- Kube-apiserver can now specify `--authentication-token-webhook-version=v1` or `--authorization-webhook-version=v1` to use `v1` TokenReview and SubjectAccessReview API objects when communicating with authentication and authorization webhooks. ([#84768](https://github.com/kubernetes/kubernetes/pull/84768), [@liggitt](https://github.com/liggitt))

errors.failed_to_download_mapping_file = No se pudo descargar el archivo de mapeo.
errors.failed_to_upload_mapping_file = No se pudo cargar el archivo de mapeo.
errors.invalid_kuromoji_token={0} no es un token válido.
errors.invalid_kuromoji_segmentation=El número de divisiones de {0} no coincide con el número de divisiones de {1}.
errors.invalid_str_is_included = {1} no es válido en {0}.
errors.blank_password = Se requiere contraseña.

func parsePAXRecord(s string) (k, v, r string, err error) {
	// The size field ends at the first space.
	nStr, rest, ok := strings.Cut(s, " ")
	if !ok {
		return "", "", s, ErrHeader
	}

	// Parse the first token as a decimal integer.
	n, perr := strconv.ParseInt(nStr, 10, 0) // Intentionally parse as native int
	if perr != nil || n < 5 || n > int64(len(s)) {
		return "", "", s, ErrHeader
	}

- If BoundServiceAccountTokenVolume is enabled, cluster admins can use metric `serviceaccount_stale_tokens_total` to monitor workloads that are depending on the extended tokens. If there are no such workloads, turn off extended tokens by starting `kube-apiserver` with flag `--service-account-extend-token-expiration=false` ([#96273](https://github.com/kubernetes/kubernetes/pull/96273), [@zshihang](https://github.com/zshihang)) [SIG API Machinery and Auth]

			Key:   target.NATSUserCredentials,
			Value: cfg.UserCredentials,
		},
		config.KV{
			Key:   target.NATSPassword,
			Value: cfg.Password,
		},
		config.KV{
			Key:   target.NATSToken,
			Value: cfg.Token,
		},
		config.KV{
			Key:   target.NATSNKeySeed,
			Value: cfg.NKeySeed,
		},
		config.KV{
			Key:   target.NATSCertAuthority,
			Value: cfg.CertAuthority,
		},
		config.KV{

			closer.Close()
		}
	})
}

// NoAuthMiddleware no auth middle ware.
func NoAuthMiddleware(h http.Handler) http.Handler {
	return h
}

// AuthMiddleware checks if the bearer token is valid and authorized.
func AuthMiddleware(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tc, ok := r.Context().Value(mcontext.ContextTraceKey).(*mcontext.TraceCtxt)

모든 검증은 견고하면서 잘 확립된 **Pydantic**에 의해 처리됩니다.

### 보안과 인증

보안과 인증이 통합되어 있습니다. 데이터베이스나 데이터 모델과의 타협없이 사용할 수 있습니다.

다음을 포함하는, 모든 보안 스키마가 OpenAPI에 정의되어 있습니다.

* HTTP Basic.
* **OAuth2** (**JWT tokens** 또한 포함). [OAuth2 with JWT](tutorial/security/oauth2-jwt.md){.internal-link target=\_blank}에 있는 자습서를 확인해 보세요.
* 다음에 들어 있는 API 키:
    * 헤더.
    * 매개변수.
    * 쿠키 및 그 외.

* 驗證外來的型別，比如:
    * URL
    * Email
    * UUID


### 安全性及身份驗證

FastAPI 已經整合了安全性和身份驗證的功能，但不會強制與特定的資料庫或資料模型進行綁定。

OpenAPI 中定義的安全模式，包括：

* HTTP 基本認證。
* **OAuth2**（也使用 **JWT tokens**）。在 [OAuth2 with JWT](tutorial/security/oauth2-jwt.md){.internal-link target=_blank} 查看教學。
* API 密鑰，在：
    * 標頭（Header）
    * 查詢參數
    * Cookies，等等。

加上来自 Starlette（包括 **session cookie**）的所有安全特性。

    /** The key of the configuration. e.g. 60 */
    String API_ACCESS_TOKEN_LENGTH = "api.access.token.length";

    /** The key of the configuration. e.g. false */
    String API_ACCESS_TOKEN_REQUIRED = "api.access.token.required";

    /** The key of the configuration. e.g.  */
    String API_ACCESS_TOKEN_REQUEST_PARAMETER = "api.access.token.request.parameter";

    /** The key of the configuration. e.g. Radmin-api */

- The alpha feature `ServiceAccountIssuerDiscovery` enables publishing OIDC discovery information and service account token verification keys at `/.well-known/openid-configuration` and `/openid/v1/jwks` endpoints by API servers configured to issue service account tokens. ([#80724](https://github.com/kubernetes/kubernetes/pull/80724), [@cceckman](https://github.com/cceckman)) [SIG API Machinery, Auth, Cluster Lifecycle and Testing]