Go 1.22 disabled
[`ConnectionState.ExportKeyingMaterial`](/pkg/crypto/tls/#ConnectionState.ExportKeyingMaterial)
when the connection supports neither TLS 1.3 nor Extended Master Secret
(implemented in Go 1.21). It can be reenabled with the [`tlsunsafeekm`
setting](/pkg/crypto/tls/#ConnectionState.ExportKeyingMaterial).

Go 1.22 changed how the runtime interacts with transparent huge pages on Linux.

	// Presign is not needed for anonymous credentials.
	if accessKeyID == "" || secretAccessKey == "" {
		return errors.New("Presign cannot be generated without access and secret keys")
	}

	region := globalSite.Region()
	date := UTCNow()
	scope := getScope(date, region)
	credential := fmt.Sprintf("%s/%s", accessKeyID, scope)

	// Set URL query.
	query := req.URL.Query()

- Fixed a bug where adding an ephemeral container to a pod which references a new secret or config map doesn't give the pod access to that new secret or config map. (#114984, @cslink) ([#129670](https://github.com/kubernetes/kubernetes/pull/129670), [@cslink](https://github.com/cslink)) [SIG Auth]

- Graduated the `LegacyServiceAccountTokenTracking` feature gate to Beta. The usage of auto-generated secret-based service account token now produces warnings by default, and relevant Secrets are labeled with a last-used timestamp (label key `kubernetes.io/l...

			"X-Minio-Replication-Server-Side-Encryption-Sealed-Key",
			"X-Minio-Replication-Server-Side-Encryption-Iv",
		}
		ssecRep := false
		for _, header := range ssecRepHeaders {
			if val := r.Header.Get(header); val != "" {
				ssecRep = true
				break
			}
		}
		if !ssecRep || !sourceReplReq {
			if err = setEncryptionMetadata(r, bucket, object, encMetadata); err != nil {

* Adds --append-hash flag to kubectl create configmap/secret, which will append a short hash of the configmap/secret contents to the name during creation. ([#49961](https://github.com/kubernetes/kubernetes/pull/49961), [@mtaufen](https://github.com/mtaufen))

from the early secret // and the transcript up to the ClientHello. func (s *EarlySecret) EarlyExporterMasterS(transcript fips140.Hash) *ExporterMasterSecret { return &ExporterMasterSecret{ secret: deriveSecret(s.hash, s.secret, earlyExporterLabel, transcript), hash: s.hash, } } func (s *ExporterMasterSecret) Exporter(label string, context []byte, length int) []byte { secret := deriveSecret(s.hash, s.secret, label, nil) h := s.hash() h.Write(context) return ExpandLabel(s.hash, secret, "exporter", h.Sum(nil),...

### Secrets
* Populate environment variables from a secrets. ([#39446](https://github.com/kubernetes/kubernetes/pull/39446), [@fraenkel](https://github.com/fraenkel))

### CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin

    public static final String STORAGE_ENDPOINT = "storage.endpoint";

    /** Storage access key configuration key. */
    public static final String STORAGE_ACCESS_KEY = "storage.accesskey";

    /** Storage secret key configuration key. */
    public static final String STORAGE_SECRET_KEY = "storage.secretkey";

    /** Storage bucket configuration key. */
    public static final String STORAGE_BUCKET = "storage.bucket";