* After a kubelet rotates its client cert, it now closes its connections to the API server to force a handshake using the new cert. Previously, the kubelet could keep its existing connection open, even if the cert used for that connection was expired and rejected by the API server. ([#49899](https://github.com/kubernetes/kubernetes/pull/49899), [@ericchiang](https://github.com/ericchiang))

* Native support for token based bootstrap flow.  This includes signing a well known ConfigMap in the `kube-public` namespace and cleaning out expired tokens. ([#36101](https://github.com/kubernetes/kubernetes/pull/36101), [@jbeda](https://github.com/jbeda))

### ConfigMap

- Allow ImageReview backend to return annotations to be added to the created pod. ([#64597](https://github.com/kubernetes/kubernetes/pull/64597), [@wteiken](https://github.com/wteiken))

- Kube-apiserver now deletes expired kube-apiserver Lease objects:
  - The feature is under feature gate `APIServerIdentity`.

        assertNull(path);

        Integer expire = provider.provideDefaultExpire();
        assertNull(expire);
    }

    // Test with different expire values
    @Test
    public void test_differentExpireValues() {
        int[] testExpires = { 0, 1, 60, 3600, 86400, Integer.MAX_VALUE };

        for (int expire : testExpires) {

	Inlined bool

	DataBlocks   int
	ParityBlocks int
}

// ExpiresStr returns a stringified version of Expires header in http.TimeFormat
func (o ObjectInfo) ExpiresStr() string {
	var expires string
	if !o.Expires.IsZero() {
		expires = o.Expires.UTC().Format(http.TimeFormat)
	}
	return expires
}

// ArchiveInfo returns any saved zip archive meta information.
// It will be decrypted if needed.

```
...
        "MetaUsr": {
         "X-Amz-Restore-Expiry-Days": "4",
          "X-Amz-Restore-Request-Date": "Mon, 22 Feb 2021 21:10:09 GMT",
          "x-amz-restore": "ongoing-request=false, expiry-date=Sat, 27 Feb 2021 00:00:00 GMT",
...
```

        } else {
            crawlingInfo.setName(Constants.CRAWLING_INFO_SYSTEM_NAME);
        }
        if (dayForCleanup >= 0) {
            final long expires = getExpiredTime(dayForCleanup);
            crawlingInfo.setExpiredTime(expires);
            documentExpires = expires;
        }
        try {
            getCrawlingInfoService().store(crawlingInfo);
        } catch (final Exception e) {

	LastModified       = "Last-Modified"
	Date               = "Date"
	ETag               = "ETag"
	ContentType        = "Content-Type"
	ContentMD5         = "Content-Md5"
	ContentEncoding    = "Content-Encoding"
	Expires            = "Expires"
	ContentLength      = "Content-Length"
	ContentLanguage    = "Content-Language"
	ContentRange       = "Content-Range"
	Connection         = "Connection"
	AcceptRanges       = "Accept-Ranges"

	if err != nil {
		t.Fatal("Failed to parse batch-job-expire yaml", err)
	}
	if !slices.Equal(job.Expire.Prefix.F(), []string{"myprefix"}) {
		t.Fatal("Failed to parse batch-job-expire yaml")
	}

	multiPrefixExpireYaml := `
expire: # Expire objects that match a condition
  apiVersion: v1
  bucket: mybucket # Bucket where this batch job will expire matching objects from