### **Cluster Lifecycle**

*   You must either specify the `--discovery-token-ca-cert-hash` flag to `kubeadm join`, or opt out of the CA pinning feature using `--discovery-token-unsafe-skip-ca-verification`.
*   The default `auto-detect` behavior of the kubelet's `--cloud-provider` flag is removed.

* `--service-account-lookup` now defaults to true, requiring the Secret API object containing the token to exist in order for a service account token to be valid. This enables service account tokens to be revoked by deleting the Secret object containing the token. ([#44071](https://github.com/kubernetes/kubernetes/pull/44071), [@liggitt](https://github.com/liggitt))

labels.purgeUserInfoDay=刪除以前的使用者日誌
labels.reading=讀音
labels.roleTypeIds=角色ID
labels.scriptData=腳本
labels.scriptResult=結果
labels.scriptType=執行方法
labels.segmentation=分段
labels.startTime=開始時間
labels.target=目標
labels.token=令牌
labels.synonymFile=同義詞檔案
labels.stopwordsFile=停用詞檔案
labels.stemmerOverrideFile=詞幹覆蓋檔案
labels.mappingFile=映射檔案
labels.protwordsFile=Protwords檔案
labels.kuromojiFile=Kuromoji檔案
labels.elevateWordFile=提升詞檔案

                return appValue.get();
            }

            @Override
            public String getAppEncryptPropertyPattern() {
                return ".*password|.*key|.*token|.*secret";
            }
        });
        final String now = String.valueOf(System.currentTimeMillis());
        helper.updateSystemProperties();
        assertNull(System.getProperty("fess." + now));

    /** The key of the message: Target */
    public static final String LABELS_TARGET = "{labels.target}";

    /** The key of the message: Token */
    public static final String LABELS_TOKEN = "{labels.token}";

    /** The key of the message: Synonym File */
    public static final String LABELS_SYNONYM_FILE = "{labels.synonymFile}";

    /** The key of the message: Stopwords File */

### VMware

- SAML token delegation (required for Zones support in vSphere) is now supported ([#78876](https://github.com/kubernetes/kubernetes/pull/78876), [@dougm](https://github.com/dougm))
- vSphere SAML token auth is now supported when using Zones ([#75515](https://github.com/kubernetes/kubernetes/pull/75515), [@dougm](https://github.com/dougm))

ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). ([#108309](https://github.com/kubernetes/kubernetes/pull/108309), [@zshihang](https://github.com/zshihang))...

* Some components like kube-dns and kube-proxy could fail to load the service account token when started within a pod. Properly handle empty configurations to try loading the service account config. ([#31947](https://github.com/kubernetes/kubernetes/pull/31947), [@smarterclayton](https://github.com/smarterclayton))

* Google Compute Engine PD Detach fails if node no longer exists ([29358](https://github.com/kubernetes/kubernetes/issues/29358))
* Mounting (only 'default-token') volume takes a long time when creating a batch of pods  (parallelization issue) ([28616](https://github.com/kubernetes/kubernetes/issues/28616))

- Upon receiving a LIST request with an expired continue token, the apiserver now returns a continue token together with the 410 "the from parameter is too old" error. If the client does not care about getting a list from a consistent snapshot, the client can use this token to continue listing from the next key, but the returned chunk will be from the latest snapshot. ([#67284](https://github.com/kubernetes/kubernetes/pull/67284),...