#### Auth

- The Rancher credential provider has now been removed. This only affects you if you are using the downstream Rancher distro. ([#77099](https://github.com/kubernetes/kubernetes/pull/77099), [@dims](https://github.com/dims))


#### AWS

- Fixed a bug in kube-proxy nftables mode (GA as of 1.33) that fails to determine if traffic originates from a local source on the node. The issue was caused by using the wrong meta `iif` instead of `iifname` for name based matches. ([#134117](https://github.com/kubernetes/kubernetes/pull/134117),...

Shoutout to Angular https://github.com/angular/angular/blob/12.2.x/packages/core/src/sanitization/url_sanitizer.ts\n */\nconst SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file|sms):|[^#&/:?]*(?:[#/?]|$))/i\n\n/**\n * A pattern that matches safe data URLs. Only matches image, video and audio types.\n *\n * Shoutout to Angular https://github.com/angular/angular/blob/12.2.x/packages/core/src/sanitization/url_sanitizer.ts\n */\nconst DATA_URL_PATTERN = /^data:(?:image\\/(?:bmp|gif|jpeg|jpg|png|tiff|...

    enum-like constants. Application code that uses enum methods on cipher
    suites (`ordinal()`, `name()`, etc.) will break with this change.

 *  Fix: `CertificatePinner` now matches canonicalized hostnames. Previously
    this was case sensitive. This change should also make it easier to configure
    certificate pinning for internationalized domain names.

// actions. The permission of the parent user is checked first
func (sys *IAMSys) IsAllowedServiceAccount(args policy.Args, parentUser string) bool {
	// Verify if the parent claim matches the parentUser.
	p, ok := args.Claims[parentClaim]
	if ok {
		parentInClaim, ok := p.(string)
		if !ok {
			// Reject malformed/malicious requests.
			return false
		}

	public fun equals (Ljava/lang/Object;)Z
	public final fun expiresAt ()J
	public fun hashCode ()I
	public final fun hostOnly ()Z
	public final fun httpOnly ()Z
	public final fun matches (Lokhttp3/HttpUrl;)Z
	public final fun name ()Ljava/lang/String;
	public final fun newBuilder ()Lokhttp3/Cookie$Builder;
	public static final fun parse (Lokhttp3/HttpUrl;Ljava/lang/String;)Lokhttp3/Cookie;

   * The main mime type should be the canonical one, use aliases for any
     other widely used forms
   * Where there's a hierarchy in the types, list it via a parent
   * Highly specific magic matches get a high priority
   * General magic matches which could trigger a false-positive need
     a low one
   * The priority for containers normally need to be higher than for
     the things they contain, so they don't accidently get detected

		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
		return
	}

	if (cred.IsTemp() || cred.IsServiceAccount()) && cred.ParentUser == accessKey {
		// Incoming access key matches parent user then we should
		// reject password change requests.
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
		return
	}

    to strings.
*   Add `string_to_index_table`, which returns a lookup table that matches
    strings to indices.
*   Add a `ParallelForWithWorkerId` function.
*   Add `string_to_index_table`, which returns a lookup table that matches
    strings to indices.
*   Support restore session from checkpoint files in v2 in
    `contrib/session_bundle`.

### Bug or Regression

- EndpointSlice IP validation now matches Endpoints IP validation. ([#101084](https://github.com/kubernetes/kubernetes/pull/101084), [@robscott](https://github.com/robscott)) [SIG Apps and Network]