caCrl:
                                    description: 'OPTIONAL: The path to the file containing
                                      the certificate revocation list (CRL) to use
                                      in verifying a presented server certificate.'
                                    type: string
                                  clientCertificate:

// See the License for the specific language governing permissions and
// limitations under the License.

// This tests the k8s installation.  It validates the CNI plugin configuration
// and the existence of the CNI plugin binary locations.
package install_test

import (
	"testing"

	install "istio.io/istio/cni/test"
	"istio.io/istio/pkg/test/env"
)

var (
	Hub = "gcr.io/istio-release"
	Tag = "master-latest-daily"
)

// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
message SelfSubjectRulesReview {
  // Standard list metadata.

                                  caCrl:
                                    description: 'OPTIONAL: The path to the file containing
                                      the certificate revocation list (CRL) to use
                                      in verifying a presented server certificate.'
                                    type: string
                                  clientCertificate:

// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
message SelfSubjectRulesReview {
  // Standard list metadata.

Instead, an Istio specific field like `ExpectedTLSIdentity: spiffe://foo.bar` can encode the same information, at a fraction of the cost.

In our testing, even the most generous representations give custom types a 10x edge (in size, allocations, and CPU time) over Envoy types.
In addition, they are more clear and strictly typed; using Envoy types would require us to put a lot of information in untyped `metadata` maps.

description: If set to true, the original token will be kept for the upstream request. type: boolean fromCookies: description: List of cookie names from which JWT is expected. items: type: string type: array fromHeaders: description: List of header locations from which JWT is expected. items: properties: name: description: The HTTP header name. type: string prefix: description: The prefix that should be stripped before decoding the token. type: string required: - name type: object type: array fromParams:...

// Package-wide variables from generator "generated".
option go_package = "k8s.io/api/networking/v1alpha1";

// ClusterCIDR represents a single configuration for per-Node Pod CIDR
// allocations when the MultiCIDRRangeAllocator is enabled (see the config for
// kube-controller-manager).  A cluster may have any number of ClusterCIDR
// resources, all of which will be considered when allocating a CIDR for a

  // NOTE: The API server's TokenReview endpoint will validate the
  // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds
  // small if you want prompt revocation.
  // +optional
  optional BoundObjectReference boundObjectRef = 3;
}

// TokenRequestStatus is the result of a token request.
message TokenRequestStatus {
  // Token is the opaque bearer token.

//     and the version of the actual struct is irrelevant.
//  5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
//     will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.
//