message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
  // allowed values are Ignore or Fail. Defaults to Ignore.
  // +optional
  optional string failurePolicy = 4;

  // matchPolicy defines how the "rules" list is used to match incoming requests.
  // Allowed values are "Exact" or "Equivalent".
  //
  // - Exact: match a request only if it exactly matches a specified rule.

  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
  // +optional
  repeated string resourceNames = 4;

  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path

  // Note the following deviations from the "host" part of the
  // URI as defined in RFC 3986:
  // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
  //    the IP in the Spec of the parent Ingress.
  // 2. The `:` delimiter is not respected because ports are not allowed.
  // 	  Currently the port of an Ingress is implicitly :80 for http and
  // 	  :443 for https.
  // Both these may change in the future.

  // resources have not been allocated yet.
  // +optional
  optional AllocationResult allocation = 2;

  // ReservedFor indicates which entities are currently allowed to use
  // the claim. A Pod which references a ResourceClaim which is not
  // reserved for that Pod will not be started.
  //
  // There can be at most 32 such reservations. This may get increased in

// the scheduler assumes that capacity is insufficient and tries some other
// node.
message CSIStorageCapacity {
  // Standard object's metadata. The name has no particular meaning. It must be
  // be a DNS subdomain (dots allowed, 253 characters). To ensure that
  // there are no conflicts with other CSI drivers on the cluster, the recommendation
  // is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends

  // This must be copied over from the corresponding AdmissionRequest.
  optional string uid = 1;

  // Allowed indicates whether or not the admission request was permitted.
  optional bool allowed = 2;

  // Result contains extra details into why an admission request was denied.
  // This field IS NOT consulted in any way if "Allowed" is "true".
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;

  //  4. Required, permitted, or forbidden key usages / extended key usages.
  //  5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
  //  6. Whether or not requests for CA certificates are allowed.
  optional string signerName = 7;

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

  // Note the following deviations from the "host" part of the
  // URI as defined in RFC 3986:
  // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
  //    the IP in the Spec of the parent Ingress.
  // 2. The `:` delimiter is not respected because ports are not allowed.
  // 	  Currently the port of an Ingress is implicitly :80 for http and
  // 	  :443 for https.
  // Both these may change in the future.