// this list must have at least one matching (by name) volumeMount in one
  // container in the template. A claim in this list takes precedence over
  // any volumes in the template, with the same name.
  // TODO: Define the behavior if a claim already exists with the same name.
  // +optional
  repeated k8s.io.api.core.v1.PersistentVolumeClaim volumeClaimTemplates = 4;

  // serviceName is the name of the service that governs this StatefulSet.

  // implementation will use to handle pods of this class. The possible values
  // are specific to the node & CRI configuration.  It is assumed that all
  // handlers are available on every node, and handlers of the same name are
  // equivalent on every node.
  // For example, a handler called "runc" might specify that the runc OCI
  // runtime (using native Linux containers) will be used to run the containers
  // in a pod.

  // +optional
  optional string username = 1;

  // A unique value that identifies this user across time. If this user is
  // deleted and another user by the same name is added, they will have
  // different UIDs.
  // +optional
  optional string uid = 2;

  // The names of groups this user is a part of.
  // +optional
  repeated string groups = 3;

// the set of authorizers the server is configured with and any errors experienced during evaluation.
// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
// even if that list is incomplete.
message SubjectRulesReviewStatus {
  // ResourceRules is the list of actions the subject is allowed to perform on resources.

// the set of authorizers the server is configured with and any errors experienced during evaluation.
// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
// even if that list is incomplete.
message SubjectRulesReviewStatus {
  // ResourceRules is the list of actions the subject is allowed to perform on resources.