// audiences of the token, and otherwise should reject the token. A
  // token issued for multiple audiences may be used to authenticate
  // against any of the audiences listed but implies a high degree of
  // trust between the target audiences.
  repeated string audiences = 1;

  // ExpirationSeconds is the requested duration of validity of the request. The
  // token issuer may return a token with a different validity duration so a

  //  3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
  //   Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
  //

  // +optional
  optional string signerName = 7;

  // expirationSeconds is the requested duration of validity of the issued
  // certificate. The certificate signer may issue a certificate with a different
  // validity duration so a client must check the delta between the notBefore and
  // and notAfter fields in the issued certificate to determine the actual duration.
  //

  // must handle different types of addresses in the context of their own
  // capabilities. This must contain at least one address but no more than
  // 100. These are all assumed to be fungible and clients may choose to only
  // use the first element. Refer to: https://issue.k8s.io/106267
  // +listType=set
  repeated string addresses = 1;

  // conditions contains information about the current status of the endpoint.

    # Note that AWS ELB will by default perform health checks on the first port
    # on this list. Setting this to the health check port will ensure that health
    # checks always work. https://github.com/istio/istio/issues/12503
    - port: 15021
      targetPort: 15021
      name: status-port
    - port: 80
      targetPort: 8080
      name: http2
    - port: 443
      targetPort: 8443
      name: https
    - port: 31400

	ExitDataError      = 65 // some format error with input data

	// below here are non-zero exit codes that don't indicate an error with istioctl itself
	ExitAnalyzerFoundIssues = 79 // istioctl analyze found issues, for CI/CD
)

func GetExitCode(e error) int {
	if strings.Contains(e.Error(), "unknown command") {
		e = util.CommandParseError{Err: e}
	}

	switch e.(type) {
	case util.CommandParseError:

	cd, _ := os.ReadFile("testdata/ecds/configdump.json")
	cw.Prime(cd)
	err := cw.PrintEcds("json")
	assert.NoError(t, err)

	// protojson opt out of whitespace randomization, see more details: https://github.com/golang/protobuf/issues/1082
	var rm json.RawMessage = gotOut.Bytes()
	jsonOutput, err := json.MarshalIndent(rm, "", "    ")
	if err != nil {
		assert.NoError(t, err)
	}
	jsonOutput = append(jsonOutput, '\n')

## Reporting a Vulnerability

Instructions for reporting a vulnerability can be found on the
[Istio Security Vulnerabilities] page. The Istio Product Security Working Group receives
vulnerability and security issue reports, and the company affiliation of the members of
the group can be found at [Early Disclosure Membership].

## Security Bulletins

Information about previous Istio vulnerabilities can be found on the

	}
	if isMCP {
		return mcpDialOptions(ctx, opts.GCPProject, k8sCreds)
	}
	return []grpc.DialOption{
		// nolint: gosec
		// Only runs over istioctl experimental
		// TODO: https://github.com/istio/istio/issues/41937
		grpc.WithTransportCredentials(credentials.NewTLS(
			&tls.Config{
				// Always skip verifying, because without it we always get "certificate signed by unknown authority".

    verbs: ["get", "list", "watch", "update"]

  # istio configuration
  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
  # please proceed with caution
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]