# See the OWNERS docs at https://go.k8s.io/owners

options:
  # make root approval non-recursive
  no_parent_owners: true
reviewers:
  - aojea
  - bentheelder
  - cheftako
  - dims
  - justaugustus
  - liggitt
  - wojtek-t
approvers:
  - aojea
  - bentheelder
  - cheftako
  - dims
  - liggitt
  - wojtek-t
emeritus_approvers:
  - mikedanese
  - spiffxp
  - eparis
  - roberthbailey # 2019-03-08

aliases:
  # Note: sig-architecture-approvers has approval on root files (including go.mod/go.sum) until https://github.com/kubernetes/test-infra/pull/21398 is resolved.
  # People with approve rights via this alias should defer dependency update PRs to dep-approvers.
  sig-architecture-approvers:
    - dims
    - derekwaynecarr
    - johnbelamaric
  # sig-auth subproject aliases
  sig-auth-audit-approvers:
    - sttts
    - tallclair

1. Send an email to the SIG Architecture [mailing
   list](https://groups.google.com/forum/#!forum/kubernetes-sig-architecture)
   and the mailing list of the SIG which would own the repo requesting approval
   for creating the staging repository.

2. Once approval has been granted, create the new staging repository.

3. Update
   [`import-restrictions.yaml`](/staging/publishing/import-restrictions.yaml)

type CertificateSigningRequestCondition struct {
	// type of the condition. Known conditions are "Approved", "Denied", and "Failed".
	//
	// An "Approved" condition is added via the /approval subresource,
	// indicating the request was approved and should be issued by the signer.
	//
	// A "Denied" condition is added via the /approval subresource,
	// indicating the request was denied and should not be issued by the signer.
	//

      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
{{- range .Values.global.certSigners }}
    - {{ . | quote }}
{{- end }}
    verbs: ["approve"]
{{- end}}

  # Used by Istiod to verify the JWT tokens

      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
{{- range .Values.global.certSigners }}
    - {{ . | quote }}
{{- end }}
    verbs: ["approve"]
{{- end}}

  # Used by Istiod to verify the JWT tokens

				t.Helper()
				if len(errors) == 0 {
					t.Fatal("expected errors, got none")
				}
				if e, a := `metadata.annotations[api-approved.kubernetes.io]: Invalid value: "invalid": protected groups must have approval annotation "api-approved.kubernetes.io" with either a URL or a reason starting with "unapproved", see https://github.com/kubernetes/enhancements/pull/1111`, errors.ToAggregate().Error(); e != a {

	"k8s.io/kubernetes/plugin/pkg/admission/admit"
	"k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
	"k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"
	certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval"
	"k8s.io/kubernetes/plugin/pkg/admission/certificates/ctbattest"
	certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing"

//     compression). This is an optional area; by default, there should be no <SystemRecommendations> section in the
//     system.xml. Vendors can work with Veeam Product Management and the Alliances team on getting approval to integrate
//     specific system recommendations based on current support case statistics and storage performance possibilities.

	// if the approval state hasn't changed, never fail on approval validation
	// this is allowed so that a v1 client that is simply updating spec and not mutating this value doesn't get rejected.  Imagine a controller controlling a CRD spec.
	if oldApprovalState != nil && *oldApprovalState == newApprovalState {
		return nil
	}

	// in v1, we require valid approval strings
	switch newApprovalState {