"mode": "fixed"
                }
              }
            ]
          },
          {
            "matcher": {
              "id": "byName",
              "options": "S3 Requests"
            },
            "properties": [
              {
                "id": "color",
                "value": {
                  "fixedColor": "light-green",
                  "mode": "fixed"

		Help:      "Number of GET requests proxied to replication target",
		Type:      counterMetric,
	}
}

func getClusterReplProxiedHeadOperationsMD(ns MetricNamespace) MetricDescription {
	return MetricDescription{
		Namespace: ns,
		Subsystem: replicationSubsystem,
		Name:      proxiedHeadRequestsTotal,
		Help:      "Number of HEAD requests proxied to replication target",

    // No authorization header for the first request...
    var request = server.takeRequest()
    assertThat(request.headers["Authorization"]).isNull()

    // ...but the three requests that follow requests include an authorization header.
    for (i in 0..2) {
      request = server.takeRequest()
      assertThat(request.requestLine).isEqualTo("GET / HTTP/1.1")
      assertThat(request.headers["Authorization"])

- Kube-apiserver: Promoted `AuthorizeWithSelectors` feature to beta, which includes field and label selector information from requests in webhook authorization calls. Promoted `AuthorizeNodeWithSelectors` feature to beta, which changes node authorizer behavior to limit requests from node API clients, so that each Node can only get / list / watch its own Node API object, and can also only get / list / watch Pod API objects bound to that node. Clients...

        .build()
    assertFailsWith<IOException> {
      client.newCall(Request.Builder().url(server.url("/0")).build()).execute()
    }.also { expected ->
      assertThat(expected.message).isEqualTo("Too many follow-up requests: 21")
    }
  }

  /**
   * We had a bug where we were passing a null route to the authenticator.
   * https://github.com/square/okhttp/issues/3809
   */
  @Test

			}
			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}
	}
	defer gr.Close()

	objInfo := gr.ObjInfo

	if !proxy.Proxy { // apply lifecycle rules only for local requests
		// Automatically remove the object/version if an expiry lifecycle rule can be applied
		if lc, err := globalLifecycleSys.Get(bucket); err == nil {
			rcfg, err := globalBucketObjectLockSys.Get(bucket)
			if err != nil {

          "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}",
          "refId": "B",
          "step": 2
        }
      ],
      "title": "Incoming Requests By Source And Response Code",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "${datasource}"
      },
      "fieldConfig": {

	for _, input := range objectInputs {
		uploadTestObject(t, apiRouter, credentials, bucketName, input.objectName, input.partLengths, input.metaData, false)
	}

	// function type for creating signed requests - used to repeat
	// requests with V2 and V4 signing.
	type testSignedReqFn func(method, urlStr string, contentLength int64,
		body io.ReadSeeker, accessKey, secretKey string, metamap map[string]string) (*http.Request,
		error)

  * kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'.
  * Authenticated users are decorated with a 'system:authenticated' group.

          "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}",
          "refId": "B",
          "step": 2
        }
      ],
      "title": "Incoming Requests By Source And Response Code",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "${datasource}"
      },
      "fieldConfig": {