// Requests will be matched against the Host field in the following way:
  // 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
  // 2. If Host is a wildcard, then the request matches this rule if the http host header
  // is to equal to the suffix (removing the first label) of the wildcard rule.
  // +optional
  optional string host = 1;

// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
message SelfSubjectReview {
  // Standard object's metadata.

  // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
  // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
  // +optional
  repeated ServerAddressByClientCIDR serverAddressByClientCIDRs = 4;
}

// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
message SelfSubjectReview {
  // Standard object's metadata.

  // Requests will be matched against the Host field in the following way:
  // 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
  // 2. If Host is a wildcard, then the request matches this rule if the http host header
  // is to equal to the suffix (removing the first label) of the wildcard rule.
  // +optional
  optional string host = 1;

  // +optional
  optional string scheme = 4;

  // Custom headers to set in the request. HTTP allows repeated headers.
  // +optional
  repeated HTTPHeader httpHeaders = 5;
}

// HTTPHeader describes a custom header to be used in HTTP probes
message HTTPHeader {
  // The header field name
  optional string name = 1;

  // The header field value
  optional string value = 2;
}

  // Requests will be matched against the Host field in the following way:
  // 1. If host is precise, the request matches this rule if the http host header is equal to Host.
  // 2. If host is a wildcard, then the request matches this rule if the http host header
  // is to equal to the suffix (removing the first label) of the wildcard rule.
  // +optional
  optional string host = 1;

  // contain duplicate certificates, or that use PEM block headers.
  //
  // Users of ClusterTrustBundles, including Kubelet, are free to reorder and
  // deduplicate certificate blocks in this file according to their own logic,
  // as well as to drop PEM block headers and inter-block data.
  optional string trustBundle = 2;

  // +optional
  optional BoundObjectReference boundObjectRef = 3;
}

// TokenRequestStatus is the result of a token request.
message TokenRequestStatus {
  // Token is the opaque bearer token.
  optional string token = 1;

  // ExpirationTimestamp is the time of expiration of the returned token.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time expirationTimestamp = 2;
}

  //
  // Validation requirements:
  //  1. certificate must contain one or more PEM blocks.
  //  2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
  //   must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
  //  3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,