message ClusterTrustBundleSpec {
  // signerName indicates the associated signer, if any.
  //
  // In order to create or update a ClusterTrustBundle that sets signerName,
  // you must have the following cluster-scoped permission:
  // group=certificates.k8s.io resource=signers resourceName=<the signer name>
  // verb=attest.
  //
  // If signerName is not empty, then the ClusterTrustBundle object must be

//  2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
//
// This API can be used to request client certificates to authenticate to kube-apiserver
// (with the "kubernetes.io/kube-apiserver-client" signerName),
// or to obtain certificates from custom non-Kubernetes signers.

  //  3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
  // Distribution of trust for signers happens out of band.
  // You can select on this field using `spec.signerName`.
  // +optional
  optional string signerName = 7;

  // expirationSeconds is the requested duration of validity of the issued
  // certificate. The certificate signer may issue a certificate with a different

- Consumers of the 'certificatesigningrequests/approval' API must now grant permission to 'approve' CSRs for the 'signerName' specified on the CSR. More information on the new signerName field can be found at https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1513-certificate-signing-request/README.md/#signers ([#88246](https://github.com/kubernetes/kubernetes/pull/88246), [@munn...