cross:
	hack/make-rules/cross.sh
cross-in-a-container: KUBE_OUTPUT_SUBPATH = $(OUT_DIR)/dockerized
cross-in-a-container:
ifeq (,$(wildcard /.dockerenv))
	echo -e "\nThe 'cross-in-a-container' target can only be used from within a docker container.\n"
else
	hack/make-rules/cross.sh
endif
endif

define CMD_HELP_INFO
# Add rules for all directories in cmd/
#
# Example:

	// Rules holds all the PolicyRules for this ClusterRole
	// +optional
	// +listType=atomic
	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`

	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
	// stomped by the controller.

groups:
- rules:
  - matches:
    - destinationPorts:
      - 80
  - matches:
    - namespaces:
      - exact: only-l4-ns
      principals:
      - exact: only-l4-principals
- rules:
  - matches:
    - namespaces:
      - exact: when-l4-ns
  - matches:
    - sourceIps:
      - address: CgoKCg==
        length: 32
name: groups

// 1. Available in our $PATH
// 2. Matches where rules are actually defined in the netns we're operating in
// (legacy or nft, with a preference for the latter if both present)
//
// This is designed to handle situations where, for instance, the host has nft-defined rules, and our default container
// binary is `legacy`, or vice-versa - we must match the binaries we have in our $PATH to what rules are actually defined
// in our current netns context.

  // Rules holds all the PolicyRules for this ClusterRole
  // +optional
  // +listType=atomic
  repeated PolicyRule rules = 2;

  // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
  // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
  // stomped by the controller.
  // +optional

        version << TestedVersions.nebulaDependencyLock
    }

    @Issue('https://plugins.gradle.org/plugin/com.netflix.nebula.resolution-rules')
    @Requires(UnitTestPreconditions.Jdk11OrEarlier)
    def 'nebula resolution rules plugin'() {
        when:
        file('rules.json') << """
            {
                "replace" : [
                    {
                        "module" : "asm:asm",

name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  rules:
    policies:
      ns[foo]-policy[allow-all]-rule[0]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - any: true

		extended:  g,
	}

	p.rules = append([]*rule{r}, p.rules...)
}

func (p *ruleList) appendLast(g generator, key string, values, notValues []string) {
	if len(values) == 0 && len(notValues) == 0 {
		return
	}
	r := &rule{
		key:       key,
		values:    values,
		notValues: notValues,
		g:         g,
	}

	p.rules = append(p.rules, r)
}

typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  shadowRules:
    policies:
      ns[foo]-policy[httpbin-1]-rule[0]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: /allow
        principals:
        - andIds:
            ids:
            - any: true

	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Rules are OR-ed (e.g. ANY rule can match)
	// This is a generic form of the authz policy's to, from and when
	Rules []*Rules `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
}

func (x *Group) Reset() {
	*x = Group{}
	if protoimpl.UnsafeEnabled {