// allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
  // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
  // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
  // Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
  //
  // Examples:
  // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

* `allow_headers` - A list of HTTP request headers that should be supported for cross-origin requests. Defaults to `[]`. You can use `['*']` to allow all headers. The `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` headers are always allowed for <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" class="external-link" rel="noopener" target="_blank">simple CORS...

  optional string namespace = 3;
}

// ImageReviewStatus is the result of the review for the pod creation request.
message ImageReviewStatus {
  // Allowed indicates that all images were allowed to be run.
  optional bool allowed = 1;

  // Reason should be empty unless Allowed is false in which case it
  // may contain a short description of what is wrong.  Kubernetes
  // may truncate excessively long errors when displaying to the user.

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

  // This must be copied over from the corresponding AdmissionRequest.
  optional string uid = 1;

  // Allowed indicates whether or not the admission request was permitted.
  optional bool allowed = 2;

  // Result contains extra details into why an admission request was denied.
  // This field IS NOT consulted in any way if "Allowed" is "true".
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;

    "--connect-timeout",
    help = "Maximum time allowed for connection (seconds)",
  ).int().default(DEFAULT_TIMEOUT)

  val readTimeout: Int by option("--read-timeout", help = "Maximum time allowed for reading data (seconds)").int().default(DEFAULT_TIMEOUT)

  val callTimeout: Int by option(
    "--call-timeout",
    help = "Maximum time allowed for the entire call (seconds)",
  ).int().default(DEFAULT_TIMEOUT)

```Python hl_lines="2  6-8"
{!../../../docs_src/advanced_middleware/tutorial002.py!}
```

The following arguments are supported:

* `allowed_hosts` - A list of domain names that should be allowed as hostnames. Wildcard domains such as `*.example.com` are supported for matching subdomains. To allow any hostname either use `allowed_hosts=["*"]` or omit the middleware.

If an incoming request does not validate correctly then a `400` response will be sent.

  // This should be copied over from the corresponding AdmissionRequest.
  optional string uid = 1;

  // Allowed indicates whether or not the admission request was permitted.
  optional bool allowed = 2;

  // Result contains extra details into why an admission request was denied.
  // This field IS NOT consulted in any way if "Allowed" is "true".
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;

  //  4. Required, permitted, or forbidden key usages / extended key usages.
  //  5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
  //  6. Whether or not requests for CA certificates are allowed.
  optional string signerName = 7;