- Graduated the `LegacyServiceAccountTokenTracking` feature gate to Beta. The usage of auto-generated secret-based service account token now produces warnings by default, and relevant Secrets are labeled with a last-used timestamp (label key `kubernetes.io/legacy-token-last-used`). ([#114523](https://github.com/kubernetes/kubernetes/pull/114523), [@zshihang](https://github.com/zshihang)) [SIG API Machinery and Auth]

  is now available as alpha (off by default). When enabled, the `legacy-service-account-token-cleaner`
  controller loop removes service account token secrets that have not been used
  in the time specified by `--legacy-service-account-token-clean-up-period` (defaulting
  to one year), **and are** referenced from the `.secrets` list of a ServiceAccount

labels.reading=読み
labels.roleTypeIds=ロールID
labels.scriptData=スクリプト
labels.scriptResult=結果
labels.scriptType=実行方法
labels.segmentation=分割
labels.startTime=開始時間
labels.target=対象
labels.token=トークン
labels.synonymFile=同義語ファイル
labels.stopwordsFile=ストップワードファイル
labels.stemmerOverrideFile=Stemmer上書きファイル
labels.mappingFile=マッピングファイル
labels.protwordsFile=Protwordsファイル
labels.kuromojiFile=Kuromojiファイル

* fix pod stuck issue due to corrupt mnt point in flexvol plugin, call Unmount if PathExists returns any error ([#75234](https://github.com/kubernetes/kubernetes/pull/75234), [@andyzhangx](https://github.com/andyzhangx))
* vSphere: allow SAML token delegation (required for Zones support) ([#78876](https://github.com/kubernetes/kubernetes/pull/78876), [@dougm](https://github.com/dougm))

- Updated an audit annotation key used by the `…/serviceaccounts/<name>/token` resource handler.

    public static final String ERRORS_failed_to_upload_mapping_file = "{errors.failed_to_upload_mapping_file}";

    /** The key of the message: {0} is invalid as a token. */
    public static final String ERRORS_invalid_kuromoji_token = "{errors.invalid_kuromoji_token}";

    /** The key of the message: The number of segmentation for {0} and {1} is different. */

    assertThat(response.cacheResponse!!.request.url).isEqualTo(request.url)
  }

  @Test
  fun postWithOverrideResponse() {
    val url = server.url("/abc?token=123")
    val cacheUrlOverride = url.newBuilder().removeAllQueryParameters("token").build()

    val request =
      Request
        .Builder()
        .url(url)
        .method("POST", "XYZ".toRequestBody())

- Fixed ambiguous behavior when bearer token (kubectl --token=..) and an exec credential plugin was configured in the same context - the bearer token now takes precedence. ([#91745](https://github.com/kubernetes/kubernetes/pull/91745), [@anderseknert](https://github.com/anderseknert)) [SIG API Machinery, Auth and Testing]

unprivileged pods, using the proxy to perform privileged storage operations on the node.

Another feature moving to GA in v1.22 is CSI Service Account Token support. This feature allows CSI drivers to use pods' [bound service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume) instead of a more privileged identity. It also provides control over to re-publishing these volumes, so that short-lived tokens can be refreshed....

- Renames the timeout field for the DelegatingAuthenticationOptions to TokenRequestTimeout and set the timeout only for the token review client. Previously the timeout was also applied to watches making them reconnecting every 10 seconds. ([#101103](https://github.com/kubernetes/kubernetes/pull/101103), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery, Auth and...