- In the course of admitting a single request, the ValidatingAdmissionPolicy plugin will perform no more than one authorization check per unique authorizer expression. All evaluations of identical authorizer expressions will produce the same decision. ([#116443](https://github.com/kubernetes/kubernetes/pull/116443), [@benluddy](https://github.com/benluddy)) [SIG API Machinery and Testing]

        }
      }
    ```

### Handling authentication ([.kt][AuthenticateKotlin], [.java][AuthenticateJava])

OkHttp can automatically retry unauthenticated requests. When a response is `401 Not Authorized`, an `Authenticator` is asked to supply credentials. Implementations should build a new request that includes the missing credentials. If no credentials are available, return null to skip the retry.

* Add support for the webhook authorizer to make a Deny decision that short-circuits the union authorizer and immediately returns Deny.  ([#53273](https://github.com/kubernetes/kubernetes/pull/53273), [@mikedanese](https://github.com/mikedanese))

        * Nodes must use client credentials that place them in the `system:nodes` group with a username of `system:node:<nodeName>` in order to be authorized by the node authorizer (the credentials obtained by the kubelet...

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

- Improves performance of the node authorizer ([#87696](https://github.com/kubernetes/kubernetes/pull/87696), [@liggitt](https://github.com/liggitt)) [SIG Auth]

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields