&condition{
					Expression: "authorizer.group('').resource('endpoints').check('create').errored()",
				},
				&condition{
					Expression: "authorizer.group('').resource('endpoints').check('create').error() == 'fake authz error'",
				},
				&condition{
					Expression: "authorizer.group('').resource('endpoints').check('create').allowed()",
				},
			},
			attributes: newValidAttribute(&podObject, false),

  # Build just the images needed for tests
  targets="docker.pilot docker.proxyv2 "

  # use ubuntu:jammy to test vms by default
  nonDistrolessTargets="docker.app docker.app_sidecar_ubuntu_noble docker.ext-authz "
  if [[ "${JOB_TYPE:-presubmit}" == "postsubmit" ]]; then
    # We run tests across all VM types only in postsubmit

					},
				},
				operation: admission.Update,
			},
			allowed: true,
		},
	}

	for _, tc := range tests {
		t.Run(tc.description, func(t *testing.T) {
			p := Plugin{
				authz: fakeAuthorizer{
					t:           t,
					verb:        "attest",
					allowedName: tc.allowedName,
					decision:    authorizer.DecisionAllow,
					err:         tc.authzErr,
				},
			}

	// The set of environment variables to set for `DeployAsVM` instances.
	VMEnvironment map[string]string

	// If enabled, an additional ext-authz container will be included in the deployment. This is mainly used to test
	// the CUSTOM authorization policy when the ext-authz server is deployed locally with the application container in
	// the same pod.
	IncludeExtAuthz bool

}

// IsAllowed - checks given policy args is allowed to continue the Rest API.
func (sys *IAMSys) IsAllowed(args policy.Args) bool {
	// If opa is configured, use OPA always.
	if authz := newGlobalAuthZPluginFn(); authz != nil {
		ok, err := authz.IsAllowed(args)
		if err != nil {
			authZLogIf(GlobalContext, err)
		}
		return ok
	}

	// Policies don't apply to the owner.
	if args.IsOwner {

			{kind.AuthorizationPolicy, "authz", "default"}: true,
		}},
		{"AuthorizationPolicy in a different ns from workload", []string{"*/*"}, map[ConfigKey]bool{
			{kind.AuthorizationPolicy, "authz", "ns1"}: false,
		}},
		{"AuthorizationPolicy in the root namespace", []string{"*/*"}, map[ConfigKey]bool{
			{kind.AuthorizationPolicy, "authz", constants.IstioSystemNamespace}: true,
		}},

			Kind:      kind.PeerAuthentication,
			Name:      "selector-strict",
			Namespace: "ns1",
		}))})
	s.assertEvent(t, xdsSelector)

	s.authz.Delete("selector", testNS)
	s.assertEvent(t, s.podXdsName("pod1"), s.podXdsName("pod3"), xdsSelector)
	assert.Equal(t,
		s.lookup(s.addrXdsName("127.0.0.1"))[0].Address.GetWorkload().AuthorizationPolicies,

											Host: "http.com",
										},
									},
								},
							},
						},
					},
				},
				{
					Meta: config.Meta{Name: "wasm-authz", Namespace: "istio-system", GroupVersionKind: gvk.WasmPlugin},
					Spec: &extensions.WasmPlugin{
						Phase: extensions.PluginPhase_AUTHZ,
						Type:  extensions.PluginType_NETWORK,
					},
				},
				{

	rbacpb "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
	matcherpb "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"

	"istio.io/istio/pilot/pkg/networking/util"
	"istio.io/istio/pilot/pkg/security/authz/matcher"
	"istio.io/istio/pilot/pkg/xds/filters"
	"istio.io/istio/pkg/config/security"
	"istio.io/istio/pkg/spiffe"
)

type generator interface {
	permission(key, value string, forTCP bool) (*rbacpb.Permission, error)

	"istio.io/istio/pilot/pkg/model"
	"istio.io/istio/pilot/pkg/networking/core/route/retry"
	"istio.io/istio/pilot/pkg/networking/telemetry"
	"istio.io/istio/pilot/pkg/networking/util"
	authz "istio.io/istio/pilot/pkg/security/authz/model"
	"istio.io/istio/pilot/pkg/util/protoconv"
	"istio.io/istio/pkg/config"
	"istio.io/istio/pkg/config/constants"
	"istio.io/istio/pkg/config/host"
	"istio.io/istio/pkg/config/labels"