- Fixed a bug where adding an ephemeral container to a pod which references a new secret or config map doesn't give the pod access to that new secret or config map. (#114984, @cslink) ([#129670](https://github.com/kubernetes/kubernetes/pull/129670), [@cslink](https://github.com/cslink)) [SIG Auth]

	"github.com/minio/mux"
	"github.com/minio/pkg/v3/policy"
	"github.com/minio/sio"
)

// Multipart objectAPIHandlers

// NewMultipartUploadHandler - New multipart upload.
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
//   - X-Amz-Server-Side-Encryption-Customer-Key

- Graduated the `LegacyServiceAccountTokenTracking` feature gate to Beta. The usage of auto-generated secret-based service account token now produces warnings by default, and relevant Secrets are labeled with a last-used timestamp (label key `kubernetes.io/l...

This setting will be removed in Go 1.27.

Go 1.22 disabled
[`ConnectionState.ExportKeyingMaterial`](/pkg/crypto/tls/#ConnectionState.ExportKeyingMaterial)
when the connection supports neither TLS 1.3 nor Extended Master Secret
(implemented in Go 1.21). It can be reenabled with the [`tlsunsafeekm`
setting](/pkg/crypto/tls/#ConnectionState.ExportKeyingMaterial).
This setting will be removed in Go 1.27.

from the early secret // and the transcript up to the ClientHello. func (s *EarlySecret) EarlyExporterMasterS(transcript fips140.Hash) *ExporterMasterSecret { return &ExporterMasterSecret{ secret: deriveSecret(s.hash, s.secret, earlyExporterLabel, transcript), hash: s.hash, } } func (s *ExporterMasterSecret) Exporter(label string, context []byte, length int) []byte { secret := deriveSecret(s.hash, s.secret, label, nil) h := s.hash() h.Write(context) return ExpandLabel(s.hash, secret, "exporter", h.Sum(nil),...

### Secrets
* Populate environment variables from a secrets. ([#39446](https://github.com/kubernetes/kubernetes/pull/39446), [@fraenkel](https://github.com/fraenkel))

### Immutable Secrets and ConfigMaps

Immutable Secrets and ConfigMaps graduates to GA. This feature allows users to specify that the contents of a particular Secret or ConfigMap is immutable for its object lifetime. For such instances, Kubelet will not watch/poll for changes and therefore reducing apiserver load.

ExporterMasterSecret struct { secret []byte hash func() hash.Hash } // ExporterMasterSecret derives the exporter_master_secret from the master secret // and the transcript up to the server Finished. func (s *MasterSecret) ExporterMasterSecret(transcript hash.Hash) *ExporterMasterSecret { return &ExporterMasterSecret{ secret: deriveSecret(s.hash, s.secret, exporterLabel, transcript), hash: s.hash, } } // EarlyExporterMasterS derives the exporter_master_secret from the early secret // and the transcript up...

### Immutable Secrets and ConfigMaps (beta)

Secret and ConfigMap volumes can be marked as immutable, which significantly reduces load on the API server if there are many Secret and ConfigMap volumes in the cluster.
See [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) and [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) for more information.

### CSI Proxy for Windows

- Kubelet now cleans up orphaned volume directories automatically ([#95301](https://github.com/kubernetes/kubernetes/pull/95301), [@lorenz](https://github.com/lorenz)) [SIG Node and Storage]
- Resolves spurious `Failed to list *v1.Secret` or `Failed to list *v1.ConfigMap` messages in kubelet logs. ([#99538](https://github.com/kubernetes/kubernetes/pull/99538), [@liggitt](https://github.com/liggitt)) [SIG Auth and Node]