//   must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
  //  3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
  //   to allow for explanatory text as described in section 5.2 of RFC7468.
  //
  // If more than one PEM block is present, and the definition of the requested spec.signerName

  // If this field is not specified, it will default based on the existence of Ingress or Egress rules;
  // policies that contain an Egress section are assumed to affect Egress, and all policies
  // (whether or not they contain an Ingress section) are assumed to affect Ingress.
  // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].

  // If specified, the time in seconds before the operation should be retried. Some errors may indicate
  // the client must take an alternate action - for those errors this field may indicate how long to wait
  // before taking the alternate action.
  // +optional
  optional int32 retryAfterSeconds = 5;
}

// TableOptions are used when a Table is requested by the caller.

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

  optional string reportingInstance = 5;

  // action is what action was taken/failed regarding to the regarding object. It is machine-readable.
  // This field cannot be empty for new Events and it can have at most 128 characters.
  optional string action = 6;

  // reason is why the action was taken. It is human-readable.

  optional int32 expirationSeconds = 8;

  // allowedUsages specifies a set of usage contexts the key will be
  // valid for.
  // See:
  // 	https://tools.ietf.org/html/rfc5280#section-4.2.1.3
  // 	https://tools.ietf.org/html/rfc5280#section-4.2.1.12
  //
  // Valid values are:
  //  "signing",
  //  "digital signature",
  //  "content commitment",
  //  "key encipherment",
  //  "key agreement",

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

  optional string handler = 2;

  // overhead represents the resource overhead associated with running a pod for a
  // given RuntimeClass. For more details, see
  //  https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/
  // +optional
  optional Overhead overhead = 3;

  // scheduling holds the scheduling constraints to ensure that pods running
  // with this RuntimeClass are scheduled to nodes that support it.

  repeated string verbs = 1;

  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
  // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
  // +optional
  repeated string apiGroups = 2;

  // Healthy pods will be subject to the PDB for eviction.
  //
  // Additional policies may be added in the future.
  // Clients making eviction decisions should disallow eviction of unhealthy pods
  // if they encounter an unrecognized policy in this field.
  //
  // This field is beta-level. The eviction API uses this field when