e potente.
* Sicurezza e autenticazione, incluso il supporto per **OAuth2** con **token JWT** e autenticazione **HTTP Basic**.
* Tecniche più avanzate (ma ugualmente semplici) per dichiarare **modelli JSON altamente nidificati** (grazie a Pydantic).
* E altre funzionalità (grazie a Starlette) come:

### VMware

- SAML token delegation (required for Zones support in vSphere) is now supported ([#78876](https://github.com/kubernetes/kubernetes/pull/78876), [@dougm](https://github.com/dougm))
- vSphere SAML token auth is now supported when using Zones ([#75515](https://github.com/kubernetes/kubernetes/pull/75515), [@dougm](https://github.com/dougm))

### **Cluster Lifecycle**

*   You must either specify the `--discovery-token-ca-cert-hash` flag to `kubeadm join`, or opt out of the CA pinning feature using `--discovery-token-unsafe-skip-ca-verification`.
*   The default `auto-detect` behavior of the kubelet's `--cloud-provider` flag is removed.

ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). ([#108309](https://github.com/kubernetes/kubernetes/pull/108309), [@zshihang](https://github.com/zshihang))...

* `--service-account-lookup` now defaults to true, requiring the Secret API object containing the token to exist in order for a service account token to be valid. This enables service account tokens to be revoked by deleting the Secret object containing the token. ([#44071](https://github.com/kubernetes/kubernetes/pull/44071), [@liggitt](https://github.com/liggitt))

labels.purgeUserInfoDay=刪除以前的使用者日誌
labels.reading=讀音
labels.roleTypeIds=角色ID
labels.scriptData=腳本
labels.scriptResult=結果
labels.scriptType=執行方法
labels.segmentation=分段
labels.startTime=開始時間
labels.target=目標
labels.token=令牌
labels.synonymFile=同義詞檔案
labels.stopwordsFile=停用詞檔案
labels.stemmerOverrideFile=詞幹覆蓋檔案
labels.mappingFile=映射檔案
labels.protwordsFile=Protwords檔案
labels.kuromojiFile=Kuromoji檔案
labels.elevateWordFile=提升詞檔案

pkg go/token, const COLON = 58
pkg go/token, const COMMA = 52
pkg go/token, const COMMENT = 2
pkg go/token, const CONST = 64
pkg go/token, const CONTINUE = 65
pkg go/token, const DEC = 38
pkg go/token, const DEFAULT = 66
pkg go/token, const DEFER = 67
pkg go/token, const DEFINE = 47
pkg go/token, const ELLIPSIS = 48
pkg go/token, const ELSE = 68
pkg go/token, const EOF = 1
pkg go/token, const EQL = 39

`get_current_user`を更新して、先ほどと同じトークンを受け取るようにしますが、今回はJWTトークンを使用します。

受け取ったトークンを復号して検証し、現在のユーザーを返します。

トークンが無効な場合は、すぐにHTTPエラーを返します。

{* ../../docs_src/security/tutorial004.py hl[89:106] *}

## `/token` パスオペレーションの更新

トークンの有効期限を表す`timedelta`を作成します。

JWTアクセストークンを作成し、それを返します。

{* ../../docs_src/security/tutorial004.py hl[115:130] *}

### JWTの"subject" `sub` についての技術的な詳細

- Upon receiving a LIST request with an expired continue token, the apiserver now returns a continue token together with the 410 "the from parameter is too old" error. If the client does not care about getting a list from a consistent snapshot, the client can use this token to continue listing from the next key, but the returned chunk will be from the latest snapshot. ([#67284](https://github.com/kubernetes/kubernetes/pull/67284),...

    // ============================================================

    /** User information session key. */
    public static final String USER_INFO = "LoginInfo";

    /** Search engine API access token key. */
    public static final String SEARCH_ENGINE_API_ACCESS_TOKEN = "searchEngineApiAccessToken";

    /** Default field name identifier. */
    public static final String DEFAULT_FIELD = "_default";