"type": "string"
          },
          "type": {
            "default": "",

$omitCertProvidersFor)) }} - apiGroups: ["certificates.k8s.io"] resources: - "certificatesigningre" - "certificatesigningre/approval" - "certificatesigningre/status" verbs: ["update", "create", "get", "delete", "watch"] - apiGroups: ["certificates.k8s.io"] resources: - "signers" resourceNames: - "kubernetes.io/legacy-unknown" {{- range .Values.global.certSigners }} - {{ . | quote }} {{- end }} verbs: ["approve"] {{- end}} # Used by Istiod to verify the JWT tokens - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"]...

	return []metav1.TableRow{row}, nil
}

func extractCSRStatus(csr *certificates.CertificateSigningRequest) string {
	var approved, denied, failed bool
	for _, c := range csr.Status.Conditions {
		switch c.Type {
		case certificates.CertificateApproved:
			approved = true
		case certificates.CertificateDenied:
			denied = true
		case certificates.CertificateFailed:
			failed = true
		}
	}

			// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
			expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "example.com/test-signer", "CSR Requestor", "7d1h", "Approved"}}},
		},
		// Basic CSR with Spec and Status=Approved; certificate issued.
		{
			csr: certificates.CertificateSigningRequest{
				ObjectMeta: metav1.ObjectMeta{
					Name:              "csr2",

  fi
  iptables -w -t mangle -I OUTPUT -s 169.254.169.254 -j DROP

  # Log all metadata access not from approved processes.
  case "${METADATA_SERVER_FIREWALL_MODE:-off}" in
    log)
      echo "Installing metadata firewall logging rules"
      gce-metadata-fw-helper -I LOG "MetadataServerFirewallReject" !