- Rename `AllowlistEntry.Name` to `AllowlistEntry.Command` in the credential plugin allowlist ([#137272](https://github.com/kubernetes/kubernetes/pull/137272), [@pmengelbert](https://github.com/pmengelbert)) [SIG API Machinery, Auth, CLI and Testing]

### API Change

	return MetricDescription{
		Namespace: namespace,
		Subsystem: replicationSubsystem,
		Name:      credentialErrors,
		Help:      "Total number of replication credential errors since server uptime",
		Type:      counterMetric,
	}
}

func getClusterReplCurrQueuedOperationsMD() MetricDescription {
	return MetricDescription{
		Namespace: nodeMetricNamespace,

* vendor: update github.com/coreos/go-oidc client package ([#31564](https://github.com/kubernetes/kubernetes/pull/31564), [@ericchiang](https://github.com/ericchiang))
* Fixed an issue that caused a credential error when deploying federation control plane onto a GKE cluster. ([#31747](https://github.com/kubernetes/kubernetes/pull/31747), [@madhusudancs](https://github.com/madhusudancs))

* Match GroupVersionKind against specific version ([#34010](https://github.com/kubernetes/kubernetes/pull/34010), [@soltysh](https://github.com/soltysh))
* Fixed an issue that caused a credential error when deploying federation control plane onto a GKE cluster. ([#31747](https://github.com/kubernetes/kubernetes/pull/31747), [@madhusudancs](https://github.com/madhusudancs))

	now := UTCNow()

	req = signer.StreamingUnsignedV4(req, "", 8, now)

	maliciousHeaders := http.Header{
		"Authorization":                []string{fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s/us-east-1/s3/aws4_request, SignedHeaders=invalidheader, Signature=deadbeefdeadbeefdeadbeeddeadbeeddeadbeefdeadbeefdeadbeefdeadbeef", s.accessKey, now.Format(yyyymmdd))},

     * Get the value for the key 'api.cors.allow.credentials'. <br>
     * The value is, e.g. true <br>
     * comment: Whether to allow credentials for CORS.
     * @return The value of found property. (NotNull: if not found, exception but basically no way)
     */
    String getApiCorsAllowCredentials();

    /**
     * Is the property for the key 'api.cors.allow.credentials' true? <br>
     * The value is, e.g. true <br>

pkg syscall (darwin-arm64), type Cmsghdr struct, Type int32
pkg syscall (darwin-arm64), type Credential struct
pkg syscall (darwin-arm64), type Credential struct, Gid uint32
pkg syscall (darwin-arm64), type Credential struct, Groups []uint32
pkg syscall (darwin-arm64), type Credential struct, NoSetGroups bool
pkg syscall (darwin-arm64), type Credential struct, Uid uint32
pkg syscall (darwin-arm64), type Dirent struct

- Fixed ambiguous behavior when bearer token (kubectl --token=..) and an exec credential plugin was configured in the same context - the bearer token now takes precedence. ([#91745](https://github.com/kubernetes/kubernetes/pull/91745), [@anderseknert](https://github.com/anderseknert)) [SIG API Machinery, Auth and Testing]

    * The `kube-cloud-controller-manager` flag `--use-service-account-credentials` is now honored consistently, regardless of whether `--service-account-private-key-file` was specified.
* Fix credentials providers for docker sandbox image. ([#51870](https://github.com/kubernetes/kubernetes/pull/51870), [@feiskyer](https://github.com/feiskyer))

Então nós podemos utilizar o `secrets.compare_digest()` para garantir que o `credentials.username` é `"stanleyjobson"`, e que o `credentials.password` é `"swordfish"`.

{* ../../docs_src/security/tutorial007_an_py310.py hl[1,12:24] *}

Isso seria parecido com:

```Python
if not (credentials.username == "stanleyjobson") or not (credentials.password == "swordfish"):
    # Return some error
    ...
```