* The node authorizer now allows nodes to request service account tokens for the service accounts of pods running on them. This allows agents using the node identity to take actions on behalf of local pods. ([#55019](https://github.com/kubernetes/kubernetes/pull/55019), [@mikedanese](https://github.com/mikedanese))

	if err != nil || numEntries < 0 || int(2*numEntries) < int(numEntries) {
		return nil, ErrHeader
	}

	// Parse for all member entries.
	// numEntries is trusted after this since feedTokens limits the number of
	// tokens based on maxSpecialFileSize.
	if err := feedTokens(2 * numEntries); err != nil {
		return nil, err
	}
	spd := make(sparseDatas, 0, numEntries)
	for i := int64(0); i < numEntries; i++ {

  - `--service-account-key-file`, set to one or more files containing one or more public keys used to verify tokens.

- Promoted the `ServiceAccountTokenJTI` feature to GA, which adds a `jti` claim to issued service account tokens and embeds the `jti` claim as a `authentication.kubernetes.io/credential-id=["JTI=..."]` value in user extra info

				iamLogIf(ctx, nerr.Err)
			}
		}
	}
	return updatedAt, nil
}

// RevokeTokens - revokes all STS tokens, or those of specified type, for a user
// If `tokenRevokeType` is empty, all tokens are revoked.
func (sys *IAMSys) RevokeTokens(ctx context.Context, accessKey, tokenRevokeType string) error {
	if !sys.Initialized() {
		return errServerNotInitialized
	}

* **[alpha]** New Bootstrap Token authentication and management method. Works well with kubeadm. kubeadm now supports managing tokens, including time based expiration, after the cluster is launched.  See [kubeadm reference docs](https://kubernetes.io/docs/admin/kubeadm/#manage-tokens) for details.
* **[alpha]** Adds a new cloud-controller-manager binary that may be used for testing the new out-of-core cloudprovider flow.

* vSphere: Fix attach volume failing on the first try. ([#51217](https://github.com/kubernetes/kubernetes/pull/51217), [@BaluDontu](https://github.com/BaluDontu))
* azure: support retrieving access tokens via managed identity extension ([#48854](https://github.com/kubernetes/kubernetes/pull/48854), [@colemickens](https://github.com/colemickens))

labels.boost_document_rule_list=Lista de regras de boost de documento
labels.bad_word_list=Lista de palavras proibidas
labels.backup_list=Lista de backups
labels.access_token_list=Lista de tokens de acesso
labels.suggest_search_log_enabled=Sugerir por termo de pesquisa
labels.suggest_documents_enabled=Sugerir por documentos
labels.purge_suggest_search_log_day=Excluir informações de sugestão anteriores

labels.boost_document_rule_list=Lista de reglas de impulso de documentos
labels.bad_word_list=Lista de palabras prohibidas
labels.backup_list=Lista de copias de seguridad
labels.access_token_list=Lista de tokens de acceso
labels.suggest_search_log_enabled=Sugerir por término de búsqueda
labels.suggest_documents_enabled=Sugerir por documentos
labels.purge_suggest_search_log_day=Eliminar información de sugerencias anterior

	res := map[string]ParentUserInfo{}
	for _, ui := range cache.iamUsersMap {
		cred := ui.Credentials
		// Only consider service account or STS credentials with
		// non-empty session tokens.
		if (!cred.IsServiceAccount() && !cred.IsTemp()) ||
			cred.SessionToken == "" {
			continue
		}

		var (
			err    error
			claims *jwt.MapClaims
		)