// +listType=atomic
  // +optional
  repeated Validation validations = 3;

  // failurePolicy defines how to handle failures for the admission policy. Failures can
  // occur from CEL expression parse errors, type check errors, runtime errors and invalid
  // or mis-configured policy definitions or bindings.
  //
  // A policy is invalid if spec.paramKind refers to a non-existent Kind.

  optional bool allowed = 1;

  // Reason should be empty unless Allowed is false in which case it
  // may contain a short description of what is wrong.  Kubernetes
  // may truncate excessively long errors when displaying to the user.
  // +optional
  optional string reason = 2;

  // AuditAnnotations will be added to the attributes object of the
  // admission controller request using 'AddAnnotation'.  The keys should

  // DisruptionAllowed condition. The following are known values for the reason field
  // (additional reasons could be added in the future):
  // - SyncFailed: The controller encountered an error and wasn't able to compute
  //               the number of allowed disruptions. Therefore no disruptions are
  //               allowed and the status of the condition will be False.

  // still succeed if there are no other errors, and will only persist
  // the last of any duplicate fields. This is the default in v1.23+
  // - Strict: This will fail the request with a BadRequest error if
  // any unknown fields would be dropped from the object, or if any
  // duplicate fields are present. The error returned from the server
  // will contain all unknown and duplicate fields encountered.

  optional string patchType = 5;

  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by

}

// IngressPortStatus represents the error condition of a service port
message IngressPortStatus {
  // Port is the port number of the ingress port.
  optional int32 port = 1;

  // Protocol is the protocol of the ingress port.
  // The supported values are: "TCP", "UDP", "SCTP"
  optional string protocol = 2;

  // Error is to record the problem with the service port

  // responseKind describes the group, version, and kind of the serialization schema for the object type this endpoint typically returns.
  // APIs may return other objects types at their discretion, such as error conditions, requests for alternate representations, or other operation specific behavior.
  // This value will be null if an APIService reports subresources but supports no operations on the parent resource

  // Reason is optional.  It indicates why a request was allowed or denied.
  // +optional
  optional string reason = 2;

  // EvaluationError is an indication that some error occurred during the authorization check.
  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
  // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.

  // valid against the audience of the Kubernetes API server.
  // +optional
  repeated string audiences = 4;

  // Error indicates that the token couldn't be checked
  // +optional
  optional string error = 3;
}

// UserInfo holds the information about the user needed to implement the
// user.Info interface.
message UserInfo {

  optional string patchType = 5;

  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by