}

// ImageReviewContainerSpec is a description of a container within the pod creation request.
message ImageReviewContainerSpec {
  // This can be in the form image:tag or image@SHA:012345679abcdef.
  // +optional
  optional string image = 1;
}

// ImageReviewSpec is a description of the pod creation request.
message ImageReviewSpec {

  //  4. Required, permitted, or forbidden key usages / extended key usages.
  //  5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
  //  6. Whether or not requests for CA certificates are allowed.
  optional string signerName = 7;

  optional string patchType = 5;

  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
  // the admission webhook to add additional context to the audit log for this request.

// concepts during lookup stages without having partially valid types
//
// +protobuf.options.(gogoproto.goproto_stringer)=false
message GroupKind {
  optional string group = 1;

  optional string kind = 2;
}

// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
// concepts during lookup stages without having partially valid types
//

  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // spec contains the certificate request, and is immutable after creation.
  // Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
  // Other fields are derived by Kubernetes and cannot be modified by users.
  optional CertificateSigningRequestSpec spec = 2;

  // Derived information about the request.
  // +optional

  optional string patchType = 5;

  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
  // the admission webhook to add additional context to the audit log for this request.

  repeated string items = 1;
}

// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
// checking.
message LocalSubjectAccessReview {
  // Standard list metadata.

  repeated string items = 1;
}

// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
// checking.
message LocalSubjectAccessReview {
  // Standard list metadata.

  // More info: https://kubernetes.io/docs/concepts/containers/images.
  optional string image = 6;

  // ImageID is the image ID of the container's image. The image ID may not
  // match the image ID of the image used in the PodSpec, as it may have been
  // resolved by the runtime.
  optional string imageID = 7;

  // ContainerID is the ID of the container in the format '<type>://<container_id>'.

// +protobuf.options.marshal=false
// +protobuf.options.(gogoproto.goproto_stringer)=false
// +k8s:deepcopy-gen=true
// +k8s:openapi-gen=true
message Quantity {
  optional string string = 1;
}

// QuantityValue makes it possible to use a Quantity as value for a command
// line parameter.
//
// +protobuf=true
// +protobuf.embed=string
// +protobuf.options.marshal=false
// +protobuf.options.(gogoproto.goproto_stringer)=false