// when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
  // +optional
  optional bool readOnly = 2;
}

// Eviction evicts a pod from its node subject to certain policies and safety constraints.
// This is a subresource of Pod.  A request to cause such an eviction is
// created by POSTing to .../pods/<pod name>/evictions.
message Eviction {
  // ObjectMeta describes the pod that is being evicted.

> NOTE: Dex supports groups with external connectors so you can use `groups` as policy claim instead of `name`.

```
export MINIO_IDENTITY_OPENID_CLAIM_NAME=groups
```

and add relevant policies on MinIO using `mc admin policy create myminio/ <group_name> group-access.json`

## Explore Further

- [MinIO STS Quickstart Guide](https://min.io/docs/minio/linux/developers/security-token-service.html)

  // +optional
  optional string selectPolicy = 1;

  // policies is a list of potential scaling polices which can be used during scaling.
  // At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
  // +listType=atomic
  // +optional
  repeated HPAScalingPolicy policies = 2;
}

// HorizontalPodAutoscaler is the configuration for a horizontal pod

| *Required*    | *No*                                               |

### Policy

		// this out pro-actively.
		if !strings.HasPrefix(targetID.ID, "httpclient+") {
			arns = append(arns, targetID.ToARN(region).String())
		}
	}

	return arns
}

// Loads notification policies for all buckets into EventNotifier.
func (evnot *EventNotifier) set(bucket string, meta BucketMetadata) {
	config := meta.notificationConfig
	if config == nil {
		return
	}
	region := globalSite.Region()

iam-assets/policies.json {"consoleAdmin":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["admin:*"]},{"Effect":"Allow","Action":["kms:*"]},{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::*"]}]},diagnostics":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["admin:ConsoleLog","admin:ServerInfo","admin:TopLocksInfo","admin:OBDInfo","admin:BandwidthMonitor","admin:Prometheus","admin:Profiling","admin:ServerTrace"],"Resource":["arn:aws:s3:::*"]}]},rea...

		err = s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
		if err != nil {
			c.Fatalf("Unable to set user: %v", err)
		}

		userReq := madmin.PolicyAssociationReq{
			Policies: []string{policy},
			User:     accessKey,
		}
		if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil {
			c.Fatalf("Unable to attach policy: %v", err)
		}

		accessKeys[i] = accessKey

MINIO_IDENTITY_PLUGIN_AUTH_TOKEN    (string)    authorization token for plugin hook endpoint
MINIO_IDENTITY_PLUGIN_ROLE_POLICY*  (string)    policies to apply for plugin authorized users
MINIO_IDENTITY_PLUGIN_ROLE_ID       (string)    unique ID to generate the ARN
MINIO_IDENTITY_PLUGIN_COMMENT       (sentence)  optionally add a comment to this setting
```

### 2. Create a new admin user with CreateUser, DeleteUser and ConfigUpdate permissions

Use [`mc admin policy`](https://min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-policy.html#command-mc.admin.policy) to create custom admin policies.

Create new canned policy file `adminManageUser.json`. This policy enables admin user to
manage other users.

```json
cat > adminManageUser.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {

| *Required*    | *No*                                               |

### Policy