authorizer.DecisionAllow,
				"RBAC: allowed to patch pod",
				nil,
			},
			want: `
			# HELP authorization_attempts_total [ALPHA] Counter of authorization attempts broken down by result. It can be either 'allowed', 'denied', 'no-opinion' or 'error'.
			# TYPE authorization_attempts_total counter
			authorization_attempts_total{result="allowed"} 1
				`,
		},
		{
			desc: "decision forbid",

package aaa

import (
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/inverse/allowed"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/inverse/allowed/a1"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/inverse/forbidden"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/inverse/forbidden/f1"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/inverse/neither"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/inverse/neither/n1"
)

package aaa

import (
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/transitive/allowed"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/transitive/allowed/a1"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/transitive/forbidden"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/transitive/forbidden/f1"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/transitive/neither"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/transitive/neither/n1"
)

			shouldBeAllowed: false,
		},
		{
			name:            "package path not fully matching forbidden prefix is allowed",
			pkgPath:         "bar/foo",
			shouldBeAllowed: true,
		},
		{
			name:            "package path containing forbidden prefix (not as prefix) is allowed",
			pkgPath:         "k8s.io/bar/foo/baz/etc",
			shouldBeAllowed: true,
		},
	}

package aaa

import (
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/simple-fwd/allowed"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/simple-fwd/allowed/a1"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/simple-fwd/forbidden"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/simple-fwd/forbidden/f1"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/simple-fwd/neither"
	_ "k8s.io/kubernetes/cmd/import-boss/testdata/simple-fwd/neither/n1"
)

			validations: []ExpressionAccessor{
				&condition{
					Expression: "!authorizer.group('').resource('endpoints').check('create').allowed() && !authorizer.group('').resource('endpoints').check('create').allowed() && !authorizer.group('').resource('endpoints').check('create').allowed()",
				},
			},
			attributes:                  newValidAttribute(nil, false),
			hasParamKind:                true,

    }
    expectUnchanged();
  }

  @MapFeature.Require(absent = SUPPORTS_PUT)
  public void testReplaceEntry_unsupportedAbsentKey() {
    try {
      getMap().replace(k3(), v3(), v4());
    } catch (UnsupportedOperationException tolerated) {
      // the operation would be a no-op, so exceptions are allowed but not required
    }
    expectUnchanged();

 * <ul>
 * <li>Constructors are not allowed.</li>
 * <li>Inheritance hierarchies are not allowed (i.e. all rules sources must directly extend {@link RuleSource}).</li>
 * <li>Instance variables are not allowed.</li>
 * <li>Non-final static variables are not allowed (i.e. constants are allowed).</li>
 * <li>Methods cannot be overloaded.</li>

rules:
  - selectorRegexp: k8s[.]io
    allowedPrefixes:
      - k8s.io/kubernetes/cmd/import-boss/testdata/nested-fwd/allowed-by-root
      - k8s.io/kubernetes/cmd/import-boss/testdata/nested-fwd/allowed-by-both
    forbiddenPrefixes:
      - k8s.io/kubernetes/cmd/import-boss/testdata/nested-fwd/forbidden-by-root

}

// PrivilegedSources defines the pod sources allowed to make privileged requests for certain types
// of capabilities like host networking, sharing the host IPC namespace, and sharing the host PID namespace.
type PrivilegedSources struct {
	// List of pod sources for which using host network is allowed.
	HostNetworkSources []string

	// List of pod sources for which using host pid namespace is allowed.
	HostPIDSources []string