// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
  optional bool incomplete = 3;

  // EvaluationError can appear in combination with Rules. It indicates an error occurred during
  // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
  // ResourceRules and/or NonResourceRules may be incomplete.

  // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
  optional bool incomplete = 3;

  // EvaluationError can appear in combination with Rules. It indicates an error occurred during
  // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
  // ResourceRules and/or NonResourceRules may be incomplete.

  // - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
  //   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
  // - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
  //   request resource.
  //

// or a value for non-objects such as user and group names.
message Subject {
  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
  optional string kind = 1;

  // APIGroup holds the API group of the referenced subject.
  // Defaults to "" for ServiceAccount subjects.

// +structType=atomic
message Subject {
  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
  optional string kind = 1;

  // APIGroup holds the API group of the referenced subject.
  // Defaults to "" for ServiceAccount subjects.

  //
  // 'object' - The object from the incoming request. The value is null for DELETE requests.
  // 'oldObject' - The existing object. The value is null for CREATE requests.
  // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).

// or a value for non-objects such as user and group names.
message Subject {
  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
  optional string kind = 1;

  // APIVersion holds the API group and version of the referenced subject.
  // Defaults to "v1" for ServiceAccount subjects.

  //
  // 'object' - The object from the incoming request. The value is null for DELETE requests.
  // 'oldObject' - The existing object. The value is null for CREATE requests.
  // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).

   ([#123611](https://github.com/kubernetes/kubernetes/pull/123611), [@ritazh](https://github.com/ritazh))

- Kube-apiserver: Promoted `AuthorizeWithSelectors` feature to beta, which includes field and label selector information from requests in webhook authorization calls. Promoted `AuthorizeNodeWithSelectors` feature to beta, which changes node authorizer behavior to limit requests from node API clients, so that each Node can only get / list / watch its own Node API object, and can also only get / list / watch Pod API objects bound to that node. Clients using kubelet credentials to read other nodes...