var supportedKexAlgos = []string{
	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
	// P384 and P521 are not constant-time yet, but since we don't
	// reuse ephemeral keys, using them for ECDH should be OK.
	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
	kexAlgoDH14SHA256, kexAlgoDH16SHA512, kexAlgoDH14SHA1,
	kexAlgoDH1SHA1,
}

      "coverage" : {
        "per_day" : [ "linux" ]
      }
    } ]
  }, {
    "testId" : "org.gradle.performance.regression.buildcache.TaskOutputCachingJavaPerformanceTest.clean check on ephemeral ci with remote http cache",
    "groups" : [ {
      "testProject" : "smallJavaMultiProjectManyExternalDependencies",
      "coverage" : {
        "per_day" : [ "linux" ]
      }
    } ]
  }, {

  }, {
    "testProject" : "largeMonolithicJavaProject",
    "linux" : 648
  } ]
}, {
  "scenario" : "org.gradle.performance.regression.buildcache.TaskOutputCachingJavaPerformanceTest.clean check on ephemeral ci with remote http cache",
  "durations" : [ {
    "testProject" : "smallJavaMultiProjectManyExternalDependencies",
    "linux" : 616
  } ]
}, {

the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

**Note**: This only impacts the cluster if the ServiceAccount admission...

* a CSI driver that supports ephemeral inline volumes must explicitly declare that by providing a CSIDriver object where the new "mode" field is set to "ephemeral" or "persistent+ephemeral" ([#80568](https://github.com/kubernetes/kubernetes/pull/80568), [@pohly](https://github.com/pohly))

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

**Affected Versions**:
  - kube-apiserver v1.29.0 - v1.29.3
  - kube-apiserver v1.28.0 - v1.28.8
  - kube-apiserver <= v1.27.12

**Fixed Versions**:

the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

**Note**: This only impacts the cluster if the ServiceAccount admission...

- Fixed a bug where adding an ephemeral container to a pod which references a new secret or config map doesn't give the pod access to that new secret or config map. (#114984, @cslink) ([#129670](https://github.com/kubernetes/kubernetes/pull/129670), [@cslink](https://github.com/cslink))...

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

**Affected Versions**:
  - kube-apiserver v1.29.0 - v1.29.3
  - kube-apiserver v1.28.0 - v1.28.8
  - kube-apiserver <= v1.27.12

**Fixed Versions**:

Consistency Test (if operated in FIPS mode) and // aborts the program (stopping the module input/output and entering the "error // state") if the test fails. // // PCTs are mandatory for every generated (but not imported) key pair, including // ephemeral keys (which effectively doubles the cost of key establishment). See // Implementation Guidance 10.3.A Additional Comment 1. // // The name must not contain commas, colons, hashes, or equal signs. // // If a package p calls PCT during key generation,...