.Values.metrics.serviceMonitor.scrapeTimeout }} scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} {{- end }} {{- if not .Values.metrics.serviceMonitor.public }} bearerTokenSecret: name: {{ template "minio.fullname" . }}-prometheus key: token {{- end }} namespaceSelector: matchNames: - {{ .Release.Namespace | quote }} selector: matchLabels: app: {{ include "minio.name" . }} release: {{ .Release.Name }} monitoring: "true" {{- end }} minio/templates/statefulset.yaml {{- if eq .Values.mode...

  is now available as alpha (off by default). When enabled, the `legacy-service-account-token-cleaner`
  controller loop removes service account token secrets that have not been used
  in the time specified by `--legacy-service-account-token-clean-up-period` (defaulting
  to one year), **and are** referenced from the `.secrets` list of a ServiceAccount

- Fixed ambiguous behavior when bearer token (kubectl --token=..) and an exec credential plugin was configured in the same context - the bearer token now takes precedence. ([#91745](https://github.com/kubernetes/kubernetes/pull/91745), [@anderseknert](https://github.com/anderseknert)) [SIG API Machinery, Auth and Testing]

- If BoundServiceAccountTokenVolume is enabled, cluster admins can use metric `serviceaccount_stale_tokens_total` to monitor workloads that are depending on the extended tokens. If there are no such workloads, turn off extended tokens by starting `kube-apiserver` with flag `--service-account-extend-token-expiration=false` ([#96273](https://github.com/kubernetes/kubernetes/pull/96273), [@zshihang](https://github.com/zshihang)) [SIG API Machinery and Auth]

.Values.metrics.serviceMonitor.relabelConfigs }} {{ toYaml .Values.metrics.serviceMonitor.relabelConfigs | indent 6 }} {{- end }} {{- if not .Values.metrics.serviceMonitor.public }} bearerTokenSecret: name: {{ template "minio.fullname" . }}-prometheus key: token {{- end }} namespaceSelector: matchNames: - {{ .Release.Namespace | quote }} selector: matchLabels: app: {{ include "minio.name" . }} release: {{ .Release.Name }} monitoring: "true" {{- end }} minio/templates/statefulset.yaml {{- if eq .Values.mode...

- Node information is now embedded into Pod-bound service account tokens as additional metadata. The 'JTI' field is set in issued service account tokens, and this information is embedded as `authentication.kubernetes.io/credential-id` in the user's ExtraInfo. ([#123135](https://github.com/kubernetes/kubernetes/pull/123135), [@munnerz](https://github.com/munnerz))...

// applicable here.
//
// Service accounts are replicated as long as they are not meant for the root
// user.
//
// STS accounts are replicated, but only if the session token is verifiable
// using the local cluster's root credential.
func (c *SiteReplicationSys) IAMChangeHook(ctx context.Context, item madmin.SRIAMItem) error {
	// The IAM item has already been applied to the local cluster at this

    * kube-apiserver: the OpenID Connect authenticator no longer accepts tokens from the Google v3 token APIs, users must switch to the "https://www.googleapis.com/oauth2/v4/token" endpoint.

.Values.metrics.serviceMonitor.scrapeTimeout }} scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} {{- end }} {{- if not .Values.metrics.serviceMonitor.public }} bearerTokenSecret: name: {{ template "minio.fullname" . }}-prometheus key: token {{- end }} namespaceSelector: matchNames: - {{ .Release.Namespace | quote }} selector: matchLabels: app: {{ include "minio.name" . }} release: {{ .Release.Name }} monitoring: true {{- end }} minio/templates/statefulset.yaml {{- if eq .Values.mode "distributed"...

.Values.metrics.serviceMonitor.scrapeTimeout }} scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} {{- end }} {{- if not .Values.metrics.serviceMonitor.public }} bearerTokenSecret: name: {{ template "minio.fullname" . }}-prometheus key: token {{- end }} namespaceSelector: matchNames: - {{ .Release.Namespace | quote }} selector: matchLabels: app: {{ include "minio.name" . }} release: {{ .Release.Name }} monitoring: "true" {{- end }} minio/templates/statefulset.yaml {{- if eq .Values.mode...