return nil, errors.New("x509: invalid certificate policies")
		}
		oid, ok := newOIDFromDER(OIDBytes)
		if !ok {
			return nil, errors.New("x509: invalid certificate policies")
		}
		oids = append(oids, oid)
	}
	return oids, nil
}

// isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.

field, [`Policies`](/pkg/crypto/x509/#Certificate.Policies), which supports
certificate policy OIDs with components larger than 31 bits. By default this
field is only used during parsing, when it is populated with policy OIDs, but
not used during marshaling. It can be used to marshal these larger OIDs, instead
of the existing PolicyIdentifiers field, by using the
[`x509usepolicies` setting.](/pkg/crypto/x509/#CreateCertificate).

		{oid: mustNewOIDFromInts(t, []uint64{2, 33, 22}), oid2: mustNewOIDFromInts(t, []uint64{2, 33, 23}), eq: false},
		{oid: OID{}, oid2: OID{}, eq: true},
		{oid: OID{}, oid2: mustNewOIDFromInts(t, []uint64{2, 33, 23}), eq: false},
	}

	for _, tt := range cases {
		if eq := tt.oid.Equal(tt.oid2); eq != tt.eq {

			},
		},
		{
			name: "groups claim exists",
			args: []string{
				"--oidc-issuer-url=https://testIssuerURL",
				"--oidc-client-id=testClientID",
				"--oidc-username-claim=sub",
				"--oidc-username-prefix=-",
				"--oidc-groups-claim=groups",
				"--oidc-groups-prefix=oidc:",
				"--oidc-signing-algs=RS256",
				"--oidc-required-claim=foo=bar",
			},
			expectConfig: kubeauthenticator.Config{

                          regex: .*/ns/.*/.*
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 5.6.0.0
                    prefixLen: 16
            - notId:
                orIds:
                  ids:
                  - remoteIp:

            {{- if .Values.oidc.enabled }}
            - name: MINIO_IDENTITY_OPENID_CONFIG_URL
              value: {{ .Values.oidc.configUrl }}
            - name: MINIO_IDENTITY_OPENID_CLIENT_ID
            {{- if and .Values.oidc.existingClientSecretName .Values.oidc.existingClientIdKey }}
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.oidc.existingClientSecretName }}

			return nil, err
		}
	}

	var uids []*runtimeapi.IDMapping
	var gids []*runtimeapi.IDMapping

	for _, u := range userNs.UIDMappings {
		uids = append(uids, &runtimeapi.IDMapping{
			HostId:      u.HostId,
			ContainerId: u.ContainerId,
			Length:      u.Length,
		})
	}
	for _, g := range userNs.GIDMappings {
		gids = append(gids, &runtimeapi.IDMapping{
			HostId:      g.HostId,

				Version:      "v1beta1",
				RetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
			},
			BootstrapToken: &kubeoptions.BootstrapTokenAuthenticationOptions{},
			OIDC:           s.Authentication.OIDC,
			RequestHeader:  &apiserveroptions.RequestHeaderAuthenticationOptions{},
			ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{
				Lookup:           true,
				ExtendExpiration: true,

{{- if and .Values.oidc.existingClientSecret .Values.oidc.existingClientSecret }} valueFrom: secretKeyRef: name: {{ .Values.oidc.existingClientSecret }} key: {{ .Values.oidc.existingClientSecret }} {{- else }} value: {{ .Values.oidc.clientSecret }} {{- end }} - name: MINIO_IDENTITY_OPENID_CLAIM_NAME value: {{ .Values.oidc.claimName }} - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX value: {{ .Values.oidc.claimPrefix }} - name: MINIO_IDENTITY_OPENID_SCOPES value: {{ .Values.oidc.scopes }} - name: MINIO...

					Version:      "v1beta1",
					RetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
				},
				BootstrapToken: &kubeoptions.BootstrapTokenAuthenticationOptions{},
				OIDC:           s.Authentication.OIDC,
				RequestHeader:  &apiserveroptions.RequestHeaderAuthenticationOptions{},
				ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{
					Lookup:           true,
					ExtendExpiration: true,