// Improved attribute caching with more granular cache validation
        long currentTime = System.currentTimeMillis();
        if (this.attrExpiration > currentTime) {
            log.trace("Using cached attributes (expires in {}ms)", this.attrExpiration - currentTime);
            return this.isExists;
        }

        // Fast path for already resolved existence with recent cache

 Extended resources cannot be overcommitted, so make sure that request and limit are equal
 if both are present in a container spec.

 - The default Bootstrap Token created with `kubeadm init` v1.8 expires
 and is deleted after 24 hours by default to limit the exposure of the
 valuable credential. You can create a new Bootstrap Token with
 `kubeadm token create` or make the default token permanently valid by specifying

        .addHeader("icy-url:http://www.A2Rradio.com")
        .addHeader("Server: Icecast 2.3.3-kh8")
        .addHeader("Cache-Control: no-cache")
        .addHeader("Pragma: no-cache")
        .addHeader("Expires: Mon, 26 Jul 1997 05:00:00 GMT")
        .addHeader("icy-metaint:16000")
        .body("mp3 data")
        .build(),
    )
    val response = getResponse(newRequest("/"))

		Client:      s.TestSuiteCommon.client,
		STSEndpoint: s.endPoint,
		GetWebIDTokenExpiry: func() (*cr.WebIdentityToken, error) {
			return &cr.WebIdentityToken{
				Token:  token,
				Expiry: 900,
			}, nil
		},
	}

	// Create policy - with name as one of the groups in OpenID the user is
	// a member of.
	policy := "projecta"
	policyTmpl := `{
 "Version": "2012-10-17",

		"Content-Encoding",
		"Content-Length",
		"Content-Type",
		"Content-Disposition",
		"Last-Modified",
		"Content-Language",
		"Cache-Control",
		"Retry-After",
		"X-Amz-Bucket-Region",
		"Expires",
		"X-Amz*",
		"X-Amz*",
		"*",
	}
	expectedMap.Set("Vary", "Origin")

	req, _ := http.NewRequest(http.MethodOptions, s.endPoint, nil)
	req.Header.Set("Origin", "http://foobar.com")

- Added two client certificate metrics for exec auth:
    - `rest_client_certificate_expiration_seconds` a gauge reporting the lifetime of the current client certificate. Reports the time of expiry in seconds since January 1, 1970 UTC.

* Native support for token based bootstrap flow.  This includes signing a well known ConfigMap in the `kube-public` namespace and cleaning out expired tokens. ([#36101](https://github.com/kubernetes/kubernetes/pull/36101), [@jbeda](https://github.com/jbeda))

### ConfigMap

- Allow ImageReview backend to return annotations to be added to the created pod. ([#64597](https://github.com/kubernetes/kubernetes/pull/64597), [@wteiken](https://github.com/wteiken))

- Fixed an issue blocking azure auth to prompt to device code authentication flow when refresh token expires. ([#102063](https://github.com/kubernetes/kubernetes/pull/102063), [@tdihp](https://github.com/tdihp))

- Kube-apiserver now deletes expired kube-apiserver Lease objects:
  - The feature is under feature gate `APIServerIdentity`.