The client-go credential plugins can now be passed in the current cluster information via the `KUBERNETES_EXEC_INFO` environment variable. Learn more about this on [client-go credential plugins documentation](https://docs.k8s.io/reference/access-authn-authz/authentication/#client-go-credential-plugins/).

### CronJob controller v2 is available through feature gate

- The `gcp` and `azure` auth plugins have been removed from client-go and kubectl. See https://github.com/Azure/kubelogin and https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke for details about the cloud-specific replacements. ([#110013](https://github.com/kubernetes/kubernetes/pull/110013), [@enj](https://github.com/enj)) [SIG API Machinery and Auth]

	"github.com/minio/minio/internal/logger"
	"github.com/minio/pkg/v3/env"
	xnet "github.com/minio/pkg/v3/net"
)

func authNLogIf(ctx context.Context, err error) {
	logger.LogIf(ctx, "authN", err)
}

// Authentication Plugin config and env variables
const (
	URL        = "url"
	AuthToken  = "auth_token"
	RolePolicy = "role_policy"
	RoleID     = "role_id"

* delegated authn/z: optionally opt-out of mandatory authn/authz kubeconfig ([#67545](https://github.com/kubernetes/kubernetes/pull/67545), [@sttts](https://github.com/sttts))

**Note**: This only impacts the cluster if the ServiceAccount admission plugin is used (most cluster should have this on by default as recommended in https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount), the `kubernetes.io/enforce-mountable-secrets` annotation is used by a service account (this annotation is not added by default), and Pods are using ephemeral containers.

**Affected Versions**:

        assertFalse(auth.matches("ftp://hoge/"));
        assertFalse(auth.matches("ftp://hoge"));
        assertFalse(auth.matches("ftp://"));
        assertFalse(auth.matches("http://hostname/"));
        assertFalse(auth.matches("http://hostname:21/"));
        assertFalse(auth.matches(""));
        assertFalse(auth.matches(null));

        // Test with different ports
        auth.setPort(8080);

        Kerb5Authenticator auth = new Kerb5Authenticator(subj, "DOM", "user", "pass");
        auth.setUser("alice");
        auth.setRealm("EXAMPLE.COM");
        auth.setService("cifs");
        auth.setUserLifeTime(123);
        auth.setLifeTime(456);
        auth.setForceFallback(true);

        Kerb5Authenticator cloned = auth.clone();

        assertNotSame(auth, cloned);

        @Override
        public HashMap getTrustedDomains(NtlmPasswordAuthentication auth) throws SmbAuthException {
            if (disabled || auth.domain == "?")
                return null;
            return super.getTrustedDomains(auth);
        }

        @Override
        public SmbTransport getDc(String domain, NtlmPasswordAuthentication auth) throws SmbAuthException {
            if (disabled)
                return null;

        JAASAuthenticator auth = spy(new JAASAuthenticator());
        // Avoid real JAAS by stubbing getSubject
        doReturn(new Subject()).when(auth).getSubject();

        // Act
        CredentialsInternal result = auth.renew();

        // Assert interaction and return value
        assertSame(auth, result);
        verify(auth, times(1)).getSubject();
    }

* Ensure the KUBE-MARK-DROP chain in kube-proxy mode=ipvs....