- Node information is now embedded into Pod-bound service account tokens as additional metadata. The 'JTI' field is set in issued service account tokens, and this information is embedded as `authentication.kubernetes.io/credential-id` in the user's ExtraInfo. ([#123135](https://github.com/kubernetes/kubernetes/pull/123135), [@munnerz](https://github.com/munnerz))...

    license or settlement) prior to the initiation of patent
    infringement litigation, then the reasonable value of the licenses
    granted by such Participant under Sections 2.1 or 2.2 shall be taken
    into account in determining the amount or value of any payment or
    license.

    6.4. In the event of termination under Sections 6.1 or 6.2 above,
    all end user licenses that have been validly granted by You or any

### Windows

Support for Windows nodes and Windows containers went going stable.

Support for Group Managed Service Accounts (GMSA) for Windows containers in Kubernetes. GMSA are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers.

- E2e tests wait for kube-root-ca.crt to be populated in namespaces for use with projected service account tokens, reducing delays starting those test pods and errors in the logs. ([#108860](https://github.com/kubernetes/kubernetes/pull/108860), [@eddiezane](https://github.com/eddiezane)) [SIG Testing]

    /** The key of the message: by Click Count (asc) */
    public static final String LABELS_search_result_sort_click_count_asc = "{labels.search_result_sort_click_count_asc}";

    /** The key of the message: by Click Count (desc) */
    public static final String LABELS_search_result_sort_click_count_desc = "{labels.search_result_sort_click_count_desc}";

    /** The key of the message: by Favorite Count (asc) */

	}

	if totalBatch != 6 {
		t.Errorf("incorrect total batch, expects: %v, got %v", 6, totalBatch)
	}

	var count int64
	DB.Model(&User{}).Where("name = ?", "find_in_batches_new").Count(&count)
	if count != 6 {
		t.Errorf("incorrect count after update, expects: %v, got %v", 6, count)
	}
}

func TestFindInBatchesWithOffsetLimit(t *testing.T) {
	users := []User{

- `kube-controller-manager`: The `LegacyServiceAccountTokenCleanUp` feature gate
  is now available as alpha (off by default). When enabled, the `legacy-service-account-token-cleaner`
  controller loop removes service account token secrets that have not been used
  in the time specified by `--legacy-service-account-token-clean-up-period` (defaulting
  to one year), **and are** referenced from the `.secrets` list of a ServiceAccount

               * In guava-android, the only kinds of Exception that may be thrown are
               * RuntimeException and IOException because `closeable` has type `Closeable`—except
               * that we have to account for sneaky checked exception.
               */
              restoreInterruptIfIsInterruptedException(e);
              logger.get().log(WARNING, "thrown by close()", e);
            }
          });

    assertThat(data2.type).isEqualTo(Http2.TYPE_DATA)
    assertThat(data2.streamId).isEqualTo(3)
    assertArrayEquals("fghi".toByteArray(), data2.data)
  }

  /**
   * Confirm that we account for discarded data frames. It's possible that data frames are in-flight
   * just prior to us canceling a stream.
   */
  @Test fun discardedDataFramesAreCounted() {
    // Write the mocking script.

Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

**Note**:...