### CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin

// registrations (clause 11 "allocated subdomains" in the 2006 TLD
// policy), but the relevant industry partners have not opened them up
// for registration. Current status can be determined from the TLD's
// policy document: 2LDs that are open for registration must list
// their policy in the TLD's policy. Any 2LD without such a policy is
// not open for registrations.
accident-investigation.aero
accident-prevention.aero

from 1.4 to 1.5, you must delete all `PodDisruptionBudget` objects (`policy/v1alpha1/PodDisruptionBudget`) that you have created. It is not possible to delete these objects after you upgrade, and their presence will prevent you from using the beta PodDisruptionBudget feature in 1.5 (which uses `policy/v1beta1/PodDisruptionBudget`). If you have already upgraded, you will need to downgrade the master to 1.4 to delete the `policy/v1alpha1/PodDisruptionBudget` objects.

## External Dependency...

			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         target.KafkaTLSClientAuth,
			Description: "clientAuth determines the Kafka server's policy for TLS client auth",
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         target.KafkaSASL,
			Description: "set to 'on' to enable SASL authentication",
			Optional:    true,

Go 1.22 added a new [`crypto/x509.Certificate`](/pkg/crypto/x509/#Certificate)
field, [`Policies`](/pkg/crypto/x509/#Certificate.Policies), which supports
certificate policy OIDs with components larger than 31 bits. By default this
field is only used during parsing, when it is populated with policy OIDs, but
not used during marshaling. It can be used to marshal these larger OIDs, instead
of the existing PolicyIdentifiers field, by using the

	u, err := xnet.ParseHTTPURL(pluginURL)
	if err != nil {
		return args, err
	}

	rolePolicy := env.Get(EnvIdentityPluginRolePolicy, kv.Get(RolePolicy))
	if rolePolicy == "" {
		return args, config.Errorf("A role policy must be specified for Identity Management Plugin")
	}

	resourceID := "idmp-"
	roleID := env.Get(EnvIdentityPluginRoleID, kv.Get(RoleID))
	if roleID == "" {

    @Test
    public void test_annotationPresence() {
        assertTrue("UriType should be an annotation", UriType.class.isAnnotation());
    }

    // Test annotation retention policy
    @Test
    public void test_retentionPolicy() {
        final Retention retention = UriType.class.getAnnotation(Retention.class);
        assertNotNull(retention, "Retention annotation should be present");

        VersionRange range1 = VersionRange.createFromVersionSpec("1.0");
        VersionRange range2 = VersionRange.createFromVersionSpec("1.1");
        VersionRange mergedRange = range1.restrict(range2);
        // TODO current policy is to retain the original version - is this correct, do we need strategies or is that
        // handled elsewhere?
        //        assertEquals( "1.1", mergedRange.getRecommendedVersion().toString(), CHECK_VERSION_RECOMMENDATION );

- Reverted the `DisableNodeKubeProxyVersion` feature gate to default-off to give a full year from deprecation announcement in 1.29 to clearing the field by default, per the [Kubernetes deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/). ([#126720](https://github.com/kubernetes/kubernetes/pull/126720), [@liggitt](https://github.com/liggitt)) [SIG Architecture and Node]

   * if occurrences == 0. This satisfies both NullPointerTester and
   * CollectionRemoveTester.testRemove_nullAllowed, but it's not clear that it's
   * a good policy, especially because, in order for the test to pass, the
   * parameter must be misleadingly annotated as @Nullable. I suspect that
   * we'll want to remove @Nullable, add an eager checkNotNull, and loosen up