// +optional
  repeated ImageReviewContainerSpec containers = 1;

  // Annotations is a list of key-value pairs extracted from the Pod's annotations.
  // It only includes keys which match the pattern `*.image-policy.k8s.io/*`.
  // It is up to each webhook backend to determine how to interpret these annotations, if at all.
  // +optional

message AuditAnnotation {
  // key specifies the audit annotation key. The audit annotation keys of
  // a ValidatingAdmissionPolicy must be unique. The key must be a qualified
  // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
  //
  // The key is combined with the resource name of the
  // ValidatingAdmissionPolicy to construct an audit annotation key:
  // "{ValidatingAdmissionPolicy name}/{key}".
  //

  // A pod will be in this map from the time when the API server processed the
  // eviction request to the time when the pod is seen by PDB controller
  // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
  // and the value is the time when the API server processed the eviction request. If
  // the deletion didn't occur and a pod is still there it will be removed from

// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
message SelfSubjectReview {
  // Standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

  optional string nodeID = 2;

  // topologyKeys is the list of keys supported by the driver.
  // When a driver is initialized on a cluster, it provides a set of topology
  // keys that it understands (e.g. "company.com/zone", "company.com/region").
  // When a driver is initialized on a node, it provides the same topology keys
  // along with values. Kubelet will expose these topology keys as labels
  // on its own node object.

// the triple <key,value,effect> using the matching operator <operator>.
message Toleration {
  // Key is the taint key that the toleration applies to. Empty means match all taint keys.
  // If the key is empty, operator must be Exists; this combination means to match all values and all keys.
  // +optional
  optional string key = 1;

  // Operator represents a key's relationship to the value.

  // +optional
  optional string patchType = 5;

  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by

// 'f:<name>', where <name> is the name of a field in a struct, or key in a map
// 'v:<value>', where <value> is the exact json formatted value of a list item
// 'i:<index>', where <index> is position of a item in a list
// 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values
// If a key maps to an empty Fields value, the field that key represents is part of the set.
//

// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
message SelfSubjectReview {
  // Standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

  // +optional
  optional string patchType = 5;

  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by