From eb3caa3378077a9f8ac7a49ab4a9f0afa137a910 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=BCttler?= <info@thomas-guettler.de>
Date: Wed, 18 Mar 2026 10:26:28 +0100
Subject: [PATCH 1/6] docs: add: Choosing Between Update, Patch, and Apply

---
 docs/book/src/SUMMARY.md                      |   1 +
 docs/book/src/getting-started.md              |  13 +-
 docs/book/src/reference/reference.md          |   3 +
 docs/book/src/reference/update-patch-apply.md | 184 ++++++++++++++++++
 .../secondary-owned-resources.md              |  12 ++
 5 files changed, 212 insertions(+), 1 deletion(-)
 create mode 100644 docs/book/src/reference/update-patch-apply.md

diff --git a/docs/book/src/SUMMARY.md b/docs/book/src/SUMMARY.md
index fb5ee8e082f..2d2bfa85106 100644
--- a/docs/book/src/SUMMARY.md
+++ b/docs/book/src/SUMMARY.md
@@ -67,6 +67,7 @@
   - [Generating CRDs](./reference/generating-crd.md)
   - [Using Finalizers](./reference/using-finalizers.md)
   - [Good Practices](./reference/good-practices.md)
+  - [Choosing Update, Patch, or Apply](./reference/update-patch-apply.md)
   - [Raising Events](./reference/raising-events.md)
   - [Watching Resources](./reference/watching-resources.md)
     - [Owned Resources](./reference/watching-resources/secondary-owned-resources.md)
diff --git a/docs/book/src/getting-started.md b/docs/book/src/getting-started.md
index 90683b2b19b..94d3efb27dd 100644
--- a/docs/book/src/getting-started.md
+++ b/docs/book/src/getting-started.md
@@ -299,6 +299,17 @@ The following example illustrates this process:
     ...
 ```
 
+<aside class="note">
+<h1>Choosing the Write Method</h1>
+
+This example uses `Update` to keep the first controller easy to read. In production controllers, do
+not treat `Update` as the default answer. It writes the full object and conflicts more often. When
+you only need to change a few fields, `Patch` with optimistic concurrency is usually the safer
+choice. For a practical decision guide, see [Choosing Between Update, Patch, and
+Apply](./reference/update-patch-apply).
+
+</aside>
+
 Now, you can review the complete controller responsible for managing Custom Resources of the
 Memcached Kind. This controller ensures that the desired state is maintained in the cluster,
 making sure that our Memcached instance continues running with the number of replicas specified
@@ -460,4 +471,4 @@ implemented for your controller.
 [deploy-image]: ./plugins/available/deploy-image-plugin-v1-alpha.md
 [GOPATH-golang-docs]: https://golang.org/doc/code.html#GOPATH
 [go-modules-blogpost]: https://blog.golang.org/using-go-modules
-[autoupdate-plugin]: ./plugins/available/autoupdate-v1-alpha.md
\ No newline at end of file
+[autoupdate-plugin]: ./plugins/available/autoupdate-v1-alpha.md
diff --git a/docs/book/src/reference/reference.md b/docs/book/src/reference/reference.md
index 6228ccdfa8a..cccb042aa43 100644
--- a/docs/book/src/reference/reference.md
+++ b/docs/book/src/reference/reference.md
@@ -5,6 +5,9 @@
     Finalizers are a mechanism to
     execute any custom logic related to a resource before it gets deleted from
     Kubernetes cluster.
+  - [Choosing Update, Patch, or Apply](update-patch-apply.md)
+    Compare the tradeoffs between `Update`, `Patch`, and server-side `Apply`
+    when writing reconcilers.
   - [Watching Resources](watching-resources.md)
     Watch resources in the Kubernetes cluster to be informed and take actions on changes.
       - [Watching Secondary Resources that are `Owned` ](watching-resources/secondary-owned-resources.md)
diff --git a/docs/book/src/reference/update-patch-apply.md b/docs/book/src/reference/update-patch-apply.md
new file mode 100644
index 00000000000..c87bf15b485
--- /dev/null
+++ b/docs/book/src/reference/update-patch-apply.md
@@ -0,0 +1,184 @@
+# Choosing Between Update, Patch, and Apply
+
+New controller authors often ask for one rule that is always correct. There is no such rule.
+The right choice depends on what fields your controller owns, how much of the object it wants
+to manage, and how likely it is that other actors also write to that object.
+
+If you want a default that is rarely wrong, prefer `Patch` with optimistic concurrency.
+
+## Quick Decision Guide
+
+| If your controller needs to... | Usually use | Why |
+| --- | --- | --- |
+| Replace most of an object or most of its `status` after a fresh read | `Update` | Simple, but it writes the full object and conflicts more often |
+| Change only a few fields on an existing object | `Patch` | Safer for shared objects and less likely to overwrite unrelated fields |
+| Declaratively manage a known subset of fields, often on owned child resources | `Apply` | Good create-or-update flow with field ownership tracked by the API server |
+
+For controller authors, this is a useful starting point:
+
+- `Update` is the blunt tool.
+- `Patch` is the safest general-purpose tool.
+- `Apply` is best when your controller clearly owns specific fields and can send its full intent every time.
+
+## `Update`
+
+`Update` uses HTTP `PUT`. You send back the full object for that resource or subresource.
+
+Use `Update` when:
+
+- your controller has just read the object and is intentionally writing back most of it
+- your controller is effectively the main writer for that object or subresource
+- you are comfortable handling `409 Conflict` errors and retrying
+
+Be careful with `Update` because:
+
+- it requires a current `resourceVersion`
+- it rewrites the whole object, not just the fields you changed
+- it can accidentally drop fields your client does not know about
+- it conflicts more often when other actors update unrelated fields
+
+For many controllers, `Status().Update(...)` is still reasonable because the controller is often
+the only writer of that `status` subresource. Even then, you should expect conflicts and retry or
+requeue when needed.
+
+## `Patch`
+
+`Patch` changes only part of an object. For controller code, this is often the best default because
+controllers usually change a small number of fields while other actors may be updating the same object.
+
+Use `Patch` when:
+
+- you only want to change a few fields
+- the object may also be changed by users, admission webhooks, or other controllers
+- you want to reduce the chance of overwriting unrelated changes
+
+For controller-runtime clients, `MergeFrom` is a common choice. To make it safer, add optimistic
+concurrency so the patch includes `metadata.resourceVersion`:
+
+```go
+base := deployment.DeepCopy()
+
+deployment.Spec.Replicas = &size
+
+if err := r.Patch(
+    ctx,
+    deployment,
+    client.MergeFromWithOptions(base, client.MergeFromWithOptimisticLock{}),
+); err != nil {
+    return ctrl.Result{}, err
+}
+```
+
+This keeps the lost-update protection of `Update` while avoiding a full-object write.
+
+Use `Patch` especially for:
+
+- finalizers
+- labels and annotations
+- small changes to `spec`
+- small changes to `status`
+- shared secondary resources
+
+### A Note About Patch Types
+
+Kubernetes supports multiple patch types. For controllers, the most relevant ones are:
+
+- JSON merge patch, which controller-runtime uses for `client.MergeFrom(...)`
+- Server-Side Apply, covered below
+
+Avoid relying on Strategic Merge Patch for custom resources served via CRDs. Kubernetes does not
+support `application/strategic-merge-patch+json`
+([StrategicMergeFrom()](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/client#StrategicMergeFrom))
+for APIs defined using `CustomResourceDefinition`.
+
+Also note that merge patch replaces lists rather than merging them item by item. If you patch a list,
+be explicit about the full list value you want.
+
+For CRDs, markers such as [`+listType` and
+`+listMapKey`](./markers/crd-processing.md) describe
+schema-level list semantics, which are relevant for [Server-Side Apply merge
+behavior](https://kubernetes.io/docs/reference/using-api/server-side-apply/#merge-strategy), not for
+JSON merge patch used by `client.MergeFrom(...)`.
+
+If you want `Create`, `Update`, and non-apply `Patch` requests to fail fast when they contain
+unknown fields, see [Strict Field Validation](./strict-field-validation.md). In controller-runtime,
+`Apply` requests are already strict.
+
+## `Apply`
+
+`Apply` means [Server-Side Apply][k8s-ssa]. Instead of sending a read-modify-write update, your controller
+sends its declarative intent and lets the API server merge that intent with the live object.
+In this section, `Apply` refers to the Kubernetes API operation over HTTP, not the `kubectl apply`
+command-line workflow.
+
+Use `Apply` when:
+
+- your controller owns the fields it is writing
+- your controller can send the complete desired value for those owned fields on every reconcile
+- you want create-or-update behavior without a separate `Get`
+
+`Apply` is often a good fit for child objects such as:
+
+- `Deployment`
+- `Service`
+- `ConfigMap`
+- `Job`
+
+especially when your controller created those resources and clearly owns their managed fields.
+
+`Apply` is usually a poor fit when:
+
+- the new value depends on the current live value
+- you need read-modify-write behavior
+- field ownership is unclear
+- users or other controllers are expected to edit the same fields
+
+When using SSA in a controller:
+
+- use a stable field manager name
+- send the full intent for the fields your controller owns
+- force conflicts only for objects your controller truly owns and manages
+
+`Apply` and [strict field validation](./strict-field-validation.md) are still separate concepts, but
+controller-runtime does not expose a separate `fieldValidation` setting for `Apply`. `Apply`
+requests are already strict and fail if they contain unknown or duplicate fields.
+
+<aside class="note">
+<h1>Unknown Fields and Version Skew</h1>
+
+Strict field validation is separate from choosing `Update`, `Patch`, or `Apply`.
+It controls whether the API server drops unknown fields, warns, or returns an error.
+This is especially useful for catching skew between controller code and installed CRDs.
+For controller-runtime, `Apply` already fails on unknown or duplicate fields, while `Create`,
+`Update`, and non-apply `Patch` can be configured to ignore, warn, or fail.
+For built-in resources, be more careful: strict validation can reduce compatibility across
+Kubernetes versions if your controller writes fields that do not exist on every target cluster.
+See [Strict Field Validation](./strict-field-validation.md).
+
+</aside>
+
+## Practical Recommendations for New Controller Authors
+
+For a typical Kubebuilder project:
+
+- For the primary Custom Resource `spec`: usually do not write it from the controller at all. Users own desired state.
+- For the primary Custom Resource `status`: `Status().Update(...)` is fine when your controller is the only status writer. Use `Status().Patch(...)` if you only change part of `status` or expect concurrent writers.
+- For finalizers on the primary resource: prefer `Patch`.
+- For owned child resources: prefer `Apply` if you want declarative ownership, or `Patch` if the update depends on the current live object.
+- For shared resources: prefer `Patch` with optimistic concurrency.
+
+If you are unsure, start with `Patch` plus optimistic concurrency. It is not always the shortest code,
+but it is a strong default for avoiding accidental overwrites.
+
+## Further Reading
+
+For the underlying Kubernetes semantics, see:
+
+- [Kubernetes API Concepts][k8s-api-concepts]
+- [Server-Side Apply][k8s-ssa]
+- [Strict Field Validation](./strict-field-validation.md)
+- [controller-runtime client package][controller-runtime-client]
+
+[k8s-api-concepts]: https://kubernetes.io/docs/reference/using-api/api-concepts/
+[k8s-ssa]: https://kubernetes.io/docs/reference/using-api/server-side-apply/
+[controller-runtime-client]: https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/client
diff --git a/docs/book/src/reference/watching-resources/secondary-owned-resources.md b/docs/book/src/reference/watching-resources/secondary-owned-resources.md
index 0ac35fed018..684f0bd8ad9 100644
--- a/docs/book/src/reference/watching-resources/secondary-owned-resources.md
+++ b/docs/book/src/reference/watching-resources/secondary-owned-resources.md
@@ -134,6 +134,16 @@ func (r *BusyboxReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 }
 ```
 
+<aside class="note">
+<h1>Choosing the Write Method</h1>
+
+This example uses `Update` and `Status().Update` to keep the reconciliation flow readable. For
+production controllers, `Patch` with optimistic concurrency is usually safer when you only change a
+few fields, especially on shared objects. Use `Apply` when your controller declaratively owns fields
+on child resources. See [Choosing Between Update, Patch, and Apply][update-patch-apply].
+
+</aside>
+
 ## Watching Secondary Resources
 
 To ensure that changes to the secondary resource (such as the `Deployment`) trigger
@@ -186,3 +196,5 @@ Note that we are granting permissions to `watch` the resources.
 [cr-owner-ref-doc]: https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil#SetOwnerReference
 [controller-gen]: ./../controller-gen.md
 [markers]:./../markers/rbac.md
+[update-patch-apply]: ../update-patch-apply.md
+[strict-field-validation]: ../strict-field-validation.md

From e6214f6b8487b93a0fb729b8042875173e706c7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=BCttler?= <info@thomas-guettler.de>
Date: Mon, 13 Apr 2026 11:25:13 +0200
Subject: [PATCH 2/6] docs: remove broken strict-field-validation links

---
 docs/book/src/reference/update-patch-apply.md        | 12 +++++-------
 .../watching-resources/secondary-owned-resources.md  |  1 -
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/docs/book/src/reference/update-patch-apply.md b/docs/book/src/reference/update-patch-apply.md
index c87bf15b485..8c219155e52 100644
--- a/docs/book/src/reference/update-patch-apply.md
+++ b/docs/book/src/reference/update-patch-apply.md
@@ -101,8 +101,8 @@ behavior](https://kubernetes.io/docs/reference/using-api/server-side-apply/#merg
 JSON merge patch used by `client.MergeFrom(...)`.
 
 If you want `Create`, `Update`, and non-apply `Patch` requests to fail fast when they contain
-unknown fields, see [Strict Field Validation](./strict-field-validation.md). In controller-runtime,
-`Apply` requests are already strict.
+unknown fields, use strict field validation. In controller-runtime, `Apply` requests are already
+strict.
 
 ## `Apply`
 
@@ -139,9 +139,9 @@ When using SSA in a controller:
 - send the full intent for the fields your controller owns
 - force conflicts only for objects your controller truly owns and manages
 
-`Apply` and [strict field validation](./strict-field-validation.md) are still separate concepts, but
-controller-runtime does not expose a separate `fieldValidation` setting for `Apply`. `Apply`
-requests are already strict and fail if they contain unknown or duplicate fields.
+`Apply` and strict field validation are still separate concepts, but controller-runtime does not
+expose a separate `fieldValidation` setting for `Apply`. `Apply` requests are already strict and
+fail if they contain unknown or duplicate fields.
 
 <aside class="note">
 <h1>Unknown Fields and Version Skew</h1>
@@ -153,7 +153,6 @@ For controller-runtime, `Apply` already fails on unknown or duplicate fields, wh
 `Update`, and non-apply `Patch` can be configured to ignore, warn, or fail.
 For built-in resources, be more careful: strict validation can reduce compatibility across
 Kubernetes versions if your controller writes fields that do not exist on every target cluster.
-See [Strict Field Validation](./strict-field-validation.md).
 
 </aside>
 
@@ -176,7 +175,6 @@ For the underlying Kubernetes semantics, see:
 
 - [Kubernetes API Concepts][k8s-api-concepts]
 - [Server-Side Apply][k8s-ssa]
-- [Strict Field Validation](./strict-field-validation.md)
 - [controller-runtime client package][controller-runtime-client]
 
 [k8s-api-concepts]: https://kubernetes.io/docs/reference/using-api/api-concepts/
diff --git a/docs/book/src/reference/watching-resources/secondary-owned-resources.md b/docs/book/src/reference/watching-resources/secondary-owned-resources.md
index 684f0bd8ad9..8aa94e3c445 100644
--- a/docs/book/src/reference/watching-resources/secondary-owned-resources.md
+++ b/docs/book/src/reference/watching-resources/secondary-owned-resources.md
@@ -197,4 +197,3 @@ Note that we are granting permissions to `watch` the resources.
 [controller-gen]: ./../controller-gen.md
 [markers]:./../markers/rbac.md
 [update-patch-apply]: ../update-patch-apply.md
-[strict-field-validation]: ../strict-field-validation.md

From a219d0a8052b49f512608660d4c4beb5c5ae6b43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=BCttler?= <info@thomas-guettler.de>
Date: Tue, 14 Apr 2026 10:24:39 +0200
Subject: [PATCH 3/6] docs: fix title consistency and Status().Update() typo

Align SUMMARY.md and reference.md nav entries with the page H1
("Choosing Between Update, Patch, and Apply"). Fix missing parentheses
on Status().Update() in the secondary-owned-resources aside.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 docs/book/src/SUMMARY.md                                        | 2 +-
 docs/book/src/reference/reference.md                            | 2 +-
 .../reference/watching-resources/secondary-owned-resources.md   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/book/src/SUMMARY.md b/docs/book/src/SUMMARY.md
index 0156f135222..f51ea556ad6 100644
--- a/docs/book/src/SUMMARY.md
+++ b/docs/book/src/SUMMARY.md
@@ -67,7 +67,7 @@
   - [Generating CRDs](./reference/generating-crd.md)
   - [Using Finalizers](./reference/using-finalizers.md)
   - [Good Practices](./reference/good-practices.md)
-  - [Choosing Update, Patch, or Apply](./reference/update-patch-apply.md)
+  - [Choosing Between Update, Patch, and Apply](./reference/update-patch-apply.md)
   - [License Header](./reference/license-header.md)
   - [Raising Events](./reference/raising-events.md)
   - [Watching Resources](./reference/watching-resources.md)
diff --git a/docs/book/src/reference/reference.md b/docs/book/src/reference/reference.md
index cccb042aa43..b18d764171f 100644
--- a/docs/book/src/reference/reference.md
+++ b/docs/book/src/reference/reference.md
@@ -5,7 +5,7 @@
     Finalizers are a mechanism to
     execute any custom logic related to a resource before it gets deleted from
     Kubernetes cluster.
-  - [Choosing Update, Patch, or Apply](update-patch-apply.md)
+  - [Choosing Between Update, Patch, and Apply](update-patch-apply.md)
     Compare the tradeoffs between `Update`, `Patch`, and server-side `Apply`
     when writing reconcilers.
   - [Watching Resources](watching-resources.md)
diff --git a/docs/book/src/reference/watching-resources/secondary-owned-resources.md b/docs/book/src/reference/watching-resources/secondary-owned-resources.md
index 8aa94e3c445..699f87947f4 100644
--- a/docs/book/src/reference/watching-resources/secondary-owned-resources.md
+++ b/docs/book/src/reference/watching-resources/secondary-owned-resources.md
@@ -137,7 +137,7 @@ func (r *BusyboxReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 <aside class="note">
 <h1>Choosing the Write Method</h1>
 
-This example uses `Update` and `Status().Update` to keep the reconciliation flow readable. For
+This example uses `Update` and `Status().Update()` to keep the reconciliation flow readable. For
 production controllers, `Patch` with optimistic concurrency is usually safer when you only change a
 few fields, especially on shared objects. Use `Apply` when your controller declaratively owns fields
 on child resources. See [Choosing Between Update, Patch, and Apply][update-patch-apply].

From 81d5f350268bcfb11a21af8ac7b35380e125dd3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=BCttler?= <info@thomas-guettler.de>
Date: Tue, 21 Apr 2026 08:46:05 +0200
Subject: [PATCH 4/6] reduced text size.

---
 docs/book/src/reference/update-patch-apply.md | 177 +++---------------
 1 file changed, 31 insertions(+), 146 deletions(-)

diff --git a/docs/book/src/reference/update-patch-apply.md b/docs/book/src/reference/update-patch-apply.md
index 8c219155e52..5edc2a44366 100644
--- a/docs/book/src/reference/update-patch-apply.md
+++ b/docs/book/src/reference/update-patch-apply.md
@@ -1,10 +1,12 @@
 # Choosing Between Update, Patch, and Apply
 
-New controller authors often ask for one rule that is always correct. There is no such rule.
-The right choice depends on what fields your controller owns, how much of the object it wants
-to manage, and how likely it is that other actors also write to that object.
+Use `Update` (HTTP `PUT`) for replacement-style changes and `Patch` (HTTP
+`PATCH`) for partial changes. In Kubernetes, server-side apply is implemented
+as a specialized `PATCH` operation with field ownership tracked by the API
+server.
 
-If you want a default that is rarely wrong, prefer `Patch` with optimistic concurrency.
+If you want a default that is rarely wrong, prefer `Patch` with optimistic
+concurrency.
 
 ## Quick Decision Guide
 
@@ -12,167 +14,50 @@ If you want a default that is rarely wrong, prefer `Patch` with optimistic concu
 | --- | --- | --- |
 | Replace most of an object or most of its `status` after a fresh read | `Update` | Simple, but it writes the full object and conflicts more often |
 | Change only a few fields on an existing object | `Patch` | Safer for shared objects and less likely to overwrite unrelated fields |
-| Declaratively manage a known subset of fields, often on owned child resources | `Apply` | Good create-or-update flow with field ownership tracked by the API server |
-
-For controller authors, this is a useful starting point:
-
-- `Update` is the blunt tool.
-- `Patch` is the safest general-purpose tool.
-- `Apply` is best when your controller clearly owns specific fields and can send its full intent every time.
+| Declaratively manage a known subset of fields on owned child resources | `Apply` | The API server tracks field ownership and merges intent |
 
 ## `Update`
 
-`Update` uses HTTP `PUT`. You send back the full object for that resource or subresource.
-
-Use `Update` when:
-
-- your controller has just read the object and is intentionally writing back most of it
-- your controller is effectively the main writer for that object or subresource
-- you are comfortable handling `409 Conflict` errors and retrying
-
-Be careful with `Update` because:
+Use `Update` when your controller has just read the object and intentionally
+plans to write back most of it.
 
-- it requires a current `resourceVersion`
-- it rewrites the whole object, not just the fields you changed
-- it can accidentally drop fields your client does not know about
-- it conflicts more often when other actors update unrelated fields
-
-For many controllers, `Status().Update(...)` is still reasonable because the controller is often
-the only writer of that `status` subresource. Even then, you should expect conflicts and retry or
-requeue when needed.
+- It sends the full object or subresource.
+- It requires handling `409 Conflict` errors and retrying or requeueing.
+- `Status().Update(...)` is often reasonable when the controller is the only
+  status writer.
 
 ## `Patch`
 
-`Patch` changes only part of an object. For controller code, this is often the best default because
-controllers usually change a small number of fields while other actors may be updating the same object.
-
-Use `Patch` when:
-
-- you only want to change a few fields
-- the object may also be changed by users, admission webhooks, or other controllers
-- you want to reduce the chance of overwriting unrelated changes
-
-For controller-runtime clients, `MergeFrom` is a common choice. To make it safer, add optimistic
-concurrency so the patch includes `metadata.resourceVersion`:
-
-```go
-base := deployment.DeepCopy()
-
-deployment.Spec.Replicas = &size
-
-if err := r.Patch(
-    ctx,
-    deployment,
-    client.MergeFromWithOptions(base, client.MergeFromWithOptimisticLock{}),
-); err != nil {
-    return ctrl.Result{}, err
-}
-```
-
-This keeps the lost-update protection of `Update` while avoiding a full-object write.
-
-Use `Patch` especially for:
-
-- finalizers
-- labels and annotations
-- small changes to `spec`
-- small changes to `status`
-- shared secondary resources
-
-### A Note About Patch Types
-
-Kubernetes supports multiple patch types. For controllers, the most relevant ones are:
-
-- JSON merge patch, which controller-runtime uses for `client.MergeFrom(...)`
-- Server-Side Apply, covered below
+Use `Patch` when your controller changes only part of an object or when other
+actors may also update it.
 
-Avoid relying on Strategic Merge Patch for custom resources served via CRDs. Kubernetes does not
-support `application/strategic-merge-patch+json`
-([StrategicMergeFrom()](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/client#StrategicMergeFrom))
-for APIs defined using `CustomResourceDefinition`.
-
-Also note that merge patch replaces lists rather than merging them item by item. If you patch a list,
-be explicit about the full list value you want.
-
-For CRDs, markers such as [`+listType` and
-`+listMapKey`](./markers/crd-processing.md) describe
-schema-level list semantics, which are relevant for [Server-Side Apply merge
-behavior](https://kubernetes.io/docs/reference/using-api/server-side-apply/#merge-strategy), not for
-JSON merge patch used by `client.MergeFrom(...)`.
-
-If you want `Create`, `Update`, and non-apply `Patch` requests to fail fast when they contain
-unknown fields, use strict field validation. In controller-runtime, `Apply` requests are already
-strict.
+- It is usually the safest general-purpose choice for controllers.
+- Prefer it for finalizers, labels, annotations, and other small changes.
+- For CRDs, do not rely on strategic merge patch semantics.
 
 ## `Apply`
 
-`Apply` means [Server-Side Apply][k8s-ssa]. Instead of sending a read-modify-write update, your controller
-sends its declarative intent and lets the API server merge that intent with the live object.
-In this section, `Apply` refers to the Kubernetes API operation over HTTP, not the `kubectl apply`
-command-line workflow.
-
-Use `Apply` when:
-
-- your controller owns the fields it is writing
-- your controller can send the complete desired value for those owned fields on every reconcile
-- you want create-or-update behavior without a separate `Get`
-
-`Apply` is often a good fit for child objects such as:
-
-- `Deployment`
-- `Service`
-- `ConfigMap`
-- `Job`
-
-especially when your controller created those resources and clearly owns their managed fields.
-
-`Apply` is usually a poor fit when:
+`Apply` means [Server-Side Apply][k8s-ssa]. It is a `PATCH` operation, not a
+separate HTTP method.
 
-- the new value depends on the current live value
-- you need read-modify-write behavior
-- field ownership is unclear
-- users or other controllers are expected to edit the same fields
+- Use it when your controller clearly owns the fields it writes.
+- It often fits owned child resources such as `Deployment` or `Service`.
+- Avoid it when the new value depends on the current live value or field
+  ownership is unclear.
 
-When using SSA in a controller:
-
-- use a stable field manager name
-- send the full intent for the fields your controller owns
-- force conflicts only for objects your controller truly owns and manages
-
-`Apply` and strict field validation are still separate concepts, but controller-runtime does not
-expose a separate `fieldValidation` setting for `Apply`. `Apply` requests are already strict and
-fail if they contain unknown or duplicate fields.
-
-<aside class="note">
-<h1>Unknown Fields and Version Skew</h1>
-
-Strict field validation is separate from choosing `Update`, `Patch`, or `Apply`.
-It controls whether the API server drops unknown fields, warns, or returns an error.
-This is especially useful for catching skew between controller code and installed CRDs.
-For controller-runtime, `Apply` already fails on unknown or duplicate fields, while `Create`,
-`Update`, and non-apply `Patch` can be configured to ignore, warn, or fail.
-For built-in resources, be more careful: strict validation can reduce compatibility across
-Kubernetes versions if your controller writes fields that do not exist on every target cluster.
-
-</aside>
-
-## Practical Recommendations for New Controller Authors
+## Practical Recommendations
 
 For a typical Kubebuilder project:
 
-- For the primary Custom Resource `spec`: usually do not write it from the controller at all. Users own desired state.
-- For the primary Custom Resource `status`: `Status().Update(...)` is fine when your controller is the only status writer. Use `Status().Patch(...)` if you only change part of `status` or expect concurrent writers.
-- For finalizers on the primary resource: prefer `Patch`.
-- For owned child resources: prefer `Apply` if you want declarative ownership, or `Patch` if the update depends on the current live object.
-- For shared resources: prefer `Patch` with optimistic concurrency.
-
-If you are unsure, start with `Patch` plus optimistic concurrency. It is not always the shortest code,
-but it is a strong default for avoiding accidental overwrites.
+- avoid writing the primary Custom Resource `spec` from the controller unless
+  the API is explicitly designed for it
+- use `Status().Update(...)` when the controller is the only status writer, or
+  `Status().Patch(...)` when only part of `status` changes
+- prefer `Patch` for shared resources and for changes that affect only part of
+  an object
 
 ## Further Reading
 
-For the underlying Kubernetes semantics, see:
-
 - [Kubernetes API Concepts][k8s-api-concepts]
 - [Server-Side Apply][k8s-ssa]
 - [controller-runtime client package][controller-runtime-client]

From 4684ee03a194b08a4b0f42c3666f0eca763e6c02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=BCttler?= <info@thomas-guettler.de>
Date: Tue, 21 Apr 2026 09:19:04 +0200
Subject: [PATCH 5/6] docs: clean up related guide wording

---
 docs/book/src/getting-started.md              | 117 +++++++++---------
 .../secondary-owned-resources.md              |  42 +++----
 2 files changed, 79 insertions(+), 80 deletions(-)

diff --git a/docs/book/src/getting-started.md b/docs/book/src/getting-started.md
index 535c901c43a..ff48c3b4a42 100644
--- a/docs/book/src/getting-started.md
+++ b/docs/book/src/getting-started.md
@@ -1,10 +1,10 @@
-# Getting Started
+# Getting started
 
-We will create a sample project to let you know how it works. This sample will:
+This guide creates a sample project to show you how it works. This sample:
 
 - Reconcile a Memcached CR - which represents an instance of a Memcached deployed/managed on cluster
 - Create a Deployment with the Memcached image
-- Not allow more instances than the size defined in the CR which will be applied
+- Not allow more instances than the size you define in the CR
 - Update the Memcached CR status
 
 <aside class="note" role="note">
@@ -24,8 +24,6 @@ Note that most of this tutorial is generated from literate Go files that
 form a runnable project, and live in the book source directory:
 [docs/book/src/getting-started/testdata/project][tutorial-source].
 
-[tutorial-source]: https://github.com/kubernetes-sigs/kubebuilder/tree/master/docs/book/src/cronjob-tutorial/testdata/project
-
 </aside>
 
 ## Create a project
@@ -41,16 +39,16 @@ kubebuilder init --domain=example.com
 <aside class="note" role="note">
 <p class="note-title">Developing in $GOPATH</p>
 
-If your project is initialized within [`GOPATH`][GOPATH-golang-docs], the implicitly called `go mod init` will interpolate the module path for you.
+If you initialize your project within [`GOPATH`][GOPATH-golang-docs], the implicitly called `go mod init` will interpolate the module path for you.
 Otherwise `--repo=<module path>` must be set.
 
 Read the [Go modules blogpost][go-modules-blogpost] if unfamiliar with the module system.
 
 </aside>
 
-## Create the Memcached API (CRD):
+## Create the Memcached API (CRD)
 
-Next, we'll create the API which will be responsible for deploying and
+Next, create the API which is responsible for deploying and
 managing Memcached(s) instances on the cluster.
 
 ```shell
@@ -61,9 +59,9 @@ kubebuilder create api --group cache --version v1alpha1 --kind Memcached
 
 This command's primary aim is to produce the Custom Resource (CR) and Custom Resource Definition (CRD) for the Memcached Kind.
 It creates the API with the group `cache.example.com` and version `v1alpha1`, uniquely identifying the new CRD of the Memcached Kind.
-By leveraging the Kubebuilder tool, we can define our APIs and objects representing our solutions for these platforms.
+By leveraging the Kubebuilder tool, you can define your APIs and objects representing your solutions for these platforms.
 
-While we've added only one Kind of resource in this example, we can have as many `Groups` and `Kinds` as necessary.
+While this example adds only one Kind of resource, you can have as many `Groups` and `Kinds` as necessary.
 To make it easier to understand, think of CRDs as the definition of our custom Objects, while CRs are instances of them.
 
 <aside class="note" role="note">
@@ -75,10 +73,10 @@ To make it easier to understand, think of CRDs as the definition of our custom O
 
 ### Defining our API
 
-#### Defining the Specs
+#### Defining the specs
 
-Now, we will define the values that each instance of your Memcached resource on the cluster can assume. In this example,
-we will allow configuring the number of instances with the following:
+Now, define the values that each instance of your Memcached resource on the cluster can assume. In this example,
+the configuration allows setting the number of instances with the following:
 
 ```go
 type MemcachedSpec struct {
@@ -89,12 +87,12 @@ type MemcachedSpec struct {
 }
 ```
 
-#### Creating Status definitions
+#### Creating status definitions
 
-We also want to track the status of our Operations which will be done to manage the Memcached CR(s).
-This allows us to verify the Custom Resource's description of our own API and determine if everything
+The controller also needs to track the status of operations done to manage the Memcached CR(s).
+This allows verification of the Custom Resource's description of your API and determines if everything
 occurred successfully or if any errors were encountered,
-similar to how we do with any resource from the Kubernetes API.
+similar to how you would with any resource from the Kubernetes API.
 
 ```go
 // MemcachedStatus defines the observed state of Memcached
@@ -109,8 +107,8 @@ type MemcachedStatus struct {
 <aside class="note" role="note">
 <p class="note-title"> Status Conditions </p>
 
-Kubernetes has established conventions, and because of this, we use
-Status Conditions here. We want our custom APIs and controllers to behave
+Kubernetes has established conventions, and because of this, use
+Status Conditions here. Your custom APIs and controllers should behave
 like Kubernetes resources and their controllers, following these standards
 to ensure a consistent and intuitive experience.
 
@@ -120,8 +118,8 @@ Please ensure that you review: [Kubernetes API Conventions](https://github.com/k
 
 #### Markers and validations
 
-Furthermore, we want to validate the values added in our CustomResource
-to ensure that those are valid. To achieve this, we will use [markers][markers],
+Furthermore, validate the values added in your CustomResource
+to ensure that those are valid. To achieve this, use [markers][markers],
 such as `+kubebuilder:validation:Minimum=1`.
 
 Now, see our example fully completed.
@@ -146,7 +144,7 @@ Both commands use [controller-gen][controller-gen] with different flags for code
 
 </details>
 
-#### Sample of Custom Resources
+#### Sample of custom resources
 
 The manifests located under the `config/samples` directory serve as examples of Custom Resources that can be applied to the cluster.
 In this particular example, by applying the given resource to the cluster, we would generate
@@ -156,11 +154,11 @@ a Deployment with a single instance size (see `size: 1`).
 {{#include ./getting-started/testdata/project/config/samples/cache_v1alpha1_memcached.yaml}}
 ```
 
-### Reconciliation Process
+### Reconciliation process
 
-In a simplified way, Kubernetes works by allowing us to declare the desired state of our system, and then its controllers continuously observe the cluster and take actions to ensure that the actual state matches the desired state. For our custom APIs and controllers, the process is similar. Remember, we are extending Kubernetes' behaviors and its APIs to fit our specific needs.
+In a simplified way, Kubernetes works by allowing you to declare the desired state of your system, and then its controllers continuously observe the cluster and take actions to ensure that the actual state matches the desired state. For your custom APIs and controllers, the process is similar. Remember, you are extending Kubernetes' behaviors and its APIs to fit your specific needs.
 
-In our controller, we will implement a reconciliation process.
+In our controller, we implement a reconciliation process.
 
 Essentially, the reconciliation process functions as a loop, continuously checking conditions and performing necessary actions until the desired state is achieved. This process will keep running until all conditions in the system align with the desired state defined in our implementation.
 
@@ -170,20 +168,20 @@ Here's a pseudo-code example to illustrate this:
 reconcile App {
 
   // Check if a Deployment for the app exists, if not, create one
-  // If there's an error, then restart from the beginning of the reconcile
+  // If there is an error, then restart from the beginning of the reconcile
   if err != nil {
     return reconcile.Result{}, err
   }
 
   // Check if a Service for the app exists, if not, create one
-  // If there's an error, then restart from the beginning of the reconcile
+  // If there is an error, then restart from the beginning of the reconcile
   if err != nil {
     return reconcile.Result{}, err
   }
 
   // Look for Database CR/CRD
   // Check the Database Deployment's replicas size
-  // If deployment.replicas size doesn't match cr.size, then update it
+  // If deployment.replicas size does not match cr.size, then update it
   // Then, restart from the beginning of the reconcile. For example, by returning `reconcile.Result{Requeue: true}, nil`.
   if err != nil {
     return reconcile.Result{Requeue: true}, nil
@@ -191,7 +189,7 @@ reconcile App {
   ...
 
   // If at the end of the loop:
-  // Everything was executed successfully, and the reconcile can stop
+  // Everything executed successfully, and the reconcile can stop
   return reconcile.Result{}, nil
 
 }
@@ -229,11 +227,11 @@ return ctrl.Result{RequeueAfter: nextRun.Sub(r.Now())}, nil
 
 #### In the context of our example
 
-When our sample Custom Resource (CR) is applied to the cluster (i.e. `kubectl apply -f config/sample/cache_v1alpha1_memcached.yaml`),
-we want to ensure that a Deployment is created for our Memcached image and that it matches the number of replicas defined in the CR.
+When you apply the sample Custom Resource (CR) to the cluster (i.e. `kubectl apply -f config/sample/cache_v1alpha1_memcached.yaml`),
+ensure that the controller creates a Deployment for the Memcached image and that it matches the number of replicas you define in the CR.
 
-To achieve this, we need to first implement an operation that checks whether the Deployment for our Memcached instance already exists on the cluster.
-If it does not, the controller will create the Deployment accordingly. Therefore, our reconciliation process must include an operation to ensure that
+To achieve this, first implement an operation that checks whether the Deployment for the Memcached instance already exists on the cluster.
+If it does not, the controller creates the Deployment accordingly. Therefore, our reconciliation process must include an operation to ensure that
 this desired state is consistently maintained. This operation would involve:
 
 ```go
@@ -253,7 +251,7 @@ this desired state is consistently maintained. This operation would involve:
 	}
 ```
 
-Next, note that the `deploymentForMemcached()` function will need to define and return the Deployment that should be
+Next, note that the `deploymentForMemcached()` function needs to define and return the Deployment that should be
 created on the cluster. This function should construct the Deployment object with the necessary
 specifications, as demonstrated in the following example:
 
@@ -279,10 +277,10 @@ specifications, as demonstrated in the following example:
 	}
 ```
 
-Additionally, we need to implement a mechanism to verify that the number of Memcached replicas
+Additionally, implement a mechanism to verify that the number of Memcached replicas
 on the cluster matches the desired count specified in the Custom Resource (CR). If there is a
 discrepancy, the reconciliation must update the cluster to ensure consistency. This means that
-whenever a CR of the Memcached Kind is created or updated on the cluster, the controller will
+whenever you create or update a CR of the Memcached Kind on the cluster, the controller will
 continuously reconcile the state until the actual number of replicas matches the desired count.
 The following example illustrates this process:
 
@@ -311,16 +309,16 @@ by the users.
 ```
 </details>
 
-### Diving Into the Controller Implementation
+### Diving into the controller implementation
 
-#### Setting Manager to Watching Resources
+#### Setting manager to watching resources
 
 The whole idea is to be Watching the resources that matter for the controller.
 When a resource that the controller is interested in changes, the Watch triggers the controller's
 reconciliation loop, ensuring that the actual state of the resource matches the desired state
 as defined in the controller's logic.
 
-Notice how we configured the Manager to monitor events such as the creation, update, or deletion of a Custom Resource (CR) of the Memcached kind,
+Notice how you configure the Manager to monitor events such as the creation, update, or deletion of a Custom Resource (CR) of the Memcached kind,
 as well as any changes to the Deployment that the controller manages and owns:
 
 ```go
@@ -330,25 +328,25 @@ as well as any changes to the Deployment that the controller manages and owns:
 func (r *MemcachedReconciler) SetupWithManager(mgr ctrl.Manager) error {
     return ctrl.NewControllerManagedBy(mgr).
 		// Watch the Memcached Custom Resource and trigger reconciliation whenever it
-		//is created, updated, or deleted
+		// is created, updated, or deleted
 		For(&cachev1alpha1.Memcached{}).
 		// Watch the Deployment managed by the Memcached controller. If any changes occur to the Deployment
-        // owned and managed by this controller, it will trigger reconciliation, ensuring that the cluster
+        // owned and managed by this controller, it triggers reconciliation, ensuring that the cluster
         // state aligns with the desired state.
 		Owns(&appsv1.Deployment{}).
 		Complete(r)
     }
 ```
 
-#### But, How Does the Manager Know Which Resources Are Owned by It?
+#### But, how does the manager know which resources are owned by it?
 
-We do not want our Controller to watch any Deployment on the cluster and trigger our
-reconciliation loop. Instead, we only want to trigger reconciliation when the specific
-Deployment running our Memcached instance is changed. For example,
-if someone accidentally deletes our Deployment or changes the number of replicas, we want
-to trigger the reconciliation to ensure that it returns to the desired state.
+The Controller should not watch any Deployment on the cluster and trigger the
+reconciliation loop. Instead, trigger reconciliation only when the specific
+Deployment running the Memcached instance is changed. For example,
+if someone accidentally deletes the Deployment or changes the number of replicas, trigger
+the reconciliation to ensure that it returns to the desired state.
 
-The Manager knows which Deployment to observe because we set the `ownerRef` (Owner Reference):
+The Manager knows which Deployment to observe because you set the `ownerRef` (Owner Reference):
 
 ```go
 if err := ctrl.SetControllerReference(memcached, dep, r.Scheme); err != nil {
@@ -360,11 +358,11 @@ if err := ctrl.SetControllerReference(memcached, dep, r.Scheme); err != nil {
 
 <p class="note-title"><code>ownerRef</code> and Cascading Events</p>
 
-The ownerRef is crucial not only for allowing us to observe changes on the specific resource but also because,
-if we delete the Memcached Custom Resource (CR) from the cluster, we want all resources owned by it to be automatically
+The ownerRef is crucial not only for allowing the controller to observe changes on the specific resource but also because,
+if you delete the Memcached Custom Resource (CR) from the cluster, all resources owned by it are automatically
 deleted as well, in a cascading event.
 
-This ensures that when the parent resource (Memcached CR) is removed, all associated resources
+This ensures that when you remove the parent resource (Memcached CR), Kubernetes also removes all associated resources
 (like Deployments, Services, etc.) are also cleaned up, maintaining
 a tidy and consistent cluster state.
 
@@ -372,14 +370,14 @@ For more information, see the Kubernetes documentation on [Owners and Dependents
 
 </aside>
 
-### Granting Permissions
+### Granting permissions
 
 It's important to ensure that the Controller has the necessary permissions(i.e. to create, get, update, and list)
 the resources it manages.
 
-The [RBAC permissions][k8s-rbac] are now configured via [RBAC markers][rbac-markers], which are used to generate and update the
-manifest files present in `config/rbac/`. These markers can be found (and should be defined) on the `Reconcile()` method of each controller, see
-how it is implemented in our example:
+You configure the [RBAC permissions][k8s-rbac] via [RBAC markers][rbac-markers], which [controller-gen][controller-gen] uses to generate and update the
+manifest files in `config/rbac/`. You can find these markers (and should define them) on the `Reconcile()` method of each controller, see
+how the example implements them:
 
 ```go
 // +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds,verbs=get;list;watch;create;update;patch;delete
@@ -424,13 +422,13 @@ kubebuilder edit --plugins="autoupdate/v1-alpha"
 
 Inspect the file `.github/workflows/auto-update.yml` to see how it works.
 
-### Checking the Project running in the cluster
+### Checking the project running in the cluster
 
 At this point you can check the steps to validate the project
 on the cluster by looking the steps defined in the Quick Start,
 see: [Run It On the Cluster](./quick-start#run-it-on-the-cluster)
 
-## Next Steps
+## Next steps
 
 - To delve deeper into developing your solution, consider going through the [CronJob Tutorial][cronjob-tutorial]
 - For insights on optimizing your approach, refer to the [Best Practices][best-practices] documentation.
@@ -440,7 +438,7 @@ see: [Run It On the Cluster](./quick-start#run-it-on-the-cluster)
 
 Now that you have a better understanding, you might want to check out the [Deploy Image][deploy-image] Plugin.
 This plugin allows users to scaffold APIs/Controllers to deploy and manage an Operand (image) on the cluster.
-It will provide scaffolds similar to the ones in this guide, along with additional features such as tests
+It provides scaffolds similar to the ones in this guide, along with additional features such as tests
 implemented for your controller.
 
 </aside>
@@ -456,8 +454,9 @@ implemented for your controller.
 [options-manager]: https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/manager#Options
 [quick-start]: ./quick-start.md
 [best-practices]: ./reference/good-practices.md
-[cronjob-tutorial]: https://book.kubebuilder.io/cronjob-tutorial/cronjob-tutorial.html
+[cronjob-tutorial]: ./cronjob-tutorial/cronjob-tutorial.md
 [deploy-image]: ./plugins/available/deploy-image-plugin-v1-alpha.md
 [GOPATH-golang-docs]: https://golang.org/doc/code.html#GOPATH
 [go-modules-blogpost]: https://blog.golang.org/using-go-modules
 [autoupdate-plugin]: ./plugins/available/autoupdate-v1-alpha.md
+[tutorial-source]: https://github.com/kubernetes-sigs/kubebuilder/tree/master/docs/book/src/getting-started/testdata/project
diff --git a/docs/book/src/reference/watching-resources/secondary-owned-resources.md b/docs/book/src/reference/watching-resources/secondary-owned-resources.md
index 0ac35fed018..b12203322ce 100644
--- a/docs/book/src/reference/watching-resources/secondary-owned-resources.md
+++ b/docs/book/src/reference/watching-resources/secondary-owned-resources.md
@@ -1,30 +1,30 @@
-# Watching Secondary Resources `Owned` by the Controller
+# Watching secondary resources `Owned` by the controller
 
 In Kubernetes controllers, it’s common to manage both **Primary Resources**
 and **Secondary Resources**. A **Primary Resource** is the main resource
 that the controller is responsible for, while **Secondary Resources**
 are created and managed by the controller to support the **Primary Resource**.
 
-In this section, we will explain how to manage **Secondary Resources**
+This section explains how to manage **Secondary Resources**
 which are `Owned` by the controller. This example shows how to:
 
 - Set the [Owner Reference][cr-owner-ref-doc] between the primary resource (`Busybox`) and the secondary resource (`Deployment`) to ensure proper lifecycle management.
 - Configure the controller to `Watch` the secondary resource using `Owns()` in `SetupWithManager()`. See that `Deployment` is owned by the `Busybox` controller because
-it will be created and managed by it.
+it is created and managed by it.
 
-## Setting the Owner Reference
+## Setting the owner reference
 
 To link the lifecycle of the secondary resource (`Deployment`)
-to the primary resource (`Busybox`), we need to set
+to the primary resource (`Busybox`), set
 an [Owner Reference][cr-owner-ref-doc] on the secondary resource.
 This ensures that Kubernetes automatically handles cascading deletions:
-if the primary resource is deleted, the secondary resource will also be deleted.
+if the primary resource is deleted, the secondary resource is also deleted.
 
 Controller-runtime provides the [controllerutil.SetControllerReference][cr-owner-ref-doc] function, which you can use to set this relationship between the resources.
 
-### Setting the Owner Reference
+### Setting the owner reference
 
-Below, we create the `Deployment` and set the Owner reference between the `Busybox` custom resource and the `Deployment` using `controllerutil.SetControllerReference()`.
+Below, create the `Deployment` and set the Owner reference between the `Busybox` custom resource and the `Deployment` using `controllerutil.SetControllerReference()`.
 
 ```go
 // deploymentForBusybox returns a Deployment object for Busybox
@@ -58,7 +58,7 @@ func (r *BusyboxReconciler) deploymentForBusybox(busybox *examplecomv1alpha1.Bus
     }
 
     // Set the ownerRef for the Deployment, ensuring that the Deployment
-    // will be deleted when the Busybox CR is deleted.
+    // is deleted when the Busybox CR is deleted.
     controllerutil.SetControllerReference(busybox, dep, r.Scheme)
     return dep
 }
@@ -72,7 +72,7 @@ and ensure that the desired state (such as the number of replicas) is maintained
 
 For example, if someone modifies the `Deployment` to change the replica count to 3,
 while the `Busybox` CR defines the desired state as 1 replica,
-the controller will reconcile this and ensure the `Deployment`
+the controller reconciles this and ensures the `Deployment`
 is scaled back to 1 replica.
 
 **Reconcile Function Example**
@@ -134,22 +134,22 @@ func (r *BusyboxReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 }
 ```
 
-## Watching Secondary Resources
+## Watching secondary resources
 
 To ensure that changes to the secondary resource (such as the `Deployment`) trigger
-a reconciliation of the primary resource (`Busybox`), we configure the controller
+a reconciliation of the primary resource (`Busybox`), configure the controller
 to watch both resources.
 
 The `Owns()` method allows you to specify secondary resources
-that the controller should monitor. This way, the controller will
-automatically reconcile the primary resource whenever the secondary
+that the controller should monitor. This way, the controller
+automatically reconciles the primary resource whenever the secondary
 resource changes (e.g., is updated or deleted).
 
-### Example: Configuring `SetupWithManager` to Watch Secondary Resources
+### Example: Configuring `SetupWithManager` to watch secondary resources
 
 ```go
 // SetupWithManager sets up the controller with the Manager.
-// The controller will watch both the Busybox primary resource and the Deployment secondary resource.
+// The controller watches both the Busybox primary resource and the Deployment secondary resource.
 func (r *BusyboxReconciler) SetupWithManager(mgr ctrl.Manager) error {
     return ctrl.NewControllerManagedBy(mgr).
         For(&examplecomv1alpha1.Busybox{}).  // Watch the primary resource
@@ -158,7 +158,7 @@ func (r *BusyboxReconciler) SetupWithManager(mgr ctrl.Manager) error {
 }
 ```
 
-## Ensuring the Right Permissions
+## Ensuring the right permissions
 
 Kubebuilder uses [markers][markers] to define RBAC permissions
 required by the controller. In order for the controller to
@@ -166,10 +166,10 @@ properly watch and manage both the primary (`Busybox`) and secondary (`Deploymen
 resources, it must have the appropriate permissions granted;
 i.e. to `watch`, `get`, `list`, `create`, `update`, and `delete` permissions for those resources.
 
-### Example: RBAC Markers
+### Example: RBAC markers
 
-Before the `Reconcile` method, we need to define the appropriate RBAC markers.
-These markers will be used by [controller-gen][controller-gen] to generate the necessary
+Before the `Reconcile` method, define the appropriate RBAC markers.
+These markers are used by [controller-gen][controller-gen] to generate the necessary
 roles and permissions when you run `make manifests`.
 
 ```go
@@ -180,7 +180,7 @@ roles and permissions when you run `make manifests`.
 - The first marker gives the controller permission to manage the `Busybox` custom resource (the primary resource).
 - The second marker grants the controller permission to manage `Deployment` resources (the secondary resource).
 
-Note that we are granting permissions to `watch` the resources.
+Note that this grants permissions to `watch` the resources.
 
 [owner-ref-k8s-docs]: https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/
 [cr-owner-ref-doc]: https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil#SetOwnerReference

From a30d5ace0a6127f206d5e97bf9412012e9e8a6ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=BCttler?= <info@thomas-guettler.de>
Date: Tue, 21 Apr 2026 09:30:09 +0200
Subject: [PATCH 6/6] docs: remove unrelated getting started edits

---
 docs/book/src/getting-started.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/book/src/getting-started.md b/docs/book/src/getting-started.md
index ff48c3b4a42..7226e52c268 100644
--- a/docs/book/src/getting-started.md
+++ b/docs/book/src/getting-started.md
@@ -328,7 +328,7 @@ as well as any changes to the Deployment that the controller manages and owns:
 func (r *MemcachedReconciler) SetupWithManager(mgr ctrl.Manager) error {
     return ctrl.NewControllerManagedBy(mgr).
 		// Watch the Memcached Custom Resource and trigger reconciliation whenever it
-		// is created, updated, or deleted
+		//when you create, update, or delete it
 		For(&cachev1alpha1.Memcached{}).
 		// Watch the Deployment managed by the Memcached controller. If any changes occur to the Deployment
         // owned and managed by this controller, it triggers reconciliation, ensuring that the cluster
@@ -459,4 +459,4 @@ implemented for your controller.
 [GOPATH-golang-docs]: https://golang.org/doc/code.html#GOPATH
 [go-modules-blogpost]: https://blog.golang.org/using-go-modules
 [autoupdate-plugin]: ./plugins/available/autoupdate-v1-alpha.md
-[tutorial-source]: https://github.com/kubernetes-sigs/kubebuilder/tree/master/docs/book/src/getting-started/testdata/project
+[tutorial-source]: https://github.com/kubernetes-sigs/kubebuilder/tree/master/docs/book/src/cronjob-tutorial/testdata/project
\ No newline at end of file