- Kube-apiserver: `--audit-log-version` and `--audit-webhook-version` now only support the default value of `audit.k8s.io/v1`. The v1alpha1 and v1beta1 audit log versions, deprecated since 1.13, have been removed. ([#108092](https://github.com/kubernetes/kubernetes/pull/108092), [@carlory](https://github.com/carlory))

- Audit events for API requests to deprecated API versions now include a `"k8s.io/deprecated": "true"` audit annotation. If a target removal release is identified, the audit event includes a `"k8s.io/removal-release": "<majorVersion>.<minorVersion>"` audit annotation as well. ([#92842](https://github.com/kubernetes/kubernetes/pull/92842), [@liggitt](https://github.com/liggitt))...

    public void test_isLogFilename_withLogExtension() {
        assertTrue(AdminLogAction.isLogFilename("fess.log"));
        assertTrue(AdminLogAction.isLogFilename("crawler.log"));
        assertTrue(AdminLogAction.isLogFilename("audit.log"));
        assertTrue(AdminLogAction.isLogFilename("application-2024-01-01.log"));
    }

    @Test
    public void test_isLogFilename_withLogGzExtension() {

- `kube-apiserver` added:
  - `alpha` support (guarded by the `ServiceAccountTokenJTI` feature gate) for adding a `jti` (JWT ID) claim to service account tokens it issues, adding an `authentication.kubernetes.io/credential-id` audit annotation in audit logs when the tokens are issued, and `authentication.kubernetes.io/credential-id` entry in the extra user info when the token is used to authenticate.

	if err != nil {
		apiErr := errorCodes.ToAPIErr(ErrInvalidArgument)
		apiErr.Description = err.Error()
		writeErrorResponse(ctx, w, apiErr, r.URL)
		return
	}

	// Audit log tags.
	reqInfo := logger.GetReqInfo(ctx)
	reqInfo.SetTags("retention", config.String())

	configData, err := xml.Marshal(config)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)

- Added `auditAnnotations` to `ValidatingAdmissionPolicy`, enabling CEL to be used to add audit annotations to request audit events.
  Added `validationActions` to `ValidatingAdmissionPolicyBinding`, enabling validation failures to be handled by any combination of the warn, audit and deny enforcement actions. ([#115973](https://github.com/kubernetes/kubernetes/pull/115973), [@jpbetz](https://github.com/jpbetz))

  - kube-apiserver v1.25.4
  - kube-apiserver v1.24.8
  - kube-apiserver v1.23.14
  - kube-apiserver v1.22.16

This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit


**CVSS Rating:** Medium (6.5) [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

    /** The key of the configuration. e.g.  */
    String APP_AUDIT_LOG_FORMAT = "app.audit.log.format";

    /** The key of the configuration. e.g. true */
    String SCRIPT_AUDIT_LOG_ENABLED = "script.audit.log.enabled";

    /** The key of the configuration. e.g. 100 */
    String SCRIPT_AUDIT_LOG_MAX_LENGTH = "script.audit.log.max.length";

    /** The key of the configuration. e.g. -Djava.awt.headless=true<br>

        // Default constructor
    }

    /**
     * The logger.
     */
    protected Logger logger = null;

    /**
     * The logger name.
     */
    protected String loggerName = "fess.log.audit";

    /**
     * The permission separator.
     */
    protected String permissionSeparator = "|";

    /**
     * The flag to use ECS format.
     */
    protected boolean useEcsFormat = false;

- Updated an audit annotation key used by the `…/serviceaccounts/<name>/token` resource handler.