//  3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
  //   Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
  //

  // +optional
  optional string signerName = 7;

  // expirationSeconds is the requested duration of validity of the issued
  // certificate. The certificate signer may issue a certificate with a different
  // validity duration so a client must check the delta between the notBefore and
  // and notAfter fields in the issued certificate to determine the actual duration.
  //

  // be a positive number. The server's concurrency limit (SCL) is
  // divided among the concurrency-controlled priority levels in
  // proportion to their assured concurrency shares. This produces
  // the assured concurrency value (ACV) --- the number of requests
  // that may be executing at a time --- for each such priority
  // level:
  //

  // +optional
  optional QueuingConfiguration queuing = 2;
}

// LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
// It addresses two issues:
//   - How are requests for this priority level limited?
//   - What should be done with requests that exceed the limit?
message LimitedPriorityLevelConfiguration {

  // audiences of the token, and otherwise should reject the token. A
  // token issued for multiple audiences may be used to authenticate
  // against any of the audiences listed but implies a high degree of
  // trust between the target audiences.
  repeated string audiences = 1;

  // ExpirationSeconds is the requested duration of validity of the request. The
  // token issuer may return a token with a different validity duration so a

  //
  // The server guarantees that the objects returned when using continue will be identical to issuing
  // a single list call without a limit - that is, no objects created, modified, or deleted after the
  // first request is issued will be included in any subsequent continued requests. This is sometimes
  // referred to as a consistent snapshot, and ensures that a client that is using limit to receive

  // If this field is not specified, it will default based on the existence of Ingress or Egress rules;
  // policies that contain an Egress section are assumed to affect Egress, and all policies
  // (whether or not they contain an Ingress section) are assumed to affect Ingress.
  // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].

  // ---
  // TODO: Update this to follow our convention for oneOf, whatever we decide it
  // to be. Same as Deployment `strategy.rollingUpdate`.
  // See https://github.com/kubernetes/kubernetes/issues/35345
  // +optional
  optional RollingUpdateDaemonSet rollingUpdate = 2;
}

// Deployment enables declarative updates for Pods and ReplicaSets.
message Deployment {
  // Standard object's metadata.

  // must handle different types of addresses in the context of their own
  // capabilities. This must contain at least one address but no more than
  // 100. These are all assumed to be fungible and clients may choose to only
  // use the first element. Refer to: https://issue.k8s.io/106267
  // +listType=set
  repeated string addresses = 1;

  // conditions contains information about the current status of the endpoint.

  // not share the same nomenclature for nodes. For example, Kubernetes may
  // refer to a given node as "node1", but the storage system may refer to
  // the same node as "nodeA". When Kubernetes issues a command to the storage
  // system to attach a volume to a specific node, it can use this field to
  // refer to the node name using the ID that the storage system will