repeated AllowedCSIDriver allowedCSIDrivers = 23;

  // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
  // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
  // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
  // Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
  //
  // Examples:

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
  // allowed values are Ignore or Fail. Defaults to Ignore.
  // +optional
  optional string failurePolicy = 4;

  // matchPolicy defines how the "rules" list is used to match incoming requests.
  // Allowed values are "Exact" or "Equivalent".
  //
  // - Exact: match a request only if it exactly matches a specified rule.

		Groups:          cred.Groups,
		Action:          policy.Action(action),
		ConditionValues: getConditionValues(r, "", cred),
		IsOwner:         owner,
		Claims:          cred.Claims,
	}) {
		// Request is allowed return the appropriate access key.
		return cred, ErrNone
	}

	return cred, ErrAccessDenied
}

// Fetch the security token set by the client.
func getSessionToken(r *http.Request) (token string) {

   ├─ CAs
   ├─ private.key
   └─ public.crt
```

You can provide a custom certs directory using `--certs-dir` command line option.

#### Credentials

On MinIO admin credentials or root credentials are only allowed to be changed using ENVs namely `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD`.

```sh
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio13
minio server /data
```

#### Site

```
KEY:

  // Note the following deviations from the "host" part of the
  // URI as defined in RFC 3986:
  // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
  //    the IP in the Spec of the parent Ingress.
  // 2. The `:` delimiter is not respected because ports are not allowed.
  // 	  Currently the port of an Ingress is implicitly :80 for http and
  // 	  :443 for https.
  // Both these may change in the future.

  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
  // allowed values are Ignore or Fail. Defaults to Fail.
  // +optional
  optional string failurePolicy = 4;

  // matchPolicy defines how the "rules" list is used to match incoming requests.
  // Allowed values are "Exact" or "Equivalent".
  //
  // - Exact: match a request only if it exactly matches a specified rule.

	// as well as the value to use for the part-number-marker request parameter
	// in a subsequent request.
	NextPartNumberMarker int

	// Maximum number of parts that were allowed in the response.
	MaxParts int

	// Indicates whether the returned list of parts is truncated.
	IsTruncated bool

	// List of all parts.
	Parts []PartInfo

   * @throws IndexOutOfBoundsException if either index is negative, {@code rowIndex} is greater than
   *     or equal to the number of allowed row keys, or {@code columnIndex} is greater than or equal
   *     to the number of allowed column keys
   */
  @CheckForNull
  public V at(int rowIndex, int columnIndex) {
    // In GWT array access never throws IndexOutOfBoundsException.