//  "crl sign",
  //  "encipher only",
  //  "decipher only",
  //  "any",
  //  "server auth",
  //  "client auth",
  //  "code signing",
  //  "email protection",
  //  "s/mime",
  //  "ipsec end system",
  //  "ipsec tunnel",
  //  "ipsec user",
  //  "timestamping",
  //  "ocsp signing",
  //  "microsoft sgc",
  //  "netscape sgc"
  // +listType=atomic
  repeated string usages = 5;

  // +optional
  optional DaemonSetSpec spec = 2;

  // The current status of this daemon set. This data may be
  // out of date by some window of time.
  // Populated by the system.
  // Read-only.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
  // +optional
  optional DaemonSetStatus status = 3;
}

  // The set of valid time zone names and the time zone offset is loaded from the system-wide time zone
  // database by the API server during CronJob validation and the controller manager during execution.
  // If no system-wide time zone database can be found a bundled version of the database is used instead.

  // This field enables Kubernetes to communicate with storage systems that do
  // not share the same nomenclature for nodes. For example, Kubernetes may
  // refer to a given node as "node1", but the storage system may refer to
  // the same node as "nodeA". When Kubernetes issues a command to the storage
  // system to attach a volume to a specific node, it can use this field to

// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.

message PolicyRulesWithSubjects {
  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
  // There must be at least one member in this slice.
  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
  // +listType=atomic
  // Required.
  repeated Subject subjects = 1;

message PolicyRulesWithSubjects {
  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
  // There must be at least one member in this slice.
  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
  // +listType=atomic
  // Required.
  repeated Subject subjects = 1;

  // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
  // Webhooks with side effects MUST implement a reconciliation system, since a request may be
  // rejected by a future step in the admission chain and the side effects therefore need to be undone.
  // Requests with the dryRun attribute will be auto-rejected if they match a webhook with

}

// EndpointConditions represents the current condition of an endpoint.
message EndpointConditions {
  // ready indicates that this endpoint is prepared to receive traffic,
  // according to whatever system is managing the endpoint. A nil value
  // indicates an unknown state. In most cases consumers should interpret this
  // unknown state as ready. For compatibility reasons, ready should never be
  // "true" for terminating endpoints.

  // +optional
  optional string unhealthyPodEvictionPolicy = 4;
}

// PodDisruptionBudgetStatus represents information about the status of a
// PodDisruptionBudget. Status may trail the actual state of a system.
message PodDisruptionBudgetStatus {
  // Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
  // status information is valid only if observedGeneration equals to PDB's object generation.