m:    metaCacheEntries{inputSerialized[0], inputSerialized[0], inputSerialized[0], inputSerialized[2]},
			r:    metadataResolutionParams{dirQuorum: 1, objQuorum: 1, strict: true},
			// We get the both versions, since we only request quorum 1
			wantSelected: &inputSerialized[2],
			wantOk:       true,
		},
		{
			name:         "additional version, quorum two",

## Changes to API Resources
### ABAC
* ABAC policies using `"user":"*"` or `"group":"*"` to match all users or groups will only match authenticated requests. To match unauthenticated requests, ABAC policies must explicitly specify `"group":"system:unauthenticated"` ([#38968](https://github.com/kubernetes/kubernetes/pull/38968), [@liggitt](https://github.com/liggitt))

### Admission Control

                                execution. While this /may/ work fine, please look for plugin updates and/or \
                                request plugins be made thread-safe. If reporting an issue, report it against the \
                                plugin in question, not against Apache Maven.""")) {
                        logger.warn(s);
                    }

- Apiserver add a new flag --goaway-chance which is the fraction of requests that will be closed gracefully(GOAWAY) to prevent HTTP/2 clients from getting stuck on a single apiserver. 
  After the connection closed(received GOAWAY), the client's other in-flight requests won't be affected, and the client will reconnect. 
  The flag min value is 0 (off), max is .02 (1/50 requests); .001 (1/1000) is a recommended starting point.

        }
    }

    /**
     * Executes a request within the context of an open file handle
     *
     * @param <T> the response type
     * @param th the tree handle
     * @param first the first request to execute
     * @param others additional requests to chain
     * @return the response from the first request
     * @throws CIFSException if an error occurs
     */

- Kube-apiserver: Added Alpha features to allow API server authz to check the context of requests:
  - The `AuthorizeWithSelectors` feature gate enables including field and label selector information from requests in webhook authorization calls.

- The apiserver debug endpoint `/debug/api_priority_and_fairness/dump_requests` has been extended to dump executing requests as well as queued ones.  A column for StartTime has been added to the returned table, with the queued requests having a StartTime of "0001-01-01T00:00:00Z".  The executing requests have a RequestIndexInQueue of -1, and the QueueIndex is also -1 for priority levels without queues. ([#119009](https://github.com/kubernetes/kubernetes/pull/119009),...

labels.labeltype_details=Labeltype 詳情
labels.pathmap_details=Pathmap 詳情
labels.related_content_details=Related Content 詳情
labels.related_query_details=Related Query 詳情
labels.request_header_details=Request Header 詳情
labels.role_details=Role 詳情
labels.scheduledjob_details=Scheduledjob 詳情
labels.search_log_details=Search Log 詳情
labels.user_details=User 詳情
labels.web_auth_details=Web Auth 詳情

  - Adds apiserver.latency.k8s.io/authorization annotation to the audit log to record the time spent authorizing slow requests. ([#130571](https://github.com/kubernetes/kubernetes/pull/130571), [@hakuna-matatah](https://github.com/hakuna-matatah)) [SIG Auth]

attacks may choose not to enable the kube-apiserver mitigation to avoid disrupting load balancer → kube-apiserver connections if http/2 requests from multiple clients share the same backend connection. An API server on a private network may choose not to enable the kube-apiserver mitigation to prevent performance regressions for unauthenticated clients. Authenticated requests rely on the fix in golang.org/x/net v0.17.0 alone. https://issue.k8s.io/121197 tracks further mitigation of http/2 attacks by authenticated...