and `authority`
-                                    will be ignored.'
-                                  type: object
-                                method:
-                                  description: 'HTTP Method values are case-sensitive
-                                    and formatted as follows:  - `exact: "value"`
-                                    for exact string match  - `prefix: "value"` for
-                                    prefix-based match  - `regex: "value"` for ECMAscript
-                                    style regex-based match'
-                                  properties:
-                                    exact:
-                                      description: exact string match
-                                      type: string
-                                    prefix:
-                                      description: prefix-based match
-                                      type: string
-                                    regex:
-                                      description: ECMAscript style regex-based match
-                                      type: string
-                                    suffix:
-                                      description: suffix-based match.
-                                      type: string
-                                  type: object
-                                port:
-                                  description: Specifies the ports on the host that
-                                    is being addressed. Many services only expose
-                                    a single port or label ports with the protocols
-                                    they support, in these cases it is not required
-                                    to explicitly select the port.
-                                  format: int32
-                                  type: integer
-                                scheme:
-                                  description: 'URI Scheme values are case-sensitive
-                                    and formatted as follows:  - `exact: "value"`
-                                    for exact string match  - `prefix: "value"` for
-                                    prefix-based match  - `regex: "value"` for ECMAscript
-                                    style regex-based match'
-                                  properties:
-                                    exact:
-                                      description: exact string match
-                                      type: string
-                                    prefix:
-                                      description: prefix-based match
-                                      type: string
-                                    regex:
-                                      description: ECMAscript style regex-based match
-                                      type: string
-                                    suffix:
-                                      description: suffix-based match.
-                                      type: string
-                                  type: object
-                                sourceLabels:
-                                  description: One or more labels that constrain the
-                                    applicability of a rule to workloads with the
-                                    given labels. If the VirtualService has a list
-                                    of gateways specified at the top, it should include
-                                    the reserved gateway `mesh` in order for this
-                                    field to be applicable.
-                                  type: object
-                                uri:
-                                  description: 'URI to match values are case-sensitive
-                                    and formatted as follows:  - `exact: "value"`
-                                    for exact string match  - `prefix: "value"` for
-                                    prefix-based match  - `regex: "value"` for ECMAscript
-                                    style regex-based match'
-                                  properties:
-                                    exact:
-                                      description: exact string match
-                                      type: string
-                                    prefix:
-                                      description: prefix-based match
-                                      type: string
-                                    regex:
-                                      description: ECMAscript style regex-based match
-                                      type: string
-                                    suffix:
-                                      description: suffix-based match.
-                                      type: string
-                                  type: object
-                              type: object
-                            type: array
-                          mirror:
-                            description: Mirror HTTP traffic to a another destination
-                              in addition to forwarding the requests to the intended
-                              destination. Mirrored traffic is on a best effort basis
-                              where the sidecar/gateway will not wait for the mirrored
-                              cluster to respond before returning the response from
-                              the original destination.  Statistics will be generated
-                              for the mirrored destination.
-                            properties:
-                              host:
-                                description: 'REQUIRED. The name of a service from
-                                  the service registry. Service names are looked up
-                                  from the platform''s service registry (e.g., Kubernetes
-                                  services, Consul services, etc.) and from the hosts
-                                  declared by [ServiceEntry](#ServiceEntry). Traffic
-                                  forwarded to destinations that are not found in
-                                  either of the two, will be dropped.  *Note for Kubernetes
-                                  users*: When short names are used (e.g. "reviews"
-                                  instead of "reviews.default.svc.cluster.local"),
-                                  Istio will interpret the short name based on the
-                                  namespace of the rule, not the service. A rule in
-                                  the "default" namespace containing a host "reviews
-                                  will be interpreted as "reviews.default.svc.cluster.local",
-                                  irrespective of the actual namespace associated
-                                  with the reviews service. _To avoid potential misconfigurations,
-                                  it is recommended to always use fully qualified
-                                  domain names over short names._'
-                                type: string
-                              port:
-                                description: Specifies the port on the host that is
-                                  being addressed. If a service exposes only a single
-                                  port it is not required to explicitly select the
-                                  port.
-                                properties:
-                                  name:
-                                    description: Valid port name
-                                    type: string
-                                  number:
-                                    description: Valid port number
-                                    format: int32
-                                    type: integer
-                                type: object
-                              subset:
-                                description: The name of a subset within the service.
-                                  Applicable only to services within the mesh. The
-                                  subset must be defined in a corresponding DestinationRule.
-                                type: string
-                            required:
-                            - host
-                            type: object
-                          redirect:
-                            description: A http rule can either redirect or forward
-                              (default) traffic. If traffic passthrough option is
-                              specified in the rule, route/redirect will be ignored.
-                              The redirect primitive can be used to send a HTTP 302
-                              redirect to a different URI or Authority.
-                            properties:
-                              authority:
-                                description: On a redirect, overwrite the Authority/Host
-                                  portion of the URL with this value.
-                                type: string
-                              uri:
-                                description: On a redirect, overwrite the Path portion
-                                  of the URL with this value. Note that the entire
-                                  path will be replaced, irrespective of the request
-                                  URI being matched as an exact path or prefix.
-                                type: string
-                            type: object
-                          removeResponseHeaders:
-                            description: Http headers to remove before returning the
-                              response to the caller
-                            type: object
-                          retries:
-                            description: Retry policy for HTTP requests.
-                            properties:
-                              attempts:
-                                description: REQUIRED. Number of retries for a given
-                                  request. The interval between retries will be determined
-                                  automatically (25ms+). Actual number of retries
-                                  attempted depends on the httpReqTimeout.
-                                format: int64
-                                type: integer
-                              perTryTimeout:
-                                description: 'Timeout per retry attempt for a given
-                                  request. format: 1h/1m/1s/1ms. MUST BE >=1ms.'
-                                type: string
-                            required:
-                            - attempts
-                            - perTryTimeout
-                            type: object
-                          rewrite:
-                            description: Rewrite HTTP URIs and Authority headers.
-                              Rewrite cannot be used with Redirect primitive. Rewrite
-                              will be performed before forwarding.
-                            properties:
-                              authority:
-                                description: rewrite the Authority/Host header with
-                                  this value.
-                                type: string
-                              uri:
-                                description: rewrite the path (or the prefix) portion
-                                  of the URI with this value. If the original URI
-                                  was matched based on prefix, the value provided
-                                  in this field will replace the corresponding matched
-                                  prefix.
-                                type: string
-                            type: object
-                          route:
-                            description: A http rule can either redirect or forward
-                              (default) traffic. The forwarding target can be one
-                              of several versions of a service (see glossary in beginning
-                              of document). Weights associated with the service version
-                              determine the proportion of traffic it receives.
-                            items:
-                              properties:
-                                destination:
-                                  description: REQUIRED. Destination uniquely identifies
-                                    the instances of a service to which the request/connection
-                                    should be forwarded to.
-                                  properties:
-                                    host:
-                                      description: 'REQUIRED. The name of a service
-                                        from the service registry. Service names are
-                                        looked up from the platform''s service registry
-                                        (e.g., Kubernetes services, Consul services,
-                                        etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
-                                        Traffic forwarded to destinations that are
-                                        not found in either of the two, will be dropped.  *Note
-                                        for Kubernetes users*: When short names are
-                                        used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
-                                        Istio will interpret the short name based
-                                        on the namespace of the rule, not the service.
-                                        A rule in the "default" namespace containing
-                                        a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
-                                        irrespective of the actual namespace associated
-                                        with the reviews service. _To avoid potential
-                                        misconfigurations, it is recommended to always
-                                        use fully qualified domain names over short
-                                        names._'
-                                      type: string
-                                    port:
-                                      description: Specifies the port on the host
-                                        that is being addressed. If a service exposes
-                                        only a single port it is not required to explicitly
-                                        select the port.
-                                      properties:
-                                        name:
-                                          description: Valid port name
-                                          type: string
-                                        number:
-                                          description: Valid port number
-                                          format: int32
-                                          type: integer
-                                      type: object
-                                    subset:
-                                      description: The name of a subset within the
-                                        service. Applicable only to services within
-                                        the mesh. The subset must be defined in a
-                                        corresponding DestinationRule.
-                                      type: string
-                                  required:
-                                  - host
-                                  type: object
-                                weight:
-                                  description: REQUIRED. The proportion of traffic
-                                    to be forwarded to the service version. (0-100).
-                                    Sum of weights across destinations SHOULD BE ==
-                                    100. If there is only destination in a rule, the
-                                    weight value is assumed to be 100.
-                                  format: int64
-                                  type: integer
-                              required:
-                              - destination
-                              - weight
-                              type: object
-                            type: array
-                          timeout:
-                            description: Timeout for HTTP requests.
-                            type: string
-                          websocketUpgrade:
-                            description: Indicates that a HTTP/1.1 client connection
-                              to this particular route should be allowed (and expected)
-                              to upgrade to a WebSocket connection. The default is
-                              false. Istio's reference sidecar implementation (Envoy)
-                              expects the first request to this route to contain the
-                              WebSocket upgrade headers. Otherwise, the request will
-                              be rejected. Note that Websocket allows secondary protocol
-                              negotiation which may then be subject to further routing
-                              rules based on the protocol selected.
-                            type: boolean
-                        type: object
-                      type: array
-                    tcp:
-                      description: An ordered list of route rules for TCP traffic.
-                        The first rule matching an incoming request is used.
-                      items:
-                        properties:
-                          match:
-                            description: Match conditions to be satisfied for the
-                              rule to be activated. All conditions inside a single
-                              match block have AND semantics, while the list of match
-                              blocks have OR semantics. The rule is matched if any
-                              one of the match blocks succeed.
-                            items:
-                              properties:
-                                destinationSubnets:
-                                  description: IPv4 or IPv6 ip address of destination
-                                    with optional subnet.  E.g., a.b.c.d/xx form or
-                                    just a.b.c.d.
-                                  items:
-                                    type: string
-                                  type: array
-                                gateways:
-                                  description: Names of gateways where the rule should
-                                    be applied to. Gateway names at the top of the
-                                    VirtualService (if any) are overridden. The gateway
-                                    match is independent of sourceLabels.
-                                  items:
-                                    type: string
-                                  type: array
-                                port:
-                                  description: Specifies the port on the host that
-                                    is being addressed. Many services only expose
-                                    a single port or label ports with the protocols
-                                    they support, in these cases it is not required
-                                    to explicitly select the port.
-                                  format: int64
-                                  type: integer
-                                sourceLabels:
-                                  description: One or more labels that constrain the
-                                    applicability of a rule to workloads with the
-                                    given labels. If the VirtualService has a list
-                                    of gateways specified at the top, it should include
-                                    the reserved gateway `mesh` in order for this
-                                    field to be applicable.
-                                  type: object
-                              type: object
-                            type: array
-                          route:
-                            description: The destinations to which the connection
-                              should be forwarded to. Weights must add to 100%.
-                            items:
-                              properties:
-                                destination:
-                                  description: REQUIRED. Destination uniquely identifies
-                                    the instances of a service to which the request/connection
-                                    should be forwarded to.
-                                  properties:
-                                    host:
-                                      description: 'REQUIRED. The name of a service
-                                        from the service registry. Service names are
-                                        looked up from the platform''s service registry
-                                        (e.g., Kubernetes services, Consul services,
-                                        etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
-                                        Traffic forwarded to destinations that are
-                                        not found in either of the two, will be dropped.  *Note
-                                        for Kubernetes users*: When short names are
-                                        used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
-                                        Istio will interpret the short name based
-                                        on the namespace of the rule, not the service.
-                                        A rule in the "default" namespace containing
-                                        a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
-                                        irrespective of the actual namespace associated
-                                        with the reviews service. _To avoid potential
-                                        misconfigurations, it is recommended to always
-                                        use fully qualified domain names over short
-                                        names._'
-                                      type: string
-                                    port:
-                                      description: Specifies the port on the host
-                                        that is being addressed. If a service exposes
-                                        only a single port it is not required to explicitly
-                                        select the port.
-                                      properties:
-                                        name:
-                                          description: Valid port name
-                                          type: string
-                                        number:
-                                          description: Valid port number
-                                          format: int32
-                                          type: integer
-                                      type: object
-                                    subset:
-                                      description: The name of a subset within the
-                                        service. Applicable only to services within
-                                        the mesh. The subset must be defined in a
-                                        corresponding DestinationRule.
-                                      type: string
-                                  required:
-                                  - host
-                                  type: object
-                                weight:
-                                  description: REQUIRED. The proportion of traffic
-                                    to be forwarded to the service version. (0-100).
-                                    Sum of weights across destinations SHOULD BE ==
-                                    100. If there is only destination in a rule, the
-                                    weight value is assumed to be 100.
-                                  format: int64
-                                  type: integer
-                              required:
-                              - destination
-                              - weight
-                              type: object
-                            type: array
-                        required:
-                        - match
-                        - route
-                        type: object
-                      type: array
-                    tls:
-                      items:
-                        properties:
-                          match:
-                            description: REQUIRED. Match conditions to be satisfied
-                              for the rule to be activated. All conditions inside
-                              a single match block have AND semantics, while the list
-                              of match blocks have OR semantics. The rule is matched
-                              if any one of the match blocks succeed.
-                            items:
-                              properties:
-                                destinationSubnets:
-                                  description: IPv4 or IPv6 ip addresses of destination
-                                    with optional subnet.  E.g., a.b.c.d/xx form or
-                                    just a.b.c.d.
-                                  items:
-                                    type: string
-                                  type: array
-                                gateways:
-                                  description: Names of gateways where the rule should
-                                    be applied to. Gateway names at the top of the
-                                    VirtualService (if any) are overridden. The gateway
-                                    match is independent of sourceLabels.
-                                  items:
-                                    type: string
-                                  type: array
-                                port:
-                                  description: Specifies the port on the host that
-                                    is being addressed. Many services only expose
-                                    a single port or label ports with the protocols
-                                    they support, in these cases it is not required
-                                    to explicitly select the port.
-                                  format: int64
-                                  type: integer
-                                sniHosts:
-                                  description: REQUIRED. SNI (server name indicator)
-                                    to match on. Wildcard prefixes can be used in
-                                    the SNI value, e.g., *.com will match foo.example.com
-                                    as well as example.com. An SNI value must be a
-                                    subset (i.e., fall within the domain) of the corresponding
-                                    virtual service's hosts
-                                  items:
-                                    type: string
-                                  type: array
-                                sourceLabels:
-                                  description: One or more labels that constrain the
-                                    applicability of a rule to workloads with the
-                                    given labels. If the VirtualService has a list
-                                    of gateways specified at the top, it should include
-                                    the reserved gateway `mesh` in order for this
-                                    field to be applicable.
-                                  type: object
-                              required:
-                              - sniHosts
-                              type: object
-                            type: array
-                          route:
-                            description: The destination to which the connection should
-                              be forwarded to.
-                            items:
-                              properties:
-                                destination:
-                                  description: REQUIRED. Destination uniquely identifies
-                                    the instances of a service to which the request/connection
-                                    should be forwarded to.
-                                  properties:
-                                    host:
-                                      description: 'REQUIRED. The name of a service
-                                        from the service registry. Service names are
-                                        looked up from the platform''s service registry
-                                        (e.g., Kubernetes services, Consul services,
-                                        etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
-                                        Traffic forwarded to destinations that are
-                                        not found in either of the two, will be dropped.  *Note
-                                        for Kubernetes users*: When short names are
-                                        used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
-                                        Istio will interpret the short name based
-                                        on the namespace of the rule, not the service.
-                                        A rule in the "default" namespace containing
-                                        a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
-                                        irrespective of the actual namespace associated
-                                        with the reviews service. _To avoid potential
-                                        misconfigurations, it is recommended to always
-                                        use fully qualified domain names over short
-                                        names._'
-                                      type: string
-                                    port:
-                                      description: Specifies the port on the host
-                                        that is being addressed. If a service exposes
-                                        only a single port it is not required to explicitly
-                                        select the port.
-                                      properties:
-                                        name:
-                                          description: Valid port name
-                                          type: string
-                                        number:
-                                          description: Valid port number
-                                          format: int32
-                                          type: integer
-                                      type: object
-                                    subset:
-                                      description: The name of a subset within the
-                                        service. Applicable only to services within
-                                        the mesh. The subset must be defined in a
-                                        corresponding DestinationRule.
-                                      type: string
-                                  required:
-                                  - host
-                                  type: object
-                                weight:
-                                  description: REQUIRED. The proportion of traffic
-                                    to be forwarded to the service version. (0-100).
-                                    Sum of weights across destinations SHOULD BE ==
-                                    100. If there is only destination in a rule, the
-                                    weight value is assumed to be 100.
-                                  format: int64
-                                  type: integer
-                              required:
-                              - destination
-                              - weight
-                              type: object
-                            type: array
-                        required:
-                        - match
-                        - route
-                        type: object
-                      type: array
-                  required:
-                  - hosts
-                  type: object
-              type: object
-            type:
-              description: Strategy type
-              type: string
-          type: object
-        status:
-          type: object
-  version: v1alpha2
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/tenant.kubesphere.io_workspaces.yaml
+++ b/config/crds/tenant.kubesphere.io_workspaces.yaml
@@ -0,0 +1,53 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: workspaces.tenant.kubesphere.io
+spec:
+  group: tenant.kubesphere.io
+  names:
+    categories:
+    - tenant
+    kind: Workspace
+    listKind: WorkspaceList
+    plural: workspaces
+    singular: workspace
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Workspace is the Schema for the workspaces API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: WorkspaceSpec defines the desired state of Workspace
+            properties:
+              manager:
+                type: string
+              networkIsolation:
+                type: boolean
+            type: object
+          status:
+            description: WorkspaceStatus defines the observed state of Workspace
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/tenant.kubesphere.io_workspacetemplates.yaml
+++ b/config/crds/tenant.kubesphere.io_workspacetemplates.yaml
@@ -0,0 +1,126 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: workspacetemplates.tenant.kubesphere.io
+spec:
+  group: tenant.kubesphere.io
+  names:
+    categories:
+    - tenant
+    kind: WorkspaceTemplate
+    listKind: WorkspaceTemplateList
+    plural: workspacetemplates
+    singular: workspacetemplate
+  scope: Cluster
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: WorkspaceTemplate is the Schema for the workspacetemplates API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              overrides:
+                items:
+                  properties:
+                    clusterName:
+                      type: string
+                    clusterOverrides:
+                      items:
+                        properties:
+                          op:
+                            type: string
+                          path:
+                            type: string
+                          value:
+                            type: object
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - path
+                        type: object
+                      type: array
+                  required:
+                  - clusterName
+                  type: object
+                type: array
+              placement:
+                properties:
+                  clusterSelector:
+                    description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                        items:
+                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - key
+                          - operator
+                          type: object
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                  clusters:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
+              template:
+                properties:
+                  metadata:
+                    type: object
+                  spec:
+                    description: WorkspaceSpec defines the desired state of Workspace
+                    properties:
+                      manager:
+                        type: string
+                      networkIsolation:
+                        type: boolean
+                    type: object
+                type: object
+            required:
+            - placement
+            - template
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/tenant_v1alpha1_workspace.yaml
+++ b/config/crds/tenant_v1alpha1_workspace.yaml
@@ -1,42 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: workspaces.tenant.kubesphere.io
-spec:
-  group: tenant.kubesphere.io
-  names:
-    kind: Workspace
-    plural: workspaces
-  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            manager:
-              type: string
-          type: object
-        status:
-          type: object
-  version: v1alpha1
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -1,49 +0,0 @@
-# Adds namespace to all resources.
-namespace: t-system
-
-# Value of this field is prepended to the
-# names of all resources, e.g. a deployment named
-# "wordpress" becomes "alices-wordpress".
-# Note that it should also match with the prefix (text before '-') of the namespace
-# field above.
-namePrefix: t-
-
-# Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
-
-# Each entry in this list must resolve to an existing
-# resource definition in YAML.  These are the resource
-# files that kustomize reads, modifies and emits as a
-# YAML string, with resources separated by document
-# markers ("---").
-resources:
- ../rbac/rbac_role.yaml
- ../rbac/rbac_role_binding.yaml
- ../manager/manager.yaml
-  # Comment the following 3 lines if you want to disable
-  # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-  # which protects your /metrics endpoint.
-#- ../rbac/auth_proxy_service.yaml
-#- ../rbac/auth_proxy_role.yaml
-#- ../rbac/auth_proxy_role_binding.yaml
-
-patches:
- manager_image_patch.yaml
-  # Protect the /metrics endpoint by putting it behind auth.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
- manager_auth_proxy_patch.yaml
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, uncomment the following line and
-  # comment manager_auth_proxy_patch.yaml.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
-#- manager_prometheus_metrics_patch.yaml
-
-vars:
- name: WEBHOOK_SECRET_NAME
-  objref:
-    kind: Secret
-    name: webhook-server-secret
-    apiVersion: v1
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -1,24 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
-# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: kube-rbac-proxy
-        image: quay.io/coreos/kube-rbac-proxy:v0.4.0
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=10"
-        ports:
-        - containerPort: 8443
-          name: https
-      - name: manager
-        args:
-        - "--metrics-addr=127.0.0.1:8080"
--- a/config/default/manager_image_patch.yaml
+++ b/config/default/manager_image_patch.yaml
@@ -1,12 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      # Change the value of image field below to your controller image URL
-      - image: kubespheredev/controller-manager:latest
-        name: manager
--- a/config/default/manager_prometheus_metrics_patch.yaml
+++ b/config/default/manager_prometheus_metrics_patch.yaml
@@ -1,19 +0,0 @@
-# This patch enables Prometheus scraping for the manager pod.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    metadata:
-      annotations:
-        prometheus.io/scrape: 'true'
-    spec:
-      containers:
-      # Expose the prometheus metrics on default port
-      - name: manager
-        ports:
-        - containerPort: 8080
-          name: metrics
-          protocol: TCP
--- a/config/gateway/.helmignore
+++ b/config/gateway/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/config/gateway/Chart.yaml
+++ b/config/gateway/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 1.16.0
+description: The Gateway helm Chart creates a Nginx Ingress Controller release by render a Nginx.gateway.kubesphere.io Kind. 
+name: gateway
+type: application
+version: 0.1.0
--- a/config/gateway/templates/nginx-ingress.yaml
+++ b/config/gateway/templates/nginx-ingress.yaml
@@ -0,0 +1,278 @@
+apiVersion: gateway.kubesphere.io/v1alpha1
+kind: Nginx
+metadata:
+  name: {{ .Release.Name }}-ingress
+spec:
+  fullnameOverride: {{ .Release.Name }}
+  controller:
+    # To rolling upgrade from old nginx ingress controller, we have to overide the name pattern
+    name: ""
+    image:
+    {{- with .Values.controller.image }}
+    {{- toYaml . | nindent 6 }}
+    {{- end }}
+
+    publishService:
+      enabled: {{ eq .Values.service.type "LoadBalancer" }}
+
+    # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
+    {{- if .Values.controller.config }}
+    config: {{ toYaml .Values.controller.config | nindent 6 }}
+    {{- end }}
+
+    {{- if hasKey .Values.deployment.annotations "servicemesh.kubesphere.io/enabled" }}
+    podAnnotations:
+      sidecar.istio.io/inject: {{ get .Values.deployment.annotations "servicemesh.kubesphere.io/enabled" }}
+    {{- end }}
+
+    ## Annotations to be added to the controller config configuration configmap
+    ##
+    configAnnotations: {}
+
+    # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers
+    proxySetHeaders: {}
+
+    # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
+    addHeaders: {}
+
+    # Optionally customize the pod dnsConfig.
+    dnsConfig: {}
+
+
+    # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
+    # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
+    reportNodeInternalIp: false
+
+    ## Election ID to use for status update
+    ##
+    electionID: ingress-controller-leader-{{ .Release.Name }}
+
+    ## Name of the ingress class to route through this controller
+    ##
+    ingressClass: nginx
+
+    # This section refers to the creation of the IngressClass resource
+    # IngressClass resources are supported since k8s >= 1.18
+    ingressClassResource:
+      enabled: false
+      default: false
+
+      # Parameters is a link to a custom resource containing additional
+      # configuration for the controller. This is optional if the controller
+      # does not require extra parameters.
+      parameters: {}
+
+    # labels to add to the pod container metadata
+    podLabels: {}
+    #  key: value
+
+
+    ## Limit the scope of the controller
+    ##
+{{- if .Values.controller.scope.enabled }}
+    scope:
+      enabled: true
+      namespace: {{ default .Release.Namespace .Values.controller.scope.namespace }}   # defaults to .Release.Namespace
+{{- end }}
+
+
+    ## Allows customization of the configmap / nginx-configmap namespace
+    ##
+    configMapNamespace: ""   # defaults to .Release.Namespace
+
+    ## Allows customization of the tcp-services-configmap
+    ##
+    tcp:
+      configMapNamespace: ""   # defaults to .Release.Namespace
+      ## Annotations to be added to the tcp config configmap
+      annotations: {}
+
+    ## Allows customization of the udp-services-configmap
+    ##
+    udp:
+      configMapNamespace: ""   # defaults to .Release.Namespace
+      ## Annotations to be added to the udp config configmap
+      annotations: {}
+
+
+    ## Additional command line arguments to pass to nginx-ingress-controller
+    ## E.g. to specify the default SSL certificate you can use
+    ## extraArgs:
+    ##   default-ssl-certificate: "<namespace>/<secret_name>"
+    extraArgs: {}
+
+    ## Additional environment variables to set
+    extraEnvs: []
+
+    kind: Deployment
+
+    ## Annotations to be added to the controller Deployment or DaemonSet
+    ##
+    {{- if .Values.deployment.annotations }}
+    annotations: {{ toYaml .Values.deployment.annotations | nindent 6 }}
+    {{- end }}
+
+    ## Labels to be added to the controller Deployment or DaemonSet
+    ##
+    labels: {}
+    #  keel.sh/policy: patch
+    #  keel.sh/trigger: poll
+
+
+    ## Node tolerations for server scheduling to nodes with taints
+    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+    ##
+    tolerations: []
+    #  - key: "key"
+    #    operator: "Equal|Exists"
+    #    value: "value"
+    #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+    ## Affinity and anti-affinity
+    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+    ##
+    affinity:
+      podAntiAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 100
+          podAffinityTerm:
+            labelSelector:
+              matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                - ingress-nginx
+              - key: app.kubernetes.io/instance
+                operator: In
+                values:
+                - {{ .Release.Name }}-ingress
+              - key: app.kubernetes.io/component
+                operator: In
+                values:
+                - controller
+            topologyKey: kubernetes.io/hostname
+
+      # # An example of required pod anti-affinity
+      # podAntiAffinity:
+      #   requiredDuringSchedulingIgnoredDuringExecution:
+      #   - labelSelector:
+      #       matchExpressions:
+      #       - key: app.kubernetes.io/name
+      #         operator: In
+      #         values:
+      #         - ingress-nginx
+      #       - key: app.kubernetes.io/instance
+      #         operator: In
+      #         values:
+      #         - ingress-nginx
+      #       - key: app.kubernetes.io/component
+      #         operator: In
+      #         values:
+      #         - controller
+      #     topologyKey: "kubernetes.io/hostname"
+
+    ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
+    ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+    ##
+    topologySpreadConstraints: []
+      # - maxSkew: 1
+      #   topologyKey: failure-domain.beta.kubernetes.io/zone
+      #   whenUnsatisfiable: DoNotSchedule
+      #   labelSelector:
+      #     matchLabels:
+      #       app.kubernetes.io/instance: ingress-nginx-internal
+
+
+
+    replicaCount: {{.Values.deployment.replicas}}
+
+    minAvailable: 1
+
+    # Define requests resources to avoid probe issues due to CPU utilization in busy nodes
+    # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
+    # Ideally, there should be no limits.
+    # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
+    resources:
+    #  limits:
+    #    cpu: 100m
+    #    memory: 90Mi
+      requests:
+        cpu: 100m
+        memory: 90Mi
+
+    # Mutually exclusive with keda autoscaling
+    autoscaling:
+      enabled: false
+      minReplicas: 1
+      maxReplicas: 11
+      targetCPUUtilizationPercentage: 50
+      targetMemoryUtilizationPercentage: 50
+
+    ## Override NGINX template
+    customTemplate:
+      configMapName: ""
+      configMapKey: ""
+
+    service:
+      enabled: true
+
+{{- if .Values.service.annotations }}
+      annotations: {{ toYaml .Values.service.annotations | nindent 8 }}
+{{- end }}
+      labels: {}
+      # clusterIP: ""
+
+      ## List of IP addresses at which the controller services are available
+      ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+      ##
+      externalIPs: []
+
+      # loadBalancerIP: ""
+      loadBalancerSourceRanges: []
+
+      ## Set external traffic policy to: "Local" to preserve source IP on
+      ## providers supporting it
+      ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
+      # externalTrafficPolicy: ""
+
+      # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+      # sessionAffinity: ""
+
+
+      type: {{ .Values.service.type }}
+
+      # type: NodePort
+      # nodePorts:
+      #   http: 32080
+      #   https: 32443
+      #   tcp:
+      #     8080: 32808
+      nodePorts:
+        http: ""
+        https: ""
+        tcp: {}
+        udp: {}
+
+    admissionWebhooks:
+      enabled: false
+
+    metrics:
+      port: 10254
+      enabled: true
+
+      serviceMonitor:
+        enabled: true
+      prometheusRule:
+        enabled: false
+
+
+  ## Optional array of imagePullSecrets containing private registry credentials
+  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  imagePullSecrets: []
+  # - name: secretName
+
+
+
+
+
--- a/config/gateway/values.yaml
+++ b/config/gateway/values.yaml
@@ -0,0 +1,29 @@
+# Default values for gateway.
+
+controller:
+  replicas: 1
+  annotations: {}
+  # add custom configuration options
+  config: {}
+  ## Limit the scope of the controller
+  ##
+  scope:
+    enabled: false
+    namespace: ""  # defaults to .Release.Namespace
+  image:
+    repository: kubesphere/nginx-ingress-controller
+    tag: "v0.48.1"
+    pullPolicy: IfNotPresent
+    digest: ""
+
+
+service:
+  ## annotations for Services, used for config Cloud LoadBalancer
+  annotations: {}
+  type: LoadBalancer
+
+## for nginx controller, same with controller
+deployment:
+  annotations: {}
+  replicas: 1
+  
--- a/config/ks-core/.helmignore
+++ b/config/ks-core/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/config/ks-core/Chart.yaml
+++ b/config/ks-core/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: ks-core
+description: A Helm chart for KubeSphere Core components
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "v3.1.0"
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
--- a/config/ks-core/templates/NOTES.txt
+++ b/config/ks-core/templates/NOTES.txt
--- a/config/ks-core/templates/_helpers.tpl
+++ b/config/ks-core/templates/_helpers.tpl
@@ -0,0 +1,75 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ks-core.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ks-core.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ks-core.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ks-core.labels" -}}
+helm.sh/chart: {{ include "ks-core.chart" . }}
+{{ include "ks-core.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ks-core.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ks-core.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ks-core.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ks-core.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Returns user's password or use default
+*/}}
+{{- define "getOrDefaultPass" }}
+{{- $pws := (lookup "iam.kubesphere.io/v1alpha2" "User" "" .Name) -}}
+{{- if $pws }}
+{{- $pws.spec.password  -}}
+{{- else -}}
+{{- .Default -}}
+{{- end -}}
+{{- end }}
--- a/config/ks-core/templates/account.yaml
+++ b/config/ks-core/templates/account.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: User
+metadata:
+  name: admin
+  annotations:
+    iam.kubesphere.io/uninitialized: "true"
+    helm.sh/resource-policy: keep
+spec:
+  email: admin@kubesphere.io
+  password: "{{ include "getOrDefaultPass" (dict "Name" "admin" "Default" "$2a$10$zcHepmzfKPoxCVCYZr5K7ORPZZ/ySe9p/7IUb/8u./xHrnSX2LOCO") }}"
+status:
+  state: Active
--- a/config/ks-core/templates/ks-apiserver.yml
+++ b/config/ks-core/templates/ks-apiserver.yml
@@ -0,0 +1,116 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ks-apiserver
+    tier: backend
+    version: {{ .Chart.AppVersion }}
+  name: ks-apiserver
+spec:
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+    type: RollingUpdate
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: ks-apiserver
+      tier: backend
+      # version: {{ .Chart.AppVersion }}
+  template:
+    metadata:
+      labels:
+        app: ks-apiserver
+        tier: backend
+        # version: {{ .Chart.AppVersion }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      - command:
+        - ks-apiserver
+        - --logtostderr=true
+        image: {{ .Values.image.ks_apiserver_repo }}:{{ .Values.image.ks_apiserver_tag | default .Chart.AppVersion }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        name: ks-apiserver
+        ports:
+        - containerPort: 9090
+          protocol: TCP
+        resources:
+          {{- toYaml .Values.apiserver.resources | nindent 12 }}
+        volumeMounts:
+        - mountPath: /etc/kubesphere/ingress-controller
+          name: ks-router-config
+        - mountPath: /etc/kubesphere/
+          name: kubesphere-config
+        - mountPath: /etc/localtime
+          name: host-time
+          readOnly: true
+        {{- if .Values.apiserver.extraVolumeMounts }}
+          {{- toYaml .Values.apiserver.extraVolumeMounts | nindent 8 }}
+        {{- end }}
+        env:
+        {{- if .Values.env }}
+        {{- toYaml .Values.env | nindent 8 }}
+        {{- end }}
+        livenessProbe:
+          failureThreshold: 8
+          httpGet:
+            path: /kapis/version
+            port: 9090
+            scheme: HTTP
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+      - configMap:
+          defaultMode: 420
+          name: ks-router-config
+        name: ks-router-config
+      - configMap:
+          defaultMode: 420
+          name: kubesphere-config
+        name: kubesphere-config
+      - hostPath:
+          path: /etc/localtime
+          type: ""
+        name: host-time
+      {{- if .Values.apiserver.extraVolumes }}
+        {{ toYaml .Values.apiserver.extraVolumes | nindent 6 }}
+      {{- end }}
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubernetes.io/created-by: kubesphere.io/ks-apiserver
+  labels:
+    app: ks-apiserver
+    tier: backend
+    version: {{ .Chart.AppVersion }}
+  name: ks-apiserver
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    app: ks-apiserver
+    tier: backend
+    # version: {{ .Chart.AppVersion }}
+  type: ClusterIP
--- a/Show More
+++ b/Show More