* these three certificates are used.
 *
 * ```
 * www.squareup.com certificate:
 *
 * Common Name: www.squareup.com
 * Subject Alternative Names: www.squareup.com, squareup.com, account.squareup.com...
 * Validity: 2018-07-03T20:18:17Z – 2019-08-01T20:48:15Z
 * Public Key: d107beecc17325f55da976bcbab207ba4df68bd3f8fce7c3b5850311128264fd53e1baa342f58d93...

            assertEquals("S-1-5-10-20", unknown.getDomainName());
            assertEquals("30", unknown.getAccountName());

            // Domain type: domain name as-is, account name empty
            SID domain = new SID(buildSidT((byte) 1, ident, 10, 20), jcifs.SID.SID_TYPE_DOMAIN, "MYDOM", "ignored", false);
            assertEquals("MYDOM", domain.getDomainName());

[@caesarxuchao](https://github.com/caesarxuchao))

* Using kubectl gcp auth plugin with a Google Service Account to authenticate to a cluster now additionally requests a token with the  "userinfo.email" scope. This way, users can write ClusterRoleBindings/RoleBindings with the email address of the service account directly. (This is a breaking change if the numeric uniqueIDs of the Google service accounts were being used in RBAC role bindings. The behavior can be overridden by explicitly specifying the...

resource belongs to. ([#43338](https://github.com/kubernetes/kubernetes/pull/43338), [@fabianofranz](https://github.com/fabianofranz))

* `--service-account-lookup` now defaults to true, requiring the Secret API object containing the token to exist in order for a service account token to be valid. This enables service account tokens to be revoked by deleting the Secret object containing the token. ([#44071](https://github.com/kubernetes/kubernetes/pull/44071), [@liggitt](https://github.com/liggitt))...

  - `--service-account-issuer`, should be set to a URL identifying the API server that will be stable over the cluster lifetime.
  - `--service-account-key-file`, set to one or more files containing one or more public keys used to verify tokens.

* An `automountServiceAccountToken` field was added to ServiceAccount and PodSpec objects. If set to `false` on a pod spec, no service account token is automounted in the pod. If set to `false` on a service account, no service account token is automounted for that service account unless explicitly overridden in the pod spec. ([#37953](https://github.com/kubernetes/kubernetes/pull/37953), [@liggitt](https://github.com/liggitt))

    /** LDAP initial context factory configuration key. */
    public static final String LDAP_INITIAL_CONTEXT_FACTORY = "ldap.initial.context.factory";

    /** LDAP account filter configuration key. */
    public static final String LDAP_ACCOUNT_FILTER = "ldap.account.filter";

    /** LDAP group filter configuration key. */
    public static final String LDAP_GROUP_FILTER = "ldap.group.filter";

        SID domainSid = new SID(rpcSid, SID.SID_TYPE_DOMAIN, "MYDOMAIN", null, true);
        assertThrows(IllegalArgumentException.class, domainSid::getRid);
    }

    /**
     * Test getting the account name.
     */
    @Test
    void testGetAccountName() {
        rpc.sid_t rpcSid = new rpc.sid_t();
        SID sid = new SID(rpcSid, SID.SID_TYPE_USER, "DOMAIN", "user", false);

	},
	ErrAccountNotEligible: {
		Code:           "XMinioInvalidIAMCredentials",
		Description:    "The account key is not eligible for this operation",
		HTTPStatusCode: http.StatusForbidden,
	},
	ErrAdminServiceAccountNotFound: {
		Code:           "XMinioInvalidIAMCredentials",
		Description:    "The specified service account is not found",
		HTTPStatusCode: http.StatusNotFound,
	},
	ErrPostPolicyConditionInvalidFormat: {

* The `kube-cloud-controller-manager` flag `--service-account-private-key-file` was non-functional and is now deprecated. ([#50289](https://github.com/kubernetes/kubernetes/pull/50289), [@liggitt](https://github.com/liggitt))
    * The `kube-cloud-controller-manager` flag `--use-service-account-credentials` is now honored consistently, regardless of whether `--service-account-private-key-file` was specified.