### CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin

	if err != nil {
		t.Fatal(err)
	}
	return req
}

// setupKMSUser is a test helper that creates a new user with the provided access key and secret key
// and applies the given policy to the user.
func setupKMSUser(t *testing.T, accessKey, secretKey, p string) {
	ctx := t.Context()
	createUserParams := madmin.AddOrUpdateUserReq{
		SecretKey: secretKey,

- On finding at least one associated policy, MinIO generates temporary credentials for the user storing the list of groups in a cryptographically secure session token. The temporary access key, secret key and session token are returned to the user.
- The user can now use these credentials to make requests to the MinIO server.

# Configurações e Variáveis de Ambiente { #settings-and-environment-variables }

Em muitos casos, sua aplicação pode precisar de configurações externas, por exemplo chaves secretas, credenciais de banco de dados, credenciais para serviços de e-mail, etc.

A maioria dessas configurações é variável (pode mudar), como URLs de banco de dados. E muitas podem ser sensíveis, como segredos.

Por esse motivo, é comum fornecê-las em variáveis de ambiente lidas pela aplicação.

        .build()
    val response =
      getResponse(
        Request
          .Builder()
          .url("https://android.com/foo".toHttpUrl())
          .header("Private", "Secret")
          .header("Proxy-Authorization", "bar")
          .header("User-Agent", "baz")
          .build(),
      )
    assertContent("encrypted response from the origin server", response)

### SIG CLI

* You can now use the `base64decode` function in kubectl go templates to decode base64-encoded data, such as `kubectl get secret SECRET -o go-template='{{ .data.KEY | base64decode }}'`. ([#60755](https://github.com/kubernetes/kubernetes/pull/60755), [@glb](https://github.com/glb))

- Fixed a bug where adding an ephemeral container to a pod which references a new secret or config map doesn't give the pod access to that new secret or config map. (#114984, @cslink) ([#129670](https://github.com/kubernetes/kubernetes/pull/129670), [@cslink](https://github.com/cslink)) [SIG Auth]

    public static final String STORAGE_ENDPOINT = "storage.endpoint";

    /** Storage access key configuration key. */
    public static final String STORAGE_ACCESS_KEY = "storage.accesskey";

    /** Storage secret key configuration key. */
    public static final String STORAGE_SECRET_KEY = "storage.secretkey";

    /** Storage bucket configuration key. */
    public static final String STORAGE_BUCKET = "storage.bucket";

- ServiceAccount metadata.annotations[kubernetes.io/enforce-mountable-secrets]: deprecated since v1.32; no removal deadline. Prefer separate namespaces to isolate access to mounted secrets. ([#128396](https://github.com/kubernetes/kubernetes/pull/128396), [@ritazh](https://github.com/ritazh)) [SIG API Machinery, Apps, Auth, CLI and Testing]

### API Change

### CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin