labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

- Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via a `authorizer`

object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection. By default, node users are authorized for create and patch requests but not delete requests against their node object. Since the NodeRestriction admission controller does not prevent patching OwnerReferences, a compromised node could leverage this vulnerability to delete and then recreate...

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

     * SearchHelper applies role-based access control filtering through
     * SearchRequestType.JSON and the role filter mechanism, ensuring
     * users only see documents they are authorized to access.
     * <p>
     * This is the primary extension point for subclasses to customize search behavior.
     *
     * @param query the search query
     * @param fields the field filters (e.g., label)

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

* `list`/`watch` API requests with a `fieldSelector` that specifies `metadata.name` can now be authorized as requests for an individual named resource ([#63469](https://github.com/kubernetes/kubernetes/pull/63469), [@wojtek-t](https://github.com/wojtek-t))