DDEDPDQCC:      "ddedpdq.",
	DDIV:           "ddiv",
	DDIVCC:         "ddiv.",
	DDIVQ:          "ddivq",
	DDIVQCC:        "ddivq.",
	DENBCD:         "denbcd",
	DENBCDCC:       "denbcd.",
	DENBCDQ:        "denbcdq",
	DENBCDQCC:      "denbcdq.",
	DIEX:           "diex",
	DIEXCC:         "diex.",
	DIEXQCC:        "diexq.",
	DIEXQ:          "diexq",
	DMUL:           "dmul",

      from:
        - source:
            namespaces: [ "{{ .Denied.NamespaceName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            namespaces: [ "{{ .Denied.NamespaceName }}" ]
    - to:
        - operation: # TCP

	"type":               "type of the condition. Known conditions are \"Approved\", \"Denied\", and \"Failed\".\n\nAn \"Approved\" condition is added via the /approval subresource, indicating the request was approved and should be issued by the signer.\n\nA \"Denied\" condition is added via the /approval subresource, indicating the request was denied and should not be issued by the signer.\n\nA \"Failed\" condition is added via the /status subresource, indicating the...

apiVersion: release-notes/v2
kind: bug-fix
area: security
issue:
- 46951
releaseNotes:
- |

const (
	// Approved indicates the request was approved and should be issued by the signer.
	CertificateApproved RequestConditionType = "Approved"
	// Denied indicates the request was denied and should not be issued by the signer.
	CertificateDenied RequestConditionType = "Denied"
	// Failed indicates the signer failed to issue the certificate.
	CertificateFailed RequestConditionType = "Failed"
)

  // type of the condition. Known conditions are "Approved", "Denied", and "Failed".
  //
  // An "Approved" condition is added via the /approval subresource,
  // indicating the request was approved and should be issued by the signer.
  //
  // A "Denied" condition is added via the /approval subresource,
  // indicating the request was denied and should not be issued by the signer.
  //

  // type of the condition. Known conditions are "Approved", "Denied", and "Failed".
  //
  // An "Approved" condition is added via the /approval subresource,
  // indicating the request was approved and should be issued by the signer.
  //
  // A "Denied" condition is added via the /approval subresource,
  // indicating the request was denied and should not be issued by the signer.
  //

	framework.NewTest(t).
		Run(func(t framework.TestContext) {
			allowed := apps.Ns1.A
			denied := apps.Ns2.A

			newTrafficTest(t, apps.Ns1.All.Instances().Append(denied)).
				Config(config.File("testdata/authz/plaintext.yaml.tmpl").WithParams(param.Params{
					"Denied": denied,
					// The namespaces for each resource are specified in the file. Use "" as the ns to apply to.

      from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # TCP

			// User lacks permission: either the call requires root permission and the
			// user is not root, or the call is denied by a container security policy.
			return true
		case syscall.EINVAL:
			// Some containers return EINVAL instead of EPERM if a system call is
			// denied by security policy.
			return true
		}
	}

	if errors.Is(err, fs.ErrPermission) || errors.Is(err, errors.ErrUnsupported) {