```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-and-permissive-mtls
spec:
  selector:
    matchLabels:
      app: a
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: PERMISSIVE
```

will be translated into this `Authorization`:

```yaml
action: DENY
groups:
- rules:
  - matches:

# This configures all services within the namespace to use mTLS with permissive mode (allowing plaintext).

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: ns-default
  namespace: {{ .To.NamespaceName }}
spec:
  mtls:
    mode: PERMISSIVE

---
# This configures requests to any service in the namespace to use mTLS.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:

apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: valid-peer-authentication
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    8080:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-peer-authentication
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    8080:

		if features.DisableMxALPN {
			ctx.CommonTlsContext.AlpnProtocols = util.ALPNDownstream
		} else {
			ctx.CommonTlsContext.AlpnProtocols = util.ALPNDownstreamWithMxc
		}
	} else {
		// Note that in the PERMISSIVE mode, we match filter chain on "istio" ALPN,
		// which is used to differentiate between service mesh and legacy traffic.
		//
		// Client sidecar outbound cluster's TLSContext.ALPN must include "istio".
		//

        where:
        // We can't test against Java 6 since the gradleApi dependencies are compiled to java 8.
        // However, the java 7 compiler is permissive enough to compile against the java 8 API classes.
        version << [JavaVersion.VERSION_1_7]
    }

    def "succeeds when running with compatible java version"() {
        given:

    /**
     * Meant as a temporary solution for situations where we need to declare dependencies against a consumable configuration.
     *
     * This <strong>SHOULD NOT</strong> be necessary, and is a symptom of an over-permissive configuration.
     */
    @Deprecated
    public static final ConfigurationRole CONSUMABLE_DEPENDENCY_SCOPE = createNonDeprecatedRole("Consumable Dependency Scope", true, false, true);

    /**

)

type Options struct {
	// StoredExpressions must be true if and only if validating CEL
	// expressions that were already stored persistently. This makes
	// validation more permissive by enabling CEL definitions that are not
	// valid yet for new expressions.
	StoredExpressions bool
}

func ValidateResources(resources *resource.NamedResourcesResources, fldPath *field.Path) field.ErrorList {

 *
 * This implements non-transitional processing by preserving deviation characters.
 *
 * This implementation's STD3 rules are configured to `UseSTD3ASCIIRules=false`. This is
 * permissive and permits the `_` character.
 *
 * [mapping table]: https://www.unicode.org/reports/tr46/#IDNA_Mapping_Table
 * [mapping step]: https://www.unicode.org/reports/tr46/#ProcessingStepMap
 */

# golangci-lint is used in Kubernetes with different configurations that
# enable an increasing amount of checks:
# - golangci.yaml is the most permissive configuration. All existing code
#   passed.
# - golangci-strict.yaml adds checks that all new code in pull requests
#   must pass.
# - golangci-hints.yaml adds checks for code patterns where developer
#   and reviewer may decide whether findings should get addressed before