// Well-known Kubernetes signers are:
  //  1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
  //   Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
  //  2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.

  // The server returns only those CIDRs that it thinks that the client can match.
  // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
  // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
  repeated ServerAddressByClientCIDR serverAddressByClientCIDRs = 2;
}

  // +optional
  map<string, string> auditAnnotations = 6;

  // warnings is a list of warning messages to return to the requesting API client.
  // Warning messages describe a problem the client making the API request should correct or be aware of.
  // Limit warnings to 120 characters if possible.
  // Warnings over 256 characters and large numbers of warnings may be truncated.
  // +optional

message NetworkPolicySpec {
  // Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules
  // is applied to any pods selected by this field. Multiple network policies can select the
  // same set of pods.  In this case, the ingress rules for each are combined additively.
  // This field is NOT optional and follows standard label selector semantics.

  // corresponding HTTP response code, are used in the
  // HTTP response to the client.
  // The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
  // If not set, StatusReasonInvalid is used in the response to the client.
  // +optional
  optional string reason = 3;

  // budget.
  // A null selector selects no pods.
  // An empty selector ({}) also selects no pods, which differs from standard behavior of selecting all pods.
  // In policy/v1, an empty selector will select all pods in the namespace.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;

  // An eviction is allowed if at most "maxUnavailable" pods selected by

  //  1. If it's a kubelet client certificate, it is assigned
  //     "kubernetes.io/kube-apiserver-client-kubelet".
  //  2. If it's a kubelet serving certificate, it is assigned
  //     "kubernetes.io/kubelet-serving".
  //  3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
  // Distribution of trust for signers happens out of band.
  // You can select on this field using `spec.signerName`.
  // +optional

  // +optional
  map<string, string> auditAnnotations = 6;

  // warnings is a list of warning messages to return to the requesting API client.
  // Warning messages describe a problem the client making the API request should correct or be aware of.
  // Limit warnings to 120 characters if possible.
  // Warnings over 256 characters and large numbers of warnings may be truncated.
  // +optional

  // compatible with both the TokenReview and token. An identifier is any
  // identifier in the intersection of the TokenReviewSpec audiences and the
  // token's audiences. A client of the TokenReview API that sets the
  // spec.audiences field should validate that a compatible audience identifier
  // is returned in the status.audiences field to ensure that the TokenReview

// EventSeries contain information on series of events, i.e. thing that was/is happening
// continuously for some time. How often to update the EventSeries is up to the event reporters.
// The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows
// how this struct is updated on heartbeats and can guide customized reporter implementations.
message EventSeries {