- Get-kube.sh uses the gcloud's current local GCP service account for auth when the provider is GCE or GKE instead of the metadata server default ([#88383](https://github.com/kubernetes/kubernetes/pull/88383), [@BenTheElder](https://github.com/BenTheElder)) [SIG Cluster Lifecycle]

Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

**Note**:...

- E2e tests wait for kube-root-ca.crt to be populated in namespaces for use with projected service account tokens, reducing delays starting those test pods and errors in the logs. ([#108860](https://github.com/kubernetes/kubernetes/pull/108860), [@eddiezane](https://github.com/eddiezane)) [SIG Testing]

- Get-kube.sh uses the gcloud's current local GCP service account for auth when the provider is GCE or GKE instead of the metadata server default ([#88383](https://github.com/kubernetes/kubernetes/pull/88383), [@BenTheElder](https://github.com/BenTheElder)) [SIG Cluster Lifecycle]

               * In guava-android, the only kinds of Exception that may be thrown are
               * RuntimeException and IOException because `closeable` has type `Closeable`—except
               * that we have to account for sneaky checked exception.
               */
              restoreInterruptIfIsInterruptedException(e);
              logger.get().log(WARNING, "thrown by close()", e);
            }
          });

- `kube-controller-manager`: The `LegacyServiceAccountTokenCleanUp` feature gate
  is now available as alpha (off by default). When enabled, the `legacy-service-account-token-cleaner`
  controller loop removes service account token secrets that have not been used
  in the time specified by `--legacy-service-account-token-clean-up-period` (defaulting
  to one year), **and are** referenced from the `.secrets` list of a ServiceAccount

    /** The key of the message: Base DN */
    public static final String LABELS_ldap_base_dn = "{labels.ldap_base_dn}";

    /** The key of the message: Account Filter */
    public static final String LABELS_LDAP_ACCOUNT_FILTER = "{labels.ldapAccountFilter}";

    /** The key of the message: Group Filter */

    assertThat(data2.type).isEqualTo(Http2.TYPE_DATA)
    assertThat(data2.streamId).isEqualTo(3)
    assertArrayEquals("fghi".toByteArray(), data2.data)
  }

  /**
   * Confirm that we account for discarded data frames. It's possible that data frames are in-flight
   * just prior to us canceling a stream.
   */
  @Test fun discardedDataFramesAreCounted() {
    // Write the mocking script.

data.offsets.popper = getClientRect(data.offsets.popper);\n\n  // compute center of the popper\n  const center = reference[side] + reference[len] / 2 - arrowElementSize / 2;\n\n  // Compute the sideValue using the updated popper offsets\n  // take popper margin in account because we don't have this info available\n  const css = getStyleComputedProperty(data.instance.popper);\n  const popperMarginSide = parseFloat(css[`margin${sideCapitalized}`]);\n  const popperBorderSide = parseFloat(css[`border${sideCapitalized}Width`]);\n...

### API Change

- 'ACTION REQUIRED: The Dynamic Resource Allocation (DRA) driver's DaemonSet
  must be deployed with a service account that enables writing ResourceSlice
  and reading ResourceClaim objects.'
   ([#125163](https://github.com/kubernetes/kubernetes/pull/125163), [@pohly](https://github.com/pohly)) [SIG Auth, Node and Testing]