verbs: ["watch", "get", "list"]
{{- if .Values.cni.repair.repairPods }}
{{- /*  No privileges needed*/}}
{{- else if .Values.cni.repair.deletePods }}
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["delete"]
{{- else if .Values.cni.repair.labelPods }}
  - apiGroups: [""]
    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
    resources: ["pods/status"]

	Remove(ctx context.Context, object string, rv remoteVersionID) error
	InUse(ctx context.Context) (bool, error)
}

const probeObject = "probeobject"

// checkWarmBackend checks if tier config credentials have sufficient privileges
// to perform all operations defined in the WarmBackend interface.
func checkWarmBackend(ctx context.Context, w WarmBackend) error {
	remoteVersionID, err := w.Put(ctx, probeObject, strings.NewReader("MinIO"), 5)

              port: 8000
          securityContext:
            privileged: true # always requires privilege to be useful (install node plugin, etc)
            runAsGroup: 0
            runAsUser: 0
            runAsNonRoot: false
            # Both ambient and sidecar repair mode require elevated node privileges to function.
            # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature.

## Privileges required

This client could be a browser with a frontend, a code from someone else, an IoT device, etc.

You could need to tell the client that:

* The client doesn't have enough privileges for that operation.
* The client doesn't have access to that resource.
* The item the client was trying to access doesn't exist.
* etc.

  repeated PodSecurityPolicy items = 2;
}

// PodSecurityPolicySpec defines the policy enforced.
message PodSecurityPolicySpec {
  // privileged determines if a pod can request to be run as privileged.
  // +optional
  optional bool privileged = 1;

  // defaultAddCapabilities is the default set of capabilities that will be added to the container

```

This tells Traefik to listen on port 9999 and to use another file `routes.toml`.

!!! tip
    We are using port 9999 instead of the standard HTTP port 80 so that you don't have to run it with admin (`sudo`) privileges.

Now create that other file `routes.toml`:

```TOML hl_lines="5  12  20"
[http]
  [http.middlewares]

    [http.middlewares.api-stripprefix.stripPrefix]
      prefixes = ["/api/v1"]

		if parentInClaim != parentUser {
			return false
		}
	} else {
		// This is needed so a malicious user cannot
		// use a leaked session key of another user
		// to widen its privileges.
		return false
	}

	isOwnerDerived := parentUser == globalActiveCred.AccessKey

	var err error
	var svcPolicies []string
	roleArn := args.GetRoleArn()

	switch {

      # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
      # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
      repairPods: true

      initContainerName: "istio-validation"

      brokenPodLabelKey: "cni.istio.io/uninitialized"
      brokenPodLabelValue: "true"

        </field>
      </fields>
    </class>
    <class>
      <name>Contributor</name>
      <description>Description of a person who has contributed to the project, but who does not have
        commit privileges. Usually, these contributions come in the form of patches submitted.</description>
      <version>3.0.0+</version>
      <fields>
        <field>
          <name>name</name>
          <version>3.0.0+</version>