err = msgp.WrapError(err, "SuccessorModTime")
		return
	}
	z.Fresh, err = dc.ReadBool()
	if err != nil {
		err = msgp.WrapError(err, "Fresh")
		return
	}
	z.Idx, err = dc.ReadInt()
	if err != nil {
		err = msgp.WrapError(err, "Idx")
		return
	}
	if dc.IsNil() {
		err = dc.ReadNil()
		if err != nil {
			err = msgp.WrapError(err)
			return
		}
		z.Checksum = nil
	} else {

by ByteEncode, according to FIPS 203, Algorithm 5. func ringCompressAndEncod(s []byte, f ringElement, d uint8) []byte { var b byte var bIdx uint8 for i := 0; i < n; i++ { c := compress(f[i], d) var cIdx uint8 for cIdx < d { b |= byte(c>>cIdx) << bIdx bits := min(8-bIdx, d-cIdx) bIdx += bits cIdx += bits if bIdx == 8 { s = append(s, b) b = 0 bIdx = 0 } } } if bIdx != 0 { panic("mlkem: internal error: bitsFilled != 0") } return s } // ringDecodeAndDecompr decodes an encoding of a ring element where...

        * At Request audit level or higher, an annotation with key "patch.webhook.admission.k8s.io/round_{round idx}_index_{order idx}" get logged with the JSON payload logging the patch sent by a webhook for given request.

		c.Fatalf("GetLDAPPolicyEntities should not fail: %v", err)
	}
	{
		// Check that the mapping we created exists.
		idx := slices.IndexFunc(policyResult.PolicyMappings, func(e madmin.PolicyEntities) bool {
			return e.Policy == policy && slices.Contains(e.Groups, actualGroupDN)
		})
		if idx < 0 {
			c.Fatalf("expected groupDN (%s) to be present in mapping list: %#v", actualGroupDN, policyResult)
		}
	}

			// server).
			//
			// The "policy not found" error is ignored because the STS account may
			// not have a policy mapped via its parent (for e.g. in
			// OIDC/AssumeRoleWithCustomToken/AssumeRoleWithCertificate).
			err := iamOS.loadMappedPolicy(ctx, svcParent, stsUser, false, cache.iamSTSPolicyMap)
			if err != nil && !errors.Is(err, errNoSuchPolicy) {

- Reverted a kubectl azure auth module change where oidc claim spn: prefix was omitted resulting a breaking behavior with existing Azure AD OIDC enabled api-server ([#87507](https://github.com/kubernetes/kubernetes/pull/87507), [@weinong](https://github.com/weinong)) [SIG API Machinery, Auth and Cloud Provider]

* Fix PVC.Status.Capacity and AccessModes after binding ([#29982](https://github.com/kubernetes/kubernetes/pull/29982), [@jsafrane](https://github.com/jsafrane))
* oidc authentication plugin: don't trim issuer URLs with trailing slashes ([#29860](https://github.com/kubernetes/kubernetes/pull/29860), [@ericchiang](https://github.com/ericchiang))

- Reverted a kubectl azure auth module change where oidc claim spn: prefix was omitted resulting a breaking behavior with existing Azure AD OIDC enabled api-server ([#87507](https://github.com/kubernetes/kubernetes/pull/87507), [@weinong](https://github.com/weinong)) [SIG API Machinery, Auth and Cloud Provider]

				return
			}
			targetUser = requestorParentUser
		}
		targetGroups = requestorGroups

		// In case of LDAP/OIDC we need to set `opts.claims` to ensure
		// it is associated with the LDAP/OIDC user properly.
		for k, v := range cred.Claims {
			if k == expClaim {
				continue
			}
			opts.claims[k] = v
		}
	} else if globalIAMSys.LDAPConfig.Enabled() {

github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=