message ClusterTrustBundleSpec {
  // signerName indicates the associated signer, if any.
  //
  // In order to create or update a ClusterTrustBundle that sets signerName,
  // you must have the following cluster-scoped permission:
  // group=certificates.k8s.io resource=signers resourceName=<the signer name>
  // verb=attest.
  //
  // If signerName is not empty, then the ClusterTrustBundle object must be

//  2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
//
// This API can be used to request client certificates to authenticate to kube-apiserver
// (with the "kubernetes.io/kube-apiserver-client" signerName),
// or to obtain certificates from custom non-Kubernetes signers.

  //  3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
  // Distribution of trust for signers happens out of band.
  // You can select on this field using `spec.signerName`.
  // +optional
  optional string signerName = 7;

  // expirationSeconds is the requested duration of validity of the issued
  // certificate. The certificate signer may issue a certificate with a different

- Consumers of the 'certificatesigningrequests/approval' API must now grant permission to 'approve' CSRs for the 'signerName' specified on the CSR. More information on the new signerName field can be found at https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1513-certificate-signing-request/README.md/#signers ([#88246](https://github.com/kubernetes/kubernetes/pull/88246), [@munn...

- consumers of the 'certificatesigningrequests/approval' API must now have permission to 'approve' CSRs for the specific signer requested by the CSR. More information on the new signerName field and the required authorization can be found at https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests#authorization ([#88246](https://github.com/kubernetes/kubernetes/pull/88246), [@munnerz](https://github.com/munnerz))...