diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
index a96620d8ca..63e0c77d7f 100644
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -73548,6 +73548,10 @@
       "items": {
        "$ref": "#/definitions/io.k8s.api.admissionregistration.v1beta1.RuleWithOperations"
       }
+     },
+     "sideEffects": {
+      "description": "SideEffects states whether this webhookk has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.",
+      "type": "string"
      }
     }
    },
diff --git a/api/swagger-spec/admissionregistration.k8s.io_v1beta1.json b/api/swagger-spec/admissionregistration.k8s.io_v1beta1.json
index e672b3b0e3..72df787c84 100644
--- a/api/swagger-spec/admissionregistration.k8s.io_v1beta1.json
+++ b/api/swagger-spec/admissionregistration.k8s.io_v1beta1.json
@@ -1786,6 +1786,10 @@
      "namespaceSelector": {
       "$ref": "v1.LabelSelector",
       "description": "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything."
+     },
+     "sideEffects": {
+      "$ref": "v1beta1.SideEffectClass",
+      "description": "SideEffects states whether this webhookk has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown."
      }
     }
    },
@@ -1917,6 +1921,10 @@
      }
     }
    },
+   "v1beta1.SideEffectClass": {
+    "id": "v1beta1.SideEffectClass",
+    "properties": {}
+   },
    "v1.WatchEvent": {
     "id": "v1.WatchEvent",
     "required": [
diff --git a/docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html b/docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html
index 2ca40e2c1c..9bb14f3325 100755
--- a/docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html
+++ b/docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html
@@ -1049,6 +1049,10 @@ Depending on the enclosing object, subresources might not be allowed. Required.<
 </tbody>
 </table>
 
+</div>
+<div class="sect2">
+<h3 id="_v1_deletionpropagation">v1.DeletionPropagation</h3>
+
 </div>
 <div class="sect2">
 <h3 id="_v1beta1_webhook">v1beta1.Webhook</h3>
@@ -1138,13 +1142,16 @@ Default to the empty LabelSelector, which matches everything.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_labelselector">v1.LabelSelector</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">sideEffects</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">SideEffects states whether this webhookk has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_sideeffectclass">v1beta1.SideEffectClass</a></p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
 </tbody>
 </table>
 
-</div>
-<div class="sect2">
-<h3 id="_v1_deletionpropagation">v1.DeletionPropagation</h3>
-
 </div>
 <div class="sect2">
 <h3 id="_v1beta1_operationtype">v1beta1.OperationType</h3>
@@ -1765,6 +1772,10 @@ Port 443 will be used if it is open, otherwise it is an error.</p></td>
 </tbody>
 </table>
 
+</div>
+<div class="sect2">
+<h3 id="_v1beta1_sideeffectclass">v1beta1.SideEffectClass</h3>
+
 </div>
 <div class="sect2">
 <h3 id="_types_uid">types.UID</h3>
diff --git a/pkg/apis/admission/types.go b/pkg/apis/admission/types.go
index 16cbd58695..fb704abdf9 100644
--- a/pkg/apis/admission/types.go
+++ b/pkg/apis/admission/types.go
@@ -73,6 +73,11 @@ type AdmissionRequest struct {
 	// OldObject is the existing object. Only populated for UPDATE requests.
 	// +optional
 	OldObject runtime.Object
+	// DryRun indicates that modifications will definitely not be persisted for this request.
+	// Calls to webhooks must have no side effects if DryRun is true.
+	// Defaults to false.
+	// +optional
+	DryRun *bool
 }
 
 // AdmissionResponse describes an admission response.
diff --git a/pkg/apis/admission/v1beta1/zz_generated.conversion.go b/pkg/apis/admission/v1beta1/zz_generated.conversion.go
index 180cc6bbc5..15dbf75d93 100644
--- a/pkg/apis/admission/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/admission/v1beta1/zz_generated.conversion.go
@@ -89,6 +89,7 @@ func autoConvert_v1beta1_AdmissionRequest_To_admission_AdmissionRequest(in *v1be
 	if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.OldObject, &out.OldObject, s); err != nil {
 		return err
 	}
+	out.DryRun = (*bool)(unsafe.Pointer(in.DryRun))
 	return nil
 }
 
@@ -115,6 +116,7 @@ func autoConvert_admission_AdmissionRequest_To_v1beta1_AdmissionRequest(in *admi
 	if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.OldObject, &out.OldObject, s); err != nil {
 		return err
 	}
+	out.DryRun = (*bool)(unsafe.Pointer(in.DryRun))
 	return nil
 }
 
diff --git a/pkg/apis/admission/zz_generated.deepcopy.go b/pkg/apis/admission/zz_generated.deepcopy.go
index 9f921cf57e..4c767f0dc7 100644
--- a/pkg/apis/admission/zz_generated.deepcopy.go
+++ b/pkg/apis/admission/zz_generated.deepcopy.go
@@ -37,6 +37,11 @@ func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest) {
 	if in.OldObject != nil {
 		out.OldObject = in.OldObject.DeepCopyObject()
 	}
+	if in.DryRun != nil {
+		in, out := &in.DryRun, &out.DryRun
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
diff --git a/pkg/apis/admissionregistration/fuzzer/fuzzer.go b/pkg/apis/admissionregistration/fuzzer/fuzzer.go
index 4275951b51..ba4f2c5e5b 100644
--- a/pkg/apis/admissionregistration/fuzzer/fuzzer.go
+++ b/pkg/apis/admissionregistration/fuzzer/fuzzer.go
@@ -30,6 +30,8 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 			c.FuzzNoCustom(obj) // fuzz self without calling this function again
 			p := admissionregistration.FailurePolicyType("Fail")
 			obj.FailurePolicy = &p
+			s := admissionregistration.SideEffectClassUnknown
+			obj.SideEffects = &s
 		},
 	}
 }
diff --git a/pkg/apis/admissionregistration/types.go b/pkg/apis/admissionregistration/types.go
index 1d71bc6947..511bdd96d1 100644
--- a/pkg/apis/admissionregistration/types.go
+++ b/pkg/apis/admissionregistration/types.go
@@ -112,6 +112,22 @@ const (
 	Fail FailurePolicyType = "Fail"
 )
 
+type SideEffectClass string
+
+const (
+	// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook.
+	// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+	SideEffectClassUnknown SideEffectClass = "Unknown"
+	// SideEffectClassNone means that calling the webhook will have no side effects.
+	SideEffectClassNone SideEffectClass = "None"
+	// SideEffectClassSome means that calling the webhook will possibly have side effects.
+	// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+	SideEffectClassSome SideEffectClass = "Some"
+	// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the
+	// request being reviewed has the dry-run attribute, the side effects will be suppressed.
+	SideEffectClassNoneOnDryRun SideEffectClass = "NoneOnDryRun"
+)
+
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -235,6 +251,15 @@ type Webhook struct {
 	// Default to the empty LabelSelector, which matches everything.
 	// +optional
 	NamespaceSelector *metav1.LabelSelector
+
+	// SideEffects states whether this webhookk has side effects.
+	// Acceptable values are: Unknown, None, Some, NoneOnDryRun
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission change and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some. Defaults to Unknown.
+	// +optional
+	SideEffects *SideEffectClass
 }
 
 // RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
diff --git a/pkg/apis/admissionregistration/v1beta1/defaults.go b/pkg/apis/admissionregistration/v1beta1/defaults.go
index 907f7d9f31..fa35267624 100644
--- a/pkg/apis/admissionregistration/v1beta1/defaults.go
+++ b/pkg/apis/admissionregistration/v1beta1/defaults.go
@@ -35,4 +35,9 @@ func SetDefaults_Webhook(obj *admissionregistrationv1beta1.Webhook) {
 		selector := metav1.LabelSelector{}
 		obj.NamespaceSelector = &selector
 	}
+	if obj.SideEffects == nil {
+		// TODO: revisit/remove this default and possibly make the field required when promoting to v1
+		unknown := admissionregistrationv1beta1.SideEffectClassUnknown
+		obj.SideEffects = &unknown
+	}
 }
diff --git a/pkg/apis/admissionregistration/v1beta1/zz_generated.conversion.go b/pkg/apis/admissionregistration/v1beta1/zz_generated.conversion.go
index a7ccfae147..3d1d1be717 100644
--- a/pkg/apis/admissionregistration/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/admissionregistration/v1beta1/zz_generated.conversion.go
@@ -300,6 +300,7 @@ func autoConvert_v1beta1_Webhook_To_admissionregistration_Webhook(in *v1beta1.We
 	out.Rules = *(*[]admissionregistration.RuleWithOperations)(unsafe.Pointer(&in.Rules))
 	out.FailurePolicy = (*admissionregistration.FailurePolicyType)(unsafe.Pointer(in.FailurePolicy))
 	out.NamespaceSelector = (*v1.LabelSelector)(unsafe.Pointer(in.NamespaceSelector))
+	out.SideEffects = (*admissionregistration.SideEffectClass)(unsafe.Pointer(in.SideEffects))
 	return nil
 }
 
@@ -316,6 +317,7 @@ func autoConvert_admissionregistration_Webhook_To_v1beta1_Webhook(in *admissionr
 	out.Rules = *(*[]v1beta1.RuleWithOperations)(unsafe.Pointer(&in.Rules))
 	out.FailurePolicy = (*v1beta1.FailurePolicyType)(unsafe.Pointer(in.FailurePolicy))
 	out.NamespaceSelector = (*v1.LabelSelector)(unsafe.Pointer(in.NamespaceSelector))
+	out.SideEffects = (*v1beta1.SideEffectClass)(unsafe.Pointer(in.SideEffects))
 	return nil
 }
 
diff --git a/pkg/apis/admissionregistration/validation/validation.go b/pkg/apis/admissionregistration/validation/validation.go
index 958ebf4402..14d3d799bf 100644
--- a/pkg/apis/admissionregistration/validation/validation.go
+++ b/pkg/apis/admissionregistration/validation/validation.go
@@ -192,6 +192,9 @@ func validateWebhook(hook *admissionregistration.Webhook, fldPath *field.Path) f
 	if hook.FailurePolicy != nil && !supportedFailurePolicies.Has(string(*hook.FailurePolicy)) {
 		allErrors = append(allErrors, field.NotSupported(fldPath.Child("failurePolicy"), *hook.FailurePolicy, supportedFailurePolicies.List()))
 	}
+	if hook.SideEffects != nil && !supportedSideEffectClasses.Has(string(*hook.SideEffects)) {
+		allErrors = append(allErrors, field.NotSupported(fldPath.Child("sideEffects"), *hook.SideEffects, supportedSideEffectClasses.List()))
+	}
 
 	if hook.NamespaceSelector != nil {
 		allErrors = append(allErrors, metav1validation.ValidateLabelSelector(hook.NamespaceSelector, fldPath.Child("namespaceSelector"))...)
@@ -291,6 +294,13 @@ var supportedFailurePolicies = sets.NewString(
 	string(admissionregistration.Fail),
 )
 
+var supportedSideEffectClasses = sets.NewString(
+	string(admissionregistration.SideEffectClassUnknown),
+	string(admissionregistration.SideEffectClassNone),
+	string(admissionregistration.SideEffectClassSome),
+	string(admissionregistration.SideEffectClassNoneOnDryRun),
+)
+
 var supportedOperations = sets.NewString(
 	string(admissionregistration.OperationAll),
 	string(admissionregistration.Create),
diff --git a/pkg/apis/admissionregistration/validation/validation_test.go b/pkg/apis/admissionregistration/validation/validation_test.go
index 5dd3fc551b..2cf41fa597 100644
--- a/pkg/apis/admissionregistration/validation/validation_test.go
+++ b/pkg/apis/admissionregistration/validation/validation_test.go
@@ -499,6 +499,21 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				}),
 			expectedError: `webhooks[0].failurePolicy: Unsupported value: "other": supported values: "Fail", "Ignore"`,
 		},
+		{
+			name: "SideEffects can only be \"Unknown\", \"None\", \"Some\", or \"NoneOnDryRun\"",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name:         "webhook.k8s.io",
+						ClientConfig: validClientConfig,
+						SideEffects: func() *admissionregistration.SideEffectClass {
+							r := admissionregistration.SideEffectClass("other")
+							return &r
+						}(),
+					},
+				}),
+			expectedError: `webhooks[0].sideEffects: Unsupported value: "other": supported values: "None", "NoneOnDryRun", "Some", "Unknown"`,
+		},
 		{
 			name: "both service and URL missing",
 			config: newValidatingWebhookConfiguration(
diff --git a/pkg/apis/admissionregistration/zz_generated.deepcopy.go b/pkg/apis/admissionregistration/zz_generated.deepcopy.go
index 52f31fb1e6..4d86d15899 100644
--- a/pkg/apis/admissionregistration/zz_generated.deepcopy.go
+++ b/pkg/apis/admissionregistration/zz_generated.deepcopy.go
@@ -341,6 +341,11 @@ func (in *Webhook) DeepCopyInto(out *Webhook) {
 		*out = new(v1.LabelSelector)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.SideEffects != nil {
+		in, out := &in.SideEffects, &out.SideEffects
+		*out = new(SideEffectClass)
+		**out = **in
+	}
 	return
 }
 
diff --git a/staging/src/k8s.io/api/admission/v1beta1/generated.pb.go b/staging/src/k8s.io/api/admission/v1beta1/generated.pb.go
index b5dc9f3200..d2b938e5a2 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/admission/v1beta1/generated.pb.go
@@ -149,6 +149,16 @@ func (m *AdmissionRequest) MarshalTo(dAtA []byte) (int, error) {
 		return 0, err
 	}
 	i += n5
+	if m.DryRun != nil {
+		dAtA[i] = 0x58
+		i++
+		if *m.DryRun {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
 	return i, nil
 }
 
@@ -314,6 +324,9 @@ func (m *AdmissionRequest) Size() (n int) {
 	n += 1 + l + sovGenerated(uint64(l))
 	l = m.OldObject.Size()
 	n += 1 + l + sovGenerated(uint64(l))
+	if m.DryRun != nil {
+		n += 2
+	}
 	return n
 }
 
@@ -388,6 +401,7 @@ func (this *AdmissionRequest) String() string {
 		`UserInfo:` + strings.Replace(strings.Replace(this.UserInfo.String(), "UserInfo", "k8s_io_api_authentication_v1.UserInfo", 1), `&`, ``, 1) + `,`,
 		`Object:` + strings.Replace(strings.Replace(this.Object.String(), "RawExtension", "k8s_io_apimachinery_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
 		`OldObject:` + strings.Replace(strings.Replace(this.OldObject.String(), "RawExtension", "k8s_io_apimachinery_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
+		`DryRun:` + valueToStringGenerated(this.DryRun) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -760,6 +774,27 @@ func (m *AdmissionRequest) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 11:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DryRun", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.DryRun = &b
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -1316,55 +1351,57 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
-	// 800 bytes of a gzipped FileDescriptorProto
+	// 821 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x54, 0xcf, 0x6f, 0xe3, 0x44,
-	0x14, 0x8e, 0x37, 0x3f, 0x3d, 0xa9, 0xd8, 0xec, 0x00, 0x92, 0x15, 0x21, 0x27, 0xf4, 0x80, 0x8a,
-	0xb4, 0x1d, 0xd3, 0x0a, 0x56, 0xd5, 0x8a, 0x4b, 0xcc, 0x46, 0xa8, 0x42, 0x6a, 0xab, 0x69, 0x83,
-	0x80, 0x03, 0xd2, 0xc4, 0x9e, 0x26, 0x26, 0xf1, 0x8c, 0xf1, 0x8c, 0x53, 0x72, 0x43, 0x5c, 0xb9,
-	0xf0, 0x3f, 0x71, 0xe9, 0xb1, 0xc7, 0x9e, 0x22, 0x1a, 0xfe, 0x00, 0xee, 0x3d, 0x21, 0x8f, 0xc7,
-	0x71, 0x48, 0x5b, 0x68, 0xd1, 0x9e, 0x32, 0xef, 0xbd, 0xef, 0xfb, 0x9e, 0xe7, 0x7b, 0x2f, 0x03,
-	0xfa, 0x93, 0x03, 0x81, 0x02, 0xee, 0x4c, 0x92, 0x21, 0x8d, 0x19, 0x95, 0x54, 0x38, 0x33, 0xca,
-	0x7c, 0x1e, 0x3b, 0xba, 0x40, 0xa2, 0xc0, 0x21, 0x7e, 0x18, 0x08, 0x11, 0x70, 0xe6, 0xcc, 0xf6,
-	0x86, 0x54, 0x92, 0x3d, 0x67, 0x44, 0x19, 0x8d, 0x89, 0xa4, 0x3e, 0x8a, 0x62, 0x2e, 0x39, 0xfc,
-	0x20, 0x43, 0x23, 0x12, 0x05, 0x68, 0x85, 0x46, 0x1a, 0xdd, 0xde, 0x1d, 0x05, 0x72, 0x9c, 0x0c,
-	0x91, 0xc7, 0x43, 0x67, 0xc4, 0x47, 0xdc, 0x51, 0xa4, 0x61, 0x72, 0xae, 0x22, 0x15, 0xa8, 0x53,
-	0x26, 0xd6, 0x7e, 0xb9, 0xde, 0x3a, 0x91, 0x63, 0xca, 0x64, 0xe0, 0x11, 0x99, 0xf5, 0xdf, 0x6c,
-	0xdd, 0xfe, 0xb4, 0x40, 0x87, 0xc4, 0x1b, 0x07, 0x8c, 0xc6, 0x73, 0x27, 0x9a, 0x8c, 0xd2, 0x84,
-	0x70, 0x42, 0x2a, 0xc9, 0x7d, 0x2c, 0xe7, 0x21, 0x56, 0x9c, 0x30, 0x19, 0x84, 0xf4, 0x0e, 0xe1,
-	0xd5, 0x7f, 0x11, 0x84, 0x37, 0xa6, 0x21, 0xd9, 0xe4, 0x6d, 0xff, 0x55, 0x05, 0xad, 0x5e, 0xee,
-	0x08, 0xa6, 0x3f, 0x26, 0x54, 0x48, 0xe8, 0x82, 0x72, 0x12, 0xf8, 0x96, 0xd1, 0x35, 0x76, 0x4c,
-	0xf7, 0x93, 0xcb, 0x45, 0xa7, 0xb4, 0x5c, 0x74, 0xca, 0x83, 0xc3, 0x37, 0xb7, 0x8b, 0xce, 0x87,
-	0x0f, 0x35, 0x92, 0xf3, 0x88, 0x0a, 0x34, 0x38, 0x7c, 0x83, 0x53, 0x32, 0xfc, 0x06, 0x54, 0x26,
-	0x01, 0xf3, 0xad, 0x67, 0x5d, 0x63, 0xa7, 0xb9, 0xff, 0x0a, 0x15, 0x13, 0x58, 0xd1, 0x50, 0x34,
-	0x19, 0xa5, 0x09, 0x81, 0x52, 0x1b, 0xd0, 0x6c, 0x0f, 0x7d, 0x19, 0xf3, 0x24, 0xfa, 0x9a, 0xc6,
-	0xe9, 0xc7, 0x7c, 0x15, 0x30, 0xdf, 0xdd, 0xd2, 0xcd, 0x2b, 0x69, 0x84, 0x95, 0x22, 0x1c, 0x83,
-	0x46, 0x4c, 0x05, 0x4f, 0x62, 0x8f, 0x5a, 0x65, 0xa5, 0xfe, 0xfa, 0xe9, 0xea, 0x58, 0x2b, 0xb8,
-	0x2d, 0xdd, 0xa1, 0x91, 0x67, 0xf0, 0x4a, 0x1d, 0x7e, 0x06, 0x9a, 0x22, 0x19, 0xe6, 0x05, 0xab,
-	0xa2, 0xfc, 0x78, 0x57, 0x13, 0x9a, 0xa7, 0x45, 0x09, 0xaf, 0xe3, 0x60, 0x17, 0x54, 0x18, 0x09,
-	0xa9, 0x55, 0x55, 0xf8, 0xd5, 0x15, 0x8e, 0x48, 0x48, 0xb1, 0xaa, 0x40, 0x07, 0x98, 0xe9, 0xaf,
-	0x88, 0x88, 0x47, 0xad, 0x9a, 0x82, 0xbd, 0xd0, 0x30, 0xf3, 0x28, 0x2f, 0xe0, 0x02, 0x03, 0x3f,
-	0x07, 0x26, 0x8f, 0xd2, 0xc1, 0x05, 0x9c, 0x59, 0x75, 0x45, 0xb0, 0x73, 0xc2, 0x71, 0x5e, 0xb8,
-	0x5d, 0x0f, 0x70, 0x41, 0x80, 0x67, 0xa0, 0x91, 0x08, 0x1a, 0x1f, 0xb2, 0x73, 0x6e, 0x35, 0x94,
-	0x63, 0x1f, 0xa1, 0xf5, 0x7f, 0xc4, 0x3f, 0x96, 0x38, 0x75, 0x6a, 0xa0, 0xd1, 0x85, 0x3b, 0x79,
-	0x06, 0xaf, 0x94, 0xe0, 0x00, 0xd4, 0xf8, 0xf0, 0x07, 0xea, 0x49, 0xcb, 0x54, 0x9a, 0xbb, 0x0f,
-	0x4e, 0x41, 0xef, 0x20, 0xc2, 0xe4, 0xa2, 0xff, 0x93, 0xa4, 0x2c, 0x1d, 0x80, 0xfb, 0x8e, 0x96,
-	0xae, 0x1d, 0x2b, 0x11, 0xac, 0xc5, 0xe0, 0xf7, 0xc0, 0xe4, 0x53, 0x3f, 0x4b, 0x5a, 0xe0, 0xff,
-	0x28, 0xaf, 0xac, 0x3c, 0xce, 0x75, 0x70, 0x21, 0xb9, 0xfd, 0x4b, 0x05, 0xbc, 0x58, 0xdb, 0x78,
-	0x11, 0x71, 0x26, 0xe8, 0x5b, 0x59, 0xf9, 0x8f, 0x41, 0x9d, 0x4c, 0xa7, 0xfc, 0x82, 0x66, 0x5b,
-	0xdf, 0x70, 0x9f, 0x6b, 0x9d, 0x7a, 0x2f, 0x4b, 0xe3, 0xbc, 0x0e, 0x4f, 0x40, 0x4d, 0x48, 0x22,
-	0x13, 0xa1, 0x37, 0xf8, 0xe5, 0xe3, 0x36, 0xf8, 0x54, 0x71, 0x5c, 0x90, 0xda, 0x86, 0xa9, 0x48,
-	0xa6, 0x12, 0x6b, 0x1d, 0xd8, 0x01, 0xd5, 0x88, 0x48, 0x6f, 0xac, 0xb6, 0x74, 0xcb, 0x35, 0x97,
-	0x8b, 0x4e, 0xf5, 0x24, 0x4d, 0xe0, 0x2c, 0x0f, 0x0f, 0x80, 0xa9, 0x0e, 0x67, 0xf3, 0x28, 0x5f,
-	0xcd, 0x76, 0x6a, 0xd2, 0x49, 0x9e, 0xbc, 0x5d, 0x0f, 0x70, 0x01, 0x86, 0xbf, 0x1a, 0xa0, 0x45,
-	0x12, 0x3f, 0x90, 0x3d, 0xc6, 0xb8, 0x54, 0x4b, 0x22, 0xac, 0x5a, 0xb7, 0xbc, 0xd3, 0xdc, 0xef,
-	0xa3, 0x7f, 0x7b, 0x59, 0xd1, 0x1d, 0x9f, 0x51, 0x6f, 0x43, 0xa7, 0xcf, 0x64, 0x3c, 0x77, 0x2d,
-	0x6d, 0x54, 0x6b, 0xb3, 0x8c, 0xef, 0x34, 0x6e, 0x7f, 0x01, 0xde, 0xbf, 0x57, 0x04, 0xb6, 0x40,
-	0x79, 0x42, 0xe7, 0xd9, 0x08, 0x71, 0x7a, 0x84, 0xef, 0x81, 0xea, 0x8c, 0x4c, 0x13, 0xaa, 0xc6,
-	0x61, 0xe2, 0x2c, 0x78, 0xfd, 0xec, 0xc0, 0xd8, 0xfe, 0xdd, 0x00, 0xcf, 0xd7, 0x3e, 0x6e, 0x16,
-	0xd0, 0x0b, 0x38, 0x00, 0xf5, 0x38, 0x7b, 0x00, 0x95, 0x46, 0x73, 0x1f, 0x3d, 0xfa, 0x72, 0x8a,
-	0xe5, 0x36, 0xd3, 0x51, 0xeb, 0x00, 0xe7, 0x5a, 0xf0, 0x5b, 0xf5, 0x5c, 0xa9, 0xdb, 0xeb, 0xc7,
-	0xd0, 0x79, 0xa2, 0x69, 0xee, 0x96, 0x7e, 0x9f, 0x54, 0x84, 0x57, 0x72, 0xee, 0xee, 0xe5, 0x8d,
-	0x5d, 0xba, 0xba, 0xb1, 0x4b, 0xd7, 0x37, 0x76, 0xe9, 0xe7, 0xa5, 0x6d, 0x5c, 0x2e, 0x6d, 0xe3,
-	0x6a, 0x69, 0x1b, 0xd7, 0x4b, 0xdb, 0xf8, 0x63, 0x69, 0x1b, 0xbf, 0xfd, 0x69, 0x97, 0xbe, 0xab,
-	0x6b, 0xe1, 0xbf, 0x03, 0x00, 0x00, 0xff, 0xff, 0x8d, 0xe4, 0x17, 0xc7, 0x4d, 0x07, 0x00, 0x00,
+	0x14, 0x8e, 0x37, 0x69, 0x12, 0x4f, 0x2a, 0x36, 0x3b, 0x80, 0x64, 0x45, 0xc8, 0x09, 0x3d, 0xa0,
+	0x20, 0x6d, 0xc7, 0xb4, 0x82, 0x55, 0xb5, 0xe2, 0x12, 0xd3, 0x08, 0x55, 0x48, 0xdb, 0x6a, 0x76,
+	0x83, 0x80, 0x03, 0xd2, 0xc4, 0x9e, 0x4d, 0x4c, 0xe2, 0x19, 0xe3, 0x99, 0x49, 0xc9, 0x0d, 0x71,
+	0xe5, 0x82, 0xc4, 0x9f, 0xc4, 0xa5, 0xc7, 0x3d, 0xee, 0x29, 0xa2, 0xe1, 0xbf, 0xe8, 0x09, 0x79,
+	0x3c, 0x8e, 0x43, 0xba, 0x85, 0x5d, 0xb4, 0x27, 0xfb, 0xfd, 0xf8, 0xbe, 0x37, 0xf3, 0xbd, 0x37,
+	0x0f, 0x0c, 0x67, 0x27, 0x02, 0x45, 0xdc, 0x9b, 0xa9, 0x31, 0x4d, 0x19, 0x95, 0x54, 0x78, 0x0b,
+	0xca, 0x42, 0x9e, 0x7a, 0x26, 0x40, 0x92, 0xc8, 0x23, 0x61, 0x1c, 0x09, 0x11, 0x71, 0xe6, 0x2d,
+	0x8e, 0xc6, 0x54, 0x92, 0x23, 0x6f, 0x42, 0x19, 0x4d, 0x89, 0xa4, 0x21, 0x4a, 0x52, 0x2e, 0x39,
+	0xfc, 0x20, 0xcf, 0x46, 0x24, 0x89, 0xd0, 0x26, 0x1b, 0x99, 0xec, 0xce, 0xe1, 0x24, 0x92, 0x53,
+	0x35, 0x46, 0x01, 0x8f, 0xbd, 0x09, 0x9f, 0x70, 0x4f, 0x83, 0xc6, 0xea, 0xb9, 0xb6, 0xb4, 0xa1,
+	0xff, 0x72, 0xb2, 0xce, 0xc3, 0xed, 0xd2, 0x4a, 0x4e, 0x29, 0x93, 0x51, 0x40, 0x64, 0x5e, 0x7f,
+	0xb7, 0x74, 0xe7, 0xd3, 0x32, 0x3b, 0x26, 0xc1, 0x34, 0x62, 0x34, 0x5d, 0x7a, 0xc9, 0x6c, 0x92,
+	0x39, 0x84, 0x17, 0x53, 0x49, 0x5e, 0x85, 0xf2, 0xee, 0x42, 0xa5, 0x8a, 0xc9, 0x28, 0xa6, 0xb7,
+	0x00, 0x8f, 0xfe, 0x0b, 0x20, 0x82, 0x29, 0x8d, 0xc9, 0x2e, 0xee, 0xe0, 0xf7, 0x3a, 0x68, 0x0f,
+	0x0a, 0x45, 0x30, 0xfd, 0x51, 0x51, 0x21, 0xa1, 0x0f, 0xaa, 0x2a, 0x0a, 0x1d, 0xab, 0x67, 0xf5,
+	0x6d, 0xff, 0x93, 0xab, 0x55, 0xb7, 0xb2, 0x5e, 0x75, 0xab, 0xa3, 0xb3, 0xd3, 0x9b, 0x55, 0xf7,
+	0xc3, 0xbb, 0x0a, 0xc9, 0x65, 0x42, 0x05, 0x1a, 0x9d, 0x9d, 0xe2, 0x0c, 0x0c, 0xbf, 0x01, 0xb5,
+	0x59, 0xc4, 0x42, 0xe7, 0x5e, 0xcf, 0xea, 0xb7, 0x8e, 0x1f, 0xa1, 0xb2, 0x03, 0x1b, 0x18, 0x4a,
+	0x66, 0x93, 0xcc, 0x21, 0x50, 0x26, 0x03, 0x5a, 0x1c, 0xa1, 0x2f, 0x53, 0xae, 0x92, 0xaf, 0x69,
+	0x9a, 0x1d, 0xe6, 0xab, 0x88, 0x85, 0xfe, 0xbe, 0x29, 0x5e, 0xcb, 0x2c, 0xac, 0x19, 0xe1, 0x14,
+	0x34, 0x53, 0x2a, 0xb8, 0x4a, 0x03, 0xea, 0x54, 0x35, 0xfb, 0xe3, 0x37, 0x67, 0xc7, 0x86, 0xc1,
+	0x6f, 0x9b, 0x0a, 0xcd, 0xc2, 0x83, 0x37, 0xec, 0xf0, 0x33, 0xd0, 0x12, 0x6a, 0x5c, 0x04, 0x9c,
+	0x9a, 0xd6, 0xe3, 0x5d, 0x03, 0x68, 0x3d, 0x2d, 0x43, 0x78, 0x3b, 0x0f, 0xf6, 0x40, 0x8d, 0x91,
+	0x98, 0x3a, 0x7b, 0x3a, 0x7f, 0x73, 0x85, 0x27, 0x24, 0xa6, 0x58, 0x47, 0xa0, 0x07, 0xec, 0xec,
+	0x2b, 0x12, 0x12, 0x50, 0xa7, 0xae, 0xd3, 0x1e, 0x98, 0x34, 0xfb, 0x49, 0x11, 0xc0, 0x65, 0x0e,
+	0xfc, 0x1c, 0xd8, 0x3c, 0xc9, 0x1a, 0x17, 0x71, 0xe6, 0x34, 0x34, 0xc0, 0x2d, 0x00, 0xe7, 0x45,
+	0xe0, 0x66, 0xdb, 0xc0, 0x25, 0x00, 0x3e, 0x03, 0x4d, 0x25, 0x68, 0x7a, 0xc6, 0x9e, 0x73, 0xa7,
+	0xa9, 0x15, 0xfb, 0x08, 0x6d, 0xbf, 0x88, 0x7f, 0x0c, 0x71, 0xa6, 0xd4, 0xc8, 0x64, 0x97, 0xea,
+	0x14, 0x1e, 0xbc, 0x61, 0x82, 0x23, 0x50, 0xe7, 0xe3, 0x1f, 0x68, 0x20, 0x1d, 0x5b, 0x73, 0x1e,
+	0xde, 0xd9, 0x05, 0x33, 0x83, 0x08, 0x93, 0xcb, 0xe1, 0x4f, 0x92, 0xb2, 0xac, 0x01, 0xfe, 0x3b,
+	0x86, 0xba, 0x7e, 0xae, 0x49, 0xb0, 0x21, 0x83, 0xdf, 0x03, 0x9b, 0xcf, 0xc3, 0xdc, 0xe9, 0x80,
+	0xff, 0xc3, 0xbc, 0x91, 0xf2, 0xbc, 0xe0, 0xc1, 0x25, 0x25, 0x3c, 0x00, 0xf5, 0x30, 0x5d, 0x62,
+	0xc5, 0x9c, 0x56, 0xcf, 0xea, 0x37, 0x7d, 0x90, 0x9d, 0xe1, 0x54, 0x7b, 0xb0, 0x89, 0x1c, 0xfc,
+	0x52, 0x03, 0x0f, 0xb6, 0x5e, 0x85, 0x48, 0x38, 0x13, 0xf4, 0xad, 0x3c, 0x8b, 0x8f, 0x41, 0x83,
+	0xcc, 0xe7, 0xfc, 0x92, 0xe6, 0x2f, 0xa3, 0xe9, 0xdf, 0x37, 0x3c, 0x8d, 0x41, 0xee, 0xc6, 0x45,
+	0x1c, 0x5e, 0x80, 0xba, 0x90, 0x44, 0x2a, 0x61, 0xa6, 0xfc, 0xe1, 0xeb, 0x4d, 0xf9, 0x53, 0x8d,
+	0xc9, 0xaf, 0x85, 0xa9, 0x50, 0x73, 0x89, 0x0d, 0x0f, 0xec, 0x82, 0xbd, 0x84, 0xc8, 0x60, 0xaa,
+	0x27, 0x79, 0xdf, 0xb7, 0xd7, 0xab, 0xee, 0xde, 0x45, 0xe6, 0xc0, 0xb9, 0x1f, 0x9e, 0x00, 0x5b,
+	0xff, 0x3c, 0x5b, 0x26, 0xc5, 0xf8, 0x76, 0x32, 0x21, 0x2f, 0x0a, 0xe7, 0xcd, 0xb6, 0x81, 0xcb,
+	0x64, 0xf8, 0xab, 0x05, 0xda, 0x44, 0x85, 0x91, 0x1c, 0x30, 0xc6, 0xa5, 0x1e, 0x24, 0xe1, 0xd4,
+	0x7b, 0xd5, 0x7e, 0xeb, 0x78, 0x88, 0xfe, 0x6d, 0xfb, 0xa2, 0x5b, 0x3a, 0xa3, 0xc1, 0x0e, 0xcf,
+	0x90, 0xc9, 0x74, 0xe9, 0x3b, 0x46, 0xa8, 0xf6, 0x6e, 0x18, 0xdf, 0x2a, 0xdc, 0xf9, 0x02, 0xbc,
+	0xff, 0x4a, 0x12, 0xd8, 0x06, 0xd5, 0x19, 0x5d, 0xe6, 0x2d, 0xc4, 0xd9, 0x2f, 0x7c, 0x0f, 0xec,
+	0x2d, 0xc8, 0x5c, 0x51, 0xdd, 0x0e, 0x1b, 0xe7, 0xc6, 0xe3, 0x7b, 0x27, 0xd6, 0xc1, 0x1f, 0x16,
+	0xb8, 0xbf, 0x75, 0xb8, 0x45, 0x44, 0x2f, 0xe1, 0x08, 0x34, 0xd2, 0x7c, 0x49, 0x6a, 0x8e, 0xd6,
+	0x31, 0x7a, 0xed, 0xcb, 0x69, 0x94, 0xdf, 0xca, 0x5a, 0x6d, 0x0c, 0x5c, 0x70, 0xc1, 0x6f, 0xf5,
+	0x4a, 0xd3, 0xb7, 0x37, 0x0b, 0xd3, 0x7b, 0x43, 0xd1, 0xfc, 0x7d, 0xb3, 0xc3, 0xb4, 0x85, 0x37,
+	0x74, 0xfe, 0xe1, 0xd5, 0xb5, 0x5b, 0x79, 0x71, 0xed, 0x56, 0x5e, 0x5e, 0xbb, 0x95, 0x9f, 0xd7,
+	0xae, 0x75, 0xb5, 0x76, 0xad, 0x17, 0x6b, 0xd7, 0x7a, 0xb9, 0x76, 0xad, 0x3f, 0xd7, 0xae, 0xf5,
+	0xdb, 0x5f, 0x6e, 0xe5, 0xbb, 0x86, 0x21, 0xfe, 0x3b, 0x00, 0x00, 0xff, 0xff, 0xf4, 0xc2, 0x6f,
+	0x1b, 0x71, 0x07, 0x00, 0x00,
 }
diff --git a/staging/src/k8s.io/api/admission/v1beta1/generated.proto b/staging/src/k8s.io/api/admission/v1beta1/generated.proto
index 63a569680e..451d4c9ad7 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/admission/v1beta1/generated.proto
@@ -73,6 +73,11 @@ message AdmissionRequest {
   // OldObject is the existing object. Only populated for UPDATE requests.
   // +optional
   optional k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
+
+  // DryRun indicates that modifications will definitely not be persisted for this request.
+  // Defaults to false.
+  // +optional
+  optional bool dryRun = 11;
 }
 
 // AdmissionResponse describes an admission response.
diff --git a/staging/src/k8s.io/api/admission/v1beta1/types.go b/staging/src/k8s.io/api/admission/v1beta1/types.go
index a64ec21115..653e847107 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/types.go
+++ b/staging/src/k8s.io/api/admission/v1beta1/types.go
@@ -71,6 +71,10 @@ type AdmissionRequest struct {
 	// OldObject is the existing object. Only populated for UPDATE requests.
 	// +optional
 	OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,10,opt,name=oldObject"`
+	// DryRun indicates that modifications will definitely not be persisted for this request.
+	// Defaults to false.
+	// +optional
+	DryRun *bool `json:"dryRun,omitempty" protobuf:"varint,11,opt,name=dryRun"`
 }
 
 // AdmissionResponse describes an admission response.
diff --git a/staging/src/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go
index 4b05fe96b4..8a938db3b4 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go
@@ -39,6 +39,7 @@ var map_AdmissionRequest = map[string]string{
 	"userInfo":    "UserInfo is information about the requesting user",
 	"object":      "Object is the object from the incoming request prior to default values being applied",
 	"oldObject":   "OldObject is the existing object. Only populated for UPDATE requests.",
+	"dryRun":      "DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.",
 }
 
 func (AdmissionRequest) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/admission/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/admission/v1beta1/zz_generated.deepcopy.go
index 9962d6260e..2b4352a948 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/admission/v1beta1/zz_generated.deepcopy.go
@@ -33,6 +33,11 @@ func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest) {
 	in.UserInfo.DeepCopyInto(&out.UserInfo)
 	in.Object.DeepCopyInto(&out.Object)
 	in.OldObject.DeepCopyInto(&out.OldObject)
+	if in.DryRun != nil {
+		in, out := &in.DryRun, &out.DryRun
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go
index 8b289c4c50..d6c9d958bf 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go
@@ -457,6 +457,12 @@ func (m *Webhook) MarshalTo(dAtA []byte) (int, error) {
 		}
 		i += n7
 	}
+	if m.SideEffects != nil {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.SideEffects)))
+		i += copy(dAtA[i:], *m.SideEffects)
+	}
 	return i, nil
 }
 
@@ -656,6 +662,10 @@ func (m *Webhook) Size() (n int) {
 		l = m.NamespaceSelector.Size()
 		n += 1 + l + sovGenerated(uint64(l))
 	}
+	if m.SideEffects != nil {
+		l = len(*m.SideEffects)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
 	return n
 }
 
@@ -779,6 +789,7 @@ func (this *Webhook) String() string {
 		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "RuleWithOperations", "RuleWithOperations", 1), `&`, ``, 1) + `,`,
 		`FailurePolicy:` + valueToStringGenerated(this.FailurePolicy) + `,`,
 		`NamespaceSelector:` + strings.Replace(fmt.Sprintf("%v", this.NamespaceSelector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`SideEffects:` + valueToStringGenerated(this.SideEffects) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -1813,6 +1824,36 @@ func (m *Webhook) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SideEffects", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := SideEffectClass(dAtA[iNdEx:postIndex])
+			m.SideEffects = &s
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -2088,60 +2129,62 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
-	// 872 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x54, 0xcf, 0x8f, 0xdb, 0x44,
-	0x14, 0x8e, 0x9b, 0xac, 0x92, 0x4c, 0x12, 0xd1, 0x1d, 0x40, 0x0a, 0xab, 0xca, 0x8e, 0x72, 0x40,
-	0x91, 0x50, 0x6d, 0xb2, 0x20, 0x84, 0x10, 0x08, 0xad, 0x57, 0x2a, 0xac, 0xb4, 0x6d, 0xc3, 0x2c,
-	0xb4, 0x12, 0xe2, 0xc0, 0xc4, 0x79, 0xeb, 0x0c, 0xf1, 0x2f, 0x8d, 0xc7, 0x29, 0x7b, 0x43, 0xe2,
-	0x1f, 0x40, 0xe2, 0x8f, 0xe0, 0xaf, 0xe0, 0xbe, 0x37, 0x7a, 0x41, 0xf4, 0x64, 0xb1, 0xe6, 0xcc,
-	0x81, 0x6b, 0x4f, 0x68, 0xec, 0x49, 0x9c, 0x6c, 0xba, 0x69, 0x7a, 0xe1, 0xc0, 0xcd, 0xf3, 0xbd,
-	0xf9, 0xbe, 0xf7, 0xbe, 0xe7, 0xf7, 0x06, 0x7d, 0x31, 0xfb, 0x30, 0x36, 0x59, 0x68, 0xcd, 0x92,
-	0x31, 0xf0, 0x00, 0x04, 0xc4, 0xd6, 0x1c, 0x82, 0x49, 0xc8, 0x2d, 0x15, 0xa0, 0x11, 0xb3, 0xe8,
-	0xc4, 0x67, 0x71, 0xcc, 0xc2, 0x80, 0x83, 0xcb, 0x62, 0xc1, 0xa9, 0x60, 0x61, 0x60, 0xcd, 0x87,
-	0x63, 0x10, 0x74, 0x68, 0xb9, 0x10, 0x00, 0xa7, 0x02, 0x26, 0x66, 0xc4, 0x43, 0x11, 0xe2, 0x41,
-	0xc1, 0x34, 0x69, 0xc4, 0xcc, 0x17, 0x32, 0x4d, 0xc5, 0x3c, 0xb8, 0xeb, 0x32, 0x31, 0x4d, 0xc6,
-	0xa6, 0x13, 0xfa, 0x96, 0x1b, 0xba, 0xa1, 0x95, 0x0b, 0x8c, 0x93, 0xf3, 0xfc, 0x94, 0x1f, 0xf2,
-	0xaf, 0x42, 0xf8, 0xe0, 0xfd, 0xb2, 0x24, 0x9f, 0x3a, 0x53, 0x16, 0x00, 0xbf, 0xb0, 0xa2, 0x99,
-	0x2b, 0x81, 0xd8, 0xf2, 0x41, 0x50, 0x6b, 0xbe, 0x51, 0xce, 0x81, 0x75, 0x13, 0x8b, 0x27, 0x81,
-	0x60, 0x3e, 0x6c, 0x10, 0x3e, 0x78, 0x19, 0x21, 0x76, 0xa6, 0xe0, 0xd3, 0xeb, 0xbc, 0xfe, 0xef,
-	0x1a, 0xba, 0x73, 0x3f, 0x11, 0x54, 0xb0, 0xc0, 0x7d, 0x0c, 0xe3, 0x69, 0x18, 0xce, 0x8e, 0xc3,
-	0xe0, 0x9c, 0xb9, 0x49, 0x61, 0x1b, 0x7f, 0x8b, 0x1a, 0xb2, 0xc8, 0x09, 0x15, 0xb4, 0xab, 0xf5,
-	0xb4, 0x41, 0xeb, 0xf0, 0x5d, 0xb3, 0xec, 0xd5, 0x32, 0x97, 0x19, 0xcd, 0x5c, 0x09, 0xc4, 0xa6,
-	0xbc, 0x6d, 0xce, 0x87, 0xe6, 0xc3, 0xf1, 0x77, 0xe0, 0x88, 0xfb, 0x20, 0xa8, 0x8d, 0x2f, 0x53,
-	0xa3, 0x92, 0xa5, 0x06, 0x2a, 0x31, 0xb2, 0x54, 0xc5, 0x67, 0xa8, 0xa1, 0x32, 0xc7, 0xdd, 0x5b,
-	0xbd, 0xea, 0xa0, 0x75, 0x38, 0x34, 0x77, 0xfd, 0x1b, 0xa6, 0x62, 0xda, 0x35, 0x99, 0x82, 0x34,
-	0x9e, 0x28, 0xa1, 0xfe, 0xdf, 0x1a, 0xea, 0x6d, 0xf3, 0x75, 0xca, 0x62, 0x81, 0xbf, 0xd9, 0xf0,
-	0x66, 0xee, 0xe6, 0x4d, 0xb2, 0x73, 0x67, 0xb7, 0x95, 0xb3, 0xc6, 0x02, 0x59, 0xf1, 0x35, 0x43,
-	0x7b, 0x4c, 0x80, 0xbf, 0x30, 0x75, 0x6f, 0x77, 0x53, 0xdb, 0x0a, 0xb7, 0x3b, 0x2a, 0xe5, 0xde,
-	0x89, 0x14, 0x27, 0x45, 0x8e, 0xfe, 0xcf, 0x1a, 0xaa, 0x91, 0xc4, 0x03, 0xfc, 0x0e, 0x6a, 0xd2,
-	0x88, 0x7d, 0xc6, 0xc3, 0x24, 0x8a, 0xbb, 0x5a, 0xaf, 0x3a, 0x68, 0xda, 0x9d, 0x2c, 0x35, 0x9a,
-	0x47, 0xa3, 0x93, 0x02, 0x24, 0x65, 0x1c, 0x0f, 0x51, 0x8b, 0x46, 0xec, 0x11, 0x70, 0x59, 0x4a,
-	0x51, 0x68, 0xd3, 0x7e, 0x2d, 0x4b, 0x8d, 0xd6, 0xd1, 0xe8, 0x64, 0x01, 0x93, 0xd5, 0x3b, 0x52,
-	0x9f, 0x43, 0x1c, 0x26, 0xdc, 0x81, 0xb8, 0x5b, 0x2d, 0xf5, 0xc9, 0x02, 0x24, 0x65, 0xbc, 0xff,
-	0x8b, 0x86, 0xb0, 0xac, 0xea, 0x31, 0x13, 0xd3, 0x87, 0x11, 0x14, 0x0e, 0x62, 0xfc, 0x29, 0x42,
-	0xe1, 0xf2, 0xa4, 0x8a, 0x34, 0xf2, 0xf9, 0x58, 0xa2, 0xcf, 0x53, 0xa3, 0xb3, 0x3c, 0x7d, 0x79,
-	0x11, 0x01, 0x59, 0xa1, 0xe0, 0x11, 0xaa, 0xf1, 0xc4, 0x83, 0xee, 0xad, 0x8d, 0x9f, 0xf6, 0x92,
-	0xce, 0xca, 0x62, 0xec, 0xb6, 0xea, 0x60, 0xde, 0x30, 0x92, 0x2b, 0xf5, 0x7f, 0xd4, 0xd0, 0xed,
-	0x33, 0xe0, 0x73, 0xe6, 0x00, 0x81, 0x73, 0xe0, 0x10, 0x38, 0x80, 0x2d, 0xd4, 0x0c, 0xa8, 0x0f,
-	0x71, 0x44, 0x1d, 0xc8, 0x07, 0xa4, 0x69, 0xef, 0x2b, 0x6e, 0xf3, 0xc1, 0x22, 0x40, 0xca, 0x3b,
-	0xb8, 0x87, 0x6a, 0xf2, 0x90, 0xd7, 0xd5, 0x2c, 0xf3, 0xc8, 0xbb, 0x24, 0x8f, 0xe0, 0x3b, 0xa8,
-	0x16, 0x51, 0x31, 0xed, 0x56, 0xf3, 0x1b, 0x0d, 0x19, 0x1d, 0x51, 0x31, 0x25, 0x39, 0xda, 0xff,
-	0x43, 0x43, 0xfa, 0x23, 0xea, 0xb1, 0xc9, 0xff, 0x6e, 0x1f, 0xff, 0xd1, 0x50, 0x7f, 0xbb, 0xb3,
-	0xff, 0x60, 0x23, 0xfd, 0xf5, 0x8d, 0xfc, 0x7c, 0x77, 0x5b, 0xdb, 0x4b, 0xbf, 0x61, 0x27, 0x7f,
-	0xab, 0xa2, 0xba, 0xba, 0xbe, 0x9c, 0x0c, 0xed, 0xc6, 0xc9, 0x78, 0x82, 0xda, 0x8e, 0xc7, 0x20,
-	0x10, 0x85, 0xb4, 0x9a, 0xed, 0x4f, 0x5e, 0xb9, 0xf5, 0xc7, 0x2b, 0x22, 0xf6, 0x1b, 0x2a, 0x51,
-	0x7b, 0x15, 0x25, 0x6b, 0x89, 0x30, 0x45, 0x7b, 0x72, 0x05, 0x8a, 0x6d, 0x6e, 0x1d, 0x7e, 0xfc,
-	0x6a, 0xdb, 0xb4, 0xbe, 0xda, 0x65, 0x27, 0x64, 0x2c, 0x26, 0x85, 0x32, 0x3e, 0x45, 0x9d, 0x73,
-	0xca, 0xbc, 0x84, 0xc3, 0x28, 0xf4, 0x98, 0x73, 0xd1, 0xad, 0xe5, 0x6d, 0x78, 0x3b, 0x4b, 0x8d,
-	0xce, 0xbd, 0xd5, 0xc0, 0xf3, 0xd4, 0xd8, 0x5f, 0x03, 0xf2, 0xd5, 0x5f, 0x27, 0xe3, 0xef, 0xd1,
-	0xfe, 0x72, 0xe5, 0xce, 0xc0, 0x03, 0x47, 0x84, 0xbc, 0xbb, 0x97, 0xb7, 0xeb, 0xbd, 0x1d, 0xa7,
-	0x85, 0x8e, 0xc1, 0x5b, 0x50, 0xed, 0x37, 0xb3, 0xd4, 0xd8, 0x7f, 0x70, 0x5d, 0x91, 0x6c, 0x26,
-	0xe9, 0xff, 0xaa, 0xa1, 0xd7, 0x5f, 0xd0, 0x66, 0x4c, 0x51, 0x3d, 0x2e, 0x1e, 0x0f, 0x35, 0xb5,
-	0x1f, 0xed, 0xde, 0xc4, 0xeb, 0xaf, 0x8e, 0xdd, 0xca, 0x52, 0xa3, 0xbe, 0x40, 0x17, 0xba, 0x78,
-	0x80, 0x1a, 0x0e, 0xb5, 0x93, 0x60, 0xa2, 0x9e, 0xbd, 0xb6, 0xdd, 0x96, 0x53, 0x7e, 0x7c, 0x54,
-	0x60, 0x64, 0x19, 0xc5, 0x6f, 0xa1, 0x6a, 0xc2, 0x3d, 0xf5, 0xc2, 0xd4, 0xb3, 0xd4, 0xa8, 0x7e,
-	0x45, 0x4e, 0x89, 0xc4, 0xec, 0xbb, 0x97, 0x57, 0x7a, 0xe5, 0xe9, 0x95, 0x5e, 0x79, 0x76, 0xa5,
-	0x57, 0x7e, 0xc8, 0x74, 0xed, 0x32, 0xd3, 0xb5, 0xa7, 0x99, 0xae, 0x3d, 0xcb, 0x74, 0xed, 0xcf,
-	0x4c, 0xd7, 0x7e, 0xfa, 0x4b, 0xaf, 0x7c, 0x5d, 0x57, 0xa5, 0xfd, 0x1b, 0x00, 0x00, 0xff, 0xff,
-	0xeb, 0x1f, 0xdb, 0x50, 0x68, 0x09, 0x00, 0x00,
+	// 906 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x54, 0xcf, 0x6f, 0xe3, 0x44,
+	0x14, 0x8e, 0x37, 0x29, 0x49, 0x26, 0x89, 0x76, 0x3b, 0x80, 0x14, 0xaa, 0x95, 0x1d, 0xe5, 0x80,
+	0x22, 0xa1, 0xb5, 0x49, 0x41, 0x08, 0x21, 0x10, 0xaa, 0x0b, 0x0b, 0x95, 0xba, 0xbb, 0x61, 0x0a,
+	0xbb, 0x12, 0xe2, 0xc0, 0xc4, 0x79, 0x49, 0x86, 0xf8, 0x97, 0x66, 0xc6, 0x59, 0x7a, 0x43, 0xe2,
+	0x1f, 0x40, 0x42, 0xfc, 0x0d, 0xfc, 0x15, 0xdc, 0x7b, 0xdc, 0x0b, 0x62, 0x4f, 0x16, 0x35, 0x67,
+	0x0e, 0x5c, 0x7b, 0x42, 0x63, 0x3b, 0x71, 0xd2, 0x6c, 0xbb, 0xe9, 0x85, 0x03, 0x37, 0xcf, 0xf7,
+	0xe6, 0xfb, 0xde, 0xfb, 0x9e, 0xdf, 0x1b, 0xf4, 0xc5, 0xec, 0x7d, 0x61, 0xb2, 0xc0, 0x9a, 0x45,
+	0x43, 0xe0, 0x3e, 0x48, 0x10, 0xd6, 0x1c, 0xfc, 0x51, 0xc0, 0xad, 0x3c, 0x40, 0x43, 0x66, 0xd1,
+	0x91, 0xc7, 0x84, 0x60, 0x81, 0xcf, 0x61, 0xc2, 0x84, 0xe4, 0x54, 0xb2, 0xc0, 0xb7, 0xe6, 0xfd,
+	0x21, 0x48, 0xda, 0xb7, 0x26, 0xe0, 0x03, 0xa7, 0x12, 0x46, 0x66, 0xc8, 0x03, 0x19, 0xe0, 0x5e,
+	0xc6, 0x34, 0x69, 0xc8, 0xcc, 0x17, 0x32, 0xcd, 0x9c, 0xb9, 0x77, 0x6f, 0xc2, 0xe4, 0x34, 0x1a,
+	0x9a, 0x4e, 0xe0, 0x59, 0x93, 0x60, 0x12, 0x58, 0xa9, 0xc0, 0x30, 0x1a, 0xa7, 0xa7, 0xf4, 0x90,
+	0x7e, 0x65, 0xc2, 0x7b, 0xef, 0x16, 0x25, 0x79, 0xd4, 0x99, 0x32, 0x1f, 0xf8, 0xa9, 0x15, 0xce,
+	0x26, 0x0a, 0x10, 0x96, 0x07, 0x92, 0x5a, 0xf3, 0x8d, 0x72, 0xf6, 0xac, 0xab, 0x58, 0x3c, 0xf2,
+	0x25, 0xf3, 0x60, 0x83, 0xf0, 0xde, 0xcb, 0x08, 0xc2, 0x99, 0x82, 0x47, 0x2f, 0xf3, 0xba, 0xbf,
+	0x6b, 0xe8, 0xee, 0x83, 0x48, 0x52, 0xc9, 0xfc, 0xc9, 0x13, 0x18, 0x4e, 0x83, 0x60, 0x76, 0x18,
+	0xf8, 0x63, 0x36, 0x89, 0x32, 0xdb, 0xf8, 0x5b, 0x54, 0x53, 0x45, 0x8e, 0xa8, 0xa4, 0x6d, 0xad,
+	0xa3, 0xf5, 0x1a, 0xfb, 0x6f, 0x9b, 0x45, 0xaf, 0x96, 0xb9, 0xcc, 0x70, 0x36, 0x51, 0x80, 0x30,
+	0xd5, 0x6d, 0x73, 0xde, 0x37, 0x1f, 0x0d, 0xbf, 0x03, 0x47, 0x3e, 0x00, 0x49, 0x6d, 0x7c, 0x16,
+	0x1b, 0xa5, 0x24, 0x36, 0x50, 0x81, 0x91, 0xa5, 0x2a, 0x3e, 0x41, 0xb5, 0x3c, 0xb3, 0x68, 0xdf,
+	0xea, 0x94, 0x7b, 0x8d, 0xfd, 0xbe, 0xb9, 0xed, 0xdf, 0x30, 0x73, 0xa6, 0x5d, 0x51, 0x29, 0x48,
+	0xed, 0x69, 0x2e, 0xd4, 0xfd, 0x5b, 0x43, 0x9d, 0xeb, 0x7c, 0x1d, 0x33, 0x21, 0xf1, 0x37, 0x1b,
+	0xde, 0xcc, 0xed, 0xbc, 0x29, 0x76, 0xea, 0xec, 0x4e, 0xee, 0xac, 0xb6, 0x40, 0x56, 0x7c, 0xcd,
+	0xd0, 0x0e, 0x93, 0xe0, 0x2d, 0x4c, 0xdd, 0xdf, 0xde, 0xd4, 0x75, 0x85, 0xdb, 0xad, 0x3c, 0xe5,
+	0xce, 0x91, 0x12, 0x27, 0x59, 0x8e, 0xee, 0xcf, 0x1a, 0xaa, 0x90, 0xc8, 0x05, 0xfc, 0x16, 0xaa,
+	0xd3, 0x90, 0x7d, 0xc6, 0x83, 0x28, 0x14, 0x6d, 0xad, 0x53, 0xee, 0xd5, 0xed, 0x56, 0x12, 0x1b,
+	0xf5, 0x83, 0xc1, 0x51, 0x06, 0x92, 0x22, 0x8e, 0xfb, 0xa8, 0x41, 0x43, 0xf6, 0x18, 0xb8, 0x2a,
+	0x25, 0x2b, 0xb4, 0x6e, 0xdf, 0x4e, 0x62, 0xa3, 0x71, 0x30, 0x38, 0x5a, 0xc0, 0x64, 0xf5, 0x8e,
+	0xd2, 0xe7, 0x20, 0x82, 0x88, 0x3b, 0x20, 0xda, 0xe5, 0x42, 0x9f, 0x2c, 0x40, 0x52, 0xc4, 0xbb,
+	0xbf, 0x6a, 0x08, 0xab, 0xaa, 0x9e, 0x30, 0x39, 0x7d, 0x14, 0x42, 0xe6, 0x40, 0xe0, 0x8f, 0x11,
+	0x0a, 0x96, 0xa7, 0xbc, 0x48, 0x23, 0x9d, 0x8f, 0x25, 0x7a, 0x11, 0x1b, 0xad, 0xe5, 0xe9, 0xcb,
+	0xd3, 0x10, 0xc8, 0x0a, 0x05, 0x0f, 0x50, 0x85, 0x47, 0x2e, 0xb4, 0x6f, 0x6d, 0xfc, 0xb4, 0x97,
+	0x74, 0x56, 0x15, 0x63, 0x37, 0xf3, 0x0e, 0xa6, 0x0d, 0x23, 0xa9, 0x52, 0xf7, 0x47, 0x0d, 0xdd,
+	0x39, 0x01, 0x3e, 0x67, 0x0e, 0x10, 0x18, 0x03, 0x07, 0xdf, 0x01, 0x6c, 0xa1, 0xba, 0x4f, 0x3d,
+	0x10, 0x21, 0x75, 0x20, 0x1d, 0x90, 0xba, 0xbd, 0x9b, 0x73, 0xeb, 0x0f, 0x17, 0x01, 0x52, 0xdc,
+	0xc1, 0x1d, 0x54, 0x51, 0x87, 0xb4, 0xae, 0x7a, 0x91, 0x47, 0xdd, 0x25, 0x69, 0x04, 0xdf, 0x45,
+	0x95, 0x90, 0xca, 0x69, 0xbb, 0x9c, 0xde, 0xa8, 0xa9, 0xe8, 0x80, 0xca, 0x29, 0x49, 0xd1, 0xee,
+	0x1f, 0x1a, 0xd2, 0x1f, 0x53, 0x97, 0x8d, 0xfe, 0x77, 0xfb, 0xf8, 0x8f, 0x86, 0xba, 0xd7, 0x3b,
+	0xfb, 0x0f, 0x36, 0xd2, 0x5b, 0xdf, 0xc8, 0xcf, 0xb7, 0xb7, 0x75, 0x7d, 0xe9, 0x57, 0xec, 0xe4,
+	0x2f, 0x15, 0x54, 0xcd, 0xaf, 0x2f, 0x27, 0x43, 0xbb, 0x72, 0x32, 0x9e, 0xa2, 0xa6, 0xe3, 0x32,
+	0xf0, 0x65, 0x26, 0x9d, 0xcf, 0xf6, 0x47, 0x37, 0x6e, 0xfd, 0xe1, 0x8a, 0x88, 0xfd, 0x5a, 0x9e,
+	0xa8, 0xb9, 0x8a, 0x92, 0xb5, 0x44, 0x98, 0xa2, 0x1d, 0xb5, 0x02, 0xd9, 0x36, 0x37, 0xf6, 0x3f,
+	0xbc, 0xd9, 0x36, 0xad, 0xaf, 0x76, 0xd1, 0x09, 0x15, 0x13, 0x24, 0x53, 0xc6, 0xc7, 0xa8, 0x35,
+	0xa6, 0xcc, 0x8d, 0x38, 0x0c, 0x02, 0x97, 0x39, 0xa7, 0xed, 0x4a, 0xda, 0x86, 0x37, 0x93, 0xd8,
+	0x68, 0xdd, 0x5f, 0x0d, 0x5c, 0xc4, 0xc6, 0xee, 0x1a, 0x90, 0xae, 0xfe, 0x3a, 0x19, 0x7f, 0x8f,
+	0x76, 0x97, 0x2b, 0x77, 0x02, 0x2e, 0x38, 0x32, 0xe0, 0xed, 0x9d, 0xb4, 0x5d, 0xef, 0x6c, 0x39,
+	0x2d, 0x74, 0x08, 0xee, 0x82, 0x6a, 0xbf, 0x9e, 0xc4, 0xc6, 0xee, 0xc3, 0xcb, 0x8a, 0x64, 0x33,
+	0x09, 0xfe, 0x04, 0x35, 0x04, 0x1b, 0xc1, 0xa7, 0xe3, 0x31, 0x38, 0x52, 0xb4, 0x5f, 0x49, 0x5d,
+	0x74, 0xd5, 0x7b, 0x79, 0x52, 0xc0, 0x17, 0xb1, 0x71, 0xbb, 0x38, 0x1e, 0xba, 0x54, 0x08, 0xb2,
+	0x4a, 0xeb, 0xfe, 0xa6, 0xa1, 0x57, 0x5f, 0xf0, 0xb3, 0x30, 0x45, 0x55, 0x91, 0x3d, 0x41, 0xf9,
+	0xec, 0x7f, 0xb0, 0xfd, 0xaf, 0xb8, 0xfc, 0x76, 0xd9, 0x8d, 0x24, 0x36, 0xaa, 0x0b, 0x74, 0xa1,
+	0x8b, 0x7b, 0xa8, 0xe6, 0x50, 0x3b, 0xf2, 0x47, 0xf9, 0xe3, 0xd9, 0xb4, 0x9b, 0x6a, 0x57, 0x0e,
+	0x0f, 0x32, 0x8c, 0x2c, 0xa3, 0xf8, 0x0d, 0x54, 0x8e, 0xb8, 0x9b, 0xbf, 0x53, 0xd5, 0x24, 0x36,
+	0xca, 0x5f, 0x91, 0x63, 0xa2, 0x30, 0xfb, 0xde, 0xd9, 0xb9, 0x5e, 0x7a, 0x76, 0xae, 0x97, 0x9e,
+	0x9f, 0xeb, 0xa5, 0x1f, 0x12, 0x5d, 0x3b, 0x4b, 0x74, 0xed, 0x59, 0xa2, 0x6b, 0xcf, 0x13, 0x5d,
+	0xfb, 0x33, 0xd1, 0xb5, 0x9f, 0xfe, 0xd2, 0x4b, 0x5f, 0x57, 0xf3, 0xd2, 0xfe, 0x0d, 0x00, 0x00,
+	0xff, 0xff, 0x85, 0x06, 0x8c, 0x7f, 0xae, 0x09, 0x00, 0x00,
 }
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
index 2866b87388..4d55ca878a 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
@@ -208,6 +208,15 @@ message Webhook {
   // Default to the empty LabelSelector, which matches everything.
   // +optional
   optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;
+
+  // SideEffects states whether this webhookk has side effects.
+  // Acceptable values are: Unknown, None, Some, NoneOnDryRun
+  // Webhooks with side effects MUST implement a reconciliation system, since a request may be
+  // rejected by a future step in the admission change and the side effects therefore need to be undone.
+  // Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+  // sideEffects == Unknown or Some. Defaults to Unknown.
+  // +optional
+  optional string sideEffects = 6;
 }
 
 // WebhookClientConfig contains the information to make a TLS
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go
index f209e7accc..0b948ba1df 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go
@@ -60,6 +60,22 @@ const (
 	Fail FailurePolicyType = "Fail"
 )
 
+type SideEffectClass string
+
+const (
+	// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook.
+	// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+	SideEffectClassUnknown SideEffectClass = "Unknown"
+	// SideEffectClassNone means that calling the webhook will have no side effects.
+	SideEffectClassNone SideEffectClass = "None"
+	// SideEffectClassSome means that calling the webhook will possibly have side effects.
+	// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+	SideEffectClassSome SideEffectClass = "Some"
+	// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the
+	// request being reviewed has the dry-run attribute, the side effects will be suppressed.
+	SideEffectClassNoneOnDryRun SideEffectClass = "NoneOnDryRun"
+)
+
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -191,6 +207,15 @@ type Webhook struct {
 	// Default to the empty LabelSelector, which matches everything.
 	// +optional
 	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"`
+
+	// SideEffects states whether this webhookk has side effects.
+	// Acceptable values are: Unknown, None, Some, NoneOnDryRun
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission change and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some. Defaults to Unknown.
+	// +optional
+	SideEffects *SideEffectClass `json:"sideEffects,omitempty" protobuf:"bytes,6,opt,name=sideEffects,casttype=SideEffectClass"`
 }
 
 // RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go
index e90bdc9117..aab917a402 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go
@@ -105,6 +105,7 @@ var map_Webhook = map[string]string{
 	"rules":             "Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.",
 	"failurePolicy":     "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore.",
 	"namespaceSelector": "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
+	"sideEffects":       "SideEffects states whether this webhookk has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.",
 }
 
 func (Webhook) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/zz_generated.deepcopy.go
index b71a5e55d7..c6867be122 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/zz_generated.deepcopy.go
@@ -252,6 +252,11 @@ func (in *Webhook) DeepCopyInto(out *Webhook) {
 		*out = new(v1.LabelSelector)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.SideEffects != nil {
+		in, out := &in.SideEffects, &out.SideEffects
+		*out = new(SideEffectClass)
+		**out = **in
+	}
 	return
 }
 
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
index 048afb3569..c69e015982 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
@@ -83,8 +83,12 @@ func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr *generic.Version
 // note that callAttrMutatingHook updates attr
 func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes) error {
 	if attr.IsDryRun() {
-		// TODO: support this
-		return webhookerrors.NewDryRunUnsupportedErr(h.Name)
+		if h.SideEffects == nil {
+			return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook SideEffects is nil")}
+		}
+		if !(*h.SideEffects == v1beta1.SideEffectClassNone || *h.SideEffects == v1beta1.SideEffectClassNoneOnDryRun) {
+			return webhookerrors.NewDryRunUnsupportedErr(h.Name)
+		}
 	}
 
 	// Make the webhook request
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go
index 663349a4e4..cec41315c2 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go
@@ -36,6 +36,7 @@ func CreateAdmissionReview(attr *generic.VersionedAttributes) admissionv1beta1.A
 		UID:      aUserInfo.GetUID(),
 		Username: aUserInfo.GetName(),
 	}
+	dryRun := attr.IsDryRun()
 
 	// Convert the extra information in the user object
 	for key, val := range aUserInfo.GetExtra() {
@@ -66,6 +67,7 @@ func CreateAdmissionReview(attr *generic.VersionedAttributes) admissionv1beta1.A
 			OldObject: runtime.RawExtension{
 				Object: attr.VersionedOldObject,
 			},
+			DryRun: &dryRun,
 		},
 	}
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
index b6ea69480c..30af14e74f 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
@@ -43,6 +43,11 @@ var matchEverythingRules = []registrationv1beta1.RuleWithOperations{{
 	},
 }}
 
+var sideEffectsUnknown registrationv1beta1.SideEffectClass = registrationv1beta1.SideEffectClassUnknown
+var sideEffectsNone registrationv1beta1.SideEffectClass = registrationv1beta1.SideEffectClassNone
+var sideEffectsSome registrationv1beta1.SideEffectClass = registrationv1beta1.SideEffectClassSome
+var sideEffectsNoneOnDryRun registrationv1beta1.SideEffectClass = registrationv1beta1.SideEffectClassNoneOnDryRun
+
 // NewFakeDataSource returns a mock client and informer returning the given webhooks.
 func NewFakeDataSource(name string, webhooks []registrationv1beta1.Webhook, mutating bool, stopCh <-chan struct{}) (clientset kubernetes.Interface, factory informers.SharedInformerFactory) {
 	var objs = []runtime.Object{
@@ -388,26 +393,66 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
 			Name: "no match dry run",
 			Webhooks: []registrationv1beta1.Webhook{{
 				Name:         "nomatch",
-				ClientConfig: ccfgSVC("disallow"),
+				ClientConfig: ccfgSVC("allow"),
 				Rules: []registrationv1beta1.RuleWithOperations{{
 					Operations: []registrationv1beta1.OperationType{registrationv1beta1.Create},
 				}},
 				NamespaceSelector: &metav1.LabelSelector{},
+				SideEffects:       &sideEffectsSome,
 			}},
 			IsDryRun:    true,
 			ExpectAllow: true,
 		},
 		{
-			Name: "match dry run",
+			Name: "match dry run side effects Unknown",
 			Webhooks: []registrationv1beta1.Webhook{{
 				Name:              "allow",
 				ClientConfig:      ccfgSVC("allow"),
 				Rules:             matchEverythingRules,
 				NamespaceSelector: &metav1.LabelSelector{},
+				SideEffects:       &sideEffectsUnknown,
 			}},
 			IsDryRun:      true,
 			ErrorContains: "does not support dry run",
 		},
+		{
+			Name: "match dry run side effects None",
+			Webhooks: []registrationv1beta1.Webhook{{
+				Name:              "allow",
+				ClientConfig:      ccfgSVC("allow"),
+				Rules:             matchEverythingRules,
+				NamespaceSelector: &metav1.LabelSelector{},
+				SideEffects:       &sideEffectsNone,
+			}},
+			IsDryRun:          true,
+			ExpectAllow:       true,
+			ExpectAnnotations: map[string]string{"allow/key1": "value1"},
+		},
+		{
+			Name: "match dry run side effects Some",
+			Webhooks: []registrationv1beta1.Webhook{{
+				Name:              "allow",
+				ClientConfig:      ccfgSVC("allow"),
+				Rules:             matchEverythingRules,
+				NamespaceSelector: &metav1.LabelSelector{},
+				SideEffects:       &sideEffectsSome,
+			}},
+			IsDryRun:      true,
+			ErrorContains: "does not support dry run",
+		},
+		{
+			Name: "match dry run side effects NoneOnDryRun",
+			Webhooks: []registrationv1beta1.Webhook{{
+				Name:              "allow",
+				ClientConfig:      ccfgSVC("allow"),
+				Rules:             matchEverythingRules,
+				NamespaceSelector: &metav1.LabelSelector{},
+				SideEffects:       &sideEffectsNoneOnDryRun,
+			}},
+			IsDryRun:          true,
+			ExpectAllow:       true,
+			ExpectAnnotations: map[string]string{"allow/key1": "value1"},
+		},
 		{
 			Name: "illegal annotation format",
 			Webhooks: []registrationv1beta1.Webhook{{
@@ -489,12 +534,13 @@ func NewMutatingTestCases(url *url.URL) []Test {
 			ErrorContains: "invalid character",
 		},
 		{
-			Name: "match & remove label dry run",
+			Name: "match & remove label dry run unsupported",
 			Webhooks: []registrationv1beta1.Webhook{{
 				Name:              "removeLabel",
 				ClientConfig:      ccfgSVC("removeLabel"),
 				Rules:             matchEverythingRules,
 				NamespaceSelector: &metav1.LabelSelector{},
+				SideEffects:       &sideEffectsUnknown,
 			}},
 			IsDryRun:      true,
 			ErrorContains: "does not support dry run",
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go
index 89884e8e1c..8b6214e283 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go
@@ -98,8 +98,12 @@ func (d *validatingDispatcher) Dispatch(ctx context.Context, attr *generic.Versi
 
 func (d *validatingDispatcher) callHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes) error {
 	if attr.IsDryRun() {
-		// TODO: support this
-		return webhookerrors.NewDryRunUnsupportedErr(h.Name)
+		if h.SideEffects == nil {
+			return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook SideEffects is nil")}
+		}
+		if !(*h.SideEffects == v1beta1.SideEffectClassNone || *h.SideEffects == v1beta1.SideEffectClassNoneOnDryRun) {
+			return webhookerrors.NewDryRunUnsupportedErr(h.Name)
+		}
 	}
 
 	// Make the webhook request