optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional
  optional bool denied = 4;

  // Reason is optional.  It indicates why a request was allowed or denied.

  // plugin once it lands on a node. This data is returned by the driver
  // after a successful allocation and is opaque to Kubernetes. Driver
  // documentation may explain to users how to interpret this data if needed.
  //
  // Setting this field is optional. It has a maximum size of 32 entries.
  // If null (or empty), it is assumed this allocation will be processed by a

  // volume claims created from volumeClaimTemplates. By default, all persistent
  // volume claims are created as needed and retained until manually deleted. This
  // policy allows the lifecycle to be altered, for example by deleting persistent
  // volume claims when their stateful set is deleted, or when their pod is scaled
  // down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,

  // type of the condition. Known conditions are "Approved", "Denied", and "Failed".
  //
  // An "Approved" condition is added via the /approval subresource,
  // indicating the request was approved and should be issued by the signer.
  //
  // A "Denied" condition is added via the /approval subresource,
  // indicating the request was denied and should not be issued by the signer.
  //

  // +optional
  optional Time creationTimestamp = 8;

  // DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
  // field is set by the server when a graceful deletion is requested by the user, and is not
  // directly settable by a client. The resource is expected to be deleted (no longer visible
  // from resource lists, and not reachable by name) after the time in this field, once the

  optional string uid = 1;

  // Allowed indicates whether or not the admission request was permitted.
  optional bool allowed = 2;

  // Result contains extra details into why an admission request was denied.
  // This field IS NOT consulted in any way if "Allowed" is "true".
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;

  // can have their a new pod created before the old pod is marked as deleted.
  // The update starts by launching new pods on 30% of nodes. Once an updated
  // pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
  // on that node is marked deleted. If the old pod becomes unavailable for any
  // reason (Ready transitions to false, is evicted, or is drained) an updated

  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional
  optional bool denied = 4;

  // Reason is optional.  It indicates why a request was allowed or denied.

}

// UserInfo holds the information about the user needed to implement the
// user.Info interface.
message UserInfo {
  // The name that uniquely identifies this user among all active users.
  // +optional
  optional string username = 1;

  // A unique value that identifies this user across time. If this user is
  // deleted and another user by the same name is added, they will have
  // different UIDs.

}

message CertificateSigningRequestCondition {
  // type of the condition. Known conditions include "Approved", "Denied", and "Failed".
  optional string type = 1;

  // Status of the condition, one of True, False, Unknown.
  // Approved, Denied, and Failed conditions may not be "False" or "Unknown".
  // Defaults to "True".
  // If unset, should be treated as "True".
  // +optional