}

// AdmissionReview describes an admission review request/response.
message AdmissionReview {
  // Request describes the attributes for the admission request.
  // +optional
  optional AdmissionRequest request = 1;

  // Response describes the attributes for the admission response.
  // +optional
  optional AdmissionResponse response = 2;

* It should not be client-specific.
  * In Istio sidecars, historically we had a lot of client-specific xDS. For example, putting the xDS-client's IP back into the xDS response. This makes efficient control plane implementation (most notably, caching), extremely challenging.

  // identical to the value in the first response, unless you have received this token from an error
  // message.
  optional string continue = 3;

  // remainingItemCount is the number of subsequent items in the list which are not included in this
  // list response. If the list request contained label or field selectors, then the number of

  // ExpirationSeconds is the requested duration of validity of the request. The
  // token issuer may return a token with a different validity duration so a
  // client needs to check the 'expiration' field in a response.
  // +optional
  optional int64 expirationSeconds = 4;

  // BoundObjectRef is a reference to an object that the token will be bound to.
  // The token will only be valid for as long as the bound object exists.

  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
  // +optional
  optional Probe startupProbe = 22;

  // Actions that the management system should take in response to container lifecycle events.
  // Cannot be updated.
  // +optional
  optional Lifecycle lifecycle = 12;

  // Optional: Path at which the file to which the container's termination message

}

// AdmissionReview describes an admission review request/response.
message AdmissionReview {
  // Request describes the attributes for the admission request.
  // +optional
  optional AdmissionRequest request = 1;

  // Response describes the attributes for the admission response.
  // +optional
  optional AdmissionResponse response = 2;

   1. The most common method (pictured above) is to sign a new certificate by calling the configured CA. Typically, this is Istiod.
   1. If the certificate is not yet expired, the `SecretManager` also can return a cache response. In practice, this would
       only happen in cases where Envoy were to re-request a resource, which is fairly rare.
   1. `SecretManager` can also read certificates from files. When this is configured, no CA client is used.

    aex-->ksd
```

#### VMs

Virtual Machine support consists of two controllers.

  // If this is the first validation in the list to fail, this reason, as well as the
  // corresponding HTTP response code, are used in the
  // HTTP response to the client.
  // The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
  // If not set, StatusReasonInvalid is used in the response to the client.
  // +optional
  optional string reason = 3;