type pvcEvaluator struct {
	// listFuncByNamespace knows how to list pvc claims
	listFuncByNamespace generic.ListFuncByNamespace
}

// Constraints verifies that all required resources are present on the item.
func (p *pvcEvaluator) Constraints(required []corev1.ResourceName, item runtime.Object) error {
	// no-op for persistent volume claims
	return nil
}

temporary credentials generated in the AssumeRoleWithWebIdentity call.

2. `id_token` claims: When the role policy is not configured, MinIO looks for a specific claim in the `id_token` (JWT) returned by the OpenID provider in the STS request. The default claim is `policy` and can be overridden by the `claim_name` configuration parameter or the `MINIO_IDENTITY_OPENID_CLAIM_NAME` environment variable. The claim value can be a string (comma-separated list) or an array of IAM access policy names defined...

			"username claims other than 'email' are prefixed by the issuer URL to avoid "+
			"clashes. To skip any prefixing, provide the value '-'.")

		fs.StringVar(&o.OIDC.GroupsClaim, oidcGroupsClaimFlag, "", ""+
			"If provided, the name of a custom OpenID Connect claim for specifying user groups. "+
			"The claim value is expected to be a string or array of strings. This flag is experimental, "+

		}

		// Finally, if there is no parent policy, check if a policy claim is
		// present in the session token.
		if len(policies) == 0 {
			// If there is no parent policy mapping, we fall back to
			// using policy claim from JWT.
			policySet, ok := args.GetPolicies(iamPolicyClaimNameOpenID())
			if !ok {
				// When claims are set, it should have a policy claim field.
				return false
			}

		if !podInOrdinalRange(pod, set) {
			if !hasOwnerRef(claim, pod) || hasOwnerRef(claim, set) {
				return fmt.Errorf("condemned claim %s has bad owner refs: %v", claim.Name, claim.GetOwnerReferences())
			}
		} else {
			if hasOwnerRef(claim, pod) || !hasOwnerRef(claim, set) {
				return fmt.Errorf("live claim %s has bad owner refs: %v", claim.Name, claim.GetOwnerReferences())
			}
		}
	}
	return nil
}

			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClaimUserinfo,
			Description: `Enable fetching claims from UserInfo Endpoint for authenticated user` + defaultHelpPostfix(ClaimUserinfo),
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         KeyCloakRealm,

			if err != nil {
				t.Error(err)
				return
			}

			req := &drapbv1alpha3.NodePrepareResourcesRequest{
				Claims: []*drapbv1alpha3.Claim{
					{
						Namespace:      "dummy-namespace",
						Uid:            "dummy-uid",
						Name:           "dummy-claim",
						ResourceHandle: "dummy-resource",
					},
				},
			}
			client.NodePrepareResources(context.TODO(), req)

		}
		return
	}

	claims := struct{}{}
	if err := json.Unmarshal([]byte(c.claims), &claims); err != nil {
		t.Fatalf("failed to unmarshal claims: %v", err)
	}

	// Sign and serialize the claims in a JWT.
	jws, err := signer.Sign([]byte(c.claims))
	if err != nil {
		t.Fatalf("sign claims: %v", err)
	}
	token, err := jws.CompactSerialize()
	if err != nil {

		},
		{
			name: "@request.auth.claims.key1",
			want: RoutingClaim{Match: true, Separator: Dot, Claims: []string{"key1"}},
		},
		{
			name: "@request.auth.claims.key1.KEY2",
			want: RoutingClaim{Match: true, Separator: Dot, Claims: []string{"key1", "KEY2"}},
		},
		{
			name: "@request.auth.claims.key1-key2",
			want: RoutingClaim{Match: true, Separator: Dot, Claims: []string{"key1-key2"}},
		},
		{

			if err != nil {
				return nil, err
			}
			return []string{ret}, nil
		}
		claims = append(claims, s[begin+1:end])
		begin = end + 1
	}
	return claims, nil
}

func MetadataStringMatcherForJWTClaim(claim string, m *matcherpb.StringMatcher) *matcherpb.MetadataMatcher {
	return MetadataValueMatcherForJWTClaim(claim, &matcherpb.ValueMatcher{
		MatchPattern: &matcherpb.ValueMatcher_StringMatch{
			StringMatch: m,
		},