message ExtraValue {
  // items, if empty, will result in an empty slice

  repeated string items = 1;
}

// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
// checking.
message LocalSubjectAccessReview {
  // Standard list metadata.

    
    # Settings related to the untaint controller
    # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
    # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
    taint:
      # Controls whether or not the untaint controller is active
      enabled: false

// By this way, even if istioctl cannot access a specific `istiod` instance directly,
// `istioctl` can access the debug endpoint.
// If `all` is true, `queryDebugSynczViaAgents` iterates all the pod having a proxy
// except the pods of which status information is already queried.
func queryDebugSynczViaAgents(all bool, dr *discovery.DiscoveryRequest, istioNamespace string, kubeClient kube.CLIClient,

message ExtraValue {
  // items, if empty, will result in an empty slice

  repeated string items = 1;
}

// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
// checking.
message LocalSubjectAccessReview {
  // Standard list metadata.

Next, we terminate the CONNECT.
From the [headers](#headers), we know the target destination.
If the target destination has a waypoint, we enforce that the request is coming from that waypoint. Otherwise, the request is rejected.
If there is no waypoint, ztunnel will enforce RBAC policies against the request.

		"-j", "CONNMARK",
		"--set-xmark", inpodTproxyMark)

	// Handle healthcheck probes from the host node. In the host netns, before the packet enters the pod, we SNAT
	// the healthcheck packet to a fixed IP if the packet is coming from a node-local process with a socket.
	//
	// We do this so we can exempt this traffic from ztunnel capture/proxy - otherwise both kube-proxy (legit)

  optional ContainerResourceMetricSource containerResource = 7;

  // external refers to a global metric that is not associated
  // with any Kubernetes object. It allows autoscaling based on information
  // coming from components running outside of cluster
  // (for example length of queue in cloud messaging service, or
  // QPS from loadbalancer running outside of cluster).
  // +optional
  optional ExternalMetricSource external = 5;

  optional ContainerResourceMetricSource containerResource = 7;

  // external refers to a global metric that is not associated
  // with any Kubernetes object. It allows autoscaling based on information
  // coming from components running outside of cluster
  // (for example length of queue in cloud messaging service, or
  // QPS from loadbalancer running outside of cluster).
  // +optional
  optional ExternalMetricSource external = 5;

option go_package = "k8s.io/api/certificates/v1";

// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates
// by submitting a certificate signing request, and having it asynchronously approved and issued.
//
// Kubelets use this API to obtain:
//  1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).

    # Settings related to the untaint controller
    # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
    # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
    taint:
      # Controls whether or not the untaint controller is active
      enabled: false