assertFalse(user.isEditable());

        // Test with different user configurations
        user = new TestFessUser("admin", new String[] { "admin" }, new String[] { "admins" }, new String[] { "*" });
        assertFalse(user.isEditable());

        user = new TestFessUser("", new String[] {}, new String[] {}, new String[] {});
        assertFalse(user.isEditable());

 - `kubeadm`: a separate "super-admin.conf" file is now deployed. The User in `admin.conf` is now bound to a new RBAC Group `kubeadm:cluster-admins` that has `cluster-admin` `ClusterRole` access. The User in `super-admin.conf` is now bound to the `system:masters` built-in super-powers / break-glass Group that can bypass RBAC. Before this change, the default `admin.conf` was bound to `system:masters` Group, which was undesired. Executing `kubeadm...

- DRA: Starting Kubernetes 1.33, only users with access to an admin namespace with the `kubernetes.io/dra-admin-access` label are authorized to create ResourceClaim or ResourceClaimTemplate objects with the `adminAccess` field in this admin namespace if they want to and only they can reference these ResourceClaims or ResourceClaimTemplates in their pod or deployment specs. ([#130225](https://github...

There is no mitigation from this issue.  Cluster admins should take care to secure aggregated API servers and should not grant access to mutate `APIService`s to untrusted parties.

**Affected Versions**:
  - kube-apiserver v1.25.0
  - kube-apiserver v1.24.0 - v1.24.4

- CSIServiceAccountToken graduates to Beta and enabled by default. ([#99298](https://github.com/kubernetes/kubernetes/pull/99298), [@zshihang](https://github.com/zshihang))

* - Add PodSecurityPolicies for cluster addons ([#55509](https://github.com/kubernetes/kubernetes/pull/55509), [@tallclair](https://github.com/tallclair))
    * - Remove SSL cert HostPath volumes from heapster addons

- DRA: Starting with Kubernetes 1.34, the alpha-level `resource.k8s.io/admin-access` label has been updated to `resource.kubernetes.io/admin-access`. Admins using the alpha feature and updating from 1.33 can set both labels, upgrade, then remove `resource.k8s.io/admin-access` when no downgrade is going to happen anymore. ([#131996](https://github.com/kubernetes/kubernetes/pull/131996), [@ritazh](https://github.com/ritazh))...

There is no mitigation from this issue.  Cluster admins should take care to secure aggregated API servers and should not grant access to mutate `APIService`s to untrusted parties.

**Affected Versions**:
  - kube-apiserver v1.25.0
  - kube-apiserver v1.24.0 - v1.24.4

        for (String val : updatedList) {
            assertEquals(val, "{role}admin-api2");
        }
    }

    private void testPermission() {
        // Create access token
        final String name = NAME_PREFIX + 0;
        final Map<String, Object> requestBody = new HashMap<>();
        requestBody.put("name", name);
        requestBody.put("permissions", "Radmin-api");

                .body("{\"index\":{\"_index\":\"fess_config.access_token\",\"_id\":\"" + DEFAULT_TEST_TOKEN_ID
                        + "\"}}\n{\"updatedTime\":1490250145200,\"updatedBy\":\"admin\",\"createdBy\":\"admin\",\"permissions\":[\"Radmin-api\",\"Rguest\"],\"name\":\"Admin API\",\"createdTime\":1490250145200,\"token\":\""
                        + DEFAULT_TEST_TOKEN + "\"}\n")
                .when()
                .post(getEsUrl() + "/_bulk");