Resource: "pods",
							Name:     "foo",
							UID:      "1",
						})
				}
				return claim
			},
		},
		"invalid-reserved-for-not-shared": {
			wantFailures: field.ErrorList{field.Forbidden(field.NewPath("status", "reservedFor"), "may not be reserved more than once")},
			oldClaim: func() *resource.ResourceClaim {
				claim := validAllocatedClaim.DeepCopy()
				claim.Status.Allocation.Shareable = false

            return "Called from a write action."
        }

        permissionRegistry.explicitAnalysisRestriction?.let { restriction ->
            return "Resolve is explicitly forbidden in the current action: ${restriction.description}."
        }

        error("Cannot get a rejection reason when analysis is allowed.")
    }

    private fun isProhibitedEdtAnalysis(application: Application): Boolean =

                    } else {
                        events.add(new SimpleConditionEvent(method, true, method.getFullName() + " is not using forbidden Nullable"));
                    }
                }

		if resourceClaim.Status.Allocation == nil {
			allErrs = append(allErrs, field.Forbidden(fldPath.Child("reservedFor"), "may not be specified when `allocated` is not set"))
		} else {
			if !resourceClaim.Status.Allocation.Shareable && len(resourceClaim.Status.ReservedFor) > 1 {
				allErrs = append(allErrs, field.Forbidden(fldPath.Child("reservedFor"), "may not be reserved more than once"))
			}

        "UnsolicitedServerNameAck-TLS-TLS13": "TODO: first pass, this should be fixed",
        "RenegotiationInfo-Forbidden-TLS13": "TODO: first pass, this should be fixed",
        "EMS-Forbidden-TLS13": "TODO: first pass, this should be fixed",
        "SendUnsolicitedOCSPOnCertificate-TLS13": "TODO: first pass, this should be fixed",

 * - be lightweight and not build the whole file structure inside.
 * - not use Kotlin resolve inside, as these functions are called during session initialization, so Analysis API access is forbidden.
 *
 * #### Lifecycle Management
 *
 * A [KaResolveExtension] is tied to the lifetime of its module's analysis session. It is created by [KaResolveExtensionProvider] during

 * entities retrieved from it will become invalid. An analysis session also shouldn't be leaked from the [analyze] call it was created in.
 *
 * It is forbidden to store an analysis session in a variable, parameter, or property. From the [analyze] block which provides the analysis

						schema.GroupResource{}, "name", errors.New(""))
				})
			},
			expectedError: true,
		},
		{
			// A "create" call against a real server can return a forbidden error and a non-nil CRB
			name: "admin.conf: handle forbidden error and returned CRBs, when the super-admin.conf client is nil",
			setupAdminClient: func(client *clientsetfake.Clientset) {

			return
		}
		if decision != authorizer.DecisionAllow {
			klog.V(2).InfoS("Forbidden", "user", attrs.GetUser().GetName(), "verb", attrs.GetVerb(), "resource", attrs.GetResource(), "subresource", attrs.GetSubresource())
			msg := fmt.Sprintf("Forbidden (user=%s, verb=%s, resource=%s, subresource=%s)", attrs.GetUser().GetName(), attrs.GetVerb(), attrs.GetResource(), attrs.GetSubresource())

			if _, err := adminClient.RbacV1().ClusterRoleBindings().Create(
				ctx,
				clusterRoleBinding,
				metav1.CreateOptions{},
			); err != nil {
				if apierrors.IsForbidden(err) {
					// If it encounters a forbidden error this means that the API server was reached
					// but the CRB is missing - i.e. the admin.conf user does not have permissions
					// to create its own permission RBAC yet.
					return true, nil