apple · bioball · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.2.1
+1.3.0
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -33,7 +33,9 @@ val k8sVersions = listOf(
   "v1.29.0",
   "v1.30.0",
   "v1.31.7",
-  "v1.32.3"
+  "v1.32.3",
+  "v1.33.6",
+  "v1.34.2",
 )
 
 configurations {
@@ -47,8 +49,9 @@ configurations {
 
 dependencies {
   implementation(libs.moshiKotlin)
-  // used to quote identifiers
+  implementation(libs.pklParser)
   implementation(libs.pklCore)
+  implementation(libs.pklFormatter)
   // used for lexing
   implementation(libs.antlr)
 }
@@ -69,9 +72,8 @@ tasks.idea {
 }
 
 tasks.compileKotlin {
-  kotlinOptions {
-    freeCompilerArgs = freeCompilerArgs +
-        listOf("-Xjsr305=strict", "-Xjvm-default=all", "-opt-in=kotlin.RequiresOptIn")
+  compilerOptions {
+    freeCompilerArgs.addAll(listOf("-Xjsr305=strict", "-Xjvm-default=all", "-opt-in=kotlin.RequiresOptIn"))
   }
 }
 

diff --git a/generated-package/api/admissionregistration/v1/MatchCondition.pkl b/generated-package/api/admissionregistration/v1/MatchCondition.pkl
@@ -1,5 +1,5 @@
 //===----------------------------------------------------------------------===//
-// Copyright © 2024 Apple Inc. and the Pkl project authors. All rights reserved.
+// Copyright © 2024-2025 Apple Inc. and the Pkl project authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -25,7 +25,7 @@ extends ".../K8sObject.pkl"
 ///
 /// Must evaluate to bool.
 /// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-/// 
+///
 /// 'object' - The object from the incoming request.
 /// The value is null for DELETE requests.
 /// 'oldObject' - The existing object.
@@ -37,15 +37,14 @@ extends ".../K8sObject.pkl"
 /// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
 ///   request resource.
 /// Documentation on CEL: <https://kubernetes.io/docs/reference/using-api/cel/>
-/// 
+///
 /// Required.
 expression: String
 
 /// Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes.
 ///
 /// A good name should be descriptive of the associated expression.
 /// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-/// 
+///
 /// Required.
 name: String
-
diff --git a/generated-package/api/admissionregistration/v1/MatchResources.pkl b/generated-package/api/admissionregistration/v1/MatchResources.pkl
@@ -1,5 +1,5 @@
 //===----------------------------------------------------------------------===//
-// Copyright © 2024 Apple Inc. and the Pkl project authors. All rights reserved.
+// Copyright © 2024-2025 Apple Inc. and the Pkl project authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -28,13 +28,13 @@ import ".../apimachinery/pkg/apis/meta/v1/LabelSelector.pkl"
 /// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
 ///
 /// Allowed values are "Exact" or "Equivalent".
-/// 
+///
 /// - Exact: match a request only if it exactly matches a specified rule.
 /// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
-/// 
+///
 /// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
 /// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
-/// 
+///
 /// Defaults to "Equivalent"
 matchPolicy: String?
 
@@ -52,7 +52,7 @@ excludeResourceRules: Listing<NamedRuleWithOperations>?
 ///
 /// If the object itself is a namespace, the matching is performed on object.metadata.labels.
 /// If the object is another cluster scoped resource, it never skips the policy.
-/// 
+///
 /// For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
 ///   "matchExpressions": [
 ///     {
@@ -65,7 +65,7 @@ excludeResourceRules: Listing<NamedRuleWithOperations>?
 ///     }
 ///   ]
 /// }
-/// 
+///
 /// If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
 ///   "matchExpressions": [
 ///     {
@@ -78,9 +78,9 @@ excludeResourceRules: Listing<NamedRuleWithOperations>?
 ///     }
 ///   ]
 /// }
-/// 
+///
 /// See <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/> for more examples of label selectors.
-/// 
+///
 /// Default to the empty LabelSelector, which matches everything.
 namespaceSelector: LabelSelector?
 
@@ -124,16 +124,16 @@ class NamedRuleWithOperations {
 
   /// Resources is a list of resources this rule applies to.
   ///
-  /// 
+  ///
   /// For example: 'pods' means pods.
   /// 'pods/log' means the log subresource of pods.
   /// '*' means all resources, but not subresources.
   /// 'pods/*' means all subresources of pods.
   /// '*/scale' means all scale subresources.
   /// '*/*' means all resources and their subresources.
-  /// 
+  ///
   /// If wildcard is present, the validation rule will ensure resources do not overlap with each other.
-  /// 
+  ///
   /// Depending on the enclosing object, subresources might not be allowed.
   /// Required.
   resources: Listing<String>
@@ -145,4 +145,3 @@ class NamedRuleWithOperations {
   /// Required.
   apiGroups: Listing<String>
 }
-
diff --git a/generated-package/api/admissionregistration/v1/MutatingWebhookConfiguration.pkl b/generated-package/api/admissionregistration/v1/MutatingWebhookConfiguration.pkl
@@ -1,5 +1,5 @@
 //===----------------------------------------------------------------------===//
-// Copyright © 2024 Apple Inc. and the Pkl project authors. All rights reserved.
+// Copyright © 2024-2025 Apple Inc. and the Pkl project authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -20,11 +20,11 @@ open module k8s.api.admissionregistration.v1.MutatingWebhookConfiguration
 
 extends ".../K8sResource.pkl"
 
-import ".../apimachinery/pkg/apis/meta/v1/ObjectMeta.pkl"
-import ".../apimachinery/pkg/apis/meta/v1/LabelSelector.pkl"
+import ".../api/admissionregistration/v1/MatchCondition.pkl"
 import ".../api/admissionregistration/v1/RuleWithOperations.pkl"
 import ".../api/admissionregistration/v1/WebhookClientConfig.pkl"
-import ".../api/admissionregistration/v1/MatchCondition.pkl"
+import ".../apimachinery/pkg/apis/meta/v1/LabelSelector.pkl"
+import ".../apimachinery/pkg/apis/meta/v1/ObjectMeta.pkl"
 
 fixed apiVersion: "admissionregistration.k8s.io/v1"
 
@@ -48,32 +48,32 @@ class MutatingWebhook {
   /// matchPolicy defines how the "rules" list is used to match incoming requests.
   ///
   /// Allowed values are "Exact" or "Equivalent".
-  /// 
+  ///
   /// - Exact: match a request only if it exactly matches a specified rule.
   /// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-  /// 
+  ///
   /// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
   /// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-  /// 
+  ///
   /// Defaults to "Equivalent"
-  matchPolicy: ("Exact"|"Equivalent")?
+  matchPolicy: ("Exact" | "Equivalent")?
 
   /// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
   ///
   /// Allowed values are "Never" and "IfNeeded".
-  /// 
+  ///
   /// Never: the webhook will not be called more than once in a single admission evaluation.
-  /// 
+  ///
   /// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call.
   /// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
   /// Note:
   /// * the number of additional invocations is not guaranteed to be exactly one.
   /// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
   /// * webhooks that use this option may be reordered to minimize the number of additional invocations.
   /// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
-  /// 
+  ///
   /// Defaults to "Never".
-  reinvocationPolicy: ("Never"|"IfNeeded")?
+  reinvocationPolicy: ("Never" | "IfNeeded")?
 
   /// The name of the admission webhook.
   ///
@@ -85,7 +85,7 @@ class MutatingWebhook {
   ///
   /// If the object itself is a namespace, the matching is performed on object.metadata.labels.
   /// If the object is another cluster scoped resource, it never skips the webhook.
-  /// 
+  ///
   /// For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
   ///   "matchExpressions": [
   ///     {
@@ -98,7 +98,7 @@ class MutatingWebhook {
   ///     }
   ///   ]
   /// }
-  /// 
+  ///
   /// If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
   ///   "matchExpressions": [
   ///     {
@@ -111,9 +111,9 @@ class MutatingWebhook {
   ///     }
   ///   ]
   /// }
-  /// 
+  ///
   /// See <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/> for more examples of label selectors.
-  /// 
+  ///
   /// Default to the empty LabelSelector, which matches everything.
   namespaceSelector: LabelSelector?
 
@@ -140,7 +140,7 @@ class MutatingWebhook {
   /// Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector.
   /// An empty list of matchConditions matches all requests.
   /// There are a maximum of 64 match conditions allowed.
-  /// 
+  ///
   /// The exact matching logic is (in order):
   ///   1.
   /// If ANY matchCondition evaluates to FALSE, the webhook is skipped.
@@ -164,13 +164,12 @@ class MutatingWebhook {
   /// FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail.
   ///
   /// Defaults to Fail.
-  failurePolicy: ("Ignore"|"Fail")?
+  failurePolicy: ("Ignore" | "Fail")?
 
   /// SideEffects states whether this webhook has side effects.
   ///
   /// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
   /// Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone.
   /// Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
-  sideEffects: "None"|"NoneOnDryRun"
+  sideEffects: "None" | "NoneOnDryRun"
 }
-
diff --git a/generated-package/api/admissionregistration/v1/MutatingWebhookConfigurationList.pkl b/generated-package/api/admissionregistration/v1/MutatingWebhookConfigurationList.pkl
@@ -1,5 +1,5 @@
 //===----------------------------------------------------------------------===//
-// Copyright © 2024 Apple Inc. and the Pkl project authors. All rights reserved.
+// Copyright © 2024-2025 Apple Inc. and the Pkl project authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -20,8 +20,8 @@ open module k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList
 
 extends ".../K8sResource.pkl"
 
-import ".../apimachinery/pkg/apis/meta/v1/ListMeta.pkl"
 import ".../api/admissionregistration/v1/MutatingWebhookConfiguration.pkl"
+import ".../apimachinery/pkg/apis/meta/v1/ListMeta.pkl"
 
 fixed apiVersion: "admissionregistration.k8s.io/v1"
 
@@ -34,4 +34,3 @@ metadata: ListMeta?
 
 /// List of MutatingWebhookConfiguration.
 items: Listing<MutatingWebhookConfiguration>
-
diff --git a/generated-package/api/admissionregistration/v1/RuleWithOperations.pkl b/generated-package/api/admissionregistration/v1/RuleWithOperations.pkl
@@ -1,5 +1,5 @@
 //===----------------------------------------------------------------------===//
-// Copyright © 2024 Apple Inc. and the Pkl project authors. All rights reserved.
+// Copyright © 2024-2025 Apple Inc. and the Pkl project authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -26,14 +26,14 @@ extends ".../K8sObject.pkl"
 ///
 /// If '*' is present, the length of the slice must be one.
 /// Required.
-operations: Listing<"CREATE"|"UPDATE"|"DELETE"|"CONNECT"|"*">?
+operations: Listing<"CREATE" | "UPDATE" | "DELETE" | "CONNECT" | "*">?
 
 /// APIVersions is the API versions the resources belong to.
 ///
 /// '*' is all versions.
 /// If '*' is present, the length of the slice must be one.
 /// Required.
-apiVersions: Listing<"*"|String>?
+apiVersions: Listing<"*" | String>?
 
 /// scope specifies the scope of this rule.
 ///
@@ -43,20 +43,20 @@ apiVersions: Listing<"*"|String>?
 /// "*" means that there are no scope restrictions.
 /// Subresources match the scope of their parent resource.
 /// Default is "*".
-scope: ("Cluster"|"Namespaced"|"*")?
+scope: ("Cluster" | "Namespaced" | "*")?
 
 /// Resources is a list of resources this rule applies to.
 ///
-/// 
+///
 /// For example: 'pods' means pods.
 /// 'pods/log' means the log subresource of pods.
 /// '*' means all resources, but not subresources.
 /// 'pods/*' means all subresources of pods.
 /// '*/scale' means all scale subresources.
 /// '*/*' means all resources and their subresources.
-/// 
+///
 /// If wildcard is present, the validation rule will ensure resources do not overlap with each other.
-/// 
+///
 /// Depending on the enclosing object, subresources might not be allowed.
 /// Required.
 resources: Listing<String>
@@ -66,5 +66,4 @@ resources: Listing<String>
 /// '*' is all groups.
 /// If '*' is present, the length of the slice must be one.
 /// Required.
-apiGroups: Listing<"*"|String>?
-
+apiGroups: Listing<"*" | String>?