Update release instructions.

2026-06-14 18:40:55 +00:00 · 2020-08-28 11:39:17 -07:00
13303 changed files with 976671 additions and 182589 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +0,0 @@
-.github
-docs
-examples
-travis
-*.md
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -1,87 +0,0 @@
-name: Bug report
-description: File a bug report
-labels: ["kind/bug"]
-body:
-  - type: textarea
-    id: problem
-    attributes:
-      label: What happened?
-      description: |
-        Please provide as much info as possible. Not doing so may result in your bug not being addressed in a timely manner.
-        If this matter is security related, please disclose it privately via https://kubernetes.io/security
-    validations:
-      required: true
-
-  - type: textarea
-    id: expected
-    attributes:
-      label: What did you expect to happen?
-    validations:
-      required: true
-
-  - type: textarea
-    id: repro-files
-    attributes:
-      label: How can we reproduce it (as minimally and precisely as possible)?
-      description: Please provide a minimum set of files that can reproduce the issue. You can paste the file contents here or provide a link to a tarball or git repo. Even better, submit a tests case in the api/krusty package! For more information on how to do that, see https://kubectl.docs.kubernetes.io/contributing/kustomize/bugs/.
-      value: | 
-        ```yaml
-        # kustomization.yaml
-        apiVersion: kustomize.config.k8s.io/v1beta1
-        kind: Kustomization
-        resources:
-        - resources.yaml
-        ```
-    
-        ```yaml
-        # resources.yaml
-        apiVersion: v1
-        kind: ConfigMap
-        metadata:
-          name: test-object
-        data:
-          placeholder: data
-        ```
-    validations:
-      required: true  
-  - type: textarea
-    id: expected-output
-    attributes:
-      label: Expected output
-      description: If you are able to provide reproduction files, please include the output you expect here.
-      value: | 
-        ```yaml
-
-        ```
-    validations:
-      required: false
-  - type: textarea
-    id: actual-output
-    attributes:
-      label: Actual output
-      description: If you are able to provide reproduction files, please include the output they currently produce here.
-      value: | 
-        ```yaml
-
-        ```
-    validations:
-      required: false
-  - type: input
-    id: kustomize-version
-    attributes:
-      label: Kustomize version
-      description: Please use the latest version whenever possible.
-      placeholder: What version of Kustomize are you using?
-    validations:
-      required: true
-  - type: dropdown
-    id: os
-    attributes:
-      label: Operating system
-      options:
-        - Linux
-        - MacOS
-        - Windows
-        - Other
-    validations:
-      required: false
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,6 +0,0 @@
-contact_links:
-  - name: Support request
-    url: https://discuss.kubernetes.io
-    about: |
-      Please do not submit support requests or questions as issues. 
-      Ask your question in the Kubernetes Community Forums, or in the #kustomize channel on Kubernetes Slack (https://slack.k8s.io).
--- a/.github/ISSUE_TEMPLATE/feature_request.yaml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yaml
@@ -1,64 +0,0 @@
-name: Feature request
-description: Propose an enhancement to Kustomize
-labels: kind/feature
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Small, straightforward enhancements can be proposed in regular GitHub issues using the template below. As a rule of thumb, the enhancement should be resolvable in a single PR that is at most size L. Anything more involved requires a mini (in-repo) enhancement proposal, and features with implications for kubectl require a full [KEP](https://github.com/kubernetes/enhancements). 
-         
-        For more information on the Kustomize enhancement process, see: https://github.com/kubernetes-sigs/kustomize/tree/master/proposals.      
-         
-        When in doubt, go ahead and fill out the template below; the maintainers will let you know if a KEP is required.
-
-  - type: checkboxes
-    attributes:
-      label: Eschewed features
-      description: Some features are out of scope for Kustomize because they are incompatible with its foundational design principles. Please review the [Eschewed Features](https://kubectl.docs.kubernetes.io/faq/kustomize/eschewedfeatures/) documentation before submitting your feature request.
-      options:
-      - label: This issue is not requesting templating, unstuctured edits, build-time side-effects from args or env vars, or any other eschewed feature.
-        required: true
-
-  - type: textarea
-    id: feature-description
-    attributes:
-      label: What would you like to have added?
-    validations:
-      required: true
-
-  - type: textarea
-    id: rationale
-    attributes:
-      label: Why is this needed?
-    validations:
-      required: true
-      
-  - type: textarea
-    id: current-alternatives
-    attributes:
-      label: Can you accomplish the motivating task without this feature, and if so, how?
-    validations:
-      required: true      
-      
-      
-  - type: textarea
-    id: design-alternatives
-    attributes:
-      label: What other solutions have you considered?
-    validations:
-      required: true        
-
-  - type: textarea
-    id: additional-info
-    attributes:
-      label: Anything else we should know?
-    validations:
-      required: false
-      
-  - type: checkboxes
-    attributes:
-      label: Feature ownership
-      description: The Kustomize project, like many areas of Kubernetes, currently lacks enough contributors to adequately respond to all proposals that have merit. Offering to build and support the feature yourself can help get traction for your request.
-      options:
-      - label: I am interested in contributing this feature myself! 🎉
-        required: false
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,14 +0,0 @@
-version: 2
-updates:
- package-ecosystem: "github-actions"
-  directory: "/"
-  schedule:
-      interval: "weekly"
-
- package-ecosystem: gomod
-  directory: "/"
-  schedule:
-    interval: "weekly"
-  open-pull-requests-limit: 10
-  vulnerability-alerts:
-    enabled: true
--- a/.github/workflows/apidiff.yml
+++ b/.github/workflows/apidiff.yml
@@ -1,36 +0,0 @@
-name: APIDiff
-
-# Trigger the workflow on pull requests and direct pushes to any branch
-on:
-  push:
-  pull_request:
-
-jobs:
-  go-apidiff:
-    name: Verify API differences
-    runs-on: ubuntu-latest
-    # Pull requests from different repository only trigger this checks
-    if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)
-    steps:
-      - name: Clone the code
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v6
-        with:
-          go-version-file: go.work
-      - name: Execute go-apidiff
-        uses: joelanford/go-apidiff@v0.8.3
-        with:
-          compare-imports: true
-          print-compatible: true
-      - name: Report failure
-        uses: nashmaniac/create-issue-action@v1.2
-        # Only report failures of pushes (PRs have are visible through the Checks section) to the default branch
-        if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/master'
-        with:
-          title: 🐛 go-apidiff failed for ${{ github.sha }}
-          token: ${{ secrets.GITHUB_TOKEN }}
-          labels: kind/bug
-          body: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -2,157 +2,99 @@ name: Go

 on:
  push:
-    branches: [master]
+    branches: [ master ]
  pull_request:
-    branches: [master]
-
-permissions:
-  contents: read
+    branches: [ master ]

 jobs:
-  ## TODO: conditional-changes checker is not working
-  conditional-changes:
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read
-    outputs:
-      doc: ${{ steps.filter.outputs.doc }}
-    steps:
-    - uses: actions/checkout@v6
-    - uses: dorny/paths-filter@v3
-      id: filter
-      with:
-        filters: |
-          doc:
-            - 'site/**'
-
-  check-modules:
-    name: check-synced-go-modules
-    # needs: conditional-changes
-    # if: needs.conditional-changes.outputs.doc == 'false'
-    runs-on: [ubuntu-latest]
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v6
-      with:
-        fetch-depth: 0
-    - name: Set up Go 1.x
-      uses: actions/setup-go@v6
-      with:
-        go-version-file: go.work
-        cache: true
-        cache-dependency-path: |
-          **/go.sum
-      id: go
-    - name: sync go modules
-      run: make workspace-sync
-    - name: check for changes with 'make workspace-sync'
-      run: git diff --exit-code

  lint:
    name: Lint
-    # needs: conditional-changes
-    # if: needs.conditional-changes.outputs.doc == 'false'
    runs-on: [ubuntu-latest]
    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v6
-      with:
-        fetch-depth: 0
+
    - name: Set up Go 1.x
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@v2
      with:
-        go-version-file: go.work
-        cache: true
-        cache-dependency-path: |
-          **/go.sum
+        go-version: ^1.13
      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
    - name: Lint
-      run: make lint
-    - name: Verify boilerplate
-      run: make check-license
+      run: ./travis/kyaml-pre-commit.sh
+      env:
+        KUSTOMIZE_DOCKER_E2E: false # don't need to do e2e tests for linting

-  ## Test all modules without plugins and released modules
-  test-non-released-modules:
+  test-linux:
    name: Test Linux
-    # needs: conditional-changes
-    # if: needs.conditional-changes.outputs.doc == 'false'
    runs-on: [ubuntu-latest]
    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v6
-    - name: Set up Go 1.x
-      uses: actions/setup-go@v6
-      with:
-        go-version-file: go.work
-        cache: true
-        cache-dependency-path: |
-          **/go.sum
-      id: go
-    - name: Test all modules without plugins and released modules
-      run: make test-unit-non-plugin-and-non-released
-      env:
-        KUSTOMIZE_DOCKER_E2E: true

-  test-modules:
-    name: Test ${{ matrix.os }} - ${{ matrix.module }}
-    # needs: conditional-changes
-    # if: needs.conditional-changes.outputs.doc == 'false'
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        module:
-        - kyaml
-        - cmd/config
-        - api
-        - kustomize
-        include:
-        - module: kyaml
-          test-cmd: go test -race -v -cover ./...
-        - module: cmd/config
-          test-cmd: go test -v -cover ./...
-        - module: api
-          test-cmd: go test -v -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.buildDate=2023-01-31T23:38:41Z -X sigs.k8s.io/kustomize/api/provenance.version=(test)"
-        - module: kustomize
-          test-cmd: go test -v -cover ./...
-        - os: ubuntu-latest
-          docker-e2e: true
-        - os: macos-latest
-          docker-e2e: false
-        - os: windows-latest
-          docker-e2e: false
-    env:
-      KUSTOMIZE_DOCKER_E2E: ${{ matrix.docker-e2e }}
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v6
-    - name: Set up Go 1.x
-      uses: actions/setup-go@v6
-      with:
-        go-version-file: go.work
-        cache: true
-        cache-dependency-path: |
-          **/go.sum
-      id: go
-    - name: Test ${{ matrix.module }}
-      run: ${{ matrix.test-cmd }}
-      # TODO (#4001): replace specific modules above with this once Windows tests are passing.
-      if: ${{ !(matrix.os == 'windows-latest' && (matrix.module == 'api' || matrix.module == 'kustomize')) }}
-      working-directory: ./${{ matrix.module }}
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v2
+        with:
+          go-version: ^1.13
+        id: go

-  # Aggregation matrix tests from test-modules for branch protection rules
-  test-modules-summary:
-    name: Test Summary
-    runs-on: ubuntu-latest
-    needs: test-modules
-    if: always()
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Test kyaml
+        run: go test -cover ./...
+        working-directory: ./kyaml
+
+      - name: Test cmd/config
+        run: go test -cover ./...
+        working-directory: ./cmd/config
+        env:
+          KUSTOMIZE_DOCKER_E2E: true
+
+  test-macos:
+    name: Test MacOS
+    runs-on: [macos-latest]
    steps:
-    - name: Check test results
-      run: |
-        if [[ "${{ needs.test-modules.result }}" != "success" ]]; then
-          echo "Some tests failed or were cancelled"
-          exit 1
-        fi
-        echo "All tests passed successfully"
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v2
+        with:
+          go-version: ^1.13
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Test kyaml
+        run: go test -cover ./...
+        working-directory: ./kyaml
+
+      - name: Test cmd/config
+        run: go test -cover ./...
+        working-directory: ./cmd/config
+        env:
+          KUSTOMIZE_DOCKER_E2E: false # docker not installed on mac
+
+  test-windows:
+    name: Test Windows
+    runs-on: [windows-latest]
+    steps:
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v2
+        with:
+          go-version: ^1.13
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Test kyaml
+        run: go test -cover ./...
+        working-directory: ./kyaml
+
+      - name: Test cmd/config
+        run: go test -cover ./...
+        working-directory: ./cmd/config
+        env:
+          KUSTOMIZE_DOCKER_E2E: false # docker on windows not working well yet
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,30 +0,0 @@
-name: release
-
-permissions:
-  contents: write # Allow actions to update dependabot PRs
-
-on:
-  push:
-    tags:
-      - kyaml/v*
-      - cmd/config/v*
-      - api/v*
-      - kustomize/v*
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v6
-      with:
-        fetch-depth: 0
-    - name: Set up Go 1.x
-      uses: actions/setup-go@v6
-      with:
-        go-version-file: go.work
-      id: go
-    - run: ./releasing/create-release.sh "${tag}"
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        tag: ${{ github.ref_name }}
--- a/.gitignore
+++ b/.gitignore
@@ -21,14 +21,3 @@
 *.DS_store

 .bin
-
-# Hugo site
-publishedSite/
-site/public/
-site/resources/
-site/.hugo_build.lock
-**/node_modules/
-
-# goreleaser artifacts
-**/dist/
-/output/
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +0,0 @@
-[submodule "site/themes/docsy"]
-	path = site/themes/docsy
-	url = https://github.com/google/docsy.git
--- a/.golangci-kustomize.yml
+++ b/.golangci-kustomize.yml
@@ -0,0 +1,50 @@
+run:
+  deadline: 5m
+
+linters:
+  disable-all: true
+  enable:
+    - bodyclose
+    - deadcode
+    - depguard
+    # - dogsled
+    - dupl
+    # - errcheck
+    # - funlen
+    # - gochecknoinits
+    - goconst
+    # - gocritic
+    - gocyclo
+    - gofmt
+    - goimports
+    - golint
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - interfacer
+    - lll
+    - misspell
+    - nakedret
+    # - scopelint
+    - staticcheck
+    - structcheck
+    # stylecheck demands that acronyms not be treated as words
+    # in camelCase, so JsonOp become JSONOp, etc.  Yuck.
+    # - stylecheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - varcheck
+    # - whitespace
+
+linters-settings:
+  dupl:
+    threshold: 400
+  lll:
+    line-length: 170
+  gocyclo:
+    min-complexity: 15
+  golint:
+    min-confidence: 0.85
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,96 +0,0 @@
-# Copyright 2019 The Kubernetes Authors.
-# SPDX-License-Identifier: Apache-2.0
-
-run:
-  deadline: 5m
-  go: "1.24"
-
-linters:
-  enable-all: true
-  disable:
-    - cyclop
-    - depguard
-    - exhaustivestruct
-    - forbidigo
-    - funlen
-    - gci
-    - gocognit
-    - godot
-    - godox
-    - goerr113
-    - gofumpt
-    - ifshort # too many false positives
-    - ireturn
-    - nilnil
-    - nlreturn
-    - noctx
-    - paralleltest
-    - perfsprint
-    - stylecheck
-    - testifylint
-    - varnamelen
-    - wsl
-    - exhaustruct
-    - deadcode
-    - scopelint
-    - nonamedreturns
-    - golint
-    - maintidx
-    - nosnakecase
-    - testpackage # it's better to keep tests in the same package for now because kustomize does open box testing
-    - structcheck # abandoned by author
-    - varcheck # abandoned by author
-    - maligned # abandoned by author
-    - interfacer # archived by author
-    # TODO(koba1t): temporarily disabled, will be addressed after upgrading to Go 1.24
-    - usetesting
-    - mnd
-    - copyloopvar
-    - intrange
-
-linters-settings:
-  dupl:
-    threshold: 400
-  lll:
-    line-length: 170
-  gocyclo:
-    min-complexity: 30
-  revive:
-    rules:
-      - name: var-naming
-        arguments:
-          - ["ID", "API", "JSON"] # AllowList
-          - [] # DenyList
-  gomnd:
-    ignored-functions:
-      - os.WriteFile
-      - make
-  gomoddirectives:
-    replace-local: true
-  gosec:
-    config:
-      G306: "0644"
-  wrapcheck:
-    ignoreSigs:
-      # defaults
-      - .Errorf(
-      - errors.New(
-      - errors.Unwrap(
-      - .Wrap(
-      - .Wrapf(
-      - .WithMessage(
-      - .WithMessagef(
-      - .WithStack(
-      # from kyaml's errors package
-      - .WrapPrefixf(
-
-issues:
-  new-from-rev: c94b5d8f2 # enables us to enforce a larger set of linters for new code than pass on existing code
-  max-same-issues: 0
-  exclude-rules:
-    - linters:
-        - revive
-      text: "don't use leading"
-    - linters:
-        - staticcheck
-      text: "SA1019: kioutil.Legacy"
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -1,299 +0,0 @@
-# Architecture
-
-* _Updated: December 2021_
-
-This document describes the repository organization and the kustomize
-build process. It's meant to lower the barrier to learning and
-contributing to the code base.
-
-If not kept up to date, it will just be a historical snapshot.
-
-
-## Repository layout
-
-[human-edited docs]: https://github.com/kubernetes-sigs/cli-experimental/tree/master/site
-[generated docs]: https://github.com/kubernetes-sigs/cli-experimental/tree/master/docs
-[rendered docs]: https://kubectl.docs.kubernetes.io
-[openapi]: https://kubernetes.io/blog/2016/12/kubernetes-supports-openapi
-
-[`api` module]: https://github.com/kubernetes-sigs/kustomize/blob/master/api/go.mod
-[`api`]: #the-api-module
-[`cmd/config` module]: https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/go.mod
-[`cmd/config`]: #the-cmdconfig-module
-[`kustomize` module]: https://github.com/kubernetes-sigs/kustomize/blob/master/kustomize/go.mod
-[`kustomize`]: #the-kustomize-module
-[`kyaml` module]: https://github.com/kubernetes-sigs/kustomize/blob/master/kyaml/go.mod
-[`kyaml`]: #the-kyaml-module
-[`kyaml/kio.Filter`]: https://github.com/Kubernetes-sigs/kustomize/blob/master/kyaml/kio/kio.go
-[`go-yaml`]: https://github.com/go-yaml/yaml/tree/v3
-
-
-[3922]: https://github.com/kubernetes-sigs/kustomize/issues/3922
-
-
-
- |  directory  | purpose      |
- | ---------:  | :---------- |
- |       `api` | The [`api`] module, holding high level kustomize code, suitable for import by other programs.  |
- |       `cmd` | Various Go programs aiding repo management. See also `hack`. As an outlier, includes the special [`cmd/config`] module. |
- |      `docs` | Old home of documentation; contains pointers to new homes: [human-edited docs], [generated docs] and [rendered docs]. |
- |  `examples` | Full kustomization examples that run as pre-merge tests.  |
- | `functions` | Examples of plugins in KRM function form. TODO([3922]): Move under `plugin`. |
- |      `hack` | Various shell scripts to help with code management. |
- | `kustomize` | The [`kustomize`] module holds the `main.go` for kustomize. |
- |     `kyaml` | The [`kyaml`] module, holding Kubernetes-specific YAML editing packages used by the [`api`] module. Wraps [`go-yaml`] v3.|
- |    `plugin` | Examples of Kustomize plugins. |
- | `releasing` | Instructions for releasing the various modules. |
- |      `site` | Old generated documentation, kept to provide redirection links to the new docs. |
-
-
-## Modules
-
-[semantically versioned]: https://semver.org
-[Go modules]: https://github.com/golang/go/wiki/Modules
-
-The [Go modules] in the kustomize repository are [semantically versioned].
-
-
-### `kustomize`
-
-> _Depends on [`api`], [`cmd/config`], [`kyaml`]_
-
-The [`kustomize` module] contains the `main.go` for `kustomize`, buildable with
-
-```
-(cd kustomize; go install .)
-```
-
-[appears in kubectl]: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubectl/pkg/cmd/kustomize/kustomize.go
-
-Below this are packages containing
-[cobra](http://github.com/spf13/cobra) commands implementing `build`,
-`edit`, `fix`, etc., packages linked together by `main.go`.
-
-These command packages are intentionally public, semantically
-versioned, and can be used in other programs.  Specifically, the
-`kustomize build` command [appears in kubectl] as `kubectl kustomize`.
-
-The code in the `build` package is dominated by flag validation,
-with minimal business logic.  The critical lines are something
-like
-
-```
-# Make a kustomizer.
-k := krusty.MakeKustomizer(
-  HonorKustomizeFlags(krusty.MakeDefaultOptions()),
-)
-
-# Run the kustomizer, sending location of kustomization.yaml
-m := k.Run(fSys, "/path/to/dir")
-
-# Write the result as YAML.
-writer.Write(m.AsYaml())
-```
-
-The `krusty` package is in the [`api`] module.
-
-### `api`
-
-> _Depends on [`kyaml`] and code generated from builtin plugin modules_
-
-The [`api` module] is used by CLI programs like `kustomize` and `kubectl`
-to read and honor `kustomization.yaml` files and all that implies.
-
-The main public packages in the [`api` module] are
-
- | package   |             |
- | --------: | :---------- |
- | `filters` | Implementations of [`kyaml/kio.Filter`] used by kustomize to transform Kubernetes objects. |
- |  `konfig` | Configuration methods and constants in the kustomize API. |
- |  `krusty` | Primary API entry point.  Holds the kustomizer and hundreds of tests for it. |
- |  `loader` | Loads kustomization files and the files they refer to, enforcing security rules. |
- |  `resmap` | The primary internal data structure over which the kustomizer and filters work. |
- |   `types` | The `Kustomization` object and ancillary structs. |
-
-### `cmd/config`
-
-> _Depends on [`kyaml`]_
-
-This module contains cobra commands and kyaml-based functionality to
-provide unix-like file manipulation commands to kustomize like `grep`
-and `tree`.  These commands may be included in any program that
-manipulates k8s YAML (e.g. kustomize).
-
-### `kyaml`
-
-> _Has no in-repo dependence_
-
-The [`kyaml` module] is a kubernetes-focussed enhancement of [go-yaml].
-
-The YAML manipulation performed by a kustomize is based on these libraries.
-
-These libraries evolve independently of kustomize, and other programs depend on them.
-
-The key public packages in the [`kyaml` module] include
-
- | package   |             |
- | --------: | :---------- |
- | `errors` | Wrapper for the go-errors/errors lib |
- | `filesys` | A kustomize-specific file system abstraction, to ease writing tests |
- | `fn/framework` | An SDK for writing KRM Functions in Go |
- | `fn/runtime` | Implements the runtime for KRM Function extensions |
- | `kio` | Libraries for reading and writing collections of Kubernetes resources as RNodes |
- | `openapi` | Loads and accesses openapi schemas for schema-aware resource manipultaion |
- | `resid` | Representations to aid in unique identification of Kubernetes resources |
- | `yaml` | A Kubernetes-focused wrapper of [go-yaml], notably including the RNode object |
-
-
-------
-
-## How _kustomize build_ works
-
-The command `kustomize build` accepts a single string argument,
-which must resolve to a directory, possibly in a git repository,
-called the _kustomization root_.
-
-This directory must contain a file called `kustomization.yaml`, with
-YAML that marshals into a single instance of a `Kustomization` object.
-
-For the remainder of this document, the word _kustomization_ refers to
-either of these things.
-
-This kustomization is the access point to a directed, acyclic graph of
-Kubernetes objects, including other kustomizations, to include in a
-build.
-
-Execution of `build` starts and ends in the [`api`] module,
-frequently dipping into the [`kyaml`] module for lower level
-YAML manipulation.
-
-### The `build` flow
-
-  - Validate command lines arguments and flags.
-
-  - Make a `Kustomizer` as a function of those arguments.
-
-  - Call `Run` on the kustomizer, passing it the path to the
-    kustomization.
-
-    `Run` returns an instance of `ResMap`, the `api` package's
-    representation of a set of kubernetes `Resource` objects.
-
-    This structure offers resource lookup methods (map behavior),
-    but also retains the resources in the order they were
-    specified in kustomization files (list behavior).
-
-    Post-run, the objects are fully hydrated, per the
-    instructions in the kustomization.
-
-  - Marshal the objects as YAML to a file or `stdout`.
-
-
-### The `Run` function
-
-  - Create various objects
-
-    - A `ResMap` factory.
-
-      Makes  `ResMaps` from byte streams, other `ResMaps`, etc.
-
-    - A file `loader.Loader`.
-
-      It's fed an appropriate set of restrictions, and the path to the kustomization.
-
-    - A plugin loader.
-
-      It finds plugins (transformers, generators or validators)
-      and prepares them for running.
-
-    - A `KustTarget` encapsulating all of the above.
-
-      A KustTarget contains one `Kustomization` and represents
-	  everything that kustomization can reach.  This will include
-	  other `KustTarget` instances, each having a smaller purview than
-	  the one referencing it.
-
-  - Call `KustTarget.Load` to load its kustomization.
-
-    This step deals with deprecations and field changes.
-
-  - Load [openapi] data specified by the kustomization.
-
-    This is needed to recognize k8s kinds and their special
-    properties, e.g. which kinds are cluster-scoped, which kinds
-    refer to others, etc.
-
-  - Call `KustTarget.makeCustomizedResmap` to create the `ResMap` result.
-
-    This visits everything referenced by the kustomization,
-    performing all generation, transformation and validation.
-
-  - Finish the `Run` with
-
-    - Optional reordering of objects in `ResMap`, overriding the
-      FIFO rule.
-
-    - Optional addition of _kustomize build annotations_ to the
-      resources.  E.g. from which repo and file the resource was
-      read, the fact that kustomize touched the resource, etc.
-      These kustomize-specific annotations are intended for
-      server-side data analytics, file structure traceability and
-      reconstruction, etc.
-
-### The `makeCustomizedResmap` function
-
-  This function starts the process of object transformation,
-  as well as accumulation of recursively referenced data.
-
-  - Call `ra := KustTarget.AccumulateTarget`.
-
-    The result, `ra`, is a resource accumulator that contains
-    everything referred to by the current kustomization, now fully
-    hydrated.
-
-  - Uniquify names of generated objects by appending content hashes.
-
-    This cannot be done until the objects are complete.
-
-  - Fix all name references (given that names may have changed).
-
-    E.g. if a ConfigMaps was given a generated name, all objects that
-    refer to that ConfigMap must be given its name.
-
-  - Resolve vars, replacing them with whatever they refer to (a legacy feature).
-
-### The `AccumulateTarget` function
-
-  - Call `AccumulateResources` over the `resources` field (this can recurse).
-  - Call `AccumulateComponents` over the `components` field (this can recurse),
-  - Load legacy (pre-plugin) global kustomize configuration,
-  - Load legacy (pre-openapi) _Custom Resource Definition_ data.
-  - In the context of the data loaded above, run the kustomization's
-    - generators,
-    - transformers,
-    - and validators.
-  - Accumulate `vars` (make note of them for later replacement).
-
-### `AccumulateResources` and component accumulation
-
-  - If the path is a file:
-    - Accumulate the objects in the file (treating them
-      as opaque kubernetes objects).
-
-  - If the path is a directory:
-    - Create a new `KustTarget` referring to that directory's kustomization.
-	- Call `subRa := KustTarget.AccumulateTarget`.
-    - Call `ra.MergeAccumulator(subRa)`
-	This completes a recursion.
-
-  - If the path is a git URL:
-    - Clone the repository to a temporary directory.
-    - Process the path optionally specified in the URL
-      as a path in the clone.
-	- If no path specified, work from the repository root.
-
-
-That's as deep as this discussion will go.
-
-The deeper this document goes into the details, the faster
-it will get out of date.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,304 +1,26 @@
-[SIG-CLI]: https://github.com/kubernetes/community/tree/master/sig-cli
-[Slack channel]: https://kubernetes.slack.com/messages/kustomize
-[Mailing list]: https://groups.google.com/forum/#!forum/kubernetes-sig-cli
-
-[OWNERS file spec]: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
-[Kustomize OWNERS_ALIASES]: https://github.com/kubernetes-sigs/kustomize/blob/8049f7b1af52e8a7ec26faf6cf714f560d0043c5/OWNERS_ALIASES
-[SIG-CLI Teams]: https://github.com/kubernetes/org/blob/main/config/kubernetes-sigs/sig-cli/teams.yaml
-[Github permissions]: https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-permission-levels-for-an-organization#repository-access-for-each-permission-level
-
-[Contributor License Agreement]: https://git.k8s.io/community/CLA.md
-[Kubernetes Contributor Guide]: http://git.k8s.io/community/contributors/guide
-[Contributor Cheat Sheet]: https://git.k8s.io/community/contributors/guide/contributor-cheatsheet/README.md
-[CNCF Code of Conduct]: https://github.com/cncf/foundation/blob/master/code-of-conduct.md
-[Kubernetes Community Membership]: https://github.com/kubernetes/community/blob/master/community-membership.md
-
-[Kustomize Architecture]: ARCHITECTURE.md
-[Contribution Guide]: https://kubectl.docs.kubernetes.io/contributing/kustomize/
-[MacOS Dev Guide]: https://kubectl.docs.kubernetes.io/contributing/kustomize/mac/
-[Windows Dev Guide]: https://kubectl.docs.kubernetes.io/contributing/kustomize/windows/
-
 # Contributing Guidelines

-Welcome to Kubernetes. We are excited about the prospect of you joining our [community](https://github.com/kubernetes/community)! The Kubernetes community abides by the [CNCF Code of Conduct]. Here is an excerpt:
+Welcome to Kubernetes. We are excited about the prospect of you joining our [community](https://github.com/kubernetes/community)! The Kubernetes community abides by the CNCF [code of conduct](code-of-conduct.md). Here is an excerpt:

 _As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities._

 ## Getting Started

-### Forking Kustomize and Working Locally
-The Kustomize project uses a "Fork and Pull" workflow that is standard to GitHub. In git terms, your personal fork is referred to as the "origin" and the actual project's git repository is called "upstream". To keep your personal branch (origin) up to date with the project (upstream), it must be configured within your local working copy.
+Dev guides:

-### Create a fork in GitHub
-1. Visit https://github.com/kubernetes-sigs/kustomize
-2. Click the `Fork` button on the top right
+- [Mac](docs/macDevGuide.md)

-### Clone the repository
-```bash
-# Clone your repository fork from the previous step
-git clone --recurse-submodules git@github.com:<your github username>/kustomize.git
-cd kustomize
+We have full documentation on how to get started contributing here:

-# Configure upstream
-git remote add upstream https://github.com/kubernetes-sigs/kustomize
-git remote set-url --push upstream no_push
-
-# Review git configuration
-git remote -v
-```
-
-### Create a working branch
-```bash
-# Fetch changes from upstream master
-cd kustomize
-git fetch upstream
-git checkout master
-git rebase upstream/master
-
-# Create your working branch
-git checkout -b myfeature
-```
-
-### Sync your working branch
-You will need to periodically fetch changes from the `upstream` repository to keep your working branch in sync.
-```bash
-cd kustomize
-git fetch upstream
-git checkout myfeature
-git rebase upstream/master
-```
-
-### Push to GitHub
-When your changes are ready for review, push your working branch to your fork on GitHub.
-```bash
-cd kustomize
-git push origin myfeature
-```
-
-### Pull Request Rules
-
-We are using [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/) as the main guideline of making PR. This guideline serves to help contributor and maintainer to classify their changes, thus providing better insight on type of release will be covered on each Kustomize release cycle.
-
-1. Please add these keywords on your PR titles accordingly
-
-| Keyword  | Description | Example |
-| ------------- | ------------- | ------------- |
-| fix  | Patching or fixing bugs or improvements introduction from previous release. This type of change will mark a `PATCH` release.  | fix: fix null value when generating yaml |
-| feat  | New features. This change will mark a `MINOR` release. | feat: new transformer and generator for ACME API CRD. |
-| chore  | Minor improvement outside main code base  | chore: add exclusion for transformer test. |
-| ci | CI/CD related changes (e.g. github workflow, scripts, CI steps). | ci: remove blocking tests |
-| docs  | Changes related to documentation. | docs: add rules documentation for PR. |
-
-
-2. Add `BREAKING CHANGE:` on your commit message as footer to signify breaking changes. This will help maintainers identify `MAJOR` releases.
-  
-Example:
-
-```
-feat: change YAML parser from `yaml/v1` to `yaml/v2`
-
-BREAKING CHANGE: parse() function now works with 2 arguments.
-```
-
-### Create a Pull Request
-
-1. Visit your fork at `https://github.com/<user>/kustomize`
-2. Click the **Compare & Pull Request** button next to your `myfeature` branch.
-3. Check out the pull request [process](https://github.com/kubernetes/community/blob/master/contributors/guide/pull-requests.md) for more details and advice.
-
-If you ran `git push` in the previous step, GitHub will return a useful link to create a Pull Request.
-
-### Build Kustomize
-The [Kustomize Architecture] document describes the respository organization and the kustomize build process.
-```bash
-# For go version >= 1.13
-unset GOPATH
-unset GO111MODULES
-
-# Build kustomize binary and install in go bin path
-cd kustomize
-make kustomize
-
-# Run unit tests
-make test-unit-all
-
-# Run linter
-make lint
-
-# Test examples against HEAD
-make test-examples-kustomize-against-HEAD
-
-# Run your development version
-~/go/bin/kustomize version
-```
-
-### General resources for contributors
-
- [Contributor License Agreement] - Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests.
- [Kubernetes Contributor Guide] - Main contributor documentation.
- [Contributor Cheat Sheet] - Common resources for existing developers.
-
-Here are some additional ideas to help you get started with Kustomize:
- Attend a Kustomize Bug Scrub. Check the [SIG-CLI] meetings list to find the next one.
- Help triage issues by confirming validity and applying the appropriate `kind` label (e.g. comment `/kind bug`).
- Pick up an issue to fix. Issues with the `help-wanted` label are a good place to start, but you can also look for any issue with the `triage/accepted` label and no assignee. Remember to `/assign` yourself to let others know you're working on it.
- Help confirm new issues labelled `kind/bug` by reproducing them with the latest release.
- Support Kustomize users by responding to questions on issues labelled `kind/support` or in the [Slack channel].
+- [Contributor License Agreement](https://git.k8s.io/community/CLA.md) Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests
+- [Kubernetes Contributor Guide](http://git.k8s.io/community/contributors/guide) - Main contributor documentation, or you can just jump directly to the [contributing section](http://git.k8s.io/community/contributors/guide#contributing)
+- [Contributor Cheat Sheet](https://git.k8s.io/community/contributors/guide/contributor-cheatsheet/README.md) - Common resources for existing developers

 ## Mentorship

 - [Mentoring Initiatives](https://git.k8s.io/community/mentoring) - We have a diverse set of mentorship programs available that are always looking for volunteers!

-## Contributor Ladder
-
-Kustomize follows the [Kubernetes Community Membership] contributor ladder. Roles are as follows:
-
-1. Contributor: Anyone who actively contributes code, issues or reviews to the project. All contributors must sign the [Contributor License Agreement].
-1. Reviewer: Contributors with a history of review and authorship on Kustomize. Has LGTM rights on the Kustomize repo (as do all kubernetes-sigs org members). Active contributors are encouraged to join the reviewers list to be automatically pinged on PRs.
-1. Approver: Highly experienced active reviewer and contributor to Kustomize. Has both LTGM and approval rights on the Kustomize repo, as well as "maintain" [Github permissions].
-1. Owner: Approver who sets technical direction and makes or approves design decisions for the project. Has LGTM and approval rights on the Kustomize repo as well as "admin" [Github permissions].
-
-The kyaml module within the Kustomize repo has additional owners following the same ladder.
-
-For the kustomize project, we have defined some specific guidelines on each step of the ladder:
-
-To reach reviewer status, you must:
- Have been actively involved in kustomize for 3+ months
- Review at least 8 PRs that have been driven through to completion (see the reviewer guide below)
- Author at least 5 PRs that have been approved and merged
- Be a member of the kubernetes-sigs org. This should not be a blocker though, as once you meet the requirements for reviewer here,
-the existing kustomize maintainers will be happy to sponsor your request to join the kubernetes-sigs org.
- Once you have met the above requirements, you may submit a PR adding yourself to the kustomize reviewers list, with links to your
-contributions in the description.
-
-To reach approver status, you must:
- Meet all the requirements of a reviewer
- Have been actively involved in kustomize for 6+ months
- Review at least 15 PRs that have been driven through to completion (see the reviewer guide below)
- Authored PRs meeting *either* of the following requirements:
-  - 15 PRs that have been approved and merged
-  - *OR* 10 PRs that have been approved and merged where some were more difficult, required greater thought/design,
-or built up to larger features/long-term goals.
- File 3 issues. This can be any number of things, including but not limited to:
-  - Bugs with kustomize usage that you've found
-  - CI or release improvements
-  - Creating subtasks of a larger feature or project that you are in charge of.
-  - Long term improvements for the health of the project
- Triage at least 10 untriaged issues, including at least 1 feature request. The kustomize bug scrub is a great place to get practice with doing this, but you can
-also follow the triage guide below to get started on your own.
- Demonstrate deeper understanding of kustomize goals. This can take many forms and is a bit subjective, but here are a few examples:
-  - saying no to an eschewed feature, instead recommending an alternative solution that is more aligned with the declarative configuration model
-  - active participation in discussion on a feature request issue
-  - filing an issue describing a long term problem and solution aligned with kustomize goals, for example: https://github.com/kubernetes-sigs/kustomize/issues/5140
-  - writing up KEPs for features that will improve the kustomize workflow while being aligned with kustomize goals, for example: https://github.com/kubernetes-sigs/kustomize/pull/4558
- Regularly interact with the existing kustomize maintainers, with clear communication about what you are working on or planning to work on. The kustomize
-maintainers should know who you are and be familiar with your contributions.
- If you meet *most* of the above requirements while going above and beyond in a few areas, we will still consider your request to become an approver even
-if you are missing one or two of the requirements. Please contact the maintainers directly to ask about getting approver status if you fall into this category.
- Otherwise, once you meet all the above requirements, you may:
-  - request to be added to the kustomize maintainer meeting that occurs each week with the kustomize PMs.
-  - submit a PR adding yourself to the kustomize approvers list, with links to your contributions in the description.
-
-To reach owner status, you must:
- Meet all the requirements of an approver
- Have been actively involved with kustomize for 1+ year
- Assisted the current owner in driving the roadmap. This can be explicit or implicit help, such as:
-  - Editing the roadmap directly
-  - Reviewing the roadmap
-  - Providing suggestions for issues or prioritization in meetings that indirectly influence the roadmap
- Regularly triage issues and attend the kustomize bug scrub
- Regularly review PRs (1-2 a week)
- Periodically lead the kustomize bug scrub
- Periodically release kustomize (ensuring that there are no release blockers and that release notes are clean)
- Be the primary owner or point of contact for a particular project or area of code
- Ideally, there should be 2-3 owners at a time. Reach out to the current owners if you are interested in ownership. These
-requirements are not strict and evaluation is somewhat subjective.
-
-## Reviewer guide
-Please watch this talk on how to review code from Tim Hockin: https://www.youtube.com/watch?v=OZVv7-o8i40
-
-For reviewing PRs in kustomize, we have some specific guidelines:
- If the PR is introducing a new feature:
-  - *It must be implementing an issue that has already been triage/accepted or
-a KEP that has been approved.* If it is not, then request the PR author to first file an issue.
-  - The PR must include thorough tests for the new feature, including unit and integration tests
-  - The code must be clean and readable, with thought given to how we will maintain the code in the future
-  - If the feature requires being broken up into multiple PRs to ease review, the feature should not be exposed to users
-    until the feature is completed in the last PR. For example, while we were building `kustomize localize`, we
-    built the feature almost entirely under the `api` module as a library with all the needed tests. There was no way
-    for users to invoke the localize code until the last PR that actually exposed the `kustomize localize` command in the
-    kustomize binary. This allowed us to continue development of `kustomize localize` without blocking kustomize releases.
-    If this type of development is not possible, then new features requiring multiple PRs should be
-    developed in their own feature branch.
- If the PR is introducing a bug fix:
-  - If the PR is not fixing an issue that has already been triage/accepted, follow the triage guide below on bug
-    fixes to decide if this is a PR we want to accept.
-  - The PR should have two distinct commits:
-    - The first commit should add a test demonstrating incorrect behavior
-    - The second commit should include the bug fix
-    - Some sample PRs:
-      - https://github.com/kubernetes-sigs/kustomize/pull/5263/commits
-      - https://github.com/kubernetes-sigs/kustomize/pull/3931/commits
-    - The regression test is absolutely required, and we cannot accept bug fixes without tests.
- If the PR is introducing a performance improvement:
-  - The PR description should give an indication of how much the performance is being improved and how we
-    can measure it - benchmark tests are fantastic.
- Other PRs (documentation, CI improvements, etc.) should be reviewed based on your best judgment.
-
-## Triage guide
-The possible triage labels are listed here: https://github.com/kubernetes-sigs/kustomize/labels?q=triage.
-
-Triaging a feature request means:
- Understand what the user is asking for, and their use case.
- Verify that it is not an [eschewed feature](https://kubectl.docs.kubernetes.io/faq/kustomize/eschewedfeatures/#build-time-side-effects-from-cli-args-or-env-variables)
- Verify that it is not a duplicate issue.
- Look into workarounds. Is there another way that the user can achieve their use case with existing features?
- If you are new to this role, prior to leaving a comment on the issue, please bring it to weekly standup
-for group discussion to make sure that we are all on the same page.
- Once you feel ready, you can label it with a triage label. Here's an [example](https://github.com/kubernetes-sigs/kustomize/issues/5049). You can also
-look at other feature request issues to see how they were triaged and resolved. There are a few different triage labels that you can use, you can see the
-full list [here](https://github.com/kubernetes-sigs/kustomize/labels?q=triage).
-
-Triaging a bug means:
- First, verify that you can reproduce the issue. If you cannot reproduce the issue or need more information to give
-it a go, triage it accordingly.
- Try to understand if this is really a bug or if this is intended behavior from kustomize. If it seems like intended
-behavior, do your best to explain to the user why this is the case.
- If it seems to be a genuine bug, you can /triage accept the issue. In addition, investigate if there are workarounds or
-alternative solutions for the user that they can try until the issue gets resolved.
-
-The triage party for kustomize is here https://cli.triage.k8s.io/s/kustomize and can be a easy way to
-find issues that have not been triaged yet.
-
-## Project/Product Managers
-
-Kustomize will have opportunities to join in a project/product manager role. You can reach out to
-the existing kustomize maintainers if you are interested in this type of role. Project management work
-can greatly help supplement your contributions as you climb from reviewer to approver
-to owner.
-
-Expectations for this role are:
-
- Triage 1 feature request each week, and bring it to weekly stand-up for discussion. Feature
-requests are issues labeled kind/feature, and you can find them [here](https://github.com/kubernetes-sigs/kustomize/issues?q=is%3Aissue+is%3Aopen+kind+feature+label%3Akind%2Ffeature).
-Please view the above triage guide for details on how to approach feature request triage.
- Monitor the kustomize Slack channel and try to help users if you can. It is a pretty
-active channel, so responding to 4-5 users per week is sufficient even if some
-questions go unanswered. If there is an interesting topic or a recurring problem that many
-users are having, please bring it up in weekly stand-up.
- Keeping track of a queue of backlog issues or PRs that are not being actively looked at in any existing project board.
- Organizing or reorganizing project tracking boards when it makes sense.
-
-You will also be asked to help with roadmap planning, deprecation communication, prioritization,
-and doing research on kustomize usage when appropriate, though these responsibilities will occur less
-frequently.
-
-## Administrative notes:
-
- The [OWNERS file spec] is a useful resources in making changes.
- Maintainers and admins must be added to the appropriate lists in both [Kustomize OWNERS_ALIASES] and [SIG-CLI Teams]. If this isn't done, the individual in question will lack either PR approval rights (Kustomize list) or the appropriate Github repository permissions (community list).
-
 ## Contact Information

- [Slack channel]
- [Mailing list]
+- [Slack channel](https://kubernetes.slack.com/messages/sig-cli)
+- [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-cli)
--- a/407
+++ b/407
@@ -3,169 +3,223 @@
 #
 # Makefile for kustomize CLI and API.

-LATEST_RELEASE=v5.8.0
-
-SHELL := /usr/bin/env bash
-GOOS = $(shell go env GOOS)
-GOARCH = $(shell go env GOARCH)
-MYGOBIN = $(shell go env GOBIN)
-ifeq ($(MYGOBIN),)
-MYGOBIN = $(shell go env GOPATH)/bin
-endif
+MYGOBIN := $(shell go env GOPATH)/bin
+SHELL := /bin/bash
 export PATH := $(MYGOBIN):$(PATH)

-# Provide defaults for REPO_OWNER and REPO_NAME if not present.
-# Typically these values would be provided by Prow.
-ifndef REPO_OWNER
-REPO_OWNER := "kubernetes-sigs"
-endif
+.PHONY: all
+all: verify-kustomize

-ifndef REPO_NAME
-REPO_NAME := "kustomize"
-endif
-
-
-# --- Plugins ---
-include Makefile-plugins.mk
-
-
-# --- Tool management ---
-include Makefile-tools.mk
-
-.PHONY: install-tools
-install-tools: \
-	install-local-tools \
-	install-out-of-tree-tools
-
-.PHONY: uninstall-tools
-uninstall-tools: \
-	uninstall-local-tools \
-	uninstall-out-of-tree-tools
-
-.PHONY: install-local-tools
-install-local-tools: \
-	$(MYGOBIN)/gorepomod \
-	$(MYGOBIN)/k8scopy \
-	$(MYGOBIN)/pluginator
-
-.PHONY: uninstall-local-tools
-uninstall-local-tools:
-	rm -f $(MYGOBIN)/gorepomod
-	rm -f $(MYGOBIN)/k8scopy
-	rm -f $(MYGOBIN)/pluginator
-
-# Build from local source.
-$(MYGOBIN)/gorepomod:
-	cd cmd/gorepomod && go install .
-
-# Build from local source.
-$(MYGOBIN)/k8scopy:
-	cd cmd/k8scopy && go install .
-
-# Build from local source.
-$(MYGOBIN)/pluginator:
-	cd cmd/pluginator && go install .
-
-
-# --- Build targets ---
-
-# Build from local source.
-$(MYGOBIN)/kustomize: build-kustomize-api
-	cd kustomize && go install -ldflags \
-	"-X sigs.k8s.io/kustomize/api/provenance.buildDate=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ') \
-	 -X sigs.k8s.io/kustomize/api/provenance.version=$(shell git describe --tags --always --dirty)" \
-	.
-
-kustomize: $(MYGOBIN)/kustomize
-
-# Used to add non-default compilation flags when experimenting with
-# plugin-to-api compatibility checks.
-.PHONY: build-kustomize-api
-build-kustomize-api: $(MYGOBIN)/goimports $(builtinplugins)
-	cd api && $(MAKE) build
-
-.PHONY: generate-kustomize-api
-generate-kustomize-api:
-	cd api && $(MAKE) generate
-
-
-# --- Verification targets ---
-.PHONY: verify-kustomize-repo
-verify-kustomize-repo: \
-	install-tools \
-	lint \
-	check-license \
-	test-unit-all \
-	build-non-plugin-all \
-	test-go-mod \
+.PHONY: verify-kustomize
+verify-kustomize: \
+	lint-kustomize \
+	test-unit-kustomize-all \
 	test-examples-kustomize-against-HEAD \
-	test-examples-kustomize-against-latest-release
+	test-examples-kustomize-against-3.8.0

 # The following target referenced by a file in
 # https://github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes-sigs/kustomize
 .PHONY: prow-presubmit-check
 prow-presubmit-check: \
-	install-tools \
-	workspace-sync \
-	generate-kustomize-builtin-plugins \
-	builtin-plugins-diff \
-	test-unit-kustomize-plugins \
+	lint-kustomize \
+	test-unit-kustomize-all \
+	test-unit-cmd-all \
 	test-go-mod \
-	build-non-plugin-all \
 	test-examples-kustomize-against-HEAD \
-	test-examples-kustomize-against-latest-release
+	test-examples-kustomize-against-3.8.0

-.PHONY: license
-license: $(MYGOBIN)/addlicense
-	./hack/add-license.sh run
+.PHONY: verify-kustomize-e2e
+verify-kustomize-e2e: test-examples-e2e-kustomize

-.PHONY: check-license
-check-license: $(MYGOBIN)/addlicense
-	./hack/add-license.sh check
+# Other builds in this repo might want a different linter version.
+# Without one Makefile to rule them all, the different makes
+# cannot assume that golanci-lint is at the version they want
+# since everything uses the same implicit GOPATH.
+# This installs in a temp dir to avoid overwriting someone else's
+# linter, then installs in MYGOBIN with a new name.
+# Version pinned by hack/go.mod
+$(MYGOBIN)/golangci-lint-kustomize:
+	( \
+		set -e; \
+		cd hack; \
+		GO111MODULE=on go build -tags=tools -o $(MYGOBIN)/golangci-lint-kustomize github.com/golangci/golangci-lint/cmd/golangci-lint; \
+	)

-.PHONY: lint
-lint: $(MYGOBIN)/golangci-lint $(MYGOBIN)/goimports $(builtinplugins)
-	./hack/for-each-module.sh "make lint"
+# Version pinned by api/go.mod
+$(MYGOBIN)/mdrip:
+	cd api; \
+	go install github.com/monopole/mdrip

-.PHONY: apidiff
-apidiff: $(MYGOBIN)/go-apidiff ## Run the go-apidiff to verify any API differences compared with origin/master
-	go-apidiff master --compare-imports --print-compatible --repo-path=.
+# Version pinned by api/go.mod
+$(MYGOBIN)/stringer:
+	cd api; \
+	go install golang.org/x/tools/cmd/stringer

-.PHONY: test-unit-all
-test-unit-all: \
-	test-unit-non-plugin \
-	test-unit-kustomize-plugins
+# Version pinned by api/go.mod
+$(MYGOBIN)/goimports:
+	cd api; \
+	go install golang.org/x/tools/cmd/goimports

-.PHONY: test-unit-non-plugin
-test-unit-non-plugin:
-	./hack/for-each-module.sh "make test" "./plugin/*" 20
+# Install resource from whatever is checked out.
+$(MYGOBIN)/resource:
+	cd cmd/resource; \
+	go install .

-# This target is used by our Github Actions CI to run unit tests for all non-plugin and non-released modules in multiple GOOS environments.
-.PHONY: test-unit-non-plugin-and-non-released
-test-unit-non-plugin-and-non-released:
-	./hack/for-each-module.sh "make test" "./plugin/*|./kyaml/go.mod|./cmd/config/go.mod|./api/go.mod|./kustomize/go.mod" 16
+# To pin pluginator, use this recipe instead:
+#   cd api;
+#   go install sigs.k8s.io/kustomize/pluginator/v2
+$(MYGOBIN)/pluginator:
+	cd pluginator; \
+	go install .

-.PHONY: build-non-plugin-all
-build-non-plugin-all:
-	./hack/for-each-module.sh "make build" "./plugin/*" 20
+# Install kustomize from whatever is checked out.
+$(MYGOBIN)/kustomize:
+	cd kustomize; \
+	go install .
+
+.PHONY: install-tools
+install-tools: \
+	$(MYGOBIN)/goimports \
+	$(MYGOBIN)/golangci-lint-kustomize \
+	$(MYGOBIN)/mdrip \
+	$(MYGOBIN)/pluginator \
+	$(MYGOBIN)/stringer
+
+### Begin kustomize plugin rules.
+#
+# The rules to deal with builtin plugins are a bit
+# complicated because
+#
+# - Every builtin plugin is a Go plugin -
+#   meaning it gets its own module directory
+#   (outside of the api module) with Go
+#   code in a 'main' package per Go plugin rules.
+# - kustomize locates plugins using the
+#   'apiVersion' and 'kind' fields from the
+#   plugin config file.
+# - k8s wants CamelCase in 'kind' fields.
+# - The module name (the last name in the path)
+#   must be the lowercased 'kind' of the
+#   plugin because Go and related tools
+#   demand lowercase in import paths, but
+#   allow CamelCase in file names.
+# - the generated code must live in the api
+#   module (it's linked into the api).
+
+# Where all generated builtin plugin code should go.
+pGen=api/builtins
+# Where the builtin Go plugin modules live.
+pSrc=plugin/builtin
+
+_builtinplugins = \
+	AnnotationsTransformer.go \
+	ConfigMapGenerator.go \
+	HashTransformer.go \
+	ImageTagTransformer.go \
+	LabelTransformer.go \
+	LegacyOrderTransformer.go \
+	NamespaceTransformer.go \
+	PatchJson6902Transformer.go \
+	PatchStrategicMergeTransformer.go \
+	PatchTransformer.go \
+	PrefixSuffixTransformer.go \
+	ReplicaCountTransformer.go \
+	SecretGenerator.go \
+	ValueAddTransformer.go
+
+# Maintaining this explicit list of generated files, and
+# adding it as a dependency to a few targets, to assure
+# they get recreated if deleted.  The rules below on how
+# to make them don't, by themselves, assure they will be
+# recreated if deleted.
+builtinplugins = $(patsubst %,$(pGen)/%,$(_builtinplugins))
+
+# These rules are verbose, but assure that if a source file
+# is modified, the corresponding generated file, and only
+# that file, will be recreated.
+$(pGen)/AnnotationsTransformer.go: $(pSrc)/annotationstransformer/AnnotationsTransformer.go
+$(pGen)/ConfigMapGenerator.go: $(pSrc)/configmapgenerator/ConfigMapGenerator.go
+$(pGen)/HashTransformer.go: $(pSrc)/hashtransformer/HashTransformer.go
+$(pGen)/ImageTagTransformer.go: $(pSrc)/imagetagtransformer/ImageTagTransformer.go
+$(pGen)/LabelTransformer.go: $(pSrc)/labeltransformer/LabelTransformer.go
+$(pGen)/LegacyOrderTransformer.go: $(pSrc)/legacyordertransformer/LegacyOrderTransformer.go
+$(pGen)/NamespaceTransformer.go: $(pSrc)/namespacetransformer/NamespaceTransformer.go
+$(pGen)/PatchJson6902Transformer.go: $(pSrc)/patchjson6902transformer/PatchJson6902Transformer.go
+$(pGen)/PatchStrategicMergeTransformer.go: $(pSrc)/patchstrategicmergetransformer/PatchStrategicMergeTransformer.go
+$(pGen)/PatchTransformer.go: $(pSrc)/patchtransformer/PatchTransformer.go
+$(pGen)/PrefixSuffixTransformer.go: $(pSrc)/prefixsuffixtransformer/PrefixSuffixTransformer.go
+$(pGen)/ReplicaCountTransformer.go: $(pSrc)/replicacounttransformer/ReplicaCountTransformer.go
+$(pGen)/SecretGenerator.go: $(pSrc)/secretgenerator/SecretGenerator.go
+$(pGen)/ValueAddTransformer.go: $(pSrc)/valueaddtransformer/ValueAddTransformer.go
+
+# The (verbose but portable) Makefile way to convert to lowercase.
+toLowerCase = $(subst A,a,$(subst B,b,$(subst C,c,$(subst D,d,$(subst E,e,$(subst F,f,$(subst G,g,$(subst H,h,$(subst I,i,$(subst J,j,$(subst K,k,$(subst L,l,$(subst M,m,$(subst N,n,$(subst O,o,$(subst P,p,$(subst Q,q,$(subst R,r,$(subst S,s,$(subst T,t,$(subst U,u,$(subst V,v,$(subst W,w,$(subst X,x,$(subst Y,y,$(subst Z,z,$1))))))))))))))))))))))))))
+
+$(pGen)/%.go: $(MYGOBIN)/pluginator
+	@echo "generating $*"
+	( \
+		set -e; \
+		cd $(pSrc)/$(call toLowerCase,$*); \
+		go generate .; \
+		cd ../../../$(pGen); \
+		$(MYGOBIN)/goimports -w $*.go \
+	)
+
+# Target is for debugging.
+.PHONY: generate-kustomize-builtin-plugins
+generate-kustomize-builtin-plugins: $(builtinplugins)
+
+.PHONY: kustomize-external-go-plugin-build
+kustomize-external-go-plugin-build:
+	./hack/buildExternalGoPlugins.sh ./plugin
+
+.PHONY: kustomize-external-go-plugin-clean
+kustomize-external-go-plugin-clean:
+	./hack/buildExternalGoPlugins.sh ./plugin clean
+
+### End kustomize plugin rules.
+
+.PHONY: lint-kustomize
+lint-kustomize: install-tools $(builtinplugins)
+	cd api; \
+	$(MYGOBIN)/golangci-lint-kustomize -c ../.golangci-kustomize.yml run ./...
+	cd kustomize; \
+	$(MYGOBIN)/golangci-lint-kustomize -c ../.golangci-kustomize.yml run ./...
+	cd pluginator; \
+	$(MYGOBIN)/golangci-lint-kustomize -c ../.golangci-kustomize.yml run ./...
+
+# Used to add non-default compilation flags when experimenting with
+# plugin-to-api compatibility checks.
+.PHONY: build-kustomize-api
+build-kustomize-api: $(builtinplugins)
+	cd api; go build ./...
+
+.PHONY: test-unit-kustomize-api
+test-unit-kustomize-api: build-kustomize-api
+	cd api; go test ./...  -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222"

 .PHONY: test-unit-kustomize-plugins
-test-unit-kustomize-plugins: build-kustomize-external-go-plugin
+test-unit-kustomize-plugins:
 	./hack/testUnitKustomizePlugins.sh

-.PHONY: functions-examples-all
-functions-examples-all:
-	for dir in $(abspath $(wildcard functions/examples/*/.)); do \
-		echo -e "\n---Running make tasks for function $$dir---"; \
-		set -e; \
-		cd $$dir; $(MAKE) all; \
-	done
+.PHONY: test-unit-kustomize-cli
+test-unit-kustomize-cli:
+	cd kustomize; go test ./...
+
+.PHONY: test-unit-kustomize-all
+test-unit-kustomize-all: \
+	test-unit-kustomize-api \
+	test-unit-kustomize-cli \
+	test-unit-kustomize-plugins
+
+test-unit-cmd-all:
+	./travis/kyaml-pre-commit.sh

 test-go-mod:
-	./hack/for-each-module.sh "go mod tidy -v"
+	./travis/check-go-mod.sh

 .PHONY:
-verify-kustomize-e2e: $(MYGOBIN)/mdrip $(MYGOBIN)/kind
+test-examples-e2e-kustomize: $(MYGOBIN)/mdrip $(MYGOBIN)/kind
 	( \
 		set -e; \
 		/bin/rm -f $(MYGOBIN)/kustomize; \
@@ -179,21 +233,84 @@ test-examples-kustomize-against-HEAD: $(MYGOBIN)/kustomize $(MYGOBIN)/mdrip
 	./hack/testExamplesAgainstKustomize.sh HEAD

 .PHONY:
-test-examples-kustomize-against-latest-release: $(MYGOBIN)/mdrip
-	./hack/testExamplesAgainstKustomize.sh v5@$(LATEST_RELEASE)
+test-examples-kustomize-against-3.8.0: $(MYGOBIN)/mdrip
+	( \
+		set -e; \
+		tag=v3.8.0; \
+		/bin/rm -f $(MYGOBIN)/kustomize; \
+		echo "Installing kustomize $$tag."; \
+		GO111MODULE=on go get sigs.k8s.io/kustomize/kustomize/v3@$${tag}; \
+		./hack/testExamplesAgainstKustomize.sh $$tag; \
+		echo "Reinstalling kustomize from HEAD."; \
+		cd kustomize; go install .; \
+	)

-# Pushes dependencies in the go.work file back to go.mod files of each workspace module.
-.PHONY: workspace-sync
-workspace-sync:
-	go work sync
-	./hack/doGoMod.sh tidy
+# linux only.
+# This is for testing an example plugin that
+# uses kubeval for validation.
+# Don't want to add a hard dependence in go.mod file
+# to github.com/instrumenta/kubeval.
+# Instead, download the binary.
+$(MYGOBIN)/kubeval:
+	( \
+		set -e; \
+		d=$(shell mktemp -d); cd $$d; \
+		wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz; \
+		tar xf kubeval-linux-amd64.tar.gz; \
+		mv kubeval $(MYGOBIN); \
+		rm -rf $$d; \
+	)
+
+# linux only.
+# This is for testing an example plugin that uses helm to inflate a chart
+# for subsequent kustomization.
+# Don't want to add a hard dependence in go.mod file to helm.
+# Instead, download the binaries.
+$(MYGOBIN)/helmV2:
+	( \
+		set -e; \
+		d=$(shell mktemp -d); cd $$d; \
+		tgzFile=helm-v2.13.1-linux-amd64.tar.gz; \
+		wget https://storage.googleapis.com/kubernetes-helm/$$tgzFile; \
+		tar -xvzf $$tgzFile; \
+		mv linux-amd64/helm $(MYGOBIN)/helmV2; \
+		rm -rf $$d \
+	)
+
+# Helm V3 differs from helm V2; downloading it to provide coverage for the
+# chart inflator plugin under helm v3.
+$(MYGOBIN)/helmV3:
+	( \
+		set -e; \
+		d=$(shell mktemp -d); cd $$d; \
+		tgzFile=helm-v3.2.0-rc.1-linux-amd64.tar.gz; \
+		wget https://get.helm.sh/$$tgzFile; \
+		tar -xvzf $$tgzFile; \
+		mv linux-amd64/helm $(MYGOBIN)/helmV3; \
+		rm -rf $$d \
+	)
+
+# Default version of helm is v2 for the time being.
+$(MYGOBIN)/helm: $(MYGOBIN)/helmV2
+	ln -s $(MYGOBIN)/helmV2 $(MYGOBIN)/helm
+
+$(MYGOBIN)/kind:
+	( \
+        set -e; \
+        d=$(shell mktemp -d); cd $$d; \
+        wget -O ./kind https://github.com/kubernetes-sigs/kind/releases/download/v0.7.0/kind-$(shell uname)-amd64; \
+        chmod +x ./kind; \
+        mv ./kind $(MYGOBIN); \
+        rm -rf $$d; \
+	)

-# --- Cleanup targets ---
 .PHONY: clean
-clean: clean-kustomize-external-go-plugin uninstall-tools
+clean: kustomize-external-go-plugin-clean
 	go clean --cache
 	rm -f $(builtinplugins)
+	rm -f $(MYGOBIN)/pluginator
 	rm -f $(MYGOBIN)/kustomize
+	rm -f $(MYGOBIN)/golangci-lint-kustomize

 # Nuke the site from orbit.  It's the only way to be sure.
 .PHONY: nuke
--- a/Makefile-modules.mk
+++ b/Makefile-modules.mk
@@ -1,39 +0,0 @@
-# Copyright 2022 The Kubernetes Authors.
-# SPDX-License-Identifier: Apache-2.0
-
-MYGOBIN = $(shell go env GOBIN)
-ifeq ($(MYGOBIN),)
-MYGOBIN = $(shell go env GOPATH)/bin
-endif
-export PATH := $(MYGOBIN):$(PATH)
-
-# only set this if not already set, so importing makefiles can override it
-export KUSTOMIZE_ROOT ?= $(shell pwd | sed -E 's|(.*\/kustomize)/(.*)|\1|')
-include $(KUSTOMIZE_ROOT)/Makefile-tools.mk
-
-.PHONY: lint test fix fmt tidy vet build
-
-lint: $(MYGOBIN)/golangci-lint
-	$(MYGOBIN)/golangci-lint cache clean # Workaround for https://github.com/golangci/golangci-lint/issues/3228
-	$(MYGOBIN)/golangci-lint \
-	  -c $$KUSTOMIZE_ROOT/.golangci.yml \
-	  --path-prefix $(shell pwd | sed -E 's|(.*\/kustomize)/(.*)|\2|') \
-	  run ./...
-
-test:
-	go test -v -timeout 45m -cover ./...
-
-fix:
-	go fix ./...
-
-fmt:
-	go fmt ./...
-
-tidy:
-	go mod tidy
-
-vet:
-	go vet ./...
-
-build:
-	go build -v -o $(MYGOBIN) ./...
--- a/Makefile-plugins.mk
+++ b/Makefile-plugins.mk
@@ -1,122 +0,0 @@
-# Copyright 2022 The Kubernetes Authors.
-# SPDX-License-Identifier: Apache-2.0
-
-### Kustomize plugin rules.
-#
-# The rules to deal with builtin plugins are a bit
-# complicated because
-#
-# - Every builtin plugin is a Go plugin -
-#   meaning it gets its own module directory
-#   (outside of the api module) with Go
-#   code in a 'main' package per Go plugin rules.
-# - kustomize locates plugins using the
-#   'apiVersion' and 'kind' fields from the
-#   plugin config file.
-# - k8s wants CamelCase in 'kind' fields.
-# - The module name (the last name in the path)
-#   must be the lowercased 'kind' of the
-#   plugin because Go and related tools
-#   demand lowercase in import paths, but
-#   allow CamelCase in file names.
-# - the generated code must live in the api
-#   module (it's linked into the api).
-
-# Where all generated builtin plugin code should go.
-pGen=api/internal/builtins
-# Where the builtin Go plugin modules live.
-pSrc=plugin/builtin
-
-_builtinplugins = \
-	AnnotationsTransformer.go \
-	ConfigMapGenerator.go \
-	IAMPolicyGenerator.go \
-	HashTransformer.go \
-	ImageTagTransformer.go \
-	LabelTransformer.go \
-	SortOrderTransformer.go \
-	NamespaceTransformer.go \
-	PatchJson6902Transformer.go \
-	PatchStrategicMergeTransformer.go \
-	PatchTransformer.go \
-	PrefixTransformer.go \
-	SuffixTransformer.go \
-	ReplacementTransformer.go \
-	ReplicaCountTransformer.go \
-	SecretGenerator.go \
-	ValueAddTransformer.go \
-	HelmChartInflationGenerator.go
-
-# Maintaining this explicit list of generated files, and
-# adding it as a dependency to a few targets, to assure
-# they get recreated if deleted.  The rules below on how
-# to make them don't, by themselves, assure they will be
-# recreated if deleted.
-builtinplugins = $(patsubst %,$(pGen)/%,$(_builtinplugins))
-
-# These rules are verbose, but assure that if a source file
-# is modified, the corresponding generated file, and only
-# that file, will be recreated.
-$(pGen)/AnnotationsTransformer.go: $(pSrc)/annotationstransformer/AnnotationsTransformer.go
-$(pGen)/ConfigMapGenerator.go: $(pSrc)/configmapgenerator/ConfigMapGenerator.go
-$(pGen)/GkeSaGenerator.go: $(pSrc)/gkesagenerator/GkeSaGenerator.go
-$(pGen)/HashTransformer.go: $(pSrc)/hashtransformer/HashTransformer.go
-$(pGen)/ImageTagTransformer.go: $(pSrc)/imagetagtransformer/ImageTagTransformer.go
-$(pGen)/LabelTransformer.go: $(pSrc)/labeltransformer/LabelTransformer.go
-$(pGen)/SortOrderTransformer.go: $(pSrc)/sortordertransformer/SortOrderTransformer.go
-$(pGen)/NamespaceTransformer.go: $(pSrc)/namespacetransformer/NamespaceTransformer.go
-$(pGen)/PatchJson6902Transformer.go: $(pSrc)/patchjson6902transformer/PatchJson6902Transformer.go
-$(pGen)/PatchStrategicMergeTransformer.go: $(pSrc)/patchstrategicmergetransformer/PatchStrategicMergeTransformer.go
-$(pGen)/PatchTransformer.go: $(pSrc)/patchtransformer/PatchTransformer.go
-$(pGen)/PrefixTransformer.go: $(pSrc)/prefixtransformer/PrefixTransformer.go
-$(pGen)/SuffixTransformer.go: $(pSrc)/suffixtransformer/SuffixTransformer.go
-$(pGen)/ReplacementTransformer.go: $(pSrc)/replacementtransformer/ReplacementTransformer.go
-$(pGen)/ReplicaCountTransformer.go: $(pSrc)/replicacounttransformer/ReplicaCountTransformer.go
-$(pGen)/SecretGenerator.go: $(pSrc)/secretgenerator/SecretGenerator.go
-$(pGen)/ValueAddTransformer.go: $(pSrc)/valueaddtransformer/ValueAddTransformer.go
-$(pGen)/HelmChartInflationGenerator.go: $(pSrc)/helmchartinflationgenerator/HelmChartInflationGenerator.go
-
-# The (verbose but portable) Makefile way to convert to lowercase.
-toLowerCase = $(subst A,a,$(subst B,b,$(subst C,c,$(subst D,d,$(subst E,e,$(subst F,f,$(subst G,g,$(subst H,h,$(subst I,i,$(subst J,j,$(subst K,k,$(subst L,l,$(subst M,m,$(subst N,n,$(subst O,o,$(subst P,p,$(subst Q,q,$(subst R,r,$(subst S,s,$(subst T,t,$(subst U,u,$(subst V,v,$(subst W,w,$(subst X,x,$(subst Y,y,$(subst Z,z,$1))))))))))))))))))))))))))
-
-$(pGen)/%.go: $(MYGOBIN)/pluginator $(MYGOBIN)/goimports
-	@echo "generating $*"
-	( \
-		set -e; \
-		cd $(pSrc)/$(call toLowerCase,$*); \
-		go generate .; \
-		cd ../../../$(pGen); \
-		$(MYGOBIN)/goimports -w $*.go \
-	)
-
-# Generate builtin plugins
-.PHONY: generate-kustomize-builtin-plugins
-generate-kustomize-builtin-plugins: $(builtplugins)
-	for plugin in $(abspath $(wildcard $(pSrc)/*)); do \
-		echo "generating $${plugin} ..."; \
-		set -e; \
-		cd $${plugin}; \
-		go generate .; \
-	done
-
-# Check for diff by comparing current revision of generated plugins on HEAD and newly generated plugins on local branch,
-# If diff is found, throw error code 1
-.PHONY: builtin-plugins-diff
-builtin-plugins-diff: $(builtplugins)
-	for file in $(abspath $(builtinplugins)); do \
-		echo "Checking for diff... $${file}" ; \
-		set -e ; \
-		if [ "`git diff $${file} | wc -c`" -gt 0 ]; then\
-			echo "Error(1): diff found on $${file}"; \
-			git diff $${file};\
-			exit 1;\
-		fi \
-	done
-
-.PHONY: build-kustomize-external-go-plugin
-build-kustomize-external-go-plugin:
-	./hack/buildExternalGoPlugins.sh ./plugin
-
-.PHONY: clean-kustomize-external-go-plugin
-clean-kustomize-external-go-plugin:
-	./hack/buildExternalGoPlugins.sh ./plugin clean
--- a/Makefile-tools.mk
+++ b/Makefile-tools.mk
@@ -1,97 +0,0 @@
-# Copyright 2022 The Kubernetes Authors.
-# SPDX-License-Identifier: Apache-2.0
-
-GOOS = $(shell go env GOOS)
-GOARCH = $(shell go env GOARCH)
-MYGOBIN = $(shell go env GOBIN)
-ifeq ($(MYGOBIN),)
-MYGOBIN = $(shell go env GOPATH)/bin
-endif
-export PATH := $(MYGOBIN):$(PATH)
-
-REPO_ROOT=$(shell git rev-parse --show-toplevel)
-
-# determines whether to run tests that only behave locally; can be overridden by override variable
-export IS_LOCAL = false
-
-.PHONY: install-out-of-tree-tools
-install-out-of-tree-tools: \
-	$(MYGOBIN)/goimports \
-	$(MYGOBIN)/golangci-lint \
-	$(MYGOBIN)/helmV3 \
-	$(MYGOBIN)/mdrip \
-	$(MYGOBIN)/stringer
-
-.PHONY: uninstall-out-of-tree-tools
-uninstall-out-of-tree-tools:
-	rm -f $(MYGOBIN)/goimports
-	rm -f $(MYGOBIN)/golangci-lint
-	rm -f $(MYGOBIN)/helmV3
-	rm -f $(MYGOBIN)/mdrip
-	rm -f $(MYGOBIN)/stringer
-
-.PHONY: $(MYGOBIN)/golangci-lint
-$(MYGOBIN)/golangci-lint:
-	cd $(REPO_ROOT)/hack && go install github.com/golangci/golangci-lint/cmd/golangci-lint
-
-.PHONY: $(MYGOBIN)/mdrip
-$(MYGOBIN)/mdrip:
-	cd $(REPO_ROOT)/hack && go install github.com/monopole/mdrip
-
-.PHONY: $(MYGOBIN)/stringer
-$(MYGOBIN)/stringer:
-	cd $(REPO_ROOT)/hack && go install golang.org/x/tools/cmd/stringer
-
-.PHONY: $(MYGOBIN)/goimports
-$(MYGOBIN)/goimports:
-	cd $(REPO_ROOT)/hack && go install golang.org/x/tools/cmd/goimports
-
-.PHONY: $(MYGOBIN)/mdtogo
-$(MYGOBIN)/mdtogo:
-	cd $(REPO_ROOT)/hack && go install sigs.k8s.io/kustomize/cmd/mdtogo
-
-.PHONY: $(MYGOBIN)/addlicense
-$(MYGOBIN)/addlicense:
-	cd $(REPO_ROOT)/hack && go install github.com/google/addlicense
-
-.PHONY: $(MYGOBIN)/kind
-$(MYGOBIN)/kind:
-	cd $(REPO_ROOT)/hack && go install sigs.k8s.io/kind
-
-.PHONY: $(MYGOBIN)/controller-gen
-$(MYGOBIN)/controller-gen:
-	cd $(REPO_ROOT)/hack && go install sigs.k8s.io/controller-tools/cmd/controller-gen
-
-.PHONY: $(MYGOBIN)/embedmd
-$(MYGOBIN)/embedmd:
-	cd $(REPO_ROOT)/hack && go install github.com/campoy/embedmd
-
-.PHONY: $(MYGOBIN)/go-bindata
-$(MYGOBIN)/go-bindata:
-	cd $(REPO_ROOT)/hack && go install github.com/go-bindata/go-bindata/v3/go-bindata
-
-.PHONY: $(MYGOBIN)/go-apidiff
-$(MYGOBIN)/go-apidiff:
-	cd $(REPO_ROOT)/hack && go install github.com/joelanford/go-apidiff
-
-.PHONY: $(MYGOBIN)/gh
-$(MYGOBIN)/gh:
-	cd $(REPO_ROOT)/hack && go install github.com/cli/cli/cmd/gh
-
-.PHONY: $(MYGOBIN)/kubeval
-$(MYGOBIN)/kubeval:
-	cd $(REPO_ROOT)/hack && go install github.com/instrumenta/kubeval
-
-# Helm V3 differs from helm V2; downloading it to provide coverage for the
-# chart inflator plugin under helm v3.
-.PHONY: $(MYGOBIN)/helmV3
-$(MYGOBIN)/helmV3:
-	( \
-		set -e; \
-		d=$(shell mktemp -d); cd $$d; \
-		tgzFile=helm-v3.10.2-$(GOOS)-$(GOARCH).tar.gz; \
-		wget https://get.helm.sh/$$tgzFile; \
-		tar -xvzf $$tgzFile; \
-		mv $(GOOS)-$(GOARCH)/helm $(MYGOBIN)/helmV3; \
-		rm -rf $$d \
-	)
--- a/5
+++ b/5
@@ -1,5 +1,4 @@
 # See https://github.com/kubernetes/community/blob/master/community-membership.md
 approvers:
-  - kustomize-approvers
-reviewers:
-  - kustomize-reviewers
+  - kustomize-admins
+  - kustomize-maintainers
--- a/47
+++ b/47
@@ -1,36 +1,13 @@
-# Keep *-owners and *-approvers lists in sync with *-admins and *-maintainers in
-# https://github.com/kubernetes/org/blob/main/config/kubernetes-sigs/sig-cli/teams.yaml
 aliases:
-  kustomize-owners:
-    - knverey
-    - koba1t
-  kustomize-approvers:
-    - knverey
-    - koba1t
-    - varshaprasad96
-  kustomize-reviewers:
-    - knverey
-    - koba1t
-    - varshaprasad96
-    - ncapps
-
-  docs-approvers:
-    - ncapps
-  docs-reviewers:
-    - ncapps
-
-  commands-approvers: []
-  commands-reviewers: []
-
-  #  emeritus:
-  #    - liujingfang1
-  #    - Shell32-Natsu
-  #    - justinsb
-  #    - monopole
-  #    - pwittrock
-  #    - mengqiy
-  #    - mortent
-  #    - phanimarupaka
-  #    - natasha41575
-  #    - annasong20
-  #    - yuwenma
+  kustomize-admins:
+    - monopole
+    - pwittrock
+  kustomize-maintainers:
+    - droot
+    - justinsb
+    - liujingfang1
+    - mengqiy
+    - monopole
+    - pwittrock
+    - mortent
+    - phanimarupaka
--- a/README.md
+++ b/README.md
@@ -11,8 +11,8 @@ and it's like [`sed`], in that it emits edited text.

 This tool is sponsored by [sig-cli] ([KEP]).

- - [Installation instructions](https://kubectl.docs.kubernetes.io/installation/kustomize/)
- - [General documentation](https://kubectl.docs.kubernetes.io/references/kustomize/)
+ - [Installation instructions](https://kubernetes-sigs.github.io/kustomize/installation)
+ - [General documentation](https://kubernetes-sigs.github.io/kustomize)
 - [Examples](examples)

 [![Build Status](https://prow.k8s.io/badge.svg?jobs=kustomize-presubmit-master)](https://prow.k8s.io/job-history/kubernetes-jenkins/pr-logs/directory/kustomize-presubmit-master)
@@ -20,40 +20,15 @@ This tool is sponsored by [sig-cli] ([KEP]).

 ## kubectl integration

-To find the kustomize version embedded in recent versions of kubectl, run `kubectl version`:
+Since [v1.14][kubectl announcement] the kustomize build system has been included in kubectl.

-```sh
-> kubectl version --client
-Client Version: v1.31.0
-Kustomize Version: v5.4.2
-```
+| kubectl version | kustomize version |
+|---------|--------|
+| v1.16.0 | [v2.0.3](/../../tree/v2.0.3) |
+| v1.15.x | [v2.0.3](/../../tree/v2.0.3) |
+| v1.14.x | [v2.0.3](/../../tree/v2.0.3) |

-The kustomize build flow at [v2.0.3] was added
-to [kubectl v1.14][kubectl announcement].  The kustomize
-flow in kubectl remained frozen at v2.0.3 until kubectl v1.21,
-which [updated it to v4.0.5][kust-in-kubectl update]. It will
-be updated on a regular basis going forward, and such updates
-will be reflected in the Kubernetes release notes.
-
-| Kubectl version | Kustomize version |
-| --------------- | ----------------- |
-| < v1.14         | n/a               |
-| v1.14-v1.20     | v2.0.3            |
-| v1.21           | v4.0.5            |
-| v1.22           | v4.2.0            |
-| v1.23           | v4.4.1            |
-| v1.24           | v4.5.4            |
-| v1.25           | v4.5.7            |
-| v1.26           | v4.5.7            |
-| v1.27           | v5.0.1            |
-
-[v2.0.3]: https://github.com/kubernetes-sigs/kustomize/releases/tag/v2.0.3
-[#2506]: https://github.com/kubernetes-sigs/kustomize/issues/2506
-[#1500]: https://github.com/kubernetes-sigs/kustomize/issues/1500
-[kust-in-kubectl update]: https://github.com/kubernetes/kubernetes/blob/4d75a6238a6e330337526e0513e67d02b1940b63/CHANGELOG/CHANGELOG-1.21.md#kustomize-updates-in-kubectl
-
-For examples and guides for using the kubectl integration please
-see the [kubernetes documentation].
+For examples and guides for using the kubectl integration please see the [kubectl book] or the [kubernetes documentation].

 ## Usage

@@ -68,37 +43,7 @@ This file should declare those resources, and any
 customization to apply to them, e.g. _add a common
 label_.

-```
-
-base: kustomization + resources
-
-kustomization.yaml                                      deployment.yaml                                                 service.yaml
-+---------------------------------------------+         +-------------------------------------------------------+       +-----------------------------------+
-| apiVersion: kustomize.config.k8s.io/v1beta1 |         | apiVersion: apps/v1                                   |       | apiVersion: v1                    |
-| kind: Kustomization                         |         | kind: Deployment                                      |       | kind: Service                     |
-| labels:                                     |         | metadata:                                             |       | metadata:                         |
-| - includeSelectors: true                    |         |   name: myapp                                         |       |   name: myapp                     |
-|   pairs:                                    |         | spec:                                                 |       | spec:                             |
-|     app: myapp                              |         |   selector:                                           |       |   selector:                       |
-| resources:                                  |         |     matchLabels:                                      |       |     app: myapp                    |
-|   - deployment.yaml                         |         |       app: myapp                                      |       |   ports:                          |
-|   - service.yaml                            |         |   template:                                           |       |     - port: 6060                  |
-| configMapGenerator:                         |         |     metadata:                                         |       |       targetPort: 6060            |
-|   - name: myapp-map                         |         |       labels:                                         |       +-----------------------------------+
-|     literals:                               |         |         app: myapp                                    |
-|       - KEY=value                           |         |     spec:                                             |
-+---------------------------------------------+         |       containers:                                     |
-                                                        |         - name: myapp                                 |
-                                                        |           image: myapp                                |
-                                                        |           resources:                                  |
-                                                        |             limits:                                   |
-                                                        |               memory: "128Mi"                         |
-                                                        |               cpu: "500m"                             |
-                                                        |           ports:                                      |
-                                                        |             - containerPort: 6060                     |
-                                                        +-------------------------------------------------------+
-
-```
+![base image][imageBase]

 File structure:

@@ -134,41 +79,20 @@ Manage traditional [variants] of a configuration - like
 _development_, _staging_ and _production_ - using
 [overlays] that modify a common [base].

-```
-
-overlay: kustomization + patches
-
-kustomization.yaml                                      replica_count.yaml                      cpu_count.yaml
-+-----------------------------------------------+       +-------------------------------+       +------------------------------------------+
-| apiVersion: kustomize.config.k8s.io/v1beta1   |       | apiVersion: apps/v1           |       | apiVersion: apps/v1                      |
-| kind: Kustomization                           |       | kind: Deployment              |       | kind: Deployment                         |
-| labels:                                       |       | metadata:                     |       | metadata:                                |
-|  - includeSelectors: true                     |       |   name: myapp                 |       |   name: myapp                            |
-|    pairs:                                     |       | spec:                         |       | spec:                                    |
-|      variant: prod                            |       |   replicas: 80                |       |  template:                               |
-| resources:                                    |       +-------------------------------+       |     spec:                                |
-|   - ../../base                                |                                               |       containers:                        |
-| patches:                                      |                                               |         - name: myapp                    |
-|   - path: replica_count.yaml                  |                                               |           resources:                     |
-|   - path: cpu_count.yaml                      |                                               |             limits:                      |
-+-----------------------------------------------+                                               |               memory: "128Mi"            |
-                                                                                                |               cpu: "7000m"               |
-                                                                                                +------------------------------------------+
-```
-
+![overlay image][imageOverlay]

 File structure:
 > ```
 > ~/someApp
 > ├── base
-> │   ├── deployment.yaml
-> │   ├── kustomization.yaml
-> │   └── service.yaml
+> │   ├── deployment.yaml
+> │   ├── kustomization.yaml
+> │   └── service.yaml
 > └── overlays
 >     ├── development
->     │   ├── cpu_count.yaml
->     │   ├── kustomization.yaml
->     │   └── replica_count.yaml
+>     │   ├── cpu_count.yaml
+>     │   ├── kustomization.yaml
+>     │   └── replica_count.yaml
 >     └── production
 >         ├── cpu_count.yaml
 >         ├── kustomization.yaml
@@ -205,9 +129,8 @@ The YAML can be directly [applied] to a cluster:

 ## Community

- [file a bug](https://kubectl.docs.kubernetes.io/contributing/kustomize/bugs/)
- [contribute a feature](https://kubectl.docs.kubernetes.io/contributing/kustomize/features/)
- [propose a larger enhancement](https://github.com/kubernetes-sigs/kustomize/tree/master/proposals)
+- [file a bug](https://kubernetes-sigs.github.io/kustomize/contributing/bugs/) instructions
+- [contribute a feature](https://kubernetes-sigs.github.io/kustomize/contributing/features/) instructions

 ### Code of conduct

@@ -216,20 +139,27 @@ is governed by the [Kubernetes Code of Conduct].

 [`make`]: https://www.gnu.org/software/make
 [`sed`]: https://www.gnu.org/software/sed
-[DAM]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#declarative-application-management
-[KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/2377-Kustomize/README.md
+[DAM]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#declarative-application-management
+[KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/0008-kustomize.md
 [Kubernetes Code of Conduct]: code-of-conduct.md
-[applied]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#apply
-[base]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#base
-[declarative configuration]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#declarative-application-management
+[applied]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#apply
+[base]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#base
+[declarative configuration]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#declarative-application-management
+[imageBase]: docs/images/base.jpg
+[imageOverlay]: docs/images/overlay.jpg
 [kubectl announcement]: https://kubernetes.io/blog/2019/03/25/kubernetes-1-14-release-announcement
+[kubectl book]: https://kubectl.docs.kubernetes.io/pages/app_customization/introduction.html
 [kubernetes documentation]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/
-[kubernetes style]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#kubernetes-style-object
-[kustomization]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#kustomization
-[overlay]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#overlay
-[overlays]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#overlay
+[kubernetes style]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#kubernetes-style-object
+[kustomization]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#kustomization
+[overlay]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#overlay
+[overlays]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#overlay
 [release page]: https://github.com/kubernetes-sigs/kustomize/releases
-[resource]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#resource
-[resources]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#resource
+[resource]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#resource
+[resources]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#resource
 [sig-cli]: https://github.com/kubernetes/community/blob/master/sig-cli/README.md
-[variants]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#variant
+[variant]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#variant
+[variants]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#variant
+[v2.0.3]: https://github.com/kubernetes-sigs/kustomize/releases/tag/v2.0.3
+[v2.1.0]: https://github.com/kubernetes-sigs/kustomize/releases/tag/v2.1.0
+[workflows]: https://kubernetes-sigs.github.io/kustomize/guides
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,185 +0,0 @@
-# Kustomize roadmap 2023-2024
-
-This document describes the items that we hope to make progress on over the next
-1 year (H2 2023 and H1 2024). Take this roadmap as more of what we hope to achieve
-rather than what we promise to achieve, as some items in this doc are highly dependent
-on the success that we have on-ramping new contributors to the project, and other
-items will depend on external contributions, which can vary.
-
-If you are interested in contributing to a particular area, you can look through
-the project board for that area and assign yourself to one of the issues. It is
-recommended to start with smaller issues to ramp up on the project before starting
-to tackle larger issues.
-
-Project boards:
-https://github.com/orgs/kubernetes-sigs/projects/50
-https://github.com/orgs/kubernetes-sigs/projects/51
-https://github.com/orgs/kubernetes-sigs/projects/52
-https://github.com/orgs/kubernetes-sigs/projects/53
-https://github.com/orgs/kubernetes-sigs/projects/54
-
-## Kustomize contributors (at time of writing):
-
-kustomize owner: @natasha41575
-
-kustomize maintainers: @annasong20, @koba1t
-
-kustomize contributors: @varshaprasad96
-
-
-# H2 2023
-
-## Goal: Create kustomize leadership and contributor playbooks
-
-Contributors: natasha41575, annasong20
-
-Priority: High
-
-Effort: Medium
-
-In the past, when the leads stopped contributing (for various reasons, not covered here)
-in various kubernetes projects, it left a wide hole that few could easily fill,
-leaving the remaining leads in a bad position and the project understaffed. We should assume
-that we will need to onboard new maintainers in the future, and should have playbooks
-for doing so. As we grow the contributor base in kustomize, we will build these playbooks for
-those who are contributing and those who are looking to grow into kustomize leaders.
-To ensure the long term health and stability of the project, we should have:
-
- On-boarding guides for new contributors
- Clear guidelines for how to climb the kustomize ladder from contributor to approver to owner
- A plan (maybe a schedule) for future kustomize cohorts
- A succession plan, in case the current kustomize leads ever decide to step down
-
-## Goal: Onboard 2-5 new contributors to kustomize
-
-Contributors: natasha41575, annasong20, koba1t
-
-Priority: High
-
-Effort: High
-
-In order to make progress on kustomize goals in the future, we need to increase the
-level of staffing on kustomize. We should leverage community contributions to keep kustomize
-healthy and making progress.
-
-The primary means in which we will try to find new kustomize contributors is through the new kustomize
-maintainer training cohort. We will lead a group of ~20 kubernetes community members through a 3-6 month
-training program, involving talk sessions, bug scrubs, issue triage, PR reviews, and coding projects for
-each member.
-
-See [our call for help](https://groups.google.com/a/kubernetes.io/g/dev/c/M5OphEVsv5o/m/zc6G4H15AAAJ) for more
-specific details about the program.
-
-The effort from existing kustomize maintainers here will be to:
- Organize the cohort, so that each cohort member feels productive and understands what they should work on
- Align motivation of the cohort members with the work that we assign to them.
- Review PRs from cohort members in a timely manner.
- Be the point(s) of contact for questions/escalations
- Lead weekly stand-ups and monthly bug scrubs
-
-At the end of all this, if we have a small team of contributors to kustomize, who understand its founding
-philosophy and intentions, we should be able to keep the project up to date.
-
-## Goal: Improve kustomize extensibility through KRM functions and CRD support
-
-Contributors: koba1t, varshaprasad96, external contributors
-
-Priority: High
-
-Effort: High
-
-Project board: https://github.com/orgs/kubernetes-sigs/projects/53/views/1
-
-For a long time, we have supported KRM functions as the proper way to implement custom generators and transformers.
-However, due to limited staffing, we have been unable to drive this feature out of alpha in kustomize. The two
-main features which we hope to make progress on are Composition and Catalog, two long-standing proposals for which
-numerous users have been waiting for a long time. There are several open issues
-regarding KRM functions where our long-term answer has been these two features, but users have been hearing about them
-for over a year without seeing any progress. If we can implement them, they will vastly improve usability and security
-of KRM functions.
-
-One item that falls under this category that does not currently have a contributor is improving CRD support.
-Currently, it is difficult to use CRDs properly, as there are three different fields (configurations, openapi, and crds)
-where users have to input their CRD configuration. We need to consolidate these fields into one easy to use feature to
-support CRDs. If you are interested in putting together a design proposal for how to tackle this task, please reach
-out to the kustomize maintainers.
-
-# H1 2024
-
-## Goal: Improve the kustomize documentation
-
-Contributors: annasong20, external contributions
-
-Priority: High
-
-Effort: High
-
-Project board: https://github.com/orgs/kubernetes-sigs/projects/50
-
-The kustomize documentation is currently fragmented, out of date, and lacks examples to fully understand its value.
-We have had a "docs project" for a long time; we need to prioritize implementing it so that the documentation is in
-one place, easy to find, and helps new users get started more easily. Some outcomes from this project should be:
-
- A single, unified website hosted on kustomize.io
- Updated information architecture, and a plan to keep it up to date
- End to end examples of using kustomize, including complex use cases
-
-## Goal: Fix core usability bugs in kustomize
-
-Contributors: external contributions
-
-Priority: High
-
-Effort: High
-
-Project board: https://github.com/orgs/kubernetes-sigs/projects/51
-
-There are several core usability issues that block some users from adopting kustomize features or in
-some base block users from using kustomize entirely. These issues range from small bugs with workable but
-inconvenient workarounds, to enormous feature gaps.
-
-As part of this goal, we should work toward reducing the number of such issues that we have, making
-kustomize work more smoothly and predictably, and be usable for a larger range of users.
-
-There are a lot of important issues in this project, but the biggest and highest priority one is that
-kustomize doesn't currently support metadata.GenerateName. Unfortunately, we don't currently have anyone
-actively working on this issue, we would need an external contributor to reach out to the kustomize
-maintainers to pick it up.
-
-## Goal: Improve kustomize CI, release, & security patch processes
-
-Contributors: external contributions
-
-Priority: Medium
-
-Effort: High
-
-Project board: https://github.com/orgs/kubernetes-sigs/projects/54
-
-The kustomize release process is currently done on-demand and is strictly linear. This means that if we find a CVE,
-we are forced to release the next version of kustomize ASAP, and we are required to release every PR that has merged
-since the last release. This can put us in a sticky situation if we have a breaking change that we are
-not ready to release yet, but we need a patch quickly.
-
-We should try to improve the kustomize release process so that we can release frequently, reliably, and with some
-flexibility. The outcome of this effort should be:
-
- kustomize is released on a regular cadence (biweekly or monthly)
- kustomize is able to separate patch and feature releases, so that we can fix CVEs without needing to release
-everything that we have in flight
- We can detect and fix CVEs early
-
-## Goal: Take long-standing alpha commands out of alpha
-
-Contributors: external contributions
-
-Priority: Medium
-
-Effort: Medium
-
-Project board: https://github.com/orgs/kubernetes-sigs/projects/52
-
-There are several commands in kustomize that have been alpha for a long time, including the cfg command group and
-localize. Moving them forward can indicate good health of a project and these commands are useful to many users.
-Some of these projects can be good starter issues for new contributors to have an easier onramp while others will
-require more effort and thought.
--- a/8
+++ b/8
@@ -9,7 +9,7 @@
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
-eddiezane
-KnVerey
-natasha41575
-soltysh
+
+monopole
+Liujingfang1
+pwittrock
--- a/api/Makefile
+++ b/api/Makefile
@@ -1,28 +0,0 @@
-# Copyright 2022 The Kubernetes Authors.
-# SPDX-License-Identifier: Apache-2.0
-
-include ../Makefile-modules.mk
-
-test:
-	go test -v -timeout 45m -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.buildDate=2023-01-31T23:38:41Z -X sigs.k8s.io/kustomize/api/provenance.version=(test)"
-
-build:
-	go build -ldflags "-X sigs.k8s.io/kustomize/api/provenance.buildDate=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")" ./...
-
-generate: $(MYGOBIN)/k8scopy $(MYGOBIN)/stringer
-	go generate ./...
-
-lint: lint-api-static
-
-## lint-api-static runs the linter on the API module
-## with build-tag kustomize_disable_go_plugin_support
-## this aims to catch any issues with the API module
-## that would prevent the API module from being used
-## when the go plugin support is disabled.
-lint-api-static:
-	$(MYGOBIN)/golangci-lint cache clean # Workaround for https://github.com/golangci/golangci-lint/issues/3228
-	$(MYGOBIN)/golangci-lint \
-	  -c $$KUSTOMIZE_ROOT/.golangci.yml \
-	  --build-tags kustomize_disable_go_plugin_support \
-	  --path-prefix api \
-	  run ./...
--- a/api/builtins/AnnotationsTransformer.go
+++ b/api/builtins/AnnotationsTransformer.go
@@ -0,0 +1,42 @@
+// Code generated by pluginator on AnnotationsTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/annotations"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
+	"sigs.k8s.io/yaml"
+)
+
+// Add the given annotations to the given field specifications.
+type AnnotationsTransformerPlugin struct {
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+	FieldSpecs  []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+func (p *AnnotationsTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Annotations = nil
+	p.FieldSpecs = nil
+	return yaml.Unmarshal(c, p)
+}
+
+func (p *AnnotationsTransformerPlugin) Transform(m resmap.ResMap) error {
+	for _, r := range m.Resources() {
+		err := filtersutil.ApplyToJSON(annotations.Filter{
+			Annotations: p.Annotations,
+			FsSlice:     p.FieldSpecs,
+		}, r)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func NewAnnotationsTransformerPlugin() resmap.TransformerPlugin {
+	return &AnnotationsTransformerPlugin{}
+}
--- a/api/internal/builtins/ConfigMapGenerator.go
+++ b/api/internal/builtins/ConfigMapGenerator.go
@@ -1,4 +1,6 @@
 // Code generated by pluginator on ConfigMapGenerator; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
 package builtins

 import (
--- a/api/internal/builtins/HashTransformer.go
+++ b/api/internal/builtins/HashTransformer.go
@@ -1,4 +1,6 @@
 // Code generated by pluginator on HashTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
 package builtins

 import (
@@ -9,7 +11,7 @@ import (
 )

 type HashTransformerPlugin struct {
-	hasher ifc.KustHasher
+	hasher ifc.KunstructuredHasher
 }

 func (p *HashTransformerPlugin) Config(
@@ -22,11 +24,10 @@ func (p *HashTransformerPlugin) Config(
 func (p *HashTransformerPlugin) Transform(m resmap.ResMap) error {
 	for _, res := range m.Resources() {
 		if res.NeedHashSuffix() {
-			h, err := res.Hash(p.hasher)
+			h, err := p.hasher.Hash(res)
 			if err != nil {
 				return err
 			}
-			res.StorePreviousId()
 			res.SetName(fmt.Sprintf("%s-%s", res.GetName(), h))
 		}
 	}
--- a/api/builtins/ImageTagTransformer.go
+++ b/api/builtins/ImageTagTransformer.go
@@ -0,0 +1,187 @@
+// Code generated by pluginator on ImageTagTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/filters/imagetag"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
+	"sigs.k8s.io/yaml"
+)
+
+// Find matching image declarations and replace
+// the name, tag and/or digest.
+type ImageTagTransformerPlugin struct {
+	ImageTag   types.Image       `json:"imageTag,omitempty" yaml:"imageTag,omitempty"`
+	FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+func (p *ImageTagTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.ImageTag = types.Image{}
+	p.FieldSpecs = nil
+	return yaml.Unmarshal(c, p)
+}
+
+func (p *ImageTagTransformerPlugin) Transform(m resmap.ResMap) error {
+	for _, r := range m.Resources() {
+		// If you're here because someone expected any field containing
+		// the string "containers" or "initContainers" to get an image
+		// update (not just spec/template/spec/containers[], etc.) then
+		// a code change is needed.  See api/filters/imagetag/legacy
+		// for the start of an implementation that won't use an
+		// allowlist like FsSlice, and instead walks the object looking
+		// for fields named containers or initContainers.
+		err := filtersutil.ApplyToJSON(imagetag.Filter{
+			ImageTag: p.ImageTag,
+			FsSlice:  p.FieldSpecs,
+		}, r)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (p *ImageTagTransformerPlugin) mutateImage(in interface{}) (interface{}, error) {
+	original, ok := in.(string)
+	if !ok {
+		return nil, fmt.Errorf("image path is not of type string but %T", in)
+	}
+
+	if !isImageMatched(original, p.ImageTag.Name) {
+		return original, nil
+	}
+	name, tag := split(original)
+	if p.ImageTag.NewName != "" {
+		name = p.ImageTag.NewName
+	}
+	if p.ImageTag.NewTag != "" {
+		tag = ":" + p.ImageTag.NewTag
+	}
+	if p.ImageTag.Digest != "" {
+		tag = "@" + p.ImageTag.Digest
+	}
+	return name + tag, nil
+}
+
+// findAndReplaceImage replaces the image name and
+// tags inside one object.
+// It searches the object for container session
+// then loops though all images inside containers
+// session, finds matched ones and update the
+// image name and tag name
+func (p *ImageTagTransformerPlugin) findAndReplaceImage(obj map[string]interface{}) error {
+	paths := []string{"containers", "initContainers"}
+	updated := false
+	for _, path := range paths {
+		containers, found := obj[path]
+		if found && containers != nil {
+			if _, err := p.updateContainers(containers); err != nil {
+				return err
+			}
+			updated = true
+		}
+	}
+	if !updated {
+		return p.findContainers(obj)
+	}
+	return nil
+}
+
+func (p *ImageTagTransformerPlugin) updateContainers(in interface{}) (interface{}, error) {
+	containers, ok := in.([]interface{})
+	if !ok {
+		return nil, fmt.Errorf(
+			"containers path is not of type []interface{} but %T", in)
+	}
+	for i := range containers {
+		container := containers[i].(map[string]interface{})
+		containerImage, found := container["image"]
+		if !found {
+			continue
+		}
+		imageName := containerImage.(string)
+		if isImageMatched(imageName, p.ImageTag.Name) {
+			newImage, err := p.mutateImage(imageName)
+			if err != nil {
+				return nil, err
+			}
+			container["image"] = newImage
+		}
+	}
+	return containers, nil
+}
+
+func (p *ImageTagTransformerPlugin) findContainers(obj map[string]interface{}) error {
+	for key := range obj {
+		switch typedV := obj[key].(type) {
+		case map[string]interface{}:
+			err := p.findAndReplaceImage(typedV)
+			if err != nil {
+				return err
+			}
+		case []interface{}:
+			for i := range typedV {
+				item := typedV[i]
+				typedItem, ok := item.(map[string]interface{})
+				if ok {
+					err := p.findAndReplaceImage(typedItem)
+					if err != nil {
+						return err
+					}
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func isImageMatched(s, t string) bool {
+	// Tag values are limited to [a-zA-Z0-9_.{}-].
+	// Some tools like Bazel rules_k8s allow tag patterns with {} characters.
+	// More info: https://github.com/bazelbuild/rules_k8s/pull/423
+	pattern, _ := regexp.Compile("^" + t + "(@sha256)?(:[a-zA-Z0-9_.{}-]*)?$")
+	return pattern.MatchString(s)
+}
+
+// split separates and returns the name and tag parts
+// from the image string using either colon `:` or at `@` separators.
+// Note that the returned tag keeps its separator.
+func split(imageName string) (name string, tag string) {
+	// check if image name contains a domain
+	// if domain is present, ignore domain and check for `:`
+	ic := -1
+	if slashIndex := strings.Index(imageName, "/"); slashIndex < 0 {
+		ic = strings.LastIndex(imageName, ":")
+	} else {
+		lastIc := strings.LastIndex(imageName[slashIndex:], ":")
+		// set ic only if `:` is present
+		if lastIc > 0 {
+			ic = slashIndex + lastIc
+		}
+	}
+	ia := strings.LastIndex(imageName, "@")
+	if ic < 0 && ia < 0 {
+		return imageName, ""
+	}
+
+	i := ic
+	if ia > 0 {
+		i = ia
+	}
+
+	name = imageName[:i]
+	tag = imageName[i:]
+	return
+}
+
+func NewImageTagTransformerPlugin() resmap.TransformerPlugin {
+	return &ImageTagTransformerPlugin{}
+}
--- a/api/builtins/LabelTransformer.go
+++ b/api/builtins/LabelTransformer.go
@@ -0,0 +1,42 @@
+// Code generated by pluginator on LabelTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/labels"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
+	"sigs.k8s.io/yaml"
+)
+
+// Add the given labels to the given field specifications.
+type LabelTransformerPlugin struct {
+	Labels     map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+func (p *LabelTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Labels = nil
+	p.FieldSpecs = nil
+	return yaml.Unmarshal(c, p)
+}
+
+func (p *LabelTransformerPlugin) Transform(m resmap.ResMap) error {
+	for _, r := range m.Resources() {
+		err := filtersutil.ApplyToJSON(labels.Filter{
+			Labels:  p.Labels,
+			FsSlice: p.FieldSpecs,
+		}, r)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func NewLabelTransformerPlugin() resmap.TransformerPlugin {
+	return &LabelTransformerPlugin{}
+}
--- a/api/builtins/LegacyOrderTransformer.go
+++ b/api/builtins/LegacyOrderTransformer.go
@@ -0,0 +1,46 @@
+// Code generated by pluginator on LegacyOrderTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"sort"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+)
+
+// Sort the resources using an ordering defined in the Gvk class.
+// This puts cluster-wide basic resources with no
+// dependencies (like Namespace, StorageClass, etc.)
+// first, and resources with a high number of dependencies
+// (like ValidatingWebhookConfiguration) last.
+type LegacyOrderTransformerPlugin struct{}
+
+// Nothing needed for configuration.
+func (p *LegacyOrderTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, _ []byte) (err error) {
+	return nil
+}
+
+func (p *LegacyOrderTransformerPlugin) Transform(m resmap.ResMap) (err error) {
+	resources := make([]*resource.Resource, m.Size())
+	ids := m.AllIds()
+	sort.Sort(resmap.IdSlice(ids))
+	for i, id := range ids {
+		resources[i], err = m.GetByCurrentId(id)
+		if err != nil {
+			return errors.Wrap(err, "expected match for sorting")
+		}
+	}
+	m.Clear()
+	for _, r := range resources {
+		m.Append(r)
+	}
+	return nil
+}
+
+func NewLegacyOrderTransformerPlugin() resmap.TransformerPlugin {
+	return &LegacyOrderTransformerPlugin{}
+}
--- a/api/builtins/NamespaceTransformer.go
+++ b/api/builtins/NamespaceTransformer.go
@@ -0,0 +1,126 @@
+// Code generated by pluginator on NamespaceTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/filters/namespace"
+	"sigs.k8s.io/kustomize/api/resid"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
+	"sigs.k8s.io/yaml"
+)
+
+// Change or set the namespace of non-cluster level resources.
+type NamespaceTransformerPlugin struct {
+	types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	FieldSpecs       []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+func (p *NamespaceTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Namespace = ""
+	p.FieldSpecs = nil
+	return yaml.Unmarshal(c, p)
+}
+
+func (p *NamespaceTransformerPlugin) Transform(m resmap.ResMap) error {
+	if len(p.Namespace) == 0 {
+		return nil
+	}
+	for _, r := range m.Resources() {
+		if len(r.Map()) == 0 {
+			// Don't mutate empty objects?
+			continue
+		}
+		err := filtersutil.ApplyToJSON(namespace.Filter{
+			Namespace: p.Namespace,
+			FsSlice:   p.FieldSpecs,
+		}, r)
+		if err != nil {
+			return err
+		}
+		matches := m.GetMatchingResourcesByCurrentId(r.CurId().Equals)
+		if len(matches) != 1 {
+			return fmt.Errorf(
+				"namespace transformation produces ID conflict: %+v", matches)
+		}
+	}
+	return nil
+}
+
+// Special casing metadata.namespace since
+// all objects have it, even "ClusterKind" objects
+// that don't exist in a namespace (the Namespace
+// object itself doesn't live in a namespace).
+func (p *NamespaceTransformerPlugin) applicableFieldSpecs(id resid.ResId) []types.FieldSpec {
+	var res []types.FieldSpec
+	for _, fs := range p.FieldSpecs {
+		if id.IsSelected(&fs.Gvk) &&
+			(fs.Path != types.MetadataNamespacePath ||
+				(fs.Path == types.MetadataNamespacePath && id.IsNamespaceableKind())) {
+			res = append(res, fs)
+		}
+	}
+	return res
+}
+
+func (p *NamespaceTransformerPlugin) changeNamespace(
+	_ *resource.Resource) func(in interface{}) (interface{}, error) {
+	return func(in interface{}) (interface{}, error) {
+		switch in.(type) {
+		case string:
+			// will happen when the metadata/namespace
+			// value is replaced
+			return p.Namespace, nil
+		case []interface{}:
+			l, _ := in.([]interface{})
+			for idx, item := range l {
+				switch item.(type) {
+				case map[string]interface{}:
+					// Will happen when mutating the subjects
+					// field of ClusterRoleBinding and RoleBinding
+					inMap, _ := item.(map[string]interface{})
+					if _, ok := inMap["name"]; !ok {
+						continue
+					}
+					name, ok := inMap["name"].(string)
+					if !ok {
+						continue
+					}
+					// The only case we need to force the namespace
+					// if for the "service account". "default" is
+					// kind of hardcoded here for right now.
+					if name != "default" {
+						continue
+					}
+					inMap["namespace"] = p.Namespace
+					l[idx] = inMap
+				default:
+					// nothing to do for right now
+				}
+			}
+			return in, nil
+		case map[string]interface{}:
+			// Will happen if the createField=true
+			// when the namespace is added to the
+			// object
+			inMap := in.(map[string]interface{})
+			if len(inMap) == 0 {
+				return p.Namespace, nil
+			} else {
+				return in, nil
+			}
+		default:
+			return in, nil
+		}
+	}
+}
+
+func NewNamespaceTransformerPlugin() resmap.TransformerPlugin {
+	return &NamespaceTransformerPlugin{}
+}
--- a/api/builtins/PatchJson6902Transformer.go
+++ b/api/builtins/PatchJson6902Transformer.go
@@ -0,0 +1,95 @@
+// Code generated by pluginator on PatchJson6902Transformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"fmt"
+
+	jsonpatch "github.com/evanphx/json-patch"
+	"github.com/pkg/errors"
+	"sigs.k8s.io/kustomize/api/filters/patchjson6902"
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/resid"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
+	"sigs.k8s.io/yaml"
+)
+
+type PatchJson6902TransformerPlugin struct {
+	ldr          ifc.Loader
+	decodedPatch jsonpatch.Patch
+	Target       types.PatchTarget `json:"target,omitempty" yaml:"target,omitempty"`
+	Path         string            `json:"path,omitempty" yaml:"path,omitempty"`
+	JsonOp       string            `json:"jsonOp,omitempty" yaml:"jsonOp,omitempty"`
+}
+
+func (p *PatchJson6902TransformerPlugin) Config(
+	h *resmap.PluginHelpers, c []byte) (err error) {
+	p.ldr = h.Loader()
+	err = yaml.Unmarshal(c, p)
+	if err != nil {
+		return err
+	}
+	if p.Target.Name == "" {
+		return fmt.Errorf("must specify the target name")
+	}
+	if p.Path == "" && p.JsonOp == "" {
+		return fmt.Errorf("empty file path and empty jsonOp")
+	}
+	if p.Path != "" {
+		if p.JsonOp != "" {
+			return fmt.Errorf("must specify a file path or jsonOp, not both")
+		}
+		rawOp, err := p.ldr.Load(p.Path)
+		if err != nil {
+			return err
+		}
+		p.JsonOp = string(rawOp)
+		if p.JsonOp == "" {
+			return fmt.Errorf("patch file '%s' empty seems to be empty", p.Path)
+		}
+	}
+	if p.JsonOp[0] != '[' {
+		// if it doesn't seem to be JSON, imagine
+		// it is YAML, and convert to JSON.
+		op, err := yaml.YAMLToJSON([]byte(p.JsonOp))
+		if err != nil {
+			return err
+		}
+		p.JsonOp = string(op)
+	}
+	p.decodedPatch, err = jsonpatch.DecodePatch([]byte(p.JsonOp))
+	if err != nil {
+		return errors.Wrapf(err, "decoding %s", p.JsonOp)
+	}
+	if len(p.decodedPatch) == 0 {
+		return fmt.Errorf(
+			"patch appears to be empty; file=%s, JsonOp=%s", p.Path, p.JsonOp)
+	}
+	return err
+}
+
+func (p *PatchJson6902TransformerPlugin) Transform(m resmap.ResMap) error {
+	id := resid.NewResIdWithNamespace(
+		resid.Gvk{
+			Group:   p.Target.Group,
+			Version: p.Target.Version,
+			Kind:    p.Target.Kind,
+		},
+		p.Target.Name,
+		p.Target.Namespace,
+	)
+	obj, err := m.GetById(id)
+	if err != nil {
+		return err
+	}
+	return filtersutil.ApplyToJSON(patchjson6902.Filter{
+		Patch: p.JsonOp,
+	}, obj)
+}
+
+func NewPatchJson6902TransformerPlugin() resmap.TransformerPlugin {
+	return &PatchJson6902TransformerPlugin{}
+}
--- a/api/builtins/PatchStrategicMergeTransformer.go
+++ b/api/builtins/PatchStrategicMergeTransformer.go
@@ -0,0 +1,120 @@
+// Code generated by pluginator on PatchStrategicMergeTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/kustomize/api/filters/patchstrategicmerge"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
+	"sigs.k8s.io/yaml"
+)
+
+type PatchStrategicMergeTransformerPlugin struct {
+	h             *resmap.PluginHelpers
+	loadedPatches []*resource.Resource
+	Paths         []types.PatchStrategicMerge `json:"paths,omitempty" yaml:"paths,omitempty"`
+	Patches       string                      `json:"patches,omitempty" yaml:"patches,omitempty"`
+}
+
+func (p *PatchStrategicMergeTransformerPlugin) Config(
+	h *resmap.PluginHelpers, c []byte) (err error) {
+	p.h = h
+	err = yaml.Unmarshal(c, p)
+	if err != nil {
+		return err
+	}
+	if len(p.Paths) == 0 && p.Patches == "" {
+		return fmt.Errorf("empty file path and empty patch content")
+	}
+	if len(p.Paths) != 0 {
+		for _, onePath := range p.Paths {
+			res, err := p.h.ResmapFactory().RF().SliceFromBytes([]byte(onePath))
+			if err == nil {
+				p.loadedPatches = append(p.loadedPatches, res...)
+				continue
+			}
+			res, err = p.h.ResmapFactory().RF().SliceFromPatches(
+				p.h.Loader(), []types.PatchStrategicMerge{onePath})
+			if err != nil {
+				return err
+			}
+			p.loadedPatches = append(p.loadedPatches, res...)
+		}
+	}
+	if p.Patches != "" {
+		res, err := p.h.ResmapFactory().RF().SliceFromBytes([]byte(p.Patches))
+		if err != nil {
+			return err
+		}
+		p.loadedPatches = append(p.loadedPatches, res...)
+	}
+
+	if len(p.loadedPatches) == 0 {
+		return fmt.Errorf(
+			"patch appears to be empty; files=%v, Patch=%s", p.Paths, p.Patches)
+	}
+	return err
+}
+
+func (p *PatchStrategicMergeTransformerPlugin) Transform(m resmap.ResMap) error {
+	patches, err := p.h.ResmapFactory().Merge(p.loadedPatches)
+	if err != nil {
+		return err
+	}
+	for _, patch := range patches.Resources() {
+		target, err := m.GetById(patch.OrgId())
+		if err != nil {
+			return err
+		}
+		patchCopy := patch.DeepCopy()
+		patchCopy.SetName(target.GetName())
+		patchCopy.SetNamespace(target.GetNamespace())
+		patchCopy.SetGvk(target.GetGvk())
+		node, err := filtersutil.GetRNode(patchCopy)
+		if err != nil {
+			return err
+		}
+		err = filtersutil.ApplyToJSON(patchstrategicmerge.Filter{
+			Patch: node,
+		}, target)
+		if err != nil {
+			// Check for an error string from UnmarshalJSON that's indicative
+			// of an object that's missing basic KRM fields, and thus may have been
+			// entirely deleted (an acceptable outcome).  This error handling should
+			// be deleted along with use of ResMap and apimachinery functions like
+			// UnmarshalJSON.
+			if !strings.Contains(err.Error(), "Object 'Kind' is missing") {
+				// Some unknown error, let it through.
+				return err
+			}
+			if len(target.Map()) != 0 {
+				return errors.Wrapf(
+					err, "with unexpectedly non-empty object map of size %d",
+					len(target.Map()))
+			}
+			// Fall through to handle deleted object.
+		}
+		if len(target.Map()) == 0 {
+			// This means all fields have been removed from the object.
+			// This can happen if a patch required deletion of the
+			// entire resource (not just a part of it).  This means
+			// the overall resmap must shrink by one.
+			err = m.Remove(target.CurId())
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func NewPatchStrategicMergeTransformerPlugin() resmap.TransformerPlugin {
+	return &PatchStrategicMergeTransformerPlugin{}
+}
--- a/api/builtins/PatchTransformer.go
+++ b/api/builtins/PatchTransformer.go
@@ -0,0 +1,164 @@
+// Code generated by pluginator on PatchTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"fmt"
+	"strings"
+
+	jsonpatch "github.com/evanphx/json-patch"
+	"sigs.k8s.io/kustomize/api/filters/patchjson6902"
+	"sigs.k8s.io/kustomize/api/filters/patchstrategicmerge"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
+	"sigs.k8s.io/yaml"
+)
+
+type PatchTransformerPlugin struct {
+	loadedPatch  *resource.Resource
+	decodedPatch jsonpatch.Patch
+	Path         string          `json:"path,omitempty" yaml:"path,omitempty"`
+	Patch        string          `json:"patch,omitempty" yaml:"patch,omitempty"`
+	Target       *types.Selector `json:"target,omitempty" yaml:"target,omitempty"`
+}
+
+func (p *PatchTransformerPlugin) Config(
+	h *resmap.PluginHelpers, c []byte) error {
+	err := yaml.Unmarshal(c, p)
+	if err != nil {
+		return err
+	}
+	p.Patch = strings.TrimSpace(p.Patch)
+	if p.Patch == "" && p.Path == "" {
+		return fmt.Errorf(
+			"must specify one of patch and path in\n%s", string(c))
+	}
+	if p.Patch != "" && p.Path != "" {
+		return fmt.Errorf(
+			"patch and path can't be set at the same time\n%s", string(c))
+	}
+
+	if p.Path != "" {
+		loaded, loadErr := h.Loader().Load(p.Path)
+		if loadErr != nil {
+			return loadErr
+		}
+		p.Patch = string(loaded)
+	}
+
+	patchSM, errSM := h.ResmapFactory().RF().FromBytes([]byte(p.Patch))
+	patchJson, errJson := jsonPatchFromBytes([]byte(p.Patch))
+	if (errSM == nil && errJson == nil) ||
+		(patchSM != nil && patchJson != nil) {
+		return fmt.Errorf(
+			"illegally qualifies as both an SM and JSON patch: [%v]",
+			p.Patch)
+	}
+	if errSM != nil && errJson != nil {
+		return fmt.Errorf(
+			"unable to parse SM or JSON patch from [%v]", p.Patch)
+	}
+	if errSM == nil {
+		p.loadedPatch = patchSM
+	} else {
+		p.decodedPatch = patchJson
+	}
+	return nil
+}
+
+func (p *PatchTransformerPlugin) Transform(m resmap.ResMap) error {
+	if p.loadedPatch == nil {
+		return p.transformJson6902(m, p.decodedPatch)
+	} else {
+		// The patch was a strategic merge patch
+		return p.transformStrategicMerge(m, p.loadedPatch)
+	}
+}
+
+// transformStrategicMerge applies the provided strategic merge patch
+// to all the resources in the ResMap that match either the Target or
+// the identifier of the patch.
+func (p *PatchTransformerPlugin) transformStrategicMerge(m resmap.ResMap, patch *resource.Resource) error {
+	if p.Target == nil {
+		target, err := m.GetById(patch.OrgId())
+		if err != nil {
+			return err
+		}
+		return p.applySMPatch(target, patch)
+	}
+
+	resources, err := m.Select(*p.Target)
+	if err != nil {
+		return err
+	}
+	for _, res := range resources {
+		patchCopy := patch.DeepCopy()
+		patchCopy.SetName(res.GetName())
+		patchCopy.SetNamespace(res.GetNamespace())
+		patchCopy.SetGvk(res.GetGvk())
+		err := p.applySMPatch(res, patchCopy)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// applySMPatch applies the provided strategic merge patch to the
+// given resource.
+func (p *PatchTransformerPlugin) applySMPatch(resource, patch *resource.Resource) error {
+	node, err := filtersutil.GetRNode(patch)
+	if err != nil {
+		return err
+	}
+	return filtersutil.ApplyToJSON(patchstrategicmerge.Filter{
+		Patch: node,
+	}, resource)
+}
+
+// transformJson6902 applies the provided json6902 patch
+// to all the resources in the ResMap that match the Target.
+func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap, patch jsonpatch.Patch) error {
+	if p.Target == nil {
+		return fmt.Errorf("must specify a target for patch %s", p.Patch)
+	}
+	resources, err := m.Select(*p.Target)
+	if err != nil {
+		return err
+	}
+	for _, res := range resources {
+		err = filtersutil.ApplyToJSON(patchjson6902.Filter{
+			Patch: p.Patch,
+		}, res)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// jsonPatchFromBytes loads a Json 6902 patch from
+// a bytes input
+func jsonPatchFromBytes(
+	in []byte) (jsonpatch.Patch, error) {
+	ops := string(in)
+	if ops == "" {
+		return nil, fmt.Errorf("empty json patch operations")
+	}
+
+	if ops[0] != '[' {
+		jsonOps, err := yaml.YAMLToJSON(in)
+		if err != nil {
+			return nil, err
+		}
+		ops = string(jsonOps)
+	}
+	return jsonpatch.DecodePatch([]byte(ops))
+}
+
+func NewPatchTransformerPlugin() resmap.TransformerPlugin {
+	return &PatchTransformerPlugin{}
+}
--- a/api/builtins/PrefixSuffixTransformer.go
+++ b/api/builtins/PrefixSuffixTransformer.go
@@ -0,0 +1,101 @@
+// Code generated by pluginator on PrefixSuffixTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"errors"
+
+	"sigs.k8s.io/kustomize/api/filters/prefixsuffix"
+	"sigs.k8s.io/kustomize/api/resid"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
+	"sigs.k8s.io/yaml"
+)
+
+// Add the given prefix and suffix to the field.
+type PrefixSuffixTransformerPlugin struct {
+	Prefix     string        `json:"prefix,omitempty" yaml:"prefix,omitempty"`
+	Suffix     string        `json:"suffix,omitempty" yaml:"suffix,omitempty"`
+	FieldSpecs types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+// A Gvk skip list for prefix/suffix modification.
+// hard coded for now - eventually should be part of config.
+var prefixSuffixFieldSpecsToSkip = types.FsSlice{
+	{Gvk: resid.Gvk{Kind: "CustomResourceDefinition"}},
+	{Gvk: resid.Gvk{Group: "apiregistration.k8s.io", Kind: "APIService"}},
+	{Gvk: resid.Gvk{Kind: "Namespace"}},
+}
+
+func (p *PrefixSuffixTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Prefix = ""
+	p.Suffix = ""
+	p.FieldSpecs = nil
+	err = yaml.Unmarshal(c, p)
+	if err != nil {
+		return
+	}
+	if p.FieldSpecs == nil {
+		return errors.New("fieldSpecs is not expected to be nil")
+	}
+	return
+}
+
+func (p *PrefixSuffixTransformerPlugin) Transform(m resmap.ResMap) error {
+	// Even if both the Prefix and Suffix are empty we want
+	// to proceed with the transformation. This allows to add contextual
+	// information to the resources (AddNamePrefix and AddNameSuffix).
+	for _, r := range m.Resources() {
+		// TODO: move this test into the filter (i.e. make a better filter)
+		if p.shouldSkip(r.OrgId()) {
+			continue
+		}
+		id := r.OrgId()
+		// current default configuration contains
+		// only one entry: "metadata/name" with no GVK
+		for _, fs := range p.FieldSpecs {
+			// TODO: this is redundant to filter (but needed for now)
+			if !id.IsSelected(&fs.Gvk) {
+				continue
+			}
+			// TODO: move this test into the filter.
+			if smellsLikeANameChange(&fs) {
+				// "metadata/name" is the only field.
+				// this will add a prefix and a suffix
+				// to the resource even if those are
+				// empty
+				r.AddNamePrefix(p.Prefix)
+				r.AddNameSuffix(p.Suffix)
+			}
+			err := filtersutil.ApplyToJSON(prefixsuffix.Filter{
+				Prefix:    p.Prefix,
+				Suffix:    p.Suffix,
+				FieldSpec: fs,
+			}, r)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func smellsLikeANameChange(fs *types.FieldSpec) bool {
+	return fs.Path == "metadata/name"
+}
+
+func (p *PrefixSuffixTransformerPlugin) shouldSkip(id resid.ResId) bool {
+	for _, path := range prefixSuffixFieldSpecsToSkip {
+		if id.IsSelected(&path.Gvk) {
+			return true
+		}
+	}
+	return false
+}
+
+func NewPrefixSuffixTransformerPlugin() resmap.TransformerPlugin {
+	return &PrefixSuffixTransformerPlugin{}
+}
--- a/api/internal/builtins/ReplicaCountTransformer.go
+++ b/api/internal/builtins/ReplicaCountTransformer.go
@@ -1,13 +1,17 @@
 // Code generated by pluginator on ReplicaCountTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
 package builtins

 import (
 	"fmt"

 	"sigs.k8s.io/kustomize/api/filters/replicacount"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
+
+	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/yaml"
 )

@@ -29,17 +33,19 @@ func (p *ReplicaCountTransformerPlugin) Transform(m resmap.ResMap) error {
 	found := false
 	for _, fs := range p.FieldSpecs {
 		matcher := p.createMatcher(fs)
-		resList := m.GetMatchingResourcesByAnyId(matcher)
+		matchOriginal := m.GetMatchingResourcesByOriginalId(matcher)
+		resList := append(
+			matchOriginal, m.GetMatchingResourcesByCurrentId(matcher)...)
 		if len(resList) > 0 {
 			found = true
 			for _, r := range resList {
 				// There are redundant checks in the filter
 				// that we'll live with until resolution of
 				// https://github.com/kubernetes-sigs/kustomize/issues/2506
-				err := r.ApplyFilter(replicacount.Filter{
+				err := filtersutil.ApplyToJSON(replicacount.Filter{
 					Replica:   p.Replica,
 					FieldSpec: fs,
-				})
+				}, r)
 				if err != nil {
 					return err
 				}
--- a/api/internal/builtins/SecretGenerator.go
+++ b/api/internal/builtins/SecretGenerator.go
@@ -1,4 +1,6 @@
 // Code generated by pluginator on SecretGenerator; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
 package builtins

 import (
--- a/api/internal/builtins/ValueAddTransformer.go
+++ b/api/internal/builtins/ValueAddTransformer.go
@@ -1,4 +1,6 @@
 // Code generated by pluginator on ValueAddTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
 package builtins

 import (
@@ -11,6 +13,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filtersutil"
 	"sigs.k8s.io/yaml"
 )

@@ -116,15 +119,15 @@ func (p *ValueAddTransformerPlugin) Transform(m resmap.ResMap) (err error) {
 		// TODO: consider t.NotSelector if implemented
 		for _, res := range resources {
 			if t.FieldPath == types.MetadataNamespacePath {
-				err = res.ApplyFilter(namespace.Filter{
+				err = filtersutil.ApplyToJSON(namespace.Filter{
 					Namespace: p.Value,
-				})
+				}, res)
 			} else {
-				err = res.ApplyFilter(valueadd.Filter{
+				err = filtersutil.ApplyToJSON(valueadd.Filter{
 					Value:            p.Value,
 					FieldPath:        t.FieldPath,
 					FilePathPosition: t.FilePathPosition,
-				})
+				}, res)
 			}
 			if err != nil {
 				return err
--- a/api/builtins/builtins.go
+++ b/api/builtins/builtins.go
@@ -1,49 +0,0 @@
-// Copyright 2021 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Deprecated: Package api/builtins will not be available in API v1.
-package builtins
-
-import (
-	internal "sigs.k8s.io/kustomize/api/internal/builtins"
-)
-
-type (
-	AnnotationsTransformerPlugin         = internal.AnnotationsTransformerPlugin
-	ConfigMapGeneratorPlugin             = internal.ConfigMapGeneratorPlugin
-	HashTransformerPlugin                = internal.HashTransformerPlugin
-	HelmChartInflationGeneratorPlugin    = internal.HelmChartInflationGeneratorPlugin
-	IAMPolicyGeneratorPlugin             = internal.IAMPolicyGeneratorPlugin
-	ImageTagTransformerPlugin            = internal.ImageTagTransformerPlugin
-	LabelTransformerPlugin               = internal.LabelTransformerPlugin
-	NamespaceTransformerPlugin           = internal.NamespaceTransformerPlugin
-	PatchJson6902TransformerPlugin       = internal.PatchJson6902TransformerPlugin
-	PatchStrategicMergeTransformerPlugin = internal.PatchStrategicMergeTransformerPlugin
-	PatchTransformerPlugin               = internal.PatchTransformerPlugin
-	PrefixTransformerPlugin              = internal.PrefixTransformerPlugin
-	SuffixTransformerPlugin              = internal.SuffixTransformerPlugin
-	ReplacementTransformerPlugin         = internal.ReplacementTransformerPlugin
-	ReplicaCountTransformerPlugin        = internal.ReplicaCountTransformerPlugin
-	SecretGeneratorPlugin                = internal.SecretGeneratorPlugin
-	ValueAddTransformerPlugin            = internal.ValueAddTransformerPlugin
-)
-
-var (
-	NewAnnotationsTransformerPlugin         = internal.NewAnnotationsTransformerPlugin
-	NewConfigMapGeneratorPlugin             = internal.NewConfigMapGeneratorPlugin
-	NewHashTransformerPlugin                = internal.NewHashTransformerPlugin
-	NewHelmChartInflationGeneratorPlugin    = internal.NewHelmChartInflationGeneratorPlugin
-	NewIAMPolicyGeneratorPlugin             = internal.NewIAMPolicyGeneratorPlugin
-	NewImageTagTransformerPlugin            = internal.NewImageTagTransformerPlugin
-	NewLabelTransformerPlugin               = internal.NewLabelTransformerPlugin
-	NewNamespaceTransformerPlugin           = internal.NewNamespaceTransformerPlugin
-	NewPatchJson6902TransformerPlugin       = internal.NewPatchJson6902TransformerPlugin
-	NewPatchStrategicMergeTransformerPlugin = internal.NewPatchStrategicMergeTransformerPlugin
-	NewPatchTransformerPlugin               = internal.NewPatchTransformerPlugin
-	NewPrefixTransformerPlugin              = internal.NewPrefixTransformerPlugin
-	NewSuffixTransformerPlugin              = internal.NewSuffixTransformerPlugin
-	NewReplacementTransformerPlugin         = internal.NewReplacementTransformerPlugin
-	NewReplicaCountTransformerPlugin        = internal.NewReplicaCountTransformerPlugin
-	NewSecretGeneratorPlugin                = internal.NewSecretGeneratorPlugin
-	NewValueAddTransformerPlugin            = internal.NewValueAddTransformerPlugin
-)
--- a/api/internal/builtins/doc.go
+++ b/api/internal/builtins/doc.go
--- a/kyaml/filesys/confirmeddir.go
+++ b/kyaml/filesys/confirmeddir.go
@@ -4,7 +4,7 @@
 package filesys

 import (
-	"os"
+	"io/ioutil"
 	"path/filepath"
 	"strings"
 )
@@ -17,12 +17,12 @@ type ConfirmedDir string
 // The directory is cleaned, no symlinks, etc. so it's
 // returned as a ConfirmedDir.
 func NewTmpConfirmedDir() (ConfirmedDir, error) {
-	n, err := os.MkdirTemp("", "kustomize-")
+	n, err := ioutil.TempDir("", "kustomize-")
 	if err != nil {
 		return "", err
 	}

-	// In MacOs `os.MkdirTemp` creates a directory
+	// In MacOs `ioutil.TempDir` creates a directory
 	// with root in the `/var` folder, which is in turn
 	// a symlinked path to `/private/var`.
 	// Function `filepath.EvalSymlinks`is used to
--- a/kyaml/filesys/confirmeddir_test.go
+++ b/kyaml/filesys/confirmeddir_test.go
@@ -1,20 +1,19 @@
 // Copyright 2019 The Kubernetes Authors.
 // SPDX-License-Identifier: Apache-2.0

-//go:build !windows
-// +build !windows
-
-package filesys
+package filesys_test

 import (
-	"os"
 	"path/filepath"
 	"testing"
+
+	. "sigs.k8s.io/kustomize/api/filesys"
 )

 func TestJoin(t *testing.T) {
 	fSys := MakeFsInMemory()
-	if err := fSys.Mkdir("/foo"); err != nil {
+	err := fSys.Mkdir("/foo")
+	if err != nil {
 		t.Fatalf("unexpected err: %v", err)
 	}
 	d, f, err := fSys.CleanedAbs("/foo")
@@ -99,7 +98,6 @@ func TestNewTempConfirmDir(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
-	defer os.RemoveAll(string(tmp))

 	delinked, err := filepath.EvalSymlinks(string(tmp))
 	if err != nil {
--- a/kyaml/filesys/file.go
+++ b/kyaml/filesys/file.go
--- a/kyaml/filesys/fileinfo.go
+++ b/kyaml/filesys/fileinfo.go
--- a/kyaml/filesys/fileondisk.go
+++ b/kyaml/filesys/fileondisk.go
--- a/api/filesys/filesys.go
+++ b/api/filesys/filesys.go
@@ -1,61 +0,0 @@
-// Copyright 2021 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package filesys provides a file system abstraction,
-// a subset of that provided by golang.org/pkg/os,
-// with an on-disk and in-memory representation.
-//
-// Deprecated: use sigs.k8s.io/kustomize/kyaml/filesys instead.
-package filesys
-
-import "sigs.k8s.io/kustomize/kyaml/filesys"
-
-const (
-	// Separator is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.Separator.
-	Separator = filesys.Separator
-	// SelfDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.SelfDir.
-	SelfDir = filesys.SelfDir
-	// ParentDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.ParentDir.
-	ParentDir = filesys.ParentDir
-)
-
-type (
-	// FileSystem is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.FileSystem.
-	FileSystem = filesys.FileSystem
-	// FileSystemOrOnDisk is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.FileSystemOrOnDisk.
-	FileSystemOrOnDisk = filesys.FileSystemOrOnDisk
-	// ConfirmedDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.ConfirmedDir.
-	ConfirmedDir = filesys.ConfirmedDir
-)
-
-// MakeEmptyDirInMemory is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.MakeEmptyDirInMemory.
-func MakeEmptyDirInMemory() FileSystem { return filesys.MakeEmptyDirInMemory() }
-
-// MakeFsInMemory is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.MakeFsInMemory.
-func MakeFsInMemory() FileSystem { return filesys.MakeFsInMemory() }
-
-// MakeFsOnDisk is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.MakeFsOnDisk.
-func MakeFsOnDisk() FileSystem { return filesys.MakeFsOnDisk() }
-
-// NewTmpConfirmedDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.NewTmpConfirmedDir.
-func NewTmpConfirmedDir() (filesys.ConfirmedDir, error) { return filesys.NewTmpConfirmedDir() }
-
-// RootedPath is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.RootedPath.
-func RootedPath(elem ...string) string { return filesys.RootedPath(elem...) }
-
-// StripTrailingSeps is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.StripTrailingSeps.
-func StripTrailingSeps(s string) string { return filesys.StripTrailingSeps(s) }
-
-// StripLeadingSeps is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.StripLeadingSeps.
-func StripLeadingSeps(s string) string { return filesys.StripLeadingSeps(s) }
-
-// PathSplit is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.PathSplit.
-func PathSplit(incoming string) []string { return filesys.PathSplit(incoming) }
-
-// PathJoin is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.PathJoin.
-func PathJoin(incoming []string) string { return filesys.PathJoin(incoming) }
-
-// InsertPathPart is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.InsertPathPart.
-func InsertPathPart(path string, pos int, part string) string {
-	return filesys.InsertPathPart(path, pos, part)
-}
--- a/api/filesys/filesystem.go
+++ b/api/filesys/filesystem.go
@@ -0,0 +1,50 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package filesys provides a file system abstraction layer.
+package filesys
+
+import (
+	"path/filepath"
+)
+
+const (
+	Separator = string(filepath.Separator)
+	SelfDir   = "."
+	ParentDir = ".."
+)
+
+// FileSystem groups basic os filesystem methods.
+// It's supposed be functional subset of https://golang.org/pkg/os
+type FileSystem interface {
+	// Create a file.
+	Create(path string) (File, error)
+	// MkDir makes a directory.
+	Mkdir(path string) error
+	// MkDirAll makes a directory path, creating intervening directories.
+	MkdirAll(path string) error
+	// RemoveAll removes path and any children it contains.
+	RemoveAll(path string) error
+	// Open opens the named file for reading.
+	Open(path string) (File, error)
+	// IsDir returns true if the path is a directory.
+	IsDir(path string) bool
+	// CleanedAbs converts the given path into a
+	// directory and a file name, where the directory
+	// is represented as a ConfirmedDir and all that implies.
+	// If the entire path is a directory, the file component
+	// is an empty string.
+	CleanedAbs(path string) (ConfirmedDir, string, error)
+	// Exists is true if the path exists in the file system.
+	Exists(path string) bool
+	// Glob returns the list of matching files,
+	// emulating https://golang.org/pkg/path/filepath/#Glob
+	Glob(pattern string) ([]string, error)
+	// ReadFile returns the contents of the file at the given path.
+	ReadFile(path string) ([]byte, error)
+	// WriteFile writes the data to a file at the given path,
+	// overwriting anything that's already there.
+	WriteFile(path string, data []byte) error
+	// Walk walks the file system with the given WalkFunc.
+	Walk(path string, walkFn filepath.WalkFunc) error
+}
--- a/kyaml/filesys/fsnode.go
+++ b/kyaml/filesys/fsnode.go
@@ -6,7 +6,6 @@ package filesys
 import (
 	"bytes"
 	"fmt"
-	"io"
 	"log"
 	"os"
 	"path/filepath"
@@ -14,7 +13,7 @@ import (
 	"sort"
 	"strings"

-	"sigs.k8s.io/kustomize/kyaml/errors"
+	"github.com/pkg/errors"
 )

 var _ File = &fsNode{}
@@ -38,9 +37,9 @@ type fsNode struct {
 	// if this node is a file, this is the content.
 	content []byte

-	// if offset is not nil the file is open and it tracks
-	// the current file offset.
-	offset *int
+	// if this node is a file, this tracks whether or
+	// not it is "open".
+	open bool
 }

 // MakeEmptyDirInMemory returns an empty directory.
@@ -120,14 +119,11 @@ func (n *fsNode) addFile(name string, c []byte) (result *fsNode, err error) {
 	result, ok := parent.dir[fileName]
 	if ok {
 		// File already exists; overwrite it.
-		if result.offset != nil {
-			return nil, fmt.Errorf("cannot add already opened file '%s'", n.Path())
-		}
-		result.content = append(result.content[:0], c...)
+		result.content = c
 		return result, nil
 	}
 	result = &fsNode{
-		content: append([]byte(nil), c...),
+		content: c,
 		parent:  parent,
 	}
 	parent.dir[fileName] = result
@@ -137,12 +133,7 @@ func (n *fsNode) addFile(name string, c []byte) (result *fsNode, err error) {
 // Create implements FileSystem.
 // Create makes an empty file.
 func (n *fsNode) Create(path string) (result File, err error) {
-	f, err := n.AddFile(path, nil)
-	if err != nil {
-		return f, err
-	}
-	f.offset = new(int)
-	return f, nil
+	return n.AddFile(path, []byte{})
 }

 // WriteFile implements FileSystem.
@@ -232,10 +223,10 @@ func (n *fsNode) AddDir(path string) (result *fsNode, err error) {
 func (n *fsNode) CleanedAbs(path string) (ConfirmedDir, string, error) {
 	node, err := n.Find(path)
 	if err != nil {
-		return "", "", errors.WrapPrefixf(err, "unable to clean")
+		return "", "", errors.Wrap(err, "unable to clean")
 	}
 	if node == nil {
-		return "", "", notExistError(path)
+		return "", "", fmt.Errorf("'%s' doesn't exist", path)
 	}
 	if node.isNodeADir() {
 		return ConfirmedDir(node.Path()), "", nil
@@ -308,8 +299,7 @@ func (n *fsNode) RemoveAll(path string) error {
 		return err
 	}
 	if result == nil {
-		// If the path doesn't exist, no need to remove anything.
-		return nil
+		return fmt.Errorf("cannot find '%s' to remove it", path)
 	}
 	return result.Remove()
 }
@@ -349,32 +339,6 @@ func (n *fsNode) IsDir(path string) bool {
 	return result.isNodeADir()
 }

-// ReadDir implements FileSystem.
-func (n *fsNode) ReadDir(path string) ([]string, error) {
-	if !n.Exists(path) {
-		return nil, notExistError(path)
-	}
-	if !n.IsDir(path) {
-		return nil, fmt.Errorf("%s is not a directory", path)
-	}
-
-	dir, err := n.Find(path)
-	if err != nil {
-		return nil, err
-	}
-	if dir == nil {
-		return nil, fmt.Errorf("could not find directory %s", path)
-	}
-
-	keys := make([]string, len(dir.dir))
-	i := 0
-	for k := range dir.dir {
-		keys[i] = k
-		i++
-	}
-	return keys, nil
-}
-
 // Size returns the size of the node.
 func (n *fsNode) Size() int64 {
 	if n.isNodeADir() {
@@ -384,38 +348,22 @@ func (n *fsNode) Size() int64 {
 }

 // Open implements FileSystem.
-// Open opens the node in read-write mode and sets the offset its start.
-// Writing right after opening the file will replace the original content
-// and move the offset forward, as with a file opened with O_RDWR | O_CREATE.
-//
-// As an example, let's consider a file with content "content":
-// - open: sets offset to start, content is "content"
-// - write "@": offset increases by one, the content is now "@ontent"
-// - read the rest: since offset is 1, the read operation returns "ontent"
-// - write "$": offset is at EOF, so "$" is appended and content is now "@ontent$"
-// - read the rest: returns 0 bytes and EOF
-// - close: the content is still "@ontent$"
+// Open opens the node for reading (just marks it).
 func (n *fsNode) Open(path string) (File, error) {
 	result, err := n.Find(path)
 	if err != nil {
 		return nil, err
 	}
 	if result == nil {
-		return nil, notExistError(path)
+		return nil, fmt.Errorf("cannot find '%s' to open it", path)
 	}
-	if result.offset != nil {
-		return nil, fmt.Errorf("cannot open previously opened file '%s'", path)
-	}
-	result.offset = new(int)
+	result.open = true
 	return result, nil
 }

 // Close marks the node closed.
 func (n *fsNode) Close() error {
-	if n.offset == nil {
-		return fmt.Errorf("cannot close already closed file '%s'", n.Path())
-	}
-	n.offset = nil
+	n.open = false
 	return nil
 }

@@ -426,14 +374,11 @@ func (n *fsNode) ReadFile(path string) (c []byte, err error) {
 		return nil, err
 	}
 	if result == nil {
-		return nil, notExistError(path)
-	}
-	if result.isNodeADir() {
-		return nil, fmt.Errorf("cannot read content from non-file '%s'", n.Path())
+		return nil, fmt.Errorf("cannot find '%s' to read it", path)
 	}
 	c = make([]byte, len(result.content))
-	copy(c, result.content)
-	return c, nil
+	_, err = result.Read(c)
+	return c, err
 }

 // Read returns the content of the file node.
@@ -442,19 +387,7 @@ func (n *fsNode) Read(d []byte) (c int, err error) {
 		return 0, fmt.Errorf(
 			"cannot read content from non-file '%s'", n.Path())
 	}
-	if n.offset == nil {
-		return 0, fmt.Errorf("cannot read from closed file '%s'", n.Path())
-	}
-
-	rest := n.content[*n.offset:]
-	if len(d) < len(rest) {
-		rest = rest[:len(d)]
-	} else {
-		err = io.EOF
-	}
-	copy(d, rest)
-	*n.offset += len(rest)
-	return len(rest), err
+	return copy(d, n.content), nil
 }

 // Write saves the contents of the argument to the file node.
@@ -463,12 +396,8 @@ func (n *fsNode) Write(p []byte) (c int, err error) {
 		return 0, fmt.Errorf(
 			"cannot write content to non-file '%s'", n.Path())
 	}
-	if n.offset == nil {
-		return 0, fmt.Errorf("cannot write to closed file '%s'", n.Path())
-	}
-	n.content = append(n.content[:*n.offset], p...)
-	*n.offset = len(n.content)
-	return len(p), nil
+	n.content = make([]byte, len(p))
+	return copy(n.content, p), nil
 }

 // ContentMatches returns true if v matches fake file's content.
@@ -493,7 +422,7 @@ func (n *fsNode) Walk(path string, walkFn filepath.WalkFunc) error {
 		return err
 	}
 	if result == nil {
-		return notExistError(path)
+		return fmt.Errorf("cannot find '%s' to walk it", path)
 	}
 	return result.WalkMe(walkFn)
 }
@@ -569,7 +498,7 @@ func (n *fsNode) DebugPrint() {
 	})
 }

-var legalFileNamePattern = regexp.MustCompile("^[a-zA-Z0-9-_.:]+$")
+var legalFileNamePattern = regexp.MustCompile("^[a-zA-Z0-9-_.]+$")

 // This rules enforced here should be simpler and tighter
 // than what's allowed on a real OS.
@@ -586,7 +515,7 @@ func isLegalFileNameForCreation(n string) bool {
 func (n *fsNode) RegExpGlob(pattern string) ([]string, error) {
 	var result []string
 	var expression = regexp.MustCompile(pattern)
-	err := n.WalkMe(func(path string, info os.FileInfo, err error) error {
+	n.WalkMe(func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
 		}
@@ -597,9 +526,6 @@ func (n *fsNode) RegExpGlob(pattern string) ([]string, error) {
 		}
 		return nil
 	})
-	if err != nil {
-		return nil, err
-	}
 	sort.Strings(result)
 	return result, nil
 }
@@ -611,8 +537,7 @@ func (n *fsNode) RegExpGlob(pattern string) ([]string, error) {
 // This is how /bin/ls behaves.
 func (n *fsNode) Glob(pattern string) ([]string, error) {
 	var result []string
-	var allFiles []string
-	err := n.WalkMe(func(path string, info os.FileInfo, err error) error {
+	n.WalkMe(func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
 		}
@@ -622,26 +547,11 @@ func (n *fsNode) Glob(pattern string) ([]string, error) {
 				return err
 			}
 			if match {
-				allFiles = append(allFiles, path)
+				result = append(result, path)
 			}
 		}
 		return nil
 	})
-	if err != nil {
-		return nil, err
-	}
-	if IsHiddenFilePath(pattern) {
-		result = allFiles
-	} else {
-		result = RemoveHiddenFiles(allFiles)
-	}
 	sort.Strings(result)
 	return result, nil
 }
-
-// notExistError indicates that a file or directory does not exist.
-// Unwrapping returns os.ErrNotExist so errors.Is(err, os.ErrNotExist) works correctly.
-type notExistError string
-
-func (err notExistError) Error() string { return fmt.Sprintf("'%s' doesn't exist", string(err)) }
-func (err notExistError) Unwrap() error { return os.ErrNotExist }
--- a/kyaml/filesys/fsnode_test.go
+++ b/kyaml/filesys/fsnode_test.go
@@ -1,22 +1,15 @@
 // Copyright 2019 The Kubernetes Authors.
 // SPDX-License-Identifier: Apache-2.0

-//go:build !windows
-// +build !windows
-
 package filesys

 import (
 	"fmt"
-	"io"
-	"math/rand"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
 	"testing"
-
-	"github.com/stretchr/testify/require"
 )

 const content = `
@@ -33,12 +26,6 @@ var topCases = []pathCase{
 		arg:    ParentDir,
 		errStr: "illegal name '..' in file creation",
 	},
-	{
-		what: "colon",
-		arg:  "a:b",
-		name: "a:b",
-		path: "a:b",
-	},
 	{
 		what:   "empty",
 		arg:    "",
@@ -100,10 +87,11 @@ func TestMakeFsInMemory(t *testing.T) {
 		t, "MakeFsInMemory", true, topCases, MakeFsInMemory())
 }

+//nolint:gocyclo
 func runBasicOperations(
 	t *testing.T, tName string, isFSysRooted bool,
 	cases []pathCase, fSys FileSystem) {
-	t.Helper()
+	buff := make([]byte, 500)
 	for _, c := range cases {
 		err := fSys.WriteFile(c.arg, []byte(content))
 		if c.errStr != "" {
@@ -140,44 +128,26 @@ func runBasicOperations(
 		if fi.Name() != c.name {
 			t.Fatalf("%s; expected name '%s', got '%s'", c.what, c.name, fi.Name())
 		}
-		buff, err := io.ReadAll(f)
+		count, err := f.Read(buff)
 		if err != nil {
 			t.Fatalf("%s; unexpected error: %v", c.what, err)
 		}
-		if string(buff) != content {
+		if string(buff[:count]) != content {
 			t.Fatalf("%s; unexpected buff '%s'", c.what, buff)
 		}
-		count, err := f.Write([]byte(shortContent))
+		count, err = f.Write([]byte(shortContent))
 		if err != nil {
 			t.Fatalf("%s; unexpected error: %v", c.what, err)
 		}
 		if count != len(shortContent) {
 			t.Fatalf("%s; unexpected count: %d", c.what, len(shortContent))
 		}
-		if err := f.Close(); err != nil {
-			t.Fatalf("%s; unexpected error: %v", c.what, err)
-		}
-		stuff, err = fSys.ReadFile(c.path)
-		if err != nil {
-			t.Fatalf("%s; unexpected error: %v", c.what, err)
-		}
-		both := content + shortContent
-		if string(stuff) != both {
-			t.Fatalf("%s; unexpected content '%s', expected '%s'", c.what, stuff, both)
-		}
-
-		content := []byte(shortContent)
-		if err := fSys.WriteFile(c.path, content); err != nil {
-			t.Fatalf("%s; unexpected error: %v", c.what, err)
-		}
-		// This ensures that modifying the original slice does not change the contents of the file.
-		content[0] = '@'
 		stuff, err = fSys.ReadFile(c.path)
 		if err != nil {
 			t.Fatalf("%s; unexpected error: %v", c.what, err)
 		}
 		if string(stuff) != shortContent {
-			t.Fatalf("%s; unexpected content '%s', expected '%s'", c.what, stuff, shortContent)
+			t.Fatalf("%s; unexpected content '%s'", c.what, stuff)
 		}
 	}

@@ -378,7 +348,6 @@ func TestAddFile(t *testing.T) {
 func checkNode(
 	t *testing.T, what string, f *fsNode, name string,
 	size int, isDir bool, path string) {
-	t.Helper()
 	if f.isNodeADir() != isDir {
 		t.Fatalf("%s; unexpected isNodeADir = %v", what, f.isNodeADir())
 	}
@@ -396,7 +365,6 @@ func checkNode(
 func checkOsStat(
 	t *testing.T, what string, f File, name string,
 	size int, isDir bool) {
-	t.Helper()
 	info, err := f.Stat()
 	if err != nil {
 		t.Fatalf("%s; unexpected stat error %v", what, err)
@@ -458,10 +426,10 @@ var bunchOfFiles = []struct {
 		addAsDir: true,
 	},
 	{
-		path: "x",
+		path: filepath.Join("x"),
 	},
 	{
-		path: "y",
+		path: filepath.Join("y"),
 	},
 	{
 		path: filepath.Join("b", "d", "a", "c", "i", "beans"),
@@ -473,17 +441,9 @@ var bunchOfFiles = []struct {
 	{
 		path: filepath.Join("b", "d", "a", "c", "u"),
 	},
-	{
-		path: filepath.Join("b", "d", ".hidden_file"),
-	},
-	{
-		path:     filepath.Join("b", "d", ".hidden_dir"),
-		addAsDir: true,
-	},
 }

 func makeLoadedFileTree(t *testing.T) *fsNode {
-	t.Helper()
 	n := MakeEmptyDirInMemory()
 	var err error
 	expectedFileCount := 0
@@ -498,7 +458,8 @@ func makeLoadedFileTree(t *testing.T) *fsNode {
 			t.Fatalf("unexpected error %v", err)
 		}
 	}
-	if fc := n.FileCount(); fc != expectedFileCount {
+	fc := n.FileCount()
+	if fc != expectedFileCount {
 		t.Fatalf("expected file count %d, got %d",
 			expectedFileCount, fc)
 	}
@@ -568,14 +529,15 @@ func TestRemove(t *testing.T) {
 	orgCount -= 3

 	// Now drop one more for a total of four dropped.
-	result, _ = n.Find("y")
+	result, _ = n.Find(filepath.Join("y"))
 	err = result.Remove()
 	if err != nil {
 		t.Fatalf("%s; unable to remove: %v", path, err)
 	}
 	orgCount -= 1

-	if fc := n.FileCount(); fc != orgCount {
+	fc := n.FileCount()
+	if fc != orgCount {
 		t.Fatalf("expected file count %d, got %d",
 			orgCount, fc)
 	}
@@ -595,7 +557,6 @@ func TestExists(t *testing.T) {
 func TestRegExpGlob(t *testing.T) {
 	n := makeLoadedFileTree(t)
 	expected := []string{
-		filepath.Join("b", "d", ".hidden_file"),
 		filepath.Join("b", "d", "a", "c", "i", "beans"),
 		filepath.Join("b", "d", "a", "c", "m"),
 		filepath.Join("b", "d", "a", "c", "u"),
@@ -615,40 +576,19 @@ func TestRegExpGlob(t *testing.T) {

 func TestGlob(t *testing.T) {
 	n := makeLoadedFileTree(t)
-
-	tests := map[string]struct {
-		globPattern   string
-		expectedFiles []string
-	}{
-		"VisibleFiles": {
-			globPattern: "b/d/*",
-			expectedFiles: []string{
-				filepath.Join("b", "d", "x"),
-				filepath.Join("b", "d", "y"),
-				filepath.Join("b", "d", "z"),
-			},
-		},
-		"HiddenFiles": {
-			globPattern: "b/d/.*",
-			expectedFiles: []string{
-				filepath.Join("b", "d", ".hidden_file"),
-			},
-		},
+	expected := []string{
+		filepath.Join("b", "d", "x"),
+		filepath.Join("b", "d", "y"),
+		filepath.Join("b", "d", "z"),
 	}
-
-	for test, c := range tests {
-		t.Run(test, func(t *testing.T) {
-			paths, err := n.Glob(c.globPattern)
-			if err != nil {
-				t.Fatalf("glob error: %v", err)
-			}
-			assertEqualStringSlices(t, c.expectedFiles, paths, "glob test")
-		})
+	paths, err := n.Glob("b/d/*")
+	if err != nil {
+		t.Fatalf("glob error: %v", err)
 	}
+	assertEqualStringSlices(t, expected, paths, "glob test")
 }

 func assertEqualStringSlices(t *testing.T, expected, actual []string, message string) {
-	t.Helper()
 	if len(expected) != len(actual) {
 		t.Fatalf(
 			"%s; unequal sizes; len(expected)=%d, len(actual)=%d\n%+v\n%+v\n",
@@ -700,7 +640,7 @@ func TestFind(t *testing.T) {
 		},
 		{
 			what:      "directory",
-			arg:       "b",
+			arg:       filepath.Join("b"),
 			expectDir: true,
 		},
 		{
@@ -846,78 +786,3 @@ func TestCleanedAbs(t *testing.T) {
 		}
 	}
 }
-
-func TestConfirmDirMemRoot(t *testing.T) {
-	fSys := MakeFsInMemory()
-	actual, err := ConfirmDir(fSys, Separator)
-	require.NoError(t, err)
-	require.Equal(t, Separator, actual.String())
-}
-
-func TestConfirmDirRelativeNode(t *testing.T) {
-	req := require.New(t)
-	fSysEmpty := MakeEmptyDirInMemory()
-
-	fSysRoot, err := fSysEmpty.AddDir("a")
-	req.NoError(err)
-	fSysSub, err := fSysRoot.AddDir("b")
-	req.NoError(err)
-	err = fSysSub.Mkdir("c")
-	req.NoError(err)
-
-	expected := filepath.Join("a", "b", "c")
-	req.Truef(fSysEmpty.Exists(expected), existMsg, expected)
-
-	actual, err := ConfirmDir(fSysSub, "c")
-	req.NoError(err)
-	req.Equal(expected, actual.String())
-}
-
-func TestFileOps(t *testing.T) {
-	const path = "foo.txt"
-	content := strings.Repeat("longest content", 100)
-
-	fs := MakeFsInMemory()
-	f, err := fs.Create(path)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if _, err := fs.Open(path); err == nil {
-		t.Fatalf("expected already opened error, got nil")
-	}
-	if _, err := fmt.Fprint(f, content); err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if err := f.Close(); err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if err := f.Close(); err == nil {
-		t.Fatalf("expected already closed error, got nil")
-	}
-
-	f, err = fs.Open(path)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	defer f.Close()
-
-	for {
-		buf := make([]byte, rand.Intn(10))
-		n, err := f.Read(buf)
-		if err != nil && err != io.EOF {
-			t.Fatalf("unexpected error: %v", err)
-		}
-		if content[:n] != string(buf[:n]) {
-			t.Fatalf("unexpected read: expected %q got %q", content[:n], buf[:n])
-		}
-		content = content[n:]
-		if err != io.EOF {
-			continue
-		}
-		if len(content) == 0 {
-			break
-		}
-		t.Fatalf("unexpected EOF: remaining %d bytes", len(content))
-	}
-}
--- a/api/filesys/fsondisk.go
+++ b/api/filesys/fsondisk.go
@@ -0,0 +1,114 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+)
+
+var _ FileSystem = fsOnDisk{}
+
+// fsOnDisk implements FileSystem using the local filesystem.
+type fsOnDisk struct{}
+
+// MakeFsOnDisk makes an instance of fsOnDisk.
+func MakeFsOnDisk() FileSystem {
+	return fsOnDisk{}
+}
+
+// Create delegates to os.Create.
+func (fsOnDisk) Create(name string) (File, error) { return os.Create(name) }
+
+// Mkdir delegates to os.Mkdir.
+func (fsOnDisk) Mkdir(name string) error {
+	return os.Mkdir(name, 0777|os.ModeDir)
+}
+
+// MkdirAll delegates to os.MkdirAll.
+func (fsOnDisk) MkdirAll(name string) error {
+	return os.MkdirAll(name, 0777|os.ModeDir)
+}
+
+// RemoveAll delegates to os.RemoveAll.
+func (fsOnDisk) RemoveAll(name string) error {
+	return os.RemoveAll(name)
+}
+
+// Open delegates to os.Open.
+func (fsOnDisk) Open(name string) (File, error) { return os.Open(name) }
+
+// CleanedAbs converts the given path into a
+// directory and a file name, where the directory
+// is represented as a ConfirmedDir and all that implies.
+// If the entire path is a directory, the file component
+// is an empty string.
+func (x fsOnDisk) CleanedAbs(
+	path string) (ConfirmedDir, string, error) {
+	absRoot, err := filepath.Abs(path)
+	if err != nil {
+		return "", "", fmt.Errorf(
+			"abs path error on '%s' : %v", path, err)
+	}
+	deLinked, err := filepath.EvalSymlinks(absRoot)
+	if err != nil {
+		return "", "", fmt.Errorf(
+			"evalsymlink failure on '%s' : %v", path, err)
+	}
+	if x.IsDir(deLinked) {
+		return ConfirmedDir(deLinked), "", nil
+	}
+	d := filepath.Dir(deLinked)
+	if !x.IsDir(d) {
+		// Programmer/assumption error.
+		log.Fatalf("first part of '%s' not a directory", deLinked)
+	}
+	if d == deLinked {
+		// Programmer/assumption error.
+		log.Fatalf("d '%s' should be a subset of deLinked", d)
+	}
+	f := filepath.Base(deLinked)
+	if filepath.Join(d, f) != deLinked {
+		// Programmer/assumption error.
+		log.Fatalf("these should be equal: '%s', '%s'",
+			filepath.Join(d, f), deLinked)
+	}
+	return ConfirmedDir(d), f, nil
+}
+
+// Exists returns true if os.Stat succeeds.
+func (fsOnDisk) Exists(name string) bool {
+	_, err := os.Stat(name)
+	return err == nil
+}
+
+// Glob returns the list of matching files
+func (fsOnDisk) Glob(pattern string) ([]string, error) {
+	return filepath.Glob(pattern)
+}
+
+// IsDir delegates to os.Stat and FileInfo.IsDir
+func (fsOnDisk) IsDir(name string) bool {
+	info, err := os.Stat(name)
+	if err != nil {
+		return false
+	}
+	return info.IsDir()
+}
+
+// ReadFile delegates to ioutil.ReadFile.
+func (fsOnDisk) ReadFile(name string) ([]byte, error) { return ioutil.ReadFile(name) }
+
+// WriteFile delegates to ioutil.WriteFile with read/write permissions.
+func (fsOnDisk) WriteFile(name string, c []byte) error {
+	return ioutil.WriteFile(name, c, 0666)
+}
+
+// Walk delegates to filepath.Walk.
+func (fsOnDisk) Walk(path string, walkFn filepath.WalkFunc) error {
+	return filepath.Walk(path, walkFn)
+}
--- a/api/filesys/fsondisk_test.go
+++ b/api/filesys/fsondisk_test.go
@@ -0,0 +1,165 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys_test
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"reflect"
+	"testing"
+
+	. "sigs.k8s.io/kustomize/api/filesys"
+)
+
+func makeTestDir(t *testing.T) (FileSystem, string) {
+	fSys := MakeFsOnDisk()
+	td, err := ioutil.TempDir("", "kustomize_testing_dir")
+	if err != nil {
+		t.Fatalf("unexpected error %s", err)
+	}
+	testDir, err := filepath.EvalSymlinks(td)
+	if err != nil {
+		t.Fatalf("unexpected error %s", err)
+	}
+	if !fSys.Exists(testDir) {
+		t.Fatalf("expected existence")
+	}
+	if !fSys.IsDir(testDir) {
+		t.Fatalf("expected directory")
+	}
+	return fSys, testDir
+}
+
+func TestCleanedAbs_1(t *testing.T) {
+	fSys, testDir := makeTestDir(t)
+	defer os.RemoveAll(testDir)
+
+	d, f, err := fSys.CleanedAbs("")
+	if err != nil {
+		t.Fatalf("unexpected err=%v", err)
+	}
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("unexpected err=%v", err)
+	}
+	if d.String() != wd {
+		t.Fatalf("unexpected d=%s", d)
+	}
+	if f != "" {
+		t.Fatalf("unexpected f=%s", f)
+	}
+}
+
+func TestCleanedAbs_2(t *testing.T) {
+	fSys, testDir := makeTestDir(t)
+	defer os.RemoveAll(testDir)
+
+	d, f, err := fSys.CleanedAbs("/")
+	if err != nil {
+		t.Fatalf("unexpected err=%v", err)
+	}
+	if d != "/" {
+		t.Fatalf("unexpected d=%s", d)
+	}
+	if f != "" {
+		t.Fatalf("unexpected f=%s", f)
+	}
+}
+
+func TestCleanedAbs_3(t *testing.T) {
+	fSys, testDir := makeTestDir(t)
+	defer os.RemoveAll(testDir)
+
+	err := fSys.WriteFile(
+		filepath.Join(testDir, "foo"), []byte(`foo`))
+	if err != nil {
+		t.Fatalf("unexpected err=%v", err)
+	}
+
+	d, f, err := fSys.CleanedAbs(filepath.Join(testDir, "foo"))
+	if err != nil {
+		t.Fatalf("unexpected err=%v", err)
+	}
+	if d.String() != testDir {
+		t.Fatalf("unexpected d=%s", d)
+	}
+	if f != "foo" {
+		t.Fatalf("unexpected f=%s", f)
+	}
+}
+
+func TestCleanedAbs_4(t *testing.T) {
+	fSys, testDir := makeTestDir(t)
+	defer os.RemoveAll(testDir)
+
+	err := fSys.MkdirAll(filepath.Join(testDir, "d1", "d2"))
+	if err != nil {
+		t.Fatalf("unexpected err=%v", err)
+	}
+	err = fSys.WriteFile(
+		filepath.Join(testDir, "d1", "d2", "bar"),
+		[]byte(`bar`))
+	if err != nil {
+		t.Fatalf("unexpected err=%v", err)
+	}
+
+	d, f, err := fSys.CleanedAbs(
+		filepath.Join(testDir, "d1", "d2"))
+	if err != nil {
+		t.Fatalf("unexpected err=%v", err)
+	}
+	if d.String() != filepath.Join(testDir, "d1", "d2") {
+		t.Fatalf("unexpected d=%s", d)
+	}
+	if f != "" {
+		t.Fatalf("unexpected f=%s", f)
+	}
+
+	d, f, err = fSys.CleanedAbs(
+		filepath.Join(testDir, "d1", "d2", "bar"))
+	if err != nil {
+		t.Fatalf("unexpected err=%v", err)
+	}
+	if d.String() != filepath.Join(testDir, "d1", "d2") {
+		t.Fatalf("unexpected d=%s", d)
+	}
+	if f != "bar" {
+		t.Fatalf("unexpected f=%s", f)
+	}
+}
+
+func TestReadFilesRealFS(t *testing.T) {
+	fSys, testDir := makeTestDir(t)
+	defer os.RemoveAll(testDir)
+
+	err := fSys.WriteFile(path.Join(testDir, "foo"), []byte(`foo`))
+	if err != nil {
+		t.Fatalf("unexpected error %s", err)
+	}
+	if !fSys.Exists(path.Join(testDir, "foo")) {
+		t.Fatalf("expected foo")
+	}
+	if fSys.IsDir(path.Join(testDir, "foo")) {
+		t.Fatalf("expected foo not to be a directory")
+	}
+
+	err = fSys.WriteFile(path.Join(testDir, "bar"), []byte(`bar`))
+	if err != nil {
+		t.Fatalf("unexpected error %s", err)
+	}
+
+	files, err := fSys.Glob(path.Join("testDir", "*"))
+	expected := []string{
+		path.Join(testDir, "bar"),
+		path.Join(testDir, "foo"),
+	}
+	if err != nil {
+		t.Fatalf("expected no error")
+	}
+	if reflect.DeepEqual(files, expected) {
+		t.Fatalf("incorrect files found by glob: %v", files)
+	}
+}
--- a/api/filesys/util.go
+++ b/api/filesys/util.go
@@ -0,0 +1,125 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// RootedPath returns a rooted path, e.g. "/foo/bar" as
+// opposed to "foo/bar".
+func RootedPath(elem ...string) string {
+	return Separator + filepath.Join(elem...)
+}
+
+// StripTrailingSeps trims trailing filepath separators from input.
+func StripTrailingSeps(s string) string {
+	k := len(s)
+	for k > 0 && s[k-1] == filepath.Separator {
+		k--
+	}
+	return s[:k]
+}
+
+// StripLeadingSeps trims leading filepath separators from input.
+func StripLeadingSeps(s string) string {
+	k := 0
+	for k < len(s) && s[k] == filepath.Separator {
+		k++
+	}
+	return s[k:]
+}
+
+// PathSplit converts a file path to a slice of string.
+// If the path is absolute (if the path has a leading slash),
+// then the first entry in the result is an empty string.
+// Desired:  path == PathJoin(PathSplit(path))
+func PathSplit(incoming string) []string {
+	if incoming == "" {
+		return []string{}
+	}
+	dir, path := filepath.Split(incoming)
+	if dir == string(os.PathSeparator) {
+		if path == "" {
+			return []string{""}
+		}
+		return []string{"", path}
+	}
+	dir = strings.TrimSuffix(dir, string(os.PathSeparator))
+	if dir == "" {
+		return []string{path}
+	}
+	return append(PathSplit(dir), path)
+}
+
+// PathJoin converts a slice of string to a file path.
+// If the first entry is an empty string, then the returned
+// path is absolute (it has a leading slash).
+// Desired:  path == PathJoin(PathSplit(path))
+func PathJoin(incoming []string) string {
+	if len(incoming) == 0 {
+		return ""
+	}
+	if incoming[0] == "" {
+		return string(os.PathSeparator) + filepath.Join(incoming[1:]...)
+	}
+	return filepath.Join(incoming...)
+}
+
+// InsertPathPart inserts 'part' at position 'pos' in the given filepath.
+// The first position is 0.
+//
+// E.g. if part == 'PEACH'
+//
+//                  OLD : NEW                    : POS
+//      --------------------------------------------------------
+//              {empty} : PEACH                  : irrelevant
+//                    / : /PEACH                 : irrelevant
+//                  pie : PEACH/pie              : 0 (or negative)
+//                 /pie : /PEACH/pie             : 0 (or negative)
+//                  raw : raw/PEACH              : 1 (or larger)
+//                 /raw : /raw/PEACH             : 1 (or larger)
+//      a/nice/warm/pie : a/nice/warm/PEACH/pie  : 3
+//     /a/nice/warm/pie : /a/nice/warm/PEACH/pie : 3
+//
+// * An empty part results in no change.
+//
+// * Absolute paths get their leading '/' stripped, treated like
+//   relative paths, and the leading '/' is re-added on output.
+//   The meaning of pos is intentionally the same in either absolute or
+//   relative paths; if it weren't, this function could convert absolute
+//   paths to relative paths, which is not desirable.
+//
+// * For robustness (liberal input, conservative output) Pos values that
+//   that are too small (large) to index the split filepath result in a
+//   prefix (postfix) rather than an error.  Use extreme position values
+//   to assure a prefix or postfix (e.g. 0 will always prefix, and
+//   9999 will presumably always postfix).
+func InsertPathPart(path string, pos int, part string) string {
+	if part == "" {
+		return path
+	}
+	parts := PathSplit(path)
+	if pos < 0 {
+		pos = 0
+	} else if pos > len(parts) {
+		pos = len(parts)
+	}
+	if len(parts) > 0 && parts[0] == "" && pos < len(parts) {
+		// An empty string at 0 indicates an absolute path, and means
+		// we must increment pos.  This change means that a position
+		// specification has the same meaning in relative and absolute paths.
+		// E.g. in either the path 'a/b/c' or the path '/a/b/c',
+		// 'a' is at 0, 'b' is at 1 and 'c' is at 2, and inserting at
+		// zero means a new first field _without_ changing an absolute
+		// path to a relative path.
+		pos++
+	}
+	result := make([]string, len(parts)+1)
+	copy(result, parts[0:pos])
+	result[pos] = part
+	return PathJoin(append(result, parts[pos:]...))
+}
--- a/api/filesys/util_test.go
+++ b/api/filesys/util_test.go
@@ -0,0 +1,374 @@
+package filesys_test
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	. "sigs.k8s.io/kustomize/api/filesys"
+)
+
+// Confirm behavior of filepath.Match
+func TestFilePathMatch(t *testing.T) {
+	cases := []struct {
+		pattern  string
+		path     string
+		expected bool
+	}{
+		{
+			pattern:  "*e*",
+			path:     "hey",
+			expected: true,
+		},
+		{
+			pattern:  "*e*",
+			path:     "hay",
+			expected: false,
+		},
+		{
+			pattern:  "*e*",
+			path:     filepath.Join("h", "e", "y"),
+			expected: false,
+		},
+		{
+			pattern:  "*/e/*",
+			path:     filepath.Join("h", "e", "y"),
+			expected: true,
+		},
+		{
+			pattern:  "h/e/*",
+			path:     filepath.Join("h", "e", "y"),
+			expected: true,
+		},
+		{
+			pattern:  "*/e/y",
+			path:     filepath.Join("h", "e", "y"),
+			expected: true,
+		},
+		{
+			pattern:  "*/*/*",
+			path:     filepath.Join("h", "e", "y"),
+			expected: true,
+		},
+		{
+			pattern:  "*/*/*",
+			path:     filepath.Join("h", "e", "y", "there"),
+			expected: false,
+		},
+		{
+			pattern:  "*/*/*/t*e",
+			path:     filepath.Join("h", "e", "y", "there"),
+			expected: true,
+		},
+	}
+	for _, item := range cases {
+		match, err := filepath.Match(item.pattern, item.path)
+		if err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if match != item.expected {
+			t.Fatalf("'%s' '%s' %v\n", item.pattern, item.path, match)
+		}
+	}
+}
+
+// Confirm behavior of filepath.Split
+func TestFilePathSplit(t *testing.T) {
+	cases := []struct {
+		full string
+		dir  string
+		file string
+	}{
+		{
+			full: "",
+			dir:  "",
+			file: "",
+		},
+		{
+			full: SelfDir,
+			dir:  "",
+			file: SelfDir,
+		},
+		{
+			full: "rabbit.jpg",
+			dir:  "",
+			file: "rabbit.jpg",
+		},
+		{
+			full: "/",
+			dir:  "/",
+			file: "",
+		},
+		{
+			full: "/beans",
+			dir:  "/",
+			file: "beans",
+		},
+		{
+			full: "/home/foo/bar",
+			dir:  "/home/foo/",
+			file: "bar",
+		},
+		{
+			full: "/usr/local/",
+			dir:  "/usr/local/",
+			file: "",
+		},
+		{
+			full: "/usr//local//go",
+			dir:  "/usr//local//",
+			file: "go",
+		},
+	}
+	for _, p := range cases {
+		dir, file := filepath.Split(p.full)
+		if dir != p.dir || file != p.file {
+			t.Fatalf(
+				"in '%s',\ngot dir='%s' (expected '%s'),\n got file='%s' (expected %s).",
+				p.full, dir, p.dir, file, p.file)
+		}
+	}
+}
+
+func TestPathSplitAndJoin(t *testing.T) {
+	cases := map[string]struct {
+		original string
+		expected []string
+	}{
+		"Empty": {
+			original: "",
+			expected: []string{},
+		},
+		"One": {
+			original: "hello",
+			expected: []string{"hello"},
+		},
+		"Two": {
+			original: "hello/there",
+			expected: []string{"hello", "there"},
+		},
+		"Three": {
+			original: "hello/my/friend",
+			expected: []string{"hello", "my", "friend"},
+		},
+	}
+	for n, c := range cases {
+		f := func(t *testing.T, original string, expected []string) {
+			actual := PathSplit(original)
+			if len(actual) != len(expected) {
+				t.Fatalf(
+					"expected len %d, got len %d",
+					len(expected), len(actual))
+			}
+			for i := range expected {
+				if expected[i] != actual[i] {
+					t.Fatalf(
+						"at i=%d, expected '%s', got '%s'",
+						i, expected[i], actual[i])
+				}
+			}
+			joined := PathJoin(actual)
+			if joined != original {
+				t.Fatalf(
+					"when rejoining, expected '%s', got '%s'",
+					original, joined)
+			}
+		}
+		t.Run("relative"+n, func(t *testing.T) {
+			f(t, c.original, c.expected)
+		})
+		t.Run("absolute"+n, func(t *testing.T) {
+			f(t,
+				string(os.PathSeparator)+c.original,
+				append([]string{""}, c.expected...))
+		})
+	}
+}
+
+func TestInsertPathPart(t *testing.T) {
+	cases := map[string]struct {
+		original string
+		pos      int
+		part     string
+		expected string
+	}{
+		"rootOne": {
+			original: "/",
+			pos:      0,
+			part:     "___",
+			expected: "/___",
+		},
+		"rootTwo": {
+			original: "/",
+			pos:      444,
+			part:     "___",
+			expected: "/___",
+		},
+		"rootedFirst": {
+			original: "/apple",
+			pos:      0,
+			part:     "___",
+			expected: "/___/apple",
+		},
+		"rootedSecond": {
+			original: "/apple",
+			pos:      444,
+			part:     "___",
+			expected: "/apple/___",
+		},
+		"rootedThird": {
+			original: "/apple/banana",
+			pos:      444,
+			part:     "___",
+			expected: "/apple/banana/___",
+		},
+		"emptyLow": {
+			original: "",
+			pos:      -3,
+			part:     "___",
+			expected: "___",
+		},
+		"emptyHigh": {
+			original: "",
+			pos:      444,
+			part:     "___",
+			expected: "___",
+		},
+		"peachPie": {
+			original: "a/nice/warm/pie",
+			pos:      3,
+			part:     "PEACH",
+			expected: "a/nice/warm/PEACH/pie",
+		},
+		"rootedPeachPie": {
+			original: "/a/nice/warm/pie",
+			pos:      3,
+			part:     "PEACH",
+			expected: "/a/nice/warm/PEACH/pie",
+		},
+		"longStart": {
+			original: "a/b/c/d/e/f",
+			pos:      0,
+			part:     "___",
+			expected: "___/a/b/c/d/e/f",
+		},
+		"rootedLongStart": {
+			original: "/a/b/c/d/e/f",
+			pos:      0,
+			part:     "___",
+			expected: "/___/a/b/c/d/e/f",
+		},
+		"longMiddle": {
+			original: "a/b/c/d/e/f",
+			pos:      3,
+			part:     "___",
+			expected: "a/b/c/___/d/e/f",
+		},
+		"rootedLongMiddle": {
+			original: "/a/b/c/d/e/f",
+			pos:      3,
+			part:     "___",
+			expected: "/a/b/c/___/d/e/f",
+		},
+		"longEnd": {
+			original: "a/b/c/d/e/f",
+			pos:      444,
+			part:     "___",
+			expected: "a/b/c/d/e/f/___",
+		},
+		"rootedLongEnd": {
+			original: "/a/b/c/d/e/f",
+			pos:      444,
+			part:     "___",
+			expected: "/a/b/c/d/e/f/___",
+		},
+	}
+	for n, c := range cases {
+		t.Run(n, func(t *testing.T) {
+			actual := InsertPathPart(c.original, c.pos, c.part)
+			if actual != c.expected {
+				t.Fatalf("expected '%s', got '%s'", c.expected, actual)
+			}
+		})
+	}
+}
+
+func TestStripTrailingSeps(t *testing.T) {
+	cases := []struct {
+		full string
+		rem  string
+	}{
+		{
+			full: "foo",
+			rem:  "foo",
+		},
+		{
+			full: "",
+			rem:  "",
+		},
+		{
+			full: "foo/",
+			rem:  "foo",
+		},
+		{
+			full: "foo///bar///",
+			rem:  "foo///bar",
+		},
+		{
+			full: "/////",
+			rem:  "",
+		},
+		{
+			full: "/",
+			rem:  "",
+		},
+	}
+	for _, p := range cases {
+		dir := StripTrailingSeps(p.full)
+		if dir != p.rem {
+			t.Fatalf(
+				"in '%s', got dir='%s' (expected '%s')",
+				p.full, dir, p.rem)
+		}
+	}
+}
+
+func TestStripLeadingSeps(t *testing.T) {
+	cases := []struct {
+		full string
+		rem  string
+	}{
+		{
+			full: "foo",
+			rem:  "foo",
+		},
+		{
+			full: "",
+			rem:  "",
+		},
+		{
+			full: "/foo",
+			rem:  "foo",
+		},
+		{
+			full: "///foo///bar///",
+			rem:  "foo///bar///",
+		},
+		{
+			full: "/////",
+			rem:  "",
+		},
+		{
+			full: "/",
+			rem:  "",
+		},
+	}
+	for _, p := range cases {
+		dir := StripLeadingSeps(p.full)
+		if dir != p.rem {
+			t.Fatalf(
+				"in '%s', got dir='%s' (expected '%s')",
+				p.full, dir, p.rem)
+		}
+	}
+}
--- a/api/filters/annotations/annotations.go
+++ b/api/filters/annotations/annotations.go
@@ -19,26 +19,18 @@ type Filter struct {

 	// FsSlice contains the FieldSpecs to locate the namespace field
 	FsSlice types.FsSlice
-
-	trackableSetter filtersutil.TrackableSetter
 }

 var _ kio.Filter = Filter{}
-var _ kio.TrackableFilter = &Filter{}
-
-// WithMutationTracker registers a callback which will be invoked each time a field is mutated
-func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
-	f.trackableSetter.WithMutationTracker(callback)
-}

 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
-	keys := yaml.SortedMapKeys(f.Annotations)
+	keys := filtersutil.SortedMapKeys(f.Annotations)
 	_, err := kio.FilterAll(yaml.FilterFunc(
 		func(node *yaml.RNode) (*yaml.RNode, error) {
 			for _, k := range keys {
 				if err := node.PipeE(fsslice.Filter{
 					FsSlice: f.FsSlice,
-					SetValue: f.trackableSetter.SetEntry(
+					SetValue: filtersutil.SetEntry(
 						k, f.Annotations[k], yaml.NodeTagString),
 					CreateKind: yaml.MappingNode, // Annotations are MappingNodes.
 					CreateTag:  yaml.NodeTagMap,
--- a/api/filters/annotations/annotations_test.go
+++ b/api/filters/annotations/annotations_test.go
@@ -11,20 +11,16 @@ import (
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

 var annosFs = builtinconfig.MakeDefaultConfig().CommonAnnotations

 func TestAnnotations_Filter(t *testing.T) {
-	mutationTrackStub := filtertest_test.MutationTrackerStub{}
 	testCases := map[string]struct {
-		input                string
-		expectedOutput       string
-		filter               Filter
-		fsslice              types.FsSlice
-		setEntryCallback     func(key, value, tag string, node *yaml.RNode)
-		expectedSetEntryArgs []filtertest_test.SetValueArg
+		input          string
+		expectedOutput string
+		filter         Filter
+		fsslice        types.FsSlice
 	}{
 		"add": {
 			input: `
@@ -214,86 +210,17 @@ metadata:
 				"b": "b1",
 			}},
 		},
-
-		// test usage of SetEntryCallback
-		"set_entry_callback": {
-			input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-`,
-			expectedOutput: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-  annotations:
-    a: a1
-    b: b1
-spec:
-  template:
-    metadata:
-      annotations:
-        a: a1
-        b: b1
-`,
-			filter: Filter{
-				Annotations: annoMap{
-					"a": "a1",
-					"b": "b1",
-				},
-			},
-			setEntryCallback: mutationTrackStub.MutationTracker,
-			fsslice: []types.FieldSpec{
-				{
-					Path:               "spec/template/metadata/annotations",
-					CreateIfNotPresent: true,
-				},
-			},
-			expectedSetEntryArgs: []filtertest_test.SetValueArg{
-				{
-					Key:      "a",
-					Value:    "a1",
-					Tag:      "!!str",
-					NodePath: []string{"metadata", "annotations"},
-				},
-				{
-					Key:      "a",
-					Value:    "a1",
-					Tag:      "!!str",
-					NodePath: []string{"spec", "template", "metadata", "annotations"},
-				},
-				{
-					Key:      "b",
-					Value:    "b1",
-					Tag:      "!!str",
-					NodePath: []string{"metadata", "annotations"},
-				},
-				{
-					Key:      "b",
-					Value:    "b1",
-					Tag:      "!!str",
-					NodePath: []string{"spec", "template", "metadata", "annotations"},
-				},
-			},
-		},
 	}

 	for tn, tc := range testCases {
-		mutationTrackStub.Reset()
 		t.Run(tn, func(t *testing.T) {
 			filter := tc.filter
-			filter.WithMutationTracker(tc.setEntryCallback)
-			filter.FsSlice = append(annosFs, tc.fsslice...) //nolint:gocritic
+			filter.FsSlice = append(annosFs, tc.fsslice...)
 			if !assert.Equal(t,
 				strings.TrimSpace(tc.expectedOutput),
 				strings.TrimSpace(filtertest_test.RunFilter(t, tc.input, filter))) {
 				t.FailNow()
 			}
-			if !assert.Equal(t, tc.expectedSetEntryArgs, mutationTrackStub.SetValueArgs()) {
-				t.FailNow()
-			}
 		})
 	}
 }
--- a/api/filters/annotations/example_test.go
+++ b/api/filters/annotations/example_test.go
@@ -28,9 +28,7 @@ metadata:
 `)}},
 		Filters: []kio.Filter{Filter{
 			Annotations: map[string]string{
-				"foo":          "bar",
-				"booleanValue": "true",
-				"numberValue":  "42",
+				"foo": "bar",
 			},
 			FsSlice: fss,
 		}},
@@ -46,16 +44,12 @@ metadata:
 	// metadata:
 	//   name: instance
 	//   annotations:
-	//     booleanValue: "true"
 	//     foo: bar
-	//     numberValue: "42"
 	// ---
 	// apiVersion: example.com/v1
 	// kind: Bar
 	// metadata:
 	//   name: instance
 	//   annotations:
-	//     booleanValue: "true"
 	//     foo: bar
-	//     numberValue: "42"
 }
--- a/api/filters/doc.go
+++ b/api/filters/doc.go
@@ -1,8 +0,0 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package filters
-
-// Package filters collects various implementations
-// sigs.k8s.io/kustomize/kyaml/kio.Filter used by kustomize
-// transformers to modify kubernetes objects.
--- a/api/filters/fieldspec/fieldspec.go
+++ b/api/filters/fieldspec/fieldspec.go
@@ -4,29 +4,17 @@
 package fieldspec

 import (
-	"fmt"
 	"strings"

 	"sigs.k8s.io/kustomize/api/filters/filtersutil"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/errors"
-	"sigs.k8s.io/kustomize/kyaml/resid"
-	"sigs.k8s.io/kustomize/kyaml/utils"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

 var _ yaml.Filter = Filter{}

-// Filter possibly mutates its object argument using a FieldSpec.
-// If the object matches the FieldSpec, and the node found
-// by following the fieldSpec's path is non-null, this filter calls
-// the setValue function on the node at the end of the path.
-// If any part of the path doesn't exist, the filter returns
-// without doing anything and without error, unless it was set
-// to create the path. If set to create, it creates a tree of maps
-// along the path, and the leaf node gets the setValue called on it.
-// Error on GVK mismatch, empty or poorly formed path.
-// Filter expect kustomize style paths, not JSON paths.
+// Filter applies a single fieldSpec to a single object
 // Filter stores internal state and should not be reused
 type Filter struct {
 	// FieldSpec contains the path to the value to set.
@@ -46,52 +34,44 @@ type Filter struct {

 func (fltr Filter) Filter(obj *yaml.RNode) (*yaml.RNode, error) {
 	// check if the FieldSpec applies to the object
-	if match := isMatchGVK(fltr.FieldSpec, obj); !match {
-		return obj, nil
+	if match, err := isMatchGVK(fltr.FieldSpec, obj); !match || err != nil {
+		return obj, errors.Wrap(err)
 	}
-	fltr.path = utils.PathSplitter(fltr.FieldSpec.Path, "/")
+	fltr.path = splitPath(fltr.FieldSpec.Path)
 	if err := fltr.filter(obj); err != nil {
+		s, _ := obj.String()
 		return nil, errors.WrapPrefixf(err,
-			"considering field '%s' of object %s", fltr.FieldSpec.Path, resid.FromRNode(obj))
+			"obj '%s' at path '%v'", s, fltr.FieldSpec.Path)
 	}
 	return obj, nil
 }

-// Recursively called.
 func (fltr Filter) filter(obj *yaml.RNode) error {
 	if len(fltr.path) == 0 {
 		// found the field -- set its value
 		return fltr.SetValue(obj)
 	}
-	if obj.IsTaggedNull() || obj.IsNil() {
-		return nil
-	}
 	switch obj.YNode().Kind {
 	case yaml.SequenceNode:
-		return fltr.handleSequence(obj)
+		return fltr.seq(obj)
 	case yaml.MappingNode:
-		return fltr.handleMap(obj)
-	case yaml.AliasNode:
-		return fltr.filter(yaml.NewRNode(obj.YNode().Alias))
+		return fltr.field(obj)
 	default:
 		return errors.Errorf("expected sequence or mapping node")
 	}
 }

-// handleMap calls filter on the map field matching the next path element
-func (fltr Filter) handleMap(obj *yaml.RNode) error {
+// field calls filter on the field matching the next path element
+func (fltr Filter) field(obj *yaml.RNode) error {
 	fieldName, isSeq := isSequenceField(fltr.path[0])
-	if fieldName == "" {
-		return fmt.Errorf("cannot set or create an empty field name")
-	}
 	// lookup the field matching the next path element
-	var operation yaml.Filter
+	var lookupField yaml.Filter
 	var kind yaml.Kind
-	tag := yaml.NodeTagEmpty
+	tag := "" // TODO: change to yaml.NodeTagEmpty
 	switch {
 	case !fltr.FieldSpec.CreateIfNotPresent || fltr.CreateKind == 0 || isSeq:
-		// don't create the field if we don't find it
-		operation = yaml.Lookup(fieldName)
+		// dont' create the field if we don't find it
+		lookupField = yaml.Lookup(fieldName)
 		if isSeq {
 			// The query path thinks this field should be a sequence;
 			// accept this hint for use later if the tag is NodeTagNull.
@@ -99,30 +79,25 @@ func (fltr Filter) handleMap(obj *yaml.RNode) error {
 		}
 	case len(fltr.path) <= 1:
 		// create the field if it is missing: use the provided node kind
-		operation = yaml.LookupCreate(fltr.CreateKind, fieldName)
+		lookupField = yaml.LookupCreate(fltr.CreateKind, fieldName)
 		kind = fltr.CreateKind
 		tag = fltr.CreateTag
 	default:
 		// create the field if it is missing: must be a mapping node
-		operation = yaml.LookupCreate(yaml.MappingNode, fieldName)
+		lookupField = yaml.LookupCreate(yaml.MappingNode, fieldName)
 		kind = yaml.MappingNode
 		tag = yaml.NodeTagMap
 	}

 	// locate (or maybe create) the field
-	field, err := obj.Pipe(operation)
-	if err != nil {
+	field, err := obj.Pipe(lookupField)
+	if err != nil || field == nil {
 		return errors.WrapPrefixf(err, "fieldName: %s", fieldName)
 	}
-	if field == nil {
-		// No error if field not found.
-		return nil
-	}

-	// if the value exists, but is null and kind is set,
-	// then change it to the creation type
+	// if the value exists, but is null, then change it to the creation type
 	// TODO: update yaml.LookupCreate to support this
-	if field.YNode().Tag == yaml.NodeTagNull && yaml.IsCreate(kind) {
+	if field.YNode().Tag == yaml.NodeTagNull {
 		field.YNode().Kind = kind
 		field.YNode().Tag = tag
 	}
@@ -135,10 +110,8 @@ func (fltr Filter) handleMap(obj *yaml.RNode) error {
 }

 // seq calls filter on all sequence elements
-func (fltr Filter) handleSequence(obj *yaml.RNode) error {
+func (fltr Filter) seq(obj *yaml.RNode) error {
 	if err := obj.VisitElements(func(node *yaml.RNode) error {
-		// set an accurate FieldPath for nested elements
-		node.AppendToFieldPath(obj.FieldPath()...)
 		// recurse on each element -- re-allocating a Filter is
 		// not strictly required, but is more consistent with field
 		// and less likely to have side effects
@@ -148,35 +121,56 @@ func (fltr Filter) handleSequence(obj *yaml.RNode) error {
 		return errors.WrapPrefixf(err,
 			"visit traversal on path: %v", fltr.path)
 	}
+
 	return nil
 }

 // isSequenceField returns true if the path element is for a sequence field.
 // isSequence also returns the path element with the '[]' suffix trimmed
 func isSequenceField(name string) (string, bool) {
-	shorter := strings.TrimSuffix(name, "[]")
-	return shorter, shorter != name
+	isSeq := strings.HasSuffix(name, "[]")
+	name = strings.TrimSuffix(name, "[]")
+	return name, isSeq
 }

 // isMatchGVK returns true if the fs.GVK matches the obj GVK.
-func isMatchGVK(fs types.FieldSpec, obj *yaml.RNode) bool {
-	if kind := obj.GetKind(); fs.Kind != "" && fs.Kind != kind {
+func isMatchGVK(fs types.FieldSpec, obj *yaml.RNode) (bool, error) {
+	meta, err := obj.GetMeta()
+	if err != nil {
+		return false, err
+	}
+	if fs.Kind != "" && fs.Kind != meta.Kind {
 		// kind doesn't match
-		return false
+		return false, err
 	}

 	// parse the group and version from the apiVersion field
-	group, version := resid.ParseGroupVersion(obj.GetApiVersion())
+	group, version := parseGV(meta.APIVersion)

 	if fs.Group != "" && fs.Group != group {
 		// group doesn't match
-		return false
+		return false, nil
 	}

 	if fs.Version != "" && fs.Version != version {
 		// version doesn't match
-		return false
+		return false, nil
 	}

-	return true
+	return true, nil
+}
+
+func splitPath(path string) []string {
+	ps := strings.Split(path, "/")
+	var res []string
+	res = append(res, ps[0])
+	for i := 1; i < len(ps); i++ {
+		lastIndex := len(res) - 1
+		if strings.HasSuffix(res[lastIndex], "\\") {
+			res[lastIndex] = strings.TrimSuffix(res[lastIndex], "\\") + "/" + ps[i]
+		} else {
+			res = append(res, ps[i])
+		}
+	}
+	return res
 }
--- a/api/filters/fieldspec/fieldspec_test.go
+++ b/api/filters/fieldspec/fieldspec_test.go
@@ -9,246 +9,212 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/kustomize/api/filters/fieldspec"
 	"sigs.k8s.io/kustomize/api/filters/filtersutil"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

-func TestFilter_Filter(t *testing.T) {
-	testCases := map[string]struct {
-		input     string
-		expected  string
-		filter    fieldspec.Filter
-		fieldSpec string
-		error     string
-	}{
-		"path not found": {
-			fieldSpec: `
-path: a/b
-group: foo
-kind: Bar
-`,
-			input: `
-apiVersion: foo
-kind: Bar
-xxx:
-`,
-			expected: `
-apiVersion: foo
-kind: Bar
-xxx:
-`,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
-		},
-		"empty path": {
-			fieldSpec: `
-group: foo
-version: v1
-kind: Bar
-`,
-			input: `
-apiVersion: foo/v1
-kind: Bar
-xxx:
-`,
-			expected: `
-apiVersion: foo
-kind: Bar
-xxx:
-`,
-			error: `considering field '' of object Bar.v1.foo/[noName].[noNs]: cannot set or create an empty field name`,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
-		},
+type TestCase struct {
+	name      string
+	input     string
+	expected  string
+	filter    fieldspec.Filter
+	fieldSpec string
+	error     string
+}

-		"update": {
-			fieldSpec: `
+var tests = []TestCase{
+	{
+		name: "update",
+		fieldSpec: `
 path: a/b
 group: foo
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
  b: c
 `,
-			expected: `
+		expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
  b: e
 `,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
+		filter: fieldspec.Filter{
+			SetValue: filtersutil.SetScalar("e"),
 		},
+	},

-		"update-kind-not-match": {
-			fieldSpec: `
+	{
+		name: "update-kind-not-match",
+		fieldSpec: `
 path: a/b
 group: foo
 kind: Bar1
 `,
-			input: `
+		input: `
 apiVersion: foo/v1beta1
 kind: Bar2
 a:
  b: c
 `,
-			expected: `
+		expected: `
 apiVersion: foo/v1beta1
 kind: Bar2
 a:
  b: c
 `,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
+		filter: fieldspec.Filter{
+			SetValue: filtersutil.SetScalar("e"),
 		},
+	},

-		"update-group-not-match": {
-			fieldSpec: `
+	{
+		name: "update-group-not-match",
+		fieldSpec: `
 path: a/b
 group: foo1
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: foo2/v1beta1
 kind: Bar
 a:
  b: c
 `,
-			expected: `
+		expected: `
 apiVersion: foo2/v1beta1
 kind: Bar
 a:
  b: c
 `,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
+		filter: fieldspec.Filter{
+			SetValue: filtersutil.SetScalar("e"),
 		},
+	},

-		"update-version-not-match": {
-			fieldSpec: `
+	{
+		name: "update-version-not-match",
+		fieldSpec: `
 path: a/b
 group: foo
 version: v1beta1
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: foo/v1beta2
 kind: Bar
 a:
  b: c
 `,
-			expected: `
+		expected: `
 apiVersion: foo/v1beta2
 kind: Bar
 a:
  b: c
 `,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
+		filter: fieldspec.Filter{
+			SetValue: filtersutil.SetScalar("e"),
 		},
+	},

-		"bad-version": {
-			fieldSpec: `
+	{
+		name: "bad-version",
+		fieldSpec: `
 path: a/b
 group: foo
 version: v1beta1
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: foo/v1beta2/something
 kind: Bar
 a:
  b: c
 `,
-			expected: `
+		expected: `
 apiVersion: foo/v1beta2/something
 kind: Bar
 a:
  b: c
 `,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
+		filter: fieldspec.Filter{
+			SetValue: filtersutil.SetScalar("e"),
 		},
+	},

-		"bad-meta": {
-			fieldSpec: `
+	{
+		name: "bad-meta",
+		fieldSpec: `
 path: a/b
 group: foo
 version: v1beta1
 kind: Bar
 `,
-			input: `
+		input: `
 a:
  b: c
 `,
-			expected: `
-a:
-  b: c
-`,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
+		filter: fieldspec.Filter{
+			SetValue: filtersutil.SetScalar("e"),
 		},
+		error: "missing Resource metadata",
+	},

-		"miss-match-type": {
-			fieldSpec: `
+	{
+		name: "miss-match-type",
+		fieldSpec: `
 path: a/b/c
 kind: Bar
 `,
-			input: `
+		input: `
 kind: Bar
 a:
  b: a
 `,
-			error: `considering field 'a/b/c' of object Bar.[noVer].[noGrp]/[noName].[noNs]: expected sequence or mapping node`,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
+		error: "obj 'kind: Bar\na:\n  b: a\n' at path 'a/b/c': " +
+			"expected sequence or mapping node",
+		filter: fieldspec.Filter{
+			SetValue: filtersutil.SetScalar("e"),
 		},
+	},

-		"add": {
-			fieldSpec: `
+	{
+		name: "add",
+		fieldSpec: `
 path: a/b/c/d
 group: foo
 create: true
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a: {}
 `,
-			expected: `
+		expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a: {b: {c: {d: e}}}
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("e"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("e"),
+			CreateKind: yaml.ScalarNode,
 		},
+	},

-		"update-in-sequence": {
-			fieldSpec: `
+	{
+		name: "update-in-sequence",
+		fieldSpec: `
 path: a/b[]/c/d
 group: foo
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
@@ -256,7 +222,7 @@ a:
  - c:
      d: a
 `,
-			expected: `
+		expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
@@ -264,237 +230,245 @@ a:
  - c:
      d: e
 `,
-			filter: fieldspec.Filter{
-				SetValue: filtersutil.SetScalar("e"),
-			},
+		filter: fieldspec.Filter{
+			SetValue: filtersutil.SetScalar("e"),
 		},
+	},

-		// Don't create a sequence
-		"empty-sequence-no-create": {
-			fieldSpec: `
+	// Don't create a sequence
+	{
+		name: "empty-sequence-no-create",
+		fieldSpec: `
 path: a/b[]/c/d
 group: foo
 create: true
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a: {}
 `,
-			expected: `
+		expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a: {}
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("e"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("e"),
+			CreateKind: yaml.ScalarNode,
 		},
+	},

-		// Create a new field for an element in a sequence
-		"empty-sequence-create": {
-			fieldSpec: `
+	// Create a new field for an element in a sequence
+	{
+		name: "empty-sequence-create",
+		fieldSpec: `
 path: a/b[]/c/d
 group: foo
 create: true
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
  b:
  - c: {}
 `,
-			expected: `
+		expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
  b:
  - c: {d: e}
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("e"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("e"),
+			CreateKind: yaml.ScalarNode,
 		},
+	},

-		"group v1": {
-			fieldSpec: `
+	{
+		name: "group v1",
+		fieldSpec: `
 path: a/b
 group: v1
 create: true
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: v1
 kind: Bar
 `,
-			expected: `
+		expected: `
 apiVersion: v1
 kind: Bar
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("e"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("e"),
+			CreateKind: yaml.ScalarNode,
 		},
+	},

-		"version v1": {
-			fieldSpec: `
+	{
+		name: "version v1",
+		fieldSpec: `
 path: a/b
 version: v1
 create: true
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: v1
 kind: Bar
 `,
-			expected: `
+		expected: `
 apiVersion: v1
 kind: Bar
 a:
  b: e
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("e"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("e"),
+			CreateKind: yaml.ScalarNode,
 		},
-
-		"successfully set field on array entry no sequence hint": {
-			fieldSpec: `
+	},
+	{
+		name: "successfully set field on array entry no sequence hint",
+		fieldSpec: `
 path: spec/containers/image
 version: v1
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: v1
 kind: Bar
 spec:
  containers:
  - image: foo
 `,
-			expected: `
+		expected: `
 apiVersion: v1
 kind: Bar
 spec:
  containers:
  - image: bar
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("bar"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("bar"),
+			CreateKind: yaml.ScalarNode,
 		},
-
-		"successfully set field on array entry with sequence hint": {
-			fieldSpec: `
+	},
+	{
+		name: "successfully set field on array entry with sequence hint",
+		fieldSpec: `
 path: spec/containers[]/image
 version: v1
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: v1
 kind: Bar
 spec:
  containers:
  - image: foo
 `,
-			expected: `
+		expected: `
 apiVersion: v1
 kind: Bar
 spec:
  containers:
  - image: bar
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("bar"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("bar"),
+			CreateKind: yaml.ScalarNode,
 		},
-		"failure to set field on array entry with sequence hint in path": {
-			fieldSpec: `
+	},
+	{
+		name: "failure to set field on array entry with sequence hint in path",
+		fieldSpec: `
 path: spec/containers[]/image
 version: v1
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: v1
 kind: Bar
 spec:
  containers:
 `,
-			expected: `
+		expected: `
 apiVersion: v1
 kind: Bar
 spec:
  containers: []
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("bar"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("bar"),
+			CreateKind: yaml.ScalarNode,
 		},
-
-		"failure to set field on array entry, no sequence hint in path": {
-			fieldSpec: `
+	},
+	{
+		name: "failure to set field on array entry, no sequence hint in path",
+		fieldSpec: `
 path: spec/containers/image
 version: v1
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: v1
 kind: Bar
 spec:
  containers:
 `,
-			expected: `
+		expected: `
 apiVersion: v1
 kind: Bar
 spec:
  containers:
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("bar"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("bar"),
+			CreateKind: yaml.ScalarNode,
 		},
-		"fieldname with slash '/'": {
-			fieldSpec: `
+		error: "obj '' at path 'spec/containers/image': expected sequence or mapping node",
+	},
+	{
+		name: "filedname with slash '/'",
+		fieldSpec: `
 path: a/b\/c/d
 version: v1
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: v1
 kind: Bar
 a:
  b/c:
    d: foo
 `,
-			expected: `
+		expected: `
 apiVersion: v1
 kind: Bar
 a:
  b/c:
    d: bar
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("bar"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("bar"),
+			CreateKind: yaml.ScalarNode,
 		},
-		"fieldname with multiple '/'": {
-			fieldSpec: `
+	},
+	{
+		name: "filedname with multiple '/'",
+		fieldSpec: `
 path: a/b\/c/d\/e/f
 version: v1
 kind: Bar
 `,
-			input: `
+		input: `
 apiVersion: v1
 kind: Bar
 a:
@@ -502,7 +476,7 @@ a:
    d/e:
      f: foo
 `,
-			expected: `
+		expected: `
 apiVersion: v1
 kind: Bar
 a:
@@ -510,24 +484,25 @@ a:
    d/e:
      f: bar
 `,
-			filter: fieldspec.Filter{
-				SetValue:   filtersutil.SetScalar("bar"),
-				CreateKind: yaml.ScalarNode,
-			},
+		filter: fieldspec.Filter{
+			SetValue:   filtersutil.SetScalar("bar"),
+			CreateKind: yaml.ScalarNode,
 		},
-	}
+	},
+}

-	for n := range testCases {
-		tc := testCases[n]
-		t.Run(n, func(t *testing.T) {
-			err := yaml.Unmarshal([]byte(tc.fieldSpec), &tc.filter.FieldSpec)
+func TestFilter_Filter(t *testing.T) {
+	for i := range tests {
+		test := tests[i]
+		t.Run(test.name, func(t *testing.T) {
+			err := yaml.Unmarshal([]byte(test.fieldSpec), &test.filter.FieldSpec)
 			if !assert.NoError(t, err) {
 				t.FailNow()
 			}

 			out := &bytes.Buffer{}
 			rw := &kio.ByteReadWriter{
-				Reader:                bytes.NewBufferString(tc.input),
+				Reader:                bytes.NewBufferString(test.input),
 				Writer:                out,
 				OmitReaderAnnotations: true,
 			}
@@ -535,11 +510,11 @@ a:
 			// run the filter
 			err = kio.Pipeline{
 				Inputs:  []kio.Reader{rw},
-				Filters: []kio.Filter{kio.FilterAll(tc.filter)},
+				Filters: []kio.Filter{kio.FilterAll(test.filter)},
 				Outputs: []kio.Writer{rw},
 			}.Execute()
-			if tc.error != "" {
-				if !assert.EqualError(t, err, tc.error) {
+			if test.error != "" {
+				if !assert.EqualError(t, err, test.error) {
 					t.FailNow()
 				}
 				// stop rest of test
@@ -552,92 +527,10 @@ a:

 			// check results
 			if !assert.Equal(t,
-				strings.TrimSpace(tc.expected),
+				strings.TrimSpace(test.expected),
 				strings.TrimSpace(out.String())) {
 				t.FailNow()
 			}
 		})
 	}
 }
-
-func TestFilter_FieldPaths(t *testing.T) {
-	testCases := map[string]struct {
-		input     string
-		fieldSpec string
-		expected  []string
-	}{
-		"fieldpath containing SequenceNode": {
-			input: `
-apiVersion: v1
-kind: Pod
-metadata:
-  name: app
-spec:
-  containers:
-  - name: store
-    image: redis:6.2.6
-  - name: server
-    image: nginx:latest
-`,
-			fieldSpec: `
-path: spec/containers[]/image
-kind: Pod
-`,
-			expected: []string{
-				"spec.containers.image",
-				"spec.containers.image",
-			},
-		},
-		"fieldpath with MappingNode": {
-			input: `
-apiVersion: v1
-kind: Pod
-metadata:
-  name: app
-spec:
-  containers:
-  - name: store
-    image: redis:6.2.6
-  - name: server
-    image: nginx:latest
-`,
-			fieldSpec: `
-path: metadata/name
-kind: Pod
-`,
-			expected: []string{
-				"metadata.name",
-			},
-		},
-	}
-	for name, tc := range testCases {
-		var fieldPaths []string
-		trackableSetter := filtersutil.TrackableSetter{}
-		trackableSetter.WithMutationTracker(func(key, value, tag string, node *yaml.RNode) {
-			fieldPaths = append(fieldPaths, strings.Join(node.FieldPath(), "."))
-		})
-		filter := fieldspec.Filter{
-			SetValue: trackableSetter.SetScalar("foo"),
-		}
-
-		t.Run(name, func(t *testing.T) {
-			err := yaml.Unmarshal([]byte(tc.fieldSpec), &filter.FieldSpec)
-			require.NoError(t, err)
-			rw := &kio.ByteReadWriter{
-				Reader:                bytes.NewBufferString(tc.input),
-				Writer:                &bytes.Buffer{},
-				OmitReaderAnnotations: true,
-			}
-
-			// run the filter
-			err = kio.Pipeline{
-				Inputs:  []kio.Reader{rw},
-				Filters: []kio.Filter{kio.FilterAll(filter)},
-				Outputs: []kio.Writer{rw},
-			}.Execute()
-
-			require.NoError(t, err)
-			assert.Equal(t, tc.expected, fieldPaths)
-		})
-	}
-}
--- a/api/filters/fieldspec/gvk.go
+++ b/api/filters/fieldspec/gvk.go
@@ -0,0 +1,49 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+package fieldspec
+
+import (
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Return true for 'v' followed by a 1 or 2, and don't look at rest.
+// I.e. 'v1', 'v1beta1', 'v2', would return true.
+func looksLikeACoreApiVersion(s string) bool {
+	if len(s) < 2 {
+		return false
+	}
+	if s[0:1] != "v" {
+		return false
+	}
+	return s[1:2] == "1" || s[1:2] == "2"
+}
+
+// parseGV parses apiVersion field into group and version.
+func parseGV(apiVersion string) (group, version string) {
+	// parse the group and version from the apiVersion field
+	parts := strings.SplitN(apiVersion, "/", 2)
+	group = parts[0]
+	if len(parts) > 1 {
+		version = parts[1]
+	}
+	// Special case the original "apiVersion" of what
+	// we now call the "core" (empty) group.
+	if version == "" && looksLikeACoreApiVersion(group) {
+		version = group
+		group = ""
+	}
+	return
+}
+
+// GetGVK parses the metadata into a GVK
+func GetGVK(meta yaml.ResourceMeta) resid.Gvk {
+	group, version := parseGV(meta.APIVersion)
+	return resid.Gvk{
+		Group:   group,
+		Version: version,
+		Kind:    meta.Kind,
+	}
+}
--- a/api/filters/fieldspec/gvk_test.go
+++ b/api/filters/fieldspec/gvk_test.go
@@ -0,0 +1,156 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+package fieldspec
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/kustomize/api/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+func TestParseGV(t *testing.T) {
+	testCases := map[string]struct {
+		input           string
+		expectedGroup   string
+		expectedVersion string
+	}{
+		"empty": {
+			input:           "",
+			expectedGroup:   "",
+			expectedVersion: "",
+		},
+		"certSigning": {
+			input:           "certificates.k8s.io/v1beta1",
+			expectedGroup:   "certificates.k8s.io",
+			expectedVersion: "v1beta1",
+		},
+		"extensions": {
+			input:           "extensions/v1beta1",
+			expectedGroup:   "extensions",
+			expectedVersion: "v1beta1",
+		},
+		"normal": {
+			input:           "apps/v1",
+			expectedGroup:   "apps",
+			expectedVersion: "v1",
+		},
+		"justApps": {
+			input:           "apps",
+			expectedGroup:   "apps",
+			expectedVersion: "",
+		},
+		"coreV1": {
+			input:           "v1",
+			expectedGroup:   "",
+			expectedVersion: "v1",
+		},
+		"coreV2": {
+			input:           "v2",
+			expectedGroup:   "",
+			expectedVersion: "v2",
+		},
+		"coreV2Beta1": {
+			input:           "v2beta1",
+			expectedGroup:   "",
+			expectedVersion: "v2beta1",
+		},
+	}
+
+	for tn, tc := range testCases {
+		t.Run(tn, func(t *testing.T) {
+			group, version := parseGV(tc.input)
+			if !assert.Equal(t, tc.expectedGroup, group) {
+				t.FailNow()
+			}
+			if !assert.Equal(t, tc.expectedVersion, version) {
+				t.FailNow()
+			}
+		})
+	}
+}
+
+func TestGetGVK(t *testing.T) {
+	testCases := map[string]struct {
+		input      string
+		expected   resid.Gvk
+		parseError string
+		metaError  string
+	}{
+		"empty": {
+			input: `
+`,
+			parseError: "EOF",
+		},
+		"junk": {
+			input: `
+congress: effective
+`,
+			metaError: "missing Resource metadata",
+		},
+		"normal": {
+			input: `
+apiVersion: apps/v1
+kind: Deployment
+`,
+			expected: resid.Gvk{Group: "apps", Version: "v1", Kind: "Deployment"},
+		},
+		"apiVersionOnlyWithSlash": {
+			input: `
+apiVersion: apps/v1
+`,
+			expected: resid.Gvk{Group: "apps", Version: "v1", Kind: ""},
+		},
+		"apiVersionOnlyNoSlash1": {
+			input: `
+apiVersion: apps
+`,
+			expected: resid.Gvk{Group: "apps", Version: "", Kind: ""},
+		},
+		"apiVersionOnlyNoSlash2": {
+			input: `
+apiVersion: v1
+`,
+			expected: resid.Gvk{Group: "", Version: "v1", Kind: ""},
+		},
+	}
+
+	for tn, tc := range testCases {
+		t.Run(tn, func(t *testing.T) {
+			obj, err := yaml.Parse(tc.input)
+			if len(tc.parseError) != 0 {
+				if err == nil {
+					t.Error("expected parse error")
+					return
+				}
+				if !strings.Contains(err.Error(), tc.parseError) {
+					t.Errorf("expected parse err '%s', got '%v'", tc.parseError, err)
+				}
+				return
+			}
+			if !assert.NoError(t, err) {
+				t.FailNow()
+			}
+			meta, err := obj.GetMeta()
+			if len(tc.metaError) != 0 {
+				if err == nil {
+					t.Error("expected meta error")
+					return
+				}
+				if !strings.Contains(err.Error(), tc.metaError) {
+					t.Errorf("expected meta err '%s', got '%v'", tc.metaError, err)
+				}
+				return
+			}
+			if !assert.NoError(t, err) {
+				t.FailNow()
+			}
+			gvk := GetGVK(meta)
+			if !assert.Equal(t, tc.expected, gvk) {
+				t.FailNow()
+			}
+		})
+	}
+}
--- a/api/filters/filtersutil/filtersutil.go
+++ b/api/filters/filtersutil/filtersutil.go
@@ -0,0 +1,21 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filtersutil
+
+import (
+	"sort"
+)
+
+// SortedMapKeys returns a sorted slice of keys to the given map.
+// Writing this function never gets old.
+func SortedMapKeys(m map[string]string) []string {
+	keys := make([]string, len(m))
+	i := 0
+	for k := range m {
+		keys[i] = k
+		i++
+	}
+	sort.Strings(keys)
+	return keys
+}
--- a/api/filters/filtersutil/filtersutil_test.go
+++ b/api/filters/filtersutil/filtersutil_test.go
@@ -0,0 +1,34 @@
+package filtersutil_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+)
+
+func TestSortedKeys(t *testing.T) {
+	testCases := map[string]struct {
+		input    map[string]string
+		expected []string
+	}{
+		"empty": {
+			input:    map[string]string{},
+			expected: []string{}},
+		"one": {
+			input:    map[string]string{"a": "aaa"},
+			expected: []string{"a"}},
+		"three": {
+			input:    map[string]string{"c": "ccc", "b": "bbb", "a": "aaa"},
+			expected: []string{"a", "b", "c"}},
+	}
+	for tn, tc := range testCases {
+		t.Run(tn, func(t *testing.T) {
+			if !assert.Equal(t,
+				filtersutil.SortedMapKeys(tc.input),
+				tc.expected) {
+				t.FailNow()
+			}
+		})
+	}
+}
--- a/api/filters/filtersutil/setters.go
+++ b/api/filters/filtersutil/setters.go
@@ -1,6 +1,3 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
 package filtersutil

 import (
@@ -12,94 +9,25 @@ type SetFn func(*yaml.RNode) error

 // SetScalar returns a SetFn to set a scalar value
 func SetScalar(value string) SetFn {
-	return SetEntry("", value, yaml.NodeTagEmpty)
+	return func(node *yaml.RNode) error {
+		return node.PipeE(yaml.FieldSetter{StringValue: value})
+	}
 }

-// SetEntry returns a SetFn to set a field or a map entry to a value.
-// It can be used with an empty name to set both a value and a tag on a scalar node.
-// When setting only a value on a scalar node, use SetScalar instead.
-func SetEntry(name, value, tag string) SetFn {
+// SetEntry returns a SetFn to set an entry in a map
+func SetEntry(key, value, tag string) SetFn {
 	n := &yaml.Node{
 		Kind:  yaml.ScalarNode,
 		Value: value,
 		Tag:   tag,
 	}
+	if tag == yaml.NodeTagString && yaml.IsYaml1_1NonString(n) {
+		n.Style = yaml.DoubleQuotedStyle
+	}
 	return func(node *yaml.RNode) error {
 		return node.PipeE(yaml.FieldSetter{
-			Name:  name,
+			Name:  key,
 			Value: yaml.NewRNode(n),
 		})
 	}
 }
-
-type TrackableSetter struct {
-	// SetValueCallback will be invoked each time a field is set
-	setValueCallback func(name, value, tag string, node *yaml.RNode)
-}
-
-// WithMutationTracker registers a callback which will be invoked each time a field is mutated
-func (s *TrackableSetter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) *TrackableSetter {
-	s.setValueCallback = callback
-	return s
-}
-
-// SetScalar returns a SetFn to set a scalar value.
-// if a mutation tracker has been registered, the tracker will be invoked each
-// time a scalar is set
-func (s TrackableSetter) SetScalar(value string) SetFn {
-	return s.SetEntry("", value, yaml.NodeTagEmpty)
-}
-
-// SetScalarIfEmpty returns a SetFn to set a scalar value only if it isn't already set.
-// If a mutation tracker has been registered, the tracker will be invoked each
-// time a scalar is actually set.
-func (s TrackableSetter) SetScalarIfEmpty(value string) SetFn {
-	return s.SetEntryIfEmpty("", value, yaml.NodeTagEmpty)
-}
-
-// SetEntry returns a SetFn to set a field or a map entry to a value.
-// It can be used with an empty name to set both a value and a tag on a scalar node.
-// When setting only a value on a scalar node, use SetScalar instead.
-// If a mutation tracker has been registered, the tracker will be invoked each
-// time an entry is set.
-func (s TrackableSetter) SetEntry(name, value, tag string) SetFn {
-	origSetEntry := SetEntry(name, value, tag)
-	return func(node *yaml.RNode) error {
-		if s.setValueCallback != nil {
-			s.setValueCallback(name, value, tag, node)
-		}
-		return origSetEntry(node)
-	}
-}
-
-// SetEntryIfEmpty returns a SetFn to set a field or a map entry to a value only if it isn't already set.
-// It can be used with an empty name to set both a value and a tag on a scalar node.
-// When setting only a value on a scalar node, use SetScalar instead.
-// If a mutation tracker has been registered, the tracker will be invoked each
-// time an entry is actually set.
-func (s TrackableSetter) SetEntryIfEmpty(key, value, tag string) SetFn {
-	origSetEntry := SetEntry(key, value, tag)
-	return func(node *yaml.RNode) error {
-		if hasExistingValue(node, key) {
-			return nil
-		}
-		if s.setValueCallback != nil {
-			s.setValueCallback(key, value, tag, node)
-		}
-		return origSetEntry(node)
-	}
-}
-
-func hasExistingValue(node *yaml.RNode, key string) bool {
-	if node.IsNilOrEmpty() {
-		return false
-	}
-	if err := yaml.ErrorIfInvalid(node, yaml.ScalarNode); err == nil {
-		return yaml.GetValue(node) != ""
-	}
-	entry := node.Field(key)
-	if entry.IsNilOrEmpty() {
-		return false
-	}
-	return yaml.GetValue(entry.Value) != ""
-}
--- a/api/filters/filtersutil/setters_test.go
+++ b/api/filters/filtersutil/setters_test.go
@@ -1,108 +0,0 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package filtersutil_test
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"sigs.k8s.io/kustomize/api/filters/filtersutil"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
-)
-
-func TestTrackableSetter_SetScalarIfEmpty(t *testing.T) {
-	tests := []struct {
-		name  string
-		input *yaml.RNode
-		value string
-		want  string
-	}{
-		{
-			name:  "sets null values",
-			input: yaml.MakeNullNode(),
-			value: "foo",
-			want:  "foo",
-		},
-		{
-			name:  "sets empty values",
-			input: yaml.NewScalarRNode(""),
-			value: "foo",
-			want:  "foo",
-		},
-		{
-			name:  "does not overwrite values",
-			input: yaml.NewStringRNode("a"),
-			value: "foo",
-			want:  "a",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			wasSet := false
-			s := (&filtersutil.TrackableSetter{}).WithMutationTracker(func(_, _, _ string, _ *yaml.RNode) {
-				wasSet = true
-			})
-			wantSet := tt.value == tt.want
-			fn := s.SetScalarIfEmpty(tt.value)
-			require.NoError(t, fn(tt.input))
-			assert.Equal(t, tt.want, yaml.GetValue(tt.input))
-			assert.Equal(t, wantSet, wasSet, "tracker invoked even though value was not changed")
-		})
-	}
-}
-
-func TestTrackableSetter_SetEntryIfEmpty(t *testing.T) {
-	tests := []struct {
-		name  string
-		input *yaml.RNode
-		key   string
-		value string
-		want  string
-	}{
-		{
-			name:  "sets empty values",
-			input: yaml.NewMapRNode(&map[string]string{"setMe": ""}),
-			key:   "setMe",
-			value: "foo",
-			want:  "foo",
-		},
-		{
-			name:  "sets missing keys",
-			input: yaml.NewMapRNode(&map[string]string{}),
-			key:   "setMe",
-			value: "foo",
-			want:  "foo",
-		},
-		{
-			name:  "does not overwrite values",
-			input: yaml.NewMapRNode(&map[string]string{"existing": "original"}),
-			key:   "existing",
-			value: "foo",
-			want:  "original",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			wasSet := false
-			s := (&filtersutil.TrackableSetter{}).WithMutationTracker(func(_, _, _ string, _ *yaml.RNode) {
-				wasSet = true
-			})
-			wantSet := tt.value == tt.want
-			fn := s.SetEntryIfEmpty(tt.key, tt.value, "")
-			require.NoError(t, fn(tt.input))
-			assert.Equal(t, tt.want, yaml.GetValue(tt.input.Field(tt.key).Value))
-			assert.Equal(t, wantSet, wasSet, "tracker invoked even though value was not changed")
-		})
-	}
-}
-
-func TestTrackableSetter_SetEntryIfEmpty_BadInputNodeKind(t *testing.T) {
-	fn := filtersutil.TrackableSetter{}.SetEntryIfEmpty("foo", "false", yaml.NodeTagBool)
-	rn := yaml.NewListRNode("nope")
-	rn.AppendToFieldPath("dummy", "path")
-	assert.EqualError(t, fn(rn), `wrong node kind: expected MappingNode but got SequenceNode: node contents:
- nope
-`)
-}
--- a/api/filters/iampolicygenerator/doc.go
+++ b/api/filters/iampolicygenerator/doc.go
@@ -1,6 +0,0 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package gkesagenerator contains a kio.Filter that that generates a
-// iampolicy-related resources for a given cloud provider
-package iampolicygenerator
--- a/api/filters/iampolicygenerator/example_test.go
+++ b/api/filters/iampolicygenerator/example_test.go
@@ -1,46 +0,0 @@
-// Copyright 2021 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package iampolicygenerator
-
-import (
-	"log"
-	"os"
-
-	"sigs.k8s.io/kustomize/kyaml/kio"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
-)
-
-func ExampleFilter() {
-	f := Filter{}
-	var err = yaml.Unmarshal([]byte(`
-cloud: gke
-kubernetesService: 
-  namespace: k8s-namespace
-  name: k8s-sa-name
-serviceAccount:
-  name: gsa-name
-  projectId: project-id
-`), &f)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	err = kio.Pipeline{
-		Inputs:  []kio.Reader{},
-		Filters: []kio.Filter{f},
-		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
-	}.Execute()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	// Output:
-	// apiVersion: v1
-	// kind: ServiceAccount
-	// metadata:
-	//   annotations:
-	//     iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
-	//   name: k8s-sa-name
-	//   namespace: k8s-namespace
-}
--- a/api/filters/iampolicygenerator/iampolicygenerator.go
+++ b/api/filters/iampolicygenerator/iampolicygenerator.go
@@ -1,55 +0,0 @@
-// Copyright 2021 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package iampolicygenerator
-
-import (
-	"fmt"
-
-	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
-)
-
-type Filter struct {
-	IAMPolicyGenerator types.IAMPolicyGeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"`
-}
-
-// Filter adds a GKE service account object to nodes
-func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
-	switch f.IAMPolicyGenerator.Cloud {
-	case types.GKE:
-		IAMPolicyResources, err := f.generateGkeIAMPolicyResources()
-		if err != nil {
-			return nil, err
-		}
-		nodes = append(nodes, IAMPolicyResources...)
-	default:
-		return nil, fmt.Errorf("cloud provider %s not supported yet", f.IAMPolicyGenerator.Cloud)
-	}
-	return nodes, nil
-}
-
-func (f Filter) generateGkeIAMPolicyResources() ([]*yaml.RNode, error) {
-	var result []*yaml.RNode
-	input := fmt.Sprintf(`
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  annotations:
-    iam.gke.io/gcp-service-account: %s@%s.iam.gserviceaccount.com
-  name: %s
-`, f.IAMPolicyGenerator.ServiceAccount.Name,
-		f.IAMPolicyGenerator.ProjectId,
-		f.IAMPolicyGenerator.KubernetesService.Name)
-
-	if f.IAMPolicyGenerator.Namespace != "" {
-		input += fmt.Sprintf("\n  namespace: %s", f.IAMPolicyGenerator.Namespace)
-	}
-
-	sa, err := yaml.Parse(input)
-	if err != nil {
-		return nil, err
-	}
-
-	return append(result, sa), nil
-}
--- a/api/filters/iampolicygenerator/iampolicygenerator_test.go
+++ b/api/filters/iampolicygenerator/iampolicygenerator_test.go
@@ -1,75 +0,0 @@
-// Copyright 2021 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package iampolicygenerator
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	filtertest "sigs.k8s.io/kustomize/api/testutils/filtertest"
-	"sigs.k8s.io/kustomize/api/types"
-)
-
-func TestFilter(t *testing.T) {
-	testCases := map[string]struct {
-		args     types.IAMPolicyGeneratorArgs
-		expected string
-	}{
-		"with namespace": {
-			args: types.IAMPolicyGeneratorArgs{
-				Cloud: types.GKE,
-				KubernetesService: types.KubernetesService{
-					Namespace: "k8s-namespace",
-					Name:      "k8s-sa-name",
-				},
-				ServiceAccount: types.ServiceAccount{
-					Name:      "gsa-name",
-					ProjectId: "project-id",
-				},
-			},
-			expected: `
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  annotations:
-    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
-  name: k8s-sa-name
-  namespace: k8s-namespace
-`,
-		},
-		"without namespace": {
-			args: types.IAMPolicyGeneratorArgs{
-				Cloud: types.GKE,
-				KubernetesService: types.KubernetesService{
-					Name: "k8s-sa-name",
-				},
-				ServiceAccount: types.ServiceAccount{
-					Name:      "gsa-name",
-					ProjectId: "project-id",
-				},
-			},
-			expected: `
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  annotations:
-    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
-  name: k8s-sa-name
-`,
-		},
-	}
-
-	for tn, tc := range testCases {
-		t.Run(tn, func(t *testing.T) {
-			f := Filter{
-				IAMPolicyGenerator: tc.args,
-			}
-			actual := filtertest.RunFilter(t, "", f)
-			if !assert.Equal(t, strings.TrimSpace(tc.expected), strings.TrimSpace(actual)) {
-				t.FailNow()
-			}
-		})
-	}
-}
--- a/api/filters/imagetag/imagetag.go
+++ b/api/filters/imagetag/imagetag.go
@@ -23,17 +23,9 @@ type Filter struct {
 	// FsSlice contains the FieldSpecs to locate an image field,
 	// e.g. Path: "spec/myContainers[]/image"
 	FsSlice types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
-
-	trackableSetter filtersutil.TrackableSetter
 }

 var _ kio.Filter = Filter{}
-var _ kio.TrackableFilter = &Filter{}
-
-// WithMutationTracker registers a callback which will be invoked each time a field is mutated
-func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
-	f.trackableSetter.WithMutationTracker(callback)
-}

 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	_, err := kio.FilterAll(yaml.FilterFunc(f.filter)).Filter(nodes)
@@ -48,11 +40,8 @@ func (f Filter) filter(node *yaml.RNode) (*yaml.RNode, error) {
 		return node, nil
 	}
 	if err := node.PipeE(fsslice.Filter{
-		FsSlice: f.FsSlice,
-		SetValue: imageTagUpdater{
-			ImageTag:        f.ImageTag,
-			trackableSetter: f.trackableSetter,
-		}.SetImageValue,
+		FsSlice:  f.FsSlice,
+		SetValue: updateImageTagFn(f.ImageTag),
 	}); err != nil {
 		return nil, err
 	}
@@ -70,3 +59,11 @@ func (f Filter) isOnDenyList(node *yaml.RNode) bool {
 	// https://github.com/kubernetes-sigs/kustomize/issues/890
 	return meta.Kind == `CustomResourceDefinition`
 }
+
+func updateImageTagFn(imageTag types.Image) filtersutil.SetFn {
+	return func(node *yaml.RNode) error {
+		return node.PipeE(imageTagUpdater{
+			ImageTag: imageTag,
+		})
+	}
+}
--- a/api/filters/imagetag/imagetag_test.go
+++ b/api/filters/imagetag/imagetag_test.go
@@ -10,22 +10,18 @@ import (
 	"github.com/stretchr/testify/assert"
 	filtertest "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

 func TestImageTagUpdater_Filter(t *testing.T) {
-	mutationTrackerStub := filtertest.MutationTrackerStub{}
 	testCases := map[string]struct {
-		input                string
-		expectedOutput       string
-		filter               Filter
-		fsSlice              types.FsSlice
-		setValueCallback     func(key, value, tag string, node *yaml.RNode)
-		expectedSetValueArgs []filtertest.SetValueArg
+		input          string
+		expectedOutput string
+		filter         Filter
+		fsSlice        types.FsSlice
 	}{
 		"ignore CustomResourceDefinition": {
 			input: `
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: whatever
@@ -34,7 +30,7 @@ spec:
  - image: whatever
 `,
 			expectedOutput: `
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: whatever
@@ -662,315 +658,17 @@ spec:
 				},
 			},
 		},
-		"mutation tracker": {
-			input: `
-group: apps
-apiVersion: v1
-kind: Deployment
-metadata:
-  name: deploy1
-spec:
-  template:
-    spec:
-      containers:
-      - image: nginx:1.7.9
-        name: nginx-tagged
-      - image: nginx:latest
-        name: nginx-latest
-      - image: foobar:1
-        name: replaced-with-digest
-      - image: postgres:1.8.0
-        name: postgresdb
-      initContainers:
-      - image: nginx
-        name: nginx-notag
-      - image: nginx@sha256:111111111111111111
-        name: nginx-sha256
-      - image: alpine:1.8.0
-        name: init-alpine
-`,
-			expectedOutput: `
-group: apps
-apiVersion: v1
-kind: Deployment
-metadata:
-  name: deploy1
-spec:
-  template:
-    spec:
-      containers:
-      - image: busybox:v3
-        name: nginx-tagged
-      - image: busybox:v3
-        name: nginx-latest
-      - image: foobar:1
-        name: replaced-with-digest
-      - image: postgres:1.8.0
-        name: postgresdb
-      initContainers:
-      - image: busybox:v3
-        name: nginx-notag
-      - image: busybox:v3
-        name: nginx-sha256
-      - image: alpine:1.8.0
-        name: init-alpine
-`,
-			filter: Filter{
-				ImageTag: types.Image{
-					Name:    "nginx",
-					NewName: "busybox",
-					NewTag:  "v3",
-				},
-			},
-			fsSlice: []types.FieldSpec{
-				{
-					Path: "spec/template/spec/containers[]/image",
-				},
-				{
-					Path: "spec/template/spec/initContainers[]/image",
-				},
-			},
-			setValueCallback: mutationTrackerStub.MutationTracker,
-			expectedSetValueArgs: []filtertest.SetValueArg{
-				{
-					Value:    "busybox:v3",
-					NodePath: []string{"spec", "template", "spec", "containers", "image"},
-				},
-				{
-					Value:    "busybox:v3",
-					NodePath: []string{"spec", "template", "spec", "containers", "image"},
-				},
-				{
-					Value:    "busybox:v3",
-					NodePath: []string{"spec", "template", "spec", "initContainers", "image"},
-				},
-				{
-					Value:    "busybox:v3",
-					NodePath: []string{"spec", "template", "spec", "initContainers", "image"},
-				},
-			},
-		},
-		"image with tag and digest new name": {
-			input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-spec:
-  image: nginx:1.2.1@sha256:46d5b90a7f4e9996351ad893a26bcbd27216676ad4d5316088ce351fb2c2c3dd
-`,
-			expectedOutput: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-spec:
-  image: apache:1.2.1@sha256:46d5b90a7f4e9996351ad893a26bcbd27216676ad4d5316088ce351fb2c2c3dd
-`,
-			filter: Filter{
-				ImageTag: types.Image{
-					Name:    "nginx",
-					NewName: "apache",
-				},
-			},
-			fsSlice: []types.FieldSpec{
-				{
-					Path: "spec/image",
-				},
-			},
-		},
-		"image with tag and digest new name new tag": {
-			input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-spec:
-  image: nginx:1.2.1@sha256:46d5b90a7f4e9996351ad893a26bcbd27216676ad4d5316088ce351fb2c2c3dd
-`,
-			expectedOutput: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-spec:
-  image: apache:1.3.0
-`,
-			filter: Filter{
-				ImageTag: types.Image{
-					Name:    "nginx",
-					NewName: "apache",
-					NewTag:  "1.3.0",
-				},
-			},
-			fsSlice: []types.FieldSpec{
-				{
-					Path: "spec/image",
-				},
-			},
-		},
-		"image with tag and digest new name new tag and digest": {
-			input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-spec:
-  image: nginx:1.2.1@sha256:46d5b90a7f4e9996351ad893a26bcbd27216676ad4d5316088ce351fb2c2c3dd
-`,
-			expectedOutput: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-spec:
-  image: apache:1.3.0@sha256:xyz
-`,
-			filter: Filter{
-				ImageTag: types.Image{
-					Name:    "nginx",
-					NewName: "apache",
-					NewTag:  "1.3.0",
-					Digest:  "sha256:xyz",
-				},
-			},
-			fsSlice: []types.FieldSpec{
-				{
-					Path: "spec/image",
-				},
-			},
-		},
-		"updateimagesuffix": {
-			input: `
-group: apps
-apiVersion: v1
-kind: Deployment
-metadata:
-  name: deploysuffix
-spec:
-  template:
-    spec:
-      containers:
-      - image: redis:6.2.6
-        name: redis
-`,
-			expectedOutput: `
-group: apps
-apiVersion: v1
-kind: Deployment
-metadata:
-  name: deploysuffix
-spec:
-  template:
-    spec:
-      containers:
-      - image: redis:6.2.6-alpine
-        name: redis
-`,
-			filter: Filter{
-				ImageTag: types.Image{
-					Name:      "redis",
-					TagSuffix: "-alpine",
-				},
-			},
-			fsSlice: []types.FieldSpec{
-				{
-					Path: "spec/template/spec/containers[]/image",
-				},
-			},
-		},
-		"update image volume in pod template": {
-			input: `
-group: apps
-apiVersion: v1
-kind: Deployment
-metadata:
-  name: imagevolume
-spec:
-  template:
-    spec:
-      volumes:
-      - name: volume
-        image:
-          reference: nginx
-`,
-			expectedOutput: `
-group: apps
-apiVersion: v1
-kind: Deployment
-metadata:
-  name: imagevolume
-spec:
-  template:
-    spec:
-      volumes:
-      - name: volume
-        image:
-          reference: apache@12345
-`,
-			filter: Filter{
-				ImageTag: types.Image{
-					Name:    "nginx",
-					NewName: "apache",
-					Digest:  "12345",
-				},
-			},
-			fsSlice: []types.FieldSpec{
-				{
-					Path: "spec/template/spec/volumes[]/image/reference",
-				},
-			},
-		},
-		"update image volume in pod spec": {
-			input: `
-apiVersion: v1
-kind: Pod
-metadata:
-  name: imagevolume
-spec:
-  volumes:
-  - name: volume
-    image:
-      reference: nginx
-`,
-			expectedOutput: `
-apiVersion: v1
-kind: Pod
-metadata:
-  name: imagevolume
-spec:
-  volumes:
-  - name: volume
-    image:
-      reference: apache@12345
-`,
-			filter: Filter{
-				ImageTag: types.Image{
-					Name:    "nginx",
-					NewName: "apache",
-					Digest:  "12345",
-				},
-			},
-			fsSlice: []types.FieldSpec{
-				{
-					Path: "spec/volumes[]/image/reference",
-				},
-			},
-		},
 	}

 	for tn, tc := range testCases {
-		mutationTrackerStub.Reset()
 		t.Run(tn, func(t *testing.T) {
 			filter := tc.filter
-			filter.WithMutationTracker(tc.setValueCallback)
 			filter.FsSlice = tc.fsSlice
 			if !assert.Equal(t,
 				strings.TrimSpace(tc.expectedOutput),
 				strings.TrimSpace(filtertest.RunFilter(t, tc.input, filter))) {
 				t.FailNow()
 			}
-			assert.Equal(t, tc.expectedSetValueArgs, mutationTrackerStub.SetValueArgs())
 		})
 	}
 }
--- a/api/filters/imagetag/legacy.go
+++ b/api/filters/imagetag/legacy.go
@@ -4,9 +4,7 @@
 package imagetag

 import (
-	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
@@ -76,17 +74,28 @@ func (f findFieldsFilter) walk(node *yaml.RNode) error {
 				return err
 			}
 			key := n.Key.YNode().Value
-			if utils.StringSliceContains(f.fields, key) {
+			if contains(f.fields, key) {
 				return f.fieldCallback(n.Value)
 			}
 			return nil
 		})
 	case yaml.SequenceNode:
-		return errors.Wrap(node.VisitElements(f.walk))
+		return node.VisitElements(func(n *yaml.RNode) error {
+			return f.walk(n)
+		})
 	}
 	return nil
 }

+func contains(slice []string, str string) bool {
+	for _, s := range slice {
+		if s == str {
+			return true
+		}
+	}
+	return false
+}
+
 func checkImageTagsFn(imageTag types.Image) fieldCallback {
 	return func(node *yaml.RNode) error {
 		if node.YNode().Kind != yaml.SequenceNode {
--- a/api/filters/imagetag/updater.go
+++ b/api/filters/imagetag/updater.go
@@ -4,9 +4,7 @@
 package imagetag

 import (
-	"sigs.k8s.io/kustomize/api/filters/filtersutil"
-
-	"sigs.k8s.io/kustomize/api/internal/image"
+	"sigs.k8s.io/kustomize/api/image"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
@@ -15,57 +13,31 @@ import (
 // that will update the value of the yaml node based on the provided
 // ImageTag if the current value matches the format of an image reference.
 type imageTagUpdater struct {
-	Kind            string      `yaml:"kind,omitempty"`
-	ImageTag        types.Image `yaml:"imageTag,omitempty"`
-	trackableSetter filtersutil.TrackableSetter
+	Kind     string      `yaml:"kind,omitempty"`
+	ImageTag types.Image `yaml:"imageTag,omitempty"`
 }

-func (u imageTagUpdater) SetImageValue(rn *yaml.RNode) error {
+func (u imageTagUpdater) Filter(rn *yaml.RNode) (*yaml.RNode, error) {
 	if err := yaml.ErrorIfInvalid(rn, yaml.ScalarNode); err != nil {
-		return err
+		return nil, err
 	}

 	value := rn.YNode().Value

 	if !image.IsImageMatched(value, u.ImageTag.Name) {
-		return nil
+		return rn, nil
 	}

-	name, tag, digest := image.Split(value)
+	name, tag := image.Split(value)
 	if u.ImageTag.NewName != "" {
 		name = u.ImageTag.NewName
 	}
-
-	// overriding tag or digest will replace both original tag and digest values
-	switch {
-	case u.ImageTag.NewTag != "" && u.ImageTag.Digest != "":
-		tag = u.ImageTag.NewTag
-		digest = u.ImageTag.Digest
-	case u.ImageTag.NewTag != "":
-		tag = u.ImageTag.NewTag
-		digest = ""
-	case u.ImageTag.Digest != "":
-		tag = ""
-		digest = u.ImageTag.Digest
-	case u.ImageTag.TagSuffix != "":
-		tag += u.ImageTag.TagSuffix
-		digest = ""
+	if u.ImageTag.NewTag != "" {
+		tag = ":" + u.ImageTag.NewTag
+	}
+	if u.ImageTag.Digest != "" {
+		tag = "@" + u.ImageTag.Digest
 	}

-	// build final image name
-	if tag != "" {
-		name += ":" + tag
-	}
-	if digest != "" {
-		name += "@" + digest
-	}
-
-	return u.trackableSetter.SetScalar(name)(rn)
-}
-
-func (u imageTagUpdater) Filter(rn *yaml.RNode) (*yaml.RNode, error) {
-	if err := u.SetImageValue(rn); err != nil {
-		return nil, err
-	}
-	return rn, nil
+	return rn.Pipe(yaml.FieldSetter{StringValue: name + tag})
 }
--- a/api/filters/labels/labels.go
+++ b/api/filters/labels/labels.go
@@ -20,26 +20,18 @@ type Filter struct {

 	// FsSlice identifies the label fields.
 	FsSlice types.FsSlice
-
-	trackableSetter filtersutil.TrackableSetter
 }

 var _ kio.Filter = Filter{}
-var _ kio.TrackableFilter = &Filter{}
-
-// WithMutationTracker registers a callback which will be invoked each time a field is mutated
-func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
-	f.trackableSetter.WithMutationTracker(callback)
-}

 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
-	keys := yaml.SortedMapKeys(f.Labels)
+	keys := filtersutil.SortedMapKeys(f.Labels)
 	_, err := kio.FilterAll(yaml.FilterFunc(
 		func(node *yaml.RNode) (*yaml.RNode, error) {
 			for _, k := range keys {
 				if err := node.PipeE(fsslice.Filter{
 					FsSlice: f.FsSlice,
-					SetValue: f.trackableSetter.SetEntry(
+					SetValue: filtersutil.SetEntry(
 						k, f.Labels[k], yaml.NodeTagString),
 					CreateKind: yaml.MappingNode, // Labels are MappingNodes.
 					CreateTag:  yaml.NodeTagMap,
--- a/api/filters/labels/labels_test.go
+++ b/api/filters/labels/labels_test.go
@@ -8,20 +8,16 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/kustomize/api/resid"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/resid"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

 func TestLabels_Filter(t *testing.T) {
-	mutationTrackerStub := filtertest_test.MutationTrackerStub{}
 	testCases := map[string]struct {
-		input                string
-		expectedOutput       string
-		filter               Filter
-		setEntryCallback     func(key, value, tag string, node *yaml.RNode)
-		expectedSetEntryArgs []filtertest_test.SetValueArg
+		input          string
+		expectedOutput string
+		filter         Filter
 	}{
 		"add": {
 			input: `
@@ -403,74 +399,15 @@ metadata:
 				},
 			},
 		},
-
-		// test usage of SetEntryCallback
-		"set_entry_callback": {
-			input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-  labels:
-    witcher: geralt
-`,
-			expectedOutput: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-  labels:
-    witcher: geralt
-    mage: yennefer
-a:
-  b:
-    mage: yennefer
-`,
-			filter: Filter{
-				Labels: labelMap{
-					"mage": "yennefer",
-				},
-				FsSlice: []types.FieldSpec{
-					{
-						Path:               "metadata/labels",
-						CreateIfNotPresent: true,
-					},
-					{
-						Path:               "a/b",
-						CreateIfNotPresent: true,
-					},
-				},
-			},
-			setEntryCallback: mutationTrackerStub.MutationTracker,
-			expectedSetEntryArgs: []filtertest_test.SetValueArg{
-				{
-					Key:      "mage",
-					Value:    "yennefer",
-					Tag:      "!!str",
-					NodePath: []string{"metadata", "labels"},
-				},
-				{
-					Key:      "mage",
-					Value:    "yennefer",
-					Tag:      "!!str",
-					NodePath: []string{"a", "b"},
-				},
-			},
-		},
 	}

 	for tn, tc := range testCases {
-		mutationTrackerStub.Reset()
 		t.Run(tn, func(t *testing.T) {
-			tc.filter.WithMutationTracker(tc.setEntryCallback)
 			if !assert.Equal(t,
 				strings.TrimSpace(tc.expectedOutput),
 				strings.TrimSpace(filtertest_test.RunFilter(t, tc.input, tc.filter))) {
 				t.FailNow()
 			}
-			if !assert.Equal(t, tc.expectedSetEntryArgs, mutationTrackerStub.SetValueArgs()) {
-				t.FailNow()
-			}
 		})
 	}
 }
--- a/api/filters/nameref/doc.go
+++ b/api/filters/nameref/doc.go
@@ -1,6 +1,3 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
 // Package nameref contains a kio.Filter implementation of the kustomize
 // name reference transformer.
 package nameref
--- a/api/filters/nameref/nameref.go
+++ b/api/filters/nameref/nameref.go
@@ -1,78 +1,38 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
 package nameref

 import (
 	"fmt"
-	"strings"

 	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/kio"
-	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

-// Filter updates a name references.
+// Filter will update the name reference
 type Filter struct {
-	// Referrer refers to another resource X by X's name.
-	// E.g. A Deployment can refer to a ConfigMap.
-	// The Deployment is the Referrer,
-	// the ConfigMap is the ReferralTarget.
-	// This filter seeks to repair the reference in Deployment, given
-	// that the ConfigMap's name may have changed.
-	Referrer *resource.Resource
-
-	// NameFieldToUpdate is the field in the Referrer
-	// that holds the name requiring an update.
-	// This is the field to write.
-	NameFieldToUpdate types.FieldSpec
-
-	// ReferralTarget is the source of the new value for
-	// the name, always in the 'metadata/name' field.
-	// This is the field to read.
-	ReferralTarget resid.Gvk
-
-	// Set of resources to scan to find the ReferralTarget.
+	FieldSpec          types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+	Referrer           *resource.Resource
+	Target             resid.Gvk
 	ReferralCandidates resmap.ResMap
 }

-// At time of writing, in practice this is called with a slice with only
-// one entry, the node also referred to be the resource in the Referrer field.
 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
 }

-// The node passed in here is the same node as held in Referrer;
-// that's how the referrer's name field is updated.
-// Currently, however, this filter still needs the extra methods on Referrer
-// to consult things like the resource Id, its namespace, etc.
-// TODO(3455): No filter should use the Resource api; all information
-// about names should come from annotations, with helper methods
-// on the RNode object.  Resource should get stupider, RNode smarter.
 func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
-	if err := f.confirmNodeMatchesReferrer(node); err != nil {
-		// sanity check.
-		return nil, err
-	}
-	f.NameFieldToUpdate.Gvk = f.Referrer.GetGvk()
-	if err := node.PipeE(fieldspec.Filter{
-		FieldSpec: f.NameFieldToUpdate,
+	err := node.PipeE(fieldspec.Filter{
+		FieldSpec: f.FieldSpec,
 		SetValue:  f.set,
-	}); err != nil {
-		return nil, errors.WrapPrefixf(
-			err, "updating name reference in '%s' field of '%s'",
-			f.NameFieldToUpdate.Path, f.Referrer.CurId().String())
-	}
-	return node, nil
+	})
+	return node, err
 }

-// This function is called on the node found at FieldSpec.Path.
-// It's some node in the Referrer.
 func (f Filter) set(node *yaml.RNode) error {
 	if yaml.IsMissingOrNull(node) {
 		return nil
@@ -81,334 +41,193 @@ func (f Filter) set(node *yaml.RNode) error {
 	case yaml.ScalarNode:
 		return f.setScalar(node)
 	case yaml.MappingNode:
+		// Kind: ValidatingWebhookConfiguration
+		// FieldSpec is webhooks/clientConfig/service
 		return f.setMapping(node)
 	case yaml.SequenceNode:
-		return applyFilterToSeq(seqFilter{
-			setScalarFn:  f.setScalar,
-			setMappingFn: f.setMapping,
-		}, node)
+		return f.setSequence(node)
 	default:
-		return fmt.Errorf("node must be a scalar, sequence or map")
+		return fmt.Errorf(
+			"node is expected to be either a string or a slice of string or a map of string")
 	}
 }

-// This method used when NameFieldToUpdate doesn't lead to
-// one scalar field (typically called 'name'), but rather
-// leads to a map field (called anything). In this case we
-// must complete the field path, looking for both  a 'name'
-// and a 'namespace' field to help select the proper
-// ReferralTarget to read the name and namespace from.
+func (f Filter) setSequence(node *yaml.RNode) error {
+	return applyFilterToSeq(seqFilter{
+		setScalarFn:  f.setScalar,
+		setMappingFn: f.setMapping,
+	}, node)
+}
+
 func (f Filter) setMapping(node *yaml.RNode) error {
-	if node.YNode().Kind != yaml.MappingNode {
-		return fmt.Errorf("expect a mapping node")
-	}
-	nameNode, err := node.Pipe(yaml.FieldMatcher{Name: "name"})
-	if err != nil {
-		return errors.WrapPrefixf(err, "trying to match 'name' field")
-	}
-	if nameNode == nil {
-		// This is a _configuration_ error; the field path
-		// specified in NameFieldToUpdate.Path doesn't resolve
-		// to a map with a 'name' field, so we have no idea what
-		// field to update with a new name.
-		return fmt.Errorf("path config error; no 'name' field in node")
-	}
-	candidates, err := f.filterMapCandidatesByNamespace(node)
-	if err != nil {
-		return err
-	}
-	oldName := nameNode.YNode().Value
-	// use allNamesAndNamespacesAreTheSame to compare referral candidates for functional identity,
-	// because we source both name and namespace values from the referral in this case.
-	referral, err := f.selectReferral(oldName, candidates, allNamesAndNamespacesAreTheSame)
-	if err != nil || referral == nil {
-		// Nil referral means nothing to do.
-		return err
-	}
-	f.recordTheReferral(referral)
-	if referral.GetName() == oldName && referral.GetNamespace() == "" {
-		// The name has not changed, nothing to do.
-		return nil
-	}
-	if err = node.PipeE(yaml.FieldSetter{
-		Name:        "name",
-		StringValue: referral.GetName(),
-	}); err != nil {
-		return err
-	}
-	if referral.GetNamespace() == "" {
-		// Don't write an empty string into the namespace field, as
-		// it should not replace the value "default".  The empty
-		// string is handled as a wild card here, not as an implicit
-		// specification of the "default" k8s namespace.
-		return nil
-	}
-	return node.PipeE(yaml.FieldSetter{
-		Name:        "namespace",
-		StringValue: referral.GetNamespace(),
-	})
-}
-
-func (f Filter) filterMapCandidatesByNamespace(
-	node *yaml.RNode) ([]*resource.Resource, error) {
-	namespaceNode, err := node.Pipe(yaml.FieldMatcher{Name: "namespace"})
-	if err != nil {
-		return nil, errors.WrapPrefixf(err, "trying to match 'namespace' field")
-	}
-	if namespaceNode == nil {
-		return f.ReferralCandidates.Resources(), nil
-	}
-	namespace := namespaceNode.YNode().Value
-	nsMap := f.ReferralCandidates.GroupedByOriginalNamespace()
-	if candidates, ok := nsMap[namespace]; ok {
-		return candidates, nil
-	}
-	nsMap = f.ReferralCandidates.GroupedByCurrentNamespace()
-	// This could be nil, or an empty list.
-	return nsMap[namespace], nil
+	return setNameAndNs(
+		node,
+		f.Referrer,
+		f.Target,
+		f.ReferralCandidates,
+	)
 }

 func (f Filter) setScalar(node *yaml.RNode) error {
-	// use allNamesAreTheSame to compare referral candidates for functional identity,
-	// because we only source the name from the referral in this case.
-	referral, err := f.selectReferral(
-		node.YNode().Value, f.ReferralCandidates.Resources(), allNamesAreTheSame)
-	if err != nil || referral == nil {
-		// Nil referral means nothing to do.
+	newValue, err := getSimpleNameField(
+		node.YNode().Value,
+		f.Referrer,
+		f.Target,
+		f.ReferralCandidates,
+		f.ReferralCandidates.Resources(),
+	)
+	if err != nil {
 		return err
 	}
-	f.recordTheReferral(referral)
-	if referral.GetName() == node.YNode().Value {
-		// The name has not changed, nothing to do.
-		return nil
-	}
-	return node.PipeE(yaml.FieldSetter{StringValue: referral.GetName()})
-}
-
-// In the resource, make a note that it is referred to by the Referrer.
-func (f Filter) recordTheReferral(referral *resource.Resource) {
-	referral.AppendRefBy(f.Referrer.CurId())
-}
-
-// getRoleRefGvk returns a Gvk in the roleRef field. Return error
-// if the roleRef, roleRef/apiGroup or roleRef/kind is missing.
-func getRoleRefGvk(n *resource.Resource) (*resid.Gvk, error) {
-	roleRef, err := n.Pipe(yaml.Lookup("roleRef"))
+	err = filtersutil.SetScalar(newValue)(node)
 	if err != nil {
-		return nil, err
+		return err
 	}
-	if roleRef.IsNil() {
-		return nil, fmt.Errorf("roleRef cannot be found in %s", n.MustString())
-	}
-	apiGroup, err := roleRef.Pipe(yaml.Lookup("apiGroup"))
-	if err != nil {
-		return nil, err
-	}
-	if apiGroup.IsNil() {
-		return nil, fmt.Errorf("apiGroup cannot be found in roleRef %s", roleRef.MustString())
-	}
-	kind, err := roleRef.Pipe(yaml.Lookup("kind"))
-	if err != nil {
-		return nil, err
-	}
-	if kind.IsNil() {
-		return nil, fmt.Errorf("kind cannot be found in roleRef %s", roleRef.MustString())
-	}
-	return &resid.Gvk{
-		Group: apiGroup.YNode().Value,
-		Kind:  kind.YNode().Value,
-	}, nil
+	return nil
 }

-// sieveFunc returns true if the resource argument satisfies some criteria.
-type sieveFunc func(*resource.Resource) bool
-
-// doSieve uses a function to accept or ignore resources from a list.
-// If list is nil, returns immediately.
-// It's a filter obviously, but that term is overloaded here.
-func doSieve(list []*resource.Resource, fn sieveFunc) (s []*resource.Resource) {
-	for _, r := range list {
-		if fn(r) {
-			s = append(s, r)
+func filterReferralCandidates(
+	referrer *resource.Resource,
+	matches []*resource.Resource) []*resource.Resource {
+	var ret []*resource.Resource
+	for _, m := range matches {
+		if referrer.PrefixesSuffixesEquals(m) {
+			ret = append(ret, m)
 		}
 	}
-	return
+	return ret
 }

-func acceptAll(r *resource.Resource) bool {
-	return true
-}
-
-func previousNameMatches(name string) sieveFunc {
-	return func(r *resource.Resource) bool {
-		for _, id := range r.PrevIds() {
-			if id.Name == name {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-func previousIdSelectedByGvk(gvk *resid.Gvk) sieveFunc {
-	return func(r *resource.Resource) bool {
-		for _, id := range r.PrevIds() {
-			if id.IsSelected(gvk) {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-// If the we are updating a 'roleRef/name' field, the 'apiGroup' and 'kind'
-// fields in the same 'roleRef' map must be considered.
-// If either object is cluster-scoped, there can be a referral.
-// E.g. a RoleBinding (which exists in a namespace) can refer
-// to a ClusterRole (cluster-scoped) object.
-// https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
-// Likewise, a ClusterRole can refer to a Secret (in a namespace).
-// Objects in different namespaces generally cannot refer to other
-// with some exceptions (e.g. RoleBinding and ServiceAccount are both
-// namespaceable, but the former can refer to accounts in other namespaces).
-func (f Filter) roleRefFilter() sieveFunc {
-	if !strings.HasSuffix(f.NameFieldToUpdate.Path, "roleRef/name") {
-		return acceptAll
-	}
-	roleRefGvk, err := getRoleRefGvk(f.Referrer)
-	if err != nil {
-		return acceptAll
-	}
-	return previousIdSelectedByGvk(roleRefGvk)
-}
-
-func prefixSuffixEquals(other resource.ResCtx, allowEmpty bool) sieveFunc {
-	return func(r *resource.Resource) bool {
-		return r.PrefixesSuffixesEquals(other, allowEmpty)
-	}
-}
-
-func (f Filter) sameCurrentNamespaceAsReferrer() sieveFunc {
-	referrerCurId := f.Referrer.CurId()
-	if referrerCurId.IsClusterScoped() {
-		// If the referrer is cluster-scoped, let anything through.
-		return acceptAll
-	}
-	return func(r *resource.Resource) bool {
-		if r.CurId().IsClusterScoped() {
-			// Allow cluster-scoped through.
-			return true
-		}
-		if r.GetKind() == "ServiceAccount" {
-			// Allow service accounts through, even though they
-			// are in a namespace.  A RoleBinding in another namespace
-			// can reference them.
-			return true
-		}
-		return referrerCurId.IsNsEquals(r.CurId())
-	}
-}
-
-// selectReferral picks the best referral from a list of candidates.
-func (f Filter) selectReferral(
-	// The name referral that may need to be updated.
+// selectReferral picks the referral among a subset of candidates.
+// It returns the current name and namespace of the selected candidate.
+// Note that the content of the referricalCandidateSubset slice is most of the time
+// identical to the referralCandidates resmap. Still in some cases, such
+// as ClusterRoleBinding, the subset only contains the resources of a specific
+// namespace.
+func selectReferral(
 	oldName string,
-	candidates []*resource.Resource,
-	// function that returns whether two referrals are identical for the purposes of the transformation
-	candidatesIdentical func(resources []*resource.Resource) bool) (*resource.Resource, error) {
-	candidates = doSieve(candidates, previousNameMatches(oldName))
-	candidates = doSieve(candidates, previousIdSelectedByGvk(&f.ReferralTarget))
-	candidates = doSieve(candidates, f.roleRefFilter())
-	candidates = doSieve(candidates, f.sameCurrentNamespaceAsReferrer())
-	if len(candidates) == 1 {
-		return candidates[0], nil
-	}
-	candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer, true))
-	if len(candidates) > 1 {
-		candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer, false))
-	}
-	if len(candidates) == 1 {
-		return candidates[0], nil
-	}
-	if len(candidates) == 0 {
-		return nil, nil
-	}
-	if candidatesIdentical(candidates) {
-		// Just take the first one.
-		return candidates[0], nil
-	}
-	ids := getIds(candidates)
-	return nil, fmt.Errorf("found multiple possible referrals: %s\n%s", ids, f.failureDetails(candidates))
-}
+	referrer *resource.Resource,
+	target resid.Gvk,
+	referralCandidates resmap.ResMap,
+	referralCandidateSubset []*resource.Resource) (string, string, error) {

-func (f Filter) failureDetails(resources []*resource.Resource) string {
-	msg := strings.Builder{}
-	msg.WriteString(fmt.Sprintf("\n**** Too many possible referral targets to referrer:\n%s\n", f.Referrer.MustYaml()))
-	for i, r := range resources {
-		msg.WriteString(fmt.Sprintf("--- possible referral %d:\n%s\n", i, r.MustYaml()))
-	}
-	return msg.String()
-}
-
-func allNamesAreTheSame(resources []*resource.Resource) bool {
-	name := resources[0].GetName()
-	for i := 1; i < len(resources); i++ {
-		if name != resources[i].GetName() {
-			return false
+	for _, res := range referralCandidateSubset {
+		id := res.OrgId()
+		if id.IsSelected(&target) && res.GetOriginalName() == oldName {
+			matches := referralCandidates.GetMatchingResourcesByOriginalId(id.Equals)
+			// If there's more than one match,
+			// filter the matches by prefix and suffix
+			if len(matches) > 1 {
+				filteredMatches := filterReferralCandidates(referrer, matches)
+				if len(filteredMatches) > 1 {
+					return "", "", fmt.Errorf(
+						"multiple matches for %s:\n  %v",
+						id, getIds(filteredMatches))
+				}
+				// Check is the match the resource we are working on
+				if len(filteredMatches) == 0 || res != filteredMatches[0] {
+					continue
+				}
+			}
+			// In the resource, note that it is referenced
+			// by the referrer.
+			res.AppendRefBy(referrer.CurId())
+			// Return transformed name of the object,
+			// complete with prefixes, hashes, etc.
+			return res.GetName(), res.GetNamespace(), nil
 		}
 	}
-	return true
+
+	return oldName, "", nil
 }

-func allNamesAndNamespacesAreTheSame(resources []*resource.Resource) bool {
-	name := resources[0].GetName()
-	namespace := resources[0].GetNamespace()
-	for i := 1; i < len(resources); i++ {
-		if name != resources[i].GetName() || namespace != resources[i].GetNamespace() {
-			return false
-		}
-	}
-	return true
+// utility function to replace a simple string by the new name
+func getSimpleNameField(
+	oldName string,
+	referrer *resource.Resource,
+	target resid.Gvk,
+	referralCandidates resmap.ResMap,
+	referralCandidateSubset []*resource.Resource) (string, error) {
+
+	newName, _, err := selectReferral(oldName, referrer, target,
+		referralCandidates, referralCandidateSubset)
+
+	return newName, err
 }

-func getIds(rs []*resource.Resource) string {
+func getIds(rs []*resource.Resource) []string {
 	var result []string
 	for _, r := range rs {
-		result = append(result, r.CurId().String())
+		result = append(result, r.CurId().String()+"\n")
 	}
-	return strings.Join(result, ", ")
+	return result
 }

-func checkEqual(k, a, b string) error {
-	if a != b {
-		return fmt.Errorf(
-			"node-referrerOriginal '%s' mismatch '%s' != '%s'",
-			k, a, b)
-	}
-	return nil
-}
+// utility function to replace name field within a map RNode
+// and leverage the namespace field.
+func setNameAndNs(
+	in *yaml.RNode,
+	referrer *resource.Resource,
+	target resid.Gvk,
+	referralCandidates resmap.ResMap) error {

-func (f Filter) confirmNodeMatchesReferrer(node *yaml.RNode) error {
-	meta, err := node.GetMeta()
+	if in.YNode().Kind != yaml.MappingNode {
+		return fmt.Errorf("expect a mapping node")
+	}
+
+	// Get name field
+	nameNode, err := in.Pipe(yaml.FieldMatcher{
+		Name: "name",
+	})
+	if err != nil || nameNode == nil {
+		return fmt.Errorf("cannot find field 'name' in node")
+	}
+
+	// Get namespace field
+	namespaceNode, err := in.Pipe(yaml.FieldMatcher{
+		Name: "namespace",
+	})
+	if err != nil {
+		return fmt.Errorf("error when find field 'namespace'")
+	}
+
+	// check is namespace matched
+	// name will bot be updated if the namespace doesn't match
+	subset := referralCandidates.Resources()
+	if namespaceNode != nil {
+		namespace := namespaceNode.YNode().Value
+		bynamespace := referralCandidates.GroupedByOriginalNamespace()
+		if _, ok := bynamespace[namespace]; !ok {
+			return nil
+		}
+		subset = bynamespace[namespace]
+	}
+
+	oldName := nameNode.YNode().Value
+	newname, newnamespace, err := selectReferral(oldName, referrer, target,
+		referralCandidates, subset)
 	if err != nil {
 		return err
 	}
-	gvk := f.Referrer.GetGvk()
-	if err = checkEqual(
-		"APIVersion", meta.APIVersion, gvk.ApiVersion()); err != nil {
-		return err
+
+	if (newname == oldName) && (newnamespace == "") {
+		// no candidate found.
+		return nil
 	}
-	if err = checkEqual(
-		"Kind", meta.Kind, gvk.Kind); err != nil {
-		return err
-	}
-	if err = checkEqual(
-		"Name", meta.Name, f.Referrer.GetName()); err != nil {
-		return err
-	}
-	if err = checkEqual(
-		"Namespace", meta.Namespace, f.Referrer.GetNamespace()); err != nil {
-		return err
+
+	// set name
+	in.Pipe(yaml.FieldSetter{
+		Name:        "name",
+		StringValue: newname,
+	})
+	if newnamespace != "" {
+		// We don't want value "" to replace value "default" since
+		// the empty string is handled as a wild card here not default namespace
+		// by kubernetes.
+		in.Pipe(yaml.FieldSetter{
+			Name:        "namespace",
+			StringValue: newnamespace,
+		})
 	}
 	return nil
 }
--- a/api/filters/nameref/nameref_test.go
+++ b/api/filters/nameref/nameref_test.go
@@ -1,6 +1,3 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
 package nameref

 import (
@@ -8,23 +5,24 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/provider"
+	"sigs.k8s.io/kustomize/api/k8sdeps/kunstruct"
+	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/resid"
 )

 func TestNamerefFilter(t *testing.T) {
 	testCases := map[string]struct {
-		referrerOriginal string
-		candidates       string
-		referrerFinal    string
-		filter           Filter
-		originalNames    []string
+		input         string
+		candidates    string
+		expected      string
+		filter        Filter
+		originalNames []string
 	}{
 		"simple scalar": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -43,8 +41,8 @@ kind: NotSecret
 metadata:
  name: newName2
 `,
-			originalNames: []string{"oldName", "newName2"},
-			referrerFinal: `
+			originalNames: []string{"oldName", ""},
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -53,8 +51,8 @@ ref:
  name: newName
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -62,7 +60,7 @@ ref:
 			},
 		},
 		"sequence": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -82,8 +80,8 @@ kind: NotSecret
 metadata:
  name: newName2
 `,
-			originalNames: []string{"oldName1", "newName2"},
-			referrerFinal: `
+			originalNames: []string{"oldName1", ""},
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -93,8 +91,8 @@ seq:
 - oldName2
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "seq"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "seq"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -102,7 +100,7 @@ seq:
 			},
 		},
 		"mapping": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -121,8 +119,8 @@ kind: NotSecret
 metadata:
  name: newName2
 `,
-			originalNames: []string{"oldName", "newName2"},
-			referrerFinal: `
+			originalNames: []string{"oldName", ""},
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -131,8 +129,8 @@ map:
  name: newName
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "map"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "map"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -140,85 +138,40 @@ map:
 			},
 		},
 		"mapping with namespace": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: dep
-  namespace: someNs
 map:
  name: oldName
-  namespace: someNs
-`,
-			candidates: `
-apiVersion: apps/v1
-kind: Secret
-metadata:
-  name: newName
-  namespace: someNs
---
-apiVersion: apps/v1
-kind: NotSecret
-metadata:
-  name: newName2
---
-apiVersion: apps/v1
-kind: Secret
-metadata:
-  name: thirdName
-`,
-			originalNames: []string{"oldName", "oldName", "oldName"},
-			referrerFinal: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dep
-  namespace: someNs
-map:
-  name: newName
-  namespace: someNs
-`,
-			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "map"},
-				ReferralTarget: resid.Gvk{
-					Group:   "apps",
-					Version: "v1",
-					Kind:    "Secret",
-				},
-			},
-		},
-		"null value": {
-			referrerOriginal: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dep
-map:
-  name: null
+  namespace: oldNs
 `,
 			candidates: `
 apiVersion: apps/v1
 kind: Secret
 metadata:
  name: newName
+  namespace: oldNs
 ---
 apiVersion: apps/v1
 kind: NotSecret
 metadata:
  name: newName2
 `,
-			originalNames: []string{"oldName", "newName2"},
-			referrerFinal: `
+			originalNames: []string{"oldName", ""},
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: dep
 map:
-  name: null
+  name: newName
+  namespace: oldNs
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "map"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "map"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -229,14 +182,14 @@ map:

 	for tn, tc := range testCases {
 		t.Run(tn, func(t *testing.T) {
-			factory := provider.NewDefaultDepProvider().GetResourceFactory()
-			referrer, err := factory.FromBytes([]byte(tc.referrerOriginal))
+			factory := resource.NewFactory(kunstruct.NewKunstructuredFactoryImpl())
+			referrer, err := factory.FromBytes([]byte(tc.input))
 			if err != nil {
 				t.Fatal(err)
 			}
 			tc.filter.Referrer = referrer

-			resMapFactory := resmap.NewFactory(factory)
+			resMapFactory := resmap.NewFactory(factory, nil)
 			candidatesRes, err := factory.SliceFromBytesWithNames(
 				tc.originalNames, []byte(tc.candidates))
 			if err != nil {
@@ -246,10 +199,10 @@ map:
 			candidates := resMapFactory.FromResourceSlice(candidatesRes)
 			tc.filter.ReferralCandidates = candidates

-			result := filtertest_test.RunFilter(t, tc.referrerOriginal, tc.filter)
 			if !assert.Equal(t,
-				strings.TrimSpace(tc.referrerFinal),
-				strings.TrimSpace(result)) {
+				strings.TrimSpace(tc.expected),
+				strings.TrimSpace(
+					filtertest_test.RunFilter(t, tc.input, tc.filter))) {
 				t.FailNow()
 			}
 		})
@@ -258,14 +211,35 @@ map:

 func TestNamerefFilterUnhappy(t *testing.T) {
 	testCases := map[string]struct {
-		referrerOriginal string
-		candidates       string
-		referrerFinal    string
-		filter           Filter
-		originalNames    []string
+		input         string
+		candidates    string
+		expected      string
+		filter        Filter
+		originalNames []string
 	}{
+		"invalid node type": {
+			input: `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dep
+ref:
+  name: null
+`,
+			candidates:    "",
+			originalNames: []string{},
+			expected:      "obj '' at path 'ref/name': node is expected to be either a string or a slice of string or a map of string",
+			filter: Filter{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
+					Group:   "apps",
+					Version: "v1",
+					Kind:    "Secret",
+				},
+			},
+		},
 		"multiple match": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -285,10 +259,10 @@ metadata:
  name: newName2
 `,
 			originalNames: []string{"oldName", "oldName"},
-			referrerFinal: "",
+			expected:      "",
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -296,7 +270,7 @@ metadata:
 			},
 		},
 		"no name": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -316,10 +290,10 @@ metadata:
  name: newName2
 `,
 			originalNames: []string{"oldName", "oldName"},
-			referrerFinal: "",
+			expected:      "",
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -330,14 +304,14 @@ metadata:

 	for tn, tc := range testCases {
 		t.Run(tn, func(t *testing.T) {
-			factory := provider.NewDefaultDepProvider().GetResourceFactory()
-			referrer, err := factory.FromBytes([]byte(tc.referrerOriginal))
+			factory := resource.NewFactory(kunstruct.NewKunstructuredFactoryImpl())
+			referrer, err := factory.FromBytes([]byte(tc.input))
 			if err != nil {
 				t.Fatal(err)
 			}
 			tc.filter.Referrer = referrer

-			resMapFactory := resmap.NewFactory(factory)
+			resMapFactory := resmap.NewFactory(factory, nil)
 			candidatesRes, err := factory.SliceFromBytesWithNames(
 				tc.originalNames, []byte(tc.candidates))
 			if err != nil {
@@ -347,11 +321,11 @@ metadata:
 			candidates := resMapFactory.FromResourceSlice(candidatesRes)
 			tc.filter.ReferralCandidates = candidates

-			_, err = filtertest_test.RunFilterE(t, tc.referrerOriginal, tc.filter)
+			_, err = filtertest_test.RunFilterE(t, tc.input, tc.filter)
 			if err == nil {
 				t.Fatalf("expect an error")
 			}
-			if tc.referrerFinal != "" && !assert.EqualError(t, err, tc.referrerFinal) {
+			if tc.expected != "" && !assert.EqualError(t, err, tc.expected) {
 				t.FailNow()
 			}
 		})
@@ -360,19 +334,19 @@ metadata:

 func TestCandidatesWithDifferentPrefixSuffix(t *testing.T) {
 	testCases := map[string]struct {
-		referrerOriginal string
-		candidates       string
-		referrerFinal    string
-		filter           Filter
-		originalNames    []string
-		prefix           []string
-		suffix           []string
-		inputPrefix      string
-		inputSuffix      string
-		err              bool
+		input         string
+		candidates    string
+		expected      string
+		filter        Filter
+		originalNames []string
+		prefix        []string
+		suffix        []string
+		inputPrefix   string
+		inputSuffix   string
+		err           bool
 	}{
 		"prefix match": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -396,7 +370,7 @@ metadata:
 			suffix:        []string{"", "suffix2"},
 			inputPrefix:   "prefix1",
 			inputSuffix:   "",
-			referrerFinal: `
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -405,8 +379,8 @@ ref:
  name: newName
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -415,7 +389,7 @@ ref:
 			err: false,
 		},
 		"suffix match": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -439,7 +413,7 @@ metadata:
 			suffix:        []string{"suffix1", "suffix2"},
 			inputPrefix:   "",
 			inputSuffix:   "suffix1",
-			referrerFinal: `
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -448,8 +422,8 @@ ref:
  name: newName
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -458,7 +432,7 @@ ref:
 			err: false,
 		},
 		"prefix suffix both match": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -482,7 +456,7 @@ metadata:
 			suffix:        []string{"suffix1", "suffix2"},
 			inputPrefix:   "prefix1",
 			inputSuffix:   "suffix1",
-			referrerFinal: `
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -491,8 +465,8 @@ ref:
  name: newName
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -501,7 +475,7 @@ ref:
 			err: false,
 		},
 		"multiple match: both": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -525,10 +499,10 @@ metadata:
 			suffix:        []string{"suffix", "suffix"},
 			inputPrefix:   "prefix",
 			inputSuffix:   "suffix",
-			referrerFinal: "",
+			expected:      "",
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -537,7 +511,7 @@ metadata:
 			err: true,
 		},
 		"multiple match: only prefix": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -561,10 +535,10 @@ metadata:
 			suffix:        []string{"", ""},
 			inputPrefix:   "prefix",
 			inputSuffix:   "",
-			referrerFinal: "",
+			expected:      "",
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -573,7 +547,7 @@ metadata:
 			err: true,
 		},
 		"multiple match: only suffix": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -597,10 +571,10 @@ metadata:
 			suffix:        []string{"suffix", "suffix"},
 			inputPrefix:   "",
 			inputSuffix:   "suffix",
-			referrerFinal: "",
+			expected:      "",
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -609,7 +583,7 @@ metadata:
 			err: true,
 		},
 		"no match: neither match": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -633,7 +607,7 @@ metadata:
 			suffix:        []string{"suffix1", "suffix2"},
 			inputPrefix:   "prefix",
 			inputSuffix:   "suffix",
-			referrerFinal: `
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -642,8 +616,8 @@ ref:
  name: oldName
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -652,7 +626,7 @@ ref:
 			err: false,
 		},
 		"no match: prefix doesn't match": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -676,7 +650,7 @@ metadata:
 			suffix:        []string{"suffix", "suffix"},
 			inputPrefix:   "prefix",
 			inputSuffix:   "suffix",
-			referrerFinal: `
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -685,8 +659,8 @@ ref:
  name: oldName
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -695,7 +669,7 @@ ref:
 			err: false,
 		},
 		"no match: suffix doesn't match": {
-			referrerOriginal: `
+			input: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -719,7 +693,7 @@ metadata:
 			suffix:        []string{"suffix1", "suffix2"},
 			inputPrefix:   "prefix",
 			inputSuffix:   "suffix",
-			referrerFinal: `
+			expected: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -728,8 +702,8 @@ ref:
  name: oldName
 `,
 			filter: Filter{
-				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
-				ReferralTarget: resid.Gvk{
+				FieldSpec: types.FieldSpec{Path: "ref/name"},
+				Target: resid.Gvk{
 					Group:   "apps",
 					Version: "v1",
 					Kind:    "Secret",
@@ -741,8 +715,8 @@ ref:

 	for tn, tc := range testCases {
 		t.Run(tn, func(t *testing.T) {
-			factory := provider.NewDefaultDepProvider().GetResourceFactory()
-			referrer, err := factory.FromBytes([]byte(tc.referrerOriginal))
+			factory := resource.NewFactory(kunstruct.NewKunstructuredFactoryImpl())
+			referrer, err := factory.FromBytes([]byte(tc.input))
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -754,7 +728,7 @@ ref:
 			}
 			tc.filter.Referrer = referrer

-			resMapFactory := resmap.NewFactory(factory)
+			resMapFactory := resmap.NewFactory(factory, nil)
 			candidatesRes, err := factory.SliceFromBytesWithNames(
 				tc.originalNames, []byte(tc.candidates))
 			if err != nil {
@@ -774,15 +748,13 @@ ref:

 			if !tc.err {
 				if !assert.Equal(t,
-					strings.TrimSpace(tc.referrerFinal),
+					strings.TrimSpace(tc.expected),
 					strings.TrimSpace(
-						filtertest_test.RunFilter(
-							t, tc.referrerOriginal, tc.filter))) {
+						filtertest_test.RunFilter(t, tc.input, tc.filter))) {
 					t.FailNow()
 				}
 			} else {
-				_, err := filtertest_test.RunFilterE(
-					t, tc.referrerOriginal, tc.filter)
+				_, err := filtertest_test.RunFilterE(t, tc.input, tc.filter)
 				if err == nil {
 					t.Fatalf("an error is expected")
 				}
--- a/api/filters/nameref/seqfilter.go
+++ b/api/filters/nameref/seqfilter.go
@@ -1,6 +1,3 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
 package nameref

 import (
--- a/api/filters/nameref/seqfilter_test.go
+++ b/api/filters/nameref/seqfilter_test.go
@@ -1,6 +1,3 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
 package nameref

 import (
--- a/api/filters/namespace/namespace.go
+++ b/api/filters/namespace/namespace.go
@@ -4,12 +4,11 @@
 package namespace

 import (
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
 	"sigs.k8s.io/kustomize/api/filters/filtersutil"
 	"sigs.k8s.io/kustomize/api/filters/fsslice"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/kio"
-	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

@@ -19,36 +18,9 @@ type Filter struct {

 	// FsSlice contains the FieldSpecs to locate the namespace field
 	FsSlice types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
-
-	// UnsetOnly means only blank namespace fields will be set
-	UnsetOnly bool `json:"unsetOnly" yaml:"unsetOnly"`
-
-	// SetRoleBindingSubjects determines which subject fields in RoleBinding and ClusterRoleBinding
-	// objects will have their namespace fields set. Overrides field specs provided for these types, if any.
-	// - defaultOnly (default): namespace will be set only on subjects named "default".
-	// - allServiceAccounts: namespace will be set on all subjects with "kind: ServiceAccount"
-	// - none: all subjects will be skipped.
-	SetRoleBindingSubjects RoleBindingSubjectMode `json:"setRoleBindingSubjects" yaml:"setRoleBindingSubjects"`
-
-	trackableSetter filtersutil.TrackableSetter
 }

-type RoleBindingSubjectMode string
-
-const (
-	DefaultSubjectsOnly       RoleBindingSubjectMode = "defaultOnly"
-	SubjectModeUnspecified    RoleBindingSubjectMode = ""
-	AllServiceAccountSubjects RoleBindingSubjectMode = "allServiceAccounts"
-	NoSubjects                RoleBindingSubjectMode = "none"
-)
-
 var _ kio.Filter = Filter{}
-var _ kio.TrackableFilter = &Filter{}
-
-// WithMutationTracker registers a callback which will be invoked each time a field is mutated
-func (ns *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
-	ns.trackableSetter.WithMutationTracker(callback)
-}

 func (ns Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	return kio.FilterAll(yaml.FilterFunc(ns.run)).Filter(nodes)
@@ -56,65 +28,74 @@ func (ns Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {

 // Run runs the filter on a single node rather than a slice
 func (ns Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
-	// Special handling for metadata.namespace and metadata.name -- :(
-	// never let SetEntry handle metadata.namespace--it will incorrectly include cluster-scoped resources
-	// only update metadata.name if api version is expected one--so-as it leaves other resources of kind namespace alone
-	apiVersion := node.GetApiVersion()
-	ns.FsSlice = ns.removeUnneededMetaFieldSpecs(apiVersion, ns.FsSlice)
-	gvk := resid.GvkFromNode(node)
-	if err := ns.metaNamespaceHack(node, gvk); err != nil {
+	// hacks for hardcoded types -- :(
+	if err := ns.hacks(node); err != nil {
 		return nil, err
 	}

-	// Special handling for (cluster) role binding subjects -- :(
-	if isRoleBinding(gvk.Kind) {
-		ns.FsSlice = ns.removeRoleBindingSubjectFieldSpecs(ns.FsSlice)
-		if err := ns.roleBindingHack(node); err != nil {
-			return nil, err
-		}
-	}
+	// Remove the fieldspecs that are for hardcoded fields.  The fieldspecs
+	// exist for backwards compatibility with other implementations
+	// of this transformation.
+	// This implementation of the namespace transformation
+	// Does not use the fieldspecs for implementing cases which
+	// require hardcoded logic.
+	ns.FsSlice = ns.removeFieldSpecsForHacks(ns.FsSlice)

 	// transformations based on data -- :)
 	err := node.PipeE(fsslice.Filter{
 		FsSlice:    ns.FsSlice,
-		SetValue:   ns.fieldSetter(),
+		SetValue:   filtersutil.SetScalar(ns.Namespace),
 		CreateKind: yaml.ScalarNode, // Namespace is a ScalarNode
 		CreateTag:  yaml.NodeTagString,
 	})
-	invalidKindErr := &yaml.InvalidNodeKindError{}
-	if err != nil && errors.As(err, &invalidKindErr) && invalidKindErr.ActualNodeKind() != yaml.ScalarNode {
-		return nil, errors.WrapPrefixf(err, "namespace field specs must target scalar nodes")
+	return node, err
+}
+
+// hacks applies the namespace transforms that are hardcoded rather
+// than specified through FieldSpecs.
+func (ns Filter) hacks(obj *yaml.RNode) error {
+	meta, err := obj.GetMeta()
+	if err != nil {
+		return err
 	}
-	return node, errors.WrapPrefixf(err, "namespace transformation failed")
+
+	if err := ns.metaNamespaceHack(obj, meta); err != nil {
+		return err
+	}
+
+	return ns.roleBindingHack(obj, meta)
 }

 // metaNamespaceHack is a hack for implementing the namespace transform
 // for the metadata.namespace field on namespace scoped resources.
-func (ns Filter) metaNamespaceHack(obj *yaml.RNode, gvk resid.Gvk) error {
-	if gvk.IsClusterScoped() {
+// namespace scoped resources are determined by NOT being present
+// in a blacklist of cluster-scoped resource types (by apiVersion and kind).
+//
+// This hack should be updated to allow individual resources to specify
+// if they are cluster scoped through either an annotation on the resources,
+// or through inlined OpenAPI on the resource as a YAML comment.
+func (ns Filter) metaNamespaceHack(obj *yaml.RNode, meta yaml.ResourceMeta) error {
+	gvk := fieldspec.GetGVK(meta)
+	if !gvk.IsNamespaceableKind() {
 		return nil
 	}
 	f := fsslice.Filter{
 		FsSlice: []types.FieldSpec{
 			{Path: types.MetadataNamespacePath, CreateIfNotPresent: true},
 		},
-		SetValue:   ns.fieldSetter(),
+		SetValue:   filtersutil.SetScalar(ns.Namespace),
 		CreateKind: yaml.ScalarNode, // Namespace is a ScalarNode
 	}
 	_, err := f.Filter(obj)
 	return err
 }

-// roleBindingHack is a hack for implementing the transformer's SetRoleBindingSubjects option
+// roleBindingHack is a hack for implementing the namespace transform
 // for RoleBinding and ClusterRoleBinding resource types.
-//
-// In NoSubjects mode, it does nothing.
-//
-// In AllServiceAccountSubjects mode, it sets the namespace on subjects with "kind: ServiceAccount".
-//
-// In DefaultSubjectsOnly mode (default mode), RoleBinding and ClusterRoleBinding have namespace set on
+// RoleBinding and ClusterRoleBinding have namespace set on
 // elements of the "subjects" field if and only if the subject elements
 // "name" is "default".  Otherwise the namespace is not set.
+//
 // Example:
 //
 // kind: RoleBinding
@@ -123,78 +104,57 @@ func (ns Filter) metaNamespaceHack(obj *yaml.RNode, gvk resid.Gvk) error {
 //   ...
 // - name: "something-else" # this will not have the namespace set
 //   ...
-func (ns Filter) roleBindingHack(obj *yaml.RNode) error {
-	var visitor filtersutil.SetFn
-	switch ns.SetRoleBindingSubjects {
-	case NoSubjects:
+func (ns Filter) roleBindingHack(obj *yaml.RNode, meta yaml.ResourceMeta) error {
+	if meta.Kind != roleBindingKind && meta.Kind != clusterRoleBindingKind {
 		return nil
-	case DefaultSubjectsOnly, SubjectModeUnspecified:
-		visitor = ns.setSubjectsNamedDefault
-	case AllServiceAccountSubjects:
-		visitor = ns.setServiceAccountNamespaces
-	default:
-		return errors.Errorf("invalid value %q for setRoleBindingSubjects: "+
-			"must be one of %q, %q or %q", ns.SetRoleBindingSubjects,
-			DefaultSubjectsOnly, NoSubjects, AllServiceAccountSubjects)
 	}

-	// Lookup the subjects field on all elements.
+	// Lookup the namespace field on all elements.
+	// We should change the fieldspec so this isn't necessary.
 	obj, err := obj.Pipe(yaml.Lookup(subjectsField))
 	if err != nil || yaml.IsMissingOrNull(obj) {
 		return err
 	}
-	// Use the appropriate visitor to set the namespace field on the correct subset of subjects
-	return errors.WrapPrefixf(obj.VisitElements(visitor), "setting namespace on (cluster)role binding subjects")
-}

-func isRoleBinding(kind string) bool {
-	return kind == roleBindingKind || kind == clusterRoleBindingKind
-}
-
-func (ns Filter) setServiceAccountNamespaces(o *yaml.RNode) error {
-	name, err := o.Pipe(yaml.Lookup("kind"), yaml.Match("ServiceAccount"))
-	if err != nil || yaml.IsMissingOrNull(name) {
-		return errors.WrapPrefixf(err, "looking up kind on (cluster)role binding subject")
-	}
-	return setNamespaceField(o, ns.fieldSetter())
-}
-
-func (ns Filter) setSubjectsNamedDefault(o *yaml.RNode) error {
-	name, err := o.Pipe(yaml.Lookup("name"), yaml.Match("default"))
-	if err != nil || yaml.IsMissingOrNull(name) {
-		return errors.WrapPrefixf(err, "looking up name on (cluster)role binding subject")
-	}
-	return setNamespaceField(o, ns.fieldSetter())
-}
-
-func setNamespaceField(node *yaml.RNode, setter filtersutil.SetFn) error {
-	node, err := node.Pipe(yaml.LookupCreate(yaml.ScalarNode, "namespace"))
-	if err != nil {
-		return errors.WrapPrefixf(err, "setting namespace field on (cluster)role binding subject")
-	}
-	return setter(node)
-}
-
-// removeRoleBindingSubjectFieldSpecs removes from the list fieldspecs that
-// have hardcoded implementations
-func (ns Filter) removeRoleBindingSubjectFieldSpecs(fs types.FsSlice) types.FsSlice {
-	var val types.FsSlice
-	for i := range fs {
-		if isRoleBinding(fs[i].Kind) && fs[i].Path == subjectsNamespacePath {
-			continue
+	// add the namespace to each "subject" with name: default
+	err = obj.VisitElements(func(o *yaml.RNode) error {
+		// copied from kunstruct based kustomize NamespaceTransformer plugin
+		// The only case we need to force the namespace
+		// if for the "service account". "default" is
+		// kind of hardcoded here for right now.
+		name, err := o.Pipe(
+			yaml.Lookup("name"), yaml.Match("default"),
+		)
+		if err != nil || yaml.IsMissingOrNull(name) {
+			return err
 		}
-		val = append(val, fs[i])
-	}
-	return val
+
+		// set the namespace for the default account
+		v := yaml.NewScalarRNode(ns.Namespace)
+		return o.PipeE(
+			yaml.LookupCreate(yaml.ScalarNode, "namespace"),
+			yaml.FieldSetter{Value: v},
+		)
+	})
+
+	return err
 }

-func (ns Filter) removeUnneededMetaFieldSpecs(apiVersion string, fs types.FsSlice) types.FsSlice {
+// removeFieldSpecsForHacks removes from the list fieldspecs that
+// have hardcoded implementations
+func (ns Filter) removeFieldSpecsForHacks(fs types.FsSlice) types.FsSlice {
 	var val types.FsSlice
 	for i := range fs {
+		// implemented by metaNamespaceHack
 		if fs[i].Path == types.MetadataNamespacePath {
 			continue
 		}
-		if apiVersion != types.MetadataNamespaceApiVersion && fs[i].Path == types.MetadataNamePath {
+		// implemented by roleBindingHack
+		if fs[i].Kind == roleBindingKind && fs[i].Path == subjectsField {
+			continue
+		}
+		// implemented by roleBindingHack
+		if fs[i].Kind == clusterRoleBindingKind && fs[i].Path == subjectsField {
 			continue
 		}
 		val = append(val, fs[i])
@@ -202,16 +162,8 @@ func (ns Filter) removeUnneededMetaFieldSpecs(apiVersion string, fs types.FsSlic
 	return val
 }

-func (ns *Filter) fieldSetter() filtersutil.SetFn {
-	if ns.UnsetOnly {
-		return ns.trackableSetter.SetEntryIfEmpty("", ns.Namespace, yaml.NodeTagString)
-	}
-	return ns.trackableSetter.SetEntry("", ns.Namespace, yaml.NodeTagString)
-}
-
 const (
 	subjectsField          = "subjects"
-	subjectsNamespacePath  = "subjects/namespace"
 	roleBindingKind        = "RoleBinding"
 	clusterRoleBindingKind = "ClusterRoleBinding"
 )
--- a/api/filters/namespace/namespace_test.go
+++ b/api/filters/namespace/namespace_test.go
@@ -12,11 +12,8 @@ import (
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

-var mutationTrackerStub = filtertest_test.MutationTrackerStub{}
-
 var tests = []TestCase{
 	{
 		name: "add",
@@ -197,47 +194,47 @@ metadata:
 	{
 		name: "update-clusterrolebinding",
 		input: `
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: example.com/v1
 kind: ClusterRoleBinding
 subjects:
 - name: default
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: example.com/v1
 kind: ClusterRoleBinding
 subjects:
 - name: default
  namespace: foo
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: example.com/v1
 kind: ClusterRoleBinding
 subjects:
 - name: something
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: example.com/v1
 kind: ClusterRoleBinding
 subjects:
 - name: something
  namespace: foo
 `,
 		expected: `
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: example.com/v1
 kind: ClusterRoleBinding
 subjects:
 - name: default
  namespace: bar
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: example.com/v1
 kind: ClusterRoleBinding
 subjects:
 - name: default
  namespace: bar
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: example.com/v1
 kind: ClusterRoleBinding
 subjects:
 - name: something
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: example.com/v1
 kind: ClusterRoleBinding
 subjects:
 - name: something
@@ -286,134 +283,29 @@ a:
 			},
 		},
 	},
-
-	{
-		name: "mutation tracker",
-		input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
---
-apiVersion: example.com/v1
-kind: RoleBinding
-subjects:
- name: default
-`,
-		expected: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-  namespace: bar
-a:
-  b:
-    c: bar
---
-apiVersion: example.com/v1
-kind: RoleBinding
-subjects:
- name: default
-  namespace: bar
-metadata:
-  namespace: bar
-a:
-  b:
-    c: bar
-`,
-		filter: namespace.Filter{Namespace: "bar"},
-		fsslice: []types.FieldSpec{
-			{
-				Path:               "a/b/c",
-				CreateIfNotPresent: true,
-			},
-		},
-		mutationTracker: mutationTrackerStub.MutationTracker,
-		expectedSetValueArgs: []filtertest_test.SetValueArg{
-			{
-				Value:    "bar",
-				Tag:      "!!str",
-				NodePath: []string{"metadata", "namespace"},
-			},
-			{
-				Value:    "bar",
-				Tag:      "!!str",
-				NodePath: []string{"a", "b", "c"},
-			},
-			{
-				Value:    "bar",
-				Tag:      "!!str",
-				NodePath: []string{"metadata", "namespace"},
-			},
-			{
-				Value:    "bar",
-				Tag:      "!!str",
-				NodePath: []string{"namespace"},
-			},
-			{
-				Value:    "bar",
-				Tag:      "!!str",
-				NodePath: []string{"a", "b", "c"},
-			},
-		},
-	},
-
-	{
-		name: "numeric",
-		input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
---
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance
-`,
-		expected: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-  namespace: "01234"
---
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance
-  namespace: "01234"
-`,
-		filter: namespace.Filter{Namespace: "01234"},
-	},
 }

 type TestCase struct {
-	name                 string
-	input                string
-	expected             string
-	filter               namespace.Filter
-	fsslice              types.FsSlice
-	mutationTracker      func(key, value, tag string, node *yaml.RNode)
-	expectedSetValueArgs []filtertest_test.SetValueArg
+	name     string
+	input    string
+	expected string
+	filter   namespace.Filter
+	fsslice  types.FsSlice
 }

 var config = builtinconfig.MakeDefaultConfig()

 func TestNamespace_Filter(t *testing.T) {
 	for i := range tests {
-		mutationTrackerStub.Reset()
 		test := tests[i]
-		test.filter.WithMutationTracker(test.mutationTracker)
 		t.Run(test.name, func(t *testing.T) {
-			test.filter.FsSlice = append(config.NameSpace, test.fsslice...) //nolint:gocritic
+			test.filter.FsSlice = append(config.NameSpace, test.fsslice...)
 			if !assert.Equal(t,
 				strings.TrimSpace(test.expected),
 				strings.TrimSpace(
 					filtertest_test.RunFilter(t, test.input, test.filter))) {
 				t.FailNow()
 			}
-			assert.Equal(t, test.expectedSetValueArgs, mutationTrackerStub.SetValueArgs())
 		})
 	}
 }
--- a/api/filters/patchjson6902/patchjson6902.go
+++ b/api/filters/patchjson6902/patchjson6902.go
@@ -6,7 +6,7 @@ package patchjson6902
 import (
 	"strings"

-	jsonpatch "gopkg.in/evanphx/json-patch.v4"
+	jsonpatch "github.com/evanphx/json-patch"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 	k8syaml "sigs.k8s.io/yaml"
--- a/api/filters/patchstrategicmerge/patchstrategicmerge.go
+++ b/api/filters/patchstrategicmerge/patchstrategicmerge.go
@@ -15,22 +15,14 @@ type Filter struct {

 var _ kio.Filter = Filter{}

-// Filter does a strategic merge patch, which can delete nodes.
 func (pf Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	var result []*yaml.RNode
 	for i := range nodes {
-		r, err := merge2.Merge(
-			pf.Patch, nodes[i],
-			yaml.MergeOptions{
-				ListIncreaseDirection: yaml.MergeOptionsListPrepend,
-			},
-		)
+		r, err := merge2.Merge(pf.Patch, nodes[i])
 		if err != nil {
 			return nil, err
 		}
-		if r != nil {
-			result = append(result, r)
-		}
+		result = append(result, r)
 	}
 	return result, nil
 }
--- a/api/filters/patchstrategicmerge/patchstrategicmerge_test.go
+++ b/api/filters/patchstrategicmerge/patchstrategicmerge_test.go
@@ -1,6 +1,3 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
 package patchstrategicmerge

 import (
@@ -18,101 +15,6 @@ func TestFilter(t *testing.T) {
 		patch    *yaml.RNode
 		expected string
 	}{
-		"simple": {
-			input: `apiVersion: v1
-kind: Deployment
-metadata:
-  name: clown
-spec:
-  numReplicas: 1
-`,
-			patch: yaml.MustParse(`apiVersion: v1
-kind: Deployment
-metadata:
-  name: clown
-spec:
-  numReplicas: 999
-`),
-			expected: `apiVersion: v1
-kind: Deployment
-metadata:
-  name: clown
-spec:
-  numReplicas: 999
-`,
-		},
-		"nullMapEntry1": {
-			input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: my-foo
-spec:
-  bar:
-    B:
-    C: Z
-`,
-			patch: yaml.MustParse(`
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: my-foo
-spec:
-  bar:
-    C: Z
-    D: W
-  baz:
-    hello: world
-`),
-			expected: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: my-foo
-spec:
-  bar:
-    C: Z
-    D: W
-  baz:
-    hello: world
-`,
-		},
-		"nullMapEntry2": {
-			input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: my-foo
-spec:
-  bar:
-    C: Z
-    D: W
-  baz:
-    hello: world
-`,
-			patch: yaml.MustParse(`
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: my-foo
-spec:
-  bar:
-    B:
-    C: Z
-`),
-			expected: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: my-foo
-spec:
-  bar:
-    C: Z
-    D: W
-  baz:
-    hello: world
-`,
-		},
 		"simple patch": {
 			input: `
 apiVersion: apps/v1
@@ -165,10 +67,10 @@ spec:
  template:
    spec:
      containers:
-      - name: foo0
      - name: foo1
      - name: foo2
      - name: foo3
+      - name: foo0
 `,
 		},
 		"volumes patch": {
@@ -205,10 +107,10 @@ spec:
  template:
    spec:
      volumes:
-      - name: foo0
      - name: foo1
      - name: foo2
      - name: foo3
+      - name: foo0
 `,
 		},
 		"nested patch": {
@@ -240,669 +142,6 @@ spec:
  - name: nginx
    args:
    - def
-`,
-		},
-		"remove mapping - directive": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test
-        image: test
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test
-        image: test
-        $patch: delete   
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers: []
-`,
-		},
-		"replace mapping - directive": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test
-        image: test
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      $patch: replace
-      containers:
-      - name: new
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: new
-`,
-		},
-		"merge mapping - directive": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test
-        image: test
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test
-        image: test1
-        $patch: merge   
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test
-        image: test1
-`,
-		},
-		"remove list - directive": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test
-        image: test
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - whatever
-      - $patch: delete
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec: {}
-`,
-		},
-		"replace list - directive": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test
-        image: test
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: replace
-        image: replace
-      - $patch: replace   
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: replace
-        image: replace
-`,
-		},
-		"merge list - directive": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test
-        image: test
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test2
-        image: test2
-      - $patch: merge   
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: myDeploy
-spec:
-  template:
-    spec:
-      containers:
-      - name: test2
-        image: test2
-      - name: test
-        image: test
-`,
-		},
-		"list map keys - add a port, no names": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: test-deployment
-spec:
- template:
-   spec:
-     containers:
-     - image: test-image
-       name: test-deployment
-       ports:
-       - containerPort: 8080
-         protocol: TCP
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: test-deployment
-spec:
- template:
-   spec:
-     containers:
-     - image: test-image
-       name: test-deployment
-       ports:
-       - containerPort: 8080
-         protocol: UDP
-       - containerPort: 80
-         protocol: UDP
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: test-deployment
-spec:
-  template:
-    spec:
-      containers:
-      - image: test-image
-        name: test-deployment
-        ports:
-        - containerPort: 8080
-          protocol: UDP
-        - containerPort: 80
-          protocol: UDP
-        - containerPort: 8080
-          protocol: TCP
-`,
-		},
-		"list map keys - add name to port": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: test-deployment
-spec:
- template:
-   spec:
-     containers:
-     - image: test-image
-       name: test-deployment
-       ports:
-       - containerPort: 8080
-         protocol: UDP
-       - containerPort: 8080
-         protocol: TCP
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: test-deployment
-spec:
- template:
-   spec:
-     containers:
-     - image: test-image
-       name: test-deployment
-       ports:
-       - containerPort: 8080
-         protocol: UDP
-         name: UDP-name-patch
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: test-deployment
-spec:
-  template:
-    spec:
-      containers:
-      - image: test-image
-        name: test-deployment
-        ports:
-        - containerPort: 8080
-          protocol: UDP
-          name: UDP-name-patch
-        - containerPort: 8080
-          protocol: TCP
-`,
-		},
-		"list map keys - replace port name": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: test-deployment
-spec:
- template:
-   spec:
-     containers:
-     - image: test-image
-       name: test-deployment
-       ports:
-       - containerPort: 8080
-         protocol: UDP
-         name: UDP-name-original
-       - containerPort: 8080
-         protocol: TCP
-         name: TCP-name-original
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: test-deployment
-spec:
- template:
-   spec:
-     containers:
-     - image: test-image
-       name: test-deployment
-       ports:
-       - containerPort: 8080
-         protocol: UDP
-         name: UDP-name-patch
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: test-deployment
-spec:
-  template:
-    spec:
-      containers:
-      - image: test-image
-        name: test-deployment
-        ports:
-        - containerPort: 8080
-          protocol: UDP
-          name: UDP-name-patch
-        - containerPort: 8080
-          protocol: TCP
-          name: TCP-name-original
-`,
-		},
-		"list map keys - add a port, no protocol": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: test-deployment
-spec:
- template:
-   spec:
-     containers:
-     - image: test-image
-       name: test-deployment
-       ports:
-       - containerPort: 8080
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: test-deployment
-spec:
- template:
-   spec:
-     containers:
-     - image: test-image
-       name: test-deployment
-       ports:
-       - containerPort: 80
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: test-deployment
-spec:
-  template:
-    spec:
-      containers:
-      - image: test-image
-        name: test-deployment
-        ports:
-        - containerPort: 80
-        - containerPort: 8080
-`,
-		},
-
-		// Test for issue #3513
-		// Currently broken; when one port has only containerPort, the output
-		// should not merge containerPort 8301 together
-		// This occurs because when protocol is missing on the first port,
-		// the merge code uses [containerPort] as the merge key rather than
-		// [containerPort, protocol]
-		"list map keys - protocol only present on some ports": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: test-deployment
-spec:
-  template:
-    spec:
-      containers:
-      - name: consul
-        image: "dashicorp/consul:1.9.1"
-        ports:
-        - containerPort: 8500
-          name: http
-        - containerPort: 8301
-          protocol: "TCP"
-        - containerPort: 8301
-          protocol: "UDP"
-`,
-			patch: yaml.MustParse(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: test-deployment
-  labels:
-    test: label
-`),
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: test-deployment
-  labels:
-    test: label
-spec:
-  template:
-    spec:
-      containers:
-      - name: consul
-        image: "dashicorp/consul:1.9.1"
-        ports:
-        - containerPort: 8500
-          name: http
-        - containerPort: 8301
-          protocol: "TCP"
-        - containerPort: 8301
-          protocol: "UDP"
-`,
-		},
-
-		// Issue #4628
-		"should retain existing null values in targets": {
-			input: `
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: chart
-spec:
-  releaseName: helm-chart
-  timeout: 15m
-  values:
-    chart:
-      replicaCount: null
-      autoscaling: true
-`,
-			patch: yaml.MustParse(`
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: chart
-spec:
-  releaseName: helm-chart
-  timeout: 15m
-  values:
-    deepgram-api:
-      some: value
-`),
-			expected: `
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: chart
-spec:
-  releaseName: helm-chart
-  timeout: 15m
-  values:
-    chart:
-      replicaCount: null
-      autoscaling: true
-    deepgram-api:
-      some: value
-`,
-		},
-
-		// Issue #4928
-		"support numeric keys": {
-			input: `
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  "6443": "foobar"
-`,
-			patch: yaml.MustParse(`
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  "6443": "barfoo"
-  "9110": "foo-foo"
-`),
-			expected: `
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  "6443": "barfoo"
-  "9110": "foo-foo"
-`,
-		},
-
-		"honor different key style one": {
-			input: `
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  '6443': "foobar"
-`,
-			patch: yaml.MustParse(`
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  "6443": "barfoo"
-  9110: "foo-foo"
-`),
-			expected: `
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  '6443': "barfoo"
-  9110: "foo-foo"
-`,
-		},
-
-		"honor different key style two": {
-			input: `
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  "6443": "foobar"
-`,
-			patch: yaml.MustParse(`
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  "6443": "barfoo"
-  '9110': "foo-foo"
-`),
-			expected: `
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  "6443": "barfoo"
-  '9110': "foo-foo"
-`,
-		},
-
-		"different key types": {
-			input: `
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  "6443": "key-string-double-quoted"
-`,
-			patch: yaml.MustParse(`
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  6443: "key-int"
-`),
-			expected: `
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: blabla
-  namespace: blabla-ns
-data:
-  "6443": "key-int"
 `,
 		},
 	}
--- a/api/filters/prefix/doc.go
+++ b/api/filters/prefix/doc.go
@@ -1,6 +0,0 @@
-// Copyright 2020 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package prefix contains a kio.Filter implementation of the kustomize
-// PrefixTransformer.
-package prefix
--- a/api/filters/prefix/example_test.go
+++ b/api/filters/prefix/example_test.go
@@ -1,47 +0,0 @@
-// Copyright 2020 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package prefix_test
-
-import (
-	"bytes"
-	"log"
-	"os"
-
-	"sigs.k8s.io/kustomize/api/filters/prefix"
-	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/kio"
-)
-
-func ExampleFilter() {
-	err := kio.Pipeline{
-		Inputs: []kio.Reader{&kio.ByteReader{Reader: bytes.NewBufferString(`
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
---
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance
-`)}},
-		Filters: []kio.Filter{prefix.Filter{
-			Prefix: "baz-", FieldSpec: types.FieldSpec{Path: "metadata/name"}}},
-		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
-	}.Execute()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	// Output:
-	// apiVersion: example.com/v1
-	// kind: Foo
-	// metadata:
-	//   name: baz-instance
-	// ---
-	// apiVersion: example.com/v1
-	// kind: Bar
-	// metadata:
-	//   name: baz-instance
-}
--- a/api/filters/prefix/prefix.go
+++ b/api/filters/prefix/prefix.go
@@ -1,50 +0,0 @@
-// Copyright 2019 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package prefix
-
-import (
-	"fmt"
-
-	"sigs.k8s.io/kustomize/api/filters/fieldspec"
-	"sigs.k8s.io/kustomize/api/filters/filtersutil"
-	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/kio"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
-)
-
-// Filter applies resource name prefix's using the fieldSpecs
-type Filter struct {
-	Prefix string `json:"prefix,omitempty" yaml:"prefix,omitempty"`
-
-	FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
-
-	trackableSetter filtersutil.TrackableSetter
-}
-
-var _ kio.Filter = Filter{}
-var _ kio.TrackableFilter = &Filter{}
-
-// WithMutationTracker registers a callback which will be invoked each time a field is mutated
-func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
-	f.trackableSetter.WithMutationTracker(callback)
-}
-
-func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
-	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
-}
-
-func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
-	err := node.PipeE(fieldspec.Filter{
-		FieldSpec:  f.FieldSpec,
-		SetValue:   f.evaluateField,
-		CreateKind: yaml.ScalarNode, // Name is a ScalarNode
-		CreateTag:  yaml.NodeTagString,
-	})
-	return node, err
-}
-
-func (f Filter) evaluateField(node *yaml.RNode) error {
-	return f.trackableSetter.SetScalar(fmt.Sprintf(
-		"%s%s", f.Prefix, node.YNode().Value))(node)
-}
--- a/api/filters/prefix/prefix_test.go
+++ b/api/filters/prefix/prefix_test.go
@@ -1,154 +0,0 @@
-// Copyright 2019 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package prefix_test
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/filters/prefix"
-	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
-	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
-)
-
-var mutationTrackerStub = filtertest_test.MutationTrackerStub{}
-
-var tests = map[string]TestCase{
-	"prefix": {
-		input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
---
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance
-`,
-		expected: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: foo-instance
---
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: foo-instance
-`,
-		filter: prefix.Filter{
-			Prefix:    "foo-",
-			FieldSpec: types.FieldSpec{Path: "metadata/name"},
-		},
-	},
-
-	"data-fieldspecs": {
-		input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-a:
-  b:
-    c: d
---
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance
-a:
-  b:
-    c: d
-`,
-		expected: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
-a:
-  b:
-    c: foo-d
---
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance
-a:
-  b:
-    c: foo-d
-`,
-		filter: prefix.Filter{
-			Prefix:    "foo-",
-			FieldSpec: types.FieldSpec{Path: "a/b/c"},
-		},
-	},
-
-	"mutation tracker": {
-		input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
---
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance
-`,
-		expected: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: foo-instance
---
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: foo-instance
-`,
-		filter: prefix.Filter{
-			Prefix:    "foo-",
-			FieldSpec: types.FieldSpec{Path: "metadata/name"},
-		},
-		mutationTracker: mutationTrackerStub.MutationTracker,
-		expectedSetValueArgs: []filtertest_test.SetValueArg{
-			{
-				Value:    "foo-instance",
-				NodePath: []string{"metadata", "name"},
-			},
-			{
-				Value:    "foo-instance",
-				NodePath: []string{"metadata", "name"},
-			},
-		},
-	},
-}
-
-type TestCase struct {
-	input                string
-	expected             string
-	filter               prefix.Filter
-	mutationTracker      func(key, value, tag string, node *yaml.RNode)
-	expectedSetValueArgs []filtertest_test.SetValueArg
-}
-
-func TestFilter(t *testing.T) {
-	for name := range tests {
-		mutationTrackerStub.Reset()
-		test := tests[name]
-		test.filter.WithMutationTracker(test.mutationTracker)
-		t.Run(name, func(t *testing.T) {
-			if !assert.Equal(t,
-				strings.TrimSpace(test.expected),
-				strings.TrimSpace(
-					filtertest_test.RunFilter(t, test.input, test.filter))) {
-				t.FailNow()
-			}
-			assert.Equal(t, test.expectedSetValueArgs, mutationTrackerStub.SetValueArgs())
-		})
-	}
-}
--- a/api/filters/prefixsuffix/doc.go
+++ b/api/filters/prefixsuffix/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package prefixsuffix contains a kio.Filter implementation of the kustomize
+// PrefixSuffixTransformer.
+package prefixsuffix
--- a/api/filters/prefixsuffix/example_test.go
+++ b/api/filters/prefixsuffix/example_test.go
@@ -0,0 +1,47 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package prefixsuffix_test
+
+import (
+	"bytes"
+	"log"
+	"os"
+
+	"sigs.k8s.io/kustomize/api/filters/prefixsuffix"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+)
+
+func ExampleFilter() {
+	err := kio.Pipeline{
+		Inputs: []kio.Reader{&kio.ByteReader{Reader: bytes.NewBufferString(`
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+`)}},
+		Filters: []kio.Filter{prefixsuffix.Filter{
+			Prefix: "baz-", FieldSpec: types.FieldSpec{Path: "metadata/name"}}},
+		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
+	}.Execute()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Output:
+	// apiVersion: example.com/v1
+	// kind: Foo
+	// metadata:
+	//   name: baz-instance
+	// ---
+	// apiVersion: example.com/v1
+	// kind: Bar
+	// metadata:
+	//   name: baz-instance
+}
--- a/api/filters/prefixsuffix/prefixsuffix.go
+++ b/api/filters/prefixsuffix/prefixsuffix.go
@@ -0,0 +1,43 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package prefixsuffix
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Filter applies resource name prefix's and suffix's using the fieldSpecs
+type Filter struct {
+	Prefix string `json:"prefix,omitempty" yaml:"prefix,omitempty"`
+	Suffix string `json:"suffix,omitempty" yaml:"suffix,omitempty"`
+
+	FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+}
+
+var _ kio.Filter = Filter{}
+
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
+}
+
+func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
+	err := node.PipeE(fieldspec.Filter{
+		FieldSpec:  f.FieldSpec,
+		SetValue:   f.evaluateField,
+		CreateKind: yaml.ScalarNode, // Name is a ScalarNode
+		CreateTag:  yaml.NodeTagString,
+	})
+	return node, err
+}
+
+func (f Filter) evaluateField(node *yaml.RNode) error {
+	return filtersutil.SetScalar(fmt.Sprintf(
+		"%s%s%s", f.Prefix, node.YNode().Value, f.Suffix))(node)
+}
--- a/api/filters/prefixsuffix/prefixsuffix_test.go
+++ b/api/filters/prefixsuffix/prefixsuffix_test.go
@@ -0,0 +1,158 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package prefixsuffix_test
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/kustomize/api/filters/prefixsuffix"
+	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
+	"sigs.k8s.io/kustomize/api/types"
+)
+
+var tests = map[string]TestCase{
+	"prefix": {
+		input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+`,
+		expected: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: foo-instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: foo-instance
+`,
+		filter: prefixsuffix.Filter{Prefix: "foo-"},
+		fs:     types.FieldSpec{Path: "metadata/name"},
+	},
+
+	"suffix": {
+		input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+`,
+		expected: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance-foo
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance-foo
+`,
+		filter: prefixsuffix.Filter{Suffix: "-foo"},
+		fs:     types.FieldSpec{Path: "metadata/name"},
+	},
+
+	"prefix-suffix": {
+		input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+`,
+		expected: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: bar-instance-foo
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: bar-instance-foo
+`,
+		filter: prefixsuffix.Filter{Prefix: "bar-", Suffix: "-foo"},
+		fs:     types.FieldSpec{Path: "metadata/name"},
+	},
+
+	"data-fieldspecs": {
+		input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+a:
+  b:
+    c: d
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+a:
+  b:
+    c: d
+`,
+		expected: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+a:
+  b:
+    c: foo-d
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+a:
+  b:
+    c: foo-d
+`,
+		filter: prefixsuffix.Filter{Prefix: "foo-"},
+		fs:     types.FieldSpec{Path: "a/b/c"},
+	},
+}
+
+type TestCase struct {
+	input    string
+	expected string
+	filter   prefixsuffix.Filter
+	fs       types.FieldSpec
+}
+
+func TestFilter(t *testing.T) {
+	for name := range tests {
+		test := tests[name]
+		t.Run(name, func(t *testing.T) {
+			test.filter.FieldSpec = test.fs
+			if !assert.Equal(t,
+				strings.TrimSpace(test.expected),
+				strings.TrimSpace(
+					filtertest_test.RunFilter(t, test.input, test.filter))) {
+				t.FailNow()
+			}
+		})
+	}
+}
--- a/api/filters/refvar/doc.go
+++ b/api/filters/refvar/doc.go
@@ -1,6 +1,3 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
 // Package refvar contains a kio.Filter implementation of the kustomize
-// refvar transformer (find and replace $(FOO) style variables in strings).
+// refvar transformer.
 package refvar
--- a/api/filters/refvar/expand.go
+++ b/api/filters/refvar/expand.go
@@ -1,147 +0,0 @@
-// Copyright 2019 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package refvar
-
-import (
-	"fmt"
-	"log"
-	"strings"
-)
-
-const (
-	operator        = '$'
-	referenceOpener = '('
-	referenceCloser = ')'
-)
-
-// syntaxWrap returns the input string wrapped by the expansion syntax.
-func syntaxWrap(input string) string {
-	var sb strings.Builder
-	sb.WriteByte(operator)
-	sb.WriteByte(referenceOpener)
-	sb.WriteString(input)
-	sb.WriteByte(referenceCloser)
-	return sb.String()
-}
-
-// MappingFunc maps a string to anything.
-type MappingFunc func(string) interface{}
-
-// MakePrimitiveReplacer returns a MappingFunc that uses a map to do
-// replacements, and a histogram to count map hits.
-//
-// Func behavior:
-//
-// If the input key is NOT found in the map, the key is wrapped up as
-// as a variable declaration string and returned, e.g. key FOO becomes $(FOO).
-// This string is presumably put back where it was found, and might get replaced
-// later.
-//
-// If the key is found in the map, the value is returned if it is a primitive
-// type (string, bool, number), and the hit is counted.
-//
-// If it's not a primitive type (e.g. a map, struct, func, etc.) then this
-// function doesn't know what to do with it and it returns the key wrapped up
-// again as if it had not been replaced.  This should probably be an error.
-func MakePrimitiveReplacer(
-	counts map[string]int, someMap map[string]interface{}) MappingFunc {
-	return func(key string) interface{} {
-		if value, ok := someMap[key]; ok {
-			switch typedV := value.(type) {
-			case string, int, int32, int64, float32, float64, bool:
-				counts[key]++
-				return typedV
-			default:
-				// If the value is some complicated type (e.g. a map or struct),
-				// this function doesn't know how to jam it into a string,
-				// so just pretend it was a cache miss.
-				// Likely this should be an error instead of a silent failure,
-				// since the programmer passed an impossible value.
-				log.Printf(
-					"MakePrimitiveReplacer: bad replacement type=%T val=%v",
-					typedV, typedV)
-				return syntaxWrap(key)
-			}
-		}
-		// If unable to return the mapped variable, return it
-		// as it was found, and a later mapping might be able to
-		// replace it.
-		return syntaxWrap(key)
-	}
-}
-
-// DoReplacements replaces variable references in the input string
-// using the mapping function.
-func DoReplacements(input string, mapping MappingFunc) interface{} {
-	var buf strings.Builder
-	checkpoint := 0
-	for cursor := 0; cursor < len(input); cursor++ {
-		if input[cursor] == operator && cursor+1 < len(input) {
-			// Copy the portion of the input string since the last
-			// checkpoint into the buffer
-			buf.WriteString(input[checkpoint:cursor])
-
-			// Attempt to read the variable name as defined by the
-			// syntax from the input string
-			read, isVar, advance := tryReadVariableName(input[cursor+1:])
-
-			if isVar {
-				// We were able to read a variable name correctly;
-				// apply the mapping to the variable name and copy the
-				// bytes into the buffer
-				mapped := mapping(read)
-				if input == syntaxWrap(read) {
-					// Preserve the type of variable
-					return mapped
-				}
-
-				// Variable is used in a middle of a string
-				buf.WriteString(fmt.Sprintf("%v", mapped))
-			} else {
-				// Not a variable name; copy the read bytes into the buffer
-				buf.WriteString(read)
-			}
-
-			// Advance the cursor in the input string to account for
-			// bytes consumed to read the variable name expression
-			cursor += advance
-
-			// Advance the checkpoint in the input string
-			checkpoint = cursor + 1
-		}
-	}
-
-	// Return the buffer and any remaining unwritten bytes in the
-	// input string.
-	return buf.String() + input[checkpoint:]
-}
-
-// tryReadVariableName attempts to read a variable name from the input
-// string and returns the content read from the input, whether that content
-// represents a variable name to perform mapping on, and the number of bytes
-// consumed in the input string.
-//
-// The input string is assumed not to contain the initial operator.
-func tryReadVariableName(input string) (string, bool, int) {
-	switch input[0] {
-	case operator:
-		// Escaped operator; return it.
-		return input[0:1], false, 1
-	case referenceOpener:
-		// Scan to expression closer
-		for i := 1; i < len(input); i++ {
-			if input[i] == referenceCloser {
-				return input[1:i], true, i + 1
-			}
-		}
-
-		// Incomplete reference; return it.
-		return string(operator) + string(referenceOpener), false, 1
-	default:
-		// Not the beginning of an expression, ie, an operator
-		// that doesn't begin an expression.  Return the operator
-		// and the first rune in the string.
-		return string(operator) + string(input[0]), false, 1
-	}
-}
--- a/api/filters/refvar/refvar.go
+++ b/api/filters/refvar/refvar.go
@@ -1,6 +1,3 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
 package refvar

 import (
@@ -11,13 +8,15 @@ import (
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
+
+	expansion2 "sigs.k8s.io/kustomize/api/internal/accumulator/expansion"
 )

 // Filter updates $(VAR) style variables with values.
 // The fieldSpecs are the places to look for occurrences of $(VAR).
 type Filter struct {
-	MappingFunc MappingFunc     `json:"mappingFunc,omitempty" yaml:"mappingFunc,omitempty"`
-	FieldSpec   types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+	MappingFunc func(string) interface{} `json:"mappingFunc,omitempty" yaml:"mappingFunc,omitempty"`
+	FieldSpec   types.FieldSpec          `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
 }

 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
@@ -50,21 +49,12 @@ func (f Filter) set(node *yaml.RNode) error {

 func updateNodeValue(node *yaml.Node, newValue interface{}) {
 	switch newValue := newValue.(type) {
-	case int:
-		node.Value = strconv.FormatInt(int64(newValue), 10)
-		node.Tag = yaml.NodeTagInt
-	case int32:
-		node.Value = strconv.FormatInt(int64(newValue), 10)
-		node.Tag = yaml.NodeTagInt
 	case int64:
 		node.Value = strconv.FormatInt(newValue, 10)
 		node.Tag = yaml.NodeTagInt
 	case bool:
 		node.SetString(strconv.FormatBool(newValue))
 		node.Tag = yaml.NodeTagBool
-	case float32:
-		node.SetString(strconv.FormatFloat(float64(newValue), 'f', -1, 32))
-		node.Tag = yaml.NodeTagFloat
 	case float64:
 		node.SetString(strconv.FormatFloat(newValue, 'f', -1, 64))
 		node.Tag = yaml.NodeTagFloat
@@ -79,7 +69,7 @@ func (f Filter) setScalar(node *yaml.RNode) error {
 	if !yaml.IsYNodeString(node.YNode()) {
 		return nil
 	}
-	v := DoReplacements(node.YNode().Value, f.MappingFunc)
+	v := expansion2.Expand(node.YNode().Value, f.MappingFunc)
 	updateNodeValue(node.YNode(), v)
 	return nil
 }
@@ -88,14 +78,12 @@ func (f Filter) setMap(node *yaml.RNode) error {
 	contents := node.YNode().Content
 	for i := 0; i < len(contents); i += 2 {
 		if !yaml.IsYNodeString(contents[i]) {
-			return fmt.Errorf(
-				"invalid map key: value='%s', tag='%s'",
-				contents[i].Value, contents[i].Tag)
+			return fmt.Errorf("invalid map key: %s, type: %s", contents[i].Value, contents[i].Tag)
 		}
 		if !yaml.IsYNodeString(contents[i+1]) {
 			continue
 		}
-		newValue := DoReplacements(contents[i+1].Value, f.MappingFunc)
+		newValue := expansion2.Expand(contents[i+1].Value, f.MappingFunc)
 		updateNodeValue(contents[i+1], newValue)
 	}
 	return nil
@@ -106,7 +94,7 @@ func (f Filter) setSeq(node *yaml.RNode) error {
 		if !yaml.IsYNodeString(item) {
 			return fmt.Errorf("invalid value type expect a string")
 		}
-		newValue := DoReplacements(item.Value, f.MappingFunc)
+		newValue := expansion2.Expand(item.Value, f.MappingFunc)
 		updateNodeValue(item, newValue)
 	}
 	return nil
--- a/api/filters/refvar/refvar_test.go
+++ b/api/filters/refvar/refvar_test.go
@@ -1,25 +1,19 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package refvar_test
+package refvar

 import (
 	"strings"
 	"testing"

 	"github.com/stretchr/testify/assert"
-	. "sigs.k8s.io/kustomize/api/filters/refvar"
+	expansion2 "sigs.k8s.io/kustomize/api/internal/accumulator/expansion"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

-var makeMf = func(theMap map[string]interface{}) MappingFunc {
-	ignored := make(map[string]int)
-	return MakePrimitiveReplacer(ignored, theMap)
-}
-
 func TestFilter(t *testing.T) {
+	replacementCounts := make(map[string]int)
+
 	testCases := map[string]struct {
 		input    string
 		expected string
@@ -41,7 +35,7 @@ metadata:
 spec:
  replicas: 5`,
 			filter: Filter{
-				MappingFunc: makeMf(map[string]interface{}{
+				MappingFunc: expansion2.MappingFuncFor(replacementCounts, map[string]interface{}{
 					"VAR": int64(5),
 				}),
 				FieldSpec: types.FieldSpec{Path: "spec/replicas"},
@@ -63,7 +57,7 @@ metadata:
 spec:
  replicas: 1`,
 			filter: Filter{
-				MappingFunc: makeMf(map[string]interface{}{
+				MappingFunc: expansion2.MappingFuncFor(replacementCounts, map[string]interface{}{
 					"VAR": int64(5),
 				}),
 				FieldSpec: types.FieldSpec{Path: "spec/replicas"},
@@ -85,7 +79,7 @@ metadata:
 spec:
  replicas: 1`,
 			filter: Filter{
-				MappingFunc: makeMf(map[string]interface{}{
+				MappingFunc: expansion2.MappingFuncFor(replacementCounts, map[string]interface{}{
 					"VAR": int64(5),
 				}),
 				FieldSpec: types.FieldSpec{Path: "a/b/c"},
@@ -117,7 +111,7 @@ data:
 - false
 - 1.23`,
 			filter: Filter{
-				MappingFunc: makeMf(map[string]interface{}{
+				MappingFunc: expansion2.MappingFuncFor(replacementCounts, map[string]interface{}{
 					"FOO":   "foo",
 					"BAR":   "bar",
 					"BOOL":  false,
@@ -148,7 +142,7 @@ data:
  BAZ: $(BAZ)
  PLUS: foo+bar`,
 			filter: Filter{
-				MappingFunc: makeMf(map[string]interface{}{
+				MappingFunc: expansion2.MappingFuncFor(replacementCounts, map[string]interface{}{
 					"FOO": "foo",
 					"BAR": "bar",
 				}),
@@ -187,35 +181,13 @@ data:
    SLICE:
    - $(FOO)`,
 			filter: Filter{
-				MappingFunc: makeMf(map[string]interface{}{
+				MappingFunc: expansion2.MappingFuncFor(replacementCounts, map[string]interface{}{
 					"FOO": "foo",
 					"BAR": "bar",
 				}),
 				FieldSpec: types.FieldSpec{Path: "data/slice2"},
 			},
 		},
-		"null value": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dep
-data:
-  FOO: null`,
-			expected: `
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dep
-data:
-  FOO: null`,
-			filter: Filter{
-				MappingFunc: makeMf(map[string]interface{}{
-					// no replacements!
-				}),
-				FieldSpec: types.FieldSpec{Path: "data/FOO"},
-			},
-		},
 	}

 	for tn, tc := range testCases {
@@ -231,6 +203,8 @@ data:
 }

 func TestFilterUnhappy(t *testing.T) {
+	replacementCounts := make(map[string]int)
+
 	testCases := map[string]struct {
 		input         string
 		expectedError string
@@ -245,9 +219,18 @@ metadata:
 data:
  slice:
  - false`,
-			expectedError: `considering field 'data/slice' of object Deployment.v1.apps/dep.[noNs]: invalid value type expect a string`,
+			expectedError: `obj 'apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dep
+  annotations:
+    config.kubernetes.io/index: '0'
+data:
+  slice:
+  - false
+' at path 'data/slice': invalid value type expect a string`,
 			filter: Filter{
-				MappingFunc: makeMf(map[string]interface{}{
+				MappingFunc: expansion2.MappingFuncFor(replacementCounts, map[string]interface{}{
 					"VAR": int64(5),
 				}),
 				FieldSpec: types.FieldSpec{Path: "data/slice"},
@@ -261,14 +244,36 @@ metadata:
  name: dep
 data:
  1: str`,
-			expectedError: `considering field 'data' of object Deployment.v1.apps/dep.[noNs]: invalid map key: value='1', tag='` + yaml.NodeTagInt + `'`,
+			expectedError: `obj 'apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dep
+  annotations:
+    config.kubernetes.io/index: '0'
+data:
+  1: str
+' at path 'data': invalid map key: 1, type: ` + yaml.NodeTagInt,
 			filter: Filter{
-				MappingFunc: makeMf(map[string]interface{}{
+				MappingFunc: expansion2.MappingFuncFor(replacementCounts, map[string]interface{}{
 					"VAR": int64(5),
 				}),
 				FieldSpec: types.FieldSpec{Path: "data"},
 			},
 		},
+		"null input": {
+			input: `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dep
+data:
+  FOO: null`,
+			expectedError: "obj '' at path 'data/FOO': invalid type encountered 0",
+			filter: Filter{
+				MappingFunc: expansion2.MappingFuncFor(replacementCounts, map[string]interface{}{}),
+				FieldSpec:   types.FieldSpec{Path: "data/FOO"},
+			},
+		},
 	}

 	for tn, tc := range testCases {
--- a/api/filters/replacement/doc.go
+++ b/api/filters/replacement/doc.go
@@ -1,7 +0,0 @@
-// Copyright 2022 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package replacement contains a kio.Filter implementation of the kustomize
-// replacement transformer (accepts sources and looks for targets to replace
-// their values with values from the sources).
-package replacement
--- a/api/filters/replacement/example_test.go
+++ b/api/filters/replacement/example_test.go
@@ -1,68 +0,0 @@
-// Copyright 2021 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package replacement
-
-import (
-	"bytes"
-	"log"
-	"os"
-
-	"sigs.k8s.io/kustomize/kyaml/kio"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
-)
-
-func ExampleFilter() {
-	f := Filter{}
-	err := yaml.Unmarshal([]byte(`
-replacements:
- source:
-    kind: Foo2
-    fieldPath: spec.replicas
-  targets:
-  - select:
-      kind: Foo1
-    fieldPaths: 
-    - spec.replicas`), &f)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	err = kio.Pipeline{
-		Inputs: []kio.Reader{&kio.ByteReader{Reader: bytes.NewBufferString(`
-apiVersion: example.com/v1
-kind: Foo1
-metadata:
-  name: instance
-spec:
-  replicas: 3
---
-apiVersion: example.com/v1
-kind: Foo2
-metadata:
-  name: instance
-spec:
-  replicas: 99
-`)}},
-		Filters: []kio.Filter{f},
-		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
-	}.Execute()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	// Output:
-	// apiVersion: example.com/v1
-	// kind: Foo1
-	// metadata:
-	//   name: instance
-	// spec:
-	//   replicas: 99
-	// ---
-	// apiVersion: example.com/v1
-	// kind: Foo2
-	// metadata:
-	//   name: instance
-	// spec:
-	//   replicas: 99
-}
--- a/api/filters/replacement/replacement.go
+++ b/api/filters/replacement/replacement.go
@@ -1,401 +0,0 @@
-// Copyright 2021 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package replacement
-
-import (
-	"encoding/json"
-	"fmt"
-	"strings"
-
-	"sigs.k8s.io/kustomize/api/internal/utils"
-	"sigs.k8s.io/kustomize/api/resource"
-	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/errors"
-	kyaml_utils "sigs.k8s.io/kustomize/kyaml/utils"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
-)
-
-type Filter struct {
-	Replacements []types.Replacement `json:"replacements,omitempty" yaml:"replacements,omitempty"`
-}
-
-// Filter replaces values of targets with values from sources
-func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
-	for i, r := range f.Replacements {
-		if (r.SourceValue == nil && r.Source == nil) || r.Targets == nil {
-			return nil, fmt.Errorf("replacements must specify a source and at least one target")
-		}
-		value, err := getReplacement(nodes, &f.Replacements[i])
-		if err != nil {
-			return nil, err
-		}
-		nodes, err = applyReplacement(nodes, value, r.Targets)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return nodes, nil
-}
-
-func getReplacement(nodes []*yaml.RNode, r *types.Replacement) (*yaml.RNode, error) {
-	if r.SourceValue != nil && r.Source != nil {
-		return nil, fmt.Errorf("value and resource selectors are mutually exclusive")
-	}
-	if r.SourceValue != nil {
-		return yaml.NewScalarRNode(*r.SourceValue), nil
-	}
-
-	source, err := selectSourceNode(nodes, r.Source)
-	if err != nil {
-		return nil, err
-	}
-
-	if r.Source.FieldPath == "" {
-		r.Source.FieldPath = types.DefaultReplacementFieldPath
-	}
-	fieldPath := kyaml_utils.SmarterPathSplitter(r.Source.FieldPath, ".")
-
-	rn, err := source.Pipe(yaml.Lookup(fieldPath...))
-	if err != nil {
-		return nil, fmt.Errorf("error looking up replacement source: %w", err)
-	}
-	if rn.IsNilOrEmpty() {
-		return nil, fmt.Errorf("fieldPath `%s` is missing for replacement source %s", r.Source.FieldPath, r.Source.ResId)
-	}
-
-	return getRefinedValue(r.Source.Options, rn)
-}
-
-// selectSourceNode finds the node that matches the selector, returning
-// an error if multiple or none are found
-func selectSourceNode(nodes []*yaml.RNode, selector *types.SourceSelector) (*yaml.RNode, error) {
-	var matches []*yaml.RNode
-	for _, n := range nodes {
-		ids, err := utils.MakeResIds(n)
-		if err != nil {
-			return nil, fmt.Errorf("error getting node IDs: %w", err)
-		}
-		for _, id := range ids {
-			if id.IsSelectedBy(selector.ResId) {
-				if len(matches) > 0 {
-					return nil, fmt.Errorf(
-						"multiple matches for selector %s", selector)
-				}
-				matches = append(matches, n)
-				break
-			}
-		}
-	}
-	if len(matches) == 0 {
-		return nil, fmt.Errorf("nothing selected by %s", selector)
-	}
-	return matches[0], nil
-}
-
-func getRefinedValue(options *types.FieldOptions, rn *yaml.RNode) (*yaml.RNode, error) {
-	if options == nil || options.Delimiter == "" {
-		return rn, nil
-	}
-	if rn.YNode().Kind != yaml.ScalarNode {
-		return nil, fmt.Errorf("delimiter option can only be used with scalar nodes")
-	}
-	value := strings.Split(yaml.GetValue(rn), options.Delimiter)
-	if options.Index >= len(value) || options.Index < 0 {
-		return nil, fmt.Errorf("options.index %d is out of bounds for value %s", options.Index, yaml.GetValue(rn))
-	}
-	n := rn.Copy()
-	n.YNode().Value = value[options.Index]
-	return n, nil
-}
-
-func applyReplacement(nodes []*yaml.RNode, value *yaml.RNode, targetSelectors []*types.TargetSelector) ([]*yaml.RNode, error) {
-	for _, selector := range targetSelectors {
-		if selector.Select == nil {
-			return nil, errors.Errorf("target must specify resources to select")
-		}
-		if len(selector.FieldPaths) == 0 {
-			selector.FieldPaths = []string{types.DefaultReplacementFieldPath}
-		}
-		tsr, err := types.NewTargetSelectorRegex(selector)
-		if err != nil {
-			return nil, fmt.Errorf("error creating target selector: %w", err)
-		}
-		for _, possibleTarget := range nodes {
-			ids, err := utils.MakeResIds(possibleTarget)
-			if err != nil {
-				return nil, err
-			}
-
-			// filter targets by label and annotation selectors
-			selectByAnnoAndLabel, err := selectByAnnoAndLabel(possibleTarget, selector)
-			if err != nil {
-				return nil, err
-			}
-			if !selectByAnnoAndLabel {
-				continue
-			}
-
-			if tsr.RejectsAny(ids) {
-				continue
-			}
-
-			// filter targets by matching resource IDs
-			for _, id := range ids {
-				if tsr.Selects(id) {
-					err := copyValueToTarget(possibleTarget, value, selector)
-					if err != nil {
-						return nil, err
-					}
-					break
-				}
-			}
-		}
-	}
-	return nodes, nil
-}
-
-func selectByAnnoAndLabel(n *yaml.RNode, t *types.TargetSelector) (bool, error) {
-	if matchesSelect, err := matchesAnnoAndLabelSelector(n, t.Select); !matchesSelect || err != nil {
-		return false, err
-	}
-	for _, reject := range t.Reject {
-		if reject.AnnotationSelector == "" && reject.LabelSelector == "" {
-			continue
-		}
-		if m, err := matchesAnnoAndLabelSelector(n, reject); m || err != nil {
-			return false, err
-		}
-	}
-	return true, nil
-}
-
-func matchesAnnoAndLabelSelector(n *yaml.RNode, selector *types.Selector) (bool, error) {
-	r := resource.Resource{RNode: *n}
-	annoMatch, err := r.MatchesAnnotationSelector(selector.AnnotationSelector)
-	if err != nil {
-		return false, err
-	}
-	labelMatch, err := r.MatchesLabelSelector(selector.LabelSelector)
-	if err != nil {
-		return false, err
-	}
-	return annoMatch && labelMatch, nil
-}
-
-func copyValueToTarget(target *yaml.RNode, value *yaml.RNode, selector *types.TargetSelector) error {
-	for _, fp := range selector.FieldPaths {
-		createKind := yaml.Kind(0) // do not create
-		if selector.Options != nil && selector.Options.Create {
-			createKind = value.YNode().Kind
-		}
-
-		// Check if this fieldPath contains structured data access
-		if err := setValueInStructuredData(target, value, fp, createKind); err == nil {
-			// Successfully handled as structured data
-			continue
-		}
-
-		// Fall back to normal path handling
-		targetFieldList, err := target.Pipe(&yaml.PathMatcher{
-			Path:   kyaml_utils.SmarterPathSplitter(fp, "."),
-			Create: createKind})
-		if err != nil {
-			return errors.WrapPrefixf(err, "%s", fieldRetrievalError(fp, createKind != 0))
-		}
-		targetFields, err := targetFieldList.Elements()
-		if err != nil {
-			return errors.WrapPrefixf(err, "%s", fieldRetrievalError(fp, createKind != 0))
-		}
-		if len(targetFields) == 0 {
-			return errors.Errorf("%s", fieldRetrievalError(fp, createKind != 0))
-		}
-
-		for _, t := range targetFields {
-			if err := setFieldValue(selector.Options, t, value); err != nil {
-				return fmt.Errorf("%w", err)
-			}
-		}
-	}
-	return nil
-}
-
-func fieldRetrievalError(fieldPath string, isCreate bool) string {
-	if isCreate {
-		return fmt.Sprintf("unable to find or create field %q in replacement target", fieldPath)
-	}
-	return fmt.Sprintf("unable to find field %q in replacement target", fieldPath)
-}
-
-func setFieldValue(options *types.FieldOptions, targetField *yaml.RNode, value *yaml.RNode) error {
-	value = value.Copy()
-	if options != nil && options.Delimiter != "" {
-		if targetField.YNode().Kind != yaml.ScalarNode {
-			return fmt.Errorf("delimiter option can only be used with scalar nodes")
-		}
-		tv := strings.Split(targetField.YNode().Value, options.Delimiter)
-		v := yaml.GetValue(value)
-		// TODO: Add a way to remove an element
-		switch {
-		case options.Index < 0: // prefix
-			tv = append([]string{v}, tv...)
-		case options.Index >= len(tv): // suffix
-			tv = append(tv, v)
-		default: // replace an element
-			tv[options.Index] = v
-		}
-		value.YNode().Value = strings.Join(tv, options.Delimiter)
-	}
-
-	if targetField.YNode().Kind == yaml.ScalarNode {
-		// For scalar, only copy the value (leave any type intact to auto-convert int->string or string->int)
-		targetField.YNode().Value = value.YNode().Value
-	} else {
-		targetField.SetYNode(value.YNode())
-	}
-
-	return nil
-}
-
-// setValueInStructuredData handles setting values within structured data (JSON/YAML) in scalar fields
-func setValueInStructuredData(target *yaml.RNode, value *yaml.RNode, fieldPath string, createKind yaml.Kind) error {
-	pathParts := kyaml_utils.SmarterPathSplitter(fieldPath, ".")
-	if len(pathParts) < 2 {
-		return fmt.Errorf("not a structured data path")
-	}
-
-	// Find the potential scalar field that might contain structured data
-	var scalarFieldPath []string
-	var structuredDataPath []string
-	var foundScalar = false
-
-	// Try to find where the scalar field ends and structured data begins
-	for i := 1; i <= len(pathParts); i++ {
-		potentialScalarPath := pathParts[:i]
-		scalarField, err := target.Pipe(yaml.Lookup(potentialScalarPath...))
-		if err != nil {
-			continue
-		}
-		if scalarField != nil && scalarField.YNode().Kind == yaml.ScalarNode && i < len(pathParts) {
-			// Try to parse the scalar value as structured data
-			scalarValue := scalarField.YNode().Value
-			var parsedNode yaml.Node
-			if err := yaml.Unmarshal([]byte(scalarValue), &parsedNode); err == nil {
-				// Successfully parsed - this is structured data
-				scalarFieldPath = potentialScalarPath
-				structuredDataPath = pathParts[i:]
-				foundScalar = true
-				break
-			}
-		}
-	}
-
-	if !foundScalar {
-		return fmt.Errorf("no structured data found in path")
-	}
-
-	// Get the scalar field containing structured data
-	scalarField, err := target.Pipe(yaml.Lookup(scalarFieldPath...))
-	if err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	// Parse the structured data
-	scalarValue := scalarField.YNode().Value
-	var parsedNode yaml.Node
-	if err := yaml.Unmarshal([]byte(scalarValue), &parsedNode); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	structuredData := yaml.NewRNode(&parsedNode)
-
-	// Navigate to the target location within the structured data
-	targetInStructured, err := structuredData.Pipe(&yaml.PathMatcher{
-		Path:   structuredDataPath,
-		Create: createKind,
-	})
-	if err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	targetFields, err := targetInStructured.Elements()
-	if err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	if len(targetFields) == 0 {
-		return fmt.Errorf("unable to find field in structured data")
-	}
-
-	// Set the value in the structured data
-	for _, t := range targetFields {
-		if t.YNode().Kind == yaml.ScalarNode {
-			t.YNode().Value = value.YNode().Value
-		} else {
-			t.SetYNode(value.YNode())
-		}
-	}
-
-	// Serialize the modified structured data back to the scalar field
-	// Try to detect if original was JSON or YAML and preserve formatting
-	serializedData, err := serializeStructuredData(structuredData, scalarValue)
-	if err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	// Update the original scalar field
-	scalarField.YNode().Value = serializedData
-
-	return nil
-}
-
-// serializeStructuredData handles the serialization of structured data back to string format
-// preserving the original format (JSON vs YAML) and style (pretty vs compact)
-func serializeStructuredData(structuredData *yaml.RNode, originalValue string) (string, error) {
-	firstChar := rune(strings.TrimSpace(originalValue)[0])
-	if firstChar == '{' || firstChar == '[' {
-		return serializeAsJSON(structuredData, originalValue)
-	}
-
-	// Fallback to YAML format
-	return serializeAsYAML(structuredData)
-}
-
-// serializeAsJSON converts structured data back to JSON format
-func serializeAsJSON(structuredData *yaml.RNode, originalValue string) (string, error) {
-	modifiedData, err := structuredData.String()
-	if err != nil {
-		return "", fmt.Errorf("failed to serialize structured data: %w", err)
-	}
-
-	// Parse the YAML output as JSON
-	var jsonData interface{}
-	if err := yaml.Unmarshal([]byte(modifiedData), &jsonData); err != nil {
-		return "", fmt.Errorf("failed to unmarshal YAML data: %w", err)
-	}
-
-	// Check if original was pretty-printed by looking for newlines and indentation
-	if strings.Contains(originalValue, "\n") && strings.Contains(originalValue, "  ") {
-		// Pretty-print the JSON to match original formatting
-		if prettyJSON, err := json.MarshalIndent(jsonData, "", "  "); err == nil {
-			return string(prettyJSON), nil
-		}
-	}
-
-	// Compact JSON
-	if compactJSON, err := json.Marshal(jsonData); err == nil {
-		return string(compactJSON), nil
-	}
-
-	return "", fmt.Errorf("failed to marshal JSON data")
-}
-
-// serializeAsYAML converts structured data back to YAML format
-func serializeAsYAML(structuredData *yaml.RNode) (string, error) {
-	modifiedData, err := structuredData.String()
-	if err != nil {
-		return "", fmt.Errorf("failed to serialize YAML data: %w", err)
-	}
-
-	return strings.TrimSpace(modifiedData), nil
-}
--- a/Show More
+++ b/Show More