- [Important Security Information](#important-security-information)
    - [CVE-2025-5187: Nodes can delete themselves by adding an OwnerReference](#cve-2025-5187-nodes-can-delete-themselves-by-adding-an-ownerreference)
  - [Changes by Kind](#changes-by-kind-2)
    - [Feature](#feature-2)
    - [Bug or Regression](#bug-or-regression-2)
  - [Dependencies](#dependencies-2)
    - [Added](#added-2)

// Submitted by registry <******@****.***>
bv

// bw : https://www.iana.org/domains/root/db/bw.html
// http://www.gobin.info/domainname/bw.doc
// list of other 2nd level tlds ?
bw
co.bw
org.bw

// by : https://www.iana.org/domains/root/db/by.html
// http://tld.by/rules_2006_en.html
// list of other 2nd level tlds ?
by
gov.by
mil.by

* kubeadm now makes the CoreDNS container more secure by dropping (root) capabilities and improves the integrity of the container by running the whole container in read-only.  ([#64473](https://github.com/kubernetes/kubernetes/pull/64473), [@nberlee](https://github.com/nberlee))

  - [Important Security Information](#important-security-information-1)
    - [CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2024-3177-bypassing-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-3)
    - [Feature](#feature-2)
    - [Bug or Regression](#bug-or-regression-3)
  - [Dependencies](#dependencies-3)
    - [Added](#added-3)

  - [Important Security Information](#important-security-information-2)
    - [CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2024-3177-bypassing-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-11)
    - [Feature](#feature-7)
    - [Bug or Regression](#bug-or-regression-8)
  - [Dependencies](#dependencies-11)

  - [Important Security Information](#important-security-information)
    - [CVE-2025-5187: Nodes can delete themselves by adding an OwnerReference](#cve-2025-5187-nodes-can-delete-themselves-by-adding-an-ownerreference)
  - [Changes by Kind](#changes-by-kind-3)
    - [API Change](#api-change)
    - [Feature](#feature-3)
    - [Bug or Regression](#bug-or-regression-3)
  - [Dependencies](#dependencies-3)

- Fixed admission metrics in seconds. ([#72343](https://github.com/kubernetes/kubernetes/pull/72343), [@danielqsj](https://github.com/danielqsj))
- When a watch is closed by an HTTP2 load balancer and we are told to go away, skip printing the message to stderr by default.
- Spedup kubectl by >10 when calling out to kube-apiserver for discovery information. ([#73345](https://github.com/kubernetes/kubernetes/pull/73345), [@sttts](https://github.com/sttts))

  - kubelet 1.30.9
  - kubelet 1.31.5
  - kubelet 1.32.1

This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.


**CVSS Rating:** Medium (5.9) [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)

## Changes by Kind

### API Change

  - [Changes by Kind](#changes-by-kind-11)
    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-4)
  - [Dependencies](#dependencies-12)
    - [Added](#added-12)
    - [Changed](#changed-12)
    - [Removed](#removed-12)
- [v1.18.7](#v1187)
  - [Downloads for v1.18.7](#downloads-for-v1187)
- [Changelog since v1.18.6](#changelog-since-v1186)
  - [Changes by Kind](#changes-by-kind-12)

- Feature gates CSIMigration to Beta (on by default) and CSIMigrationGCE to Beta (off by default since it requires installation of the GCE PD CSI Driver) ([#85231](https://github.com/kube...