Add the corresponding label 'kind/bug' to the issue template (#4952 )

Create SECURITY.md
Merge pull request #4940 from xyz-li/sa_token
2022-06-20 10:32:52 +08:00 · 2022-06-15 10:12:21 +08:00 · 2022-06-09 11:32:40 +08:00 · 2022-06-09 11:13:56 +08:00 · 2022-06-09 10:28:55 +08:00 · 2022-06-08 10:25:00 +08:00
4970 changed files with 604099 additions and 173584 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +0,0 @@
-# exclude all files and folders except bin folder
-**
-!bin
--- a/.env
+++ b/.env
@@ -1,2 +0,0 @@
-DATA_PATH=./tmp
-KUBESPHERE_LOG_LEVEL=debug
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,5 +1,6 @@
 ---
 name: Bug report
+labels: ["kind/bug"]
 about: Create a report to help us improve
 ---

--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,30 +1,54 @@
-**What type of PR is this?**
-> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line:
->
-> /kind api-change
-> /kind bug
-> /kind cleanup
-> /kind design
-> /kind documentation
-> /kind failing-test
-> /kind feature
-> /kind flake
+<!-- Thanks for sending a pull request! Here are some tips for you:

-**What this PR does / why we need it**:
+1. If you want **faster** PR reviews, read how: https://github.com/kubesphere/community/blob/master/developer-guide/development/the-pr-author-guide-to-getting-through-code-review.md
+2. In case you want to know how your PR got reviewed, read: https://github.com/kubesphere/community/blob/master/developer-guide/development/code-review-guide.md
+3. Here are some coding convetions followed by KubeSphere community: https://github.com/kubesphere/community/blob/master/developer-guide/development/coding-conventions.md
+-->

-**Which issue(s) this PR fixes**:
+### What type of PR is this?
+<!-- 
+Add one of the following kinds:
+/kind bug
+/kind cleanup
+/kind documentation
+/kind feature
+/kind design
+
+Optionally add one or more of the following kinds if applicable:
+/kind api-change
+/kind deprecation
+/kind failing-test
+/kind flake
+/kind regression
+-->
+
+
+### What this PR does / why we need it:
+
+### Which issue(s) this PR fixes:
 <!--
 Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
 _If PR is about `failing-tests or flakes`, please post the related issues/tests in a comment and do not use `Fixes`_*
 -->
 Fixes #

-**Special notes for reviewers**:
+### Special notes for reviewers:
 ```
 ```

-**Additional documentation, usage docs, etc.**:
+### Does this PR introduced a user-facing change?
+<!--
+If no, just write "None" in the release-note block below.
+If yes, a release note is required:
+Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required".

+For more information on release notes see: https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md
+-->
+```release-note
+
+```
+
+### Additional documentation, usage docs, etc.:
 <!--
 This section can be blank if this pull request does not require a release note.
 Please use the following format for linking documentation or pass the
--- a/.github/workflows/build-multiarch.yaml
+++ b/.github/workflows/build-multiarch.yaml
@@ -0,0 +1,42 @@
+name: BuildContainerImage
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'release-*'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'release-*'
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: all
+
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build and push docker images
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+        if: github.event_name == 'push'
+        run: |
+          echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+          REPO=kubespheredev TAG="${GITHUB_REF#refs/*/}" make container-cross-push
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,70 +0,0 @@
-name: Go
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'release*'
-    tags:
-      - 'v*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'release*'
-
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    env:
-      GO111MODULE: on
-    steps:
-      - name: Set up Go 1.13
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.13
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-
-      - name: Check pr is properly formatted
-        run: diff -u <(echo -n) <(gofmt -d ./pkg ./cmd ./tools ./test)
-
-      - name: Verify goimports
-        run: go get -u golang.org/x/tools/cmd/goimports && bash hack/verify-goimports.sh
-
-      - name: Downloading go dependencies
-        run: go mod vendor
-
-      - name: Install kubebuilder
-        run: bash hack/install_kubebuilder.sh
-
-      - name: Build
-        run: make all
-
-      - name: Make OpenAPI Spec
-        run: make openapi
-
-      - name: Uploading code coverage
-        uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./coverage.txt
-          flags: unittests
-          name: codecov-umbrella
-          fail_ci_if_error: false
-
-      - name: Get branch name
-        id: extract_branch
-        shell: bash
-        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-
-      - name: Build and push docker images
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-        if: github.event_name == 'push'
-        run: |
-          echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
-          bash hack/docker_build.sh ${{ steps.extract_branch.outputs.branch }}
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -13,20 +13,17 @@ jobs:
      GO111MODULE: on
    steps:

-      - name: Set up Go 1.13
-        uses: actions/setup-go@v1
+      - name: Set up Go 1.16
+        uses: actions/setup-go@v2
        with:
-          go-version: 1.13
+          go-version: 1.16
        id: go

      - name: Check out code into the Go module directory
        uses: actions/checkout@v2

-      - name: Downloading go dependencies
-        run: go mod vendor
-
      - name: Create kind cluster
-        uses: helm/kind-action@v1.0.0-rc.1
+        uses: helm/kind-action@v1.2.0
        with:
          config: .github/workflows/kind/kind.yaml

@@ -34,4 +31,14 @@ jobs:
        run: KIND_CLUSTER_NAME=chart-testing hack/deploy-kubesphere.sh

      - name: Run e2e testing
-        run: go test ./test/e2e
+        run: go test ./test/e2e
+
+      - name: slack
+        uses: 8398a7/action-slack@v3
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        with:
+          status: ${{ job.status }}
+          fields: repo,message,commit,author,action,eventName,ref,workflow,job,took
+        if: failure()
+
--- a/.github/workflows/kind/kind.yaml
+++ b/.github/workflows/kind/kind.yaml
@@ -2,7 +2,7 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
-  image: kindest/node:v1.19.7
+  image: kindest/node:v1.21.1
  extraMounts:
  - hostPath: /etc/localtime
    containerPath: /etc/localtime
--- a/.github/workflows/nightly-builds.yml
+++ b/.github/workflows/nightly-builds.yml
@@ -15,26 +15,24 @@ jobs:
      GO111MODULE: on
    steps:

-      - name: Set up Go 1.13
-        uses: actions/setup-go@v1
+      - name: Set up Go 1.16
+        uses: actions/setup-go@v2
        with:
-          go-version: 1.13
+          go-version: 1.16
        id: go

      - name: Check out code into the Go module directory
        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0

-      - name: Downloading go dependencies
-        run: go mod vendor
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: all

-      - name: Install kubebuilder
-        run: bash hack/install_kubebuilder.sh
-
-      - name: Build
-        run: make all
-
-      - name: Make OpenAPI Spec
-        run: make openapi
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@v1

      - name: Build and push docker images
        env:
@@ -42,19 +40,8 @@ jobs:
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
-          bash hack/docker_build.sh master
-
-          if [[ $? == 0 ]]; then
-            tag=nightly-$(date '+%Y%m%d')
-
-            docker tag kubespheredev/ks-apiserver kubespheredev/ks-apiserver:${tag}
-            docker tag kubespheredev/ks-controller-manager kubespheredev/ks-controller-manager:${tag}
-
-            docker push kubespheredev/ks-apiserver:${tag}
-            docker push kubespheredev/ks-controller-manager:${tag}
-          else
-            exit -1
-          fi
+          tag=nightly-$(date '+%Y%m%d')
+          REPO=kubespheredev TAG=${tag} make container-cross-push

      - name: slack
        uses: 8398a7/action-slack@v3
@@ -63,4 +50,4 @@ jobs:
        with:
          status: ${{ job.status }}
          fields: repo,message,commit,author,action,eventName,ref,workflow,job,took
-        if: always()
+        if: failure()
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,4 @@ kustomize/network/etcd
 apiserver.local.config
 tmp/
 kubesphere.yaml
+testbin/
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -0,0 +1,62 @@
+#
+#  Copyright 2022 The KubeSphere Authors.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+header:
+  license:
+    spdx-id: Apache-2.0
+    copyright-owner: KubeSphere Authors
+
+    content: |
+      Copyright 2022 The KubeSphere Authors.
+  
+      Licensed under the Apache License, Version 2.0 (the "License");
+      you may not use this file except in compliance with the License.
+      You may obtain a copy of the License at
+      
+          http://www.apache.org/licenses/LICENSE-2.0
+      
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+      See the License for the specific language governing permissions and
+      limitations under the License.
+
+
+  paths-ignore:
+    - 'api'
+    - 'build'
+    - 'docs'
+    - 'config'
+    - 'test'
+    - 'install'
+    - 'hack'
+    - 'vendor'
+    - 'staging'
+    - 'LICENSE'
+    - 'OWNERS'
+    - 'Makefile'
+    - 'pkg/client/**'
+    - 'pkg/simple/client/**'
+    - '**/*.md'
+    - '**/*.json'
+    - '**/go.mod'
+    - '**/go.sum'
+    - '.github/**'
+    - '.gitignore'
+    - '.gitattributes'
+    - 'pkg/controller/application/status.go'
+
+  comment: on-failure
--- a/148
+++ b/148
@@ -2,9 +2,16 @@
 # Use of this source code is governed by a Apache license
 # that can be found in the LICENSE file.

+
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:trivialVersions=true"

+GV="network:v1alpha1 servicemesh:v1alpha2 tenant:v1alpha1 tenant:v1alpha2 devops:v1alpha1 iam:v1alpha2 devops:v1alpha3 cluster:v1alpha1 storage:v1alpha1 auditing:v1alpha1 types:v1beta1 quota:v1alpha2 application:v1alpha1 notification:v2beta1 gateway:v1alpha1"
+MANIFESTS="application/* cluster/* iam/* network/v1alpha1 quota/* storage/* tenant/* gateway/*"
+
+# App Version
+APP_VERSION = v3.2.0
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -13,7 +20,10 @@ GOBIN=$(shell go env GOBIN)
 endif

 OUTPUT_DIR=bin
-GOFLAGS=-mod=vendor
+ifeq (${GOFLAGS},)
+	# go build with vendor by default.
+	export GOFLAGS=-mod=vendor
+endif
 define ALL_HELP_INFO
 # Build code.
 #
@@ -34,94 +44,118 @@ define ALL_HELP_INFO
 #           debugging tools like delve.
 endef
 .PHONY: all
-all: test ks-apiserver ks-controller-manager
+all: test ks-apiserver ks-controller-manager;$(info $(M)...Begin to test and build all of binary.) @ ## Test and build all of binary.
+
+help:
+	@grep -hE '^[ a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \
+		awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-17s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: binary
+# Build all of binary
+binary: | ks-apiserver ks-controller-manager; $(info $(M)...Build all of binary.) @ ## Build all of binary.

 # Build ks-apiserver binary
-ks-apiserver: fmt vet
-	hack/gobuild.sh cmd/ks-apiserver
+ks-apiserver: ; $(info $(M)...Begin to build ks-apiserver binary.)  @ ## Build ks-apiserver.
+	 hack/gobuild.sh cmd/ks-apiserver;

 # Build ks-controller-manager binary
-ks-controller-manager: fmt vet
+ks-controller-manager: ; $(info $(M)...Begin to build ks-controller-manager binary.)  @ ## Build ks-controller-manager.
 	hack/gobuild.sh cmd/controller-manager

+# Run all verify scripts hack/verify-*.sh
+verify-all: ; $(info $(M)...Begin to run all verify scripts hack/verify-*.sh.)  @ ## Run all verify scripts hack/verify-*.sh.
+	hack/verify-all.sh
+
 # Build e2e binary
-e2e: fmt vet
+e2e: ;$(info $(M)...Begin to build e2e binary.)  @ ## Build e2e binary.
 	hack/build_e2e.sh test/e2e

-# Run go fmt against code 
-fmt:
+kind-e2e: ;$(info $(M)...Run e2e test.) @ ## Run e2e test in kind.
+	hack/kind_e2e.sh
+
+# Run go fmt against code
+fmt: ;$(info $(M)...Begin to run go fmt against code.)  @ ## Run go fmt against code.
 	gofmt -w ./pkg ./cmd ./tools ./api

-goimports:
+# Format all import, `goimports` is required.
+goimports: ;$(info $(M)...Begin to Format all import.)  @ ## Format all import, `goimports` is required.
 	@hack/update-goimports.sh

 # Run go vet against code
-vet:
+vet: ;$(info $(M)...Begin to run go vet against code.)  @ ## Run go vet against code.
 	go vet ./pkg/... ./cmd/...

 # Generate manifests e.g. CRD, RBAC etc.
-manifests:
-	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=./pkg/apis/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds
+manifests: ;$(info $(M)...Begin to generate manifests e.g. CRD, RBAC etc..)  @ ## Generate manifests e.g. CRD, RBAC etc.
+	hack/generate_manifests.sh ${CRD_OPTIONS} ${MANIFESTS}

-deploy: manifests
+deploy: manifests ;$(info $(M)...Begin to deploy.)  @ ## Deploy.
 	kubectl apply -f config/crds
 	kustomize build config/default | kubectl apply -f -

-mockgen:
+mockgen: ;$(info $(M)...Begin to mockgen.)  @ ## Mockgen.
 	mockgen -package=openpitrix -source=pkg/simple/client/openpitrix/openpitrix.go -destination=pkg/simple/client/openpitrix/mock.go

-deepcopy:
-	GO111MODULE=on go install -mod=vendor k8s.io/code-generator/cmd/deepcopy-gen
-	${GOPATH}/bin/deepcopy-gen -i kubesphere.io/kubesphere/pkg/apis/... -h ./hack/boilerplate.go.txt -O zz_generated.deepcopy
+deepcopy: ;$(info $(M)...Begin to deepcopy.)  @ ## Deepcopy.
+	hack/generate_group.sh "deepcopy" kubesphere.io/api kubesphere.io/api ${GV} --output-base=staging/src/  -h "hack/boilerplate.go.txt"

-openapi:
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/tenant/v1alpha1 -p kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/servicemesh/v1alpha2 -p kubesphere.io/kubesphere/pkg/apis/servicemesh/v1alpha2 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/api/networking/v1,./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/k8s.io/apimachinery/pkg/util/intstr,./pkg/apis/network/v1alpha1 -p kubesphere.io/kubesphere/pkg/apis/network/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/devops/v1alpha1,./vendor/k8s.io/apimachinery/pkg/runtime,./vendor/k8s.io/api/core/v1 -p kubesphere.io/kubesphere/pkg/apis/devops/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/cluster/v1alpha1,./vendor/k8s.io/apimachinery/pkg/runtime,./vendor/k8s.io/api/core/v1 -p kubesphere.io/kubesphere/pkg/apis/cluster/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
-	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/devops/v1alpha3,./vendor/k8s.io/apimachinery/pkg/runtime -p kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
+openapi: ;$(info $(M)...Begin to openapi.)  @ ## Openapi.
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/tenant/v1alpha1 -p kubesphere.io/api/tenant/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/network/v1alpha1 -p kubesphere.io/api/network/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/servicemesh/v1alpha2 -p kubesphere.io/api/servicemesh/v1alpha2 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/api/networking/v1,./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/k8s.io/apimachinery/pkg/util/intstr,./vendor/kubesphere.io/api/network/v1alpha1 -p kubesphere.io/api/network/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/devops/v1alpha1,./vendor/k8s.io/apimachinery/pkg/runtime,./vendor/k8s.io/api/core/v1 -p kubesphere.io/api/devops/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/cluster/v1alpha1,./vendor/k8s.io/apimachinery/pkg/runtime,./vendor/k8s.io/api/core/v1 -p kubesphere.io/api/cluster/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/kubesphere.io/api/devops/v1alpha3,./vendor/k8s.io/apimachinery/pkg/runtime -p kubesphere.io/api/devops/v1alpha3 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list  --output-base=staging/src/
 	go run ./tools/cmd/crd-doc-gen/main.go
 	go run ./tools/cmd/doc-gen/main.go
-# Build the docker image
-docker-build: all
-	hack/docker_build.sh
-docker-build-no-test: ks-apiserver ks-controller-manager
+
+container: ;$(info $(M)...Begin to build the docker image.)  @ ## Build the docker image.
+	DRY_RUN=true hack/docker_build.sh
+
+container-push: ;$(info $(M)...Begin to build and push.)  @ ## Build and Push.
 	hack/docker_build.sh

+container-cross: ; $(info $(M)...Begin to build container images for multiple platforms.)  @ ## Build container images for multiple platforms. Currently, only linux/amd64,linux/arm64 are supported.
+	DRY_RUN=true hack/docker_build_multiarch.sh
+
+container-cross-push: ; $(info $(M)...Begin to build and push.)  @ ## Build and Push.
+	hack/docker_build_multiarch.sh
+
+helm-package: ; $(info $(M)...Begin to helm-package.)  @ ## Helm-package.
+	ls config/crds/ | xargs -i cp -r config/crds/{} config/ks-core/crds/
+	helm package config/ks-core --app-version=${APP_VERSION} --version=0.1.0 -d ./bin
+
+helm-deploy: ; $(info $(M)...Begin to helm-deploy.)  @ ## Helm-deploy.
+	ls config/crds/ | xargs -i cp -r config/crds/{} config/ks-core/crds/
+	- kubectl create ns kubesphere-controls-system
+	helm upgrade --install ks-core ./config/ks-core -n kubesphere-system --create-namespace
+	kubectl apply -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/roles/ks-core/prepare/files/ks-init/role-templates.yaml
+
+helm-uninstall: ; $(info $(M)...Begin to helm-uninstall.)  @ ## Helm-uninstall.
+	- kubectl delete ns kubesphere-controls-system
+	helm uninstall ks-core -n kubesphere-system
+	kubectl delete -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/roles/ks-core/prepare/files/ks-init/role-templates.yaml
+
 # Run tests
-test: fmt vet
-	export KUBEBUILDER_CONTROLPLANE_START_TIMEOUT=2m; go test ./pkg/... ./cmd/... -covermode=atomic -coverprofile=coverage.txt
+ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
+test: vet test-env ;$(info $(M)...Begin to run tests.)  @ ## Run tests.
+	export KUBEBUILDER_ASSETS=$(shell pwd)/testbin/bin; go test ./pkg/... ./cmd/... -covermode=atomic -coverprofile=coverage.txt
+	cd staging/src/kubesphere.io/api ; GOFLAGS="" go test ./...
+	cd staging/src/kubesphere.io/client-go ; GOFLAGS="" go test ./...
+
+.PHONY: test-env
+test-env: ;$(info $(M)...Begin to setup test env) @ ## Download unit test libraries e.g. kube-apiserver etcd.
+	@hack/setup-kubebuilder-env.sh

 .PHONY: clean
-clean:
+clean: ;$(info $(M)...Begin to clean.)  @ ## Clean.
 	-make -C ./pkg/version clean
 	@echo "ok"

-# find or download controller-gen
-# download controller-gen if necessary
-clientset: 
-	./hack/generate_client.sh
+clientset:  ;$(info $(M)...Begin to find or download controller-gen.)  @ ## Find or download controller-gen,download controller-gen if necessary.
+	./hack/generate_client.sh ${GV}

-
-# Currently in the upgrade phase of controller tools.
-# But the new controller tools are not compatible with the old version.
-# With these commands you may need to manually modify the generated code
-# So don't use it unless you know it very deeply
-internal-crds:
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/network/..." output:crd:artifacts:config=config/crd/bases
-
-internal-generate-apis: internal-controller-gen
-	$(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths=./pkg/apis/network/...
-
-internal-controller-gen:
-ifeq (, $(shell which controller-gen))
-	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.0-beta.4
-CONTROLLER_GEN=$(GOBIN)/controller-gen
-else
-CONTROLLER_GEN=$(shell which controller-gen)
-endif
-
-network-rbac:
-	$(CONTROLLER_GEN) paths=./pkg/controller/network/provider/ paths=./pkg/controller/network/ rbac:roleName=network-manager output:rbac:artifacts:config=kustomize/network/calico-k8s
-	$(CONTROLLER_GEN) paths=./pkg/controller/network/ rbac:roleName=network-manager output:rbac:artifacts:config=kustomize/network/calico-etcd
+# Fix invalid file's license.
+update-licenses: ;$(info $(M)...Begin to update licenses.)
+	@hack/update-licenses.sh
--- a/19
+++ b/19
@@ -1,6 +1,9 @@
 approvers:
    - zryfish #oncall
    - rayzhou2017
+    - wansir
+    - zheng1
+    - benjaminhuo

 reviewers:
    - rayzhou2017
@@ -8,16 +11,16 @@ reviewers:
    - benjaminhuo
    - calvinyv
    - FeynmanZhou
-    - huanggze
-    - huojiao2006
-    - Ma-Dan
-    - magicsong
    - pixiake
-    - runzexia
    - wansir
-    - wnxn
    - zheng1
-    - soulseen
-    - shaowenchen
    - stoneshi-yunify
    - linuxsuren
+    - RolandMa1986
+    - wanjunlei
+    - xyz-li
+    - junotx
+    - yuswift
+    - zhu733756
+    - JohnNiang
+    - dkeven
--- a/3
+++ b/3
@@ -1,3 +0,0 @@
-version: "1"
-domain: kubesphere.io
-repo: kubesphere.io/kubesphere
--- a/README.md
+++ b/README.md
@@ -1,11 +1,20 @@
-# KubeSphere Container Platform
+<p align="center">
+<a href="https://kubesphere.io/"><img src="docs/images/kubesphere-icon.gif" alt="banner" width="200px"></a>
+</p>

-[![License](http://img.shields.io/badge/license-apache%20v2-blue.svg)](https://github.com/KubeSphere/KubeSphere/blob/master/LICENSE)
-[![Build Status](https://travis-ci.org/kubesphere/kubesphere.svg?branch=master)](https://travis-ci.org/kubesphere/kubesphere)
-[![Go Report Card](https://goreportcard.com/badge/github.com/kubesphere/kubesphere)](https://goreportcard.com/report/github.com/kubesphere/kubesphere)
-[![KubeSphere release](https://img.shields.io/github/release/kubesphere/kubesphere.svg?color=release&label=release&logo=release&logoColor=release)](https://github.com/kubesphere/kubesphere/releases/tag/v3.0.0)
+<p align="center">
+<b>The container platform tailored for <i>Kubernetes multi-cloud, datacenter, and edge</i> management</b>
+</p>
+
+<p align=center>
+<a href="https://goreportcard.com/report/github.com/kubesphere/kubesphere"><img src="https://goreportcard.com/badge/github.com/kubesphere/kubesphere" alt="A+"></a>
+<a href="https://hub.docker.com/r/kubesphere/ks-installer"><img src="https://img.shields.io/docker/pulls/kubesphere/ks-installer"></a>
+<a href="https://github.com/search?q=user%3Akubesphere+user%3Akubesphere-sigs+label%3A%22good+first+issue%22+state%3Aopen&type=Issues&ref=advsearch&l=&l="><img src="https://img.shields.io/github/issues/badges/shields/good%20first%20issue" alt="good first"></a>
+<a href="https://twitter.com/intent/follow?screen_name=KubeSphere"><img src="https://img.shields.io/twitter/follow/KubeSphere?style=social" alt="follow on Twitter"></a>
+<a href="https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE"><img src="https://img.shields.io/badge/Slack-600%2B-blueviolet?logo=slack&amp;logoColor=white"></a>
+<a href="https://www.youtube.com/channel/UCyTdUQUYjf7XLjxECx63Hpw"><img src="https://img.shields.io/youtube/channel/subscribers/UCyTdUQUYjf7XLjxECx63Hpw?style=social"></a>
+</p>

-![logo](docs/images/kubesphere-logo.png)

 ----

@@ -13,7 +22,7 @@

 > English | [中文](README_zh.md)

-[KubeSphere](https://kubesphere.io/) is a **distributed operating system providing cloud native stack** with [Kubernetes](https://kubernetes.io) as its kernel, and aims to be plug-and-play architecture for third-party applications seamless integration to boost its ecosystem. KubeSphere is also a multi-tenant enterprise-grade container platform with full-stack automated IT operation and streamlined DevOps workflows. It provides developer-friendly wizard web UI, helping enterprises to build out a more robust and feature-rich platform, which includes most common functionalities needed for enterprise Kubernetes strategy, see [Feature List](#features) for details.
+[KubeSphere](https://kubesphere.io/) is a **distributed operating system for cloud-native application management**, using [Kubernetes](https://kubernetes.io) as its kernel. It provides a plug-and-play architecture, allowing third-party applications to be seamlessly integrated into its ecosystem. KubeSphere is also a multi-tenant container platform with full-stack automated IT operation and streamlined DevOps workflows. It provides developer-friendly wizard web UI, helping enterprises to build out a more robust and feature-rich platform, which includes most common functionalities needed for enterprise Kubernetes strategy, see [Feature List](#features) for details.

 The following screenshots give a close insight into KubeSphere. Please check [What is KubeSphere](https://kubesphere.io/docs/introduction/what-is-kubesphere/) for further information.

@@ -36,68 +45,128 @@ The following screenshots give a close insight into KubeSphere. Please check [Wh
  </tr>
 </table>

-## Demo Environment
+## Demo environment

-Using the account `demo1 / Demo123` to log in the [demo environment](https://demo.kubesphere.io/). Please note the account is granted view access. You can also have a quick view of [KubeSphere Demo Video](https://youtu.be/u5lQvhi_Xlc).
+🎮 Using the account `demo1 / Demo123` to log in the [demo environment](https://demo.kubesphere.io/). Please note the account is granted view access. 

-## Architecture
-
-KubeSphere uses a loosely-coupled architecture that separates the [frontend](https://github.com/kubesphere/console) from the [backend](https://github.com/kubesphere/kubesphere). External systems can access the components of the backend which are delivered as Docker containers through the REST APIs. See [Architecture](https://kubesphere.io/docs/introduction/architecture/) for details.
-
-![Architecture](docs/images/architecture.png)
+🖥 You can also have a quick view of [Demo video](https://youtu.be/YxZ1YUv0CYs).

 ## Features

-|Feature|Description|
-|---|---|
-| Provisioning Kubernetes Cluster|Support deploy Kubernetes on your infrastructure out of box, including online and air gapped installation|
-| Multi-cluster Management | Provide a centralized control plane to manage multiple Kubernetes Clusters, support application distribution across multiple clusters and cloud providers|
-| Kubernetes Resource Management | Provide web console for creating and managing Kubernetes resources, with powerful observability including monitoring, logging, events, alerting and notification |
-| DevOps System | Provide out-of-box CI/CD based on Jenkins, and offers automated workflow tools including binary-to-image (B2I) and source-to-image (S2I) |
-| Application Store | Provide application store for Helm-based applications, and offers application lifecycle management |
-| Service Mesh (Istio-based) | Provide fine-grained traffic management, observability and tracing for distributed microservice applications, provides visualization for traffic topology |
-| Rich Observability | Provide multi-dimensional monitoring metrics, and provides multi-tenant logging, events and [auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) management, support alerting and notification for both application and infrastructure |
-| Multi-tenant Management | Provide unified authentication with fine-grained roles and three-tier authorization system, supports AD/LDAP authentication |
-| Infrastructure Management | Support node management and monitoring, and supports adding new nodes for Kubernetes cluster |
-| Storage Support | Support GlusterFS, CephRBD, NFS, LocalPV (default), etc. open source storage solutions, provides CSI plugins to consume storage from cloud providers |
-| Network Support | Support Calico, Flannel, etc., provides [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) management, and load balancer plug-in [Porter](https://github.com/kubesphere/porter) for bare metal.|
-| GPU Support | Support add GPU node, support vGPU, enables running ML applications on Kubernetes, e.g. TensorFlow |
+<details>
+  <summary><b>🕸 Provisioning Kubernetes Cluster</b></summary>
+  Support deploy Kubernetes on any infrastructure, support online and air-gapped installation, <a href="https://kubesphere.io/docs/installing-on-linux/introduction/intro/">learn more</a>.
+  </details>

-Please see the [Feature and Benefits](https://kubesphere.io/docs/introduction/features/) for further information.
+<details>
+  <summary><b>🔗 Kubernetes Multi-cluster Management</b></summary>
+  Provide a centralized control plane to manage multiple Kubernetes clusters, support propagate an app to multiple K8s clusters across different cloud providers.
+  </details>
+
+<details>
+  <summary><b>🤖 Kubernetes DevOps</b></summary>
+  Provide out-of-box CI/CD based on Jenkins, and offers automated workflow tools including binary-to-image (B2I) and source-to-image (S2I), <a href="https://kubesphere.io/devops/">learn more</a>.
+  </details>
+
+<details>
+  <summary><b>🔎 Cloud Native Observability</b></summary>
+  Multi-dimensional monitoring, events and auditing logs are supported; multi-tenant log query and collection, alerting and notification are built-in, <a href="https://kubesphere.io/observability/">learn more</a>.
+  </details>
+
+<details>
+  <summary><b>🧩 Service Mesh (Istio-based)</b></summary>
+  Provide fine-grained traffic management, observability and tracing for distributed microservice applications, provides visualization for traffic topology, <a href="https://kubesphere.io/service-mesh/">learn more</a>.
+  </details>
+
+<details>
+  <summary><b>💻 App Store</b></summary>
+  Provide an App Store for Helm-based applications, and offer application lifecycle management on Kubernetes platform, <a href="https://kubesphere.io/docs/pluggable-components/app-store/">learn more</a>.
+  </details>
+
+<details>
+  <summary><b>💡 Edge Computing Platform</b></summary>
+  KubeSphere integrates <a href="https://kubeedge.io/en/">KubeEdge</a> to enable users to deploy applications on the edge devices and view logs and monitoring metrics of them on the console, <a href="https://kubesphere.io/docs/pluggable-components/kubeedge/">learn more</a>.
+  </details>
+
+<details>
+  <summary><b>📊 Metering and Billing</b></summary>
+  Track resource consumption at different levels on a unified dashboard, which helps you make better-informed decisions on planning and reduce the cost, <a href="https://kubesphere.io/docs/toolbox/metering-and-billing/view-resource-consumption/">learn more</a>.
+  </details>
+
+<details>
+  <summary><b>🗃 Support Multiple Storage and Networking Solutions</b></summary>
+  <li>Support GlusterFS, CephRBD, NFS, LocalPV solutions, and provide CSI plugins to consume storage from multiple cloud providers.</li><li>Provide Load Balancer Implementation <a href="https://github.com/kubesphere/openelb">OpenELB</a> for Kubernetes in bare-metal, edge, and virtualization.</li><li> Provides network policy and Pod IP pools management, support Calico, Flannel, Kube-OVN</li>.</li>.
+  </details>
+
+<details>
+  <summary><b>🏘 Multi-tenancy</b></summary>
+  Provide unified authentication with fine-grained roles and three-tier authorization system, and support AD/LDAP authentication.
+  </details>
+
+<details>
+  <summary><b>🧠 GPU Workloads Scheduling and Monitoring</b></summary>
+  Create GPU workloads on the GUI, schedule GPU resources, and manage GPU resource quotas by tenant.
+  </details>
+
+
+## Architecture
+
+KubeSphere uses a loosely-coupled architecture that separates the [frontend](https://github.com/kubesphere/console) from the [backend](https://github.com/kubesphere/kubesphere). External systems can access the components of the backend through the REST APIs. 
+
+![Architecture](docs/images/architecture.png)

 ----

-## Latest Release
-
-KubeSphere 3.0.0 is now generally available! See the [Release Notes For 3.0.0](https://kubesphere.io/docs/release/release-v300/) for the updates.
+## Latest release

+🎉 KubeSphere 3.2.1 was released on Dec 20! It brought enhancements and better user experience, see the [Release Notes For 3.2.1](https://kubesphere.io/docs/release/release-v321/) for the updates.
 ## Installation

-KubeSphere can run anywhere from on-premise datacenter to any cloud to edge. In addition, it can be deployed on any version-compatible running Kubernetes cluster.
+KubeSphere can run anywhere from on-premise datacenter to any cloud to edge. In addition, it can be deployed on any version-compatible Kubernetes cluster. The installer will start a minimal installation by default, you can [enable other pluggable components before or after installation](https://kubesphere.io/docs/quick-start/enable-pluggable-components/).
+### Quick start
+#### Installing on K8s/K3s

-### QuickStarts
+If your cluster meets the [prerequisites](https://kubesphere.io/docs/quick-start/minimal-kubesphere-on-k8s/#prerequisites), then run the following commands to install KubeSphere on an exiting Kubernetes cluster:

-[Quickstarts](https://kubesphere.io/docs/quick-start/) include six hands-on lab exercises that help you quickly get started with KubeSphere.
+```yaml
+kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.2.1/kubesphere-installer.yaml
+   
+kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.2.1/cluster-configuration.yaml
+```
+#### All-in-one

-### Installing on Existing Kubernetes Cluster
+👨‍💻 No Kubernetes? You can use [KubeKey](https://github.com/kubesphere/kubekey) to install both KubeSphere and Kubernetes/K3s in single-node mode on your Linux machine. Let's take K3s as an example:

- [Installing KubeSphere on Amazon EKS](https://v3-0.docs.kubesphere.io/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-eks/)
- [Installing KubeSphere on Azure AKS](https://v3-0.docs.kubesphere.io/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-aks/)
- [Installing KubeSphere on Google GKE](https://v3-0.docs.kubesphere.io/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-gke/)
- [Installing KubeSphere on DigitalOcean Kubernetes](https://v3-0.docs.kubesphere.io/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-do/)
- [Installing KubeSphere on Oracle OKE](https://v3-0.docs.kubesphere.io/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-oke/)
- [Installing KubeSphere on Tencent TKE](https://v3-0.docs.kubesphere.io/docs/installing-on-kubernetes/hosted-kubernetes/install-ks-on-tencent-tke/)
- [Installing KubeSphere on Huaweicloud CCE](https://v3-0.docs.kubesphere.io/docs/installing-on-kubernetes/hosted-kubernetes/install-ks-on-huawei-cce/)
+```yaml
+# Download KubeKey
+curl -sfL https://get-kk.kubesphere.io | VERSION=v2.0.0 sh -
+# Make kk executable
+chmod +x kk
+# Create a cluster
+./kk create cluster --with-kubernetes v1.21.4-k3s --with-kubesphere v3.2.1
+```

-### Installing on Linux
+You can run the following command to view the installation logs. After KubeSphere is successfully installed, you can access the KubeSphere web console at `http://IP:30880` and log in using the default administrator account (admin/P@88w0rd).

- [Installing KubeSphere on Azure VM](https://v3-0.docs.kubesphere.io/docs/installing-on-linux/public-cloud/install-ks-on-azure-vms/)
- [Installing KubeSphere on VMware vSphere](https://v3-0.docs.kubesphere.io/docs/installing-on-linux/on-premises/install-kubesphere-on-vmware-vsphere/)
- [Installing KubeSphere on QingCloud Instance](https://v3-0.docs.kubesphere.io/docs/installing-on-linux/public-cloud/kubesphere-on-qingcloud-instance/)
- [Installing on Alibaba Cloud ECS](https://v3-0.docs.kubesphere.io/docs/installing-on-linux/public-cloud/install-kubesphere-on-ali-ecs/)
- [Installing on Huaweicloud VM](https://v3-0.docs.kubesphere.io/docs/installing-on-linux/public-cloud/install-ks-on-huaweicloud-ecs/)
+```yaml
+kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l app=ks-install -o jsonpath='{.items[0].metadata.name}') -f
+``` 
+### 🐯 Katacoda for quick learning

-## Contributing, Support, Discussion, and Community
+[Katacoda](https://www.katacoda.com/) allows you to explore how to install KubeSphere on an existing Kubernetes cluster in a browser. You can start the [Katacoda scenario with KubeSphere](https://www.katacoda.com/kubesphere/scenarios/install-kubesphere-on-kubernetes) in minutes.
+### KubeSphere for hosted Kubernetes services
+
+KubeSphere is hosted on the following cloud providers, you can try KubeSphere by one-click installation on their hosted Kubernetes services. 
+
+- [KubeSphere for Amazon EKS](https://aws.amazon.com/quickstart/architecture/qingcloud-kubesphere/)
+- [KubeSphere for Azure AKS](https://market.azure.cn/marketplace/apps/qingcloud.kubesphere)
+- [KubeSphere for DigitalOcean Kubernetes](https://marketplace.digitalocean.com/apps/kubesphere)
+- [KubeSphere on QingCloud AppCenter(QKE)](https://www.qingcloud.com/products/kubesphereqke)
+
+You can also install KubeSphere on other hosted Kubernetes services within minutes, see the [step-by-step guides](https://kubesphere.io/docs/installing-on-kubernetes/) to get started.
+
+> 👨‍💻 No internet access? Refer to the [Air-gapped Installation on Kubernetes](https://kubesphere.io/docs/installing-on-kubernetes/on-prem-kubernetes/install-ks-on-linux-airgapped/) or [Air-gapped Installation on Linux](https://kubesphere.io/docs/installing-on-linux/introduction/air-gapped-installation/) for instructions on how to use private registry to install KubeSphere.
+## Contributing, support, discussion, and community

 We :heart: your contribution. The [community](https://github.com/kubesphere/community) walks you through how to get started contributing KubeSphere. The [development guide](https://github.com/kubesphere/community/tree/master/developer-guide/development) explains how to set up development environment.

@@ -106,18 +175,16 @@ We :heart: your contribution. The [community](https://github.com/kubesphere/comm
 - [Follow us on Twitter](https://twitter.com/KubeSphere)

 Please submit any KubeSphere bugs, issues, and feature requests to [KubeSphere GitHub Issue](https://github.com/kubesphere/kubesphere/issues).
-
 ## Who are using KubeSphere

-The [user case studies](https://kubesphere.io/case/) page includes the user list of the project. You can [submit a PR](https://github.com/kubesphere/kubesphere/blob/master/docs/powered-by-kubesphere.md) to add your institution name and homepage if you are using KubeSphere.
-
+The [user case studies](https://kubesphere.io/case/) page includes the user list of the project. You can [leave a comment](https://github.com/kubesphere/kubesphere/issues/4123) to let us know your use case.
 ## Landscapes

 <p align="center">
 <br/><br/>
-<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;<img src="https://www.cncf.io/wp-content/uploads/2017/11/certified_kubernetes_color.png" height="40" width="30"/>
+<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;
 <br/><br/>
 KubeSphere is a member of CNCF and a <a href="https://www.cncf.io/certification/software-conformance/#logos">Kubernetes Conformance Certified platform
-</a>, which enriches the <a href="https://landscape.cncf.io/landscape=observability-and-analysis&license=apache-license-2-0">CNCF CLOUD NATIVE Landscape.
+</a>, which enriches the <a href="https://landscape.cncf.io/?landscape=observability-and-analysis&license=apache-license-2-0">CNCF CLOUD NATIVE Landscape.
 </a>
 </p>
--- a/README_zh.md
+++ b/README_zh.md
@@ -1,10 +1,20 @@
-# KubeSphere 容器平台
+<p align="center">
+<a href="https://kubesphere.com.cn/"><img src="docs/images/kubesphere-icon.gif" alt="banner" width="200px"></a>
+</p>

-[![License](http://img.shields.io/badge/license-apache%20v2-blue.svg)](https://github.com/KubeSphere/KubeSphere/blob/master/LICENSE)
-[![Build Status](https://travis-ci.org/kubesphere/kubesphere.svg?branch=master)](https://travis-ci.org/kubesphere/kubesphere)
-[![KubeSphere release](https://img.shields.io/github/release/kubesphere/kubesphere.svg?color=release&label=release&logo=release&logoColor=release)](https://github.com/kubesphere/kubesphere/releases/tag/v3.0.0)
+<p align="center">
+<b>适用于<i> Kubernetes 多云、数据中心和边缘 </i>管理的容器平台</b>
+</p>
+
+<p align=center>
+<a href="https://goreportcard.com/report/github.com/kubesphere/kubesphere"><img src="https://goreportcard.com/badge/github.com/kubesphere/kubesphere" alt="A+"></a>
+<a href="https://hub.docker.com/r/kubesphere/ks-installer"><img src="https://img.shields.io/docker/pulls/kubesphere/ks-installer"></a>
+<a href="https://github.com/search?q=user%3Akubesphere+user%3Akubesphere-sigs+label%3A%22good+first+issue%22+state%3Aopen&type=Issues&ref=advsearch&l=&l="><img src="https://img.shields.io/github/issues/badges/shields/good%20first%20issue" alt="good first"></a>
+<a href="https://twitter.com/intent/follow?screen_name=KubeSphere"><img src="https://img.shields.io/twitter/follow/KubeSphere?style=social" alt="follow on Twitter"></a>
+<a href="https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE"><img src="https://img.shields.io/badge/Slack-600%2B-blueviolet?logo=slack&amp;logoColor=white"></a>
+<a href="https://www.youtube.com/channel/UCyTdUQUYjf7XLjxECx63Hpw"><img src="https://img.shields.io/youtube/channel/subscribers/UCyTdUQUYjf7XLjxECx63Hpw?style=social"></a>
+</p>

-![logo](docs/images/kubesphere-logo.png)

 ----

@@ -12,9 +22,9 @@

 > [English](README.md) | 中文

-[KubeSphere](https://kubesphere.com.cn) 是在 [Kubernetes](https://kubernetes.io) 之上构建的面向云原生应用的 **容器混合云**，支持多云与多集群管理，提供全栈的 IT 自动化运维的能力，简化企业的 DevOps 工作流。KubeSphere 提供了运维友好的向导式操作界面，帮助企业快速构建一个强大和功能丰富的容器云平台。KubeSphere 愿景是打造一个基于 Kubernetes 的云原生分布式操作系统，它的架构可以很方便地与云原生生态进行即插即用（plug-and-play）的集成。
+[KubeSphere](https://kubesphere.io/zh/) 愿景是打造一个以 [Kubernetes](https://kubernetes.io/zh/) 为内核的 **云原生分布式操作系统**，它的架构可以非常方便地使第三方应用与云原生生态组件进行即插即用（plug-and-play）的集成，支持云原生应用在多云与多集群的统一分发和运维管理。 KubeSphere 也是一个多租户容器平台，提供全栈的 IT 自动化运维的能力，简化企业的 DevOps 工作流。KubeSphere 提供了运维友好的向导式操作界面，帮助企业快速构建一个强大和功能丰富的容器云平台，详情请参阅 [平台功能](#平台功能) 。

-KubeSphere 目前最新的版本为 3.0.0，所有版本 100% 开源，关于 KubeSphere 更详细的介绍与说明请参阅 [什么是 KubeSphere](https://kubesphere.com.cn/docs/zh-CN/introduction/what-is-kubesphere/)。
+下面的屏幕截图让我们进一步了解 KubeSphere，关于 KubeSphere 更详细的介绍与说明请参阅 [什么是 KubeSphere](https://kubesphere.io/zh/docs/introduction/what-is-kubesphere/) 。

 <table>
  <tr>
@@ -35,89 +45,150 @@ KubeSphere 目前最新的版本为 3.0.0，所有版本 100% 开源，关于 Ku
  </tr>
 </table>

-## 快速体验
+## Demo 环境

-使用体验账号 `demo1 / Demo123` 登录 [Demo 环境](https://demo.kubesphere.io/)，该账号仅授予了 view 权限，建议自行安装体验完整的管理功能。您还可以访问 Youtube 查看 [KubeSphere Demo 视频](https://youtu.be/u5lQvhi_Xlc)。
+🎮 使用账号 `demo1 / Demo123` 登录 [Demo 环境](https://demo.kubesphere.io/) 。请注意，该帐户仅授予了 view 权限。

-## 架构
+🖥 您还可以快速查看[Demo 视频](https://youtu.be/YxZ1YUv0CYs) 。

-KubeSphere 采用了前后端分离的架构设计，后端的各个功能组件可通过 REST API 对接外部系统，详见 [架构说明](https://kubesphere.com.cn/docs/zh-CN/introduction/architecture/)。本仓库仅包含后端代码，前端代码参考 [Console 项目](https://github.com/kubesphere/console)。
+## 平台功能
+
+<details>
+  <summary><b>🕸 部署 Kubernetes 集群</b></summary>
+  支持在任何基础设施上部署 Kubernetes，支持在线安装和离线安装，<a href="https://kubesphere.io/zh/docs/installing-on-linux/introduction/intro/">了解更多</a>。
+  </details>
+
+<details>
+  <summary><b>🔗 Kubernetes 多集群管理</b></summary>
+  提供集中控制平台来管理多个 Kubernetes 集群，支持将应用程序发布到跨不同云供应商的多个 k8s 集群上。
+  </details>
+
+<details>
+  <summary><b>🤖 Kubernetes DevOps</b></summary>
+  提供开箱即用的基于 Jenkins 的 CI/CD，并内置自动化流水线插件，包括 Binary-to-Image (B2I) 和 Source-to-Image (S2I)，<a href="https://kubesphere.io/zh/devops/">了解更多</a>。
+  </details>
+
+<details>
+  <summary><b>🔎 云原生可观测性</b></summary>
+  支持多维度监控、事件和审计日志；内置多租户日志查询和收集，告警和通知，<a href="https://kubesphere.io/zh/observability/">了解更多</a>。
+  </details>
+
+<details>
+  <summary><b>🧩 基于 Istio 的微服务治理</b></summary>
+  为分布式微服务应用程序提供细粒度的流量管理、可观测性和服务跟踪，支持可视化的流量拓扑，<a href="https://kubesphere.io/zh/service-mesh/">了解更多</a>。
+  </details>
+
+<details>
+  <summary><b>💻 应用商店</b></summary>
+  为基于 Helm 的应用程序提供应用商店，并在 Kubernetes 平台上提供应用程序生命周期管理功能，<a href="https://kubesphere.io/zh/docs/pluggable-components/app-store/">了解更多</a>。
+  </details>
+
+<details>
+  <summary><b>💡 Kubernetes 边缘节点管理</b></summary>
+  基于 <a href="https://kubeedge.io/zh/">KubeEdge</a> 实现应用与工作负载在云端与边缘节点的统一分发与管理，解决在海量边、端设备上完成应用交付、运维、管控的需求，<a href= "https://kubesphere.io/zh/docs/pluggable-components/kubeedge/">了解更多</a>。
+  </details>
+
+<details>
+  <summary><b>📊 多维度计量与计费</b></summary>
+  提供基于集群与租户的多维度资源计量与计费的监控报表，让 Kubernetes 运营成本更透明，<a href="https://kubesphere.io/zh/docs/toolbox/metering-and-billing/view-resource-consumption/">了解更多</a>。
+  </details>
+
+<details>
+  <summary><b>🗃 支持多种存储和网络解决方案</b></summary>
+  <li>支持 GlusterFS、CephRBD、NFS、LocalPV ，并提供多个 CSI 插件对接公有云与企业级存储。</li><li>提供 Kubernetes 在裸机、边缘和虚拟化中的负载均衡器实现 <a href="https://github.com/kubesphere/openelb">OpenELB</a> 。</li><li>提供网络策略和容器组 IP 池管理，支持 Calico、Flannel、Kube-OVN。</li>
+  </details>
+
+<details>
+  <summary><b>🏘 多租户与统一鉴权认证</b></summary>
+  提供统一的认证鉴权与细粒度的基于角色的授权系统，支持对接 AD/LDAP 。
+  </details>
+
+<details>
+  <summary><b>🧠 GPU 工作负载调度与监控</b></summary>
+  支持可视化创建 GPU 工作负载，支持 GPU 监控，同时还支持对 GPU 资源进行租户级配额管理。
+  </details>
+
+## 架构说明
+
+KubeSphere 使用前后端分离的架构，将 [前端](https://github.com/kubesphere/console) 与 [后端](https://github.com/kubesphere/kubesphere) 分开。后端的各个功能组件可通过 REST API 对接外部系统。

 ![Architecture](docs/images/architecture.png)

-## 核心功能
-
-|功能 |介绍 |
-| --- | ---|
-|多云与多集群管理|提供多云与多集群的中央管理面板，支持集群导入，支持应用在多云与多集群一键分发|
-| Kubernetes 集群搭建与运维 | 支持在线 & 离线安装、升级与扩容 K8s 集群，支持安装 “云原生全家桶” |
-| Kubernetes 资源可视化管理 | 可视化纳管原生 Kubernetes 资源，支持向导式创建与管理 K8s 资源 |
-| 基于 Jenkins 的 DevOps 系统 | 支持图形化与脚本两种方式构建 CI/CD 流水线，内置 Source to Image（S2I）和 Binary to Image（B2I）等 CD 工具 |
-| 应用商店与应用生命周期管理 | 提供应用商店，内置 Redis、MySQL 等 15 个常用应用，支持应用的生命周期管理 |
-| 基于 Istio 的微服务治理 (Service Mesh) | 提供可视化无代码侵入的 **灰度发布、熔断、流量治理与流量拓扑、分布式 Tracing** |
-| 多租户管理 | 提供基于角色的细粒度多租户统一认证，支持 **对接企业 LDAP/AD**，提供多层级的权限管理 |
-| 丰富的可观察性功能 | 提供集群/工作负载/Pod/容器等多维度的监控，提供基于多租户的日志查询与日志收集，支持节点与应用层级的告警与通知 |
-|基础设施管理|支持 Kubernetes 节点管理，支持节点扩容与集群升级，提供基于节点的多项监控指标与告警规则 |
-| 存储管理 | 支持对接 Ceph、GlusterFS、NFS、Local PV，支持可视化运维管理 PVC、StorageClass，提供 CSI 插件对接云平台存储 |
-| 网络管理 | 提供租户网络隔离与 K8s [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) 管理，支持 Calico、Flannel，提供 [Porter LB](https://github.com/kubesphere/porter) 用于暴露物理环境 K8s 集群的 LoadBalancer 服务 |
-| GPU support | 集群支持添加 GPU 与 vGPU，可运行 TensorFlow 等 ML 框架 |
-
-以上功能说明详见 [产品功能](https://kubesphere.com.cn/docs/zh-CN/introduction/features/)。
-
 ----

-## 最新发布
+## 最新版本

-KubeSphere 3.0.0 已于 2020 年 8 月 31 日正式 GA！点击 [Release Notes For 3.0.0](https://kubesphere.com.cn/docs/release/release-v300/) 查看 3.0.0 版本的更新详情。
-
-## 安装 3.0.0
+🎉 KubeSphere 3.2.1 全新发布！！多项功能优化，带来更好的用户体验，详见 [v3.2.1 发行记录](https://kubesphere.com.cn/docs/release/release-v321/) 。
+## 安装

+KubeSphere 支持在任意平台运行，从本地数据中心到混合多云再走向边缘。此外，KubeSphere 可以部署在任何版本兼容的 Kubernetes 集群上。Installer 默认将执行最小化安装，您可以在安装前或安装后自定义[安装可插拔功能组件](https://kubesphere.com.cn/docs/quick-start/enable-pluggable-components/)。
 ### 快速入门
+#### 在 K8s/K3s 上安装

-[快速入门系列](https://kubesphere.com.cn/docs/quick-start/) 提供了快速安装与入门示例，供初次安装体验参考。
+请确保您的集群满足安装的[前提条件](https://kubesphere.io/zh/docs/quick-start/minimal-kubesphere-on-k8s/)，运行以下命令以在现有 Kubernetes 集群上安装 KubeSphere：

-### 在已有 Kubernetes 之上安装 KubeSphere
+```yaml
+kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.2.1/kubesphere-installer.yaml
+   
+kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.2.1/cluster-configuration.yaml
+```
+#### All-in-one（Linux 单节点安装）

- [基于 Kubernetes 的安装介绍](https://kubesphere.com.cn/docs/installing-on-kubernetes/introduction/overview/)
- [在阿里云 ACK 安装 KubeSphere](https://kubesphere.com.cn/forum/d/1745-kubesphere-v3-0-0-dev-on-ack)
- [在腾讯云 TKE 安装 KubeSphere](https://kubesphere.com.cn/docs/installing-on-kubernetes/hosted-kubernetes/install-ks-on-tencent-tke/)
- [在华为云 CCE 安装 KubeSphere](https://kubesphere.com.cn/docs/installing-on-kubernetes/hosted-kubernetes/install-ks-on-huawei-cce/)
- [在 AWS EKS 安装 KubeSphere](https://kubesphere.com.cn/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-eks/)
- [在 Google GKE 安装 KubeSphere](https://kubesphere.com.cn/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-gke/)
- [在 Azure AKS 安装 KubeSphere](https://kubesphere.com.cn/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-aks/)
- [在 DigitalOcean 安装 KubeSphere](https://kubesphere.com.cn/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-do/)
- [在 Oracle OKE 安装 KubeSphere](https://kubesphere.com.cn/docs/installing-on-kubernetes/hosted-kubernetes/install-kubesphere-on-oke/)
+👨‍💻 没有 Kubernetes 集群? 可以用 [KubeKey](https://github.com/kubesphere/kubekey) 在 Linux 环境以 All-in-one 快速安装单节点 K8s/K3s 和 KubeSphere，下面以 K3s 为例：

-### 基于 Linux 安装 KubeSphere
+```yaml
+# 下载 KubeKey
+curl -sfL https://get-kk.kubesphere.io | VERSION=v1.2.0 sh -
+# 为 kk 赋予可执行权限
+chmod +x kk
+# 创建集群
+./kk create cluster --with-kubernetes v1.21.4-k3s --with-kubesphere v3.2.1
+```

- [多节点安装介绍（以三节点为例）](https://kubesphere.com.cn/docs/installing-on-linux/introduction/multioverview/)
- [在 VMware vSphere 安装高可用集群](https://kubesphere.com.cn/docs/installing-on-linux/on-premises/install-kubesphere-on-vmware-vsphere/)
- [在青云QingCloud 安装高可用集群](https://kubesphere.com.cn/docs/installing-on-linux/public-cloud/kubesphere-on-qingcloud-instance/)
- [在阿里云 ECS 部署高可用集群](https://kubesphere.com.cn/docs/installing-on-linux/public-cloud/install-kubesphere-on-ali-ecs/)
+可使用以下命令查看安装日志。如果安装成功，可使用 `http://IP:30880` 访问 KubeSphere Console，管理员登录帐密为 `admin/P@88w0rd`。

- [在华为云 VM 部署高可用集群](https://kubesphere.com.cn/docs/installing-on-linux/public-cloud/install-kubesphere-on-huaweicloud-ecs/)
- [在 Azure VM 安装高可用集群](https://kubesphere.com.cn/docs/installing-on-linux/public-cloud/install-kubesphere-on-azure-vms/)
+```yaml
+kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l app=ks-install -o jsonpath='{.items[0].metadata.name}') -f
+``` 
+### 🐯 使用 Katacoda 在线安装体验 KubeSphere

-## 技术社区
+[Katacoda](https://www.katacoda.com/) 是一个在线的云原生技术学习实验平台，你可以使用它在浏览器中快速 [安装体验 KubeSphere](https://www.katacoda.com/kubesphere/scenarios/install-kubesphere-on-kubernetes) 。
+### 在托管 Kubernetes 上部署 KubeSphere

-[KubeSphere 社区](https://github.com/kubesphere/community) 包含所有社区的信息，包括如何开发，兴趣小组(SIG)等。比如[开发指南](https://github.com/kubesphere/community/tree/master/developer-guide/development) 详细说明了如何从源码编译、KubeSphere 的 GitHub 工作流、如何贡献代码以及如何测试等。
+KubeSphere 托管在以下云供应商上，您可以通过在其托管的 Kubernetes 服务上一键安装来部署 KubeSphere。
+
+- [在 Amazon EKS 上部署 KubeSphere](https://aws.amazon.com/quickstart/architecture/qingcloud-kubesphere/)
+- [在 Azure AKS 上部署 KubeSphere](https://market.azure.cn/marketplace/apps/qingcloud.kubesphere)
+- [在 DigitalOcean 上部署 KubeSphere](https://marketplace.digitalocean.com/apps/kubesphere)
+- [在青云QingCloud QKE 上部署 KubeSphere](https://www.qingcloud.com/products/kubesphereqke)
+
+您还可以在几分钟内在其他托管的 Kubernetes 服务上安装 KubeSphere，请参阅 [官方文档](https://kubesphere.io/zh/docs/installing-on-kubernetes/) 以开始使用。
+
+> 👨‍💻 不能访问网络？参考 [在Kubernetes上离线安装](https://kubesphere.io/zh/docs/installing-on-kubernetes/on-prem-kubernetes/install-ks-on-linux-airgapped/) 或者 [在 Linux 上离线安装](https://kubesphere.io/zh/docs/installing-on-linux/introduction/air-gapped-installation/) 了解如何使用私有仓库来安装 KubeSphere。
+
+## 贡献、支持、讨论和社区
+
+我们 :heart: 您的贡献。[社区](https://github.com/kubesphere/community) 将引导您了解如何开始贡献 KubeSphere。[开发指南](https://github.com/kubesphere/community/tree/master/developer-guide/development) 说明了如何安装开发环境。

 - [中文论坛](https://kubesphere.com.cn/forum/)
- [Slack Channel](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE)
 - [社区微信群（见官网底部）](https://kubesphere.com.cn/)
- [Bug 与建议反馈（GitHub Issue）](https://github.com/kubesphere/kubesphere/issues)
+- [Slack Channel](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE)
+- [Bilibili](https://space.bilibili.com/438908638)
+- [在推特上关注我们](https://twitter.com/KubeSphere)
+
+请将任何 KubeSphere 的 Bug、问题和需求提交到 [KubeSphere GitHub Issue](https://github.com/kubesphere/kubesphere/issues) 。

 ## 谁在使用 KubeSphere

-[Powered by KubeSphere](https://kubesphere.com.cn/case/) 列出了哪些企业在使用 KubeSphere，如果您所在的企业已安装使用了 KubeSphere，欢迎[提交 PR](https://github.com/kubesphere/kubesphere/blob/master/docs/powered-by-kubesphere.md)。
+[用户案例学习](https://kubesphere.com.cn/case/) 列出了哪些企业在使用 KubeSphere。欢迎 [发表评论](https://github.com/kubesphere/kubesphere/issues/4123) 来分享您的使用案例。

 ## Landscapes

 <p align="center">
 <br/><br/>
-<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;<img src="https://www.cncf.io/wp-content/uploads/2017/11/certified_kubernetes_color.png" height="40" width="30"/>
+<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;
 <br/><br/>
 KubeSphere 是 CNCF 基金会成员并且通过了 <a href="https://www.cncf.io/certification/software-conformance/#logos">Kubernetes 一致性认证
-</a>，进一步丰富了 <a href="https://landscape.cncf.io/landscape=observability-and-analysis&license=apache-license-2-0">CNCF 云原生的生态。
+</a>，进一步丰富了 <a href="https://landscape.cncf.io/?landscape=observability-and-analysis&license=apache-license-2-0">CNCF 云原生的生态。
 </a>
 </p>
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,50 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.2.x   | :white_check_mark: |
+| 3.1.x   | :white_check_mark: |
+| 3.0.x   | :white_check_mark: |
+| 2.1.x   | :white_check_mark: |
+| < 2.1.x   | :x:                |
+
+## Reporting a Vulnerability
+
+# Security Vulnerability Disclosure and Response Process
+
+To ensure KubeSphere security, a security vulnerability disclosure and response process is adopted. And the security team is set up in KubeSphere community, also any issue and PR is welcome for every contributors.
+
+The primary goal of this process is to reduce the total exposure time of users to publicly known vulnerabilities. To quickly fix vulnerabilities of KubeSphere, the security team is responsible for the entire vulnerability management process, including internal communication and external disclosure.
+
+If you find a vulnerability or encounter a security incident involving vulnerabilities of KubeSphere, please report it as soon as possible to the KubeSphere security team (security@kubesphere.io).
+
+Please kindly help provide as much vulnerability information as possible in the following format:
+
+- Issue title(Please add 'Security' lable)*:
+
+- Overview*:
+
+- Affected components and version number*:
+
+- CVE number (if any):
+
+- Vulnerability verification process*:
+
+- Contact information*:
+
+The asterisk (*) indicates the required field.
+
+# Response Time
+
+The KubeSphere security team will confirm the vulnerabilities and contact you within 2 working days after your submission.
+
+We will publicly thank you after fixing the security vulnerability. To avoid negative impact, please keep the vulnerability confidential until we fix it. We would appreciate it if you could obey the following code of conduct:
+
+The vulnerability will not be disclosed until KubeSphere releases a patch for it.
+
+The details of the vulnerability, for example, exploits code, will not be disclosed.
--- a/api/api-rules/violation_exceptions.list
+++ b/api/api-rules/violation_exceptions.list
@@ -1,6 +1,3 @@
-API rule violation: list_type_missing,./pkg/apis/devops/v1alpha3,DevOpsProjectList,Items
-API rule violation: list_type_missing,./pkg/apis/devops/v1alpha3,NoScmPipeline,Parameters
-API rule violation: list_type_missing,./pkg/apis/devops/v1alpha3,PipelineList,Items
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroup,ServerAddressByClientCIDRs
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroup,Versions
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroupList,Groups
@@ -9,16 +6,15 @@ API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIRe
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIVersions,ServerAddressByClientCIDRs
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIVersions,Versions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ApplyOptions,DryRun
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,CreateOptions,DryRun
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,DeleteOptions,DryRun
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,FieldsV1,Raw
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,LabelSelector,MatchExpressions
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,LabelSelectorRequirement,Values
-API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,List,Items
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,Finalizers
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,ManagedFields
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,OwnerReferences
-API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,PartialObjectMetadataList,Items
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,PatchOptions,DryRun
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,RootPaths,Paths
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,StatusDetails,Causes
@@ -29,63 +25,7 @@ API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,Table
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,UpdateOptions,DryRun
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/runtime,RawExtension,Raw
 API rule violation: list_type_missing,k8s.io/apimachinery/pkg/runtime,Unknown,Raw
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,BitbucketServerSource,ApiUri
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,BitbucketServerSource,CloneOption
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,BitbucketServerSource,CredentialId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,BitbucketServerSource,DiscoverBranches
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,BitbucketServerSource,DiscoverPRFromForks
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,BitbucketServerSource,DiscoverPRFromOrigin
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,BitbucketServerSource,DiscoverTags
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,BitbucketServerSource,RegexFilter
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,BitbucketServerSource,ScmId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,DiscarderProperty,DaysToKeep
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,DiscarderProperty,NumToKeep
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitSource,CloneOption
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitSource,CredentialId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitSource,DiscoverBranches
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitSource,DiscoverTags
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitSource,RegexFilter
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitSource,ScmId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GithubSource,ApiUri
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GithubSource,CloneOption
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GithubSource,CredentialId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GithubSource,DiscoverBranches
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GithubSource,DiscoverPRFromForks
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GithubSource,DiscoverPRFromOrigin
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GithubSource,DiscoverTags
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GithubSource,RegexFilter
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GithubSource,ScmId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,ApiUri
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,CloneOption
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,CredentialId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,DiscoverBranches
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,DiscoverPRFromForks
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,DiscoverPRFromOrigin
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,DiscoverTags
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,RegexFilter
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,ScmId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,GitlabSource,ServerName
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchJobTrigger,CreateActionJobsToTrigger
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchJobTrigger,DeleteActionJobsToTrigger
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,BitbucketServerSource
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,GitHubSource
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,GitSource
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,GitlabSource
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,MultiBranchJobTrigger
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,ScriptPath
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,SingleSvnSource
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,SourceType
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,SvnSource
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,MultiBranchPipeline,TimerTrigger
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,NoScmPipeline,DisableConcurrent
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,NoScmPipeline,RemoteTrigger
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,NoScmPipeline,TimerTrigger
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,Parameter,DefaultValue
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,PipelineSpec,MultiBranchPipeline
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,SingleSvnSource,CredentialId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,SingleSvnSource,ScmId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,SvnSource,CredentialId
-API rule violation: names_match,./pkg/apis/devops/v1alpha3,SvnSource,ScmId
+API rule violation: list_type_missing,kubesphere.io/api/devops/v1alpha3,NoScmPipeline,Parameters
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
@@ -96,3 +36,60 @@ API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Time,Time
 API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentEncoding
 API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentType
 API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,Raw
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,ApiUri
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,CloneOption
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,DiscoverPRFromForks
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,DiscoverPRFromOrigin
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,DiscoverTags
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,RegexFilter
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,BitbucketServerSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,DiscarderProperty,DaysToKeep
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,DiscarderProperty,NumToKeep
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,CloneOption
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,DiscoverTags
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,RegexFilter
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,ApiUri
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,CloneOption
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,DiscoverPRFromForks
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,DiscoverPRFromOrigin
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,DiscoverTags
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,RegexFilter
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GithubSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,ApiUri
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,CloneOption
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,DiscoverPRFromForks
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,DiscoverPRFromOrigin
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,DiscoverTags
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,RegexFilter
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,GitlabSource,ServerName
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchJobTrigger,CreateActionJobsToTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchJobTrigger,DeleteActionJobsToTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,BitbucketServerSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,GitHubSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,GitSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,GitlabSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,MultiBranchJobTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,ScriptPath
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,SingleSvnSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,SourceType
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,SvnSource
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,MultiBranchPipeline,TimerTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,NoScmPipeline,DisableConcurrent
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,NoScmPipeline,RemoteTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,NoScmPipeline,TimerTrigger
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,Parameter,DefaultValue
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,PipelineSpec,MultiBranchPipeline
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,SingleSvnSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,SingleSvnSource,ScmId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,SvnSource,CredentialId
+API rule violation: names_match,kubesphere.io/api/devops/v1alpha3,SvnSource,ScmId
--- a/api/ks-openapi-spec/swagger.json
+++ b/api/ks-openapi-spec/swagger.json
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
--- a/build/ks-apiserver/Dockerfile
+++ b/build/ks-apiserver/Dockerfile
@@ -1,23 +1,48 @@
 # Copyright 2020 The KubeSphere Authors. All rights reserved.
 # Use of this source code is governed by an Apache license
 # that can be found in the LICENSE file.
-FROM alpine:3.11

+# Download dependencies
+FROM alpine:3.11 as base_os_context
+
+ARG TARGETARCH
+ARG TARGETOS
 ARG HELM_VERSION=v3.5.2

+ENV OUTDIR=/out
+RUN mkdir -p ${OUTDIR}/usr/local/bin/
+
+WORKDIR /tmp
+
 RUN apk add --no-cache ca-certificates
+
 # install helm
-RUN wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz && \
-    tar xvf helm-${HELM_VERSION}-linux-amd64.tar.gz && \
-    rm helm-${HELM_VERSION}-linux-amd64.tar.gz && \
-    mv linux-amd64/helm /usr/bin/ && \
-    rm -rf linux-amd64
-# To speed up building process, we copy binary directly from make
-# result instead of building it again, so make sure you run the 
-# following command first before building docker image
-#   make ks-apiserver
-#
-COPY  /bin/cmd/ks-apiserver /usr/local/bin/
+ADD https://get.helm.sh/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /tmp
+RUN tar xvzf /tmp/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz -C /tmp
+RUN mv /tmp/${TARGETOS}-${TARGETARCH}/helm ${OUTDIR}/usr/local/bin/
+
+# Build 
+FROM golang:1.16.3 as build_context
+
+ENV OUTDIR=/out
+RUN mkdir -p ${OUTDIR}/usr/local/bin/
+
+WORKDIR /workspace
+ADD . /workspace/
+
+RUN make ks-apiserver
+RUN mv /workspace/bin/cmd/ks-apiserver ${OUTDIR}/usr/local/bin/
+
+##############
+# Final image
+#############
+
+FROM alpine:3.11 
+
+COPY --from=base_os_context /out/ /
+COPY --from=build_context /out/ /
+
+WORKDIR /

 EXPOSE 9090
 CMD ["sh"]
--- a/build/ks-controller-manager/Dockerfile
+++ b/build/ks-controller-manager/Dockerfile
@@ -1,25 +1,66 @@
 # Copyright 2020 The KubeSphere Authors. All rights reserved.
 # Use of this source code is governed by an Apache license
 # that can be found in the LICENSE file.
-FROM alpine:3.11

+# Download dependencies
+FROM alpine:3.11 as base_os_context
+
+ARG TARGETARCH
+ARG TARGETOS
 ARG HELM_VERSION=v3.5.2
-ARG KUSTOMIZE_VERSION=v4.0.5
+ARG KUSTOMIZE_VERSION=v4.2.0
+ARG INGRESS_NGINX_VERSION=4.0.13
+
+ENV OUTDIR=/out
+RUN mkdir -p ${OUTDIR}/usr/local/bin
+RUN mkdir -p ${OUTDIR}/var/helm-charts
+
+WORKDIR /tmp

 RUN apk add --no-cache ca-certificates
-# install helm
-RUN wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz && \
-    tar xvf helm-${HELM_VERSION}-linux-amd64.tar.gz && \
-    rm helm-${HELM_VERSION}-linux-amd64.tar.gz && \
-    mv linux-amd64/helm /usr/bin/ && \
-    rm -rf linux-amd64
+
+# Install helm
+ADD https://get.helm.sh/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /tmp
+RUN tar xvzf /tmp/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz -C /tmp
+RUN mv /tmp/${TARGETOS}-${TARGETARCH}/helm ${OUTDIR}/usr/local/bin/
+
 # install kustomize
-RUN wget https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
-    tar xvf kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
-    rm kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz && \
-    mv kustomize /usr/bin
-    
-COPY  /bin/cmd/controller-manager /usr/local/bin/
+ADD https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz /tmp
+RUN tar xvzf /tmp/kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz -C /tmp
+RUN mv /tmp/kustomize ${OUTDIR}/usr/local/bin/
+
+
+# Install Nginx Ingress Helm Chart
+ADD https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-${INGRESS_NGINX_VERSION}/ingress-nginx-${INGRESS_NGINX_VERSION}.tgz /tmp
+RUN tar xvzf /tmp/ingress-nginx-${INGRESS_NGINX_VERSION}.tgz -C /tmp
+RUN mv /tmp/ingress-nginx ${OUTDIR}/var/helm-charts/
+
+# Build
+
+FROM golang:1.16.3 as build_context
+
+ENV OUTDIR=/out
+RUN mkdir -p ${OUTDIR}/usr/local/bin/
+RUN mkdir -p ${OUTDIR}/var/helm-charts
+
+WORKDIR /workspace
+ADD . /workspace/
+
+RUN make ks-controller-manager
+RUN mv /workspace/bin/cmd/controller-manager ${OUTDIR}/usr/local/bin/
+
+# Copy gateway config and helm chart
+RUN mv /workspace/config/gateway ${OUTDIR}/var/helm-charts/
+RUN mv /workspace/config/watches.yaml ${OUTDIR}/var/helm-charts/
+
+# Final Image
+
+FROM alpine:3.11 
+
+COPY --from=base_os_context /out/ /
+COPY --from=build_context /out/ /
+
+WORKDIR /

 EXPOSE 8443 8080

--- a/cmd/controller-manager/app/controllers.go
+++ b/cmd/controller-manager/app/controllers.go
@@ -17,20 +17,48 @@ limitations under the License.
 package app

 import (
-	"k8s.io/apimachinery/pkg/runtime"
+	"fmt"
+	"time"
+
+	"github.com/kubesphere/pvc-autoresizer/runners"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog"
+	ctrl "sigs.k8s.io/controller-runtime"
+	runtimeclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/kubefed/pkg/controller/util"

-	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
-	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
+	"kubesphere.io/kubesphere/cmd/controller-manager/app/options"
+	"kubesphere.io/kubesphere/pkg/controller/application"
+	"kubesphere.io/kubesphere/pkg/controller/helm"
+	"kubesphere.io/kubesphere/pkg/controller/namespace"
+	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmapplication"
+	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmcategory"
+	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmrelease"
+	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmrepo"
+	"kubesphere.io/kubesphere/pkg/controller/quota"
+	"kubesphere.io/kubesphere/pkg/controller/serviceaccount"
+	"kubesphere.io/kubesphere/pkg/controller/user"
+	"kubesphere.io/kubesphere/pkg/controller/workspace"
+	"kubesphere.io/kubesphere/pkg/controller/workspacerole"
+	"kubesphere.io/kubesphere/pkg/controller/workspacerolebinding"
+	"kubesphere.io/kubesphere/pkg/controller/workspacetemplate"
+	"kubesphere.io/kubesphere/pkg/models/kubeconfig"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
+	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	"kubesphere.io/kubesphere/pkg/simple/client/s3"
+
+	"kubesphere.io/kubesphere/pkg/controller/storage/snapshotclass"
+
+	iamv1alpha2 "kubesphere.io/api/iam/v1alpha2"
+
 	"kubesphere.io/kubesphere/pkg/controller/certificatesigningrequest"
 	"kubesphere.io/kubesphere/pkg/controller/cluster"
 	"kubesphere.io/kubesphere/pkg/controller/clusterrolebinding"
 	"kubesphere.io/kubesphere/pkg/controller/destinationrule"
-	"kubesphere.io/kubesphere/pkg/controller/devopscredential"
-	"kubesphere.io/kubesphere/pkg/controller/devopsproject"
 	"kubesphere.io/kubesphere/pkg/controller/globalrole"
 	"kubesphere.io/kubesphere/pkg/controller/globalrolebinding"
 	"kubesphere.io/kubesphere/pkg/controller/group"
@@ -41,269 +69,509 @@ import (
 	"kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy"
 	"kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy/provider"
 	"kubesphere.io/kubesphere/pkg/controller/notification"
-	"kubesphere.io/kubesphere/pkg/controller/pipeline"
-	"kubesphere.io/kubesphere/pkg/controller/s2ibinary"
-	"kubesphere.io/kubesphere/pkg/controller/s2irun"
 	"kubesphere.io/kubesphere/pkg/controller/storage/capability"
-	"kubesphere.io/kubesphere/pkg/controller/storage/expansion"
-	"kubesphere.io/kubesphere/pkg/controller/user"
 	"kubesphere.io/kubesphere/pkg/controller/virtualservice"
 	"kubesphere.io/kubesphere/pkg/informers"
-	"kubesphere.io/kubesphere/pkg/simple/client/devops"
 	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
-	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
-	"kubesphere.io/kubesphere/pkg/simple/client/multicluster"
-	"kubesphere.io/kubesphere/pkg/simple/client/network"
 	ippoolclient "kubesphere.io/kubesphere/pkg/simple/client/network/ippool"
-	"kubesphere.io/kubesphere/pkg/simple/client/s3"
 )

-func addControllers(
-	mgr manager.Manager,
-	client k8s.Client,
-	informerFactory informers.InformerFactory,
-	devopsClient devops.Interface,
-	s3Client s3.Interface,
-	ldapClient ldapclient.Interface,
-	options *k8s.KubernetesOptions,
-	authenticationOptions *authoptions.AuthenticationOptions,
-	multiClusterOptions *multicluster.Options,
-	networkOptions *network.Options,
-	serviceMeshEnabled bool,
-	kubectlImage string,
-	stopCh <-chan struct{}) error {
+var allControllers = []string{
+	"user",
+	"workspacetemplate",
+	"workspace",
+	"workspacerole",
+	"workspacerolebinding",
+	"namespace",

+	"helmrepo",
+	"helmcategory",
+	"helmapplication",
+	"helmapplicationversion",
+	"helmrelease",
+	"helm",
+
+	"application",
+	"serviceaccount",
+	"resourcequota",
+
+	"virtualservice",
+	"destinationrule",
+	"job",
+	"storagecapability",
+	"volumesnapshot",
+	"pvcautoresizer",
+	"workloadrestart",
+	"loginrecord",
+	"cluster",
+	"nsnp",
+	"ippool",
+	"csr",
+
+	"clusterrolebinding",
+
+	"fedglobalrolecache",
+	"globalrole",
+	"fedglobalrolebindingcache",
+	"globalrolebinding",
+
+	"groupbinding",
+	"group",
+
+	"notification",
+}
+
+// setup all available controllers one by one
+func addAllControllers(mgr manager.Manager, client k8s.Client, informerFactory informers.InformerFactory,
+	cmOptions *options.KubeSphereControllerManagerOptions,
+	stopCh <-chan struct{}) error {
+	var err error
+
+	////////////////////////////////////
+	// begin init necessary informers
+	////////////////////////////////////
 	kubernetesInformer := informerFactory.KubernetesSharedInformerFactory()
 	istioInformer := informerFactory.IstioSharedInformerFactory()
 	kubesphereInformer := informerFactory.KubeSphereSharedInformerFactory()
+	////////////////////////////////////
+	// end informers
+	////////////////////////////////////

-	multiClusterEnabled := multiClusterOptions.Enable
+	////////////////////////////////////
+	// begin init necessary clients
+	////////////////////////////////////
+	kubeconfigClient := kubeconfig.NewOperator(client.Kubernetes(),
+		informerFactory.KubernetesSharedInformerFactory().Core().V1().ConfigMaps().Lister(),
+		client.Config())

-	var vsController, drController manager.Runnable
+	var devopsClient devops.Interface
+	if cmOptions.DevopsOptions != nil && len(cmOptions.DevopsOptions.Host) != 0 {
+		devopsClient, err = jenkins.NewDevopsClient(cmOptions.DevopsOptions)
+		if err != nil {
+			return fmt.Errorf("failed to connect jenkins, please check jenkins status, error: %v", err)
+		}
+	}
+
+	var ldapClient ldapclient.Interface
+	// when there is no ldapOption, we set ldapClient as nil, which means we don't need to sync user info into ldap.
+	if cmOptions.LdapOptions != nil && len(cmOptions.LdapOptions.Host) != 0 {
+		if cmOptions.LdapOptions.Host == ldapclient.FAKE_HOST { // for debug only
+			ldapClient = ldapclient.NewSimpleLdap()
+		} else {
+			ldapClient, err = ldapclient.NewLdapClient(cmOptions.LdapOptions, stopCh)
+			if err != nil {
+				return fmt.Errorf("failed to connect to ldap service, please check ldap status, error: %v", err)
+			}
+		}
+	} else {
+		klog.Warning("ks-controller-manager starts without ldap provided, it will not sync user into ldap")
+	}
+	////////////////////////////////////
+	// end init clients
+	////////////////////////////////////
+
+	////////////////////////////////////////////////////////
+	// begin init controller and add to manager one by one
+	////////////////////////////////////////////////////////
+
+	// "user" controller
+	if cmOptions.IsControllerEnabled("user") {
+		userController := &user.Reconciler{
+			MultiClusterEnabled:     cmOptions.MultiClusterOptions.Enable,
+			MaxConcurrentReconciles: 4,
+			LdapClient:              ldapClient,
+			DevopsClient:            devopsClient,
+			KubeconfigClient:        kubeconfigClient,
+			AuthenticationOptions:   cmOptions.AuthenticationOptions,
+		}
+		addControllerWithSetup(mgr, "user", userController)
+	}
+
+	// "workspacetemplate" controller
+	if cmOptions.IsControllerEnabled("workspacetemplate") {
+		workspaceTemplateReconciler := &workspacetemplate.Reconciler{MultiClusterEnabled: cmOptions.MultiClusterOptions.Enable}
+		addControllerWithSetup(mgr, "workspacetemplate", workspaceTemplateReconciler)
+	}
+
+	// "workspace" controller
+	if cmOptions.IsControllerEnabled("workspace") {
+		workspaceReconciler := &workspace.Reconciler{}
+		addControllerWithSetup(mgr, "workspace", workspaceReconciler)
+	}
+
+	// "workspacerole" controller
+	if cmOptions.IsControllerEnabled("workspacerole") {
+		workspaceRoleReconciler := &workspacerole.Reconciler{MultiClusterEnabled: cmOptions.MultiClusterOptions.Enable}
+		addControllerWithSetup(mgr, "workspacerole", workspaceRoleReconciler)
+	}
+
+	// "workspacerolebinding" controller
+	if cmOptions.IsControllerEnabled("workspacerolebinding") {
+		workspaceRoleBindingReconciler := &workspacerolebinding.Reconciler{MultiClusterEnabled: cmOptions.MultiClusterOptions.Enable}
+		addControllerWithSetup(mgr, "workspacerolebinding", workspaceRoleBindingReconciler)
+	}
+
+	// "namespace" controller
+	if cmOptions.IsControllerEnabled("namespace") {
+		namespaceReconciler := &namespace.Reconciler{GatewayOptions: cmOptions.GatewayOptions}
+		addControllerWithSetup(mgr, "namespace", namespaceReconciler)
+	}
+
+	// "helmrepo" controller
+	if cmOptions.IsControllerEnabled("helmrepo") {
+		helmRepoReconciler := &helmrepo.ReconcileHelmRepo{}
+		addControllerWithSetup(mgr, "helmrepo", helmRepoReconciler)
+	}
+
+	// "helmcategory" controller
+	if cmOptions.IsControllerEnabled("helmcategory") {
+		helmCategoryReconciler := &helmcategory.ReconcileHelmCategory{}
+		addControllerWithSetup(mgr, "helmcategory", helmCategoryReconciler)
+	}
+
+	var opS3Client s3.Interface
+	if !cmOptions.OpenPitrixOptions.AppStoreConfIsEmpty() {
+		opS3Client, err = s3.NewS3Client(cmOptions.OpenPitrixOptions.S3Options)
+		if err != nil {
+			klog.Fatalf("failed to connect to s3, please check openpitrix s3 service status, error: %v", err)
+		}
+
+		// "helmapplication" controller
+		if cmOptions.IsControllerEnabled("helmapplication") {
+			reconcileHelmApp := (&helmapplication.ReconcileHelmApplication{})
+			addControllerWithSetup(mgr, "helmapplication", reconcileHelmApp)
+		}
+
+		// "helmapplicationversion" controller
+		if cmOptions.IsControllerEnabled("helmapplicationversion") {
+			reconcileHelmAppVersion := (&helmapplication.ReconcileHelmApplicationVersion{})
+			addControllerWithSetup(mgr, "helmapplicationversion", reconcileHelmAppVersion)
+		}
+	}
+
+	// "helmrelease" controller
+	if cmOptions.IsControllerEnabled("helmrelease") {
+		reconcileHelmRelease := &helmrelease.ReconcileHelmRelease{
+			// nil interface is valid value.
+			StorageClient:      opS3Client,
+			KsFactory:          informerFactory.KubeSphereSharedInformerFactory(),
+			MultiClusterEnable: cmOptions.MultiClusterOptions.Enable,
+			WaitTime:           cmOptions.OpenPitrixOptions.ReleaseControllerOptions.WaitTime,
+			MaxConcurrent:      cmOptions.OpenPitrixOptions.ReleaseControllerOptions.MaxConcurrent,
+			StopChan:           stopCh,
+		}
+		addControllerWithSetup(mgr, "helmrelease", reconcileHelmRelease)
+	}
+
+	// "helm" controller
+	if cmOptions.IsControllerEnabled("helm") {
+		if !cmOptions.GatewayOptions.IsEmpty() {
+			helmReconciler := &helm.Reconciler{GatewayOptions: cmOptions.GatewayOptions}
+			addControllerWithSetup(mgr, "helm", helmReconciler)
+		}
+	}
+
+	// "application" controller
+	if cmOptions.IsControllerEnabled("application") {
+		selector, _ := labels.Parse(cmOptions.ApplicationSelector)
+		applicationReconciler := &application.ApplicationReconciler{
+			Scheme:              mgr.GetScheme(),
+			Client:              mgr.GetClient(),
+			Mapper:              mgr.GetRESTMapper(),
+			ApplicationSelector: selector,
+		}
+		addControllerWithSetup(mgr, "application", applicationReconciler)
+	}
+
+	// "serviceaccount" controller
+	if cmOptions.IsControllerEnabled("serviceaccount") {
+		saReconciler := &serviceaccount.Reconciler{}
+		addControllerWithSetup(mgr, "serviceaccount", saReconciler)
+	}
+
+	// "resourcequota" controller
+	if cmOptions.IsControllerEnabled("resourcequota") {
+		resourceQuotaReconciler := &quota.Reconciler{
+			MaxConcurrentReconciles: quota.DefaultMaxConcurrentReconciles,
+			ResyncPeriod:            quota.DefaultResyncPeriod,
+			InformerFactory:         informerFactory.KubernetesSharedInformerFactory(),
+		}
+		addControllerWithSetup(mgr, "resourcequota", resourceQuotaReconciler)
+	}
+
+	serviceMeshEnabled := cmOptions.ServiceMeshOptions != nil && len(cmOptions.ServiceMeshOptions.IstioPilotHost) != 0
 	if serviceMeshEnabled {
-		vsController = virtualservice.NewVirtualServiceController(kubernetesInformer.Core().V1().Services(),
-			istioInformer.Networking().V1alpha3().VirtualServices(),
-			istioInformer.Networking().V1alpha3().DestinationRules(),
-			kubesphereInformer.Servicemesh().V1alpha2().Strategies(),
-			client.Kubernetes(),
-			client.Istio(),
-			client.KubeSphere())
+		// "virtualservice" controller
+		if cmOptions.IsControllerEnabled("virtualservice") {
+			vsController := virtualservice.NewVirtualServiceController(kubernetesInformer.Core().V1().Services(),
+				istioInformer.Networking().V1alpha3().VirtualServices(),
+				istioInformer.Networking().V1alpha3().DestinationRules(),
+				kubesphereInformer.Servicemesh().V1alpha2().Strategies(),
+				client.Kubernetes(),
+				client.Istio(),
+				client.KubeSphere())
+			addController(mgr, "virtualservice", vsController)
+		}

-		drController = destinationrule.NewDestinationRuleController(kubernetesInformer.Apps().V1().Deployments(),
-			istioInformer.Networking().V1alpha3().DestinationRules(),
-			kubernetesInformer.Core().V1().Services(),
-			kubesphereInformer.Servicemesh().V1alpha2().ServicePolicies(),
-			client.Kubernetes(),
-			client.Istio(),
-			client.KubeSphere())
+		// "destinationrule" controller
+		if cmOptions.IsControllerEnabled("destinationrule") {
+			drController := destinationrule.NewDestinationRuleController(kubernetesInformer.Apps().V1().Deployments(),
+				istioInformer.Networking().V1alpha3().DestinationRules(),
+				kubernetesInformer.Core().V1().Services(),
+				kubesphereInformer.Servicemesh().V1alpha2().ServicePolicies(),
+				client.Kubernetes(),
+				client.Istio(),
+				client.KubeSphere())
+			addController(mgr, "destinationrule", drController)
+		}
 	}

-	jobController := job.NewJobController(kubernetesInformer.Batch().V1().Jobs(), client.Kubernetes())
+	// "job" controller
+	if cmOptions.IsControllerEnabled("job") {
+		jobController := job.NewJobController(kubernetesInformer.Batch().V1().Jobs(), client.Kubernetes())
+		addController(mgr, "job", jobController)
+	}

-	var s2iBinaryController, s2iRunController, devopsProjectController, devopsPipelineController, devopsCredentialController manager.Runnable
-	if devopsClient != nil {
-		s2iBinaryController = s2ibinary.NewController(client.Kubernetes(),
-			client.KubeSphere(),
-			kubesphereInformer.Devops().V1alpha1().S2iBinaries(),
-			s3Client,
+	// "storagecapability" controller
+	if cmOptions.IsControllerEnabled("storagecapability") {
+		storageCapabilityController := capability.NewController(
+			client.Kubernetes().StorageV1().StorageClasses(),
+			kubernetesInformer.Storage().V1().StorageClasses(),
+			kubernetesInformer.Storage().V1().CSIDrivers(),
 		)
-
-		s2iRunController = s2irun.NewS2iRunController(client.Kubernetes(),
-			client.KubeSphere(),
-			kubesphereInformer.Devops().V1alpha1().S2iBinaries(),
-			kubesphereInformer.Devops().V1alpha1().S2iRuns())
-
-		devopsProjectController = devopsproject.NewController(client.Kubernetes(),
-			client.KubeSphere(), devopsClient,
-			informerFactory.KubernetesSharedInformerFactory().Core().V1().Namespaces(),
-			informerFactory.KubeSphereSharedInformerFactory().Devops().V1alpha3().DevOpsProjects(),
-			informerFactory.KubeSphereSharedInformerFactory().Tenant().V1alpha1().Workspaces())
-
-		devopsPipelineController = pipeline.NewController(client.Kubernetes(),
-			client.KubeSphere(),
-			devopsClient,
-			informerFactory.KubernetesSharedInformerFactory().Core().V1().Namespaces(),
-			informerFactory.KubeSphereSharedInformerFactory().Devops().V1alpha3().Pipelines())
-
-		devopsCredentialController = devopscredential.NewController(client.Kubernetes(),
-			devopsClient,
-			informerFactory.KubernetesSharedInformerFactory().Core().V1().Namespaces(),
-			informerFactory.KubernetesSharedInformerFactory().Core().V1().Secrets())
-
+		addController(mgr, "storagecapability", storageCapabilityController)
 	}

-	storageCapabilityController := capability.NewController(
-		client.KubeSphere().StorageV1alpha1().StorageClassCapabilities(),
-		kubesphereInformer.Storage().V1alpha1(),
-		client.Kubernetes().StorageV1().StorageClasses(),
-		kubernetesInformer.Storage().V1().StorageClasses(),
-		capability.SnapshotSupported(client.Kubernetes().Discovery()),
-		client.Snapshot().SnapshotV1beta1().VolumeSnapshotClasses(),
-		informerFactory.SnapshotSharedInformerFactory().Snapshot().V1beta1().VolumeSnapshotClasses(),
-		kubernetesInformer.Storage().V1beta1().CSIDrivers(),
-	)
-
-	volumeExpansionController := expansion.NewVolumeExpansionController(
-		client.Kubernetes(),
-		kubernetesInformer.Core().V1().PersistentVolumeClaims(),
-		kubernetesInformer.Storage().V1().StorageClasses(),
-		kubernetesInformer.Core().V1().Pods(),
-		kubernetesInformer.Apps().V1().Deployments(),
-		kubernetesInformer.Apps().V1().ReplicaSets(),
-		kubernetesInformer.Apps().V1().StatefulSets())
-
-	var fedUserCache, fedGlobalRoleBindingCache, fedGlobalRoleCache cache.Store
-	var fedUserCacheController, fedGlobalRoleBindingCacheController, fedGlobalRoleCacheController cache.Controller
-
-	if multiClusterEnabled {
-		fedUserClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedUserResource)
-		if err != nil {
-			klog.Error(err)
-			return err
-		}
-		fedGlobalRoleClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedGlobalRoleResource)
-		if err != nil {
-			klog.Error(err)
-			return err
-		}
-		fedGlobalRoleBindingClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedGlobalRoleBindingResource)
-		if err != nil {
-			klog.Error(err)
-			return err
-		}
-
-		fedUserCache, fedUserCacheController = util.NewResourceInformer(fedUserClient, "", &iamv1alpha2.FedUserResource, func(object runtime.Object) {})
-		fedGlobalRoleCache, fedGlobalRoleCacheController = util.NewResourceInformer(fedGlobalRoleClient, "", &iamv1alpha2.FedGlobalRoleResource, func(object runtime.Object) {})
-		fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController = util.NewResourceInformer(fedGlobalRoleBindingClient, "", &iamv1alpha2.FedGlobalRoleBindingResource, func(object runtime.Object) {})
-
-		go fedUserCacheController.Run(stopCh)
-		go fedGlobalRoleCacheController.Run(stopCh)
-		go fedGlobalRoleBindingCacheController.Run(stopCh)
+	// "volumesnapshot" controller
+	if cmOptions.IsControllerEnabled("volumesnapshot") {
+		volumeSnapshotController := snapshotclass.NewController(
+			kubernetesInformer.Storage().V1().StorageClasses(),
+			client.Snapshot().SnapshotV1().VolumeSnapshotClasses(),
+			informerFactory.SnapshotSharedInformerFactory().Snapshot().V1().VolumeSnapshotClasses(),
+		)
+		addController(mgr, "volumesnapshot", volumeSnapshotController)
 	}

-	userController := user.NewUserController(client.Kubernetes(), client.KubeSphere(), client.Config(),
-		kubesphereInformer.Iam().V1alpha2().Users(),
-		kubesphereInformer.Iam().V1alpha2().LoginRecords(),
-		fedUserCache, fedUserCacheController,
-		kubernetesInformer.Core().V1().ConfigMaps(),
-		ldapClient, devopsClient,
-		authenticationOptions, multiClusterEnabled)
+	// "pvc-autoresizer"
+	monitoringOptionsEnable := cmOptions.MonitoringOptions != nil && len(cmOptions.MonitoringOptions.Endpoint) != 0
+	if monitoringOptionsEnable {
+		if cmOptions.IsControllerEnabled("pvc-autoresizer") {
+			if err := runners.SetupIndexer(mgr, false); err != nil {
+				return err
+			}
+			promClient, err := runners.NewPrometheusClient(cmOptions.MonitoringOptions.Endpoint)
+			if err != nil {
+				return err
+			}
+			pvcAutoResizerController := runners.NewPVCAutoresizer(
+				promClient,
+				mgr.GetClient(),
+				ctrl.Log.WithName("pvc-autoresizer"),
+				1*time.Minute,
+				mgr.GetEventRecorderFor("pvc-autoresizer"),
+			)
+			addController(mgr, "pvcautoresizer", pvcAutoResizerController)
+		}
+	}

-	loginRecordController := loginrecord.NewLoginRecordController(
-		client.Kubernetes(),
-		client.KubeSphere(),
-		kubesphereInformer.Iam().V1alpha2().LoginRecords(),
-		kubesphereInformer.Iam().V1alpha2().Users(),
-		authenticationOptions.LoginHistoryRetentionPeriod,
-		authenticationOptions.LoginHistoryMaximumEntries)
+	if cmOptions.IsControllerEnabled("pvc-workload-restarter") {
+		restarter := runners.NewRestarter(
+			mgr.GetClient(),
+			ctrl.Log.WithName("pvc-workload-restarter"),
+			1*time.Minute,
+			mgr.GetEventRecorderFor("pvc-workload-restarter"),
+		)
+		addController(mgr, "pvcworkloadrestarter", restarter)
+	}

-	csrController := certificatesigningrequest.NewController(client.Kubernetes(),
-		kubernetesInformer.Certificates().V1beta1().CertificateSigningRequests(),
-		kubernetesInformer.Core().V1().ConfigMaps(), client.Config())
-
-	clusterRoleBindingController := clusterrolebinding.NewController(client.Kubernetes(),
-		kubernetesInformer.Rbac().V1().ClusterRoleBindings(),
-		kubernetesInformer.Apps().V1().Deployments(),
-		kubernetesInformer.Core().V1().Pods(),
-		kubesphereInformer.Iam().V1alpha2().Users(),
-		kubectlImage)
-
-	globalRoleController := globalrole.NewController(client.Kubernetes(), client.KubeSphere(),
-		kubesphereInformer.Iam().V1alpha2().GlobalRoles(), fedGlobalRoleCache, fedGlobalRoleCacheController)
-
-	globalRoleBindingController := globalrolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
-		kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(),
-		fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController,
-		multiClusterEnabled)
-
-	groupBindingController := groupbinding.NewController(client.Kubernetes(), client.KubeSphere(),
-		kubesphereInformer.Iam().V1alpha2().GroupBindings(),
-		kubesphereInformer.Types().V1beta1().FederatedGroupBindings(),
-		multiClusterEnabled)
-
-	groupController := group.NewController(client.Kubernetes(), client.KubeSphere(),
-		kubesphereInformer.Iam().V1alpha2().Groups(),
-		kubesphereInformer.Types().V1beta1().FederatedGroups(),
-		multiClusterEnabled)
-
-	var clusterController manager.Runnable
-	if multiClusterEnabled {
-		clusterController = cluster.NewClusterController(
+	// "loginrecord" controller
+	if cmOptions.IsControllerEnabled("loginrecord") {
+		loginRecordController := loginrecord.NewLoginRecordController(
 			client.Kubernetes(),
-			client.Config(),
-			kubesphereInformer.Cluster().V1alpha1().Clusters(),
-			client.KubeSphere().ClusterV1alpha1().Clusters(),
-			multiClusterOptions.ClusterControllerResyncSecond)
+			client.KubeSphere(),
+			kubesphereInformer.Iam().V1alpha2().LoginRecords(),
+			kubesphereInformer.Iam().V1alpha2().Users(),
+			cmOptions.AuthenticationOptions.LoginHistoryRetentionPeriod,
+			cmOptions.AuthenticationOptions.LoginHistoryMaximumEntries)
+		addController(mgr, "loginrecord", loginRecordController)
 	}

-	var nsnpController manager.Runnable
-	if networkOptions.EnableNetworkPolicy {
-		nsnpProvider, err := provider.NewNsNetworkPolicyProvider(client.Kubernetes(), kubernetesInformer.Networking().V1().NetworkPolicies())
-		if err != nil {
-			return err
+	// "csr" controller
+	if cmOptions.IsControllerEnabled("csr") {
+		csrController := certificatesigningrequest.NewController(client.Kubernetes(),
+			kubernetesInformer.Certificates().V1().CertificateSigningRequests(),
+			kubernetesInformer.Core().V1().ConfigMaps(), client.Config())
+		addController(mgr, "csr", csrController)
+	}
+
+	// "clusterrolebinding" controller
+	if cmOptions.IsControllerEnabled("clusterrolebinding") {
+		clusterRoleBindingController := clusterrolebinding.NewController(client.Kubernetes(),
+			kubernetesInformer.Rbac().V1().ClusterRoleBindings(),
+			kubernetesInformer.Apps().V1().Deployments(),
+			kubernetesInformer.Core().V1().Pods(),
+			kubesphereInformer.Iam().V1alpha2().Users(),
+			cmOptions.AuthenticationOptions.KubectlImage)
+		addController(mgr, "clusterrolebinding", clusterRoleBindingController)
+	}
+
+	// "fedglobalrolecache" controller
+	var fedGlobalRoleCache cache.Store
+	var fedGlobalRoleCacheController cache.Controller
+	if cmOptions.IsControllerEnabled("fedglobalrolecache") {
+		if cmOptions.MultiClusterOptions.Enable {
+			fedGlobalRoleClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedGlobalRoleResource)
+			if err != nil {
+				klog.Fatalf("Unable to create FedGlobalRole controller: %v", err)
+			}
+			fedGlobalRoleCache, fedGlobalRoleCacheController = util.NewResourceInformer(fedGlobalRoleClient, "",
+				&iamv1alpha2.FedGlobalRoleResource, func(object runtimeclient.Object) {})
+			go fedGlobalRoleCacheController.Run(stopCh)
+			addSuccessfullyControllers.Insert("fedglobalrolecache")
 		}
-
-		nsnpController = nsnetworkpolicy.NewNSNetworkPolicyController(client.Kubernetes(),
-			client.KubeSphere().NetworkV1alpha1(),
-			kubesphereInformer.Network().V1alpha1().NamespaceNetworkPolicies(),
-			kubernetesInformer.Core().V1().Services(),
-			kubernetesInformer.Core().V1().Nodes(),
-			kubesphereInformer.Tenant().V1alpha1().Workspaces(),
-			kubernetesInformer.Core().V1().Namespaces(), nsnpProvider, networkOptions.NSNPOptions)
 	}

-	var ippoolController manager.Runnable
-	ippoolProvider := ippoolclient.NewProvider(kubernetesInformer, client.KubeSphere(), client.Kubernetes(), networkOptions.IPPoolType, options)
-	if ippoolProvider != nil {
-		ippoolController = ippool.NewIPPoolController(kubesphereInformer, kubernetesInformer, client.Kubernetes(), client.KubeSphere(), ippoolProvider)
-	}
-
-	controllers := map[string]manager.Runnable{
-		"virtualservice-controller":     vsController,
-		"destinationrule-controller":    drController,
-		"job-controller":                jobController,
-		"s2ibinary-controller":          s2iBinaryController,
-		"s2irun-controller":             s2iRunController,
-		"storagecapability-controller":  storageCapabilityController,
-		"volumeexpansion-controller":    volumeExpansionController,
-		"user-controller":               userController,
-		"loginrecord-controller":        loginRecordController,
-		"cluster-controller":            clusterController,
-		"nsnp-controller":               nsnpController,
-		"csr-controller":                csrController,
-		"clusterrolebinding-controller": clusterRoleBindingController,
-		"globalrolebinding-controller":  globalRoleBindingController,
-		"ippool-controller":             ippoolController,
-		"groupbinding-controller":       groupBindingController,
-		"group-controller":              groupController,
-	}
-
-	if devopsClient != nil {
-		controllers["pipeline-controller"] = devopsPipelineController
-		controllers["devopsprojects-controller"] = devopsProjectController
-		controllers["devopscredential-controller"] = devopsCredentialController
-	}
-
-	if multiClusterEnabled {
-		controllers["globalrole-controller"] = globalRoleController
-		notificationController, err := notification.NewController(client.Kubernetes(), mgr.GetClient(), mgr.GetCache())
-		if err != nil {
-			return err
+	// "globalrole" controller
+	if cmOptions.IsControllerEnabled("globalrole") {
+		if cmOptions.MultiClusterOptions.Enable {
+			globalRoleController := globalrole.NewController(client.Kubernetes(), client.KubeSphere(),
+				kubesphereInformer.Iam().V1alpha2().GlobalRoles(), fedGlobalRoleCache, fedGlobalRoleCacheController)
+			addController(mgr, "globalrole", globalRoleController)
 		}
-		controllers["notification-controller"] = notificationController
 	}

-	for name, ctrl := range controllers {
-		if ctrl == nil {
-			klog.V(4).Infof("%s is not going to run due to dependent component disabled.", name)
-			continue
+	// "fedglobalrolebindingcache" controller
+	var fedGlobalRoleBindingCache cache.Store
+	var fedGlobalRoleBindingCacheController cache.Controller
+	if cmOptions.IsControllerEnabled("fedglobalrolebindingcache") {
+		if cmOptions.MultiClusterOptions.Enable {
+			fedGlobalRoleBindingClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedGlobalRoleBindingResource)
+			if err != nil {
+				klog.Fatalf("Unable to create FedGlobalRoleBinding controller: %v", err)
+			}
+			fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController = util.NewResourceInformer(fedGlobalRoleBindingClient, "",
+				&iamv1alpha2.FedGlobalRoleBindingResource, func(object runtimeclient.Object) {})
+			go fedGlobalRoleBindingCacheController.Run(stopCh)
+			addSuccessfullyControllers.Insert("fedglobalrolebindingcache")
 		}
+	}

-		if err := mgr.Add(ctrl); err != nil {
-			klog.Error(err, "add controller to manager failed", "name", name)
-			return err
+	// "globalrolebinding" controller
+	if cmOptions.IsControllerEnabled("globalrolebinding") {
+		globalRoleBindingController := globalrolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
+			kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(),
+			fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController,
+			cmOptions.MultiClusterOptions.Enable)
+		addController(mgr, "globalrolebinding", globalRoleBindingController)
+	}
+
+	// "groupbinding" controller
+	if cmOptions.IsControllerEnabled("groupbinding") {
+		groupBindingController := groupbinding.NewController(client.Kubernetes(), client.KubeSphere(),
+			kubesphereInformer.Iam().V1alpha2().GroupBindings(),
+			kubesphereInformer.Types().V1beta1().FederatedGroupBindings(),
+			cmOptions.MultiClusterOptions.Enable)
+		addController(mgr, "groupbinding", groupBindingController)
+	}
+
+	// "group" controller
+	if cmOptions.IsControllerEnabled("group") {
+		groupController := group.NewController(client.Kubernetes(), client.KubeSphere(),
+			kubesphereInformer.Iam().V1alpha2().Groups(),
+			kubesphereInformer.Types().V1beta1().FederatedGroups(),
+			cmOptions.MultiClusterOptions.Enable)
+		addController(mgr, "group", groupController)
+	}
+
+	// "cluster" controller
+	if cmOptions.IsControllerEnabled("cluster") {
+		if cmOptions.MultiClusterOptions.Enable {
+			clusterController := cluster.NewClusterController(
+				client.Kubernetes(),
+				client.KubeSphere(),
+				client.Config(),
+				kubesphereInformer.Cluster().V1alpha1().Clusters(),
+				kubesphereInformer.Iam().V1alpha2().Users().Lister(),
+				cmOptions.MultiClusterOptions.ClusterControllerResyncPeriod,
+				cmOptions.MultiClusterOptions.HostClusterName,
+			)
+			addController(mgr, "cluster", clusterController)
+		}
+	}
+
+	// "nsnp" controller
+	if cmOptions.IsControllerEnabled("nsnp") {
+		if cmOptions.NetworkOptions.EnableNetworkPolicy {
+			nsnpProvider, err := provider.NewNsNetworkPolicyProvider(client.Kubernetes(), kubernetesInformer.Networking().V1().NetworkPolicies())
+			if err != nil {
+				klog.Fatalf("Unable to create NSNetworkPolicy controller: %v", err)
+			}
+
+			nsnpController := nsnetworkpolicy.NewNSNetworkPolicyController(client.Kubernetes(),
+				client.KubeSphere().NetworkV1alpha1(),
+				kubesphereInformer.Network().V1alpha1().NamespaceNetworkPolicies(),
+				kubernetesInformer.Core().V1().Services(),
+				kubernetesInformer.Core().V1().Nodes(),
+				kubesphereInformer.Tenant().V1alpha1().Workspaces(),
+				kubernetesInformer.Core().V1().Namespaces(), nsnpProvider, cmOptions.NetworkOptions.NSNPOptions)
+			addController(mgr, "nsnp", nsnpController)
+		}
+	}
+
+	// "ippool" controller
+	if cmOptions.IsControllerEnabled("ippool") {
+		ippoolProvider := ippoolclient.NewProvider(kubernetesInformer, client.KubeSphere(), client.Kubernetes(),
+			cmOptions.NetworkOptions.IPPoolType, cmOptions.KubernetesOptions)
+		if ippoolProvider != nil {
+			ippoolController := ippool.NewIPPoolController(kubesphereInformer, kubernetesInformer, client.Kubernetes(),
+				client.KubeSphere(), ippoolProvider)
+			addController(mgr, "ippool", ippoolController)
+		}
+	}
+
+	// "notification" controller
+	if cmOptions.IsControllerEnabled("notification") {
+		if cmOptions.MultiClusterOptions.Enable {
+			notificationController, err := notification.NewController(client.Kubernetes(), mgr.GetClient(), mgr.GetCache())
+			if err != nil {
+				klog.Fatalf("Unable to create Notification controller: %v", err)
+			}
+			addController(mgr, "notification", notificationController)
+		}
+	}
+
+	// log all controllers process result
+	for _, name := range allControllers {
+		if cmOptions.IsControllerEnabled(name) {
+			if addSuccessfullyControllers.Has(name) {
+				klog.Infof("%s controller is enabled and added successfully.", name)
+			} else {
+				klog.Infof("%s controller is enabled but is not going to run due to its dependent component being disabled.", name)
+			}
+		} else {
+			klog.Infof("%s controller is disabled by controller selectors.", name)
 		}
 	}

 	return nil
 }
+
+var addSuccessfullyControllers = sets.NewString()
+
+type setupableController interface {
+	SetupWithManager(mgr ctrl.Manager) error
+}
+
+func addControllerWithSetup(mgr manager.Manager, name string, controller setupableController) {
+	if err := controller.SetupWithManager(mgr); err != nil {
+		klog.Fatalf("Unable to create %v controller: %v", name, err)
+	}
+	addSuccessfullyControllers.Insert(name)
+}
+
+func addController(mgr manager.Manager, name string, controller manager.Runnable) {
+	if err := mgr.Add(controller); err != nil {
+		klog.Fatalf("Unable to create %v controller: %v", name, err)
+	}
+	addSuccessfullyControllers.Insert(name)
+}
--- a/cmd/controller-manager/app/options/options.go
+++ b/cmd/controller-manager/app/options/options.go
@@ -18,9 +18,18 @@ package options

 import (
 	"flag"
+	"fmt"
 	"strings"
 	"time"

+	"kubesphere.io/kubesphere/pkg/simple/client/monitoring/prometheus"
+
+	controllerconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication"
+
 	"k8s.io/apimachinery/pkg/labels"

 	"github.com/spf13/pflag"
@@ -28,8 +37,8 @@ import (
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog"

-	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
 	"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
+	"kubesphere.io/kubesphere/pkg/simple/client/gateway"
 	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
 	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
 	"kubesphere.io/kubesphere/pkg/simple/client/multicluster"
@@ -43,12 +52,14 @@ type KubeSphereControllerManagerOptions struct {
 	KubernetesOptions     *k8s.KubernetesOptions
 	DevopsOptions         *jenkins.Options
 	S3Options             *s3.Options
-	AuthenticationOptions *authoptions.AuthenticationOptions
+	AuthenticationOptions *authentication.Options
 	LdapOptions           *ldapclient.Options
 	OpenPitrixOptions     *openpitrix.Options
 	NetworkOptions        *network.Options
 	MultiClusterOptions   *multicluster.Options
 	ServiceMeshOptions    *servicemesh.Options
+	GatewayOptions        *gateway.Options
+	MonitoringOptions     *prometheus.Options
 	LeaderElect           bool
 	LeaderElection        *leaderelection.LeaderElectionConfig
 	WebhookCertDir        string
@@ -61,6 +72,19 @@ type KubeSphereControllerManagerOptions struct {
 	//      "kubesphere.io/creator=" means reconcile applications with this label key
 	//      "!kubesphere.io/creator" means exclude applications with this key
 	ApplicationSelector string
+
+	// ControllerGates is the list of controller gates to enable or disable controller.
+	// '*' means "all enabled by default controllers"
+	// 'foo' means "enable 'foo'"
+	// '-foo' means "disable 'foo'"
+	// first item for a particular name wins.
+	//     e.g. '-foo,foo' means "disable foo", 'foo,-foo' means "enable foo"
+	// * has the lowest priority.
+	//     e.g. *,-foo, means "disable 'foo'"
+	ControllerGates []string
+
+	// Enable gops or not.
+	GOPSEnabled bool
 }

 func NewKubeSphereControllerManagerOptions() *KubeSphereControllerManagerOptions {
@@ -73,7 +97,8 @@ func NewKubeSphereControllerManagerOptions() *KubeSphereControllerManagerOptions
 		NetworkOptions:        network.NewNetworkOptions(),
 		MultiClusterOptions:   multicluster.NewOptions(),
 		ServiceMeshOptions:    servicemesh.NewServiceMeshOptions(),
-		AuthenticationOptions: authoptions.NewAuthenticateOptions(),
+		AuthenticationOptions: authentication.NewOptions(),
+		GatewayOptions:        gateway.NewGatewayOptions(),
 		LeaderElection: &leaderelection.LeaderElectionConfig{
 			LeaseDuration: 30 * time.Second,
 			RenewDeadline: 15 * time.Second,
@@ -82,12 +107,13 @@ func NewKubeSphereControllerManagerOptions() *KubeSphereControllerManagerOptions
 		LeaderElect:         false,
 		WebhookCertDir:      "",
 		ApplicationSelector: "",
+		ControllerGates:     []string{"*"},
 	}

 	return s
 }

-func (s *KubeSphereControllerManagerOptions) Flags() cliflag.NamedFlagSets {
+func (s *KubeSphereControllerManagerOptions) Flags(allControllerNameSelectors []string) cliflag.NamedFlagSets {
 	fss := cliflag.NamedFlagSets{}

 	s.KubernetesOptions.AddFlags(fss.FlagSet("kubernetes"), s.KubernetesOptions)
@@ -99,7 +125,7 @@ func (s *KubeSphereControllerManagerOptions) Flags() cliflag.NamedFlagSets {
 	s.NetworkOptions.AddFlags(fss.FlagSet("network"), s.NetworkOptions)
 	s.MultiClusterOptions.AddFlags(fss.FlagSet("multicluster"), s.MultiClusterOptions)
 	s.ServiceMeshOptions.AddFlags(fss.FlagSet("servicemesh"), s.ServiceMeshOptions)
-
+	s.GatewayOptions.AddFlags(fss.FlagSet("gateway"), s.GatewayOptions)
 	fs := fss.FlagSet("leaderelection")
 	s.bindLeaderElectionFlags(s.LeaderElection, fs)

@@ -116,6 +142,13 @@ func (s *KubeSphereControllerManagerOptions) Flags() cliflag.NamedFlagSets {
 	gfs.StringVar(&s.ApplicationSelector, "application-selector", s.ApplicationSelector, ""+
 		"Only reconcile application(sigs.k8s.io/application) objects match given selector, this could avoid conflicts with "+
 		"other projects built on top of sig-application. Default behavior is to reconcile all of application objects.")
+	gfs.StringSliceVar(&s.ControllerGates, "controllers", []string{"*"}, fmt.Sprintf(""+
+		"A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller "+
+		"named 'foo', '-foo' disables the controller named 'foo'.\nAll controllers: %s",
+		strings.Join(allControllerNameSelectors, ", ")))
+
+	gfs.BoolVar(&s.GOPSEnabled, "gops", s.GOPSEnabled, "Whether to enable gops or not.  When enabled this option, "+
+		"controller-manager will listen on a random port on 127.0.0.1, then you can use the gops tool to list and diagnose the controller-manager currently running.")

 	kfs := fss.FlagSet("klog")
 	local := flag.NewFlagSet("klog", flag.ExitOnError)
@@ -128,25 +161,58 @@ func (s *KubeSphereControllerManagerOptions) Flags() cliflag.NamedFlagSets {
 	return fss
 }

-func (s *KubeSphereControllerManagerOptions) Validate() []error {
+// Validate Options and Genetic Options
+func (o *KubeSphereControllerManagerOptions) Validate(allControllerNameSelectors []string) []error {
 	var errs []error
-	errs = append(errs, s.DevopsOptions.Validate()...)
-	errs = append(errs, s.KubernetesOptions.Validate()...)
-	errs = append(errs, s.S3Options.Validate()...)
-	errs = append(errs, s.OpenPitrixOptions.Validate()...)
-	errs = append(errs, s.NetworkOptions.Validate()...)
-	errs = append(errs, s.LdapOptions.Validate()...)
+	errs = append(errs, o.DevopsOptions.Validate()...)
+	errs = append(errs, o.KubernetesOptions.Validate()...)
+	errs = append(errs, o.S3Options.Validate()...)
+	errs = append(errs, o.OpenPitrixOptions.Validate()...)
+	errs = append(errs, o.NetworkOptions.Validate()...)
+	errs = append(errs, o.LdapOptions.Validate()...)
+	errs = append(errs, o.MultiClusterOptions.Validate()...)

-	if len(s.ApplicationSelector) != 0 {
-		_, err := labels.Parse(s.ApplicationSelector)
+	// genetic option: application-selector
+	if len(o.ApplicationSelector) != 0 {
+		_, err := labels.Parse(o.ApplicationSelector)
 		if err != nil {
 			errs = append(errs, err)
 		}
 	}

+	// genetic option: controllers, check all selectors are valid
+	allControllersNameSet := sets.NewString(allControllerNameSelectors...)
+	for _, selector := range o.ControllerGates {
+		if selector == "*" {
+			continue
+		}
+		selector = strings.TrimPrefix(selector, "-")
+		if !allControllersNameSet.Has(selector) {
+			errs = append(errs, fmt.Errorf("%q is not in the list of known controllers", selector))
+		}
+	}
+
 	return errs
 }

+// IsControllerEnabled check if a specified controller enabled or not.
+func (o *KubeSphereControllerManagerOptions) IsControllerEnabled(name string) bool {
+	hasStar := false
+	for _, ctrl := range o.ControllerGates {
+		if ctrl == name {
+			return true
+		}
+		if ctrl == "-"+name {
+			return false
+		}
+		if ctrl == "*" {
+			hasStar = true
+		}
+	}
+
+	return hasStar
+}
+
 func (s *KubeSphereControllerManagerOptions) bindLeaderElectionFlags(l *leaderelection.LeaderElectionConfig, fs *pflag.FlagSet) {
 	fs.DurationVar(&l.LeaseDuration, "leader-elect-lease-duration", l.LeaseDuration, ""+
 		"The duration that non-leader candidates will wait after observing a leadership "+
@@ -162,3 +228,18 @@ func (s *KubeSphereControllerManagerOptions) bindLeaderElectionFlags(l *leaderel
 		"The duration the clients should wait between attempting acquisition and renewal "+
 		"of a leadership. This is only applicable if leader election is enabled.")
 }
+
+// MergeConfig merge new config without validation
+// When misconfigured, the app should just crash directly
+func (s *KubeSphereControllerManagerOptions) MergeConfig(cfg *controllerconfig.Config) {
+	s.KubernetesOptions = cfg.KubernetesOptions
+	s.DevopsOptions = cfg.DevopsOptions
+	s.S3Options = cfg.S3Options
+	s.AuthenticationOptions = cfg.AuthenticationOptions
+	s.LdapOptions = cfg.LdapOptions
+	s.OpenPitrixOptions = cfg.OpenPitrixOptions
+	s.NetworkOptions = cfg.NetworkOptions
+	s.MultiClusterOptions = cfg.MultiClusterOptions
+	s.ServiceMeshOptions = cfg.ServiceMeshOptions
+	s.GatewayOptions = cfg.GatewayOptions
+}
--- a/cmd/controller-manager/app/options/options_test.go
+++ b/cmd/controller-manager/app/options/options_test.go
@@ -0,0 +1,81 @@
+// Copyright 2022 The KubeSphere Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+package options
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// ref: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/controller-manager/app/helper_test.go
+func TestIsControllerEnabled(t *testing.T) {
+	testcases := []struct {
+		name            string
+		controllerName  string
+		controllerFlags []string
+		expected        bool
+	}{
+		{
+			name:            "on by name",
+			controllerName:  "bravo",
+			controllerFlags: []string{"alpha", "bravo", "-charlie"},
+			expected:        true,
+		},
+		{
+			name:            "off by name",
+			controllerName:  "charlie",
+			controllerFlags: []string{"alpha", "bravo", "-charlie"},
+			expected:        false,
+		},
+		{
+			name:            "on by default",
+			controllerName:  "alpha",
+			controllerFlags: []string{"*"},
+			expected:        true,
+		},
+		{
+			name:            "on by star, not off by name",
+			controllerName:  "alpha",
+			controllerFlags: []string{"*", "-charlie"},
+			expected:        true,
+		},
+		{
+			name:            "off by name with star",
+			controllerName:  "charlie",
+			controllerFlags: []string{"*", "-charlie"},
+			expected:        false,
+		},
+		{
+			name:            "off then on",
+			controllerName:  "alpha",
+			controllerFlags: []string{"-alpha", "alpha"},
+			expected:        false,
+		},
+		{
+			name:            "on then off",
+			controllerName:  "alpha",
+			controllerFlags: []string{"alpha", "-alpha"},
+			expected:        true,
+		},
+	}
+
+	for _, tc := range testcases {
+		option := NewKubeSphereControllerManagerOptions()
+		option.ControllerGates = tc.controllerFlags
+		actual := option.IsControllerEnabled(tc.controllerName)
+		assert.Equal(t, tc.expected, actual, "%v: expected %v, got %v", tc.name, tc.expected, actual)
+	}
+}
--- a/cmd/controller-manager/app/server.go
+++ b/cmd/controller-manager/app/server.go
@@ -17,46 +17,34 @@ limitations under the License.
 package app

 import (
+	"context"
 	"fmt"
 	"os"

+	"github.com/google/gops/agent"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog"
 	"k8s.io/klog/klogr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"sigs.k8s.io/controller-runtime/pkg/runtime/signals"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"

 	"kubesphere.io/kubesphere/cmd/controller-manager/app/options"
 	"kubesphere.io/kubesphere/pkg/apis"
 	controllerconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
-	"kubesphere.io/kubesphere/pkg/controller/application"
-	"kubesphere.io/kubesphere/pkg/controller/namespace"
 	"kubesphere.io/kubesphere/pkg/controller/network/webhooks"
-	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmapplication"
-	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmcategory"
-	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmrelease"
-	"kubesphere.io/kubesphere/pkg/controller/openpitrix/helmrepo"
 	"kubesphere.io/kubesphere/pkg/controller/quota"
-	"kubesphere.io/kubesphere/pkg/controller/serviceaccount"
 	"kubesphere.io/kubesphere/pkg/controller/user"
-	"kubesphere.io/kubesphere/pkg/controller/workspace"
-	"kubesphere.io/kubesphere/pkg/controller/workspacerole"
-	"kubesphere.io/kubesphere/pkg/controller/workspacerolebinding"
-	"kubesphere.io/kubesphere/pkg/controller/workspacetemplate"
 	"kubesphere.io/kubesphere/pkg/informers"
-	"kubesphere.io/kubesphere/pkg/simple/client/devops"
-	"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
 	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
-	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
 	"kubesphere.io/kubesphere/pkg/simple/client/s3"
 	"kubesphere.io/kubesphere/pkg/utils/metrics"
 	"kubesphere.io/kubesphere/pkg/utils/term"
+	"kubesphere.io/kubesphere/pkg/version"
 )

 func NewControllerManagerCommand() *cobra.Command {
@@ -74,6 +62,8 @@ func NewControllerManagerCommand() *cobra.Command {
 			NetworkOptions:        conf.NetworkOptions,
 			MultiClusterOptions:   conf.MultiClusterOptions,
 			ServiceMeshOptions:    conf.ServiceMeshOptions,
+			GatewayOptions:        conf.GatewayOptions,
+			MonitoringOptions:     conf.MonitoringOptions,
 			LeaderElection:        s.LeaderElection,
 			LeaderElect:           s.LeaderElect,
 			WebhookCertDir:        s.WebhookCertDir,
@@ -84,14 +74,22 @@ func NewControllerManagerCommand() *cobra.Command {

 	cmd := &cobra.Command{
 		Use:  "controller-manager",
-		Long: `KubeSphere controller manager is a daemon that`,
+		Long: `KubeSphere controller manager is a daemon that embeds the control loops shipped with KubeSphere.`,
 		Run: func(cmd *cobra.Command, args []string) {
-			if errs := s.Validate(); len(errs) != 0 {
+			if errs := s.Validate(allControllers); len(errs) != 0 {
 				klog.Error(utilerrors.NewAggregate(errs))
 				os.Exit(1)
 			}

-			if err = run(s, signals.SetupSignalHandler()); err != nil {
+			if s.GOPSEnabled {
+				// Add agent to report additional information such as the current stack trace, Go version, memory stats, etc.
+				// Bind to a random port on address 127.0.0.1
+				if err := agent.Listen(agent.Options{}); err != nil {
+					klog.Fatal(err)
+				}
+			}
+
+			if err = Run(s, controllerconfig.WatchConfigChange(), signals.SetupSignalHandler()); err != nil {
 				klog.Error(err)
 				os.Exit(1)
 			}
@@ -100,7 +98,7 @@ func NewControllerManagerCommand() *cobra.Command {
 	}

 	fs := cmd.Flags()
-	namedFlagSets := s.Flags()
+	namedFlagSets := s.Flags(allControllers)

 	for _, f := range namedFlagSets.FlagSets {
 		fs.AddFlagSet(f)
@@ -112,10 +110,55 @@ func NewControllerManagerCommand() *cobra.Command {
 		_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine())
 		cliflag.PrintSections(cmd.OutOrStdout(), namedFlagSets, cols)
 	})
+
+	versionCmd := &cobra.Command{
+		Use:   "version",
+		Short: "Print the version of KubeSphere controller-manager",
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Println(version.Get())
+		},
+	}
+
+	cmd.AddCommand(versionCmd)
+
 	return cmd
 }

-func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{}) error {
+func Run(s *options.KubeSphereControllerManagerOptions, configCh <-chan controllerconfig.Config, ctx context.Context) error {
+	ictx, cancelFunc := context.WithCancel(context.TODO())
+	errCh := make(chan error)
+	defer close(errCh)
+	go func() {
+		if err := run(s, ictx); err != nil {
+			errCh <- err
+		}
+	}()
+
+	// The ctx (signals.SetupSignalHandler()) is to control the entire program life cycle,
+	// The ictx(internal context)  is created here to control the life cycle of the controller-manager(all controllers, sharedInformer, webhook etc.)
+	// when config changed, stop server and renew context, start new server
+	for {
+		select {
+		case <-ctx.Done():
+			cancelFunc()
+			return nil
+		case cfg := <-configCh:
+			cancelFunc()
+			s.MergeConfig(&cfg)
+			ictx, cancelFunc = context.WithCancel(context.TODO())
+			go func() {
+				if err := run(s, ictx); err != nil {
+					errCh <- err
+				}
+			}()
+		case err := <-errCh:
+			cancelFunc()
+			return err
+		}
+	}
+}
+
+func run(s *options.KubeSphereControllerManagerOptions, ctx context.Context) error {

 	kubernetesClient, err := k8s.NewKubernetesClient(s.KubernetesOptions)
 	if err != nil {
@@ -123,32 +166,8 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 		return err
 	}

-	var devopsClient devops.Interface
-	if s.DevopsOptions != nil && len(s.DevopsOptions.Host) != 0 {
-		devopsClient, err = jenkins.NewDevopsClient(s.DevopsOptions)
-		if err != nil {
-			return fmt.Errorf("failed to connect jenkins, please check jenkins status, error: %v", err)
-		}
-	}
-
-	var ldapClient ldapclient.Interface
-	// when there is no ldapOption, we set ldapClient as nil, which means we don't need to sync user info into ldap.
-	if s.LdapOptions != nil && len(s.LdapOptions.Host) != 0 {
-		if s.LdapOptions.Host == ldapclient.FAKE_HOST { // for debug only
-			ldapClient = ldapclient.NewSimpleLdap()
-		} else {
-			ldapClient, err = ldapclient.NewLdapClient(s.LdapOptions, stopCh)
-			if err != nil {
-				return fmt.Errorf("failed to connect to ldap service, please check ldap status, error: %v", err)
-			}
-		}
-	} else {
-		klog.Warning("ks-controller-manager starts without ldap provided, it will not sync user into ldap")
-	}
-
-	var s3Client s3.Interface
 	if s.S3Options != nil && len(s.S3Options.Endpoint) != 0 {
-		s3Client, err = s3.NewS3Client(s.S3Options)
+		_, err = s3.NewS3Client(s.S3Options)
 		if err != nil {
 			return fmt.Errorf("failed to connect to s3, please check s3 service status, error: %v", err)
 		}
@@ -195,110 +214,19 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 	// register common meta types into schemas.
 	metav1.AddToGroupVersion(mgr.GetScheme(), metav1.SchemeGroupVersion)

-	workspaceTemplateReconciler := &workspacetemplate.Reconciler{MultiClusterEnabled: s.MultiClusterOptions.Enable}
-	if err = workspaceTemplateReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatalf("Unable to create workspace template controller: %v", err)
-	}
-
-	workspaceReconciler := &workspace.Reconciler{}
-	if err = workspaceReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatalf("Unable to create workspace controller: %v", err)
-	}
-
-	workspaceRoleReconciler := &workspacerole.Reconciler{MultiClusterEnabled: s.MultiClusterOptions.Enable}
-	if err = workspaceRoleReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatalf("Unable to create workspace role controller: %v", err)
-	}
-
-	workspaceRoleBindingReconciler := &workspacerolebinding.Reconciler{MultiClusterEnabled: s.MultiClusterOptions.Enable}
-	if err = workspaceRoleBindingReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatalf("Unable to create workspace role binding controller: %v", err)
-	}
-
-	namespaceReconciler := &namespace.Reconciler{}
-	if err = namespaceReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatalf("Unable to create namespace controller: %v", err)
-	}
-
-	err = helmrepo.Add(mgr)
-	if err != nil {
-		klog.Fatal("Unable to create helm repo controller")
-	}
-
-	err = helmcategory.Add(mgr)
-	if err != nil {
-		klog.Fatal("Unable to create helm category controller")
-	}
-
-	var opS3Client s3.Interface
-	if !s.OpenPitrixOptions.AppStoreConfIsEmpty() {
-		opS3Client, err = s3.NewS3Client(s.OpenPitrixOptions.S3Options)
-		if err != nil {
-			klog.Fatalf("failed to connect to s3, please check openpitrix s3 service status, error: %v", err)
-		}
-		err = (&helmapplication.ReconcileHelmApplication{}).SetupWithManager(mgr)
-		if err != nil {
-			klog.Fatalf("Unable to create helm application controller, error: %s", err)
-		}
-
-		err = (&helmapplication.ReconcileHelmApplicationVersion{}).SetupWithManager(mgr)
-		if err != nil {
-			klog.Fatalf("Unable to create helm application version controller, error: %s ", err)
-		}
-	}
-
-	err = (&helmrelease.ReconcileHelmRelease{
-		// nil interface is valid value.
-		StorageClient:      opS3Client,
-		KsFactory:          informerFactory.KubeSphereSharedInformerFactory(),
-		MultiClusterEnable: s.MultiClusterOptions.Enable,
-	}).SetupWithManager(mgr)
-
-	if err != nil {
-		klog.Fatalf("Unable to create helm release controller, error: %s", err)
-	}
-
-	selector, _ := labels.Parse(s.ApplicationSelector)
-	applicationReconciler := &application.ApplicationReconciler{
-		Scheme:              mgr.GetScheme(),
-		Client:              mgr.GetClient(),
-		Mapper:              mgr.GetRESTMapper(),
-		ApplicationSelector: selector,
-	}
-	if err = applicationReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatalf("Unable to create application controller: %v", err)
-	}
-
-	saReconciler := &serviceaccount.Reconciler{}
-	if err = saReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatalf("Unable to create ServiceAccount controller: %v", err)
-	}
-
-	resourceQuotaReconciler := quota.Reconciler{}
-	if err := resourceQuotaReconciler.SetupWithManager(mgr, quota.DefaultMaxConcurrentReconciles, quota.DefaultResyncPeriod, informerFactory.KubernetesSharedInformerFactory()); err != nil {
-		klog.Fatalf("Unable to create ResourceQuota controller: %v", err)
-	}
-
 	// TODO(jeff): refactor config with CRD
-	servicemeshEnabled := s.ServiceMeshOptions != nil && len(s.ServiceMeshOptions.IstioPilotHost) != 0
-	if err = addControllers(mgr,
+	// install all controllers
+	if err = addAllControllers(mgr,
 		kubernetesClient,
 		informerFactory,
-		devopsClient,
-		s3Client,
-		ldapClient,
-		s.KubernetesOptions,
-		s.AuthenticationOptions,
-		s.MultiClusterOptions,
-		s.NetworkOptions,
-		servicemeshEnabled,
-		s.AuthenticationOptions.KubectlImage, stopCh); err != nil {
+		s,
+		ctx.Done()); err != nil {
 		klog.Fatalf("unable to register controllers to the manager: %v", err)
 	}

 	// Start cache data after all informer is registered
 	klog.V(0).Info("Starting cache resource from apiserver...")
-	informerFactory.Start(stopCh)
+	informerFactory.Start(ctx.Done())

 	// Setup webhooks
 	klog.V(2).Info("setting up webhook server")
@@ -308,6 +236,7 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 	hookServer.Register("/validate-email-iam-kubesphere-io-v1alpha2", &webhook.Admission{Handler: &user.EmailValidator{Client: mgr.GetClient()}})
 	hookServer.Register("/validate-network-kubesphere-io-v1alpha1", &webhook.Admission{Handler: &webhooks.ValidatingHandler{C: mgr.GetClient()}})
 	hookServer.Register("/mutate-network-kubesphere-io-v1alpha1", &webhook.Admission{Handler: &webhooks.MutatingHandler{C: mgr.GetClient()}})
+	hookServer.Register("/persistentvolumeclaims", &webhook.Admission{Handler: &webhooks.AccessorHandler{C: mgr.GetClient()}})

 	resourceQuotaAdmission, err := quota.NewResourceQuotaAdmission(mgr.GetClient(), mgr.GetScheme())
 	if err != nil {
@@ -321,7 +250,7 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 	mgr.AddMetricsExtraHandler("/kapis/metrics", metrics.Handler())

 	klog.V(0).Info("Starting the controllers.")
-	if err = mgr.Start(stopCh); err != nil {
+	if err = mgr.Start(ctx); err != nil {
 		klog.Fatalf("unable to run the manager: %v", err)
 	}

--- a/cmd/ks-apiserver/app/options/options.go
+++ b/cmd/ks-apiserver/app/options/options.go
@@ -21,14 +21,20 @@ import (
 	"flag"
 	"fmt"

+	openpitrixv1 "kubesphere.io/kubesphere/pkg/kapis/openpitrix/v1"
+	"kubesphere.io/kubesphere/pkg/utils/clusterclient"
+
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/token"
+
+	"k8s.io/client-go/kubernetes/scheme"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog"
 	runtimecache "sigs.k8s.io/controller-runtime/pkg/cache"
+	runtimeclient "sigs.k8s.io/controller-runtime/pkg/client"

 	"kubesphere.io/kubesphere/pkg/apis"
 	"kubesphere.io/kubesphere/pkg/apiserver"
 	apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
-	"kubesphere.io/kubesphere/pkg/client/clientset/versioned/scheme"
 	"kubesphere.io/kubesphere/pkg/informers"
 	genericoptions "kubesphere.io/kubesphere/pkg/server/options"
 	"kubesphere.io/kubesphere/pkg/simple/client/alerting"
@@ -56,6 +62,9 @@ type ServerRunOptions struct {

 	//
 	DebugMode bool
+
+	// Enable gops or not.
+	GOPSEnabled bool
 }

 func NewServerRunOptions() *ServerRunOptions {
@@ -70,6 +79,8 @@ func NewServerRunOptions() *ServerRunOptions {
 func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
 	fs := fss.FlagSet("generic")
 	fs.BoolVar(&s.DebugMode, "debug", false, "Don't enable this if you don't know what it means.")
+	fs.BoolVar(&s.GOPSEnabled, "gops", false, "Whether to enable gops or not. When enabled this option, "+
+		"ks-apiserver will listen on a random port on 127.0.0.1, then you can use the gops tool to list and diagnose the ks-apiserver currently running.")
 	s.GenericServerRunOptions.AddFlags(fs, s.GenericServerRunOptions)
 	s.KubernetesOptions.AddFlags(fss.FlagSet("kubernetes"), s.KubernetesOptions)
 	s.AuthenticationOptions.AddFlags(fss.FlagSet("authentication"), s.AuthenticationOptions)
@@ -206,6 +217,13 @@ func (s *ServerRunOptions) NewAPIServer(stopCh <-chan struct{}) (*apiserver.APIS
 		apiServer.AlertingClient = alertingClient
 	}

+	if s.Config.MultiClusterOptions.Enable {
+		cc := clusterclient.NewClusterClient(informerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters())
+		apiServer.ClusterClient = cc
+	}
+
+	apiServer.OpenpitrixClient = openpitrixv1.NewOpenpitrixClient(informerFactory, apiServer.KubernetesClient.KubeSphere(), s.OpenPitrixOptions, apiServer.ClusterClient, stopCh)
+
 	server := &http.Server{
 		Addr: fmt.Sprintf(":%d", s.GenericServerRunOptions.InsecurePort),
 	}
@@ -215,7 +233,11 @@ func (s *ServerRunOptions) NewAPIServer(stopCh <-chan struct{}) (*apiserver.APIS
 		if err != nil {
 			return nil, err
 		}
-		server.TLSConfig.Certificates = []tls.Certificate{certificate}
+
+		server.TLSConfig = &tls.Config{
+			Certificates: []tls.Certificate{certificate},
+		}
+		server.Addr = fmt.Sprintf(":%d", s.GenericServerRunOptions.SecurePort)
 	}

 	sch := scheme.Scheme
@@ -225,7 +247,17 @@ func (s *ServerRunOptions) NewAPIServer(stopCh <-chan struct{}) (*apiserver.APIS

 	apiServer.RuntimeCache, err = runtimecache.New(apiServer.KubernetesClient.Config(), runtimecache.Options{Scheme: sch})
 	if err != nil {
-		klog.Fatalf("unable to create runtime cache: %v", err)
+		klog.Fatalf("unable to create controller runtime cache: %v", err)
+	}
+
+	apiServer.RuntimeClient, err = runtimeclient.New(apiServer.KubernetesClient.Config(), runtimeclient.Options{Scheme: sch})
+	if err != nil {
+		klog.Fatalf("unable to create controller runtime client: %v", err)
+	}
+
+	apiServer.Issuer, err = token.NewIssuer(s.AuthenticationOptions)
+	if err != nil {
+		klog.Fatalf("unable to create issuer: %v", err)
 	}

 	apiServer.Server = server
--- a/cmd/ks-apiserver/app/server.go
+++ b/cmd/ks-apiserver/app/server.go
@@ -17,19 +17,22 @@ limitations under the License.
 package app

 import (
+	"context"
 	"fmt"
+	"net/http"

+	"github.com/google/gops/agent"
 	"github.com/spf13/cobra"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog"

+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+
 	"kubesphere.io/kubesphere/cmd/ks-apiserver/app/options"
 	apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
-	"kubesphere.io/kubesphere/pkg/utils/signals"
 	"kubesphere.io/kubesphere/pkg/utils/term"
-
-	tracing "kubesphere.io/kubesphere/pkg/kapis/servicemesh/metrics/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/version"
 )

 func NewAPIServerCommand() *cobra.Command {
@@ -56,7 +59,15 @@ cluster's shared state through which all other components interact.`,
 				return utilerrors.NewAggregate(errs)
 			}

-			return Run(s, signals.SetupSignalHandler())
+			if s.GOPSEnabled {
+				// Add agent to report additional information such as the current stack trace, Go version, memory stats, etc.
+				// Bind to a random port on address 127.0.0.1.
+				if err := agent.Listen(agent.Options{}); err != nil {
+					klog.Fatal(err)
+				}
+			}
+
+			return Run(s, apiserverconfig.WatchConfigChange(), signals.SetupSignalHandler())
 		},
 		SilenceUsage: true,
 	}
@@ -73,34 +84,68 @@ cluster's shared state through which all other components interact.`,
 		fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine())
 		cliflag.PrintSections(cmd.OutOrStdout(), namedFlagSets, cols)
 	})
+
+	versionCmd := &cobra.Command{
+		Use:   "version",
+		Short: "Print the version of KubeSphere ks-apiserver",
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Println(version.Get())
+		},
+	}
+
+	cmd.AddCommand(versionCmd)
+
 	return cmd
 }

-func Run(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
+func Run(s *options.ServerRunOptions, configCh <-chan apiserverconfig.Config, ctx context.Context) error {
+	ictx, cancelFunc := context.WithCancel(context.TODO())
+	errCh := make(chan error)
+	defer close(errCh)
+	go func() {
+		if err := run(s, ictx); err != nil {
+			errCh <- err
+		}
+	}()

-	initializeServicemeshConfig(s)
+	// The ctx (signals.SetupSignalHandler()) is to control the entire program life cycle,
+	// The ictx(internal context)  is created here to control the life cycle of the ks-apiserver(http server, sharedInformer etc.)
+	// when config change, stop server and renew context, start new server
+	for {
+		select {
+		case <-ctx.Done():
+			cancelFunc()
+			return nil
+		case cfg := <-configCh:
+			cancelFunc()
+			s.Config = &cfg
+			ictx, cancelFunc = context.WithCancel(context.TODO())
+			go func() {
+				if err := run(s, ictx); err != nil {
+					errCh <- err
+				}
+			}()
+		case err := <-errCh:
+			cancelFunc()
+			return err
+		}
+	}
+}

-	apiserver, err := s.NewAPIServer(stopCh)
+func run(s *options.ServerRunOptions, ctx context.Context) error {
+	apiserver, err := s.NewAPIServer(ctx.Done())
 	if err != nil {
 		return err
 	}

-	err = apiserver.PrepareRun(stopCh)
+	err = apiserver.PrepareRun(ctx.Done())
 	if err != nil {
+		return err
+	}
+
+	err = apiserver.Run(ctx)
+	if err == http.ErrServerClosed {
 		return nil
 	}
-
-	return apiserver.Run(stopCh)
-}
-
-func initializeServicemeshConfig(s *options.ServerRunOptions) {
-	// Config jaeger query endpoint address
-	if s.ServiceMeshOptions != nil && len(s.ServiceMeshOptions.JaegerQueryHost) != 0 {
-		tracing.JaegerQueryUrl = s.ServiceMeshOptions.JaegerQueryHost
-	}
-
-	// Set the kiali query endpoint address
-	if s.ServiceMeshOptions != nil && len(s.ServiceMeshOptions.KialiQueryHost) != 0 {
-		tracing.KialiQueryUrl = s.ServiceMeshOptions.KialiQueryHost
-	}
+	return err
 }
--- a/config/crd/bases/cluster.kubesphere.io_agents.yaml
+++ b/config/crd/bases/cluster.kubesphere.io_agents.yaml
@@ -1,114 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: agents.cluster.kubesphere.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.Paused
-    name: Paused
-    type: bool
-  group: cluster.kubesphere.io
-  names:
-    kind: Agent
-    listKind: AgentList
-    plural: agents
-    singular: agent
-  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: Agent is the Schema for the agents API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: AgentSpec defines the desired state of Agent
-          properties:
-            kubernetesAPIServerPort:
-              description: KubeAPIServerPort is the port which listens for forwarding
-                kube-apiserver traffic
-              type: integer
-            kubesphereAPIServerPort:
-              description: KubeSphereAPIServerPort is the port which listens for forwarding
-                kubesphere apigateway traffic
-              type: integer
-            paused:
-              description: Indicates that the agent is paused.
-              type: boolean
-            proxy:
-              description: Proxy address
-              type: string
-            token:
-              description: Token used by agents to connect to proxy.
-              type: string
-          type: object
-        status:
-          description: AgentStatus defines the observed state of Agent
-          properties:
-            conditions:
-              description: Represents the latest available observations of a agent's
-                current state.
-              items:
-                properties:
-                  lastTransitionTime:
-                    description: Last time the condition transitioned from one status
-                      to another.
-                    format: date-time
-                    type: string
-                  lastUpdateTime:
-                    description: The last time this condition was updated.
-                    format: date-time
-                    type: string
-                  message:
-                    description: A human readable message indicating details about
-                      the transition.
-                    type: string
-                  reason:
-                    description: The reason for the condition's last transition.
-                    type: string
-                  status:
-                    description: Status of the condition, one of True, False, Unknown.
-                    type: string
-                  type:
-                    description: Type of AgentCondition
-                    type: string
-                required:
-                - status
-                type: object
-              type: array
-            kubeconfig:
-              description: Issued new kubeconfig by proxy server
-              format: byte
-              type: string
-            ping:
-              description: Represents the connection quality, in ms
-              format: int64
-              type: integer
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/cluster.kubesphere.io_clusters.yaml
+++ b/config/crd/bases/cluster.kubesphere.io_clusters.yaml
@@ -1,168 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: clusters.cluster.kubesphere.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.joinFederation
-    name: Federated
-    type: boolean
-  - JSONPath: .spec.provider
-    name: Provider
-    type: string
-  - JSONPath: .spec.enable
-    name: Active
-    type: boolean
-  - JSONPath: .status.kubernetesVersion
-    name: Version
-    type: string
-  group: cluster.kubesphere.io
-  names:
-    kind: Cluster
-    listKind: ClusterList
-    plural: clusters
-    singular: cluster
-  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: Cluster is the schema for the clusters API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            connection:
-              description: Connection holds info to connect to the member cluster
-              properties:
-                kubeconfig:
-                  description: KubeConfig content used to connect to cluster api server
-                    Should provide this field explicitly if connection type is direct.
-                    Will be populated by ks-proxy if connection type is proxy.
-                  format: byte
-                  type: string
-                kubernetesAPIEndpoint:
-                  description: Kubernetes API Server endpoint. This can be a hostname,
-                    hostname:port, IP or IP:port. Should provide this field explicitly
-                    if connection type is direct. Will be populated by ks-apiserver
-                    if connection type is proxy.
-                  type: string
-                kubernetesAPIServerPort:
-                  description: KubeAPIServerPort is the port which listens for forwarding
-                    kube-apiserver traffic Only applicable when connection type is
-                    proxy.
-                  type: integer
-                kubesphereAPIEndpoint:
-                  description: KubeSphere API Server endpoint. This can be a hostname,
-                    hostname:port, IP or IP:port. Should provide this field explicitly
-                    if connection type is direct. Will be populated by ks-apiserver
-                    if connection type is proxy.
-                  type: string
-                kubesphereAPIServerPort:
-                  description: KubeSphereAPIServerPort is the port which listens for
-                    forwarding kubesphere apigateway traffic Only applicable when
-                    connection type is proxy.
-                  type: integer
-                token:
-                  description: Token used by agents of member cluster to connect to
-                    host cluster proxy. This field is populated by apiserver only
-                    if connection type is proxy.
-                  type: string
-                type:
-                  description: type defines how host cluster will connect to host
-                    cluster ConnectionTypeDirect means direct connection, this requires   kubeconfig
-                    and kubesphere apiserver endpoint provided ConnectionTypeProxy
-                    means using kubesphere proxy, no kubeconfig   or kubesphere apiserver
-                    endpoint required
-                  type: string
-              type: object
-            enable:
-              description: Desired state of the cluster
-              type: boolean
-            joinFederation:
-              description: Join cluster as a kubefed cluster
-              type: boolean
-            provider:
-              description: Provider of the cluster, this field is just for description
-              type: string
-          type: object
-        status:
-          properties:
-            conditions:
-              description: Represents the latest available observations of a cluster's
-                current state.
-              items:
-                properties:
-                  lastTransitionTime:
-                    description: Last time the condition transitioned from one status
-                      to another.
-                    format: date-time
-                    type: string
-                  lastUpdateTime:
-                    description: The last time this condition was updated.
-                    format: date-time
-                    type: string
-                  message:
-                    description: A human readable message indicating details about
-                      the transition.
-                    type: string
-                  reason:
-                    description: The reason for the condition's last transition.
-                    type: string
-                  status:
-                    description: Status of the condition, one of True, False, Unknown.
-                    type: string
-                  type:
-                    description: Type of the condition
-                    type: string
-                required:
-                - status
-                - type
-                type: object
-              type: array
-            kubernetesVersion:
-              description: GitVersion of the kubernetes cluster, this field is populated
-                by cluster controller
-              type: string
-            nodeCount:
-              description: Count of the kubernetes cluster nodes This field may not
-                reflect the instant status of the cluster.
-              type: integer
-            region:
-              description: Region is the name of the region in which all of the nodes
-                in the cluster exist.  e.g. 'us-east1'.
-              type: string
-            zones:
-              description: Zones are the names of availability zones in which the
-                nodes of the cluster exist, e.g. 'us-east1-a'.
-              items:
-                type: string
-              type: array
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/devops.kubesphere.io_devopsprojects.yaml
+++ b/config/crd/bases/devops.kubesphere.io_devopsprojects.yaml
@@ -1,59 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: devopsprojects.devops.kubesphere.io
-spec:
-  group: devops.kubesphere.io
-  names:
-    categories:
-    - devops
-    kind: DevOpsProject
-    listKind: DevOpsProjectList
-    plural: devopsprojects
-    singular: devopsproject
-  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      description: DevOpsProject is the Schema for the devopsprojects API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: DevOpsProjectSpec defines the desired state of DevOpsProject
-          type: object
-        status:
-          description: DevOpsProjectStatus defines the observed state of DevOpsProject
-          properties:
-            adminNamespace:
-              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
-                of cluster Important: Run "make" to regenerate code after modifying
-                this file'
-              type: string
-          type: object
-      type: object
-  version: v1alpha3
-  versions:
-  - name: v1alpha3
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/devops.kubesphere.io_pipelines.yaml
+++ b/config/crd/bases/devops.kubesphere.io_pipelines.yaml
@@ -1,260 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: pipelines.devops.kubesphere.io
-spec:
-  group: devops.kubesphere.io
-  names:
-    kind: Pipeline
-    listKind: PipelineList
-    plural: pipelines
-    singular: pipeline
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      description: Pipeline is the Schema for the pipelines API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: PipelineSpec defines the desired state of Pipeline
-          properties:
-            multi_branch_pipeline:
-              properties:
-                bitbucket_server_source:
-                  properties:
-                    api_uri:
-                      type: string
-                    credential_id:
-                      type: string
-                    discover_branches:
-                      type: integer
-                    discover_pr_from_forks:
-                      properties:
-                        strategy:
-                          type: integer
-                        trust:
-                          type: integer
-                      type: object
-                    discover_pr_from_origin:
-                      type: integer
-                    git_clone_option:
-                      properties:
-                        depth:
-                          type: integer
-                        shallow:
-                          type: boolean
-                        timeout:
-                          type: integer
-                      type: object
-                    owner:
-                      type: string
-                    regex_filter:
-                      type: string
-                    repo:
-                      type: string
-                    scm_id:
-                      type: string
-                  type: object
-                descriptio:
-                  type: string
-                discarder:
-                  properties:
-                    days_to_keep:
-                      type: string
-                    num_to_keep:
-                      type: string
-                  type: object
-                git_source:
-                  properties:
-                    credential_id:
-                      type: string
-                    discover_branches:
-                      type: boolean
-                    git_clone_option:
-                      properties:
-                        depth:
-                          type: integer
-                        shallow:
-                          type: boolean
-                        timeout:
-                          type: integer
-                      type: object
-                    regex_filter:
-                      type: string
-                    scm_id:
-                      type: string
-                    url:
-                      type: string
-                  type: object
-                github_source:
-                  properties:
-                    api_uri:
-                      type: string
-                    credential_id:
-                      type: string
-                    discover_branches:
-                      type: integer
-                    discover_pr_from_forks:
-                      properties:
-                        strategy:
-                          type: integer
-                        trust:
-                          type: integer
-                      type: object
-                    discover_pr_from_origin:
-                      type: integer
-                    git_clone_option:
-                      properties:
-                        depth:
-                          type: integer
-                        shallow:
-                          type: boolean
-                        timeout:
-                          type: integer
-                      type: object
-                    owner:
-                      type: string
-                    regex_filter:
-                      type: string
-                    repo:
-                      type: string
-                    scm_id:
-                      type: string
-                  type: object
-                multibranch_job_trigger:
-                  properties:
-                    create_action_job_to_trigger:
-                      type: string
-                    delete_action_job_to_trigger:
-                      type: string
-                  type: object
-                name:
-                  type: string
-                script_path:
-                  type: string
-                single_svn_source:
-                  properties:
-                    credential_id:
-                      type: string
-                    remote:
-                      type: string
-                    scm_id:
-                      type: string
-                  type: object
-                source_type:
-                  type: string
-                svn_source:
-                  properties:
-                    credential_id:
-                      type: string
-                    excludes:
-                      type: string
-                    includes:
-                      type: string
-                    remote:
-                      type: string
-                    scm_id:
-                      type: string
-                  type: object
-                timer_trigger:
-                  properties:
-                    cron:
-                      description: user in no scm job
-                      type: string
-                    interval:
-                      description: use in multi-branch job
-                      type: string
-                  type: object
-              required:
-              - name
-              - script_path
-              - source_type
-              type: object
-            pipeline:
-              properties:
-                descriptio:
-                  type: string
-                disable_concurrent:
-                  type: boolean
-                discarder:
-                  properties:
-                    days_to_keep:
-                      type: string
-                    num_to_keep:
-                      type: string
-                  type: object
-                jenkinsfile:
-                  type: string
-                name:
-                  type: string
-                parameters:
-                  items:
-                    properties:
-                      default_value:
-                        type: string
-                      description:
-                        type: string
-                      name:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                    - name
-                    - type
-                    type: object
-                  type: array
-                remote_trigger:
-                  properties:
-                    token:
-                      type: string
-                  type: object
-                timer_trigger:
-                  properties:
-                    cron:
-                      description: user in no scm job
-                      type: string
-                    interval:
-                      description: use in multi-branch job
-                      type: string
-                  type: object
-              required:
-              - name
-              type: object
-            type:
-              description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-                Important: Run "make" to regenerate code after modifying this file'
-              type: string
-          required:
-          - type
-          type: object
-        status:
-          description: PipelineStatus defines the observed state of Pipeline
-          type: object
-      type: object
-  version: v1alpha3
-  versions:
-  - name: v1alpha3
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/devops.kubesphere.io_s2ibinaries.yaml
+++ b/config/crd/bases/devops.kubesphere.io_s2ibinaries.yaml
@@ -1,86 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: s2ibinaries.devops.kubesphere.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.fileName
-    name: FileName
-    type: string
-  - JSONPath: .spec.md5
-    name: MD5
-    type: string
-  - JSONPath: .spec.size
-    name: Size
-    type: string
-  - JSONPath: .status.phase
-    name: Phase
-    type: string
-  group: devops.kubesphere.io
-  names:
-    kind: S2iBinary
-    listKind: S2iBinaryList
-    plural: s2ibinaries
-    singular: s2ibinary
-  scope: Namespaced
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: S2iBinary is the Schema for the s2ibinaries API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: S2iBinarySpec defines the desired state of S2iBinary
-          properties:
-            downloadURL:
-              description: DownloadURL in KubeSphere
-              type: string
-            fileName:
-              description: FileName is filename of binary
-              type: string
-            md5:
-              description: MD5 is Binary's MD5 Hash
-              type: string
-            size:
-              description: Size is the file size of file
-              type: string
-            uploadTimeStamp:
-              description: UploadTime is last upload time
-              format: date-time
-              type: string
-          type: object
-        status:
-          description: S2iBinaryStatus defines the observed state of S2iBinary
-          properties:
-            phase:
-              description: Phase is status of S2iBinary . Possible value is "Ready","UnableToDownload"
-              type: string
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/devops.kubesphere.io_s2ibuilders.yaml
+++ b/config/crd/bases/devops.kubesphere.io_s2ibuilders.yaml
@@ -1,578 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: s2ibuilders.devops.kubesphere.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.runCount
-    name: RunCount
-    type: integer
-  - JSONPath: .status.lastRunState
-    name: LastRunState
-    type: string
-  - JSONPath: .status.lastRunName
-    name: LastRunName
-    type: string
-  - JSONPath: .status.lastRunStartTime
-    name: LastRunStartTime
-    type: date
-  group: devops.kubesphere.io
-  names:
-    kind: S2iBuilder
-    listKind: S2iBuilderList
-    plural: s2ibuilders
-    shortNames:
-    - s2ib
-    singular: s2ibuilder
-  scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: S2iBuilder is the Schema for the s2ibuilders API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: S2iBuilderSpec defines the desired state of S2iBuilder
-          properties:
-            config:
-              description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-                Important: Run "make" to regenerate code after modifying this file'
-              properties:
-                addHost:
-                  description: AddHost Add a line to /etc/hosts for test purpose or
-                    private use in LAN. Its format is host:IP,muliple hosts can be
-                    added  by using multiple --add-host
-                  items:
-                    type: string
-                  type: array
-                asDockerfile:
-                  description: AsDockerfile indicates the path where the Dockerfile
-                    should be written instead of building a new image.
-                  type: string
-                assembleUser:
-                  description: AssembleUser specifies the user to run the assemble
-                    script in container
-                  type: string
-                blockOnBuild:
-                  description: BlockOnBuild prevents s2i from performing a docker
-                    build operation if one is necessary to execute ONBUILD commands,
-                    or to layer source code into the container for images that don't
-                    have a tar binary available, if the image contains ONBUILD commands
-                    that would be executed.
-                  type: boolean
-                branchExpression:
-                  description: Regular expressions, ignoring names that do not match
-                    the provided regular expression
-                  type: string
-                buildVolumes:
-                  description: BuildVolumes specifies a list of volumes to mount to
-                    container running the build.
-                  items:
-                    type: string
-                  type: array
-                builderBaseImageVersion:
-                  description: BuilderBaseImageVersion provides optional version information
-                    about the builder base image.
-                  type: string
-                builderImage:
-                  description: BuilderImage describes which image is used for building
-                    the result images.
-                  type: string
-                builderImageVersion:
-                  description: BuilderImageVersion provides optional version information
-                    about the builder image.
-                  type: string
-                builderPullPolicy:
-                  description: BuilderPullPolicy specifies when to pull the builder
-                    image
-                  type: string
-                callbackUrl:
-                  description: CallbackURL is a URL which is called upon successful
-                    build to inform about that fact.
-                  type: string
-                cgroupLimits:
-                  description: CGroupLimits describes the cgroups limits that will
-                    be applied to any containers run by s2i.
-                  properties:
-                    cpuPeriod:
-                      format: int64
-                      type: integer
-                    cpuQuota:
-                      format: int64
-                      type: integer
-                    cpuShares:
-                      format: int64
-                      type: integer
-                    memoryLimitBytes:
-                      format: int64
-                      type: integer
-                    memorySwap:
-                      format: int64
-                      type: integer
-                    parent:
-                      type: string
-                  required:
-                  - cpuPeriod
-                  - cpuQuota
-                  - cpuShares
-                  - memoryLimitBytes
-                  - memorySwap
-                  - parent
-                  type: object
-                contextDir:
-                  description: Specify a relative directory inside the application
-                    repository that should be used as a root directory for the application.
-                  type: string
-                description:
-                  description: Description is a result image description label. The
-                    default is no description.
-                  type: string
-                destination:
-                  description: Destination specifies a location where the untar operation
-                    will place its artifacts.
-                  type: string
-                displayName:
-                  description: DisplayName is a result image display-name label. This
-                    defaults to the output image name.
-                  type: string
-                dockerConfig:
-                  description: DockerConfig describes how to access host docker daemon.
-                  properties:
-                    caFile:
-                      description: CAFile is the certificate authority file path for
-                        a TLS connection
-                      type: string
-                    certFile:
-                      description: CertFile is the certificate file path for a TLS
-                        connection
-                      type: string
-                    endPoint:
-                      description: Endpoint is the docker network endpoint or socket
-                      type: string
-                    keyFile:
-                      description: KeyFile is the key file path for a TLS connection
-                      type: string
-                    tlsVerify:
-                      description: TLSVerify indicates if TLS peer must be verified
-                      type: boolean
-                    useTLS:
-                      description: UseTLS indicates if TLS must be used
-                      type: boolean
-                  required:
-                  - caFile
-                  - certFile
-                  - endPoint
-                  - keyFile
-                  - tlsVerify
-                  - useTLS
-                  type: object
-                dockerNetworkMode:
-                  description: DockerNetworkMode is used to set the docker network
-                    setting to --net=container:<id> when the builder is invoked from
-                    a container.
-                  type: string
-                dropCapabilities:
-                  description: DropCapabilities contains a list of capabilities to
-                    drop when executing containers
-                  items:
-                    type: string
-                  type: array
-                environment:
-                  description: Environment is a map of environment variables to be
-                    passed to the image.
-                  items:
-                    description: EnvironmentSpec specifies a single environment variable.
-                    properties:
-                      name:
-                        type: string
-                      value:
-                        type: string
-                    required:
-                    - name
-                    - value
-                    type: object
-                  type: array
-                excludeRegExp:
-                  description: ExcludeRegExp contains a string representation of the
-                    regular expression desired for deciding which files to exclude
-                    from the tar stream
-                  type: string
-                export:
-                  description: Export Push the result image to specify image registry
-                    in tag
-                  type: boolean
-                gitSecretRef:
-                  description: GitSecretRef is the BasicAuth Secret of Git Clone
-                  properties:
-                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        TODO: Add other useful fields. apiVersion, kind, uid?'
-                      type: string
-                  type: object
-                hasOnBuild:
-                  description: HasOnBuild will be set to true if the builder image
-                    contains ONBUILD instructions
-                  type: boolean
-                imageName:
-                  description: ImageName Contains the registry address and reponame,
-                    tag should set by field tag alone
-                  type: string
-                imageScriptsUrl:
-                  description: ImageScriptsURL is the default location to find the
-                    assemble/run scripts for a builder image. This url can be a reference
-                    within the builder image if the scheme is specified as image://
-                  type: string
-                imageWorkDir:
-                  description: ImageWorkDir is the default working directory for the
-                    builder image.
-                  type: string
-                incremental:
-                  description: Incremental describes whether to try to perform incremental
-                    build.
-                  type: boolean
-                incrementalAuthentication:
-                  description: IncrementalAuthentication holds the authentication
-                    information for pulling the previous image from private repositories
-                  properties:
-                    email:
-                      type: string
-                    password:
-                      type: string
-                    secretRef:
-                      description: LocalObjectReference contains enough information
-                        to let you locate the referenced object inside the same namespace.
-                      properties:
-                        name:
-                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Add other useful fields. apiVersion, kind, uid?'
-                          type: string
-                      type: object
-                    serverAddress:
-                      type: string
-                    username:
-                      type: string
-                  type: object
-                incrementalFromTag:
-                  description: IncrementalFromTag sets an alternative image tag to
-                    look for existing artifacts. Tag is used by default if this is
-                    not set.
-                  type: string
-                injections:
-                  description: Injections specifies a list source/destination folders
-                    that are injected to the container that runs assemble. All files
-                    we inject will be truncated after the assemble script finishes.
-                  items:
-                    description: VolumeSpec represents a single volume mount point.
-                    properties:
-                      destination:
-                        description: Destination is the path to mount the volume to
-                          - absolute or relative.
-                        type: string
-                      keep:
-                        description: Keep indicates if the mounted data should be
-                          kept in the final image.
-                        type: boolean
-                      source:
-                        description: Source is a reference to the volume source.
-                        type: string
-                    type: object
-                  type: array
-                isBinaryURL:
-                  description: IsBinaryURL explain the type of SourceURL. If it is
-                    IsBinaryURL, it will download the file directly without using
-                    git.
-                  type: boolean
-                keepSymlinks:
-                  description: KeepSymlinks indicates to copy symlinks as symlinks.
-                    Default behavior is to follow symlinks and copy files by content.
-                  type: boolean
-                labelNamespace:
-                  description: LabelNamespace provides the namespace under which the
-                    labels will be generated.
-                  type: string
-                labels:
-                  additionalProperties:
-                    type: string
-                  description: Labels specify labels and their values to be applied
-                    to the resulting image. Label keys must have non-zero length.
-                    The labels defined here override generated labels in case they
-                    have the same name.
-                  type: object
-                layeredBuild:
-                  description: LayeredBuild describes if this is build which layered
-                    scripts and sources on top of BuilderImage.
-                  type: boolean
-                nodeAffinityKey:
-                  description: The key of Node Affinity.
-                  type: string
-                nodeAffinityValues:
-                  description: The values of Node Affinity.
-                  items:
-                    type: string
-                  type: array
-                outputBuildResult:
-                  description: Whether output build result to status.
-                  type: boolean
-                outputImageName:
-                  description: OutputImageName is a result image name without tag,
-                    default is latest. tag will append to ImageName in the end
-                  type: string
-                preserveWorkingDir:
-                  description: PreserveWorkingDir describes if working directory should
-                    be left after processing.
-                  type: boolean
-                previousImagePullPolicy:
-                  description: PreviousImagePullPolicy specifies when to pull the
-                    previously build image when doing incremental build
-                  type: string
-                pullAuthentication:
-                  description: PullAuthentication holds the authentication information
-                    for pulling the Docker images from private repositories
-                  properties:
-                    email:
-                      type: string
-                    password:
-                      type: string
-                    secretRef:
-                      description: LocalObjectReference contains enough information
-                        to let you locate the referenced object inside the same namespace.
-                      properties:
-                        name:
-                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Add other useful fields. apiVersion, kind, uid?'
-                          type: string
-                      type: object
-                    serverAddress:
-                      type: string
-                    username:
-                      type: string
-                  type: object
-                pushAuthentication:
-                  description: PullAuthentication holds the authentication information
-                    for pulling the Docker images from private repositories
-                  properties:
-                    email:
-                      type: string
-                    password:
-                      type: string
-                    secretRef:
-                      description: LocalObjectReference contains enough information
-                        to let you locate the referenced object inside the same namespace.
-                      properties:
-                        name:
-                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Add other useful fields. apiVersion, kind, uid?'
-                          type: string
-                      type: object
-                    serverAddress:
-                      type: string
-                    username:
-                      type: string
-                  type: object
-                removePreviousImage:
-                  description: RemovePreviousImage describes if previous image should
-                    be removed after successful build. This applies only to incremental
-                    builds.
-                  type: boolean
-                revisionId:
-                  description: The RevisionId is a branch name or a SHA-1 hash of
-                    every important thing about the commit
-                  type: string
-                runImage:
-                  description: RunImage will trigger a "docker run ..." invocation
-                    of the produced image so the user can see if it operates as he
-                    would expect
-                  type: boolean
-                runtimeArtifacts:
-                  description: RuntimeArtifacts specifies a list of source/destination
-                    pairs that will be copied from builder to a runtime image. Source
-                    can be a file or directory. Destination must be a directory. Regardless
-                    whether it is an absolute or relative path, it will be placed
-                    into image's WORKDIR. Destination also can be empty or equals
-                    to ".", in this case it just refers to a root of WORKDIR. In case
-                    it's empty, S2I will try to get this list from io.openshift.s2i.assemble-input-files
-                    label on a RuntimeImage.
-                  items:
-                    description: VolumeSpec represents a single volume mount point.
-                    properties:
-                      destination:
-                        description: Destination is the path to mount the volume to
-                          - absolute or relative.
-                        type: string
-                      keep:
-                        description: Keep indicates if the mounted data should be
-                          kept in the final image.
-                        type: boolean
-                      source:
-                        description: Source is a reference to the volume source.
-                        type: string
-                    type: object
-                  type: array
-                runtimeAuthentication:
-                  description: RuntimeAuthentication holds the authentication information
-                    for pulling the runtime Docker images from private repositories.
-                  properties:
-                    email:
-                      type: string
-                    password:
-                      type: string
-                    secretRef:
-                      description: LocalObjectReference contains enough information
-                        to let you locate the referenced object inside the same namespace.
-                      properties:
-                        name:
-                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Add other useful fields. apiVersion, kind, uid?'
-                          type: string
-                      type: object
-                    serverAddress:
-                      type: string
-                    username:
-                      type: string
-                  type: object
-                runtimeImage:
-                  description: RuntimeImage specifies the image that will be a base
-                    for resulting image and will be used for running an application.
-                    By default, BuilderImage is used for building and running, but
-                    the latter may be overridden.
-                  type: string
-                runtimeImagePullPolicy:
-                  description: RuntimeImagePullPolicy specifies when to pull a runtime
-                    image.
-                  type: string
-                scriptDownloadProxyConfig:
-                  description: ScriptDownloadProxyConfig optionally specifies the
-                    http and https proxy to use when downloading scripts
-                  properties:
-                    httpProxy:
-                      type: string
-                    httpsProxy:
-                      type: string
-                  type: object
-                scriptsUrl:
-                  description: ScriptsURL is a URL describing where to fetch the S2I
-                    scripts from during build process. This url can be a reference
-                    within the builder image if the scheme is specified as image://
-                  type: string
-                secretCode:
-                  description: SecretCode
-                  type: string
-                securityOpt:
-                  description: SecurityOpt are passed as options to the docker containers
-                    launched by s2i.
-                  items:
-                    type: string
-                  type: array
-                sourceUrl:
-                  description: SourceURL is  url of the codes such as https://github.com/a/b.git
-                  type: string
-                tag:
-                  description: Tag is a result image tag name.
-                  type: string
-                taintKey:
-                  description: The name of taint.
-                  type: string
-                usage:
-                  description: Usage allows for properly shortcircuiting s2i logic
-                    when `s2i usage` is invoked
-                  type: boolean
-                workingDir:
-                  description: WorkingDir describes temporary directory used for downloading
-                    sources, scripts and tar operations.
-                  type: string
-                workingSourceDir:
-                  description: WorkingSourceDir describes the subdirectory off of
-                    WorkingDir set up during the repo download that is later used
-                    as the root for ignore processing
-                  type: string
-              required:
-              - imageName
-              - sourceUrl
-              type: object
-            fromTemplate:
-              description: FromTemplate define some inputs from user
-              properties:
-                builderImage:
-                  description: BaseImage specify which version of this template to
-                    use
-                  type: string
-                name:
-                  description: Name specify a template to use, so many fields in Config
-                    can left empty
-                  type: string
-                parameters:
-                  description: Parameters must use with `template`, fill some parameters
-                    which template will use
-                  items:
-                    properties:
-                      defaultValue:
-                        type: string
-                      description:
-                        type: string
-                      key:
-                        type: string
-                      optValues:
-                        items:
-                          type: string
-                        type: array
-                      required:
-                        type: boolean
-                      type:
-                        type: string
-                      value:
-                        type: string
-                    type: object
-                  type: array
-              type: object
-          type: object
-        status:
-          description: S2iBuilderStatus defines the observed state of S2iBuilder
-          properties:
-            lastRunName:
-              description: LastRunState return the name of the newest run of this
-                builder
-              type: string
-            lastRunStartTime:
-              description: LastRunStartTime return the startTime of the newest run
-                of this builder
-              format: date-time
-              type: string
-            lastRunState:
-              description: LastRunState return the state of the newest run of this
-                builder
-              type: string
-            runCount:
-              description: RunCount represent the sum of s2irun of this builder
-              type: integer
-          required:
-          - runCount
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/devops.kubesphere.io_s2ibuildertemplates.yaml
+++ b/config/crd/bases/devops.kubesphere.io_s2ibuildertemplates.yaml
@@ -1,141 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: s2ibuildertemplates.devops.kubesphere.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.codeFramework
-    name: Framework
-    type: string
-  - JSONPath: .spec.defaultBaseImage
-    name: DefaultBaseImage
-    type: string
-  - JSONPath: .spec.version
-    name: Version
-    type: string
-  group: devops.kubesphere.io
-  names:
-    categories:
-    - devops
-    kind: S2iBuilderTemplate
-    listKind: S2iBuilderTemplateList
-    plural: s2ibuildertemplates
-    shortNames:
-    - s2ibt
-    singular: s2ibuildertemplate
-  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: S2iBuilderTemplate is the Schema for the s2ibuildertemplates API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: S2iBuilderTemplateSpec defines the desired state of S2iBuilderTemplate
-          properties:
-            codeFramework:
-              description: CodeFramework means which language this template is designed
-                for and which framework is using if has framework. Like Java, NodeJS
-                etc
-              type: string
-            containerInfo:
-              description: Images are the images this template will use.
-              items:
-                properties:
-                  buildVolumes:
-                    description: BuildVolumes specifies a list of volumes to mount
-                      to container running the build.
-                    items:
-                      type: string
-                    type: array
-                  builderImage:
-                    description: BaseImage are the images this template will use.
-                    type: string
-                  runtimeArtifacts:
-                    items:
-                      description: VolumeSpec represents a single volume mount point.
-                      properties:
-                        destination:
-                          description: Destination is the path to mount the volume
-                            to - absolute or relative.
-                          type: string
-                        keep:
-                          description: Keep indicates if the mounted data should be
-                            kept in the final image.
-                          type: boolean
-                        source:
-                          description: Source is a reference to the volume source.
-                          type: string
-                      type: object
-                    type: array
-                  runtimeImage:
-                    type: string
-                type: object
-              type: array
-            defaultBaseImage:
-              description: DefaultBaseImage is the image that will be used by default
-              type: string
-            description:
-              description: Description illustrate the purpose of this template
-              type: string
-            environment:
-              description: Parameters is a set of environment variables to be passed
-                to the image.
-              items:
-                properties:
-                  defaultValue:
-                    type: string
-                  description:
-                    type: string
-                  key:
-                    type: string
-                  optValues:
-                    items:
-                      type: string
-                    type: array
-                  required:
-                    type: boolean
-                  type:
-                    type: string
-                  value:
-                    type: string
-                type: object
-              type: array
-            iconPath:
-              description: IconPath is used for frontend display
-              type: string
-            version:
-              description: Version of template
-              type: string
-          type: object
-        status:
-          description: S2iBuilderTemplateStatus defines the observed state of S2iBuilderTemplate
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/devops.kubesphere.io_s2iruns.yaml
+++ b/config/crd/bases/devops.kubesphere.io_s2iruns.yaml
@@ -1,181 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: s2iruns.devops.kubesphere.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.runState
-    name: State
-    type: string
-  - JSONPath: .status.kubernetesJobName
-    name: K8sJobName
-    type: string
-  - JSONPath: .status.startTime
-    name: StartTime
-    type: date
-  - JSONPath: .status.completionTime
-    name: CompletionTime
-    type: date
-  - JSONPath: .status.s2iBuildResult.imageName
-    name: ImageName
-    type: string
-  group: devops.kubesphere.io
-  names:
-    kind: S2iRun
-    listKind: S2iRunList
-    plural: s2iruns
-    shortNames:
-    - s2ir
-    singular: s2irun
-  scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: S2iRun is the Schema for the s2iruns API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: S2iRunSpec defines the desired state of S2iRun
-          properties:
-            backoffLimit:
-              description: BackoffLimit limits the restart count of each s2irun. Default
-                is 0
-              format: int32
-              type: integer
-            builderName:
-              description: BuilderName specify the name of s2ibuilder, required
-              type: string
-            newRevisionId:
-              description: NewRevisionId override the default NewRevisionId in its
-                s2ibuilder.
-              type: string
-            newSourceURL:
-              description: NewSourceURL is used to download new binary artifacts
-              type: string
-            newTag:
-              description: NewTag override the default tag in its s2ibuilder, image
-                name cannot be changed.
-              type: string
-            secondsAfterFinished:
-              description: SecondsAfterFinished if is set and greater than zero, and
-                the job created by s2irun become successful or failed , the job will
-                be auto deleted after SecondsAfterFinished
-              format: int32
-              type: integer
-          required:
-          - builderName
-          type: object
-        status:
-          description: S2iRunStatus defines the observed state of S2iRun
-          properties:
-            completionTime:
-              description: Represents time when the job was completed. It is not guaranteed
-                to be set in happens-before order across separate operations. It is
-                represented in RFC3339 form and is in UTC.
-              format: date-time
-              type: string
-            kubernetesJobName:
-              description: KubernetesJobName is the job name in k8s
-              type: string
-            logURL:
-              description: LogURL is uesd for external log handler to let user know
-                where is log located in
-              type: string
-            runState:
-              description: RunState  indicates whether this job is done or failed
-              type: string
-            s2iBuildResult:
-              description: S2i build result info.
-              properties:
-                commandPull:
-                  description: Command for pull image.
-                  type: string
-                imageCreated:
-                  description: Image created time.
-                  type: string
-                imageID:
-                  description: Image ID.
-                  type: string
-                imageName:
-                  description: ImageName is the name of artifact
-                  type: string
-                imageRepoTags:
-                  description: image tags.
-                  items:
-                    type: string
-                  type: array
-                imageSize:
-                  description: The size in bytes of the image
-                  format: int64
-                  type: integer
-              type: object
-            s2iBuildSource:
-              description: S2i build source info.
-              properties:
-                binaryName:
-                  description: Binary file Name
-                  type: string
-                binarySize:
-                  description: Binary file Size
-                  format: int64
-                  type: integer
-                builderImage:
-                  description: // BuilderImage describes which image is used for building
-                    the result images.
-                  type: string
-                commitID:
-                  description: CommitID represents an arbitrary extended object reference
-                    in Git as SHA-1
-                  type: string
-                committerEmail:
-                  description: CommitterEmail contains the e-mail of the committer
-                  type: string
-                committerName:
-                  description: CommitterName contains the name of the committer
-                  type: string
-                description:
-                  description: Description is a result image description label. The
-                    default is no description.
-                  type: string
-                revisionId:
-                  description: The RevisionId is a branch name or a SHA-1 hash of
-                    every important thing about the commit
-                  type: string
-                sourceUrl:
-                  description: SourceURL is  url of the codes such as https://github.com/a/b.git
-                  type: string
-              type: object
-            startTime:
-              description: StartTime represent when this run began
-              format: date-time
-              type: string
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/servicemesh.kubesphere.io_servicepolicies.yaml
+++ b/config/crd/bases/servicemesh.kubesphere.io_servicepolicies.yaml
--- a/config/crd/bases/servicemesh.kubesphere.io_strategies.yaml
+++ b/config/crd/bases/servicemesh.kubesphere.io_strategies.yaml
--- a/config/crds/application.kubesphere.io_helmapplications.yaml
+++ b/config/crds/application.kubesphere.io_helmapplications.yaml
@@ -37,10 +37,14 @@ spec:
        description: HelmApplication is the Schema for the helmapplications API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
@@ -73,10 +77,13 @@ spec:
            description: HelmApplicationStatus defines the observed state of HelmApplication
            properties:
              latestVersion:
-                description: If this application belong to appStore, latestVersion is the the latest version of the active application version. otherwise latestVersion is the latest version of all application version
+                description: If this application belong to appStore, latestVersion
+                  is the the latest version of the active application version. otherwise
+                  latestVersion is the latest version of all application version
                type: string
              state:
-                description: 'the state of the helm application: draft, submitted, passed, rejected, suspended, active'
+                description: 'the state of the helm application: draft, submitted,
+                  passed, rejected, suspended, active'
                type: string
              statusTime:
                format: date-time
--- a/config/crds/application.kubesphere.io_helmapplicationversions.yaml
+++ b/config/crds/application.kubesphere.io_helmapplicationversions.yaml
@@ -31,13 +31,18 @@ spec:
    name: v1alpha1
    schema:
      openAPIV3Schema:
-        description: HelmApplicationVersion is the Schema for the helmapplicationversions API
+        description: HelmApplicationVersion is the Schema for the helmapplicationversions
+          API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
@@ -47,13 +52,15 @@ spec:
              annotations:
                additionalProperties:
                  type: string
-                description: Annotations are additional mappings uninterpreted by Helm, made available for inspection by other applications.
+                description: Annotations are additional mappings uninterpreted by
+                  Helm, made available for inspection by other applications.
                type: object
              apiVersion:
                description: The API Version of this chart.
                type: string
              appVersion:
-                description: The version of the application enclosed inside of this chart.
+                description: The version of the application enclosed inside of this
+                  chart.
                type: string
              condition:
                description: The condition to check to enable chart
@@ -72,30 +79,39 @@ spec:
              dependencies:
                description: Dependencies are a list of dependencies for a chart.
                items:
-                  description: Dependency describes a chart upon which another chart depends. Dependencies can be used to express developer intent, or to capture the state of a chart.
+                  description: Dependency describes a chart upon which another chart
+                    depends. Dependencies can be used to express developer intent,
+                    or to capture the state of a chart.
                  properties:
                    alias:
                      description: Alias usable alias to be used for the chart
                      type: string
                    condition:
-                      description: A yaml path that resolves to a boolean, used for enabling/disabling charts (e.g. subchart1.enabled )
+                      description: A yaml path that resolves to a boolean, used for
+                        enabling/disabling charts (e.g. subchart1.enabled )
                      type: string
                    enabled:
                      description: Enabled bool determines if chart should be loaded
                      type: boolean
                    name:
-                      description: Name is the name of the dependency. This must mach the name in the dependency's Chart.yaml.
+                      description: Name is the name of the dependency. This must mach
+                        the name in the dependency's Chart.yaml.
                      type: string
                    repository:
-                      description: The URL to the repository. Appending `index.yaml` to this string should result in a URL that can be used to fetch the repository index.
+                      description: The URL to the repository. Appending `index.yaml`
+                        to this string should result in a URL that can be used to
+                        fetch the repository index.
                      type: string
                    tags:
-                      description: Tags can be used to group charts for enabling/disabling together
+                      description: Tags can be used to group charts for enabling/disabling
+                        together
                      items:
                        type: string
                      type: array
                    version:
-                      description: Version is the version (range) of this chart. A lock file will always produce a single version, while a dependency may contain a semantic version range.
+                      description: Version is the version (range) of this chart. A
+                        lock file will always produce a single version, while a dependency
+                        may contain a semantic version range.
                      type: string
                  required:
                  - name
@@ -112,7 +128,8 @@ spec:
                description: chart digest
                type: string
              home:
-                description: The URL to a relevant project page, git repo, or contact person
+                description: The URL to a relevant project page, git repo, or contact
+                  person
                type: string
              icon:
                description: The URL to an icon file.
@@ -123,21 +140,25 @@ spec:
                  type: string
                type: array
              kubeVersion:
-                description: KubeVersion is a SemVer constraint specifying the version of Kubernetes required.
+                description: KubeVersion is a SemVer constraint specifying the version
+                  of Kubernetes required.
                type: string
              maintainers:
-                description: A list of name and URL/email address combinations for the maintainer(s)
+                description: A list of name and URL/email address combinations for
+                  the maintainer(s)
                items:
                  description: Maintainer describes a Chart maintainer.
                  properties:
                    email:
-                      description: Email is an optional email address to contact the named maintainer
+                      description: Email is an optional email address to contact the
+                        named maintainer
                      type: string
                    name:
                      description: Name is a user name or organization name
                      type: string
                    url:
-                      description: URL is an optional URL to an address for the named maintainer
+                      description: URL is an optional URL to an address for the named
+                        maintainer
                      type: string
                  type: object
                type: array
@@ -165,7 +186,8 @@ spec:
                type: string
            type: object
          status:
-            description: HelmApplicationVersionStatus defines the observed state of HelmApplicationVersion
+            description: HelmApplicationVersionStatus defines the observed state of
+              HelmApplicationVersion
            properties:
              audit:
                items:
@@ -179,7 +201,8 @@ spec:
                    operatorType:
                      type: string
                    state:
-                      description: 'audit state: submitted, passed, draft, active, rejected, suspended'
+                      description: 'audit state: submitted, passed, draft, active,
+                        rejected, suspended'
                      type: string
                    time:
                      description: audit time
--- a/config/crds/application.kubesphere.io_helmcategories.yaml
+++ b/config/crds/application.kubesphere.io_helmcategories.yaml
@@ -34,10 +34,14 @@ spec:
        description: HelmCategory is the Schema for the helmcategories API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
--- a/config/crds/application.kubesphere.io_helmreleases.yaml
+++ b/config/crds/application.kubesphere.io_helmreleases.yaml
@@ -43,10 +43,14 @@ spec:
        description: HelmRelease is the Schema for the helmreleases API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
@@ -66,7 +70,8 @@ spec:
                description: The name of the chart which will be installed.
                type: string
              chartVersion:
-                description: Specify the exact chart version to install. If this is not specified, the latest version is installed
+                description: Specify the exact chart version to install. If this is
+                  not specified, the latest version is installed
                type: string
              description:
                description: Message got from frontend
@@ -82,7 +87,9 @@ spec:
                format: byte
                type: string
              version:
-                description: expected release version, when this version is not equal status.version, the release need upgrade this filed should be modified when any filed of the spec modified.
+                description: expected release version, when this version is not equal
+                  status.version, the release need upgrade this filed should be modified
+                  when any filed of the spec modified.
                type: integer
            required:
            - chartName
@@ -94,18 +101,20 @@ spec:
            description: HelmReleaseStatus defines the observed state of HelmRelease
            properties:
              deployStatus:
-                description: deploy status list of history, which will store at most 10 state
+                description: deploy status list of history, which will store at most
+                  10 state
                items:
                  properties:
                    deployTime:
-                      description: deploy time
+                      description: deploy time, upgrade time or check status time
                      format: date-time
                      type: string
                    message:
-                      description: A human readable message indicating details about why the release is in this state.
+                      description: A human readable message indicating details about
+                        why the release is in this state.
                      type: string
                    state:
-                      description: deploy state
+                      description: current state of the release
                      type: string
                  required:
                  - deployTime
@@ -113,7 +122,7 @@ spec:
                  type: object
                type: array
              lastDeployed:
-                description: last successful deploy time
+                description: last deploy time or upgrade time
                format: date-time
                type: string
              lastUpdate:
@@ -121,7 +130,8 @@ spec:
                format: date-time
                type: string
              message:
-                description: A human readable message indicating details about why the release is in this state.
+                description: A human readable message indicating details about why
+                  the release is in this state.
                type: string
              state:
                description: current state
--- a/config/crds/application.kubesphere.io_helmrepos.yaml
+++ b/config/crds/application.kubesphere.io_helmrepos.yaml
@@ -40,10 +40,14 @@ spec:
        description: HelmRepo is the Schema for the helmrepoes API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
@@ -56,13 +60,16 @@ spec:
                  accessKeyID:
                    type: string
                  caFile:
-                    description: verify certificates of HTTPS-enabled servers using this CA bundle
+                    description: verify certificates of HTTPS-enabled servers using
+                      this CA bundle
                    type: string
                  certFile:
-                    description: identify HTTPS client using this SSL certificate file
+                    description: identify HTTPS client using this SSL certificate
+                      file
                    type: string
                  insecureSkipTLSVerify:
-                    description: skip tls certificate checks for the repository, default is ture
+                    description: skip tls certificate checks for the repository, default
+                      is ture
                    type: boolean
                  keyFile:
                    description: identify HTTPS client using this SSL key file
@@ -83,13 +90,16 @@ spec:
                description: name of the repo
                type: string
              syncPeriod:
-                description: sync period in seconds, no sync when SyncPeriod=0, the minimum SyncPeriod is 180s
+                description: sync period in seconds, no sync when SyncPeriod=0, the
+                  minimum SyncPeriod is 180s
                type: integer
              url:
                description: helm repo url
                type: string
              version:
-                description: expected repo version, when this version is not equal status.version, the repo need upgrade this filed should be modified when any filed of the spec modified.
+                description: expected repo version, when this version is not equal
+                  status.version, the repo need upgrade this filed should be modified
+                  when any filed of the spec modified.
                type: integer
            required:
            - name
@@ -109,14 +119,17 @@ spec:
                description: current state of the repo, successful, failed or syncing
                type: string
              syncState:
-                description: sync state list of history, which will store at most 10 state
+                description: sync state list of history, which will store at most
+                  10 state
                items:
                  properties:
                    message:
-                      description: A human readable message indicating details about why the repo is in this state.
+                      description: A human readable message indicating details about
+                        why the repo is in this state.
                      type: string
                    state:
-                      description: 'last sync state, valid state are: "failed", "success", and ""'
+                      description: 'last sync state, valid state are: "failed", "success",
+                        and ""'
                      type: string
                    syncTime:
                      format: date-time
@@ -126,7 +139,8 @@ spec:
                  type: object
                type: array
              version:
-                description: if status.version!=spec.Version, we need sync the repo now
+                description: if status.version!=spec.Version, we need sync the repo
+                  now
                type: integer
            type: object
        type: object
--- a/config/crds/auditing.kubesphere.io_rules.yaml
+++ b/config/crds/auditing.kubesphere.io_rules.yaml
@@ -1,92 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: rules.auditing.kubesphere.io
-spec:
-  group: auditing.kubesphere.io
-  names:
-    kind: Rule
-    listKind: RuleList
-    plural: rules
-    singular: rule
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      description: Rule is the Schema for the rules API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: AuditRuleSpec defines the desired state of Rule
-          properties:
-            rules:
-              items:
-                properties:
-                  alias:
-                    description: This effective When the rule type is alias
-                    type: string
-                  condition:
-                    description: Rule condition This effective When the rule type
-                      is rule
-                    type: string
-                  desc:
-                    description: Rule describe
-                    type: string
-                  enable:
-                    description: Is the rule enable
-                    type: boolean
-                  list:
-                    description: This effective When the rule type is list
-                    items:
-                      type: string
-                    type: array
-                  macro:
-                    description: This effective When the rule type is macro
-                    type: string
-                  name:
-                    description: Rule name
-                    type: string
-                  output:
-                    description: The output formater of message which send to user
-                    type: string
-                  priority:
-                    description: Rule priority, DEBUG, INFO, WARNING
-                    type: string
-                  type:
-                    description: Rule type, rule, macro,list,alias
-                    type: string
-                required:
-                - enable
-                type: object
-              type: array
-          type: object
-        status:
-          description: AuditRuleStatus defines the observed state of Rule
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/auditing.kubesphere.io_webhooks.yaml
+++ b/config/crds/auditing.kubesphere.io_webhooks.yaml
@@ -1,915 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: webhooks.auditing.kubesphere.io
-spec:
-  group: auditing.kubesphere.io
-  names:
-    kind: Webhook
-    listKind: WebhookList
-    plural: webhooks
-    singular: webhook
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      description: Webhook is the Schema for the webhooks API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: WebhookSpec defines the desired state of Webhook
-          properties:
-            affinity:
-              description: If specified, the pod's scheduling constraints
-              properties:
-                nodeAffinity:
-                  description: Describes node affinity scheduling rules for the pod.
-                  properties:
-                    preferredDuringSchedulingIgnoredDuringExecution:
-                      description: The scheduler will prefer to schedule pods to nodes
-                        that satisfy the affinity expressions specified by this field,
-                        but it may choose a node that violates one or more of the
-                        expressions. The node that is most preferred is the one with
-                        the greatest sum of weights, i.e. for each node that meets
-                        all of the scheduling requirements (resource request, requiredDuringScheduling
-                        affinity expressions, etc.), compute a sum by iterating through
-                        the elements of this field and adding "weight" to the sum
-                        if the node matches the corresponding matchExpressions; the
-                        node(s) with the highest sum are the most preferred.
-                      items:
-                        description: An empty preferred scheduling term matches all
-                          objects with implicit weight 0 (i.e. it's a no-op). A null
-                          preferred scheduling term matches no objects (i.e. is also
-                          a no-op).
-                        properties:
-                          preference:
-                            description: A node selector term, associated with the
-                              corresponding weight.
-                            properties:
-                              matchExpressions:
-                                description: A list of node selector requirements
-                                  by node's labels.
-                                items:
-                                  description: A node selector requirement is a selector
-                                    that contains values, a key, and an operator that
-                                    relates the key and values.
-                                  properties:
-                                    key:
-                                      description: The label key that the selector
-                                        applies to.
-                                      type: string
-                                    operator:
-                                      description: Represents a key's relationship
-                                        to a set of values. Valid operators are In,
-                                        NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                      type: string
-                                    values:
-                                      description: An array of string values. If the
-                                        operator is In or NotIn, the values array
-                                        must be non-empty. If the operator is Exists
-                                        or DoesNotExist, the values array must be
-                                        empty. If the operator is Gt or Lt, the values
-                                        array must have a single element, which will
-                                        be interpreted as an integer. This array is
-                                        replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchFields:
-                                description: A list of node selector requirements
-                                  by node's fields.
-                                items:
-                                  description: A node selector requirement is a selector
-                                    that contains values, a key, and an operator that
-                                    relates the key and values.
-                                  properties:
-                                    key:
-                                      description: The label key that the selector
-                                        applies to.
-                                      type: string
-                                    operator:
-                                      description: Represents a key's relationship
-                                        to a set of values. Valid operators are In,
-                                        NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                      type: string
-                                    values:
-                                      description: An array of string values. If the
-                                        operator is In or NotIn, the values array
-                                        must be non-empty. If the operator is Exists
-                                        or DoesNotExist, the values array must be
-                                        empty. If the operator is Gt or Lt, the values
-                                        array must have a single element, which will
-                                        be interpreted as an integer. This array is
-                                        replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                            type: object
-                          weight:
-                            description: Weight associated with matching the corresponding
-                              nodeSelectorTerm, in the range 1-100.
-                            format: int32
-                            type: integer
-                        required:
-                        - preference
-                        - weight
-                        type: object
-                      type: array
-                    requiredDuringSchedulingIgnoredDuringExecution:
-                      description: If the affinity requirements specified by this
-                        field are not met at scheduling time, the pod will not be
-                        scheduled onto the node. If the affinity requirements specified
-                        by this field cease to be met at some point during pod execution
-                        (e.g. due to an update), the system may or may not try to
-                        eventually evict the pod from its node.
-                      properties:
-                        nodeSelectorTerms:
-                          description: Required. A list of node selector terms. The
-                            terms are ORed.
-                          items:
-                            description: A null or empty node selector term matches
-                              no objects. The requirements of them are ANDed. The
-                              TopologySelectorTerm type implements a subset of the
-                              NodeSelectorTerm.
-                            properties:
-                              matchExpressions:
-                                description: A list of node selector requirements
-                                  by node's labels.
-                                items:
-                                  description: A node selector requirement is a selector
-                                    that contains values, a key, and an operator that
-                                    relates the key and values.
-                                  properties:
-                                    key:
-                                      description: The label key that the selector
-                                        applies to.
-                                      type: string
-                                    operator:
-                                      description: Represents a key's relationship
-                                        to a set of values. Valid operators are In,
-                                        NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                      type: string
-                                    values:
-                                      description: An array of string values. If the
-                                        operator is In or NotIn, the values array
-                                        must be non-empty. If the operator is Exists
-                                        or DoesNotExist, the values array must be
-                                        empty. If the operator is Gt or Lt, the values
-                                        array must have a single element, which will
-                                        be interpreted as an integer. This array is
-                                        replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchFields:
-                                description: A list of node selector requirements
-                                  by node's fields.
-                                items:
-                                  description: A node selector requirement is a selector
-                                    that contains values, a key, and an operator that
-                                    relates the key and values.
-                                  properties:
-                                    key:
-                                      description: The label key that the selector
-                                        applies to.
-                                      type: string
-                                    operator:
-                                      description: Represents a key's relationship
-                                        to a set of values. Valid operators are In,
-                                        NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                      type: string
-                                    values:
-                                      description: An array of string values. If the
-                                        operator is In or NotIn, the values array
-                                        must be non-empty. If the operator is Exists
-                                        or DoesNotExist, the values array must be
-                                        empty. If the operator is Gt or Lt, the values
-                                        array must have a single element, which will
-                                        be interpreted as an integer. This array is
-                                        replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                            type: object
-                          type: array
-                      required:
-                      - nodeSelectorTerms
-                      type: object
-                  type: object
-                podAffinity:
-                  description: Describes pod affinity scheduling rules (e.g. co-locate
-                    this pod in the same node, zone, etc. as some other pod(s)).
-                  properties:
-                    preferredDuringSchedulingIgnoredDuringExecution:
-                      description: The scheduler will prefer to schedule pods to nodes
-                        that satisfy the affinity expressions specified by this field,
-                        but it may choose a node that violates one or more of the
-                        expressions. The node that is most preferred is the one with
-                        the greatest sum of weights, i.e. for each node that meets
-                        all of the scheduling requirements (resource request, requiredDuringScheduling
-                        affinity expressions, etc.), compute a sum by iterating through
-                        the elements of this field and adding "weight" to the sum
-                        if the node has pods which matches the corresponding podAffinityTerm;
-                        the node(s) with the highest sum are the most preferred.
-                      items:
-                        description: The weights of all of the matched WeightedPodAffinityTerm
-                          fields are added per-node to find the most preferred node(s)
-                        properties:
-                          podAffinityTerm:
-                            description: Required. A pod affinity term, associated
-                              with the corresponding weight.
-                            properties:
-                              labelSelector:
-                                description: A label query over a set of resources,
-                                  in this case pods.
-                                properties:
-                                  matchExpressions:
-                                    description: matchExpressions is a list of label
-                                      selector requirements. The requirements are
-                                      ANDed.
-                                    items:
-                                      description: A label selector requirement is
-                                        a selector that contains values, a key, and
-                                        an operator that relates the key and values.
-                                      properties:
-                                        key:
-                                          description: key is the label key that the
-                                            selector applies to.
-                                          type: string
-                                        operator:
-                                          description: operator represents a key's
-                                            relationship to a set of values. Valid
-                                            operators are In, NotIn, Exists and DoesNotExist.
-                                          type: string
-                                        values:
-                                          description: values is an array of string
-                                            values. If the operator is In or NotIn,
-                                            the values array must be non-empty. If
-                                            the operator is Exists or DoesNotExist,
-                                            the values array must be empty. This array
-                                            is replaced during a strategic merge patch.
-                                          items:
-                                            type: string
-                                          type: array
-                                      required:
-                                      - key
-                                      - operator
-                                      type: object
-                                    type: array
-                                  matchLabels:
-                                    additionalProperties:
-                                      type: string
-                                    description: matchLabels is a map of {key,value}
-                                      pairs. A single {key,value} in the matchLabels
-                                      map is equivalent to an element of matchExpressions,
-                                      whose key field is "key", the operator is "In",
-                                      and the values array contains only "value".
-                                      The requirements are ANDed.
-                                    type: object
-                                type: object
-                              namespaces:
-                                description: namespaces specifies which namespaces
-                                  the labelSelector applies to (matches against);
-                                  null or empty list means "this pod's namespace"
-                                items:
-                                  type: string
-                                type: array
-                              topologyKey:
-                                description: This pod should be co-located (affinity)
-                                  or not co-located (anti-affinity) with the pods
-                                  matching the labelSelector in the specified namespaces,
-                                  where co-located is defined as running on a node
-                                  whose value of the label with key topologyKey matches
-                                  that of any node on which any of the selected pods
-                                  is running. Empty topologyKey is not allowed.
-                                type: string
-                            required:
-                            - topologyKey
-                            type: object
-                          weight:
-                            description: weight associated with matching the corresponding
-                              podAffinityTerm, in the range 1-100.
-                            format: int32
-                            type: integer
-                        required:
-                        - podAffinityTerm
-                        - weight
-                        type: object
-                      type: array
-                    requiredDuringSchedulingIgnoredDuringExecution:
-                      description: If the affinity requirements specified by this
-                        field are not met at scheduling time, the pod will not be
-                        scheduled onto the node. If the affinity requirements specified
-                        by this field cease to be met at some point during pod execution
-                        (e.g. due to a pod label update), the system may or may not
-                        try to eventually evict the pod from its node. When there
-                        are multiple elements, the lists of nodes corresponding to
-                        each podAffinityTerm are intersected, i.e. all terms must
-                        be satisfied.
-                      items:
-                        description: Defines a set of pods (namely those matching
-                          the labelSelector relative to the given namespace(s)) that
-                          this pod should be co-located (affinity) or not co-located
-                          (anti-affinity) with, where co-located is defined as running
-                          on a node whose value of the label with key <topologyKey>
-                          matches that of any node on which a pod of the set of pods
-                          is running
-                        properties:
-                          labelSelector:
-                            description: A label query over a set of resources, in
-                              this case pods.
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector
-                                  requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector
-                                    that contains values, a key, and an operator that
-                                    relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector
-                                        applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship
-                                        to a set of values. Valid operators are In,
-                                        NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values.
-                                        If the operator is In or NotIn, the values
-                                        array must be non-empty. If the operator is
-                                        Exists or DoesNotExist, the values array must
-                                        be empty. This array is replaced during a
-                                        strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs.
-                                  A single {key,value} in the matchLabels map is equivalent
-                                  to an element of matchExpressions, whose key field
-                                  is "key", the operator is "In", and the values array
-                                  contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                          namespaces:
-                            description: namespaces specifies which namespaces the
-                              labelSelector applies to (matches against); null or
-                              empty list means "this pod's namespace"
-                            items:
-                              type: string
-                            type: array
-                          topologyKey:
-                            description: This pod should be co-located (affinity)
-                              or not co-located (anti-affinity) with the pods matching
-                              the labelSelector in the specified namespaces, where
-                              co-located is defined as running on a node whose value
-                              of the label with key topologyKey matches that of any
-                              node on which any of the selected pods is running. Empty
-                              topologyKey is not allowed.
-                            type: string
-                        required:
-                        - topologyKey
-                        type: object
-                      type: array
-                  type: object
-                podAntiAffinity:
-                  description: Describes pod anti-affinity scheduling rules (e.g.
-                    avoid putting this pod in the same node, zone, etc. as some other
-                    pod(s)).
-                  properties:
-                    preferredDuringSchedulingIgnoredDuringExecution:
-                      description: The scheduler will prefer to schedule pods to nodes
-                        that satisfy the anti-affinity expressions specified by this
-                        field, but it may choose a node that violates one or more
-                        of the expressions. The node that is most preferred is the
-                        one with the greatest sum of weights, i.e. for each node that
-                        meets all of the scheduling requirements (resource request,
-                        requiredDuringScheduling anti-affinity expressions, etc.),
-                        compute a sum by iterating through the elements of this field
-                        and adding "weight" to the sum if the node has pods which
-                        matches the corresponding podAffinityTerm; the node(s) with
-                        the highest sum are the most preferred.
-                      items:
-                        description: The weights of all of the matched WeightedPodAffinityTerm
-                          fields are added per-node to find the most preferred node(s)
-                        properties:
-                          podAffinityTerm:
-                            description: Required. A pod affinity term, associated
-                              with the corresponding weight.
-                            properties:
-                              labelSelector:
-                                description: A label query over a set of resources,
-                                  in this case pods.
-                                properties:
-                                  matchExpressions:
-                                    description: matchExpressions is a list of label
-                                      selector requirements. The requirements are
-                                      ANDed.
-                                    items:
-                                      description: A label selector requirement is
-                                        a selector that contains values, a key, and
-                                        an operator that relates the key and values.
-                                      properties:
-                                        key:
-                                          description: key is the label key that the
-                                            selector applies to.
-                                          type: string
-                                        operator:
-                                          description: operator represents a key's
-                                            relationship to a set of values. Valid
-                                            operators are In, NotIn, Exists and DoesNotExist.
-                                          type: string
-                                        values:
-                                          description: values is an array of string
-                                            values. If the operator is In or NotIn,
-                                            the values array must be non-empty. If
-                                            the operator is Exists or DoesNotExist,
-                                            the values array must be empty. This array
-                                            is replaced during a strategic merge patch.
-                                          items:
-                                            type: string
-                                          type: array
-                                      required:
-                                      - key
-                                      - operator
-                                      type: object
-                                    type: array
-                                  matchLabels:
-                                    additionalProperties:
-                                      type: string
-                                    description: matchLabels is a map of {key,value}
-                                      pairs. A single {key,value} in the matchLabels
-                                      map is equivalent to an element of matchExpressions,
-                                      whose key field is "key", the operator is "In",
-                                      and the values array contains only "value".
-                                      The requirements are ANDed.
-                                    type: object
-                                type: object
-                              namespaces:
-                                description: namespaces specifies which namespaces
-                                  the labelSelector applies to (matches against);
-                                  null or empty list means "this pod's namespace"
-                                items:
-                                  type: string
-                                type: array
-                              topologyKey:
-                                description: This pod should be co-located (affinity)
-                                  or not co-located (anti-affinity) with the pods
-                                  matching the labelSelector in the specified namespaces,
-                                  where co-located is defined as running on a node
-                                  whose value of the label with key topologyKey matches
-                                  that of any node on which any of the selected pods
-                                  is running. Empty topologyKey is not allowed.
-                                type: string
-                            required:
-                            - topologyKey
-                            type: object
-                          weight:
-                            description: weight associated with matching the corresponding
-                              podAffinityTerm, in the range 1-100.
-                            format: int32
-                            type: integer
-                        required:
-                        - podAffinityTerm
-                        - weight
-                        type: object
-                      type: array
-                    requiredDuringSchedulingIgnoredDuringExecution:
-                      description: If the anti-affinity requirements specified by
-                        this field are not met at scheduling time, the pod will not
-                        be scheduled onto the node. If the anti-affinity requirements
-                        specified by this field cease to be met at some point during
-                        pod execution (e.g. due to a pod label update), the system
-                        may or may not try to eventually evict the pod from its node.
-                        When there are multiple elements, the lists of nodes corresponding
-                        to each podAffinityTerm are intersected, i.e. all terms must
-                        be satisfied.
-                      items:
-                        description: Defines a set of pods (namely those matching
-                          the labelSelector relative to the given namespace(s)) that
-                          this pod should be co-located (affinity) or not co-located
-                          (anti-affinity) with, where co-located is defined as running
-                          on a node whose value of the label with key <topologyKey>
-                          matches that of any node on which a pod of the set of pods
-                          is running
-                        properties:
-                          labelSelector:
-                            description: A label query over a set of resources, in
-                              this case pods.
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector
-                                  requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector
-                                    that contains values, a key, and an operator that
-                                    relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector
-                                        applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship
-                                        to a set of values. Valid operators are In,
-                                        NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values.
-                                        If the operator is In or NotIn, the values
-                                        array must be non-empty. If the operator is
-                                        Exists or DoesNotExist, the values array must
-                                        be empty. This array is replaced during a
-                                        strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs.
-                                  A single {key,value} in the matchLabels map is equivalent
-                                  to an element of matchExpressions, whose key field
-                                  is "key", the operator is "In", and the values array
-                                  contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                          namespaces:
-                            description: namespaces specifies which namespaces the
-                              labelSelector applies to (matches against); null or
-                              empty list means "this pod's namespace"
-                            items:
-                              type: string
-                            type: array
-                          topologyKey:
-                            description: This pod should be co-located (affinity)
-                              or not co-located (anti-affinity) with the pods matching
-                              the labelSelector in the specified namespaces, where
-                              co-located is defined as running on a node whose value
-                              of the label with key topologyKey matches that of any
-                              node on which any of the selected pods is running. Empty
-                              topologyKey is not allowed.
-                            type: string
-                        required:
-                        - topologyKey
-                        type: object
-                      type: array
-                  type: object
-              type: object
-            args:
-              description: Arguments to the entrypoint.. It will be appended to the
-                args and replace the default value.
-              items:
-                type: string
-              type: array
-            auditLevel:
-              description: 'The Level that all requests are recorded at. available
-                options: None, Metadata, Request, RequestResponse default: Metadata'
-              type: string
-            auditSinkPolicy:
-              description: AuditSinkPolicy is a rule selector, only the rule matched
-                this selector will be taked effect.
-              properties:
-                alertingRuleSelector:
-                  description: A label selector is a label query over a set of resources.
-                    The result of matchLabels and matchExpressions are ANDed. An empty
-                    label selector matches all objects. A null label selector matches
-                    no objects.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements.
-                        The requirements are ANDed.
-                      items:
-                        description: A label selector requirement is a selector that
-                          contains values, a key, and an operator that relates the
-                          key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies
-                              to.
-                            type: string
-                          operator:
-                            description: operator represents a key's relationship
-                              to a set of values. Valid operators are In, NotIn, Exists
-                              and DoesNotExist.
-                            type: string
-                          values:
-                            description: values is an array of string values. If the
-                              operator is In or NotIn, the values array must be non-empty.
-                              If the operator is Exists or DoesNotExist, the values
-                              array must be empty. This array is replaced during a
-                              strategic merge patch.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - key
-                        - operator
-                        type: object
-                      type: array
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: matchLabels is a map of {key,value} pairs. A single
-                        {key,value} in the matchLabels map is equivalent to an element
-                        of matchExpressions, whose key field is "key", the operator
-                        is "In", and the values array contains only "value". The requirements
-                        are ANDed.
-                      type: object
-                  type: object
-                archivingRuleSelector:
-                  description: A label selector is a label query over a set of resources.
-                    The result of matchLabels and matchExpressions are ANDed. An empty
-                    label selector matches all objects. A null label selector matches
-                    no objects.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements.
-                        The requirements are ANDed.
-                      items:
-                        description: A label selector requirement is a selector that
-                          contains values, a key, and an operator that relates the
-                          key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies
-                              to.
-                            type: string
-                          operator:
-                            description: operator represents a key's relationship
-                              to a set of values. Valid operators are In, NotIn, Exists
-                              and DoesNotExist.
-                            type: string
-                          values:
-                            description: values is an array of string values. If the
-                              operator is In or NotIn, the values array must be non-empty.
-                              If the operator is Exists or DoesNotExist, the values
-                              array must be empty. This array is replaced during a
-                              strategic merge patch.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - key
-                        - operator
-                        type: object
-                      type: array
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: matchLabels is a map of {key,value} pairs. A single
-                        {key,value} in the matchLabels map is equivalent to an element
-                        of matchExpressions, whose key field is "key", the operator
-                        is "In", and the values array contains only "value". The requirements
-                        are ANDed.
-                      type: object
-                  type: object
-              type: object
-            auditType:
-              description: Audit type, static or dynamic.
-              type: string
-            image:
-              description: The webhook docker image name.
-              type: string
-            imagePullPolicy:
-              description: 'Image pull policy. One of Always, Never, IfNotPresent.
-                Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
-                Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'
-              type: string
-            imagePullSecrets:
-              description: 'ImagePullSecrets is an optional list of references to
-                secrets in the same namespace to use for pulling any of the images
-                used by this PodSpec. If specified, these secrets will be passed to
-                individual puller implementations for them to use. For example, in
-                the case of docker, only DockerConfig type secrets are honored. More
-                info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod'
-              items:
-                description: LocalObjectReference contains enough information to let
-                  you locate the referenced object inside the same namespace.
-                properties:
-                  name:
-                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                      TODO: Add other useful fields. apiVersion, kind, uid?'
-                    type: string
-                type: object
-              type: array
-            k8sAuditingEnabled:
-              description: K8s auditing is enabled or not.
-              type: boolean
-            nodeSelector:
-              additionalProperties:
-                type: string
-              description: 'NodeSelector is a selector which must be true for the
-                pod to fit on a node. Selector which must match a node''s labels for
-                the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-              type: object
-            priority:
-              description: Rule priority, DEBUG < INFO < WARNING Audit events will
-                be stored only when the priority of the audit rule matching the audit
-                event is greater than this.
-              type: string
-            receivers:
-              description: ' Receiver contains the information to make a connection
-                with the alertmanager'
-              items:
-                description: Receiver config which received the audit alert
-                properties:
-                  config:
-                    description: ClientConfig holds the connection parameters for
-                      the webhook
-                    properties:
-                      caBundle:
-                        description: '`caBundle` is a PEM encoded CA bundle which
-                          will be used to validate the webhook''s server certificate.
-                          If unspecified, system trust roots on the apiserver are
-                          used.'
-                        format: byte
-                        type: string
-                      service:
-                        description: "`service` is a reference to the service for
-                          this webhook. Either `service` or `url` must be specified.
-                          \n If the webhook is running within the cluster, then you
-                          should use `service`."
-                        properties:
-                          name:
-                            description: '`name` is the name of the service. Required'
-                            type: string
-                          namespace:
-                            description: '`namespace` is the namespace of the service.
-                              Required'
-                            type: string
-                          path:
-                            description: '`path` is an optional URL path which will
-                              be sent in any request to this service.'
-                            type: string
-                          port:
-                            description: If specified, the port on the service that
-                              hosting webhook. Default to 443 for backward compatibility.
-                              `port` should be a valid port number (1-65535, inclusive).
-                            format: int32
-                            type: integer
-                        required:
-                        - name
-                        - namespace
-                        type: object
-                      url:
-                        description: "`url` gives the location of the webhook, in
-                          standard URL form (`scheme://host:port/path`). Exactly one
-                          of `url` or `service` must be specified. \n The `host` should
-                          not refer to a service running in the cluster; use the `service`
-                          field instead. The host might be resolved via external DNS
-                          in some apiservers (e.g., `kube-apiserver` cannot resolve
-                          in-cluster DNS as that would be a layering violation). `host`
-                          may also be an IP address. \n Please note that using `localhost`
-                          or `127.0.0.1` as a `host` is risky unless you take great
-                          care to run this webhook on all hosts which run an apiserver
-                          which might need to make calls to this webhook. Such installs
-                          are likely to be non-portable, i.e., not easy to turn up
-                          in a new cluster. \n The scheme must be \"https\"; the URL
-                          must begin with \"https://\". \n A path is optional, and
-                          if present may be any string permissible in a URL. You may
-                          use the path to pass an arbitrary string to the webhook,
-                          for example, a cluster identifier. \n Attempting to use
-                          a user or basic auth e.g. \"user:password@\" is not allowed.
-                          Fragments (\"#...\") and query parameters (\"?...\") are
-                          not allowed, either."
-                        type: string
-                    type: object
-                  name:
-                    description: Receiver name
-                    type: string
-                  type:
-                    description: Receiver type, alertmanager or webhook
-                    type: string
-                type: object
-              type: array
-            replicas:
-              description: Number of desired pods. This is a pointer to distinguish
-                between explicit zero and not specified. Defaults to 1.
-              format: int32
-              type: integer
-            resources:
-              description: 'Compute Resources required by this container. Cannot be
-                updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
-              properties:
-                limits:
-                  additionalProperties:
-                    type: string
-                  description: 'Limits describes the maximum amount of compute resources
-                    allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
-                  type: object
-                requests:
-                  additionalProperties:
-                    type: string
-                  description: 'Requests describes the minimum amount of compute resources
-                    required. If Requests is omitted for a container, it defaults
-                    to Limits if that is explicitly specified, otherwise to an implementation-defined
-                    value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
-                  type: object
-              type: object
-            tolerations:
-              description: If specified, the pod's tolerations.
-              items:
-                description: The pod this Toleration is attached to tolerates any
-                  taint that matches the triple <key,value,effect> using the matching
-                  operator <operator>.
-                properties:
-                  effect:
-                    description: Effect indicates the taint effect to match. Empty
-                      means match all taint effects. When specified, allowed values
-                      are NoSchedule, PreferNoSchedule and NoExecute.
-                    type: string
-                  key:
-                    description: Key is the taint key that the toleration applies
-                      to. Empty means match all taint keys. If the key is empty, operator
-                      must be Exists; this combination means to match all values and
-                      all keys.
-                    type: string
-                  operator:
-                    description: Operator represents a key's relationship to the value.
-                      Valid operators are Exists and Equal. Defaults to Equal. Exists
-                      is equivalent to wildcard for value, so that a pod can tolerate
-                      all taints of a particular category.
-                    type: string
-                  tolerationSeconds:
-                    description: TolerationSeconds represents the period of time the
-                      toleration (which must be of effect NoExecute, otherwise this
-                      field is ignored) tolerates the taint. By default, it is not
-                      set, which means tolerate the taint forever (do not evict).
-                      Zero and negative values will be treated as 0 (evict immediately)
-                      by the system.
-                    format: int64
-                    type: integer
-                  value:
-                    description: Value is the taint value the toleration matches to.
-                      If the operator is Exists, the value should be empty, otherwise
-                      just a regular string.
-                    type: string
-                type: object
-              type: array
-          type: object
-        status:
-          description: WebhookStatus defines the observed state of Webhook
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/cluster.kubesphere.io_clusters.yaml
+++ b/config/crds/cluster.kubesphere.io_clusters.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -8,19 +8,6 @@ metadata:
  creationTimestamp: null
  name: clusters.cluster.kubesphere.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.joinFederation
-    name: Federated
-    type: boolean
-  - JSONPath: .spec.provider
-    name: Provider
-    type: string
-  - JSONPath: .spec.enable
-    name: Active
-    type: boolean
-  - JSONPath: .status.kubernetesVersion
-    name: Version
-    type: string
  group: cluster.kubesphere.io
  names:
    kind: Cluster
@@ -28,143 +15,173 @@ spec:
    plural: clusters
    singular: cluster
  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: Cluster is the schema for the clusters API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            connection:
-              description: Connection holds info to connect to the member cluster
-              properties:
-                kubeconfig:
-                  description: KubeConfig content used to connect to cluster api server
-                    Should provide this field explicitly if connection type is direct.
-                    Will be populated by ks-proxy if connection type is proxy.
-                  format: byte
-                  type: string
-                kubernetesAPIEndpoint:
-                  description: 'Kubernetes API Server endpoint. Example: https://10.10.0.1:6443
-                    Should provide this field explicitly if connection type is direct.
-                    Will be populated by ks-apiserver if connection type is proxy.'
-                  type: string
-                kubernetesAPIServerPort:
-                  description: KubeAPIServerPort is the port which listens for forwarding
-                    kube-apiserver traffic Only applicable when connection type is
-                    proxy.
-                  type: integer
-                kubesphereAPIEndpoint:
-                  description: 'KubeSphere API Server endpoint. Example: http://10.10.0.11:8080
-                    Should provide this field explicitly if connection type is direct.
-                    Will be populated by ks-apiserver if connection type is proxy.'
-                  type: string
-                kubesphereAPIServerPort:
-                  description: KubeSphereAPIServerPort is the port which listens for
-                    forwarding kubesphere apigateway traffic Only applicable when
-                    connection type is proxy.
-                  type: integer
-                token:
-                  description: Token used by agents of member cluster to connect to
-                    host cluster proxy. This field is populated by apiserver only
-                    if connection type is proxy.
-                  type: string
-                type:
-                  description: type defines how host cluster will connect to host
-                    cluster ConnectionTypeDirect means direct connection, this requires   kubeconfig
-                    and kubesphere apiserver endpoint provided ConnectionTypeProxy
-                    means using kubesphere proxy, no kubeconfig   or kubesphere apiserver
-                    endpoint required
-                  type: string
-              type: object
-            enable:
-              description: Desired state of the cluster
-              type: boolean
-            joinFederation:
-              description: Join cluster as a kubefed cluster
-              type: boolean
-            provider:
-              description: Provider of the cluster, this field is just for description
-              type: string
-          type: object
-        status:
-          properties:
-            conditions:
-              description: Represents the latest available observations of a cluster's
-                current state.
-              items:
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.joinFederation
+      name: Federated
+      type: boolean
+    - jsonPath: .spec.provider
+      name: Provider
+      type: string
+    - jsonPath: .spec.enable
+      name: Active
+      type: boolean
+    - jsonPath: .status.kubernetesVersion
+      name: Version
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Cluster is the schema for the clusters API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              connection:
+                description: Connection holds info to connect to the member cluster
                properties:
-                  lastTransitionTime:
-                    description: Last time the condition transitioned from one status
-                      to another.
-                    format: date-time
+                  externalKubernetesAPIEndpoint:
+                    description: External Kubernetes API Server endpoint Will be populated
+                      by ks-apiserver if connection type is proxy and ExternalKubeAPIEnabled
+                      is true.
                    type: string
-                  lastUpdateTime:
-                    description: The last time this condition was updated.
-                    format: date-time
+                  kubeconfig:
+                    description: KubeConfig content used to connect to cluster api
+                      server Should provide this field explicitly if connection type
+                      is direct. Will be populated by ks-proxy if connection type
+                      is proxy.
+                    format: byte
                    type: string
-                  message:
-                    description: A human readable message indicating details about
-                      the transition.
+                  kubernetesAPIEndpoint:
+                    description: 'Kubernetes API Server endpoint. Example: https://10.10.0.1:6443
+                      Should provide this field explicitly if connection type is direct.
+                      Will be populated by ks-apiserver if connection type is proxy.'
                    type: string
-                  reason:
-                    description: The reason for the condition's last transition.
+                  kubernetesAPIServerPort:
+                    description: KubeAPIServerPort is the port which listens for forwarding
+                      kube-apiserver traffic Only applicable when connection type
+                      is proxy.
+                    type: integer
+                  kubesphereAPIEndpoint:
+                    description: 'KubeSphere API Server endpoint. Example: http://10.10.0.11:8080
+                      Should provide this field explicitly if connection type is direct.
+                      Will be populated by ks-apiserver if connection type is proxy.'
                    type: string
-                  status:
-                    description: Status of the condition, one of True, False, Unknown.
+                  kubesphereAPIServerPort:
+                    description: KubeSphereAPIServerPort is the port which listens
+                      for forwarding kubesphere apigateway traffic Only applicable
+                      when connection type is proxy.
+                    type: integer
+                  token:
+                    description: Token used by agents of member cluster to connect
+                      to host cluster proxy. This field is populated by apiserver
+                      only if connection type is proxy.
                    type: string
                  type:
-                    description: Type of the condition
+                    description: type defines how host cluster will connect to host
+                      cluster ConnectionTypeDirect means direct connection, this requires   kubeconfig
+                      and kubesphere apiserver endpoint provided ConnectionTypeProxy
+                      means using kubesphere proxy, no kubeconfig   or kubesphere
+                      apiserver endpoint required
                    type: string
-                required:
-                - status
-                - type
                type: object
-              type: array
-            configz:
-              additionalProperties:
+              enable:
+                description: Desired state of the cluster
                type: boolean
-              description: Configz is status of components enabled in the member cluster.
-                This is synchronized with member cluster every amount of time, like
-                5 minutes.
-              type: object
-            kubernetesVersion:
-              description: GitVersion of the kubernetes cluster, this field is populated
-                by cluster controller
-              type: string
-            nodeCount:
-              description: Count of the kubernetes cluster nodes This field may not
-                reflect the instant status of the cluster.
-              type: integer
-            region:
-              description: Region is the name of the region in which all of the nodes
-                in the cluster exist.  e.g. 'us-east1'.
-              type: string
-            zones:
-              description: Zones are the names of availability zones in which the
-                nodes of the cluster exist, e.g. 'us-east1-a'.
-              items:
+              externalKubeAPIEnabled:
+                description: ExternalKubeAPIEnabled export kubeapiserver to public
+                  use a lb type service if connection type is proxy
+                type: boolean
+              joinFederation:
+                description: Join cluster as a kubefed cluster
+                type: boolean
+              provider:
+                description: Provider of the cluster, this field is just for description
                type: string
-              type: array
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Represents the latest available observations of a cluster's
+                  current state.
+                items:
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    lastUpdateTime:
+                      description: The last time this condition was updated.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of the condition
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              configz:
+                additionalProperties:
+                  type: boolean
+                description: Configz is status of components enabled in the member
+                  cluster. This is synchronized with member cluster every amount of
+                  time, like 5 minutes.
+                type: object
+              kubeSphereVersion:
+                description: GitVersion of the /kapis/version api response, this field
+                  is populated by cluster controller
+                type: string
+              kubernetesVersion:
+                description: GitVersion of the kubernetes cluster, this field is populated
+                  by cluster controller
+                type: string
+              nodeCount:
+                description: Count of the kubernetes cluster nodes This field may
+                  not reflect the instant status of the cluster.
+                type: integer
+              region:
+                description: Region is the name of the region in which all of the
+                  nodes in the cluster exist.  e.g. 'us-east1'.
+                type: string
+              uid:
+                description: UID is the kube-system namespace UID of the cluster,
+                  which represents the unique ID of the cluster.
+                type: string
+              zones:
+                description: Zones are the names of availability zones in which the
+                  nodes of the cluster exist, e.g. 'us-east1-a'.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/devops.kubesphere.io_devopsprojects.yaml
+++ b/config/crds/devops.kubesphere.io_devopsprojects.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -17,38 +17,31 @@ spec:
    plural: devopsprojects
    singular: devopsproject
  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      description: DevOpsProject is the Schema for the devopsprojects API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: DevOpsProjectSpec defines the desired state of DevOpsProject
-          type: object
-        status:
-          description: DevOpsProjectStatus defines the observed state of DevOpsProject
-          properties:
-            adminNamespace:
-              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
-                of cluster Important: Run "make" to regenerate code after modifying
-                this file'
-              type: string
-          type: object
-      type: object
-  version: v1alpha3
  versions:
  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: DevOpsProject is the Schema for the devopsprojects API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DevOpsProjectSpec defines the desired state of DevOpsProject
+            type: object
+          status:
+            description: DevOpsProjectStatus defines the observed state of DevOpsProject
+            properties:
+              adminNamespace:
+                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
+                type: string
+            type: object
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/devops.kubesphere.io_pipelines.yaml
+++ b/config/crds/devops.kubesphere.io_pipelines.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -15,288 +15,281 @@ spec:
    plural: pipelines
    singular: pipeline
  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      description: Pipeline is the Schema for the pipelines API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: PipelineSpec defines the desired state of Pipeline
-          properties:
-            multi_branch_pipeline:
-              properties:
-                bitbucket_server_source:
-                  properties:
-                    api_uri:
-                      type: string
-                    credential_id:
-                      type: string
-                    discover_branches:
-                      type: integer
-                    discover_pr_from_forks:
-                      properties:
-                        strategy:
-                          type: integer
-                        trust:
-                          type: integer
-                      type: object
-                    discover_pr_from_origin:
-                      type: integer
-                    discover_tags:
-                      type: boolean
-                    git_clone_option:
-                      properties:
-                        depth:
-                          type: integer
-                        shallow:
-                          type: boolean
-                        timeout:
-                          type: integer
-                      type: object
-                    owner:
-                      type: string
-                    regex_filter:
-                      type: string
-                    repo:
-                      type: string
-                    scm_id:
-                      type: string
-                  type: object
-                description:
-                  type: string
-                discarder:
-                  properties:
-                    days_to_keep:
-                      type: string
-                    num_to_keep:
-                      type: string
-                  type: object
-                git_source:
-                  properties:
-                    credential_id:
-                      type: string
-                    discover_branches:
-                      type: boolean
-                    discover_tags:
-                      type: boolean
-                    git_clone_option:
-                      properties:
-                        depth:
-                          type: integer
-                        shallow:
-                          type: boolean
-                        timeout:
-                          type: integer
-                      type: object
-                    regex_filter:
-                      type: string
-                    scm_id:
-                      type: string
-                    url:
-                      type: string
-                  type: object
-                github_source:
-                  description: GithubSource and BitbucketServerSource have the same
-                    structure, but we don't use one due to crd errors
-                  properties:
-                    api_uri:
-                      type: string
-                    credential_id:
-                      type: string
-                    discover_branches:
-                      type: integer
-                    discover_pr_from_forks:
-                      properties:
-                        strategy:
-                          type: integer
-                        trust:
-                          type: integer
-                      type: object
-                    discover_pr_from_origin:
-                      type: integer
-                    discover_tags:
-                      type: boolean
-                    git_clone_option:
-                      properties:
-                        depth:
-                          type: integer
-                        shallow:
-                          type: boolean
-                        timeout:
-                          type: integer
-                      type: object
-                    owner:
-                      type: string
-                    regex_filter:
-                      type: string
-                    repo:
-                      type: string
-                    scm_id:
-                      type: string
-                  type: object
-                gitlab_source:
-                  properties:
-                    api_uri:
-                      type: string
-                    credential_id:
-                      type: string
-                    discover_branches:
-                      type: integer
-                    discover_pr_from_forks:
-                      properties:
-                        strategy:
-                          type: integer
-                        trust:
-                          type: integer
-                      type: object
-                    discover_pr_from_origin:
-                      type: integer
-                    discover_tags:
-                      type: boolean
-                    git_clone_option:
-                      properties:
-                        depth:
-                          type: integer
-                        shallow:
-                          type: boolean
-                        timeout:
-                          type: integer
-                      type: object
-                    owner:
-                      type: string
-                    regex_filter:
-                      type: string
-                    repo:
-                      type: string
-                    scm_id:
-                      type: string
-                    server_name:
-                      type: string
-                  type: object
-                multibranch_job_trigger:
-                  properties:
-                    create_action_job_to_trigger:
-                      type: string
-                    delete_action_job_to_trigger:
-                      type: string
-                  type: object
-                name:
-                  type: string
-                script_path:
-                  type: string
-                single_svn_source:
-                  properties:
-                    credential_id:
-                      type: string
-                    remote:
-                      type: string
-                    scm_id:
-                      type: string
-                  type: object
-                source_type:
-                  type: string
-                svn_source:
-                  properties:
-                    credential_id:
-                      type: string
-                    excludes:
-                      type: string
-                    includes:
-                      type: string
-                    remote:
-                      type: string
-                    scm_id:
-                      type: string
-                  type: object
-                timer_trigger:
-                  properties:
-                    cron:
-                      description: user in no scm job
-                      type: string
-                    interval:
-                      description: use in multi-branch job
-                      type: string
-                  type: object
-              required:
-              - name
-              - script_path
-              - source_type
-              type: object
-            pipeline:
-              properties:
-                description:
-                  type: string
-                disable_concurrent:
-                  type: boolean
-                discarder:
-                  properties:
-                    days_to_keep:
-                      type: string
-                    num_to_keep:
-                      type: string
-                  type: object
-                jenkinsfile:
-                  type: string
-                name:
-                  type: string
-                parameters:
-                  items:
-                    properties:
-                      default_value:
-                        type: string
-                      description:
-                        type: string
-                      name:
-                        type: string
-                      type:
-                        type: string
-                    required:
-                    - name
-                    - type
-                    type: object
-                  type: array
-                remote_trigger:
-                  properties:
-                    token:
-                      type: string
-                  type: object
-                timer_trigger:
-                  properties:
-                    cron:
-                      description: user in no scm job
-                      type: string
-                    interval:
-                      description: use in multi-branch job
-                      type: string
-                  type: object
-              required:
-              - name
-              type: object
-            type:
-              description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-                Important: Run "make" to regenerate code after modifying this file'
-              type: string
-          required:
-          - type
-          type: object
-        status:
-          description: PipelineStatus defines the observed state of Pipeline
-          type: object
-      type: object
-  version: v1alpha3
  versions:
  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: Pipeline is the Schema for the pipelines API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PipelineSpec defines the desired state of Pipeline
+            properties:
+              multi_branch_pipeline:
+                properties:
+                  bitbucket_server_source:
+                    properties:
+                      api_uri:
+                        type: string
+                      credential_id:
+                        type: string
+                      discover_branches:
+                        type: integer
+                      discover_pr_from_forks:
+                        properties:
+                          strategy:
+                            type: integer
+                          trust:
+                            type: integer
+                        type: object
+                      discover_pr_from_origin:
+                        type: integer
+                      discover_tags:
+                        type: boolean
+                      git_clone_option:
+                        properties:
+                          depth:
+                            type: integer
+                          shallow:
+                            type: boolean
+                          timeout:
+                            type: integer
+                        type: object
+                      owner:
+                        type: string
+                      regex_filter:
+                        type: string
+                      repo:
+                        type: string
+                      scm_id:
+                        type: string
+                    type: object
+                  description:
+                    type: string
+                  discarder:
+                    properties:
+                      days_to_keep:
+                        type: string
+                      num_to_keep:
+                        type: string
+                    type: object
+                  git_source:
+                    properties:
+                      credential_id:
+                        type: string
+                      discover_branches:
+                        type: boolean
+                      discover_tags:
+                        type: boolean
+                      git_clone_option:
+                        properties:
+                          depth:
+                            type: integer
+                          shallow:
+                            type: boolean
+                          timeout:
+                            type: integer
+                        type: object
+                      regex_filter:
+                        type: string
+                      scm_id:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  github_source:
+                    description: GithubSource and BitbucketServerSource have the same structure, but we don't use one due to crd errors
+                    properties:
+                      api_uri:
+                        type: string
+                      credential_id:
+                        type: string
+                      discover_branches:
+                        type: integer
+                      discover_pr_from_forks:
+                        properties:
+                          strategy:
+                            type: integer
+                          trust:
+                            type: integer
+                        type: object
+                      discover_pr_from_origin:
+                        type: integer
+                      discover_tags:
+                        type: boolean
+                      git_clone_option:
+                        properties:
+                          depth:
+                            type: integer
+                          shallow:
+                            type: boolean
+                          timeout:
+                            type: integer
+                        type: object
+                      owner:
+                        type: string
+                      regex_filter:
+                        type: string
+                      repo:
+                        type: string
+                      scm_id:
+                        type: string
+                    type: object
+                  gitlab_source:
+                    properties:
+                      api_uri:
+                        type: string
+                      credential_id:
+                        type: string
+                      discover_branches:
+                        type: integer
+                      discover_pr_from_forks:
+                        properties:
+                          strategy:
+                            type: integer
+                          trust:
+                            type: integer
+                        type: object
+                      discover_pr_from_origin:
+                        type: integer
+                      discover_tags:
+                        type: boolean
+                      git_clone_option:
+                        properties:
+                          depth:
+                            type: integer
+                          shallow:
+                            type: boolean
+                          timeout:
+                            type: integer
+                        type: object
+                      owner:
+                        type: string
+                      regex_filter:
+                        type: string
+                      repo:
+                        type: string
+                      scm_id:
+                        type: string
+                      server_name:
+                        type: string
+                    type: object
+                  multibranch_job_trigger:
+                    properties:
+                      create_action_job_to_trigger:
+                        type: string
+                      delete_action_job_to_trigger:
+                        type: string
+                    type: object
+                  name:
+                    type: string
+                  script_path:
+                    type: string
+                  single_svn_source:
+                    properties:
+                      credential_id:
+                        type: string
+                      remote:
+                        type: string
+                      scm_id:
+                        type: string
+                    type: object
+                  source_type:
+                    type: string
+                  svn_source:
+                    properties:
+                      credential_id:
+                        type: string
+                      excludes:
+                        type: string
+                      includes:
+                        type: string
+                      remote:
+                        type: string
+                      scm_id:
+                        type: string
+                    type: object
+                  timer_trigger:
+                    properties:
+                      cron:
+                        description: user in no scm job
+                        type: string
+                      interval:
+                        description: use in multi-branch job
+                        type: string
+                    type: object
+                required:
+                - name
+                - script_path
+                - source_type
+                type: object
+              pipeline:
+                properties:
+                  description:
+                    type: string
+                  disable_concurrent:
+                    type: boolean
+                  discarder:
+                    properties:
+                      days_to_keep:
+                        type: string
+                      num_to_keep:
+                        type: string
+                    type: object
+                  jenkinsfile:
+                    type: string
+                  name:
+                    type: string
+                  parameters:
+                    items:
+                      properties:
+                        default_value:
+                          type: string
+                        description:
+                          type: string
+                        name:
+                          type: string
+                        type:
+                          type: string
+                      required:
+                      - name
+                      - type
+                      type: object
+                    type: array
+                  remote_trigger:
+                    properties:
+                      token:
+                        type: string
+                    type: object
+                  timer_trigger:
+                    properties:
+                      cron:
+                        description: user in no scm job
+                        type: string
+                      interval:
+                        description: use in multi-branch job
+                        type: string
+                    type: object
+                required:
+                - name
+                type: object
+              type:
+                description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file'
+                type: string
+            required:
+            - type
+            type: object
+          status:
+            description: PipelineStatus defines the observed state of Pipeline
+            type: object
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/devops.kubesphere.io_s2ibinaries.yaml
+++ b/config/crds/devops.kubesphere.io_s2ibinaries.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -8,19 +8,6 @@ metadata:
  creationTimestamp: null
  name: s2ibinaries.devops.kubesphere.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.fileName
-    name: FileName
-    type: string
-  - JSONPath: .spec.md5
-    name: MD5
-    type: string
-  - JSONPath: .spec.size
-    name: Size
-    type: string
-  - JSONPath: .status.phase
-    name: Phase
-    type: string
  group: devops.kubesphere.io
  names:
    kind: S2iBinary
@@ -28,56 +15,64 @@ spec:
    plural: s2ibinaries
    singular: s2ibinary
  scope: Namespaced
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: S2iBinary is the Schema for the s2ibinaries API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: S2iBinarySpec defines the desired state of S2iBinary
-          properties:
-            downloadURL:
-              description: DownloadURL in KubeSphere
-              type: string
-            fileName:
-              description: FileName is filename of binary
-              type: string
-            md5:
-              description: MD5 is Binary's MD5 Hash
-              type: string
-            size:
-              description: Size is the file size of file
-              type: string
-            uploadTimeStamp:
-              description: UploadTime is last upload time
-              format: date-time
-              type: string
-          type: object
-        status:
-          description: S2iBinaryStatus defines the observed state of S2iBinary
-          properties:
-            phase:
-              description: Phase is status of S2iBinary . Possible value is "Ready","UnableToDownload"
-              type: string
-          type: object
-      type: object
-  version: v1alpha1
  versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.fileName
+      name: FileName
+      type: string
+    - jsonPath: .spec.md5
+      name: MD5
+      type: string
+    - jsonPath: .spec.size
+      name: Size
+      type: string
+    - jsonPath: .status.phase
+      name: Phase
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: S2iBinary is the Schema for the s2ibinaries API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: S2iBinarySpec defines the desired state of S2iBinary
+            properties:
+              downloadURL:
+                description: DownloadURL in KubeSphere
+                type: string
+              fileName:
+                description: FileName is filename of binary
+                type: string
+              md5:
+                description: MD5 is Binary's MD5 Hash
+                type: string
+              size:
+                description: Size is the file size of file
+                type: string
+              uploadTimeStamp:
+                description: UploadTime is last upload time
+                format: date-time
+                type: string
+            type: object
+          status:
+            description: S2iBinaryStatus defines the observed state of S2iBinary
+            properties:
+              phase:
+                description: Phase is status of S2iBinary . Possible value is "Ready","UnableToDownload"
+                type: string
+            type: object
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/devops.kubesphere.io_s2ibuilders.yaml
+++ b/config/crds/devops.kubesphere.io_s2ibuilders.yaml
--- a/config/crds/devops.kubesphere.io_s2ibuildertemplates.yaml
+++ b/config/crds/devops.kubesphere.io_s2ibuildertemplates.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -8,16 +8,6 @@ metadata:
  creationTimestamp: null
  name: s2ibuildertemplates.devops.kubesphere.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.codeFramework
-    name: Framework
-    type: string
-  - JSONPath: .spec.defaultBaseImage
-    name: DefaultBaseImage
-    type: string
-  - JSONPath: .spec.version
-    name: Version
-    type: string
  group: devops.kubesphere.io
  names:
    categories:
@@ -29,110 +19,109 @@ spec:
    - s2ibt
    singular: s2ibuildertemplate
  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: S2iBuilderTemplate is the Schema for the s2ibuildertemplates API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: S2iBuilderTemplateSpec defines the desired state of S2iBuilderTemplate
-          properties:
-            codeFramework:
-              description: CodeFramework means which language this template is designed
-                for and which framework is using if has framework. Like Java, NodeJS
-                etc
-              type: string
-            containerInfo:
-              description: Images are the images this template will use.
-              items:
-                properties:
-                  buildVolumes:
-                    description: BuildVolumes specifies a list of volumes to mount
-                      to container running the build.
-                    items:
-                      type: string
-                    type: array
-                  builderImage:
-                    description: BaseImage are the images this template will use.
-                    type: string
-                  runtimeArtifacts:
-                    items:
-                      description: VolumeSpec represents a single volume mount point.
-                      properties:
-                        destination:
-                          description: Destination is the path to mount the volume
-                            to - absolute or relative.
-                          type: string
-                        keep:
-                          description: Keep indicates if the mounted data should be
-                            kept in the final image.
-                          type: boolean
-                        source:
-                          description: Source is a reference to the volume source.
-                          type: string
-                      type: object
-                    type: array
-                  runtimeImage:
-                    type: string
-                type: object
-              type: array
-            defaultBaseImage:
-              description: DefaultBaseImage is the image that will be used by default
-              type: string
-            description:
-              description: Description illustrate the purpose of this template
-              type: string
-            environment:
-              description: Parameters is a set of environment variables to be passed
-                to the image.
-              items:
-                properties:
-                  defaultValue:
-                    type: string
-                  description:
-                    type: string
-                  key:
-                    type: string
-                  optValues:
-                    items:
-                      type: string
-                    type: array
-                  required:
-                    type: boolean
-                  type:
-                    type: string
-                  value:
-                    type: string
-                type: object
-              type: array
-            iconPath:
-              description: IconPath is used for frontend display
-              type: string
-            version:
-              description: Version of template
-              type: string
-          type: object
-        status:
-          description: S2iBuilderTemplateStatus defines the observed state of S2iBuilderTemplate
-          type: object
-      type: object
-  version: v1alpha1
  versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.codeFramework
+      name: Framework
+      type: string
+    - jsonPath: .spec.defaultBaseImage
+      name: DefaultBaseImage
+      type: string
+    - jsonPath: .spec.version
+      name: Version
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: S2iBuilderTemplate is the Schema for the s2ibuildertemplates API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: S2iBuilderTemplateSpec defines the desired state of S2iBuilderTemplate
+            properties:
+              codeFramework:
+                description: CodeFramework means which language this template is designed for and which framework is using if has framework. Like Java, NodeJS etc
+                type: string
+              containerInfo:
+                description: Images are the images this template will use.
+                items:
+                  properties:
+                    buildVolumes:
+                      description: BuildVolumes specifies a list of volumes to mount to container running the build.
+                      items:
+                        type: string
+                      type: array
+                    builderImage:
+                      description: BaseImage are the images this template will use.
+                      type: string
+                    runtimeArtifacts:
+                      items:
+                        description: VolumeSpec represents a single volume mount point.
+                        properties:
+                          destination:
+                            description: Destination is the path to mount the volume to - absolute or relative.
+                            type: string
+                          keep:
+                            description: Keep indicates if the mounted data should be kept in the final image.
+                            type: boolean
+                          source:
+                            description: Source is a reference to the volume source.
+                            type: string
+                        type: object
+                      type: array
+                    runtimeImage:
+                      type: string
+                  type: object
+                type: array
+              defaultBaseImage:
+                description: DefaultBaseImage is the image that will be used by default
+                type: string
+              description:
+                description: Description illustrate the purpose of this template
+                type: string
+              environment:
+                description: Parameters is a set of environment variables to be passed to the image.
+                items:
+                  properties:
+                    defaultValue:
+                      type: string
+                    description:
+                      type: string
+                    key:
+                      type: string
+                    optValues:
+                      items:
+                        type: string
+                      type: array
+                    required:
+                      type: boolean
+                    type:
+                      type: string
+                    value:
+                      type: string
+                  type: object
+                type: array
+              iconPath:
+                description: IconPath is used for frontend display
+                type: string
+              version:
+                description: Version of template
+                type: string
+            type: object
+          status:
+            description: S2iBuilderTemplateStatus defines the observed state of S2iBuilderTemplate
+            type: object
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/devops.kubesphere.io_s2iruns.yaml
+++ b/config/crds/devops.kubesphere.io_s2iruns.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -8,22 +8,6 @@ metadata:
  creationTimestamp: null
  name: s2iruns.devops.kubesphere.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.runState
-    name: State
-    type: string
-  - JSONPath: .status.kubernetesJobName
-    name: K8sJobName
-    type: string
-  - JSONPath: .status.startTime
-    name: StartTime
-    type: date
-  - JSONPath: .status.completionTime
-    name: CompletionTime
-    type: date
-  - JSONPath: .status.s2iBuildResult.imageName
-    name: ImageName
-    type: string
  group: devops.kubesphere.io
  names:
    kind: S2iRun
@@ -33,146 +17,145 @@ spec:
    - s2ir
    singular: s2irun
  scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: S2iRun is the Schema for the s2iruns API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: S2iRunSpec defines the desired state of S2iRun
-          properties:
-            backoffLimit:
-              description: BackoffLimit limits the restart count of each s2irun. Default
-                is 0
-              format: int32
-              type: integer
-            builderName:
-              description: BuilderName specify the name of s2ibuilder, required
-              type: string
-            newRevisionId:
-              description: NewRevisionId override the default NewRevisionId in its
-                s2ibuilder.
-              type: string
-            newSourceURL:
-              description: NewSourceURL is used to download new binary artifacts
-              type: string
-            newTag:
-              description: NewTag override the default tag in its s2ibuilder, image
-                name cannot be changed.
-              type: string
-            secondsAfterFinished:
-              description: SecondsAfterFinished if is set and greater than zero, and
-                the job created by s2irun become successful or failed , the job will
-                be auto deleted after SecondsAfterFinished
-              format: int32
-              type: integer
-          required:
-          - builderName
-          type: object
-        status:
-          description: S2iRunStatus defines the observed state of S2iRun
-          properties:
-            completionTime:
-              description: Represents time when the job was completed. It is not guaranteed
-                to be set in happens-before order across separate operations. It is
-                represented in RFC3339 form and is in UTC.
-              format: date-time
-              type: string
-            kubernetesJobName:
-              description: KubernetesJobName is the job name in k8s
-              type: string
-            logURL:
-              description: LogURL is uesd for external log handler to let user know
-                where is log located in
-              type: string
-            runState:
-              description: RunState  indicates whether this job is done or failed
-              type: string
-            s2iBuildResult:
-              description: S2i build result info.
-              properties:
-                commandPull:
-                  description: Command for pull image.
-                  type: string
-                imageCreated:
-                  description: Image created time.
-                  type: string
-                imageID:
-                  description: Image ID.
-                  type: string
-                imageName:
-                  description: ImageName is the name of artifact
-                  type: string
-                imageRepoTags:
-                  description: image tags.
-                  items:
-                    type: string
-                  type: array
-                imageSize:
-                  description: The size in bytes of the image
-                  format: int64
-                  type: integer
-              type: object
-            s2iBuildSource:
-              description: S2i build source info.
-              properties:
-                binaryName:
-                  description: Binary file Name
-                  type: string
-                binarySize:
-                  description: Binary file Size
-                  format: int64
-                  type: integer
-                builderImage:
-                  description: // BuilderImage describes which image is used for building
-                    the result images.
-                  type: string
-                commitID:
-                  description: CommitID represents an arbitrary extended object reference
-                    in Git as SHA-1
-                  type: string
-                committerEmail:
-                  description: CommitterEmail contains the e-mail of the committer
-                  type: string
-                committerName:
-                  description: CommitterName contains the name of the committer
-                  type: string
-                description:
-                  description: Description is a result image description label. The
-                    default is no description.
-                  type: string
-                revisionId:
-                  description: The RevisionId is a branch name or a SHA-1 hash of
-                    every important thing about the commit
-                  type: string
-                sourceUrl:
-                  description: SourceURL is  url of the codes such as https://github.com/a/b.git
-                  type: string
-              type: object
-            startTime:
-              description: StartTime represent when this run began
-              format: date-time
-              type: string
-          type: object
-      type: object
-  version: v1alpha1
  versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .status.runState
+      name: State
+      type: string
+    - jsonPath: .status.kubernetesJobName
+      name: K8sJobName
+      type: string
+    - jsonPath: .status.startTime
+      name: StartTime
+      type: date
+    - jsonPath: .status.completionTime
+      name: CompletionTime
+      type: date
+    - jsonPath: .status.s2iBuildResult.imageName
+      name: ImageName
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: S2iRun is the Schema for the s2iruns API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: S2iRunSpec defines the desired state of S2iRun
+            properties:
+              backoffLimit:
+                description: BackoffLimit limits the restart count of each s2irun. Default is 0
+                format: int32
+                type: integer
+              builderName:
+                description: BuilderName specify the name of s2ibuilder, required
+                type: string
+              newRevisionId:
+                description: NewRevisionId override the default NewRevisionId in its s2ibuilder.
+                type: string
+              newSourceURL:
+                description: NewSourceURL is used to download new binary artifacts
+                type: string
+              newTag:
+                description: NewTag override the default tag in its s2ibuilder, image name cannot be changed.
+                type: string
+              secondsAfterFinished:
+                description: SecondsAfterFinished if is set and greater than zero, and the job created by s2irun become successful or failed , the job will be auto deleted after SecondsAfterFinished
+                format: int32
+                type: integer
+            required:
+            - builderName
+            type: object
+          status:
+            description: S2iRunStatus defines the observed state of S2iRun
+            properties:
+              completionTime:
+                description: Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC.
+                format: date-time
+                type: string
+              kubernetesJobName:
+                description: KubernetesJobName is the job name in k8s
+                type: string
+              logURL:
+                description: LogURL is uesd for external log handler to let user know where is log located in
+                type: string
+              runState:
+                description: RunState  indicates whether this job is done or failed
+                type: string
+              s2iBuildResult:
+                description: S2i build result info.
+                properties:
+                  commandPull:
+                    description: Command for pull image.
+                    type: string
+                  imageCreated:
+                    description: Image created time.
+                    type: string
+                  imageID:
+                    description: Image ID.
+                    type: string
+                  imageName:
+                    description: ImageName is the name of artifact
+                    type: string
+                  imageRepoTags:
+                    description: image tags.
+                    items:
+                      type: string
+                    type: array
+                  imageSize:
+                    description: The size in bytes of the image
+                    format: int64
+                    type: integer
+                type: object
+              s2iBuildSource:
+                description: S2i build source info.
+                properties:
+                  binaryName:
+                    description: Binary file Name
+                    type: string
+                  binarySize:
+                    description: Binary file Size
+                    format: int64
+                    type: integer
+                  builderImage:
+                    description: // BuilderImage describes which image is used for building the result images.
+                    type: string
+                  commitID:
+                    description: CommitID represents an arbitrary extended object reference in Git as SHA-1
+                    type: string
+                  committerEmail:
+                    description: CommitterEmail contains the e-mail of the committer
+                    type: string
+                  committerName:
+                    description: CommitterName contains the name of the committer
+                    type: string
+                  description:
+                    description: Description is a result image description label. The default is no description.
+                    type: string
+                  revisionId:
+                    description: The RevisionId is a branch name or a SHA-1 hash of every important thing about the commit
+                    type: string
+                  sourceUrl:
+                    description: SourceURL is  url of the codes such as https://github.com/a/b.git
+                    type: string
+                type: object
+              startTime:
+                description: StartTime represent when this run began
+                format: date-time
+                type: string
+            type: object
+        type: object
    served: true
    storage: true
+    subresources:
+      status: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/gateway.kubesphere.io_gateways.yaml
+++ b/config/crds/gateway.kubesphere.io_gateways.yaml
@@ -0,0 +1,122 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: gateways.gateway.kubesphere.io
+spec:
+  group: gateway.kubesphere.io
+  names:
+    kind: Gateway
+    listKind: GatewayList
+    plural: gateways
+    singular: gateway
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Gateway is the Schema for the gateways API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: GatewaySpec defines the desired state of Gateway
+            properties:
+              controller:
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  config:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  replicas:
+                    format: int32
+                    type: integer
+                  scope:
+                    properties:
+                      enabled:
+                        type: boolean
+                      namespace:
+                        type: string
+                    type: object
+                type: object
+              deployment:
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  replicas:
+                    format: int32
+                    type: integer
+                  resources:
+                    description: ResourceRequirements describes the compute resource
+                      requirements.
+                    properties:
+                      limits:
+                        additionalProperties:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                          x-kubernetes-int-or-string: true
+                        description: 'Limits describes the maximum amount of compute
+                          resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                        type: object
+                      requests:
+                        additionalProperties:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                          x-kubernetes-int-or-string: true
+                        description: 'Requests describes the minimum amount of compute
+                          resources required. If Requests is omitted for a container,
+                          it defaults to Limits if that is explicitly specified, otherwise
+                          to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                        type: object
+                    type: object
+                type: object
+              service:
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  type:
+                    description: Service Type string describes ingress methods for
+                      a service
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/gateway.kubesphere.io_nginxes.yaml
+++ b/config/crds/gateway.kubesphere.io_nginxes.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: nginxes.gateway.kubesphere.io
+spec:
+  group: gateway.kubesphere.io
+  names:
+    kind: Nginx
+    listKind: NginxList
+    plural: nginxes
+    singular: nginx
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Nginx is the Schema for the nginxes API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of Nginx
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            description: Status defines the observed state of Nginx
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
--- a/config/crds/iam.kubesphere.io_federatedrolebindings.yaml
+++ b/config/crds/iam.kubesphere.io_federatedrolebindings.yaml
@@ -0,0 +1,128 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: federatedrolebindings.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    kind: FederatedRoleBinding
+    listKind: FederatedRoleBindingList
+    plural: federatedrolebindings
+    singular: federatedrolebinding
+  scope: Namespaced
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              placement:
+                properties:
+                  clusterSelector:
+                    properties:
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    type: object
+                  clusters:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
+              template:
+                properties:
+                  metadata:
+                    type: object
+                  roleRef:
+                    description: RoleRef contains information that points to the role
+                      being used
+                    properties:
+                      apiGroup:
+                        description: APIGroup is the group for the resource being
+                          referenced
+                        type: string
+                      kind:
+                        description: Kind is the type of resource being referenced
+                        type: string
+                      name:
+                        description: Name is the name of resource being referenced
+                        type: string
+                    required:
+                    - apiGroup
+                    - kind
+                    - name
+                    type: object
+                  subjects:
+                    items:
+                      description: Subject contains a reference to the object or user
+                        identities a role binding applies to.  This can either hold
+                        a direct API object reference, or a value for non-objects
+                        such as user and group names.
+                      properties:
+                        apiGroup:
+                          description: APIGroup holds the API group of the referenced
+                            subject. Defaults to "" for ServiceAccount subjects. Defaults
+                            to "rbac.authorization.k8s.io" for User and Group subjects.
+                          type: string
+                        kind:
+                          description: Kind of object being referenced. Values defined
+                            by this API group are "User", "Group", and "ServiceAccount".
+                            If the Authorizer does not recognized the kind value,
+                            the Authorizer should report an error.
+                          type: string
+                        name:
+                          description: Name of the object being referenced.
+                          type: string
+                        namespace:
+                          description: Namespace of the referenced object.  If the
+                            object kind is non-namespace, such as "User" or "Group",
+                            and this value is not empty the Authorizer should report
+                            an error.
+                          type: string
+                      required:
+                      - kind
+                      - name
+                      type: object
+                    type: array
+                required:
+                - roleRef
+                type: object
+            required:
+            - placement
+            - template
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_federatedroles.yaml
+++ b/config/crds/iam.kubesphere.io_federatedroles.yaml
@@ -0,0 +1,125 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: federatedroles.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    kind: FederatedRole
+    listKind: FederatedRoleList
+    plural: federatedroles
+    singular: federatedrole
+  scope: Namespaced
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              placement:
+                properties:
+                  clusterSelector:
+                    properties:
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    type: object
+                  clusters:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
+              template:
+                properties:
+                  metadata:
+                    type: object
+                  rules:
+                    items:
+                      description: PolicyRule holds information that describes a policy
+                        rule, but does not contain information about who the rule
+                        applies to or which namespace the rule applies to.
+                      properties:
+                        apiGroups:
+                          description: APIGroups is the name of the APIGroup that
+                            contains the resources.  If multiple API groups are specified,
+                            any action requested against one of the enumerated resources
+                            in any API group will be allowed.
+                          items:
+                            type: string
+                          type: array
+                        nonResourceURLs:
+                          description: NonResourceURLs is a set of partial urls that
+                            a user should have access to.  *s are allowed, but only
+                            as the full, final step in the path Since non-resource
+                            URLs are not namespaced, this field is only applicable
+                            for ClusterRoles referenced from a ClusterRoleBinding.
+                            Rules can either apply to API resources (such as "pods"
+                            or "secrets") or non-resource URL paths (such as "/api"),  but
+                            not both.
+                          items:
+                            type: string
+                          type: array
+                        resourceNames:
+                          description: ResourceNames is an optional white list of
+                            names that the rule applies to.  An empty set means that
+                            everything is allowed.
+                          items:
+                            type: string
+                          type: array
+                        resources:
+                          description: Resources is a list of resources this rule
+                            applies to.  ResourceAll represents all resources.
+                          items:
+                            type: string
+                          type: array
+                        verbs:
+                          description: Verbs is a list of Verbs that apply to ALL
+                            the ResourceKinds and AttributeRestrictions contained
+                            in this rule.  VerbAll represents all kinds.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - verbs
+                      type: object
+                    type: array
+                type: object
+            required:
+            - placement
+            - template
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_federatedusers.yaml
+++ b/config/crds/iam.kubesphere.io_federatedusers.yaml
@@ -0,0 +1,139 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: federatedusers.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    kind: FederatedUser
+    listKind: FederatedUserList
+    plural: federatedusers
+    singular: federateduser
+  scope: Namespaced
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              placement:
+                properties:
+                  clusterSelector:
+                    properties:
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    type: object
+                  clusters:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
+              template:
+                properties:
+                  metadata:
+                    type: object
+                  spec:
+                    description: UserSpec defines the desired state of User
+                    properties:
+                      description:
+                        description: Description of the user.
+                        type: string
+                      displayName:
+                        type: string
+                      email:
+                        description: Unique email address(https://www.ietf.org/rfc/rfc5322.txt).
+                        type: string
+                      groups:
+                        items:
+                          type: string
+                        type: array
+                      lang:
+                        description: The preferred written or spoken language for
+                          the user.
+                        type: string
+                      password:
+                        description: 'password will be encrypted by mutating admission
+                          webhook Password pattern is tricky here. The rule is simple:
+                          length between [6,64], at least one uppercase letter, one
+                          lowercase letter, one digit. The regexp in console(javascript)
+                          is quite straightforward: ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[^]{6,64}$
+                          But in Go, we don''t have ?= (back tracking) capability
+                          in regexp (also in CRD validation pattern) So we adopted
+                          an alternative scheme to achieve. Use 6 different regexp
+                          to combine to achieve the same effect. These six schemes
+                          enumerate the arrangement of numbers, uppercase letters,
+                          and lowercase letters that appear for the first time. -
+                          ^(.*[a-z].*[A-Z].*[0-9].*)$ stands for lowercase letter
+                          comes first, then followed by an uppercase letter, then
+                          a digit. - ^(.*[a-z].*[0-9].*[A-Z].*)$ stands for lowercase
+                          letter comes first, then followed by a digit, then an uppercase
+                          leeter. - ^(.*[A-Z].*[a-z].*[0-9].*)$ ... - ^(.*[A-Z].*[0-9].*[a-z].*)$
+                          ... - ^(.*[0-9].*[a-z].*[A-Z].*)$ ... - ^(.*[0-9].*[A-Z].*[a-z].*)$
+                          ... Last but not least, the bcrypt string is also included
+                          to match the encrypted password. ^(\$2[ayb]\$.{56})$'
+                        maxLength: 64
+                        minLength: 6
+                        pattern: ^(.*[a-z].*[A-Z].*[0-9].*)$|^(.*[a-z].*[0-9].*[A-Z].*)$|^(.*[A-Z].*[a-z].*[0-9].*)$|^(.*[A-Z].*[0-9].*[a-z].*)$|^(.*[0-9].*[a-z].*[A-Z].*)$|^(.*[0-9].*[A-Z].*[a-z].*)$|^(\$2[ayb]\$.{56})$
+                        type: string
+                    required:
+                    - email
+                    type: object
+                  status:
+                    description: UserStatus defines the observed state of User
+                    properties:
+                      lastLoginTime:
+                        description: Last login attempt timestamp
+                        format: date-time
+                        type: string
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      reason:
+                        type: string
+                      state:
+                        description: The user status
+                        type: string
+                    type: object
+                required:
+                - spec
+                type: object
+            required:
+            - placement
+            - template
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/iam.kubesphere.io_globalrolebindings.yaml
+++ b/config/crds/iam.kubesphere.io_globalrolebindings.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -17,78 +17,77 @@ spec:
    plural: globalrolebindings
    singular: globalrolebinding
  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      description: GlobalRoleBinding is the Schema for the globalrolebindings API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          description: Standard object's metadata.
-          type: object
-        roleRef:
-          description: RoleRef can only reference a GlobalRole. If the RoleRef cannot
-            be resolved, the Authorizer must return an error.
-          properties:
-            apiGroup:
-              description: APIGroup is the group for the resource being referenced
-              type: string
-            kind:
-              description: Kind is the type of resource being referenced
-              type: string
-            name:
-              description: Name is the name of resource being referenced
-              type: string
-          required:
-          - apiGroup
-          - kind
-          - name
-          type: object
-        subjects:
-          description: Subjects holds references to the objects the role applies to.
-          items:
-            description: Subject contains a reference to the object or user identities
-              a role binding applies to.  This can either hold a direct API object
-              reference, or a value for non-objects such as user and group names.
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: GlobalRoleBinding is the Schema for the globalrolebindings API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          roleRef:
+            description: RoleRef can only reference a GlobalRole. If the RoleRef cannot
+              be resolved, the Authorizer must return an error.
            properties:
              apiGroup:
-                description: APIGroup holds the API group of the referenced subject.
-                  Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
-                  for User and Group subjects.
+                description: APIGroup is the group for the resource being referenced
                type: string
              kind:
-                description: Kind of object being referenced. Values defined by this
-                  API group are "User", "Group", and "ServiceAccount". If the Authorizer
-                  does not recognized the kind value, the Authorizer should report
-                  an error.
+                description: Kind is the type of resource being referenced
                type: string
              name:
-                description: Name of the object being referenced.
-                type: string
-              namespace:
-                description: Namespace of the referenced object.  If the object kind
-                  is non-namespace, such as "User" or "Group", and this value is not
-                  empty the Authorizer should report an error.
+                description: Name is the name of resource being referenced
                type: string
            required:
+            - apiGroup
            - kind
            - name
            type: object
-          type: array
-      required:
-      - roleRef
-      type: object
-  version: v1alpha2
-  versions:
-  - name: v1alpha2
+          subjects:
+            description: Subjects holds references to the objects the role applies
+              to.
+            items:
+              description: Subject contains a reference to the object or user identities
+                a role binding applies to.  This can either hold a direct API object
+                reference, or a value for non-objects such as user and group names.
+              properties:
+                apiGroup:
+                  description: APIGroup holds the API group of the referenced subject.
+                    Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
+                    for User and Group subjects.
+                  type: string
+                kind:
+                  description: Kind of object being referenced. Values defined by
+                    this API group are "User", "Group", and "ServiceAccount". If the
+                    Authorizer does not recognized the kind value, the Authorizer
+                    should report an error.
+                  type: string
+                name:
+                  description: Name of the object being referenced.
+                  type: string
+                namespace:
+                  description: Namespace of the referenced object.  If the object
+                    kind is non-namespace, such as "User" or "Group", and this value
+                    is not empty the Authorizer should report an error.
+                  type: string
+              required:
+              - kind
+              - name
+              type: object
+            type: array
+        required:
+        - roleRef
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/iam.kubesphere.io_globalroles.yaml
+++ b/config/crds/iam.kubesphere.io_globalroles.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -17,74 +17,73 @@ spec:
    plural: globalroles
    singular: globalrole
  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          description: Standard object's metadata.
-          type: object
-        rules:
-          description: Rules holds all the PolicyRules for this GlobalRole
-          items:
-            description: PolicyRule holds information that describes a policy rule,
-              but does not contain information about who the rule applies to or which
-              namespace the rule applies to.
-            properties:
-              apiGroups:
-                description: APIGroups is the name of the APIGroup that contains the
-                  resources.  If multiple API groups are specified, any action requested
-                  against one of the enumerated resources in any API group will be
-                  allowed.
-                items:
-                  type: string
-                type: array
-              nonResourceURLs:
-                description: NonResourceURLs is a set of partial urls that a user
-                  should have access to.  *s are allowed, but only as the full, final
-                  step in the path Since non-resource URLs are not namespaced, this
-                  field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
-                  Rules can either apply to API resources (such as "pods" or "secrets")
-                  or non-resource URL paths (such as "/api"),  but not both.
-                items:
-                  type: string
-                type: array
-              resourceNames:
-                description: ResourceNames is an optional white list of names that
-                  the rule applies to.  An empty set means that everything is allowed.
-                items:
-                  type: string
-                type: array
-              resources:
-                description: Resources is a list of resources this rule applies to.  ResourceAll
-                  represents all resources.
-                items:
-                  type: string
-                type: array
-              verbs:
-                description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
-                  and AttributeRestrictions contained in this rule.  VerbAll represents
-                  all kinds.
-                items:
-                  type: string
-                type: array
-            required:
-            - verbs
-            type: object
-          type: array
-      type: object
-  version: v1alpha2
  versions:
  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          rules:
+            description: Rules holds all the PolicyRules for this GlobalRole
+            items:
+              description: PolicyRule holds information that describes a policy rule,
+                but does not contain information about who the rule applies to or
+                which namespace the rule applies to.
+              properties:
+                apiGroups:
+                  description: APIGroups is the name of the APIGroup that contains
+                    the resources.  If multiple API groups are specified, any action
+                    requested against one of the enumerated resources in any API group
+                    will be allowed.
+                  items:
+                    type: string
+                  type: array
+                nonResourceURLs:
+                  description: NonResourceURLs is a set of partial urls that a user
+                    should have access to.  *s are allowed, but only as the full,
+                    final step in the path Since non-resource URLs are not namespaced,
+                    this field is only applicable for ClusterRoles referenced from
+                    a ClusterRoleBinding. Rules can either apply to API resources
+                    (such as "pods" or "secrets") or non-resource URL paths (such
+                    as "/api"),  but not both.
+                  items:
+                    type: string
+                  type: array
+                resourceNames:
+                  description: ResourceNames is an optional white list of names that
+                    the rule applies to.  An empty set means that everything is allowed.
+                  items:
+                    type: string
+                  type: array
+                resources:
+                  description: Resources is a list of resources this rule applies
+                    to.  ResourceAll represents all resources.
+                  items:
+                    type: string
+                  type: array
+                verbs:
+                  description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
+                    and AttributeRestrictions contained in this rule.  VerbAll represents
+                    all kinds.
+                  items:
+                    type: string
+                  type: array
+              required:
+              - verbs
+              type: object
+            type: array
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/iam.kubesphere.io_groupbindings.yaml
+++ b/config/crds/iam.kubesphere.io_groupbindings.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -8,13 +8,6 @@ metadata:
  creationTimestamp: null
  name: groupbindings.iam.kubesphere.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .groupRef.name
-    name: Group
-    type: string
-  - JSONPath: .users
-    name: Users
-    type: string
  group: iam.kubesphere.io
  names:
    categories:
@@ -24,43 +17,49 @@ spec:
    plural: groupbindings
    singular: groupbinding
  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: GroupBinding is the Schema for the groupbindings API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        groupRef:
-          description: GroupRef defines the desired relation of GroupBinding
-          properties:
-            apiGroup:
-              type: string
-            kind:
-              type: string
-            name:
-              type: string
-          type: object
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        users:
-          items:
-            type: string
-          type: array
-      type: object
-  version: v1alpha2
  versions:
-  - name: v1alpha2
+  - additionalPrinterColumns:
+    - jsonPath: .groupRef.name
+      name: Group
+      type: string
+    - jsonPath: .users
+      name: Users
+      type: string
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: GroupBinding is the Schema for the groupbindings API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          groupRef:
+            description: GroupRef defines the desired relation of GroupBinding
+            properties:
+              apiGroup:
+                type: string
+              kind:
+                type: string
+              name:
+                type: string
+            type: object
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          users:
+            items:
+              type: string
+            type: array
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/iam.kubesphere.io_groups.yaml
+++ b/config/crds/iam.kubesphere.io_groups.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -8,10 +8,6 @@ metadata:
  creationTimestamp: null
  name: groups.iam.kubesphere.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .metadata.labels.kubesphere\.io/workspace
-    name: Workspace
-    type: string
  group: iam.kubesphere.io
  names:
    categories:
@@ -21,35 +17,38 @@ spec:
    plural: groups
    singular: group
  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: Group is the Schema for the groups API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: GroupSpec defines the desired state of Group
-          type: object
-        status:
-          description: GroupStatus defines the observed state of Group
-          type: object
-      type: object
-  version: v1alpha2
  versions:
-  - name: v1alpha2
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.labels.kubesphere\.io/workspace
+      name: Workspace
+      type: string
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: Group is the Schema for the groups API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: GroupSpec defines the desired state of Group
+            type: object
+          status:
+            description: GroupStatus defines the observed state of Group
+            type: object
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/iam.kubesphere.io_loginrecords.yaml
+++ b/config/crds/iam.kubesphere.io_loginrecords.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -8,25 +8,6 @@ metadata:
  creationTimestamp: null
  name: loginrecords.iam.kubesphere.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .spec.type
-    name: Type
-    type: string
-  - JSONPath: .spec.provider
-    name: Provider
-    type: string
-  - JSONPath: .spec.sourceIP
-    name: From
-    type: string
-  - JSONPath: .spec.success
-    name: Success
-    type: string
-  - JSONPath: .spec.reason
-    name: Reason
-    type: string
-  - JSONPath: .metadata.creationTimestamp
-    name: Age
-    type: date
  group: iam.kubesphere.io
  names:
    categories:
@@ -36,57 +17,75 @@ spec:
    plural: loginrecords
    singular: loginrecord
  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            provider:
-              description: Provider of authentication, Ldap/Github etc.
-              type: string
-            reason:
-              description: States failed login attempt reason
-              type: string
-            sourceIP:
-              description: Source IP of client
-              type: string
-            success:
-              description: Successful login attempt or not
-              type: boolean
-            type:
-              description: Which authentication method used, BasicAuth/OAuth
-              type: string
-            userAgent:
-              description: User agent of login attempt
-              type: string
-          required:
-          - provider
-          - reason
-          - sourceIP
-          - success
-          - type
-          type: object
-      required:
-      - spec
-      type: object
-  version: v1alpha2
  versions:
-  - name: v1alpha2
+  - additionalPrinterColumns:
+    - jsonPath: .spec.type
+      name: Type
+      type: string
+    - jsonPath: .spec.provider
+      name: Provider
+      type: string
+    - jsonPath: .spec.sourceIP
+      name: From
+      type: string
+    - jsonPath: .spec.success
+      name: Success
+      type: string
+    - jsonPath: .spec.reason
+      name: Reason
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              provider:
+                description: Provider of authentication, Ldap/Github etc.
+                type: string
+              reason:
+                description: States failed login attempt reason
+                type: string
+              sourceIP:
+                description: Source IP of client
+                type: string
+              success:
+                description: Successful login attempt or not
+                type: boolean
+              type:
+                description: Which authentication method used, BasicAuth/OAuth
+                type: string
+              userAgent:
+                description: User agent of login attempt
+                type: string
+            required:
+            - provider
+            - reason
+            - sourceIP
+            - success
+            - type
+            type: object
+        required:
+        - spec
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/iam.kubesphere.io_rolebases.yaml
+++ b/config/crds/iam.kubesphere.io_rolebases.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -17,29 +17,30 @@ spec:
    plural: rolebases
    singular: rolebase
  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        role:
-          type: object
-      required:
-      - role
-      type: object
-  version: v1alpha2
  versions:
  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          role:
+            type: object
+            x-kubernetes-embedded-resource: true
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - role
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/iam.kubesphere.io_users.yaml
+++ b/config/crds/iam.kubesphere.io_users.yaml
@@ -31,10 +31,14 @@ spec:
        description: User is the Schema for the users API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
@@ -57,7 +61,26 @@ spec:
                description: The preferred written or spoken language for the user.
                type: string
              password:
-                description: password will be encrypted by mutating admission webhook
+                description: 'password will be encrypted by mutating admission webhook
+                  Password pattern is tricky here. The rule is simple: length between
+                  [6,64], at least one uppercase letter, one lowercase letter, one
+                  digit. The regexp in console(javascript) is quite straightforward:
+                  ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[^]{6,64}$ But in Go, we don''t have
+                  ?= (back tracking) capability in regexp (also in CRD validation
+                  pattern) So we adopted an alternative scheme to achieve. Use 6 different
+                  regexp to combine to achieve the same effect. These six schemes
+                  enumerate the arrangement of numbers, uppercase letters, and lowercase
+                  letters that appear for the first time. - ^(.*[a-z].*[A-Z].*[0-9].*)$
+                  stands for lowercase letter comes first, then followed by an uppercase
+                  letter, then a digit. - ^(.*[a-z].*[0-9].*[A-Z].*)$ stands for lowercase
+                  letter comes first, then followed by a digit, then an uppercase
+                  leeter. - ^(.*[A-Z].*[a-z].*[0-9].*)$ ... - ^(.*[A-Z].*[0-9].*[a-z].*)$
+                  ... - ^(.*[0-9].*[a-z].*[A-Z].*)$ ... - ^(.*[0-9].*[A-Z].*[a-z].*)$
+                  ... Last but not least, the bcrypt string is also included to match
+                  the encrypted password. ^(\$2[ayb]\$.{56})$'
+                maxLength: 64
+                minLength: 6
+                pattern: ^(.*[a-z].*[A-Z].*[0-9].*)$|^(.*[a-z].*[0-9].*[A-Z].*)$|^(.*[A-Z].*[a-z].*[0-9].*)$|^(.*[A-Z].*[0-9].*[a-z].*)$|^(.*[0-9].*[a-z].*[A-Z].*)$|^(.*[0-9].*[A-Z].*[a-z].*)$|^(\$2[ayb]\$.{56})$
                type: string
            required:
            - email
--- a/config/crds/iam.kubesphere.io_workspacerolebindings.yaml
+++ b/config/crds/iam.kubesphere.io_workspacerolebindings.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -8,10 +8,6 @@ metadata:
  creationTimestamp: null
  name: workspacerolebindings.iam.kubesphere.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .metadata.labels.kubesphere\.io/workspace
-    name: Workspace
-    type: string
  group: iam.kubesphere.io
  names:
    categories:
@@ -21,81 +17,85 @@ spec:
    plural: workspacerolebindings
    singular: workspacerolebinding
  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: WorkspaceRoleBinding is the Schema for the workspacerolebindings
-        API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        roleRef:
-          description: RoleRef can only reference a WorkspaceRole. If the RoleRef
-            cannot be resolved, the Authorizer must return an error.
-          properties:
-            apiGroup:
-              description: APIGroup is the group for the resource being referenced
-              type: string
-            kind:
-              description: Kind is the type of resource being referenced
-              type: string
-            name:
-              description: Name is the name of resource being referenced
-              type: string
-          required:
-          - apiGroup
-          - kind
-          - name
-          type: object
-        subjects:
-          description: Subjects holds references to the objects the role applies to.
-          items:
-            description: Subject contains a reference to the object or user identities
-              a role binding applies to.  This can either hold a direct API object
-              reference, or a value for non-objects such as user and group names.
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.labels.kubesphere\.io/workspace
+      name: Workspace
+      type: string
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: WorkspaceRoleBinding is the Schema for the workspacerolebindings
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          roleRef:
+            description: RoleRef can only reference a WorkspaceRole. If the RoleRef
+              cannot be resolved, the Authorizer must return an error.
            properties:
              apiGroup:
-                description: APIGroup holds the API group of the referenced subject.
-                  Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
-                  for User and Group subjects.
+                description: APIGroup is the group for the resource being referenced
                type: string
              kind:
-                description: Kind of object being referenced. Values defined by this
-                  API group are "User", "Group", and "ServiceAccount". If the Authorizer
-                  does not recognized the kind value, the Authorizer should report
-                  an error.
+                description: Kind is the type of resource being referenced
                type: string
              name:
-                description: Name of the object being referenced.
-                type: string
-              namespace:
-                description: Namespace of the referenced object.  If the object kind
-                  is non-namespace, such as "User" or "Group", and this value is not
-                  empty the Authorizer should report an error.
+                description: Name is the name of resource being referenced
                type: string
            required:
+            - apiGroup
            - kind
            - name
            type: object
-          type: array
-      required:
-      - roleRef
-      type: object
-  version: v1alpha2
-  versions:
-  - name: v1alpha2
+          subjects:
+            description: Subjects holds references to the objects the role applies
+              to.
+            items:
+              description: Subject contains a reference to the object or user identities
+                a role binding applies to.  This can either hold a direct API object
+                reference, or a value for non-objects such as user and group names.
+              properties:
+                apiGroup:
+                  description: APIGroup holds the API group of the referenced subject.
+                    Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
+                    for User and Group subjects.
+                  type: string
+                kind:
+                  description: Kind of object being referenced. Values defined by
+                    this API group are "User", "Group", and "ServiceAccount". If the
+                    Authorizer does not recognized the kind value, the Authorizer
+                    should report an error.
+                  type: string
+                name:
+                  description: Name of the object being referenced.
+                  type: string
+                namespace:
+                  description: Namespace of the referenced object.  If the object
+                    kind is non-namespace, such as "User" or "Group", and this value
+                    is not empty the Authorizer should report an error.
+                  type: string
+              required:
+              - kind
+              - name
+              type: object
+            type: array
+        required:
+        - roleRef
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/iam.kubesphere.io_workspaceroles.yaml
+++ b/config/crds/iam.kubesphere.io_workspaceroles.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -8,13 +8,6 @@ metadata:
  creationTimestamp: null
  name: workspaceroles.iam.kubesphere.io
 spec:
-  additionalPrinterColumns:
-  - JSONPath: .metadata.labels.kubesphere\.io/workspace
-    name: Workspace
-    type: string
-  - JSONPath: .metadata.annotations.kubesphere\.io/alias-name
-    name: Alias
-    type: string
  group: iam.kubesphere.io
  names:
    categories:
@@ -24,77 +17,83 @@ spec:
    plural: workspaceroles
    singular: workspacerole
  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          description: Standard object's metadata.
-          type: object
-        rules:
-          description: Rules holds all the PolicyRules for this WorkspaceRole
-          items:
-            description: PolicyRule holds information that describes a policy rule,
-              but does not contain information about who the rule applies to or which
-              namespace the rule applies to.
-            properties:
-              apiGroups:
-                description: APIGroups is the name of the APIGroup that contains the
-                  resources.  If multiple API groups are specified, any action requested
-                  against one of the enumerated resources in any API group will be
-                  allowed.
-                items:
-                  type: string
-                type: array
-              nonResourceURLs:
-                description: NonResourceURLs is a set of partial urls that a user
-                  should have access to.  *s are allowed, but only as the full, final
-                  step in the path Since non-resource URLs are not namespaced, this
-                  field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
-                  Rules can either apply to API resources (such as "pods" or "secrets")
-                  or non-resource URL paths (such as "/api"),  but not both.
-                items:
-                  type: string
-                type: array
-              resourceNames:
-                description: ResourceNames is an optional white list of names that
-                  the rule applies to.  An empty set means that everything is allowed.
-                items:
-                  type: string
-                type: array
-              resources:
-                description: Resources is a list of resources this rule applies to.  ResourceAll
-                  represents all resources.
-                items:
-                  type: string
-                type: array
-              verbs:
-                description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
-                  and AttributeRestrictions contained in this rule.  VerbAll represents
-                  all kinds.
-                items:
-                  type: string
-                type: array
-            required:
-            - verbs
-            type: object
-          type: array
-      type: object
-  version: v1alpha2
  versions:
-  - name: v1alpha2
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.labels.kubesphere\.io/workspace
+      name: Workspace
+      type: string
+    - jsonPath: .metadata.annotations.kubesphere\.io/alias-name
+      name: Alias
+      type: string
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          rules:
+            description: Rules holds all the PolicyRules for this WorkspaceRole
+            items:
+              description: PolicyRule holds information that describes a policy rule,
+                but does not contain information about who the rule applies to or
+                which namespace the rule applies to.
+              properties:
+                apiGroups:
+                  description: APIGroups is the name of the APIGroup that contains
+                    the resources.  If multiple API groups are specified, any action
+                    requested against one of the enumerated resources in any API group
+                    will be allowed.
+                  items:
+                    type: string
+                  type: array
+                nonResourceURLs:
+                  description: NonResourceURLs is a set of partial urls that a user
+                    should have access to.  *s are allowed, but only as the full,
+                    final step in the path Since non-resource URLs are not namespaced,
+                    this field is only applicable for ClusterRoles referenced from
+                    a ClusterRoleBinding. Rules can either apply to API resources
+                    (such as "pods" or "secrets") or non-resource URL paths (such
+                    as "/api"),  but not both.
+                  items:
+                    type: string
+                  type: array
+                resourceNames:
+                  description: ResourceNames is an optional white list of names that
+                    the rule applies to.  An empty set means that everything is allowed.
+                  items:
+                    type: string
+                  type: array
+                resources:
+                  description: Resources is a list of resources this rule applies
+                    to.  ResourceAll represents all resources.
+                  items:
+                    type: string
+                  type: array
+                verbs:
+                  description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
+                    and AttributeRestrictions contained in this rule.  VerbAll represents
+                    all kinds.
+                  items:
+                    type: string
+                  type: array
+              required:
+              - verbs
+              type: object
+            type: array
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/istio-crds.yaml
+++ b/config/crds/istio-crds.yaml
--- a/config/crds/istio_v1alpha3_destinationrule.yaml
+++ b/config/crds/istio_v1alpha3_destinationrule.yaml
@@ -1,763 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: destinationrules.istio.kubesphere.io
-spec:
-  group: istio.kubesphere.io
-  names:
-    kind: DestinationRule
-    plural: destinationrules
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            host:
-              description: 'REQUIRED. The name of a service from the service registry.
-                Service names are looked up from the platform''s service registry
-                (e.g., Kubernetes services, Consul services, etc.) and from the hosts
-                declared by [ServiceEntries](#ServiceEntry). Rules defined for services
-                that do not exist in the service registry will be ignored.  *Note
-                for Kubernetes users*: When short names are used (e.g. "reviews" instead
-                of "reviews.default.svc.cluster.local"), Istio will interpret the
-                short name based on the namespace of the rule, not the service. A
-                rule in the "default" namespace containing a host "reviews will be
-                interpreted as "reviews.default.svc.cluster.local", irrespective of
-                the actual namespace associated with the reviews service. _To avoid
-                potential misconfigurations, it is recommended to always use fully
-                qualified domain names over short names._  Note that the host field
-                applies to both HTTP and TCP services.'
-              type: string
-            subsets:
-              description: One or more named sets that represent individual versions
-                of a service. Traffic policies can be overridden at subset level.
-              items:
-                properties:
-                  labels:
-                    description: REQUIRED. Labels apply a filter over the endpoints
-                      of a service in the service registry. See route rules for examples
-                      of usage.
-                    type: object
-                  name:
-                    description: REQUIRED. Name of the subset. The service name and
-                      the subset name can be used for traffic splitting in a route
-                      rule.
-                    type: string
-                  trafficPolicy:
-                    description: Traffic policies that apply to this subset. Subsets
-                      inherit the traffic policies specified at the DestinationRule
-                      level. Settings specified at the subset level will override
-                      the corresponding settings specified at the DestinationRule
-                      level.
-                    properties:
-                      connectionPool:
-                        description: Settings controlling the volume of connections
-                          to an upstream service
-                        properties:
-                          http:
-                            description: HTTP connection pool settings.
-                            properties:
-                              maxRequestsPerConnection:
-                                description: Maximum number of requests per connection
-                                  to a backend. Setting this parameter to 1 disables
-                                  keep alive.
-                                format: int32
-                                type: integer
-                              maxRetries:
-                                description: Maximum number of retries that can be
-                                  outstanding to all hosts in a cluster at a given
-                                  time. Defaults to 3.
-                                format: int32
-                                type: integer
-                            type: object
-                          tcp:
-                            description: Settings common to both HTTP and TCP upstream
-                              connections.
-                            properties:
-                              connectTimeout:
-                                description: TCP connection timeout.
-                                type: string
-                              maxConnections:
-                                description: Maximum number of HTTP1 /TCP connections
-                                  to a destination host.
-                                format: int32
-                                type: integer
-                            type: object
-                        type: object
-                      loadBalancer:
-                        description: Settings controlling the load balancer algorithms.
-                        properties:
-                          consistentHash:
-                            properties:
-                              httpCookie:
-                                description: Hash based on HTTP cookie.
-                                properties:
-                                  name:
-                                    description: REQUIRED. Name of the cookie.
-                                    type: string
-                                  path:
-                                    description: Path to set for the cookie.
-                                    type: string
-                                  ttl:
-                                    description: REQUIRED. Lifetime of the cookie.
-                                    type: string
-                                required:
-                                - name
-                                - ttl
-                                type: object
-                              httpHeaderName:
-                                description: 'It is required to specify exactly one
-                                  of the fields as hash key: HttpHeaderName, HttpCookie,
-                                  or UseSourceIP. Hash based on a specific HTTP header.'
-                                type: string
-                              minimumRingSize:
-                                description: The minimum number of virtual nodes to
-                                  use for the hash ring. Defaults to 1024. Larger
-                                  ring sizes result in more granular load distributions.
-                                  If the number of hosts in the load balancing pool
-                                  is larger than the ring size, each host will be
-                                  assigned a single virtual node.
-                                format: int64
-                                type: integer
-                              useSourceIp:
-                                description: Hash based on the source IP address.
-                                type: boolean
-                            type: object
-                          simple:
-                            description: 'It is required to specify exactly one of
-                              the fields: Simple or ConsistentHash'
-                            type: string
-                        type: object
-                      outlierDetection:
-                        description: Settings controlling eviction of unhealthy hosts
-                          from the load balancing pool
-                        properties:
-                          baseEjectionTime:
-                            description: 'Minimum ejection duration. A host will remain
-                              ejected for a period equal to the product of minimum
-                              ejection duration and the number of times the host has
-                              been ejected. This technique allows the system to automatically
-                              increase the ejection period for unhealthy upstream
-                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
-                              is 30s.'
-                            type: string
-                          consecutiveErrors:
-                            description: Number of errors before a host is ejected
-                              from the connection pool. Defaults to 5. When the upstream
-                              host is accessed over HTTP, a 5xx return code qualifies
-                              as an error. When the upstream host is accessed over
-                              an opaque TCP connection, connect timeouts and connection
-                              error/failure events qualify as an error.
-                            format: int32
-                            type: integer
-                          interval:
-                            description: 'Time interval between ejection sweep analysis.
-                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
-                            type: string
-                          maxEjectionPercent:
-                            description: Maximum % of hosts in the load balancing
-                              pool for the upstream service that can be ejected. Defaults
-                              to 10%.
-                            format: int32
-                            type: integer
-                        type: object
-                      portLevelSettings:
-                        description: Traffic policies specific to individual ports.
-                          Note that port level settings will override the destination-level
-                          settings. Traffic settings specified at the destination-level
-                          will not be inherited when overridden by port-level settings,
-                          i.e. default values will be applied to fields omitted in
-                          port-level traffic policies.
-                        items:
-                          properties:
-                            connectionPool:
-                              description: Settings controlling the volume of connections
-                                to an upstream service
-                              properties:
-                                http:
-                                  description: HTTP connection pool settings.
-                                  properties:
-                                    maxRequestsPerConnection:
-                                      description: Maximum number of requests per
-                                        connection to a backend. Setting this parameter
-                                        to 1 disables keep alive.
-                                      format: int32
-                                      type: integer
-                                    maxRetries:
-                                      description: Maximum number of retries that
-                                        can be outstanding to all hosts in a cluster
-                                        at a given time. Defaults to 3.
-                                      format: int32
-                                      type: integer
-                                  type: object
-                                tcp:
-                                  description: Settings common to both HTTP and TCP
-                                    upstream connections.
-                                  properties:
-                                    connectTimeout:
-                                      description: TCP connection timeout.
-                                      type: string
-                                    maxConnections:
-                                      description: Maximum number of HTTP1 /TCP connections
-                                        to a destination host.
-                                      format: int32
-                                      type: integer
-                                  type: object
-                              type: object
-                            loadBalancer:
-                              description: Settings controlling the load balancer
-                                algorithms.
-                              properties:
-                                consistentHash:
-                                  properties:
-                                    httpCookie:
-                                      description: Hash based on HTTP cookie.
-                                      properties:
-                                        name:
-                                          description: REQUIRED. Name of the cookie.
-                                          type: string
-                                        path:
-                                          description: Path to set for the cookie.
-                                          type: string
-                                        ttl:
-                                          description: REQUIRED. Lifetime of the cookie.
-                                          type: string
-                                      required:
-                                      - name
-                                      - ttl
-                                      type: object
-                                    httpHeaderName:
-                                      description: 'It is required to specify exactly
-                                        one of the fields as hash key: HttpHeaderName,
-                                        HttpCookie, or UseSourceIP. Hash based on
-                                        a specific HTTP header.'
-                                      type: string
-                                    minimumRingSize:
-                                      description: The minimum number of virtual nodes
-                                        to use for the hash ring. Defaults to 1024.
-                                        Larger ring sizes result in more granular
-                                        load distributions. If the number of hosts
-                                        in the load balancing pool is larger than
-                                        the ring size, each host will be assigned
-                                        a single virtual node.
-                                      format: int64
-                                      type: integer
-                                    useSourceIp:
-                                      description: Hash based on the source IP address.
-                                      type: boolean
-                                  type: object
-                                simple:
-                                  description: 'It is required to specify exactly
-                                    one of the fields: Simple or ConsistentHash'
-                                  type: string
-                              type: object
-                            outlierDetection:
-                              description: Settings controlling eviction of unhealthy
-                                hosts from the load balancing pool
-                              properties:
-                                baseEjectionTime:
-                                  description: 'Minimum ejection duration. A host
-                                    will remain ejected for a period equal to the
-                                    product of minimum ejection duration and the number
-                                    of times the host has been ejected. This technique
-                                    allows the system to automatically increase the
-                                    ejection period for unhealthy upstream servers.
-                                    format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is
-                                    30s.'
-                                  type: string
-                                consecutiveErrors:
-                                  description: Number of errors before a host is ejected
-                                    from the connection pool. Defaults to 5. When
-                                    the upstream host is accessed over HTTP, a 5xx
-                                    return code qualifies as an error. When the upstream
-                                    host is accessed over an opaque TCP connection,
-                                    connect timeouts and connection error/failure
-                                    events qualify as an error.
-                                  format: int32
-                                  type: integer
-                                interval:
-                                  description: 'Time interval between ejection sweep
-                                    analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
-                                    Default is 10s.'
-                                  type: string
-                                maxEjectionPercent:
-                                  description: Maximum % of hosts in the load balancing
-                                    pool for the upstream service that can be ejected.
-                                    Defaults to 10%.
-                                  format: int32
-                                  type: integer
-                              type: object
-                            port:
-                              description: Specifies the port name or number of a
-                                port on the destination service on which this policy
-                                is being applied.  Names must comply with DNS label
-                                syntax (rfc1035) and therefore cannot collide with
-                                numbers. If there are multiple ports on a service
-                                with the same protocol the names should be of the
-                                form <protocol-name>-<DNS label>.
-                              properties:
-                                name:
-                                  description: Valid port name
-                                  type: string
-                                number:
-                                  description: Valid port number
-                                  format: int32
-                                  type: integer
-                              type: object
-                            tls:
-                              description: TLS related settings for connections to
-                                the upstream service.
-                              properties:
-                                caCertificates:
-                                  description: 'OPTIONAL: The path to the file containing
-                                    certificate authority certificates to use in verifying
-                                    a presented server certificate. If omitted, the
-                                    proxy will not verify the server''s certificate.
-                                    Should be empty if mode is `ISTIO_MUTUAL`.'
-                                  type: string
-                                clientCertificate:
-                                  description: REQUIRED if mode is `MUTUAL`. The path
-                                    to the file holding the client-side TLS certificate
-                                    to use. Should be empty if mode is `ISTIO_MUTUAL`.
-                                  type: string
-                                mode:
-                                  description: 'REQUIRED: Indicates whether connections
-                                    to this port should be secured using TLS. The
-                                    value of this field determines how TLS is enforced.'
-                                  type: string
-                                privateKey:
-                                  description: REQUIRED if mode is `MUTUAL`. The path
-                                    to the file holding the client's private key.
-                                    Should be empty if mode is `ISTIO_MUTUAL`.
-                                  type: string
-                                sni:
-                                  description: SNI string to present to the server
-                                    during TLS handshake. Should be empty if mode
-                                    is `ISTIO_MUTUAL`.
-                                  type: string
-                                subjectAltNames:
-                                  description: A list of alternate names to verify
-                                    the subject identity in the certificate. If specified,
-                                    the proxy will verify that the server certificate's
-                                    subject alt name matches one of the specified
-                                    values. Should be empty if mode is `ISTIO_MUTUAL`.
-                                  items:
-                                    type: string
-                                  type: array
-                              required:
-                              - mode
-                              type: object
-                          required:
-                          - port
-                          type: object
-                        type: array
-                      tls:
-                        description: TLS related settings for connections to the upstream
-                          service.
-                        properties:
-                          caCertificates:
-                            description: 'OPTIONAL: The path to the file containing
-                              certificate authority certificates to use in verifying
-                              a presented server certificate. If omitted, the proxy
-                              will not verify the server''s certificate. Should be
-                              empty if mode is `ISTIO_MUTUAL`.'
-                            type: string
-                          clientCertificate:
-                            description: REQUIRED if mode is `MUTUAL`. The path to
-                              the file holding the client-side TLS certificate to
-                              use. Should be empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          mode:
-                            description: 'REQUIRED: Indicates whether connections
-                              to this port should be secured using TLS. The value
-                              of this field determines how TLS is enforced.'
-                            type: string
-                          privateKey:
-                            description: REQUIRED if mode is `MUTUAL`. The path to
-                              the file holding the client's private key. Should be
-                              empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          sni:
-                            description: SNI string to present to the server during
-                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          subjectAltNames:
-                            description: A list of alternate names to verify the subject
-                              identity in the certificate. If specified, the proxy
-                              will verify that the server certificate's subject alt
-                              name matches one of the specified values. Should be
-                              empty if mode is `ISTIO_MUTUAL`.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - mode
-                        type: object
-                    type: object
-                required:
-                - name
-                - labels
-                type: object
-              type: array
-            trafficPolicy:
-              description: Traffic policies to apply (load balancing policy, connection
-                pool sizes, outlier detection).
-              properties:
-                connectionPool:
-                  description: Settings controlling the volume of connections to an
-                    upstream service
-                  properties:
-                    http:
-                      description: HTTP connection pool settings.
-                      properties:
-                        maxRequestsPerConnection:
-                          description: Maximum number of requests per connection to
-                            a backend. Setting this parameter to 1 disables keep alive.
-                          format: int32
-                          type: integer
-                        maxRetries:
-                          description: Maximum number of retries that can be outstanding
-                            to all hosts in a cluster at a given time. Defaults to
-                            3.
-                          format: int32
-                          type: integer
-                      type: object
-                    tcp:
-                      description: Settings common to both HTTP and TCP upstream connections.
-                      properties:
-                        connectTimeout:
-                          description: TCP connection timeout.
-                          type: string
-                        maxConnections:
-                          description: Maximum number of HTTP1 /TCP connections to
-                            a destination host.
-                          format: int32
-                          type: integer
-                      type: object
-                  type: object
-                loadBalancer:
-                  description: Settings controlling the load balancer algorithms.
-                  properties:
-                    consistentHash:
-                      properties:
-                        httpCookie:
-                          description: Hash based on HTTP cookie.
-                          properties:
-                            name:
-                              description: REQUIRED. Name of the cookie.
-                              type: string
-                            path:
-                              description: Path to set for the cookie.
-                              type: string
-                            ttl:
-                              description: REQUIRED. Lifetime of the cookie.
-                              type: string
-                          required:
-                          - name
-                          - ttl
-                          type: object
-                        httpHeaderName:
-                          description: 'It is required to specify exactly one of the
-                            fields as hash key: HttpHeaderName, HttpCookie, or UseSourceIP.
-                            Hash based on a specific HTTP header.'
-                          type: string
-                        minimumRingSize:
-                          description: The minimum number of virtual nodes to use
-                            for the hash ring. Defaults to 1024. Larger ring sizes
-                            result in more granular load distributions. If the number
-                            of hosts in the load balancing pool is larger than the
-                            ring size, each host will be assigned a single virtual
-                            node.
-                          format: int64
-                          type: integer
-                        useSourceIp:
-                          description: Hash based on the source IP address.
-                          type: boolean
-                      type: object
-                    simple:
-                      description: 'It is required to specify exactly one of the fields:
-                        Simple or ConsistentHash'
-                      type: string
-                  type: object
-                outlierDetection:
-                  description: Settings controlling eviction of unhealthy hosts from
-                    the load balancing pool
-                  properties:
-                    baseEjectionTime:
-                      description: 'Minimum ejection duration. A host will remain
-                        ejected for a period equal to the product of minimum ejection
-                        duration and the number of times the host has been ejected.
-                        This technique allows the system to automatically increase
-                        the ejection period for unhealthy upstream servers. format:
-                        1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
-                      type: string
-                    consecutiveErrors:
-                      description: Number of errors before a host is ejected from
-                        the connection pool. Defaults to 5. When the upstream host
-                        is accessed over HTTP, a 5xx return code qualifies as an error.
-                        When the upstream host is accessed over an opaque TCP connection,
-                        connect timeouts and connection error/failure events qualify
-                        as an error.
-                      format: int32
-                      type: integer
-                    interval:
-                      description: 'Time interval between ejection sweep analysis.
-                        format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
-                      type: string
-                    maxEjectionPercent:
-                      description: Maximum % of hosts in the load balancing pool for
-                        the upstream service that can be ejected. Defaults to 10%.
-                      format: int32
-                      type: integer
-                  type: object
-                portLevelSettings:
-                  description: Traffic policies specific to individual ports. Note
-                    that port level settings will override the destination-level settings.
-                    Traffic settings specified at the destination-level will not be
-                    inherited when overridden by port-level settings, i.e. default
-                    values will be applied to fields omitted in port-level traffic
-                    policies.
-                  items:
-                    properties:
-                      connectionPool:
-                        description: Settings controlling the volume of connections
-                          to an upstream service
-                        properties:
-                          http:
-                            description: HTTP connection pool settings.
-                            properties:
-                              maxRequestsPerConnection:
-                                description: Maximum number of requests per connection
-                                  to a backend. Setting this parameter to 1 disables
-                                  keep alive.
-                                format: int32
-                                type: integer
-                              maxRetries:
-                                description: Maximum number of retries that can be
-                                  outstanding to all hosts in a cluster at a given
-                                  time. Defaults to 3.
-                                format: int32
-                                type: integer
-                            type: object
-                          tcp:
-                            description: Settings common to both HTTP and TCP upstream
-                              connections.
-                            properties:
-                              connectTimeout:
-                                description: TCP connection timeout.
-                                type: string
-                              maxConnections:
-                                description: Maximum number of HTTP1 /TCP connections
-                                  to a destination host.
-                                format: int32
-                                type: integer
-                            type: object
-                        type: object
-                      loadBalancer:
-                        description: Settings controlling the load balancer algorithms.
-                        properties:
-                          consistentHash:
-                            properties:
-                              httpCookie:
-                                description: Hash based on HTTP cookie.
-                                properties:
-                                  name:
-                                    description: REQUIRED. Name of the cookie.
-                                    type: string
-                                  path:
-                                    description: Path to set for the cookie.
-                                    type: string
-                                  ttl:
-                                    description: REQUIRED. Lifetime of the cookie.
-                                    type: string
-                                required:
-                                - name
-                                - ttl
-                                type: object
-                              httpHeaderName:
-                                description: 'It is required to specify exactly one
-                                  of the fields as hash key: HttpHeaderName, HttpCookie,
-                                  or UseSourceIP. Hash based on a specific HTTP header.'
-                                type: string
-                              minimumRingSize:
-                                description: The minimum number of virtual nodes to
-                                  use for the hash ring. Defaults to 1024. Larger
-                                  ring sizes result in more granular load distributions.
-                                  If the number of hosts in the load balancing pool
-                                  is larger than the ring size, each host will be
-                                  assigned a single virtual node.
-                                format: int64
-                                type: integer
-                              useSourceIp:
-                                description: Hash based on the source IP address.
-                                type: boolean
-                            type: object
-                          simple:
-                            description: 'It is required to specify exactly one of
-                              the fields: Simple or ConsistentHash'
-                            type: string
-                        type: object
-                      outlierDetection:
-                        description: Settings controlling eviction of unhealthy hosts
-                          from the load balancing pool
-                        properties:
-                          baseEjectionTime:
-                            description: 'Minimum ejection duration. A host will remain
-                              ejected for a period equal to the product of minimum
-                              ejection duration and the number of times the host has
-                              been ejected. This technique allows the system to automatically
-                              increase the ejection period for unhealthy upstream
-                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
-                              is 30s.'
-                            type: string
-                          consecutiveErrors:
-                            description: Number of errors before a host is ejected
-                              from the connection pool. Defaults to 5. When the upstream
-                              host is accessed over HTTP, a 5xx return code qualifies
-                              as an error. When the upstream host is accessed over
-                              an opaque TCP connection, connect timeouts and connection
-                              error/failure events qualify as an error.
-                            format: int32
-                            type: integer
-                          interval:
-                            description: 'Time interval between ejection sweep analysis.
-                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
-                            type: string
-                          maxEjectionPercent:
-                            description: Maximum % of hosts in the load balancing
-                              pool for the upstream service that can be ejected. Defaults
-                              to 10%.
-                            format: int32
-                            type: integer
-                        type: object
-                      port:
-                        description: Specifies the port name or number of a port on
-                          the destination service on which this policy is being applied.  Names
-                          must comply with DNS label syntax (rfc1035) and therefore
-                          cannot collide with numbers. If there are multiple ports
-                          on a service with the same protocol the names should be
-                          of the form <protocol-name>-<DNS label>.
-                        properties:
-                          name:
-                            description: Valid port name
-                            type: string
-                          number:
-                            description: Valid port number
-                            format: int32
-                            type: integer
-                        type: object
-                      tls:
-                        description: TLS related settings for connections to the upstream
-                          service.
-                        properties:
-                          caCertificates:
-                            description: 'OPTIONAL: The path to the file containing
-                              certificate authority certificates to use in verifying
-                              a presented server certificate. If omitted, the proxy
-                              will not verify the server''s certificate. Should be
-                              empty if mode is `ISTIO_MUTUAL`.'
-                            type: string
-                          clientCertificate:
-                            description: REQUIRED if mode is `MUTUAL`. The path to
-                              the file holding the client-side TLS certificate to
-                              use. Should be empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          mode:
-                            description: 'REQUIRED: Indicates whether connections
-                              to this port should be secured using TLS. The value
-                              of this field determines how TLS is enforced.'
-                            type: string
-                          privateKey:
-                            description: REQUIRED if mode is `MUTUAL`. The path to
-                              the file holding the client's private key. Should be
-                              empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          sni:
-                            description: SNI string to present to the server during
-                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
-                            type: string
-                          subjectAltNames:
-                            description: A list of alternate names to verify the subject
-                              identity in the certificate. If specified, the proxy
-                              will verify that the server certificate's subject alt
-                              name matches one of the specified values. Should be
-                              empty if mode is `ISTIO_MUTUAL`.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - mode
-                        type: object
-                    required:
-                    - port
-                    type: object
-                  type: array
-                tls:
-                  description: TLS related settings for connections to the upstream
-                    service.
-                  properties:
-                    caCertificates:
-                      description: 'OPTIONAL: The path to the file containing certificate
-                        authority certificates to use in verifying a presented server
-                        certificate. If omitted, the proxy will not verify the server''s
-                        certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
-                      type: string
-                    clientCertificate:
-                      description: REQUIRED if mode is `MUTUAL`. The path to the file
-                        holding the client-side TLS certificate to use. Should be
-                        empty if mode is `ISTIO_MUTUAL`.
-                      type: string
-                    mode:
-                      description: 'REQUIRED: Indicates whether connections to this
-                        port should be secured using TLS. The value of this field
-                        determines how TLS is enforced.'
-                      type: string
-                    privateKey:
-                      description: REQUIRED if mode is `MUTUAL`. The path to the file
-                        holding the client's private key. Should be empty if mode
-                        is `ISTIO_MUTUAL`.
-                      type: string
-                    sni:
-                      description: SNI string to present to the server during TLS
-                        handshake. Should be empty if mode is `ISTIO_MUTUAL`.
-                      type: string
-                    subjectAltNames:
-                      description: A list of alternate names to verify the subject
-                        identity in the certificate. If specified, the proxy will
-                        verify that the server certificate's subject alt name matches
-                        one of the specified values. Should be empty if mode is `ISTIO_MUTUAL`.
-                      items:
-                        type: string
-                      type: array
-                  required:
-                  - mode
-                  type: object
-              type: object
-          required:
-          - host
-          type: object
-      required:
-      - spec
-  version: v1alpha3
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/istio_v1alpha3_gateway.yaml
+++ b/config/crds/istio_v1alpha3_gateway.yaml
@@ -1,129 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: gateways.istio.kubesphere.io
-spec:
-  group: istio.kubesphere.io
-  names:
-    kind: Gateway
-    plural: gateways
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            selector:
-              description: One or more labels that indicate a specific set of pods/VMs
-                on which this gateway configuration should be applied. If no selectors
-                are provided, the gateway will be implemented by the default istio-ingress
-                controller.
-              type: object
-            servers:
-              description: 'REQUIRED: A list of server specifications.'
-              items:
-                properties:
-                  hosts:
-                    description: A list of hosts exposed by this gateway. While typically
-                      applicable to HTTP services, it can also be used for TCP services
-                      using TLS with SNI. Standard DNS wildcard prefix syntax is permitted.  A
-                      VirtualService that is bound to a gateway must having a matching
-                      host in its default destination. Specifically one of the VirtualService
-                      destination hosts is a strict suffix of a gateway host or a
-                      gateway host is a suffix of one of the VirtualService hosts.
-                    items:
-                      type: string
-                    type: array
-                  port:
-                    description: 'REQUIRED: The Port on which the proxy should listen
-                      for incoming connections'
-                    properties:
-                      name:
-                        description: Label assigned to the port.
-                        type: string
-                      number:
-                        description: 'REQUIRED: A valid non-negative integer port
-                          number.'
-                        format: int64
-                        type: integer
-                      protocol:
-                        description: 'REQUIRED: The protocol exposed on the port.
-                          MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP.'
-                        type: string
-                    required:
-                    - number
-                    - protocol
-                    type: object
-                  tls:
-                    description: Set of TLS related options that govern the server's
-                      behavior. Use these options to control if all http requests
-                      should be redirected to https, and the TLS modes to use.
-                    properties:
-                      caCertificates:
-                        description: REQUIRED if mode is "MUTUAL". The path to a file
-                          containing certificate authority certificates to use in
-                          verifying a presented client side certificate.
-                        type: string
-                      httpsRedirect:
-                        description: If set to true, the load balancer will send a
-                          302 redirect for all http connections, asking the clients
-                          to use HTTPS.
-                        type: boolean
-                      mode:
-                        description: 'Optional: Indicates whether connections to this
-                          port should be secured using TLS. The value of this field
-                          determines how TLS is enforced.'
-                        type: string
-                      privateKey:
-                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
-                          path to the file holding the server's private key.
-                        type: string
-                      serverCertificate:
-                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
-                          path to the file holding the server-side TLS certificate
-                          to use.
-                        type: string
-                      subjectAltNames:
-                        description: A list of alternate names to verify the subject
-                          identity in the certificate presented by the client.
-                        items:
-                          type: string
-                        type: array
-                    required:
-                    - httpsRedirect
-                    - serverCertificate
-                    - privateKey
-                    - caCertificates
-                    - subjectAltNames
-                    type: object
-                required:
-                - port
-                type: object
-              type: array
-          required:
-          - servers
-          type: object
-      required:
-      - spec
-  version: v1alpha3
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/istio_v1alpha3_virtualservice.yaml
+++ b/config/crds/istio_v1alpha3_virtualservice.yaml
@@ -1,695 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: null
-  labels:
-    controller-tools.k8s.io: "1.0"
-  name: virtualservices.istio.kubesphere.io
-spec:
-  group: istio.kubesphere.io
-  names:
-    kind: VirtualService
-    plural: virtualservices
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            gateways:
-              description: The names of gateways and sidecars that should apply these
-                routes. A single VirtualService is used for sidecars inside the mesh
-                as well as for one or more gateways. The selection condition imposed
-                by this field can be overridden using the source field in the match
-                conditions of HTTP/TCP routes. The reserved word "mesh" is used to
-                imply all the sidecars in the mesh. When this field is omitted, the
-                default gateway ("mesh") will be used, which would apply the rule
-                to all sidecars in the mesh. If a list of gateway names is provided,
-                the rules will apply only to the gateways. To apply the rules to both
-                gateways and sidecars, specify "mesh" as one of the gateway names.
-              items:
-                type: string
-              type: array
-            hosts:
-              description: REQUIRED. The destination address for traffic captured
-                by this virtual service. Could be a DNS name with wildcard prefix
-                or a CIDR prefix. Depending on the platform, short-names can also
-                be used instead of a FQDN (i.e. has no dots in the name). In such
-                a scenario, the FQDN of the host would be derived based on the underlying
-                platform.  For example on Kubernetes, when hosts contains a short
-                name, Istio will interpret the short name based on the namespace of
-                the rule. Thus, when a client namespace applies a rule in the "default"
-                namespace containing a name "reviews, Istio will setup routes to the
-                "reviews.default.svc.cluster.local" service. However, if a different
-                name such as "reviews.sales.svc.cluster.local" is used, it would be
-                treated as a FQDN during virtual host matching. In Consul, a plain
-                service name would be resolved to the FQDN "reviews.service.consul".  Note
-                that the hosts field applies to both HTTP and TCP services. Service
-                inside the mesh, i.e., those found in the service registry, must always
-                be referred to using their alphanumeric names. IP addresses or CIDR
-                prefixes are allowed only for services defined via the Gateway.
-              items:
-                type: string
-              type: array
-            http:
-              description: An ordered list of route rules for HTTP traffic. The first
-                rule matching an incoming request is used.
-              items:
-                properties:
-                  appendHeaders:
-                    description: Additional HTTP headers to add before forwarding
-                      a request to the destination service.
-                    type: object
-                  corsPolicy:
-                    description: Cross-Origin Resource Sharing policy
-                    properties:
-                      allowCredentials:
-                        description: Indicates whether the caller is allowed to send
-                          the actual request (not the preflight) using credentials.
-                          Translates to Access-Control-Allow-Credentials header.
-                        type: boolean
-                      allowHeaders:
-                        description: List of HTTP headers that can be used when requesting
-                          the resource. Serialized to Access-Control-Allow-Methods
-                          header.
-                        items:
-                          type: string
-                        type: array
-                      allowMethods:
-                        description: List of HTTP methods allowed to access the resource.
-                          The content will be serialized into the Access-Control-Allow-Methods
-                          header.
-                        items:
-                          type: string
-                        type: array
-                      allowOrigin:
-                        description: The list of origins that are allowed to perform
-                          CORS requests. The content will be serialized into the Access-Control-Allow-Origin
-                          header. Wildcard * will allow all origins.
-                        items:
-                          type: string
-                        type: array
-                      exposeHeaders:
-                        description: A white list of HTTP headers that the browsers
-                          are allowed to access. Serialized into Access-Control-Expose-Headers
-                          header.
-                        items:
-                          type: string
-                        type: array
-                      maxAge:
-                        description: Specifies how long the the results of a preflight
-                          request can be cached. Translates to the Access-Control-Max-Age
-                          header.
-                        type: string
-                    type: object
-                  fault:
-                    description: Fault injection policy to apply on HTTP traffic.
-                    properties:
-                      abort:
-                        description: Abort Http request attempts and return error
-                          codes back to downstream service, giving the impression
-                          that the upstream service is faulty.
-                        properties:
-                          httpStatus:
-                            description: REQUIRED. HTTP status code to use to abort
-                              the Http request.
-                            format: int64
-                            type: integer
-                          percent:
-                            description: Percentage of requests to be aborted with
-                              the error code provided (0-100).
-                            format: int64
-                            type: integer
-                        required:
-                        - httpStatus
-                        type: object
-                      delay:
-                        description: Delay requests before forwarding, emulating various
-                          failures such as network issues, overloaded upstream service,
-                          etc.
-                        properties:
-                          exponentialDelay:
-                            description: (-- Add a delay (based on an exponential
-                              function) before forwarding the request. mean delay
-                              needed to derive the exponential delay values --)
-                            type: string
-                          fixedDelay:
-                            description: 'REQUIRED. Add a fixed delay before forwarding
-                              the request. Format: 1h/1m/1s/1ms. MUST be >=1ms.'
-                            type: string
-                          percent:
-                            description: Percentage of requests on which the delay
-                              will be injected (0-100).
-                            format: int64
-                            type: integer
-                        required:
-                        - fixedDelay
-                        type: object
-                    type: object
-                  match:
-                    description: Match conditions to be satisfied for the rule to
-                      be activated. All conditions inside a single match block have
-                      AND semantics, while the list of match blocks have OR semantics.
-                      The rule is matched if any one of the match blocks succeed.
-                    items:
-                      properties:
-                        authority:
-                          description: 'HTTP Authority values are case-sensitive and
-                            formatted as follows:  - `exact: "value"` for exact string
-                            match  - `prefix: "value"` for prefix-based match  - `regex:
-                            "value"` for ECMAscript style regex-based match'
-                          properties:
-                            exact:
-                              description: exact string match
-                              type: string
-                            prefix:
-                              description: prefix-based match
-                              type: string
-                            regex:
-                              description: ECMAscript style regex-based match
-                              type: string
-                            suffix:
-                              description: suffix-based match.
-                              type: string
-                          type: object
-                        gateways:
-                          description: Names of gateways where the rule should be
-                            applied to. Gateway names at the top of the VirtualService
-                            (if any) are overridden. The gateway match is independent
-                            of sourceLabels.
-                          items:
-                            type: string
-                          type: array
-                        headers:
-                          description: 'The header keys must be lowercase and use
-                            hyphen as the separator, e.g. _x-request-id_.  Header
-                            values are case-sensitive and formatted as follows:  -
-                            `exact: "value"` for exact string match  - `prefix: "value"`
-                            for prefix-based match  - `regex: "value"` for ECMAscript
-                            style regex-based match  **Note:** The keys `uri`, `scheme`,
-                            `method`, and `authority` will be ignored.'
-                          type: object
-                        method:
-                          description: 'HTTP Method values are case-sensitive and
-                            formatted as follows:  - `exact: "value"` for exact string
-                            match  - `prefix: "value"` for prefix-based match  - `regex:
-                            "value"` for ECMAscript style regex-based match'
-                          properties:
-                            exact:
-                              description: exact string match
-                              type: string
-                            prefix:
-                              description: prefix-based match
-                              type: string
-                            regex:
-                              description: ECMAscript style regex-based match
-                              type: string
-                            suffix:
-                              description: suffix-based match.
-                              type: string
-                          type: object
-                        port:
-                          description: Specifies the ports on the host that is being
-                            addressed. Many services only expose a single port or
-                            label ports with the protocols they support, in these
-                            cases it is not required to explicitly select the port.
-                          format: int32
-                          type: integer
-                        scheme:
-                          description: 'URI Scheme values are case-sensitive and formatted
-                            as follows:  - `exact: "value"` for exact string match  -
-                            `prefix: "value"` for prefix-based match  - `regex: "value"`
-                            for ECMAscript style regex-based match'
-                          properties:
-                            exact:
-                              description: exact string match
-                              type: string
-                            prefix:
-                              description: prefix-based match
-                              type: string
-                            regex:
-                              description: ECMAscript style regex-based match
-                              type: string
-                            suffix:
-                              description: suffix-based match.
-                              type: string
-                          type: object
-                        sourceLabels:
-                          description: One or more labels that constrain the applicability
-                            of a rule to workloads with the given labels. If the VirtualService
-                            has a list of gateways specified at the top, it should
-                            include the reserved gateway `mesh` in order for this
-                            field to be applicable.
-                          type: object
-                        uri:
-                          description: 'URI to match values are case-sensitive and
-                            formatted as follows:  - `exact: "value"` for exact string
-                            match  - `prefix: "value"` for prefix-based match  - `regex:
-                            "value"` for ECMAscript style regex-based match'
-                          properties:
-                            exact:
-                              description: exact string match
-                              type: string
-                            prefix:
-                              description: prefix-based match
-                              type: string
-                            regex:
-                              description: ECMAscript style regex-based match
-                              type: string
-                            suffix:
-                              description: suffix-based match.
-                              type: string
-                          type: object
-                      type: object
-                    type: array
-                  mirror:
-                    description: Mirror HTTP traffic to a another destination in addition
-                      to forwarding the requests to the intended destination. Mirrored
-                      traffic is on a best effort basis where the sidecar/gateway
-                      will not wait for the mirrored cluster to respond before returning
-                      the response from the original destination.  Statistics will
-                      be generated for the mirrored destination.
-                    properties:
-                      host:
-                        description: 'REQUIRED. The name of a service from the service
-                          registry. Service names are looked up from the platform''s
-                          service registry (e.g., Kubernetes services, Consul services,
-                          etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
-                          Traffic forwarded to destinations that are not found in
-                          either of the two, will be dropped.  *Note for Kubernetes
-                          users*: When short names are used (e.g. "reviews" instead
-                          of "reviews.default.svc.cluster.local"), Istio will interpret
-                          the short name based on the namespace of the rule, not the
-                          service. A rule in the "default" namespace containing a
-                          host "reviews will be interpreted as "reviews.default.svc.cluster.local",
-                          irrespective of the actual namespace associated with the
-                          reviews service. _To avoid potential misconfigurations,
-                          it is recommended to always use fully qualified domain names
-                          over short names._'
-                        type: string
-                      port:
-                        description: Specifies the port on the host that is being
-                          addressed. If a service exposes only a single port it is
-                          not required to explicitly select the port.
-                        properties:
-                          name:
-                            description: Valid port name
-                            type: string
-                          number:
-                            description: Valid port number
-                            format: int32
-                            type: integer
-                        type: object
-                      subset:
-                        description: The name of a subset within the service. Applicable
-                          only to services within the mesh. The subset must be defined
-                          in a corresponding DestinationRule.
-                        type: string
-                    required:
-                    - host
-                    type: object
-                  redirect:
-                    description: A http rule can either redirect or forward (default)
-                      traffic. If traffic passthrough option is specified in the rule,
-                      route/redirect will be ignored. The redirect primitive can be
-                      used to send a HTTP 302 redirect to a different URI or Authority.
-                    properties:
-                      authority:
-                        description: On a redirect, overwrite the Authority/Host portion
-                          of the URL with this value.
-                        type: string
-                      uri:
-                        description: On a redirect, overwrite the Path portion of
-                          the URL with this value. Note that the entire path will
-                          be replaced, irrespective of the request URI being matched
-                          as an exact path or prefix.
-                        type: string
-                    type: object
-                  removeResponseHeaders:
-                    description: Http headers to remove before returning the response
-                      to the caller
-                    type: object
-                  retries:
-                    description: Retry policy for HTTP requests.
-                    properties:
-                      attempts:
-                        description: REQUIRED. Number of retries for a given request.
-                          The interval between retries will be determined automatically
-                          (25ms+). Actual number of retries attempted depends on the
-                          httpReqTimeout.
-                        format: int64
-                        type: integer
-                      perTryTimeout:
-                        description: 'Timeout per retry attempt for a given request.
-                          format: 1h/1m/1s/1ms. MUST BE >=1ms.'
-                        type: string
-                    required:
-                    - attempts
-                    - perTryTimeout
-                    type: object
-                  rewrite:
-                    description: Rewrite HTTP URIs and Authority headers. Rewrite
-                      cannot be used with Redirect primitive. Rewrite will be performed
-                      before forwarding.
-                    properties:
-                      authority:
-                        description: rewrite the Authority/Host header with this value.
-                        type: string
-                      uri:
-                        description: rewrite the path (or the prefix) portion of the
-                          URI with this value. If the original URI was matched based
-                          on prefix, the value provided in this field will replace
-                          the corresponding matched prefix.
-                        type: string
-                    type: object
-                  route:
-                    description: A http rule can either redirect or forward (default)
-                      traffic. The forwarding target can be one of several versions
-                      of a service (see glossary in beginning of document). Weights
-                      associated with the service version determine the proportion
-                      of traffic it receives.
-                    items:
-                      properties:
-                        destination:
-                          description: REQUIRED. Destination uniquely identifies the
-                            instances of a service to which the request/connection
-                            should be forwarded to.
-                          properties:
-                            host:
-                              description: 'REQUIRED. The name of a service from the
-                                service registry. Service names are looked up from
-                                the platform''s service registry (e.g., Kubernetes
-                                services, Consul services, etc.) and from the hosts
-                                declared by [ServiceEntry](#ServiceEntry). Traffic
-                                forwarded to destinations that are not found in either
-                                of the two, will be dropped.  *Note for Kubernetes
-                                users*: When short names are used (e.g. "reviews"
-                                instead of "reviews.default.svc.cluster.local"), Istio
-                                will interpret the short name based on the namespace
-                                of the rule, not the service. A rule in the "default"
-                                namespace containing a host "reviews will be interpreted
-                                as "reviews.default.svc.cluster.local", irrespective
-                                of the actual namespace associated with the reviews
-                                service. _To avoid potential misconfigurations, it
-                                is recommended to always use fully qualified domain
-                                names over short names._'
-                              type: string
-                            port:
-                              description: Specifies the port on the host that is
-                                being addressed. If a service exposes only a single
-                                port it is not required to explicitly select the port.
-                              properties:
-                                name:
-                                  description: Valid port name
-                                  type: string
-                                number:
-                                  description: Valid port number
-                                  format: int32
-                                  type: integer
-                              type: object
-                            subset:
-                              description: The name of a subset within the service.
-                                Applicable only to services within the mesh. The subset
-                                must be defined in a corresponding DestinationRule.
-                              type: string
-                          required:
-                          - host
-                          type: object
-                        weight:
-                          description: REQUIRED. The proportion of traffic to be forwarded
-                            to the service version. (0-100). Sum of weights across
-                            destinations SHOULD BE == 100. If there is only destination
-                            in a rule, the weight value is assumed to be 100.
-                          format: int64
-                          type: integer
-                      required:
-                      - destination
-                      - weight
-                      type: object
-                    type: array
-                  timeout:
-                    description: Timeout for HTTP requests.
-                    type: string
-                  websocketUpgrade:
-                    description: Indicates that a HTTP/1.1 client connection to this
-                      particular route should be allowed (and expected) to upgrade
-                      to a WebSocket connection. The default is false. Istio's reference
-                      sidecar implementation (Envoy) expects the first request to
-                      this route to contain the WebSocket upgrade headers. Otherwise,
-                      the request will be rejected. Note that Websocket allows secondary
-                      protocol negotiation which may then be subject to further routing
-                      rules based on the protocol selected.
-                    type: boolean
-                type: object
-              type: array
-            tcp:
-              description: An ordered list of route rules for TCP traffic. The first
-                rule matching an incoming request is used.
-              items:
-                properties:
-                  match:
-                    description: Match conditions to be satisfied for the rule to
-                      be activated. All conditions inside a single match block have
-                      AND semantics, while the list of match blocks have OR semantics.
-                      The rule is matched if any one of the match blocks succeed.
-                    items:
-                      properties:
-                        destinationSubnets:
-                          description: IPv4 or IPv6 ip address of destination with
-                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
-                          items:
-                            type: string
-                          type: array
-                        gateways:
-                          description: Names of gateways where the rule should be
-                            applied to. Gateway names at the top of the VirtualService
-                            (if any) are overridden. The gateway match is independent
-                            of sourceLabels.
-                          items:
-                            type: string
-                          type: array
-                        port:
-                          description: Specifies the port on the host that is being
-                            addressed. Many services only expose a single port or
-                            label ports with the protocols they support, in these
-                            cases it is not required to explicitly select the port.
-                          format: int64
-                          type: integer
-                        sourceLabels:
-                          description: One or more labels that constrain the applicability
-                            of a rule to workloads with the given labels. If the VirtualService
-                            has a list of gateways specified at the top, it should
-                            include the reserved gateway `mesh` in order for this
-                            field to be applicable.
-                          type: object
-                      type: object
-                    type: array
-                  route:
-                    description: The destinations to which the connection should be
-                      forwarded to. Weights must add to 100%.
-                    items:
-                      properties:
-                        destination:
-                          description: REQUIRED. Destination uniquely identifies the
-                            instances of a service to which the request/connection
-                            should be forwarded to.
-                          properties:
-                            host:
-                              description: 'REQUIRED. The name of a service from the
-                                service registry. Service names are looked up from
-                                the platform''s service registry (e.g., Kubernetes
-                                services, Consul services, etc.) and from the hosts
-                                declared by [ServiceEntry](#ServiceEntry). Traffic
-                                forwarded to destinations that are not found in either
-                                of the two, will be dropped.  *Note for Kubernetes
-                                users*: When short names are used (e.g. "reviews"
-                                instead of "reviews.default.svc.cluster.local"), Istio
-                                will interpret the short name based on the namespace
-                                of the rule, not the service. A rule in the "default"
-                                namespace containing a host "reviews will be interpreted
-                                as "reviews.default.svc.cluster.local", irrespective
-                                of the actual namespace associated with the reviews
-                                service. _To avoid potential misconfigurations, it
-                                is recommended to always use fully qualified domain
-                                names over short names._'
-                              type: string
-                            port:
-                              description: Specifies the port on the host that is
-                                being addressed. If a service exposes only a single
-                                port it is not required to explicitly select the port.
-                              properties:
-                                name:
-                                  description: Valid port name
-                                  type: string
-                                number:
-                                  description: Valid port number
-                                  format: int32
-                                  type: integer
-                              type: object
-                            subset:
-                              description: The name of a subset within the service.
-                                Applicable only to services within the mesh. The subset
-                                must be defined in a corresponding DestinationRule.
-                              type: string
-                          required:
-                          - host
-                          type: object
-                        weight:
-                          description: REQUIRED. The proportion of traffic to be forwarded
-                            to the service version. (0-100). Sum of weights across
-                            destinations SHOULD BE == 100. If there is only destination
-                            in a rule, the weight value is assumed to be 100.
-                          format: int64
-                          type: integer
-                      required:
-                      - destination
-                      - weight
-                      type: object
-                    type: array
-                required:
-                - match
-                - route
-                type: object
-              type: array
-            tls:
-              items:
-                properties:
-                  match:
-                    description: REQUIRED. Match conditions to be satisfied for the
-                      rule to be activated. All conditions inside a single match block
-                      have AND semantics, while the list of match blocks have OR semantics.
-                      The rule is matched if any one of the match blocks succeed.
-                    items:
-                      properties:
-                        destinationSubnets:
-                          description: IPv4 or IPv6 ip addresses of destination with
-                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
-                          items:
-                            type: string
-                          type: array
-                        gateways:
-                          description: Names of gateways where the rule should be
-                            applied to. Gateway names at the top of the VirtualService
-                            (if any) are overridden. The gateway match is independent
-                            of sourceLabels.
-                          items:
-                            type: string
-                          type: array
-                        port:
-                          description: Specifies the port on the host that is being
-                            addressed. Many services only expose a single port or
-                            label ports with the protocols they support, in these
-                            cases it is not required to explicitly select the port.
-                          format: int64
-                          type: integer
-                        sniHosts:
-                          description: REQUIRED. SNI (server name indicator) to match
-                            on. Wildcard prefixes can be used in the SNI value, e.g.,
-                            *.com will match foo.example.com as well as example.com.
-                            An SNI value must be a subset (i.e., fall within the domain)
-                            of the corresponding virtual service's hosts
-                          items:
-                            type: string
-                          type: array
-                        sourceLabels:
-                          description: One or more labels that constrain the applicability
-                            of a rule to workloads with the given labels. If the VirtualService
-                            has a list of gateways specified at the top, it should
-                            include the reserved gateway `mesh` in order for this
-                            field to be applicable.
-                          type: object
-                      required:
-                      - sniHosts
-                      type: object
-                    type: array
-                  route:
-                    description: The destination to which the connection should be
-                      forwarded to.
-                    items:
-                      properties:
-                        destination:
-                          description: REQUIRED. Destination uniquely identifies the
-                            instances of a service to which the request/connection
-                            should be forwarded to.
-                          properties:
-                            host:
-                              description: 'REQUIRED. The name of a service from the
-                                service registry. Service names are looked up from
-                                the platform''s service registry (e.g., Kubernetes
-                                services, Consul services, etc.) and from the hosts
-                                declared by [ServiceEntry](#ServiceEntry). Traffic
-                                forwarded to destinations that are not found in either
-                                of the two, will be dropped.  *Note for Kubernetes
-                                users*: When short names are used (e.g. "reviews"
-                                instead of "reviews.default.svc.cluster.local"), Istio
-                                will interpret the short name based on the namespace
-                                of the rule, not the service. A rule in the "default"
-                                namespace containing a host "reviews will be interpreted
-                                as "reviews.default.svc.cluster.local", irrespective
-                                of the actual namespace associated with the reviews
-                                service. _To avoid potential misconfigurations, it
-                                is recommended to always use fully qualified domain
-                                names over short names._'
-                              type: string
-                            port:
-                              description: Specifies the port on the host that is
-                                being addressed. If a service exposes only a single
-                                port it is not required to explicitly select the port.
-                              properties:
-                                name:
-                                  description: Valid port name
-                                  type: string
-                                number:
-                                  description: Valid port number
-                                  format: int32
-                                  type: integer
-                              type: object
-                            subset:
-                              description: The name of a subset within the service.
-                                Applicable only to services within the mesh. The subset
-                                must be defined in a corresponding DestinationRule.
-                              type: string
-                          required:
-                          - host
-                          type: object
-                        weight:
-                          description: REQUIRED. The proportion of traffic to be forwarded
-                            to the service version. (0-100). Sum of weights across
-                            destinations SHOULD BE == 100. If there is only destination
-                            in a rule, the weight value is assumed to be 100.
-                          format: int64
-                          type: integer
-                      required:
-                      - destination
-                      - weight
-                      type: object
-                    type: array
-                required:
-                - match
-                - route
-                type: object
-              type: array
-          required:
-          - hosts
-          type: object
-      required:
-      - spec
-  version: v1alpha3
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/monitoring.kubesphere.io_clusterdashboards.yaml
+++ b/config/crds/monitoring.kubesphere.io_clusterdashboards.yaml
@@ -1,184 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.2.4
-  creationTimestamp: null
-  name: clusterdashboards.monitoring.kubesphere.io
-spec:
-  group: monitoring.kubesphere.io
-  names:
-    kind: ClusterDashboard
-    listKind: ClusterDashboardList
-    plural: clusterdashboards
-    singular: clusterdashboard
-  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      description: ClusterDashboard is the Schema for the culsterdashboards API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: DashboardSpec defines the desired state of Dashboard
-          properties:
-            datasource:
-              description: Dashboard datasource
-              type: string
-            description:
-              description: Dashboard description
-              type: string
-            panels:
-              description: Collection of panels. Panel is one of [Row](row.md), [Singlestat](#singlestat.md)
-                or [Graph](graph.md)
-              items:
-                description: Supported panel type
-                properties:
-                  bars:
-                    description: Display as a bar chart
-                    type: boolean
-                  colors:
-                    description: Set series color
-                    items:
-                      type: string
-                    type: array
-                  decimals:
-                    description: Limit the decimal numbers
-                    format: int64
-                    type: integer
-                  description:
-                    description: Panel description
-                    type: string
-                  format:
-                    description: Display unit
-                    type: string
-                  id:
-                    description: Panel ID
-                    format: int64
-                    type: integer
-                  lines:
-                    description: Display as a line chart
-                    type: boolean
-                  stack:
-                    description: Display as a stacked chart
-                    type: boolean
-                  targets:
-                    allOf:
-                    - items:
-                        description: Query editor options
-                        properties:
-                          expr:
-                            description: Input for fetching metrics.
-                            type: string
-                          legendFormat:
-                            description: Legend format for outputs. You can make a
-                              dynamic legend with templating variables.
-                            type: string
-                          refId:
-                            description: Reference ID
-                            format: int64
-                            type: integer
-                          step:
-                            description: Set series time interval
-                            type: string
-                        type: object
-                    - items:
-                        description: Query editor options
-                        properties:
-                          expr:
-                            description: Input for fetching metrics.
-                            type: string
-                          legendFormat:
-                            description: Legend format for outputs. You can make a
-                              dynamic legend with templating variables.
-                            type: string
-                          refId:
-                            description: Reference ID
-                            format: int64
-                            type: integer
-                          step:
-                            description: Set series time interval
-                            type: string
-                        type: object
-                    description: A collection of queries
-                    type: array
-                  title:
-                    description: Name of the row panel
-                    type: string
-                  type:
-                    description: Must be `row`
-                    type: string
-                  yaxes:
-                    description: Y-axis options
-                    items:
-                      properties:
-                        decimals:
-                          description: Limit the decimal numbers
-                          format: int64
-                          type: integer
-                        format:
-                          description: Display unit
-                          type: string
-                      type: object
-                    type: array
-                required:
-                - type
-                type: object
-              type: array
-            templating:
-              description: Templating variables
-              items:
-                description: Templating defines a variable, which can be used as a
-                  placeholder in query
-                properties:
-                  name:
-                    description: Variable name
-                    type: string
-                  query:
-                    description: Set variable values to be the return result of the
-                      query
-                    type: string
-                type: object
-              type: array
-            time:
-              description: Time range for display
-              properties:
-                from:
-                  description: Start time in the format of `^now([+-][0-9]+[smhdwMy])?$`,
-                    eg. `now-1M`. It denotes the end time is set to the last month
-                    since now.
-                  type: string
-                to:
-                  description: End time in the format of `^now([+-][0-9]+[smhdwMy])?$`,
-                    eg. `now-1M`. It denotes the start time is set to the last month
-                    since now.
-                  type: string
-              type: object
-            title:
-              description: Dashboard title
-              type: string
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/monitoring.kubesphere.io_dashboards.yaml
+++ b/config/crds/monitoring.kubesphere.io_dashboards.yaml
@@ -1,184 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.2.4
-  creationTimestamp: null
-  name: dashboards.monitoring.kubesphere.io
-spec:
-  group: monitoring.kubesphere.io
-  names:
-    kind: Dashboard
-    listKind: DashboardList
-    plural: dashboards
-    singular: dashboard
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      description: Dashboard is the Schema for the dashboards API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: DashboardSpec defines the desired state of Dashboard
-          properties:
-            datasource:
-              description: Dashboard datasource
-              type: string
-            description:
-              description: Dashboard description
-              type: string
-            panels:
-              description: Collection of panels. Panel is one of [Row](row.md), [Singlestat](#singlestat.md)
-                or [Graph](graph.md)
-              items:
-                description: Supported panel type
-                properties:
-                  bars:
-                    description: Display as a bar chart
-                    type: boolean
-                  colors:
-                    description: Set series color
-                    items:
-                      type: string
-                    type: array
-                  decimals:
-                    description: Limit the decimal numbers
-                    format: int64
-                    type: integer
-                  description:
-                    description: Panel description
-                    type: string
-                  format:
-                    description: Display unit
-                    type: string
-                  id:
-                    description: Panel ID
-                    format: int64
-                    type: integer
-                  lines:
-                    description: Display as a line chart
-                    type: boolean
-                  stack:
-                    description: Display as a stacked chart
-                    type: boolean
-                  targets:
-                    allOf:
-                    - items:
-                        description: Query editor options
-                        properties:
-                          expr:
-                            description: Input for fetching metrics.
-                            type: string
-                          legendFormat:
-                            description: Legend format for outputs. You can make a
-                              dynamic legend with templating variables.
-                            type: string
-                          refId:
-                            description: Reference ID
-                            format: int64
-                            type: integer
-                          step:
-                            description: Set series time interval
-                            type: string
-                        type: object
-                    - items:
-                        description: Query editor options
-                        properties:
-                          expr:
-                            description: Input for fetching metrics.
-                            type: string
-                          legendFormat:
-                            description: Legend format for outputs. You can make a
-                              dynamic legend with templating variables.
-                            type: string
-                          refId:
-                            description: Reference ID
-                            format: int64
-                            type: integer
-                          step:
-                            description: Set series time interval
-                            type: string
-                        type: object
-                    description: A collection of queries
-                    type: array
-                  title:
-                    description: Name of the row panel
-                    type: string
-                  type:
-                    description: Must be `row`
-                    type: string
-                  yaxes:
-                    description: Y-axis options
-                    items:
-                      properties:
-                        decimals:
-                          description: Limit the decimal numbers
-                          format: int64
-                          type: integer
-                        format:
-                          description: Display unit
-                          type: string
-                      type: object
-                    type: array
-                required:
-                - type
-                type: object
-              type: array
-            templating:
-              description: Templating variables
-              items:
-                description: Templating defines a variable, which can be used as a
-                  placeholder in query
-                properties:
-                  name:
-                    description: Variable name
-                    type: string
-                  query:
-                    description: Set variable values to be the return result of the
-                      query
-                    type: string
-                type: object
-              type: array
-            time:
-              description: Time range for display
-              properties:
-                from:
-                  description: Start time in the format of `^now([+-][0-9]+[smhdwMy])?$`,
-                    eg. `now-1M`. It denotes the end time is set to the last month
-                    since now.
-                  type: string
-                to:
-                  description: End time in the format of `^now([+-][0-9]+[smhdwMy])?$`,
-                    eg. `now-1M`. It denotes the start time is set to the last month
-                    since now.
-                  type: string
-              type: object
-            title:
-              description: Dashboard title
-              type: string
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/network.kubesphere.io_ipamblocks.yaml
+++ b/config/crds/network.kubesphere.io_ipamblocks.yaml
@@ -1,74 +1,75 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
  creationTimestamp: null
  name: ipamblocks.network.kubesphere.io
 spec:
  group: network.kubesphere.io
  names:
    kind: IPAMBlock
+    listKind: IPAMBlockList
    plural: ipamblocks
+    singular: ipamblock
  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          description: Standard object's metadata.
-          type: object
-        spec:
-          description: Specification of the IPAMBlock.
-          properties:
-            allocations:
-              items:
-                type: integer
-                nullable: true
-              type: array
-            attributes:
-              items:
-                properties:
-                  handle_id:
-                    type: string
-                  secondary:
-                    additionalProperties:
-                      type: string
-                    type: object
-                type: object
-              type: array
-            cidr:
-              type: string
-            deleted:
-              type: boolean
-            id:
-              format: int32
-              type: integer
-            unallocated:
-              items:
-                type: integer
-              type: array
-          required:
-          - allocations
-          - attributes
-          - cidr
-          - deleted
-          - id
-          - unallocated
-          type: object
-      type: object
-  version: v1alpha1
  versions:
  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of the IPAMBlock.
+            properties:
+              allocations:
+                items:
+                  type: integer
+                type: array
+              attributes:
+                items:
+                  properties:
+                    handle_id:
+                      type: string
+                    secondary:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  type: object
+                type: array
+              cidr:
+                type: string
+              deleted:
+                type: boolean
+              id:
+                format: int32
+                type: integer
+              unallocated:
+                items:
+                  type: integer
+                type: array
+            required:
+            - allocations
+            - attributes
+            - cidr
+            - deleted
+            - id
+            - unallocated
+            type: object
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/network.kubesphere.io_ipamhandles.yaml
+++ b/config/crds/network.kubesphere.io_ipamhandles.yaml
@@ -1,52 +1,54 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
  creationTimestamp: null
  name: ipamhandles.network.kubesphere.io
 spec:
  group: network.kubesphere.io
  names:
    kind: IPAMHandle
+    listKind: IPAMHandleList
    plural: ipamhandles
+    singular: ipamhandle
  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          description: Standard object's metadata.
-          type: object
-        spec:
-          description: Specification of the IPAMHandle.
-          properties:
-            block:
-              additionalProperties:
-                type: integer
-              type: object
-            deleted:
-              type: boolean
-            handleID:
-              type: string
-          required:
-          - block
-          - deleted
-          - handleID
-          type: object
-      type: object
-  version: v1alpha1
  versions:
  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of the IPAMHandle.
+            properties:
+              block:
+                additionalProperties:
+                  type: integer
+                type: object
+              deleted:
+                type: boolean
+              handleID:
+                type: string
+            required:
+            - block
+            - deleted
+            - handleID
+            type: object
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/network.kubesphere.io_ippools.yaml
+++ b/config/crds/network.kubesphere.io_ippools.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -15,120 +15,119 @@ spec:
    plural: ippools
    singular: ippool
  scope: Cluster
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            blockSize:
-              description: The block size to use for IP address assignments from this
-                pool. Defaults to 26 for IPv4 and 112 for IPv6.
-              type: integer
-            cidr:
-              description: The pool CIDR.
-              type: string
-            disabled:
-              description: When disabled is true, IPAM will not assign addresses from
-                this pool.
-              type: boolean
-            dns:
-              description: DNS contains values interesting for DNS resolvers
-              properties:
-                domain:
-                  type: string
-                nameservers:
-                  items:
-                    type: string
-                  type: array
-                options:
-                  items:
-                    type: string
-                  type: array
-                search:
-                  items:
-                    type: string
-                  type: array
-              type: object
-            gateway:
-              type: string
-            rangeEnd:
-              description: The last ip, inclusive
-              type: string
-            rangeStart:
-              description: The first ip, inclusive
-              type: string
-            routes:
-              items:
-                properties:
-                  dst:
-                    type: string
-                  gateway:
-                    type: string
-                type: object
-              type: array
-            type:
-              type: string
-            vlanConfig:
-              properties:
-                master:
-                  type: string
-                vlanId:
-                  format: int32
-                  type: integer
-              required:
-              - master
-              - vlanId
-              type: object
-          required:
-          - cidr
-          - type
-          type: object
-        status:
-          properties:
-            allocations:
-              type: integer
-            capacity:
-              type: integer
-            reserved:
-              type: integer
-            synced:
-              type: boolean
-            unallocated:
-              type: integer
-            workspaces:
-              additionalProperties:
-                properties:
-                  allocations:
-                    type: integer
-                required:
-                - allocations
-                type: object
-              type: object
-          required:
-          - allocations
-          - capacity
-          - unallocated
-          type: object
-      type: object
-  version: v1alpha1
  versions:
  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              blockSize:
+                description: The block size to use for IP address assignments from
+                  this pool. Defaults to 26 for IPv4 and 112 for IPv6.
+                type: integer
+              cidr:
+                description: The pool CIDR.
+                type: string
+              disabled:
+                description: When disabled is true, IPAM will not assign addresses
+                  from this pool.
+                type: boolean
+              dns:
+                description: DNS contains values interesting for DNS resolvers
+                properties:
+                  domain:
+                    type: string
+                  nameservers:
+                    items:
+                      type: string
+                    type: array
+                  options:
+                    items:
+                      type: string
+                    type: array
+                  search:
+                    items:
+                      type: string
+                    type: array
+                type: object
+              gateway:
+                type: string
+              rangeEnd:
+                description: The last ip, inclusive
+                type: string
+              rangeStart:
+                description: The first ip, inclusive
+                type: string
+              routes:
+                items:
+                  properties:
+                    dst:
+                      type: string
+                    gateway:
+                      type: string
+                  type: object
+                type: array
+              type:
+                type: string
+              vlanConfig:
+                properties:
+                  master:
+                    type: string
+                  vlanId:
+                    format: int32
+                    type: integer
+                required:
+                - master
+                - vlanId
+                type: object
+            required:
+            - cidr
+            - type
+            type: object
+          status:
+            properties:
+              allocations:
+                type: integer
+              capacity:
+                type: integer
+              reserved:
+                type: integer
+              synced:
+                type: boolean
+              unallocated:
+                type: integer
+              workspaces:
+                additionalProperties:
+                  properties:
+                    allocations:
+                      type: integer
+                  required:
+                  - allocations
+                  type: object
+                type: object
+            required:
+            - allocations
+            - capacity
+            - unallocated
+            type: object
+        type: object
    served: true
    storage: true
+    subresources:
+      status: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml
+++ b/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -19,236 +19,263 @@ spec:
    - nsnp
    singular: namespacenetworkpolicy
  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      description: NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies
-        API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: NamespaceNetworkPolicySpec provides the specification of a
-            NamespaceNetworkPolicy
-          properties:
-            egress:
-              description: List of egress rules to be applied to the selected pods.
-                Outgoing traffic is allowed if there are no NetworkPolicies selecting
-                the pod (and cluster policy otherwise allows the traffic), OR if the
-                traffic matches at least one egress rule across all of the NetworkPolicy
-                objects whose podSelector matches the pod. If this field is empty
-                then this NetworkPolicy limits all outgoing traffic (and serves solely
-                to ensure that the pods it selects are isolated by default). This
-                field is beta-level in 1.8
-              items:
-                description: NetworkPolicyEgressRule describes a particular set of
-                  traffic that is allowed out of pods matched by a NetworkPolicySpec's
-                  podSelector. The traffic must match both ports and to. This type
-                  is beta-level in 1.8
-                properties:
-                  ports:
-                    description: List of destination ports for outgoing traffic. Each
-                      item in this list is combined using a logical OR. If this field
-                      is empty or missing, this rule matches all ports (traffic not
-                      restricted by port). If this field is present and contains at
-                      least one item, then this rule allows traffic only if the traffic
-                      matches at least one port in the list.
-                    items:
-                      description: NetworkPolicyPort describes a port to allow traffic
-                        on
-                      properties:
-                        port:
-                          anyOf:
-                          - type: integer
-                          - type: string
-                          description: The port on the given protocol. This can either
-                            be a numerical or named port on a pod. If this field is
-                            not provided, this matches all port names and numbers.
-                          x-kubernetes-int-or-string: true
-                        protocol:
-                          description: The protocol (TCP, UDP, or SCTP) which traffic
-                            must match. If not specified, this field defaults to TCP.
-                          type: string
-                      type: object
-                    type: array
-                  to:
-                    description: List of destinations for outgoing traffic of pods
-                      selected for this rule. Items in this list are combined using
-                      a logical OR operation. If this field is empty or missing, this
-                      rule matches all destinations (traffic not restricted by destination).
-                      If this field is present and contains at least one item, this
-                      rule allows traffic only if the traffic matches at least one
-                      item in the to list.
-                    items:
-                      description: NetworkPolicyPeer describes a peer to allow traffic
-                        from. Only certain combinations of fields are allowed
-                      properties:
-                        ipBlock:
-                          description: IPBlock defines policy on a particular IPBlock.
-                            If this field is set then neither of the other fields
-                            can be.
-                          properties:
-                            cidr:
-                              description: CIDR is a string representing the IP Block
-                                Valid examples are "192.168.1.1/24"
-                              type: string
-                            except:
-                              description: Except is a slice of CIDRs that should
-                                not be included within an IP Block Valid examples
-                                are "192.168.1.1/24" Except values will be rejected
-                                if they are outside the CIDR range
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - cidr
-                          type: object
-                        namespace:
-                          properties:
-                            name:
-                              type: string
-                          required:
-                          - name
-                          type: object
-                        service:
-                          properties:
-                            name:
-                              type: string
-                            namespace:
-                              type: string
-                          required:
-                          - name
-                          - namespace
-                          type: object
-                      type: object
-                    type: array
-                type: object
-              type: array
-            ingress:
-              description: List of ingress rules to be applied to the selected pods.
-                Traffic is allowed to a pod if there are no NetworkPolicies selecting
-                the pod (and cluster policy otherwise allows the traffic), OR if the
-                traffic source is the pod's local node, OR if the traffic matches
-                at least one ingress rule across all of the NetworkPolicy objects
-                whose podSelector matches the pod. If this field is empty then this
-                NetworkPolicy does not allow any traffic (and serves solely to ensure
-                that the pods it selects are isolated by default)
-              items:
-                description: NetworkPolicyIngressRule describes a particular set of
-                  traffic that is allowed to the pods matched by a NetworkPolicySpec's
-                  podSelector. The traffic must match both ports and from.
-                properties:
-                  from:
-                    description: List of sources which should be able to access the
-                      pods selected for this rule. Items in this list are combined
-                      using a logical OR operation. If this field is empty or missing,
-                      this rule matches all sources (traffic not restricted by source).
-                      If this field is present and contains at least one item, this
-                      rule allows traffic only if the traffic matches at least one
-                      item in the from list.
-                    items:
-                      description: NetworkPolicyPeer describes a peer to allow traffic
-                        from. Only certain combinations of fields are allowed
-                      properties:
-                        ipBlock:
-                          description: IPBlock defines policy on a particular IPBlock.
-                            If this field is set then neither of the other fields
-                            can be.
-                          properties:
-                            cidr:
-                              description: CIDR is a string representing the IP Block
-                                Valid examples are "192.168.1.1/24"
-                              type: string
-                            except:
-                              description: Except is a slice of CIDRs that should
-                                not be included within an IP Block Valid examples
-                                are "192.168.1.1/24" Except values will be rejected
-                                if they are outside the CIDR range
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - cidr
-                          type: object
-                        namespace:
-                          properties:
-                            name:
-                              type: string
-                          required:
-                          - name
-                          type: object
-                        service:
-                          properties:
-                            name:
-                              type: string
-                            namespace:
-                              type: string
-                          required:
-                          - name
-                          - namespace
-                          type: object
-                      type: object
-                    type: array
-                  ports:
-                    description: List of ports which should be made accessible on
-                      the pods selected for this rule. Each item in this list is combined
-                      using a logical OR. If this field is empty or missing, this
-                      rule matches all ports (traffic not restricted by port). If
-                      this field is present and contains at least one item, then this
-                      rule allows traffic only if the traffic matches at least one
-                      port in the list.
-                    items:
-                      description: NetworkPolicyPort describes a port to allow traffic
-                        on
-                      properties:
-                        port:
-                          anyOf:
-                          - type: integer
-                          - type: string
-                          description: The port on the given protocol. This can either
-                            be a numerical or named port on a pod. If this field is
-                            not provided, this matches all port names and numbers.
-                          x-kubernetes-int-or-string: true
-                        protocol:
-                          description: The protocol (TCP, UDP, or SCTP) which traffic
-                            must match. If not specified, this field defaults to TCP.
-                          type: string
-                      type: object
-                    type: array
-                type: object
-              type: array
-            policyTypes:
-              description: List of rule types that the NetworkPolicy relates to. Valid
-                options are "Ingress", "Egress", or "Ingress,Egress". If this field
-                is not specified, it will default based on the existence of Ingress
-                or Egress rules; policies that contain an Egress section are assumed
-                to affect Egress, and all policies (whether or not they contain an
-                Ingress section) are assumed to affect Ingress. If you want to write
-                an egress-only policy, you must explicitly specify policyTypes [ "Egress"
-                ]. Likewise, if you want to write a policy that specifies that no
-                egress is allowed, you must specify a policyTypes value that include
-                "Egress" (since such a policy would not include an Egress section
-                and would otherwise default to just [ "Ingress" ]). This field is
-                beta-level in 1.8
-              items:
-                description: Policy Type string describes the NetworkPolicy type This
-                  type is beta-level in 1.8
-                type: string
-              type: array
-          type: object
-      type: object
-  version: v1alpha1
  versions:
  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: NamespaceNetworkPolicySpec provides the specification of
+              a NamespaceNetworkPolicy
+            properties:
+              egress:
+                description: List of egress rules to be applied to the selected pods.
+                  Outgoing traffic is allowed if there are no NetworkPolicies selecting
+                  the pod (and cluster policy otherwise allows the traffic), OR if
+                  the traffic matches at least one egress rule across all of the NetworkPolicy
+                  objects whose podSelector matches the pod. If this field is empty
+                  then this NetworkPolicy limits all outgoing traffic (and serves
+                  solely to ensure that the pods it selects are isolated by default).
+                  This field is beta-level in 1.8
+                items:
+                  description: NetworkPolicyEgressRule describes a particular set
+                    of traffic that is allowed out of pods matched by a NetworkPolicySpec's
+                    podSelector. The traffic must match both ports and to. This type
+                    is beta-level in 1.8
+                  properties:
+                    ports:
+                      description: List of destination ports for outgoing traffic.
+                        Each item in this list is combined using a logical OR. If
+                        this field is empty or missing, this rule matches all ports
+                        (traffic not restricted by port). If this field is present
+                        and contains at least one item, then this rule allows traffic
+                        only if the traffic matches at least one port in the list.
+                      items:
+                        description: NetworkPolicyPort describes a port to allow traffic
+                          on
+                        properties:
+                          endPort:
+                            description: If set, indicates that the range of ports
+                              from port to endPort, inclusive, should be allowed by
+                              the policy. This field cannot be defined if the port
+                              field is not defined or if the port field is defined
+                              as a named (string) port. The endPort must be equal
+                              or greater than port. This feature is in Alpha state
+                              and should be enabled using the Feature Gate "NetworkPolicyEndPort".
+                            format: int32
+                            type: integer
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: The port on the given protocol. This can
+                              either be a numerical or named port on a pod. If this
+                              field is not provided, this matches all port names and
+                              numbers. If present, only traffic on the specified protocol
+                              AND port will be matched.
+                            x-kubernetes-int-or-string: true
+                          protocol:
+                            default: TCP
+                            description: The protocol (TCP, UDP, or SCTP) which traffic
+                              must match. If not specified, this field defaults to
+                              TCP.
+                            type: string
+                        type: object
+                      type: array
+                    to:
+                      description: List of destinations for outgoing traffic of pods
+                        selected for this rule. Items in this list are combined using
+                        a logical OR operation. If this field is empty or missing,
+                        this rule matches all destinations (traffic not restricted
+                        by destination). If this field is present and contains at
+                        least one item, this rule allows traffic only if the traffic
+                        matches at least one item in the to list.
+                      items:
+                        description: NetworkPolicyPeer describes a peer to allow traffic
+                          from. Only certain combinations of fields are allowed
+                        properties:
+                          ipBlock:
+                            description: IPBlock defines policy on a particular IPBlock.
+                              If this field is set then neither of the other fields
+                              can be.
+                            properties:
+                              cidr:
+                                description: CIDR is a string representing the IP
+                                  Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
+                                type: string
+                              except:
+                                description: Except is a slice of CIDRs that should
+                                  not be included within an IP Block Valid examples
+                                  are "192.168.1.1/24" or "2001:db9::/64" Except values
+                                  will be rejected if they are outside the CIDR range
+                                items:
+                                  type: string
+                                type: array
+                            required:
+                            - cidr
+                            type: object
+                          namespace:
+                            properties:
+                              name:
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          service:
+                            properties:
+                              name:
+                                type: string
+                              namespace:
+                                type: string
+                            required:
+                            - name
+                            - namespace
+                            type: object
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              ingress:
+                description: List of ingress rules to be applied to the selected pods.
+                  Traffic is allowed to a pod if there are no NetworkPolicies selecting
+                  the pod (and cluster policy otherwise allows the traffic), OR if
+                  the traffic source is the pod's local node, OR if the traffic matches
+                  at least one ingress rule across all of the NetworkPolicy objects
+                  whose podSelector matches the pod. If this field is empty then this
+                  NetworkPolicy does not allow any traffic (and serves solely to ensure
+                  that the pods it selects are isolated by default)
+                items:
+                  description: NetworkPolicyIngressRule describes a particular set
+                    of traffic that is allowed to the pods matched by a NetworkPolicySpec's
+                    podSelector. The traffic must match both ports and from.
+                  properties:
+                    from:
+                      description: List of sources which should be able to access
+                        the pods selected for this rule. Items in this list are combined
+                        using a logical OR operation. If this field is empty or missing,
+                        this rule matches all sources (traffic not restricted by source).
+                        If this field is present and contains at least one item, this
+                        rule allows traffic only if the traffic matches at least one
+                        item in the from list.
+                      items:
+                        description: NetworkPolicyPeer describes a peer to allow traffic
+                          from. Only certain combinations of fields are allowed
+                        properties:
+                          ipBlock:
+                            description: IPBlock defines policy on a particular IPBlock.
+                              If this field is set then neither of the other fields
+                              can be.
+                            properties:
+                              cidr:
+                                description: CIDR is a string representing the IP
+                                  Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
+                                type: string
+                              except:
+                                description: Except is a slice of CIDRs that should
+                                  not be included within an IP Block Valid examples
+                                  are "192.168.1.1/24" or "2001:db9::/64" Except values
+                                  will be rejected if they are outside the CIDR range
+                                items:
+                                  type: string
+                                type: array
+                            required:
+                            - cidr
+                            type: object
+                          namespace:
+                            properties:
+                              name:
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          service:
+                            properties:
+                              name:
+                                type: string
+                              namespace:
+                                type: string
+                            required:
+                            - name
+                            - namespace
+                            type: object
+                        type: object
+                      type: array
+                    ports:
+                      description: List of ports which should be made accessible on
+                        the pods selected for this rule. Each item in this list is
+                        combined using a logical OR. If this field is empty or missing,
+                        this rule matches all ports (traffic not restricted by port).
+                        If this field is present and contains at least one item, then
+                        this rule allows traffic only if the traffic matches at least
+                        one port in the list.
+                      items:
+                        description: NetworkPolicyPort describes a port to allow traffic
+                          on
+                        properties:
+                          endPort:
+                            description: If set, indicates that the range of ports
+                              from port to endPort, inclusive, should be allowed by
+                              the policy. This field cannot be defined if the port
+                              field is not defined or if the port field is defined
+                              as a named (string) port. The endPort must be equal
+                              or greater than port. This feature is in Alpha state
+                              and should be enabled using the Feature Gate "NetworkPolicyEndPort".
+                            format: int32
+                            type: integer
+                          port:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: The port on the given protocol. This can
+                              either be a numerical or named port on a pod. If this
+                              field is not provided, this matches all port names and
+                              numbers. If present, only traffic on the specified protocol
+                              AND port will be matched.
+                            x-kubernetes-int-or-string: true
+                          protocol:
+                            default: TCP
+                            description: The protocol (TCP, UDP, or SCTP) which traffic
+                              must match. If not specified, this field defaults to
+                              TCP.
+                            type: string
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              policyTypes:
+                description: List of rule types that the NetworkPolicy relates to.
+                  Valid options are "Ingress", "Egress", or "Ingress,Egress". If this
+                  field is not specified, it will default based on the existence of
+                  Ingress or Egress rules; policies that contain an Egress section
+                  are assumed to affect Egress, and all policies (whether or not they
+                  contain an Ingress section) are assumed to affect Ingress. If you
+                  want to write an egress-only policy, you must explicitly specify
+                  policyTypes [ "Egress" ]. Likewise, if you want to write a policy
+                  that specifies that no egress is allowed, you must specify a policyTypes
+                  value that include "Egress" (since such a policy would not include
+                  an Egress section and would otherwise default to just [ "Ingress"
+                  ]). This field is beta-level in 1.8
+                items:
+                  description: PolicyType string describes the NetworkPolicy type
+                    This type is beta-level in 1.8
+                  type: string
+                type: array
+            type: object
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/notification.kubesphere.io_configs.yaml
+++ b/config/crds/notification.kubesphere.io_configs.yaml
@@ -1,283 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: configs.notification.kubesphere.io
-spec:
-  group: notification.kubesphere.io
-  names:
-    categories:
-    - notification-manager
-    kind: Config
-    listKind: ConfigList
-    plural: configs
-    shortNames:
-    - nc
-    singular: config
-  scope: Cluster
-  versions:
-  - name: v2beta1
-    schema:
-      openAPIV3Schema:
-        description: DingTalkConfig is the Schema for the dingtalkconfigs API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ConfigSpec defines the desired state of Config
-            properties:
-              dingtalk:
-                properties:
-                  conversation:
-                    description: Only needed when send alerts to the conversation.
-                    properties:
-                      appkey:
-                        description: The key of the application with which to send messages.
-                        properties:
-                          key:
-                            description: The key of the secret to select from.  Must be a valid secret key.
-                            type: string
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: The namespace of the secret, default to the pod's namespace.
-                            type: string
-                        required:
-                        - key
-                        type: object
-                      appsecret:
-                        description: The key in the secret to be used. Must be a valid secret key.
-                        properties:
-                          key:
-                            description: The key of the secret to select from.  Must be a valid secret key.
-                            type: string
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: The namespace of the secret, default to the pod's namespace.
-                            type: string
-                        required:
-                        - key
-                        type: object
-                    type: object
-                  labels:
-                    additionalProperties:
-                      type: string
-                    type: object
-                type: object
-              email:
-                properties:
-                  authIdentify:
-                    description: The identity for PLAIN authentication.
-                    type: string
-                  authPassword:
-                    description: The secret contains the SMTP password for LOGIN and PLAIN authentications.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be a valid secret key.
-                        type: string
-                      name:
-                        description: Name of the secret.
-                        type: string
-                      namespace:
-                        description: The namespace of the secret, default to the pod's namespace.
-                        type: string
-                    required:
-                    - key
-                    type: object
-                  authSecret:
-                    description: The secret contains the SMTP secret for CRAM-MD5 authentication.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be a valid secret key.
-                        type: string
-                      name:
-                        description: Name of the secret.
-                        type: string
-                      namespace:
-                        description: The namespace of the secret, default to the pod's namespace.
-                        type: string
-                    required:
-                    - key
-                    type: object
-                  authUsername:
-                    description: The username for CRAM-MD5, LOGIN and PLAIN authentications.
-                    type: string
-                  from:
-                    description: The sender address.
-                    type: string
-                  hello:
-                    description: The hostname to use when identifying to the SMTP server.
-                    type: string
-                  labels:
-                    additionalProperties:
-                      type: string
-                    type: object
-                  requireTLS:
-                    description: The default SMTP TLS requirement.
-                    type: boolean
-                  smartHost:
-                    description: The address of the SMTP server.
-                    properties:
-                      host:
-                        type: string
-                      port:
-                        type: integer
-                    required:
-                    - host
-                    - port
-                    type: object
-                  tls:
-                    description: TLSConfig configures the options for TLS connections.
-                    properties:
-                      clientCertificate:
-                        description: The certificate of the client.
-                        properties:
-                          cert:
-                            description: The client cert file for the targets.
-                            properties:
-                              key:
-                                description: The key of the secret to select from.  Must be a valid secret key.
-                                type: string
-                              name:
-                                description: Name of the secret.
-                                type: string
-                              namespace:
-                                description: The namespace of the secret, default to the pod's namespace.
-                                type: string
-                            required:
-                            - key
-                            type: object
-                          key:
-                            description: The client key file for the targets.
-                            properties:
-                              key:
-                                description: The key of the secret to select from.  Must be a valid secret key.
-                                type: string
-                              name:
-                                description: Name of the secret.
-                                type: string
-                              namespace:
-                                description: The namespace of the secret, default to the pod's namespace.
-                                type: string
-                            required:
-                            - key
-                            type: object
-                        type: object
-                      insecureSkipVerify:
-                        description: Disable target certificate validation.
-                        type: boolean
-                      rootCA:
-                        description: RootCA defines the root certificate authorities that clients use when verifying server certificates.
-                        properties:
-                          key:
-                            description: The key of the secret to select from.  Must be a valid secret key.
-                            type: string
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: The namespace of the secret, default to the pod's namespace.
-                            type: string
-                        required:
-                        - key
-                        type: object
-                      serverName:
-                        description: Used to verify the hostname for the targets.
-                        type: string
-                    type: object
-                required:
-                - from
-                - smartHost
-                type: object
-              slack:
-                properties:
-                  labels:
-                    additionalProperties:
-                      type: string
-                    type: object
-                  slackTokenSecret:
-                    description: The token of user or bot.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be a valid secret key.
-                        type: string
-                      name:
-                        description: Name of the secret.
-                        type: string
-                      namespace:
-                        description: The namespace of the secret, default to the pod's namespace.
-                        type: string
-                    required:
-                    - key
-                    type: object
-                type: object
-              webhook:
-                properties:
-                  labels:
-                    additionalProperties:
-                      type: string
-                    type: object
-                type: object
-              wechat:
-                properties:
-                  labels:
-                    additionalProperties:
-                      type: string
-                    type: object
-                  wechatApiAgentId:
-                    description: The id of the application which sending message.
-                    type: string
-                  wechatApiCorpId:
-                    description: The corp id for authentication.
-                    type: string
-                  wechatApiSecret:
-                    description: The API key to use when talking to the WeChat API.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be a valid secret key.
-                        type: string
-                      name:
-                        description: Name of the secret.
-                        type: string
-                      namespace:
-                        description: The namespace of the secret, default to the pod's namespace.
-                        type: string
-                    required:
-                    - key
-                    type: object
-                  wechatApiUrl:
-                    description: The WeChat API URL.
-                    type: string
-                required:
-                - wechatApiAgentId
-                - wechatApiCorpId
-                - wechatApiSecret
-                type: object
-            type: object
-          status:
-            description: ConfigStatus defines the observed state of Config
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/notification.kubesphere.io_receivers.yaml
+++ b/config/crds/notification.kubesphere.io_receivers.yaml
@@ -1,590 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: receivers.notification.kubesphere.io
-spec:
-  group: notification.kubesphere.io
-  names:
-    categories:
-    - notification-manager
-    kind: Receiver
-    listKind: ReceiverList
-    plural: receivers
-    shortNames:
-    - nr
-    singular: receiver
-  scope: Cluster
-  versions:
-  - name: v2beta1
-    schema:
-      openAPIV3Schema:
-        description: Receiver is the Schema for the receivers API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ReceiverSpec defines the desired state of Receiver
-            properties:
-              dingtalk:
-                properties:
-                  alertSelector:
-                    description: Selector to filter alerts.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  chatbot:
-                    description: Be careful, a ChatBot only can send 20 message per minute.
-                    properties:
-                      keywords:
-                        description: Custom keywords of ChatBot
-                        items:
-                          type: string
-                        type: array
-                      secret:
-                        description: Secret of ChatBot, you can get it after enabled Additional Signature of ChatBot.
-                        properties:
-                          key:
-                            description: The key of the secret to select from.  Must be a valid secret key.
-                            type: string
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: The namespace of the secret, default to the pod's namespace.
-                            type: string
-                        required:
-                        - key
-                        type: object
-                      webhook:
-                        description: The webhook of ChatBot which the message will send to.
-                        properties:
-                          key:
-                            description: The key of the secret to select from.  Must be a valid secret key.
-                            type: string
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: The namespace of the secret, default to the pod's namespace.
-                            type: string
-                        required:
-                        - key
-                        type: object
-                    required:
-                    - webhook
-                    type: object
-                  conversation:
-                    description: The conversation which message will send to.
-                    properties:
-                      chatids:
-                        items:
-                          type: string
-                        type: array
-                    required:
-                    - chatids
-                    type: object
-                  dingtalkConfigSelector:
-                    description: DingTalkConfig to be selected for this receiver
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  enabled:
-                    description: whether the receiver is enabled
-                    type: boolean
-                type: object
-              email:
-                properties:
-                  alertSelector:
-                    description: Selector to filter alerts.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  emailConfigSelector:
-                    description: EmailConfig to be selected for this receiver
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  enabled:
-                    description: whether the receiver is enabled
-                    type: boolean
-                  to:
-                    description: Receivers' email addresses
-                    items:
-                      type: string
-                    type: array
-                required:
-                - to
-                type: object
-              slack:
-                properties:
-                  alertSelector:
-                    description: Selector to filter alerts.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  channels:
-                    description: The channel or user to send notifications to.
-                    items:
-                      type: string
-                    type: array
-                  enabled:
-                    description: whether the receiver is enabled
-                    type: boolean
-                  slackConfigSelector:
-                    description: SlackConfig to be selected for this receiver
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                required:
-                - channels
-                type: object
-              webhook:
-                properties:
-                  alertSelector:
-                    description: Selector to filter alerts.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  enabled:
-                    description: whether the receiver is enabled
-                    type: boolean
-                  httpConfig:
-                    description: HTTPClientConfig configures an HTTP client.
-                    properties:
-                      basicAuth:
-                        description: The HTTP basic authentication credentials for the targets.
-                        properties:
-                          password:
-                            description: SecretKeySelector selects a key of a Secret.
-                            properties:
-                              key:
-                                description: The key of the secret to select from.  Must be a valid secret key.
-                                type: string
-                              name:
-                                description: Name of the secret.
-                                type: string
-                              namespace:
-                                description: The namespace of the secret, default to the pod's namespace.
-                                type: string
-                            required:
-                            - key
-                            type: object
-                          username:
-                            type: string
-                        required:
-                        - username
-                        type: object
-                      bearerToken:
-                        description: The bearer token for the targets.
-                        properties:
-                          key:
-                            description: The key of the secret to select from.  Must be a valid secret key.
-                            type: string
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: The namespace of the secret, default to the pod's namespace.
-                            type: string
-                        required:
-                        - key
-                        type: object
-                      proxyUrl:
-                        description: HTTP proxy server to use to connect to the targets.
-                        type: string
-                      tlsConfig:
-                        description: TLSConfig to use to connect to the targets.
-                        properties:
-                          clientCertificate:
-                            description: The certificate of the client.
-                            properties:
-                              cert:
-                                description: The client cert file for the targets.
-                                properties:
-                                  key:
-                                    description: The key of the secret to select from.  Must be a valid secret key.
-                                    type: string
-                                  name:
-                                    description: Name of the secret.
-                                    type: string
-                                  namespace:
-                                    description: The namespace of the secret, default to the pod's namespace.
-                                    type: string
-                                required:
-                                - key
-                                type: object
-                              key:
-                                description: The client key file for the targets.
-                                properties:
-                                  key:
-                                    description: The key of the secret to select from.  Must be a valid secret key.
-                                    type: string
-                                  name:
-                                    description: Name of the secret.
-                                    type: string
-                                  namespace:
-                                    description: The namespace of the secret, default to the pod's namespace.
-                                    type: string
-                                required:
-                                - key
-                                type: object
-                            type: object
-                          insecureSkipVerify:
-                            description: Disable target certificate validation.
-                            type: boolean
-                          rootCA:
-                            description: RootCA defines the root certificate authorities that clients use when verifying server certificates.
-                            properties:
-                              key:
-                                description: The key of the secret to select from.  Must be a valid secret key.
-                                type: string
-                              name:
-                                description: Name of the secret.
-                                type: string
-                              namespace:
-                                description: The namespace of the secret, default to the pod's namespace.
-                                type: string
-                            required:
-                            - key
-                            type: object
-                          serverName:
-                            description: Used to verify the hostname for the targets.
-                            type: string
-                        type: object
-                    type: object
-                  service:
-                    description: "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified. \n If the webhook is running within the cluster, then you should use `service`."
-                    properties:
-                      name:
-                        description: '`name` is the name of the service. Required'
-                        type: string
-                      namespace:
-                        description: '`namespace` is the namespace of the service. Required'
-                        type: string
-                      path:
-                        description: '`path` is an optional URL path which will be sent in any request to this service.'
-                        type: string
-                      port:
-                        description: If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
-                        format: int32
-                        type: integer
-                      scheme:
-                        description: Http scheme, default is http.
-                        type: string
-                    required:
-                    - name
-                    - namespace
-                    type: object
-                  url:
-                    description: "`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. \n The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some api servers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address. \n Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. \n A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. \n Attempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either."
-                    type: string
-                  webhookConfigSelector:
-                    description: WebhookConfig to be selected for this receiver
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                type: object
-              wechat:
-                properties:
-                  alertSelector:
-                    description: Selector to filter alerts.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  enabled:
-                    description: whether the receiver is enabled
-                    type: boolean
-                  toParty:
-                    items:
-                      type: string
-                    type: array
-                  toTag:
-                    items:
-                      type: string
-                    type: array
-                  toUser:
-                    items:
-                      type: string
-                    type: array
-                  wechatConfigSelector:
-                    description: WechatConfig to be selected for this receiver
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                type: object
-            type: object
-          status:
-            description: ReceiverStatus defines the observed state of Receiver
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/quota.kubesphere.io_resourcequotas.yaml
+++ b/config/crds/quota.kubesphere.io_resourcequotas.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -17,151 +17,172 @@ spec:
    plural: resourcequotas
    singular: resourcequota
  scope: Cluster
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: WorkspaceResourceQuota sets aggregate quota restrictions enforced
-        per workspace
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
-          type: object
-        spec:
-          description: Spec defines the desired quota
-          properties:
-            quota:
-              description: Quota defines the desired quota
-              properties:
-                hard:
-                  additionalProperties:
-                    type: string
-                  description: 'hard is the set of desired hard limits for each named
-                    resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
-                  type: object
-                scopeSelector:
-                  description: scopeSelector is also a collection of filters like
-                    scopes that must match each object tracked by a quota but expressed
-                    using ScopeSelectorOperator in combination with possible values.
-                    For a resource to match, both scopes AND scopeSelector (if specified
-                    in spec), must be matched.
-                  properties:
-                    matchExpressions:
-                      description: A list of scope selector requirements by scope
-                        of the resources.
-                      items:
-                        description: A scoped-resource selector requirement is a selector
-                          that contains values, a scope name, and an operator that
-                          relates the scope name and values.
-                        properties:
-                          operator:
-                            description: Represents a scope's relationship to a set
-                              of values. Valid operators are In, NotIn, Exists, DoesNotExist.
-                            type: string
-                          scopeName:
-                            description: The name of the scope that the selector applies
-                              to.
-                            type: string
-                          values:
-                            description: An array of string values. If the operator
-                              is In or NotIn, the values array must be non-empty.
-                              If the operator is Exists or DoesNotExist, the values
-                              array must be empty. This array is replaced during a
-                              strategic merge patch.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - operator
-                        - scopeName
-                        type: object
-                      type: array
-                  type: object
-                scopes:
-                  description: A collection of filters that must match each object
-                    tracked by a quota. If not specified, the quota matches all objects.
-                  items:
-                    description: A ResourceQuotaScope defines a filter that must match
-                      each object tracked by a quota
-                    type: string
-                  type: array
-              type: object
-            selector:
-              additionalProperties:
-                type: string
-              description: LabelSelector is used to select projects by label.
-              type: object
-          required:
-          - quota
-          - selector
-          type: object
-        status:
-          description: Status defines the actual enforced quota and its current usage
-          properties:
-            namespaces:
-              description: Namespaces slices the usage by project.
-              items:
-                description: ResourceQuotaStatusByNamespace gives status for a particular
-                  project
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: WorkspaceResourceQuota sets aggregate quota restrictions enforced
+          per workspace
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired quota
+            properties:
+              quota:
+                description: Quota defines the desired quota
                properties:
                  hard:
                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: 'hard is the set of desired hard limits for each
+                      named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
+                    type: object
+                  scopeSelector:
+                    description: scopeSelector is also a collection of filters like
+                      scopes that must match each object tracked by a quota but expressed
+                      using ScopeSelectorOperator in combination with possible values.
+                      For a resource to match, both scopes AND scopeSelector (if specified
+                      in spec), must be matched.
+                    properties:
+                      matchExpressions:
+                        description: A list of scope selector requirements by scope
+                          of the resources.
+                        items:
+                          description: A scoped-resource selector requirement is a
+                            selector that contains values, a scope name, and an operator
+                            that relates the scope name and values.
+                          properties:
+                            operator:
+                              description: Represents a scope's relationship to a
+                                set of values. Valid operators are In, NotIn, Exists,
+                                DoesNotExist.
+                              type: string
+                            scopeName:
+                              description: The name of the scope that the selector
+                                applies to.
+                              type: string
+                            values:
+                              description: An array of string values. If the operator
+                                is In or NotIn, the values array must be non-empty.
+                                If the operator is Exists or DoesNotExist, the values
+                                array must be empty. This array is replaced during
+                                a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - operator
+                          - scopeName
+                          type: object
+                        type: array
+                    type: object
+                  scopes:
+                    description: A collection of filters that must match each object
+                      tracked by a quota. If not specified, the quota matches all
+                      objects.
+                    items:
+                      description: A ResourceQuotaScope defines a filter that must
+                        match each object tracked by a quota
                      type: string
+                    type: array
+                type: object
+              selector:
+                additionalProperties:
+                  type: string
+                description: LabelSelector is used to select projects by label.
+                type: object
+            required:
+            - quota
+            - selector
+            type: object
+          status:
+            description: Status defines the actual enforced quota and its current
+              usage
+            properties:
+              namespaces:
+                description: Namespaces slices the usage by project.
+                items:
+                  description: ResourceQuotaStatusByNamespace gives status for a particular
+                    project
+                  properties:
+                    hard:
+                      additionalProperties:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                        x-kubernetes-int-or-string: true
+                      description: 'Hard is the set of enforced hard limits for each
+                        named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
+                      type: object
+                    namespace:
+                      description: Namespace the project this status applies to
+                      type: string
+                    used:
+                      additionalProperties:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                        x-kubernetes-int-or-string: true
+                      description: Used is the current observed total usage of the
+                        resource in the namespace.
+                      type: object
+                  required:
+                  - namespace
+                  type: object
+                type: array
+              total:
+                description: Total defines the actual enforced quota and its current
+                  usage across all projects
+                properties:
+                  hard:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
                    description: 'Hard is the set of enforced hard limits for each
                      named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
                    type: object
-                  namespace:
-                    description: Namespace the project this status applies to
-                    type: string
                  used:
                    additionalProperties:
-                      type: string
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
                    description: Used is the current observed total usage of the resource
                      in the namespace.
                    type: object
-                required:
-                - namespace
                type: object
-              type: array
-            total:
-              description: Total defines the actual enforced quota and its current
-                usage across all projects
-              properties:
-                hard:
-                  additionalProperties:
-                    type: string
-                  description: 'Hard is the set of enforced hard limits for each named
-                    resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
-                  type: object
-                used:
-                  additionalProperties:
-                    type: string
-                  description: Used is the current observed total usage of the resource
-                    in the namespace.
-                  type: object
-              type: object
-          required:
-          - namespaces
-          - total
-          type: object
-      required:
-      - spec
-      type: object
-  version: v1alpha2
-  versions:
-  - name: v1alpha2
+            required:
+            - namespaces
+            - total
+            type: object
+        required:
+        - spec
+        type: object
    served: true
    storage: true
+    subresources:
+      status: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/servicemesh.kubesphere.io_servicepolicies.yaml
+++ b/config/crds/servicemesh.kubesphere.io_servicepolicies.yaml
--- a/config/crds/servicemesh.kubesphere.io_strategies.yaml
+++ b/config/crds/servicemesh.kubesphere.io_strategies.yaml
--- a/config/crds/snapshot.storage.k8s.io_volumesnapshot.yaml
+++ b/config/crds/snapshot.storage.k8s.io_volumesnapshot.yaml
@@ -1,503 +0,0 @@
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
-    api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/260"
-  creationTimestamp: null
-  name: volumesnapshotclasses.snapshot.storage.k8s.io
-spec:
-  additionalPrinterColumns:
-    - JSONPath: .driver
-      name: Driver
-      type: string
-    - JSONPath: .deletionPolicy
-      description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass
-        should be deleted when its bound VolumeSnapshot is deleted.
-      name: DeletionPolicy
-      type: string
-    - JSONPath: .metadata.creationTimestamp
-      name: Age
-      type: date
-  group: snapshot.storage.k8s.io
-  names:
-    kind: VolumeSnapshotClass
-    listKind: VolumeSnapshotClassList
-    plural: volumesnapshotclasses
-    singular: volumesnapshotclass
-  preserveUnknownFields: false
-  scope: Cluster
-  subresources: {}
-  validation:
-    openAPIV3Schema:
-      description: VolumeSnapshotClass specifies parameters that a underlying storage
-        system uses when creating a volume snapshot. A specific VolumeSnapshotClass
-        is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses
-        are non-namespaced
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        deletionPolicy:
-          description: deletionPolicy determines whether a VolumeSnapshotContent created
-            through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot
-            is deleted. Supported values are "Retain" and "Delete". "Retain" means
-            that the VolumeSnapshotContent and its physical snapshot on underlying
-            storage system are kept. "Delete" means that the VolumeSnapshotContent
-            and its physical snapshot on underlying storage system are deleted. Required.
-          enum:
-            - Delete
-            - Retain
-          type: string
-        driver:
-          description: driver is the name of the storage driver that handles this
-            VolumeSnapshotClass. Required.
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        parameters:
-          additionalProperties:
-            type: string
-          description: parameters is a key-value map with storage driver specific
-            parameters for creating snapshots. These values are opaque to Kubernetes.
-          type: object
-      required:
-        - deletionPolicy
-        - driver
-      type: object
-  version: v1beta1
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
-    api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/260"
-  creationTimestamp: null
-  name: volumesnapshotcontents.snapshot.storage.k8s.io
-spec:
-  additionalPrinterColumns:
-    - JSONPath: .status.readyToUse
-      description: Indicates if a snapshot is ready to be used to restore a volume.
-      name: ReadyToUse
-      type: boolean
-    - JSONPath: .status.restoreSize
-      description: Represents the complete size of the snapshot in bytes
-      name: RestoreSize
-      type: integer
-    - JSONPath: .spec.deletionPolicy
-      description: Determines whether this VolumeSnapshotContent and its physical snapshot
-        on the underlying storage system should be deleted when its bound VolumeSnapshot
-        is deleted.
-      name: DeletionPolicy
-      type: string
-    - JSONPath: .spec.driver
-      description: Name of the CSI driver used to create the physical snapshot on the
-        underlying storage system.
-      name: Driver
-      type: string
-    - JSONPath: .spec.volumeSnapshotClassName
-      description: Name of the VolumeSnapshotClass to which this snapshot belongs.
-      name: VolumeSnapshotClass
-      type: string
-    - JSONPath: .spec.volumeSnapshotRef.name
-      description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent
-        object is bound.
-      name: VolumeSnapshot
-      type: string
-    - JSONPath: .metadata.creationTimestamp
-      name: Age
-      type: date
-  group: snapshot.storage.k8s.io
-  names:
-    kind: VolumeSnapshotContent
-    listKind: VolumeSnapshotContentList
-    plural: volumesnapshotcontents
-    singular: volumesnapshotcontent
-  preserveUnknownFields: false
-  scope: Cluster
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: VolumeSnapshotContent represents the actual "on-disk" snapshot
-        object in the underlying storage system
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        spec:
-          description: spec defines properties of a VolumeSnapshotContent created
-            by the underlying storage system. Required.
-          properties:
-            deletionPolicy:
-              description: deletionPolicy determines whether this VolumeSnapshotContent
-                and its physical snapshot on the underlying storage system should
-                be deleted when its bound VolumeSnapshot is deleted. Supported values
-                are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent
-                and its physical snapshot on underlying storage system are kept. "Delete"
-                means that the VolumeSnapshotContent and its physical snapshot on
-                underlying storage system are deleted. In dynamic snapshot creation
-                case, this field will be filled in with the "DeletionPolicy" field
-                defined in the VolumeSnapshotClass the VolumeSnapshot refers to. For
-                pre-existing snapshots, users MUST specify this field when creating
-                the VolumeSnapshotContent object. Required.
-              enum:
-                - Delete
-                - Retain
-              type: string
-            driver:
-              description: driver is the name of the CSI driver used to create the
-                physical snapshot on the underlying storage system. This MUST be the
-                same as the name returned by the CSI GetPluginName() call for that
-                driver. Required.
-              type: string
-            source:
-              description: source specifies from where a snapshot will be created.
-                This field is immutable after creation. Required.
-              properties:
-                snapshotHandle:
-                  description: snapshotHandle specifies the CSI "snapshot_id" of a
-                    pre-existing snapshot on the underlying storage system. This field
-                    is immutable.
-                  type: string
-                volumeHandle:
-                  description: volumeHandle specifies the CSI "volume_id" of the volume
-                    from which a snapshot should be dynamically taken from. This field
-                    is immutable.
-                  type: string
-              type: object
-            volumeSnapshotClassName:
-              description: name of the VolumeSnapshotClass to which this snapshot
-                belongs.
-              type: string
-            volumeSnapshotRef:
-              description: volumeSnapshotRef specifies the VolumeSnapshot object to
-                which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName
-                field must reference to this VolumeSnapshotContent's name for the
-                bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent
-                object, name and namespace of the VolumeSnapshot object MUST be provided
-                for binding to happen. This field is immutable after creation. Required.
-              properties:
-                apiVersion:
-                  description: API version of the referent.
-                  type: string
-                fieldPath:
-                  description: 'If referring to a piece of an object instead of an
-                    entire object, this string should contain a valid JSON/Go field
-                    access statement, such as desiredState.manifest.containers[2].
-                    For example, if the object reference is to a container within
-                    a pod, this would take on a value like: "spec.containers{name}"
-                    (where "name" refers to the name of the container that triggered
-                    the event) or if no container name is specified "spec.containers[2]"
-                    (container with index 2 in this pod). This syntax is chosen only
-                    to have some well-defined way of referencing a part of an object.
-                    TODO: this design is not final and this field is subject to change
-                    in the future.'
-                  type: string
-                kind:
-                  description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                  type: string
-                name:
-                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                  type: string
-                namespace:
-                  description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                  type: string
-                resourceVersion:
-                  description: 'Specific resourceVersion to which this reference is
-                    made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                  type: string
-                uid:
-                  description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                  type: string
-              type: object
-          required:
-            - deletionPolicy
-            - driver
-            - source
-            - volumeSnapshotRef
-          type: object
-        status:
-          description: status represents the current information of a snapshot.
-          properties:
-            creationTime:
-              description: creationTime is the timestamp when the point-in-time snapshot
-                is taken by the underlying storage system. In dynamic snapshot creation
-                case, this field will be filled in with the "creation_time" value
-                returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing
-                snapshot, this field will be filled with the "creation_time" value
-                returned from the CSI "ListSnapshots" gRPC call if the driver supports
-                it. If not specified, it indicates the creation time is unknown. The
-                format of this field is a Unix nanoseconds time encoded as an int64.
-                On Unix, the command `date +%s%N` returns the current time in nanoseconds
-                since 1970-01-01 00:00:00 UTC.
-              format: int64
-              type: integer
-            error:
-              description: error is the latest observed error during snapshot creation,
-                if any.
-              properties:
-                message:
-                  description: 'message is a string detailing the encountered error
-                    during snapshot creation if specified. NOTE: message may be logged,
-                    and it should not contain sensitive information.'
-                  type: string
-                time:
-                  description: time is the timestamp when the error was encountered.
-                  format: date-time
-                  type: string
-              type: object
-            readyToUse:
-              description: readyToUse indicates if a snapshot is ready to be used
-                to restore a volume. In dynamic snapshot creation case, this field
-                will be filled in with the "ready_to_use" value returned from CSI
-                "CreateSnapshotRequest" gRPC call. For a pre-existing snapshot, this
-                field will be filled with the "ready_to_use" value returned from the
-                CSI "ListSnapshots" gRPC call if the driver supports it, otherwise,
-                this field will be set to "True". If not specified, it means the readiness
-                of a snapshot is unknown.
-              type: boolean
-            restoreSize:
-              description: restoreSize represents the complete size of the snapshot
-                in bytes. In dynamic snapshot creation case, this field will be filled
-                in with the "size_bytes" value returned from CSI "CreateSnapshotRequest"
-                gRPC call. For a pre-existing snapshot, this field will be filled
-                with the "size_bytes" value returned from the CSI "ListSnapshots"
-                gRPC call if the driver supports it. When restoring a volume from
-                this snapshot, the size of the volume MUST NOT be smaller than the
-                restoreSize if it is specified, otherwise the restoration will fail.
-                If not specified, it indicates that the size is unknown.
-              format: int64
-              minimum: 0
-              type: integer
-            snapshotHandle:
-              description: snapshotHandle is the CSI "snapshot_id" of a snapshot on
-                the underlying storage system. If not specified, it indicates that
-                dynamic snapshot creation has either failed or it is still in progress.
-              type: string
-          type: object
-      required:
-        - spec
-      type: object
-  version: v1beta1
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
-    api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/260"
-  creationTimestamp: null
-  name: volumesnapshots.snapshot.storage.k8s.io
-spec:
-  additionalPrinterColumns:
-    - JSONPath: .status.readyToUse
-      description: Indicates if a snapshot is ready to be used to restore a volume.
-      name: ReadyToUse
-      type: boolean
-    - JSONPath: .spec.source.persistentVolumeClaimName
-      description: Name of the source PVC from where a dynamically taken snapshot will
-        be created.
-      name: SourcePVC
-      type: string
-    - JSONPath: .spec.source.volumeSnapshotContentName
-      description: Name of the VolumeSnapshotContent which represents a pre-provisioned
-        snapshot.
-      name: SourceSnapshotContent
-      type: string
-    - JSONPath: .status.restoreSize
-      description: Represents the complete size of the snapshot.
-      name: RestoreSize
-      type: string
-    - JSONPath: .spec.volumeSnapshotClassName
-      description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot.
-      name: SnapshotClass
-      type: string
-    - JSONPath: .status.boundVolumeSnapshotContentName
-      description: The name of the VolumeSnapshotContent to which this VolumeSnapshot
-        is bound.
-      name: SnapshotContent
-      type: string
-    - JSONPath: .status.creationTime
-      description: Timestamp when the point-in-time snapshot is taken by the underlying
-        storage system.
-      name: CreationTime
-      type: date
-    - JSONPath: .metadata.creationTimestamp
-      name: Age
-      type: date
-  group: snapshot.storage.k8s.io
-  names:
-    kind: VolumeSnapshot
-    listKind: VolumeSnapshotList
-    plural: volumesnapshots
-    singular: volumesnapshot
-  preserveUnknownFields: false
-  scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: VolumeSnapshot is a user's request for either creating a point-in-time
-        snapshot of a persistent volume, or binding to a pre-existing snapshot.
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        spec:
-          description: 'spec defines the desired characteristics of a snapshot requested
-            by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots
-            Required.'
-          properties:
-            source:
-              description: source specifies where a snapshot will be created from.
-                This field is immutable after creation. Required.
-              properties:
-                persistentVolumeClaimName:
-                  description: persistentVolumeClaimName specifies the name of the
-                    PersistentVolumeClaim object in the same namespace as the VolumeSnapshot
-                    object where the snapshot should be dynamically taken from. This
-                    field is immutable.
-                  type: string
-                volumeSnapshotContentName:
-                  description: volumeSnapshotContentName specifies the name of a pre-existing
-                    VolumeSnapshotContent object. This field is immutable.
-                  type: string
-              type: object
-            volumeSnapshotClassName:
-              description: 'volumeSnapshotClassName is the name of the VolumeSnapshotClass
-                requested by the VolumeSnapshot. If not specified, the default snapshot
-                class will be used if one exists. If not specified, and there is no
-                default snapshot class, dynamic snapshot creation will fail. Empty
-                string is not allowed for this field. TODO(xiangqian): a webhook validation
-                on empty string. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshot-classes'
-              type: string
-          required:
-            - source
-          type: object
-        status:
-          description: 'status represents the current information of a snapshot. NOTE:
-            status can be modified by sources other than system controllers, and must
-            not be depended upon for accuracy. Controllers should only use information
-            from the VolumeSnapshotContent object after verifying that the binding
-            is accurate and complete.'
-          properties:
-            boundVolumeSnapshotContentName:
-              description: 'boundVolumeSnapshotContentName represents the name of
-                the VolumeSnapshotContent object to which the VolumeSnapshot object
-                is bound. If not specified, it indicates that the VolumeSnapshot object
-                has not been successfully bound to a VolumeSnapshotContent object
-                yet. NOTE: Specified boundVolumeSnapshotContentName alone does not
-                mean binding       is valid. Controllers MUST always verify bidirectional
-                binding between       VolumeSnapshot and VolumeSnapshotContent to
-                avoid possible security issues.'
-              type: string
-            creationTime:
-              description: creationTime is the timestamp when the point-in-time snapshot
-                is taken by the underlying storage system. In dynamic snapshot creation
-                case, this field will be filled in with the "creation_time" value
-                returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing
-                snapshot, this field will be filled with the "creation_time" value
-                returned from the CSI "ListSnapshots" gRPC call if the driver supports
-                it. If not specified, it indicates that the creation time of the snapshot
-                is unknown.
-              format: date-time
-              type: string
-            error:
-              description: error is the last observed error during snapshot creation,
-                if any. This field could be helpful to upper level controllers(i.e.,
-                application controller) to decide whether they should continue on
-                waiting for the snapshot to be created based on the type of error
-                reported.
-              properties:
-                message:
-                  description: 'message is a string detailing the encountered error
-                    during snapshot creation if specified. NOTE: message may be logged,
-                    and it should not contain sensitive information.'
-                  type: string
-                time:
-                  description: time is the timestamp when the error was encountered.
-                  format: date-time
-                  type: string
-              type: object
-            readyToUse:
-              description: readyToUse indicates if a snapshot is ready to be used
-                to restore a volume. In dynamic snapshot creation case, this field
-                will be filled in with the "ready_to_use" value returned from CSI
-                "CreateSnapshotRequest" gRPC call. For a pre-existing snapshot, this
-                field will be filled with the "ready_to_use" value returned from the
-                CSI "ListSnapshots" gRPC call if the driver supports it, otherwise,
-                this field will be set to "True". If not specified, it means the readiness
-                of a snapshot is unknown.
-              type: boolean
-            restoreSize:
-              anyOf:
-                - type: integer
-                - type: string
-              description: restoreSize represents the complete size of the snapshot
-                in bytes. In dynamic snapshot creation case, this field will be filled
-                in with the "size_bytes" value returned from CSI "CreateSnapshotRequest"
-                gRPC call. For a pre-existing snapshot, this field will be filled
-                with the "size_bytes" value returned from the CSI "ListSnapshots"
-                gRPC call if the driver supports it. When restoring a volume from
-                this snapshot, the size of the volume MUST NOT be smaller than the
-                restoreSize if it is specified, otherwise the restoration will fail.
-                If not specified, it indicates that the size is unknown.
-              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
-              x-kubernetes-int-or-string: true
-          type: object
-      required:
-        - spec
-      type: object
-  version: v1beta1
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/storage.kubesphere.io_provisionercapabilities.yaml
+++ b/config/crds/storage.kubesphere.io_provisionercapabilities.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -14,94 +14,104 @@ spec:
    listKind: ProvisionerCapabilityList
    plural: provisionercapabilities
    singular: provisionercapability
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      description: ProvisionerCapability is the schema for the provisionercapability
-        API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: ProvisionerCapabilitySpec defines the desired state of ProvisionerCapability
-          properties:
-            features:
-              description: CapabilityFeatures describe storage features
-              properties:
-                snapshot:
-                  description: SnapshotFeature describe snapshot features
-                  properties:
-                    create:
-                      type: boolean
-                    list:
-                      type: boolean
-                  required:
-                  - create
-                  - list
-                  type: object
-                topology:
-                  type: boolean
-                volume:
-                  description: VolumeFeature describe volume features
-                  properties:
-                    attach:
-                      type: boolean
-                    clone:
-                      type: boolean
-                    create:
-                      type: boolean
-                    expandMode:
-                      type: string
-                    list:
-                      type: boolean
-                    stats:
-                      type: boolean
-                  required:
-                  - attach
-                  - clone
-                  - create
-                  - expandMode
-                  - list
-                  - stats
-                  type: object
-              required:
-              - snapshot
-              - topology
-              - volume
-              type: object
-            pluginInfo:
-              description: PluginInfo describes plugin info
-              properties:
-                name:
-                  type: string
-                version:
-                  type: string
-              required:
-              - name
-              - version
-              type: object
-          required:
-          - features
-          - pluginInfo
-          type: object
-      required:
-      - spec
-      type: object
-  version: v1alpha1
+  scope: Cluster
  versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.pluginInfo.name
+      name: Provisioner
+      type: string
+    - jsonPath: .spec.features.volume.expandMode
+      name: Expand
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ProvisionerCapability is the schema for the provisionercapability
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ProvisionerCapabilitySpec defines the desired state of ProvisionerCapability
+            properties:
+              features:
+                description: CapabilityFeatures describe storage features
+                properties:
+                  snapshot:
+                    description: SnapshotFeature describe snapshot features
+                    properties:
+                      create:
+                        type: boolean
+                      list:
+                        type: boolean
+                    required:
+                    - create
+                    - list
+                    type: object
+                  topology:
+                    type: boolean
+                  volume:
+                    description: VolumeFeature describe volume features
+                    properties:
+                      attach:
+                        type: boolean
+                      clone:
+                        type: boolean
+                      create:
+                        type: boolean
+                      expandMode:
+                        type: string
+                      list:
+                        type: boolean
+                      stats:
+                        type: boolean
+                    required:
+                    - attach
+                    - clone
+                    - create
+                    - expandMode
+                    - list
+                    - stats
+                    type: object
+                required:
+                - snapshot
+                - topology
+                - volume
+                type: object
+              pluginInfo:
+                description: PluginInfo describes plugin info
+                properties:
+                  name:
+                    type: string
+                  version:
+                    type: string
+                required:
+                - name
+                - version
+                type: object
+            required:
+            - features
+            - pluginInfo
+            type: object
+        required:
+        - spec
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/storage.kubesphere.io_storageclasscapabilities.yaml
+++ b/config/crds/storage.kubesphere.io_storageclasscapabilities.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -14,85 +14,104 @@ spec:
    listKind: StorageClassCapabilityList
    plural: storageclasscapabilities
    singular: storageclasscapability
-  scope: Namespaced
-  validation:
-    openAPIV3Schema:
-      description: StorageClassCapability is the Schema for the storage class capability
-        API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: StorageClassCapabilitySpec defines the desired state of StorageClassCapability
-          properties:
-            features:
-              description: CapabilityFeatures describe storage features
-              properties:
-                snapshot:
-                  description: SnapshotFeature describe snapshot features
-                  properties:
-                    create:
-                      type: boolean
-                    list:
-                      type: boolean
-                  required:
-                  - create
-                  - list
-                  type: object
-                topology:
-                  type: boolean
-                volume:
-                  description: VolumeFeature describe volume features
-                  properties:
-                    attach:
-                      type: boolean
-                    clone:
-                      type: boolean
-                    create:
-                      type: boolean
-                    expandMode:
-                      type: string
-                    list:
-                      type: boolean
-                    stats:
-                      type: boolean
-                  required:
-                  - attach
-                  - clone
-                  - create
-                  - expandMode
-                  - list
-                  - stats
-                  type: object
-              required:
-              - snapshot
-              - topology
-              - volume
-              type: object
-            provisioner:
-              type: string
-          required:
-          - features
-          - provisioner
-          type: object
-      required:
-      - spec
-      type: object
-  version: v1alpha1
+  scope: Cluster
  versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.provisioner
+      name: Provisioner
+      type: string
+    - jsonPath: .spec.features.volume.create
+      name: Volume
+      type: boolean
+    - jsonPath: .spec.features.volume.expandMode
+      name: Expand
+      type: string
+    - jsonPath: .spec.features.volume.clone
+      name: Clone
+      type: boolean
+    - jsonPath: .spec.features.snapshot.create
+      name: Snapshot
+      type: boolean
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: StorageClassCapability is the Schema for the storage class capability
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: StorageClassCapabilitySpec defines the desired state of StorageClassCapability
+            properties:
+              features:
+                description: CapabilityFeatures describe storage features
+                properties:
+                  snapshot:
+                    description: SnapshotFeature describe snapshot features
+                    properties:
+                      create:
+                        type: boolean
+                      list:
+                        type: boolean
+                    required:
+                    - create
+                    - list
+                    type: object
+                  topology:
+                    type: boolean
+                  volume:
+                    description: VolumeFeature describe volume features
+                    properties:
+                      attach:
+                        type: boolean
+                      clone:
+                        type: boolean
+                      create:
+                        type: boolean
+                      expandMode:
+                        type: string
+                      list:
+                        type: boolean
+                      stats:
+                        type: boolean
+                    required:
+                    - attach
+                    - clone
+                    - create
+                    - expandMode
+                    - list
+                    - stats
+                    type: object
+                required:
+                - snapshot
+                - topology
+                - volume
+                type: object
+              provisioner:
+                type: string
+            required:
+            - features
+            - provisioner
+            type: object
+        required:
+        - spec
+        type: object
    served: true
    storage: true
+    subresources: {}
 status:
  acceptedNames:
    kind: ""
--- a/config/crds/storage.kubesphere.io_storageclasseraccessor.yaml
+++ b/config/crds/storage.kubesphere.io_storageclasseraccessor.yaml
@@ -0,0 +1,180 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.1
+  creationTimestamp: null
+  name: accessors.storage.kubesphere.io
+spec:
+  group: storage.kubesphere.io
+  names:
+    kind: Accessor
+    listKind: AccessorList
+    plural: accessors
+    singular: accessor
+  scope: Cluster
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .spec.storageClassName
+          name: StorageClass
+          type: string
+        - jsonPath: .metadata.creationTimestamp
+          name: Age
+          type: date
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: Accessor is the Schema for the accessors API
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: AccessorSpec defines the desired state of Accessor
+              properties:
+                namespaceSelector:
+                  properties:
+                    fieldSelector:
+                      items:
+                        properties:
+                          fieldExpressions:
+                            items:
+                              properties:
+                                field:
+                                  enum:
+                                    - Name
+                                    - Status
+                                  type: string
+                                operator:
+                                  enum:
+                                    - In
+                                    - NotIn
+                                  type: string
+                                values:
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                                - field
+                                - operator
+                                - values
+                              type: object
+                            type: array
+                        required:
+                          - fieldExpressions
+                        type: object
+                      type: array
+                    labelSelector:
+                      items:
+                        properties:
+                          matchExpressions:
+                            items:
+                              properties:
+                                key:
+                                  type: string
+                                operator:
+                                  enum:
+                                    - In
+                                    - NotIn
+                                  type: string
+                                values:
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                                - key
+                                - operator
+                                - values
+                              type: object
+                            type: array
+                        required:
+                          - matchExpressions
+                        type: object
+                      type: array
+                  type: object
+                storageClassName:
+                  type: string
+                workspaceSelector:
+                  properties:
+                    fieldSelector:
+                      items:
+                        properties:
+                          fieldExpressions:
+                            items:
+                              properties:
+                                field:
+                                  enum:
+                                    - Name
+                                    - Status
+                                  type: string
+                                operator:
+                                  enum:
+                                    - In
+                                    - NotIn
+                                  type: string
+                                values:
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                                - field
+                                - operator
+                                - values
+                              type: object
+                            type: array
+                        required:
+                          - fieldExpressions
+                        type: object
+                      type: array
+                    labelSelector:
+                      items:
+                        properties:
+                          matchExpressions:
+                            items:
+                              properties:
+                                key:
+                                  type: string
+                                operator:
+                                  enum:
+                                    - In
+                                    - NotIn
+                                  type: string
+                                values:
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                                - key
+                                - operator
+                                - values
+                              type: object
+                            type: array
+                        required:
+                          - matchExpressions
+                        type: object
+                      type: array
+                  type: object
+              required:
+                - storageClassName
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/config/crds/tenant.kubesphere.io_workspaces.yaml
+++ b/config/crds/tenant.kubesphere.io_workspaces.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -17,37 +17,36 @@ spec:
    plural: workspaces
    singular: workspace
  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      description: Workspace is the Schema for the workspaces API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: WorkspaceSpec defines the desired state of Workspace
-          properties:
-            manager:
-              type: string
-            networkIsolation:
-              type: boolean
-          type: object
-        status:
-          description: WorkspaceStatus defines the observed state of Workspace
-          type: object
-      type: object
-  version: v1alpha1
  versions:
  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Workspace is the Schema for the workspaces API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: WorkspaceSpec defines the desired state of Workspace
+            properties:
+              manager:
+                type: string
+              networkIsolation:
+                type: boolean
+            type: object
+          status:
+            description: WorkspaceStatus defines the observed state of Workspace
+            type: object
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/tenant.kubesphere.io_workspacetemplates.yaml
+++ b/config/crds/tenant.kubesphere.io_workspacetemplates.yaml
@@ -1,6 +1,6 @@

 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
@@ -17,90 +17,126 @@ spec:
    plural: workspacetemplates
    singular: workspacetemplate
  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      description: WorkspaceTemplate is the Schema for the workspacetemplates API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            overrides:
-              items:
-                properties:
-                  clusterName:
-                    type: string
-                  clusterOverrides:
-                    items:
-                      properties:
-                        op:
-                          type: string
-                        path:
-                          type: string
-                        value:
-                          type: object
-                      required:
-                      - path
-                      - value
-                      type: object
-                    type: array
-                required:
-                - clusterName
-                - clusterOverrides
-                type: object
-              type: array
-            placement:
-              properties:
-                clusterSelector:
-                  properties:
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      type: object
-                  type: object
-                clusters:
-                  items:
-                    properties:
-                      name:
-                        type: string
-                    required:
-                    - name
-                    type: object
-                  type: array
-              type: object
-            template:
-              properties:
-                metadata:
-                  type: object
-                spec:
-                  description: WorkspaceSpec defines the desired state of Workspace
-                  properties:
-                    manager:
-                      type: string
-                    networkIsolation:
-                      type: boolean
-                  type: object
-              required:
-              - spec
-              type: object
-          required:
-          - placement
-          - template
-          type: object
-      type: object
-  version: v1alpha2
  versions:
  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: WorkspaceTemplate is the Schema for the workspacetemplates API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              overrides:
+                items:
+                  properties:
+                    clusterName:
+                      type: string
+                    clusterOverrides:
+                      items:
+                        properties:
+                          op:
+                            type: string
+                          path:
+                            type: string
+                          value:
+                            type: object
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - path
+                        type: object
+                      type: array
+                  required:
+                  - clusterName
+                  type: object
+                type: array
+              placement:
+                properties:
+                  clusterSelector:
+                    description: A label selector is a label query over a set of resources.
+                      The result of matchLabels and matchExpressions are ANDed. An
+                      empty label selector matches all objects. A null label selector
+                      matches no objects.
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector
+                          requirements. The requirements are ANDed.
+                        items:
+                          description: A label selector requirement is a selector
+                            that contains values, a key, and an operator that relates
+                            the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector
+                                applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship
+                                to a set of values. Valid operators are In, NotIn,
+                                Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If
+                                the operator is In or NotIn, the values array must
+                                be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced
+                                during a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - key
+                          - operator
+                          type: object
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: matchLabels is a map of {key,value} pairs. A
+                          single {key,value} in the matchLabels map is equivalent
+                          to an element of matchExpressions, whose key field is "key",
+                          the operator is "In", and the values array contains only
+                          "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                  clusters:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
+              template:
+                properties:
+                  metadata:
+                    type: object
+                  spec:
+                    description: WorkspaceSpec defines the desired state of Workspace
+                    properties:
+                      manager:
+                        type: string
+                      networkIsolation:
+                        type: boolean
+                    type: object
+                type: object
+            required:
+            - placement
+            - template
+            type: object
+        type: object
    served: true
    storage: true
 status:
--- a/config/crds/types.kubefed.io_federatedgroupbindings.yaml
+++ b/config/crds/types.kubefed.io_federatedgroupbindings.yaml
@@ -1,212 +0,0 @@
---
-apiVersion: core.kubefed.io/v1beta1
-kind: FederatedTypeConfig
-metadata:
-  name: groupbindings.iam.kubesphere.io
-spec:
-  federatedType:
-    group: types.kubefed.io
-    kind: FederatedGroupBinding
-    pluralName: federatedgroupbindings
-    scope: Cluster
-    version: v1beta1
-  propagation: Enabled
-  targetType:
-    group: iam.kubesphere.io
-    kind: GroupBinding
-    pluralName: groupbindings
-    scope: Cluster
-    version: v1alpha2
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: federatedgroupbindings.types.kubefed.io
-spec:
-  group: types.kubefed.io
-  names:
-    kind: FederatedGroupBinding
-    listKind: FederatedGroupBindingList
-    plural: federatedgroupbindings
-    singular: federatedgroupbinding
-  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            overrides:
-              items:
-                properties:
-                  clusterName:
-                    type: string
-                  clusterOverrides:
-                    items:
-                      properties:
-                        op:
-                          type: string
-                        path:
-                          type: string
-                        value:
-                          type: object
-                      required:
-                      - path
-                      type: object
-                    type: array
-                required:
-                - clusterName
-                type: object
-              type: array
-            placement:
-              properties:
-                clusterSelector:
-                  description: A label selector is a label query over a set of resources.
-                    The result of matchLabels and matchExpressions are ANDed. An empty
-                    label selector matches all objects. A null label selector matches
-                    no objects.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements.
-                        The requirements are ANDed.
-                      items:
-                        description: A label selector requirement is a selector that
-                          contains values, a key, and an operator that relates the
-                          key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies
-                              to.
-                            type: string
-                          operator:
-                            description: operator represents a key's relationship
-                              to a set of values. Valid operators are In, NotIn, Exists
-                              and DoesNotExist.
-                            type: string
-                          values:
-                            description: values is an array of string values. If the
-                              operator is In or NotIn, the values array must be non-empty.
-                              If the operator is Exists or DoesNotExist, the values
-                              array must be empty. This array is replaced during a
-                              strategic merge patch.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - key
-                        - operator
-                        type: object
-                      type: array
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: matchLabels is a map of {key,value} pairs. A single
-                        {key,value} in the matchLabels map is equivalent to an element
-                        of matchExpressions, whose key field is "key", the operator
-                        is "In", and the values array contains only "value". The requirements
-                        are ANDed.
-                      type: object
-                  type: object
-                clusters:
-                  items:
-                    properties:
-                      name:
-                        type: string
-                    required:
-                    - name
-                    type: object
-                  type: array
-              type: object
-            template:
-              properties:
-                metadata:
-                  type: object
-                groupRef:
-                  description: GroupRef defines the desired relation of GroupBinding
-                  properties:
-                    apiGroup:
-                      type: string
-                    kind:
-                      type: string
-                    name:
-                      type: string
-                  type: object
-                users:
-                  items:
-                    type: string
-                  type: array
-              type: object
-          required:
-          - placement
-          - template
-          type: object
-        status:
-          properties:
-            clusters:
-              items:
-                properties:
-                  name:
-                    type: string
-                  status:
-                    type: string
-                required:
-                - name
-                type: object
-              type: array
-            conditions:
-              items:
-                properties:
-                  lastTransitionTime:
-                    description: Last time the condition transit from one status to
-                      another.
-                    type: string
-                  lastUpdateTime:
-                    description: Last time reconciliation resulted in an error or
-                      the last time a change was propagated to member clusters.
-                    type: string
-                  reason:
-                    description: (brief) reason for the condition's last transition.
-                    type: string
-                  status:
-                    description: Status of the condition, one of True, False, Unknown.
-                    type: string
-                  type:
-                    description: Type of cluster condition
-                    type: string
-                required:
-                - status
-                - type
-                type: object
-              type: array
-            observedGeneration:
-              format: int64
-              type: integer
-          type: object
-      required:
-      - spec
-      type: object
-  version: v1beta1
-  versions:
-  - name: v1beta1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/types.kubefed.io_federatedgroups.yaml
+++ b/config/crds/types.kubefed.io_federatedgroups.yaml
@@ -1,200 +0,0 @@
---
-apiVersion: core.kubefed.io/v1beta1
-kind: FederatedTypeConfig
-metadata:
-  name: groups.iam.kubesphere.io
-spec:
-  federatedType:
-    group: types.kubefed.io
-    kind: FederatedGroup
-    pluralName: federatedgroups
-    scope: Cluster
-    version: v1beta1
-  propagation: Enabled
-  targetType:
-    group: iam.kubesphere.io
-    kind: Group
-    pluralName: groups
-    scope: Cluster
-    version: v1alpha2
---
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: federatedgroups.types.kubefed.io
-spec:
-  group: types.kubefed.io
-  names:
-    kind: FederatedGroup
-    listKind: FederatedGroupList
-    plural: federatedgroups
-    singular: federatedgroup
-  scope: Cluster
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          properties:
-            overrides:
-              items:
-                properties:
-                  clusterName:
-                    type: string
-                  clusterOverrides:
-                    items:
-                      properties:
-                        op:
-                          type: string
-                        path:
-                          type: string
-                        value:
-                          type: object
-                      required:
-                      - path
-                      type: object
-                    type: array
-                required:
-                - clusterName
-                type: object
-              type: array
-            placement:
-              properties:
-                clusterSelector:
-                  description: A label selector is a label query over a set of resources.
-                    The result of matchLabels and matchExpressions are ANDed. An empty
-                    label selector matches all objects. A null label selector matches
-                    no objects.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements.
-                        The requirements are ANDed.
-                      items:
-                        description: A label selector requirement is a selector that
-                          contains values, a key, and an operator that relates the
-                          key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies
-                              to.
-                            type: string
-                          operator:
-                            description: operator represents a key's relationship
-                              to a set of values. Valid operators are In, NotIn, Exists
-                              and DoesNotExist.
-                            type: string
-                          values:
-                            description: values is an array of string values. If the
-                              operator is In or NotIn, the values array must be non-empty.
-                              If the operator is Exists or DoesNotExist, the values
-                              array must be empty. This array is replaced during a
-                              strategic merge patch.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - key
-                        - operator
-                        type: object
-                      type: array
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: matchLabels is a map of {key,value} pairs. A single
-                        {key,value} in the matchLabels map is equivalent to an element
-                        of matchExpressions, whose key field is "key", the operator
-                        is "In", and the values array contains only "value". The requirements
-                        are ANDed.
-                      type: object
-                  type: object
-                clusters:
-                  items:
-                    properties:
-                      name:
-                        type: string
-                    required:
-                    - name
-                    type: object
-                  type: array
-              type: object
-            template:
-              properties:
-                spec:
-                  description: GroupSpec defines the desired state of Group
-                  type: object
-              type: object
-          required:
-          - placement
-          - template
-          type: object
-        status:
-          properties:
-            clusters:
-              items:
-                properties:
-                  name:
-                    type: string
-                  status:
-                    type: string
-                required:
-                - name
-                type: object
-              type: array
-            conditions:
-              items:
-                properties:
-                  lastTransitionTime:
-                    description: Last time the condition transit from one status to
-                      another.
-                    type: string
-                  lastUpdateTime:
-                    description: Last time reconciliation resulted in an error or
-                      the last time a change was propagated to member clusters.
-                    type: string
-                  reason:
-                    description: (brief) reason for the condition's last transition.
-                    type: string
-                  status:
-                    description: Status of the condition, one of True, False, Unknown.
-                    type: string
-                  type:
-                    description: Type of cluster condition
-                    type: string
-                required:
-                - status
-                - type
-                type: object
-              type: array
-            observedGeneration:
-              format: int64
-              type: integer
-          type: object
-      required:
-      - spec
-      type: object
-  version: v1beta1
-  versions:
-  - name: v1beta1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/types.kubefed.io_federatednamespaces.yaml
+++ b/config/crds/types.kubefed.io_federatednamespaces.yaml
@@ -1,164 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: federatednamespaces.types.kubefed.io
-spec:
-  group: types.kubefed.io
-  names:
-    kind: FederatedNamespace
-    listKind: FederatedNamespaceList
-    plural: federatednamespaces
-    singular: federatednamespace
-  scope: Namespaced
-  versions:
-  - name: v1beta1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            properties:
-              overrides:
-                items:
-                  properties:
-                    clusterName:
-                      type: string
-                    clusterOverrides:
-                      items:
-                        properties:
-                          op:
-                            type: string
-                          path:
-                            type: string
-                          value:
-                            type: object
-                        required:
-                        - path
-                        type: object
-                      type: array
-                  required:
-                  - clusterName
-                  type: object
-                type: array
-              placement:
-                properties:
-                  clusterSelector:
-                    description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  clusters:
-                    items:
-                      properties:
-                        name:
-                          type: string
-                      required:
-                      - name
-                      type: object
-                    type: array
-                type: object
-              template:
-                properties:
-                  spec:
-                    description: NamespaceSpec describes the attributes on a Namespace.
-                    properties:
-                      finalizers:
-                        description: 'Finalizers is an opaque list of values that must be empty to permanently remove object from storage. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/'
-                        items:
-                          description: FinalizerName is the name identifying a finalizer during namespace lifecycle.
-                          type: string
-                        type: array
-                    type: object
-                type: object
-            required:
-            - placement
-            - template
-            type: object
-          status:
-            properties:
-              clusters:
-                items:
-                  properties:
-                    name:
-                      type: string
-                    status:
-                      type: string
-                  required:
-                  - name
-                  type: object
-                type: array
-              conditions:
-                items:
-                  properties:
-                    lastTransitionTime:
-                      description: Last time the condition transit from one status to another.
-                      type: string
-                    lastUpdateTime:
-                      description: Last time reconciliation resulted in an error or the last time a change was propagated to member clusters.
-                      type: string
-                    reason:
-                      description: (brief) reason for the condition's last transition.
-                      type: string
-                    status:
-                      description: Status of the condition, one of True, False, Unknown.
-                      type: string
-                    type:
-                      description: Type of cluster condition
-                      type: string
-                  required:
-                  - status
-                  - type
-                  type: object
-                type: array
-              observedGeneration:
-                format: int64
-                type: integer
-            type: object
-        required:
-        - spec
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/types.kubefed.io_federatednotificationconfigs.yaml
+++ b/config/crds/types.kubefed.io_federatednotificationconfigs.yaml
@@ -1,393 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: federatednotificationconfigs.types.kubefed.io
-spec:
-  group: types.kubefed.io
-  names:
-    kind: FederatedNotificationConfig
-    listKind: FederatedNotificationConfigList
-    plural: federatednotificationconfigs
-    singular: federatednotificationconfig
-  scope: Cluster
-  versions:
-  - name: v1beta1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            properties:
-              overrides:
-                items:
-                  properties:
-                    clusterName:
-                      type: string
-                    clusterOverrides:
-                      items:
-                        properties:
-                          op:
-                            type: string
-                          path:
-                            type: string
-                          value:
-                            type: object
-                        required:
-                        - path
-                        type: object
-                      type: array
-                  required:
-                  - clusterName
-                  type: object
-                type: array
-              placement:
-                properties:
-                  clusterSelector:
-                    description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  clusters:
-                    items:
-                      properties:
-                        name:
-                          type: string
-                      required:
-                      - name
-                      type: object
-                    type: array
-                type: object
-              template:
-                properties:
-                  metadata:
-                    type: object
-                    x-kubernetes-preserve-unknown-fields: true
-                  spec:
-                    description: ConfigSpec defines the desired state of Config
-                    properties:
-                      dingtalk:
-                        properties:
-                          conversation:
-                            description: Only needed when send alerts to the conversation.
-                            properties:
-                              appkey:
-                                description: The key of the application with which to send messages.
-                                properties:
-                                  key:
-                                    description: The key of the secret to select from.  Must be a valid secret key.
-                                    type: string
-                                  name:
-                                    description: Name of the secret.
-                                    type: string
-                                  namespace:
-                                    description: The namespace of the secret, default to the pod's namespace.
-                                    type: string
-                                required:
-                                - key
-                                type: object
-                              appsecret:
-                                description: The key in the secret to be used. Must be a valid secret key.
-                                properties:
-                                  key:
-                                    description: The key of the secret to select from.  Must be a valid secret key.
-                                    type: string
-                                  name:
-                                    description: Name of the secret.
-                                    type: string
-                                  namespace:
-                                    description: The namespace of the secret, default to the pod's namespace.
-                                    type: string
-                                required:
-                                - key
-                                type: object
-                            type: object
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                        type: object
-                      email:
-                        properties:
-                          authIdentify:
-                            description: The identity for PLAIN authentication.
-                            type: string
-                          authPassword:
-                            description: The secret contains the SMTP password for LOGIN and PLAIN authentications.
-                            properties:
-                              key:
-                                description: The key of the secret to select from.  Must be a valid secret key.
-                                type: string
-                              name:
-                                description: Name of the secret.
-                                type: string
-                              namespace:
-                                description: The namespace of the secret, default to the pod's namespace.
-                                type: string
-                            required:
-                            - key
-                            type: object
-                          authSecret:
-                            description: The secret contains the SMTP secret for CRAM-MD5 authentication.
-                            properties:
-                              key:
-                                description: The key of the secret to select from.  Must be a valid secret key.
-                                type: string
-                              name:
-                                description: Name of the secret.
-                                type: string
-                              namespace:
-                                description: The namespace of the secret, default to the pod's namespace.
-                                type: string
-                            required:
-                            - key
-                            type: object
-                          authUsername:
-                            description: The username for CRAM-MD5, LOGIN and PLAIN authentications.
-                            type: string
-                          from:
-                            description: The sender address.
-                            type: string
-                          hello:
-                            description: The hostname to use when identifying to the SMTP server.
-                            type: string
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                          requireTLS:
-                            description: The default SMTP TLS requirement.
-                            type: boolean
-                          smartHost:
-                            description: The address of the SMTP server.
-                            properties:
-                              host:
-                                type: string
-                              port:
-                                type: integer
-                            required:
-                            - host
-                            - port
-                            type: object
-                          tls:
-                            description: TLSConfig configures the options for TLS connections.
-                            properties:
-                              clientCertificate:
-                                description: The certificate of the client.
-                                properties:
-                                  cert:
-                                    description: The client cert file for the targets.
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.  Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: Name of the secret.
-                                        type: string
-                                      namespace:
-                                        description: The namespace of the secret, default to the pod's namespace.
-                                        type: string
-                                    required:
-                                    - key
-                                    type: object
-                                  key:
-                                    description: The client key file for the targets.
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.  Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: Name of the secret.
-                                        type: string
-                                      namespace:
-                                        description: The namespace of the secret, default to the pod's namespace.
-                                        type: string
-                                    required:
-                                    - key
-                                    type: object
-                                type: object
-                              insecureSkipVerify:
-                                description: Disable target certificate validation.
-                                type: boolean
-                              rootCA:
-                                description: RootCA defines the root certificate authorities that clients use when verifying server certificates.
-                                properties:
-                                  key:
-                                    description: The key of the secret to select from.  Must be a valid secret key.
-                                    type: string
-                                  name:
-                                    description: Name of the secret.
-                                    type: string
-                                  namespace:
-                                    description: The namespace of the secret, default to the pod's namespace.
-                                    type: string
-                                required:
-                                - key
-                                type: object
-                              serverName:
-                                description: Used to verify the hostname for the targets.
-                                type: string
-                            type: object
-                        required:
-                        - from
-                        - smartHost
-                        type: object
-                      slack:
-                        properties:
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                          slackTokenSecret:
-                            description: The token of user or bot.
-                            properties:
-                              key:
-                                description: The key of the secret to select from.  Must be a valid secret key.
-                                type: string
-                              name:
-                                description: Name of the secret.
-                                type: string
-                              namespace:
-                                description: The namespace of the secret, default to the pod's namespace.
-                                type: string
-                            required:
-                            - key
-                            type: object
-                        type: object
-                      webhook:
-                        properties:
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                        type: object
-                      wechat:
-                        properties:
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                          wechatApiAgentId:
-                            description: The id of the application which sending message.
-                            type: string
-                          wechatApiCorpId:
-                            description: The corp id for authentication.
-                            type: string
-                          wechatApiSecret:
-                            description: The API key to use when talking to the WeChat API.
-                            properties:
-                              key:
-                                description: The key of the secret to select from.  Must be a valid secret key.
-                                type: string
-                              name:
-                                description: Name of the secret.
-                                type: string
-                              namespace:
-                                description: The namespace of the secret, default to the pod's namespace.
-                                type: string
-                            required:
-                            - key
-                            type: object
-                          wechatApiUrl:
-                            description: The WeChat API URL.
-                            type: string
-                        required:
-                        - wechatApiAgentId
-                        - wechatApiCorpId
-                        - wechatApiSecret
-                        type: object
-                    type: object
-                type: object
-            required:
-            - placement
-            - template
-            type: object
-          status:
-            properties:
-              clusters:
-                items:
-                  properties:
-                    name:
-                      type: string
-                    status:
-                      type: string
-                  required:
-                  - name
-                  type: object
-                type: array
-              conditions:
-                items:
-                  properties:
-                    lastTransitionTime:
-                      description: Last time the condition transit from one status to another.
-                      type: string
-                    lastUpdateTime:
-                      description: Last time reconciliation resulted in an error or the last time a change was propagated to member clusters.
-                      type: string
-                    reason:
-                      description: (brief) reason for the condition's last transition.
-                      type: string
-                    status:
-                      description: Status of the condition, one of True, False, Unknown.
-                      type: string
-                    type:
-                      description: Type of cluster condition
-                      type: string
-                  required:
-                  - status
-                  - type
-                  type: object
-                type: array
-              observedGeneration:
-                format: int64
-                type: integer
-            type: object
-        required:
-        - spec
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/types.kubefed.io_federatednotificationreceivers.yaml
+++ b/config/crds/types.kubefed.io_federatednotificationreceivers.yaml
@@ -1,700 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: federatednotificationreceivers.types.kubefed.io
-spec:
-  group: types.kubefed.io
-  names:
-    kind: FederatedNotificationReceiver
-    listKind: FederatedNotificationReceiverList
-    plural: federatednotificationreceivers
-    singular: federatednotificationreceiver
-  scope: Cluster
-  versions:
-  - name: v1beta1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            properties:
-              overrides:
-                items:
-                  properties:
-                    clusterName:
-                      type: string
-                    clusterOverrides:
-                      items:
-                        properties:
-                          op:
-                            type: string
-                          path:
-                            type: string
-                          value:
-                            type: object
-                        required:
-                        - path
-                        type: object
-                      type: array
-                  required:
-                  - clusterName
-                  type: object
-                type: array
-              placement:
-                properties:
-                  clusterSelector:
-                    description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  clusters:
-                    items:
-                      properties:
-                        name:
-                          type: string
-                      required:
-                      - name
-                      type: object
-                    type: array
-                type: object
-              template:
-                properties:
-                  metadata:
-                    type: object
-                    x-kubernetes-preserve-unknown-fields: true
-                  spec:
-                    description: ReceiverSpec defines the desired state of Receiver
-                    properties:
-                      dingtalk:
-                        properties:
-                          alertSelector:
-                            description: Selector to filter alerts.
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                          chatbot:
-                            description: Be careful, a ChatBot only can send 20 message per minute.
-                            properties:
-                              keywords:
-                                description: Custom keywords of ChatBot
-                                items:
-                                  type: string
-                                type: array
-                              secret:
-                                description: Secret of ChatBot, you can get it after enabled Additional Signature of ChatBot.
-                                properties:
-                                  key:
-                                    description: The key of the secret to select from.  Must be a valid secret key.
-                                    type: string
-                                  name:
-                                    description: Name of the secret.
-                                    type: string
-                                  namespace:
-                                    description: The namespace of the secret, default to the pod's namespace.
-                                    type: string
-                                required:
-                                - key
-                                type: object
-                              webhook:
-                                description: The webhook of ChatBot which the message will send to.
-                                properties:
-                                  key:
-                                    description: The key of the secret to select from.  Must be a valid secret key.
-                                    type: string
-                                  name:
-                                    description: Name of the secret.
-                                    type: string
-                                  namespace:
-                                    description: The namespace of the secret, default to the pod's namespace.
-                                    type: string
-                                required:
-                                - key
-                                type: object
-                            required:
-                            - webhook
-                            type: object
-                          conversation:
-                            description: The conversation which message will send to.
-                            properties:
-                              chatids:
-                                items:
-                                  type: string
-                                type: array
-                            required:
-                            - chatids
-                            type: object
-                          dingtalkConfigSelector:
-                            description: DingTalkConfig to be selected for this receiver
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                          enabled:
-                            description: whether the receiver is enabled
-                            type: boolean
-                        type: object
-                      email:
-                        properties:
-                          alertSelector:
-                            description: Selector to filter alerts.
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                          emailConfigSelector:
-                            description: EmailConfig to be selected for this receiver
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                          enabled:
-                            description: whether the receiver is enabled
-                            type: boolean
-                          to:
-                            description: Receivers' email addresses
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - to
-                        type: object
-                      slack:
-                        properties:
-                          alertSelector:
-                            description: Selector to filter alerts.
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                          channels:
-                            description: The channel or user to send notifications to.
-                            items:
-                              type: string
-                            type: array
-                          enabled:
-                            description: whether the receiver is enabled
-                            type: boolean
-                          slackConfigSelector:
-                            description: SlackConfig to be selected for this receiver
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                        required:
-                        - channels
-                        type: object
-                      webhook:
-                        properties:
-                          alertSelector:
-                            description: Selector to filter alerts.
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                          enabled:
-                            description: whether the receiver is enabled
-                            type: boolean
-                          httpConfig:
-                            description: HTTPClientConfig configures an HTTP client.
-                            properties:
-                              basicAuth:
-                                description: The HTTP basic authentication credentials for the targets.
-                                properties:
-                                  password:
-                                    description: SecretKeySelector selects a key of a Secret.
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.  Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: Name of the secret.
-                                        type: string
-                                      namespace:
-                                        description: The namespace of the secret, default to the pod's namespace.
-                                        type: string
-                                    required:
-                                    - key
-                                    type: object
-                                  username:
-                                    type: string
-                                required:
-                                - username
-                                type: object
-                              bearerToken:
-                                description: The bearer token for the targets.
-                                properties:
-                                  key:
-                                    description: The key of the secret to select from.  Must be a valid secret key.
-                                    type: string
-                                  name:
-                                    description: Name of the secret.
-                                    type: string
-                                  namespace:
-                                    description: The namespace of the secret, default to the pod's namespace.
-                                    type: string
-                                required:
-                                - key
-                                type: object
-                              proxyUrl:
-                                description: HTTP proxy server to use to connect to the targets.
-                                type: string
-                              tlsConfig:
-                                description: TLSConfig to use to connect to the targets.
-                                properties:
-                                  clientCertificate:
-                                    description: The certificate of the client.
-                                    properties:
-                                      cert:
-                                        description: The client cert file for the targets.
-                                        properties:
-                                          key:
-                                            description: The key of the secret to select from.  Must be a valid secret key.
-                                            type: string
-                                          name:
-                                            description: Name of the secret.
-                                            type: string
-                                          namespace:
-                                            description: The namespace of the secret, default to the pod's namespace.
-                                            type: string
-                                        required:
-                                        - key
-                                        type: object
-                                      key:
-                                        description: The client key file for the targets.
-                                        properties:
-                                          key:
-                                            description: The key of the secret to select from.  Must be a valid secret key.
-                                            type: string
-                                          name:
-                                            description: Name of the secret.
-                                            type: string
-                                          namespace:
-                                            description: The namespace of the secret, default to the pod's namespace.
-                                            type: string
-                                        required:
-                                        - key
-                                        type: object
-                                    type: object
-                                  insecureSkipVerify:
-                                    description: Disable target certificate validation.
-                                    type: boolean
-                                  rootCA:
-                                    description: RootCA defines the root certificate authorities that clients use when verifying server certificates.
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.  Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: Name of the secret.
-                                        type: string
-                                      namespace:
-                                        description: The namespace of the secret, default to the pod's namespace.
-                                        type: string
-                                    required:
-                                    - key
-                                    type: object
-                                  serverName:
-                                    description: Used to verify the hostname for the targets.
-                                    type: string
-                                type: object
-                            type: object
-                          service:
-                            description: "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified. \n If the webhook is running within the cluster, then you should use `service`."
-                            properties:
-                              name:
-                                description: '`name` is the name of the service. Required'
-                                type: string
-                              namespace:
-                                description: '`namespace` is the namespace of the service. Required'
-                                type: string
-                              path:
-                                description: '`path` is an optional URL path which will be sent in any request to this service.'
-                                type: string
-                              port:
-                                description: If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
-                                format: int32
-                                type: integer
-                              scheme:
-                                description: Http scheme, default is http.
-                                type: string
-                            required:
-                            - name
-                            - namespace
-                            type: object
-                          url:
-                            description: "`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. \n The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some api servers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address. \n Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. \n A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. \n Attempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either."
-                            type: string
-                          webhookConfigSelector:
-                            description: WebhookConfig to be selected for this receiver
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                        type: object
-                      wechat:
-                        properties:
-                          alertSelector:
-                            description: Selector to filter alerts.
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                          enabled:
-                            description: whether the receiver is enabled
-                            type: boolean
-                          toParty:
-                            items:
-                              type: string
-                            type: array
-                          toTag:
-                            items:
-                              type: string
-                            type: array
-                          toUser:
-                            items:
-                              type: string
-                            type: array
-                          wechatConfigSelector:
-                            description: WechatConfig to be selected for this receiver
-                            properties:
-                              matchExpressions:
-                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                items:
-                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                  properties:
-                                    key:
-                                      description: key is the label key that the selector applies to.
-                                      type: string
-                                    operator:
-                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                      type: string
-                                    values:
-                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                      items:
-                                        type: string
-                                      type: array
-                                  required:
-                                  - key
-                                  - operator
-                                  type: object
-                                type: array
-                              matchLabels:
-                                additionalProperties:
-                                  type: string
-                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                type: object
-                            type: object
-                        type: object
-                    type: object
-                type: object
-            required:
-            - placement
-            - template
-            type: object
-          status:
-            properties:
-              clusters:
-                items:
-                  properties:
-                    name:
-                      type: string
-                    status:
-                      type: string
-                  required:
-                  - name
-                  type: object
-                type: array
-              conditions:
-                items:
-                  properties:
-                    lastTransitionTime:
-                      description: Last time the condition transit from one status to another.
-                      type: string
-                    lastUpdateTime:
-                      description: Last time reconciliation resulted in an error or the last time a change was propagated to member clusters.
-                      type: string
-                    reason:
-                      description: (brief) reason for the condition's last transition.
-                      type: string
-                    status:
-                      description: Status of the condition, one of True, False, Unknown.
-                      type: string
-                    type:
-                      description: Type of cluster condition
-                      type: string
-                  required:
-                  - status
-                  - type
-                  type: object
-                type: array
-              observedGeneration:
-                format: int64
-                type: integer
-            type: object
-        required:
-        - spec
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crds/types.kubefed.io_federatedsecrets.yaml
+++ b/config/crds/types.kubefed.io_federatedsecrets.yaml
@@ -1,165 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: federatedsecrets.types.kubefed.io
-spec:
-  group: types.kubefed.io
-  names:
-    kind: FederatedSecret
-    listKind: FederatedSecretList
-    plural: federatedsecrets
-    singular: federatedsecret
-  scope: Namespaced
-  versions:
-  - name: v1beta1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            properties:
-              overrides:
-                items:
-                  properties:
-                    clusterName:
-                      type: string
-                    clusterOverrides:
-                      items:
-                        properties:
-                          op:
-                            type: string
-                          path:
-                            type: string
-                          value:
-                            type: object
-                        required:
-                        - path
-                        type: object
-                      type: array
-                  required:
-                  - clusterName
-                  type: object
-                type: array
-              placement:
-                properties:
-                  clusterSelector:
-                    description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                              items:
-                                type: string
-                              type: array
-                          required:
-                          - key
-                          - operator
-                          type: object
-                        type: array
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                  clusters:
-                    items:
-                      properties:
-                        name:
-                          type: string
-                      required:
-                      - name
-                      type: object
-                    type: array
-                type: object
-              template:
-                properties:
-                  data:
-                    additionalProperties:
-                      format: byte
-                      type: string
-                    type: object
-                  stringData:
-                    additionalProperties:
-                      type: string
-                    type: object
-                  type:
-                    type: string
-                type: object
-            required:
-            - placement
-            - template
-            type: object
-          status:
-            properties:
-              clusters:
-                items:
-                  properties:
-                    name:
-                      type: string
-                    status:
-                      type: string
-                  required:
-                  - name
-                  type: object
-                type: array
-              conditions:
-                items:
-                  properties:
-                    lastTransitionTime:
-                      description: Last time the condition transit from one status to another.
-                      type: string
-                    lastUpdateTime:
-                      description: Last time reconciliation resulted in an error or the last time a change was propagated to member clusters.
-                      type: string
-                    reason:
-                      description: (brief) reason for the condition's last transition.
-                      type: string
-                    status:
-                      description: Status of the condition, one of True, False, Unknown.
-                      type: string
-                    type:
-                      description: Type of cluster condition
-                      type: string
-                  required:
-                  - status
-                  - type
-                  type: object
-                type: array
-              observedGeneration:
-                format: int64
-                type: integer
-            type: object
-        required:
-        - spec
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -1,49 +0,0 @@
-# Add namespace to all resources.
-namespace: t-system
-
-# Value of this field is prepended to the
-# names of all resources, e.g. a deployment named
-# "wordpress" becomes "alices-wordpress".
-# Note that it should also match with the prefix (text before '-') of the namespace
-# field above.
-namePrefix: t-
-
-# Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
-
-# Each entry in this list must resolve to an existing
-# resource definition in YAML. These are the resource
-# files that kustomize reads, modifies and emits as a
-# YAML string, with resources separated by document
-# markers ("---").
-resources:
- ../rbac/rbac_role.yaml
- ../rbac/rbac_role_binding.yaml
- ../manager/manager.yaml
-  # Comment the following 3 lines if you want to disable
-  # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-  # which protects your /metrics endpoint.
-#- ../rbac/auth_proxy_service.yaml
-#- ../rbac/auth_proxy_role.yaml
-#- ../rbac/auth_proxy_role_binding.yaml
-
-patches:
- manager_image_patch.yaml
-  # Protect the /metrics endpoint by putting it behind auth.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
- manager_auth_proxy_patch.yaml
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, uncomment the following line and
-  # comment manager_auth_proxy_patch.yaml.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
-#- manager_prometheus_metrics_patch.yaml
-
-vars:
- name: WEBHOOK_SECRET_NAME
-  objref:
-    kind: Secret
-    name: webhook-server-secret
-    apiVersion: v1
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -1,24 +0,0 @@
-# This patch injects a sidecar container which is an HTTP proxy for the controller manager.
-# It performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: kube-rbac-proxy
-        image: quay.io/coreos/kube-rbac-proxy:v0.4.0
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=10"
-        ports:
-        - containerPort: 8443
-          name: https
-      - name: manager
-        args:
-        - "--metrics-addr=127.0.0.1:8080"
--- a/config/default/manager_image_patch.yaml
+++ b/config/default/manager_image_patch.yaml
@@ -1,12 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      # Change the value of image field below to your controller image URL
-      - image: kubespheredev/controller-manager:latest
-        name: manager
--- a/config/default/manager_prometheus_metrics_patch.yaml
+++ b/config/default/manager_prometheus_metrics_patch.yaml
@@ -1,19 +0,0 @@
-# This patch enables Prometheus scraping for the manager pod.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    metadata:
-      annotations:
-        prometheus.io/scrape: 'true'
-    spec:
-      containers:
-      # Expose the prometheus metrics on default port
-      - name: manager
-        ports:
-        - containerPort: 8080
-          name: metrics
-          protocol: TCP
--- a/config/default/provisonercapability/aws-ebs.yaml
+++ b/config/default/provisonercapability/aws-ebs.yaml
@@ -1,20 +0,0 @@
-apiVersion: storage.kubesphere.io/v1alpha1
-kind: ProvisionerCapability
-metadata:
-  name: kubernetes-io-aws-ebs
-spec:
-  pluginInfo:
-    name: kubernetes.io/aws-ebs
-    version: ""
-  features:
-    topology: false
-    volume:
-      create: true
-      attach: true
-      clone: false
-      list: false
-      stats: false
-      expandMode: ONLINE
-    snapshot:
-      create: false
-      list: false
--- a/config/default/provisonercapability/azure-disk.yaml
+++ b/config/default/provisonercapability/azure-disk.yaml
@@ -1,20 +0,0 @@
-apiVersion: storage.kubesphere.io/v1alpha1
-kind: ProvisionerCapability
-metadata:
-  name: kubernetes-io-azure-disk
-spec:
-  pluginInfo:
-    name: kubernetes.io/azure-disk
-    version: ""
-  features:
-    topology: false
-    volume:
-      create: true
-      attach: true
-      clone: false
-      list: false
-      stats: false
-      expandMode: OFFLINE
-    snapshot:
-      create: false
-      list: false
--- a/config/default/provisonercapability/azure-file.yaml
+++ b/config/default/provisonercapability/azure-file.yaml
@@ -1,20 +0,0 @@
-apiVersion: storage.kubesphere.io/v1alpha1
-kind: ProvisionerCapability
-metadata:
-  name: kubernetes-io-azure-file
-spec:
-  pluginInfo:
-    name: kubernetes.io/azure-file
-    version: ""
-  features:
-    topology: false
-    volume:
-      create: true
-      attach: true
-      clone: false
-      list: false
-      stats: false
-      expandMode: OFFLINE
-    snapshot:
-      create: false
-      list: false
--- a/Show More
+++ b/Show More