t.Errorf("Expected action %d resource to be %s, got %s", i, resource, action.GetResource().Resource)
		}
		subresource := expected[i][2]
		if action.GetSubresource() != subresource {
			t.Errorf("Expected action %d subresource to be %s, got %s", i, subresource, action.GetSubresource())
		}
	}
}

func TestController_canDeleteCIDR(t *testing.T) {
	tests := []struct {
		name       string

	// +optional
	Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"`
	// Subresource is one of the existing resource types.  "" means none.
	// +optional
	Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"`
	// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
	// +optional

	//
	// An "Approved" condition is added via the /approval subresource,
	// indicating the request was approved and should be issued by the signer.
	//
	// A "Denied" condition is added via the /approval subresource,
	// indicating the request was denied and should not be issued by the signer.
	//
	// A "Failed" condition is added via the /status subresource,
	// indicating the signer failed to issue the certificate.
	//

			namespace,
			name,
			scope.Resource,
			scope.Subresource,
			admission.Create,
			patchToCreateOptions(options),
			dryrun.IsDryRun(options.DryRun),
			userInfo)
		staticUpdateAttributes := admission.NewAttributesRecord(
			nil,
			nil,
			scope.Kind,
			namespace,
			name,
			scope.Resource,
			scope.Subresource,
			admission.Update,
			patchToUpdateOptions(options),

	// corrupt them.  the pod status strategy ensures status updates cannot mutate
	// ownerRef.
	whiteList := []whiteListItem{
		{
			groupResource: schema.GroupResource{Resource: "pods"},
			subresource:   "status",
		},
	}
	gcAdmit := &gcPermissionsEnforcement{
		Handler:   apiserveradmission.NewHandler(apiserveradmission.Create, apiserveradmission.Update),
		whiteList: whiteList,
	}

	// - `pods/log` matches the log subresource of pods.
	// - `*` matches all resources and their subresources.
	// - `pods/*` matches all subresources of pods.
	// - `*/scale` matches all scale subresources.
	//
	// If wildcard is present, the validation rule will ensure resources do not
	// overlap with each other.
	//
	// An empty list implies all resources and subresources in this API groups apply.
	// +optional

  //
  // An "Approved" condition is added via the /approval subresource,
  // indicating the request was approved and should be issued by the signer.
  //
  // A "Denied" condition is added via the /approval subresource,
  // indicating the request was denied and should not be issued by the signer.
  //
  // A "Failed" condition is added via the /status subresource,
  // indicating the signer failed to issue the certificate.
  //

  //
  // An "Approved" condition is added via the /approval subresource,
  // indicating the request was approved and should be issued by the signer.
  //
  // A "Denied" condition is added via the /approval subresource,
  // indicating the request was denied and should not be issued by the signer.
  //
  // A "Failed" condition is added via the /status subresource,
  // indicating the signer failed to issue the certificate.
  //

			expectMatches:       true,
			expectMatchResource: gvr("apps", "v1beta1", "deployments"),
			expectMatchKind:     gvk("apps", "v1beta1", "Deployment"),
		},

		{
			name: "specific rules, subresource prefer exact match",
			criteria: &v1.MatchResources{
				NamespaceSelector: &metav1.LabelSelector{},
				ObjectSelector:    &metav1.LabelSelector{},
				ResourceRules: []v1.NamedRuleWithOperations{{

				ResourceRequest: true,
				APIGroup:        "",
				Resource:        "endpoints",
				Subresource:     "",
				Namespace:       "default",
				Name:            "endpoints1",
				Verb:            "custom-verb",
				APIVersion:      "*",
			}),
		},
		{
			name: "test subresource request resource authorizer allow check",
			validations: []ExpressionAccessor{
				&condition{