### VMware

- SAML token delegation (required for Zones support in vSphere) is now supported ([#78876](https://github.com/kubernetes/kubernetes/pull/78876), [@dougm](https://github.com/dougm))
- vSphere SAML token auth is now supported when using Zones ([#75515](https://github.com/kubernetes/kubernetes/pull/75515), [@dougm](https://github.com/dougm))

* <abbr title="Getting Things Done - S'organiser pour réussir">GTD</abbr>
* <abbr title="less than - inférieur à"><code>lt</code></abbr>
* <abbr title="XML Web Token - Jeton Web XML">XWT</abbr>
* <abbr title="Parallel Server Gateway Interface - Interface passerelle serveur parallèle">PSGI</abbr>

Это тот же механизм, когда вы даёте разрешения при входе через Facebook, Google, GitHub и т.д.:

<img src="/img/tutorial/security/image11.png">

## JWT-токены со scopes { #jwt-token-with-scopes }

Теперь измените операцию пути, выдающую токен, чтобы возвращать запрошенные scopes.

				iamLogIf(ctx, nerr.Err)
			}
		}
	}
	return updatedAt, nil
}

// RevokeTokens - revokes all STS tokens, or those of specified type, for a user
// If `tokenRevokeType` is empty, all tokens are revoked.
func (sys *IAMSys) RevokeTokens(ctx context.Context, accessKey, tokenRevokeType string) error {
	if !sys.Initialized() {
		return errServerNotInitialized
	}

Це той самий механізм, який використовується, коли ви надаєте дозволи під час входу через Facebook, Google, GitHub тощо:

<img src="/img/tutorial/security/image11.png">

## JWT токен зі scopes { #jwt-token-with-scopes }

Тепер змініть операцію шляху токена, щоб повертати запитані scopes.

errors.failed_to_download_mapping_file = Failed to download a mapping file.
errors.failed_to_upload_mapping_file = Failed to upload a mapping file.
errors.invalid_kuromoji_token={0} is invalid as a token.
errors.invalid_kuromoji_segmentation=The number of segmentation for {0} and {1} is different.
errors.invalid_str_is_included = {1} is invalid for {0}.
errors.blank_password = Password is required.

errors.failed_to_download_mapping_file = Failed to download a mapping file.
errors.failed_to_upload_mapping_file = Failed to upload a mapping file.
errors.invalid_kuromoji_token={0} is invalid as a token.
errors.invalid_kuromoji_segmentation=The number of segmentation for {0} and {1} is different.
errors.invalid_str_is_included = {1} is invalid for {0}.
errors.blank_password = Password is required.

	}
	data.CommonPrefixes = prefixes
	return data
}

// generates an ListObjectsV2 response for the said bucket with other enumerated options.
func generateListObjectsV2Response(ctx context.Context, bucket, prefix, token, nextToken, startAfter, delimiter, encodingType string, fetchOwner, isTruncated bool, maxKeys int, objects []ObjectInfo, prefixes []string, metadata metaCheckFn) ListObjectsV2Response {
	contents := make([]Object, 0, len(objects))

- If BoundServiceAccountTokenVolume is enabled, cluster admins can use metric `serviceaccount_stale_tokens_total` to monitor workloads that are depending on the extended tokens. If there are no such workloads, turn off extended tokens by starting `kube-apiserver` with flag `--service-account-extend-token-expiration=false` ([#96273](https://github.com/kubernetes/kubernetes/pull/96273), [@zshihang](https://github.com/zshihang)) [SIG API Machinery and Auth]

        System.arraycopy(err, 0, buf, bodyStart + 8, bc);

        int decoded = resp.decode(buf, headerStart);
        assertTrue(decoded > 0);

        // When error path is taken, no blob should be parsed
        assertNull(resp.getBlob(), "Blob should be null on error path");
        assertNotNull(resp.getErrorData(), "Error data should be present");
        assertArrayEquals(err, resp.getErrorData());