message ImageReviewStatus {
  // Allowed indicates that all images were allowed to be run.
  optional bool allowed = 1;

  // Reason should be empty unless Allowed is false in which case it
  // may contain a short description of what is wrong.  Kubernetes
  // may truncate excessively long errors when displaying to the user.
  // +optional
  optional string reason = 2;

// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
message SelfSubjectReview {
  // Standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional

  optional string requestSubResource = 15;

  // Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
  // rely on the server to generate the name.  If that is the case, this field will contain an empty string.
  // +optional
  optional string name = 5;

  // Namespace is the namespace associated with the request (if any).
  // +optional
  optional string namespace = 6;

  // the oldObject and newObject that would be sent to the cel validation, and
  // is considered to match if either object matches the selector. A null
  // object (oldObject in the case of create, or newObject in the case of
  // delete) or an object that cannot have labels (like a
  // DeploymentRollback or a PodProxyOptions object) is not considered to
  // match.

  repeated AllowedCSIDriver allowedCSIDrivers = 23;

  // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
  // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
  // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
  // Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
  //
  // Examples:

  optional string requestSubResource = 15;

  // Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
  // rely on the server to generate the name.  If that is the case, this field will contain an empty string.
  // +optional
  optional string name = 5;

  // Namespace is the namespace associated with the request (if any).
  // +optional
  optional string namespace = 6;

// package's DefaultScheme has conversion functions installed which will unpack the
// JSON stored in RawExtension, turning it into the correct object type, and storing it
// in the Object. (TODO: In the case where the object is of an unknown type, a
// runtime.Unknown object will be created and stored.)
//
// +k8s:deepcopy-gen=true
// +protobuf=true
// +k8s:openapi-gen=true
message RawExtension {

// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
message SelfSubjectReview {
  // Standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional

  // +optional
  repeated string resourceNames = 4;
}

// SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
// spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
// to check whether they can perform an action
message SelfSubjectAccessReview {
  // Standard list metadata.

  // This is to help clients reach servers in the most network-efficient way possible.
  // Clients can use the appropriate server address as per the CIDR that they match.
  // In case of multiple matches, clients should use the longest matching CIDR.
  // The server returns only those CIDRs that it thinks that the client can match.