- CSI drivers can now opt in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (beta in `v1.35`). ([#134826](https://github.com/kuber...

C’est le même mécanisme utilisé lorsque vous donnez des permissions en vous connectant avec Facebook, Google, GitHub, etc. :

<img src="/img/tutorial/security/image11.png">

## Jeton JWT avec scopes { #jwt-token-with-scopes }

Modifiez maintenant le *chemin d’accès* du jeton pour renvoyer les scopes demandés.

testdata/huffman-zero.wb.expect", "src/compress/flate/testdata/huffman-zero.wb.expect-noinput", "src/compress/flate/testdata/null-long-match.dyn.expect-noinput", "src/compress/flate/testdata/null-long-match.wb.expect-noinput", "src/compress/flate/token.go", "src/compress/flate/writer_test.go", "src/compress/gzip/", "src/compress/gzip/example_test.go", "src/compress/gzip/gunzip.go", "src/compress/gzip/gunzip_test.go", "src/compress/gzip/gzip.go", "src/compress/gzip/gzip_test.go", "src/compress/gz...

## 依存関係 { #dependencies }

アプリケーションの複数箇所で使う依存関係が必要になります。

そのため、専用の `dependencies` モジュール（`app/dependencies.py`）に置きます。

ここではカスタムヘッダー `X-Token` を読む簡単な依存関係を使います:

{* ../../docs_src/bigger_applications/app_an_py310/dependencies.py hl[3,6:8] title["app/dependencies.py"] *}

/// tip | 豆知識

この例を簡単にするために架空のヘッダーを使っています。

		}
		if !isTokenSelfRevoke && user != parentUser {
			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
			return
		}
		user = parentUser
	}

	// Infer token revoke type from the request if requestor is STS.
	if isTokenSelfRevoke && tokenRevokeType == "" && !fullRevoke {
		if cred.IsTemp() {
			tokenRevokeType, _ = cred.Claims[tokenRevokeTypeClaim].(string)
		}

그리고 접근을 허용할 스코프를 선택할 수 있게 됩니다: `me`와 `items`.

이는 Facebook, Google, GitHub 등으로 로그인하면서 권한을 부여할 때 사용되는 것과 동일한 메커니즘입니다:

<img src="/img/tutorial/security/image11.png">

## 스코프를 포함한 JWT 토큰 { #jwt-token-with-scopes }

이제 토큰 *경로 처리*를 수정해, 요청된 스코프를 반환하도록 합니다.

여전히 동일한 `OAuth2PasswordRequestForm`을 사용합니다. 여기에는 요청에서 받은 각 스코프를 담는 `scopes` 속성이 있으며, 타입은 `str`의 `list`입니다.

그리고 JWT 토큰의 일부로 스코프를 반환합니다.

/// danger | 위험

- When the alpha `LegacyServiceAccountTokenTracking` feature gate is enabled, secret-based service account tokens will have a `kubernetes.io/legacy-token-last-used` applied to them containing the date they were last used. ([#108858](https://github.com/kubernetes/kubernetes/pull/108858), [@zshihang](https://github.com/zshihang)) [SIG API Machinery, Auth and Testing]

### Auth

- Service account tokens now include the JWT Key ID field in their header. ([#78502](https://github.com/kubernetes/kubernetes/pull/78502), [@ahmedtd](https://github.com/ahmedtd))
- The nbf (not before) claim, if present in ID token, is now enforced. ([#81413](https://github.com/kubernetes/kubernetes/pull/81413), [@anderseknert](https://github.com/anderseknert))

","matcherFromTokens","checkContext","leadingRelative","implicitRelative","matchContext","matchAnyContext","elementMatchers","setMatchers","bySet","byElement","superMatcher","outermost","matchedCount","setMatched","contextBackup","dirrunsUnique","token","compiled","filters","unique","getText","isXML","selectors","until","truncate","is","siblings","n","rneedsContext","rsingleTag","winnow","qualifier","self","rootjQuery","parseHTML","ready","rparentsprev","guaranteedUnique","children","contents","...

pkg errors, func Unwrap(error) error
pkg go/constant, func Make(interface{}) Value
pkg go/constant, func Val(Value) interface{}
pkg go/token, func IsExported(string) bool
pkg go/token, func IsIdentifier(string) bool
pkg go/token, func IsKeyword(string) bool
pkg go/types, func CheckExpr(*token.FileSet, *Package, token.Pos, ast.Expr, *Info) error
pkg log, func Writer() io.Writer
pkg log/syslog (netbsd-arm64-cgo), const LOG_ALERT = 1