optional ParamRef paramRef = 2;

  // MatchResources declares what resources match this binding and will be validated by it.
  // Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
  // If this is unset, all resources matched by the policy are validated by this binding

  // trust between the target audiences.
  repeated string audiences = 1;

  // ExpirationSeconds is the requested duration of validity of the request. The
  // token issuer may return a token with a different validity duration so a
  // client needs to check the 'expiration' field in a response.
  // +optional
  optional int64 expirationSeconds = 4;

  // identifier in the intersection of the TokenReviewSpec audiences and the
  // token's audiences. A client of the TokenReview API that sets the
  // spec.audiences field should validate that a compatible audience identifier
  // is returned in the status.audiences field to ensure that the TokenReview
  // server is audience aware. If a TokenReview returns an empty

  // tokens it is mounting volume for to do necessary authentication. Kubelet
  // will pass the tokens in VolumeContext in the CSI NodePublishVolume calls.
  // The CSI driver should parse and validate the following VolumeContext:
  // "csi.storage.k8s.io/serviceAccount.tokens": {
  //   "<audience>": {
  //     "token": <token>,
  //     "expirationTimestamp": <expiration timestamp in RFC3339>,
  //   },

  // * webhooks that use this option may be reordered to minimize the number of additional invocations.
  // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
  //
  // Defaults to "Never".
  // +optional
  optional string reinvocationPolicy = 10;

  // Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned
  // record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting
  // to load or validate the Assigned config, etc.
  // Errors may occur at different points while syncing config. Earlier errors (e.g. download or
  // checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across

  //  6. Whether or not requests for CA certificates are allowed.
  optional string signerName = 7;

  // expirationSeconds is the requested duration of validity of the issued
  // certificate. The certificate signer may issue a certificate with a different
  // validity duration so a client must check the delta between the notBefore and
  // and notAfter fields in the issued certificate to determine the actual duration.
  //

  // * webhooks that use this option may be reordered to minimize the number of additional invocations.
  // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
  //
  // Defaults to "Never".
  // +optional
  optional string reinvocationPolicy = 10;

  // tokens it is mounting volume for to do necessary authentication. Kubelet
  // will pass the tokens in VolumeContext in the CSI NodePublishVolume calls.
  // The CSI driver should parse and validate the following VolumeContext:
  // "csi.storage.k8s.io/serviceAccount.tokens": {
  //   "<audience>": {
  //     "token": <token>,
  //     "expirationTimestamp": <expiration timestamp in RFC3339>,
  //   },

  // You can select on this field using `spec.signerName`.
  // +optional
  optional string signerName = 7;

  // expirationSeconds is the requested duration of validity of the issued
  // certificate. The certificate signer may issue a certificate with a different
  // validity duration so a client must check the delta between the notBefore and
  // and notAfter fields in the issued certificate to determine the actual duration.
  //