if _, ok := cleanQ.Users[user]; !ok {
				cleanQ.Users[user] = nil
			}
		}

		// Validate and normalize groups.
		for _, group := range q.Groups {
			lookupRes, underDN, _ := sys.LDAPConfig.GetValidatedGroupDN(nil, group)
			if lookupRes != nil && underDN {
				cleanQ.Groups.Add(lookupRes.NormDN)
			}
		}
	} else {
		for _, user := range q.Users {
			info, err := sys.store.GetUserInfo(user)

  // that are managed by that workflow. This is mostly for internal
  // housekeeping, and users typically shouldn't need to set or
  // understand this field. A workflow can be the user's name, a
  // controller's name, or the name of a specific apply path like
  // "ci-cd". The set of fields is always in the version that the
  // workflow used when modifying the object.
  //
  // +optional

  Once core Kubernetes support for user namespaces is generally available and kubeadm has started to support running the control plane in userns pods, the kubeadm `RootlessControlPlane` feature gate will be removed entirely.

        .url(server.url("/"))
        .head()
        .header("User-Agent", "SyncApiTest")
        .build()
    executeSynchronously(request)
      .assertCode(200)
      .assertHeader("Content-Type", "text/plain")
    val recordedRequest = server.takeRequest()
    assertThat(recordedRequest.method).isEqualTo("HEAD")
    assertThat(recordedRequest.headers["User-Agent"]).isEqualTo("SyncApiTest")

   * -viper-config can be used to set also the options defined by command line flags
   * the default config file is "e2e.yaml/toml/json/..." and the test starts when no such config is found (as before) but if -viper-config is used, the config file must exist
   * -viper-config can be used to select a file with full path, with or without file suffix

		}
	}

	// Remove functions only used as expressions, so their respective
	// bridge functions are not generated.
	for name, used := range functions {
		if !used {
			delete(f.Name, name)
		}
	}
}

// rewriteName returns the expression used to rewrite a reference.
// If addPosition is true, add position info in the ident name.

- kube-apiserver:

- Updated an audit annotation key used by the `…/serviceaccounts/<name>/token` resource handler.
  The annotation used to persist the issued credential identifier is now `authentication.kubernetes.io/issued-credential-id`. ([#123098](https://github.com/kubernetes/kubernetes/pull/123098), [@munnerz](https://github.com/munnerz)) [SIG Auth]

* `kubectl create rolebinding` and `kubectl create clusterrolebinding` invocations must be updated to  specify multiple subjects as repeated  `--user`, `--group`, or `--serviceaccount` arguments instead of comma-separated arguments to a single `--user`, `--group`, or `--serviceaccount`.  E.g. `--user=x,y` must become `--user x --user y`  ([#43903](https://github.com/kubernetes/kubernetes/pull/43903), [@xilabao](https://github.com/xilabao))


### kubeadm

```Python
def get_current_user(token: str):
    # authenticate user
    return User()


@app.get("/items/")
def read_items(user: User = Depends(get_current_user)):
    ...


@app.post("/items/")
def create_item(*, user: User = Depends(get_current_user), item: Item):
    ...


@app.get("/items/{item_id}")
def read_item(*, user: User = Depends(get_current_user), item_id: int):
    ...