// There are a maximum of 64 match conditions allowed.
  //
  // The exact matching logic is (in order):
  //   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
  //   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
  //   3. If any matchCondition evaluates to an error (but none are FALSE):
  //      - If failurePolicy=Fail, reject the request

  // There are a maximum of 64 match conditions allowed.
  //
  // The exact matching logic is (in order):
  //   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
  //   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
  //   3. If any matchCondition evaluates to an error (but none are FALSE):
  //      - If failurePolicy=Fail, reject the request

// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
message SelfSubjectRulesReviewSpec {
  // Namespace to evaluate rules for. Required.
  optional string namespace = 1;
}

// SubjectAccessReview checks whether or not a user or group can perform an action.
message SubjectAccessReview {
  // Standard list metadata.

// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
message SelfSubjectRulesReviewSpec {
  // Namespace to evaluate rules for. Required.
  optional string namespace = 1;
}

// SubjectAccessReview checks whether or not a user or group can perform an action.
message SubjectAccessReview {
  // Standard list metadata.

  // Required.
  optional string key = 1;

  // valueExpression represents the expression which is evaluated by CEL to
  // produce an audit annotation value. The expression must evaluate to either
  // a string or null value. If the expression evaluates to a string, the
  // audit annotation is included with the string value. If the expression
  // evaluates to null or empty string the audit annotation will be omitted.

  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec holds information about the request being evaluated
  optional TokenReviewSpec spec = 2;

  // Status is filled in by the server and indicates whether the token can be authenticated.
  // +optional
  optional TokenReviewStatus status = 3;
}

  // +kubebuilder:validation:MaxLength=316
  optional string error = 3;
}

// IngressRule represents the rules mapping the paths under a specified host to
// the related backend services. Incoming requests are first evaluated for a host
// match, then routed to the backend associated with the matching IngressRuleValue.
message IngressRule {
  // host is the fully qualified domain name of a network host, as defined by RFC 3986.

  // +optional
  optional JobSpec spec = 2;
}

// PodFailurePolicy describes how failed pods influence the backoffLimit.
message PodFailurePolicy {
  // A list of pod failure policy rules. The rules are evaluated in order.
  // Once a rule matches a Pod failure, the remaining of the rules are ignored.
  // When no rule matches the Pod failure, the default handling applies - the

  // +kubebuilder:validation:MaxLength=316
  optional string error = 3;
}

// IngressRule represents the rules mapping the paths under a specified host to
// the related backend services. Incoming requests are first evaluated for a host
// match, then routed to the backend associated with the matching IngressRuleValue.
message IngressRule {
  // host is the fully qualified domain name of a network host, as defined by RFC 3986.

  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec holds information about the request being evaluated
  optional TokenRequestSpec spec = 2;

  // Status is filled in by the server and indicates whether the token can be authenticated.
  // +optional
  optional TokenRequestStatus status = 3;
}