If you find evidence that this vulnerability has been exploited, please contact ******@****.***

**Additional Details**:

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/112192 

**Acknowledgements**:

This vulnerability was reported and fixed by Mark Rosetti (@marosset)

Otherwise, two types are identical if their <a href="#Types">underlying</a> type literals are
structurally equivalent; that is, they have the same literal structure and corresponding
components have identical types. In detail:
</p>

<ul>
	<li>Two array types are identical if they have identical element types and
	    the same array length.</li>

	<li>Two slice types are identical if they have identical element types.</li>

of the Kubernetes Workloads API. We plan to move them to v1 in an upcoming release, so you might want to plan your migration accordingly.

For more information, see [the issue that describes this work in detail](https://github.com/kubernetes/enhancements/issues/353)

#### API Object Additions and Migrations

- The DaemonSet, Deployment, ReplicaSet, and StatefulSet kinds
  are now in the apps/v1beta2 group and version.

`kubeadm` applies a number of deprecations and removals of deprecated features in this release. More details are available in the Urgent Upgrade Notes and Kind / Deprecation sections.

### Pod Hostname as FQDN graduates to Beta

  
  When configuring a JWT authenticator:
  
  If username.expression uses 'claims.email', then 'claims.email_verified' must be used in
  username.expression or extra[*].valueExpression or claimValidationRules[*].expression.
  An example claim validation rule expression that matches the validation automatically
  applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'. 

    clusters post upgrade where kubelet hard eviction has been turned on for
    memory. To opt-out set `--experimental-allocatable-ignore-eviction=true`.
  * More details on these feature here:
    https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/
* Drop the support for docker 1.9.x. Docker versions 1.10.3, 1.11.2, 1.12.6
  have been validated.

    - [How do I mitigate this vulnerability?](#how-do-i-mitigate-this-vulnerability)
      - [Fixed Versions](#fixed-versions)
    - [Detection](#detection)
      - [Additional Details](#additional-details)
      - [Acknowledgements](#acknowledgements)
  - [Changes by Kind](#changes-by-kind-2)
    - [Bug or Regression](#bug-or-regression-2)
  - [Dependencies](#dependencies-3)
    - [Added](#added-3)

- cloud.google.com/go/redis: v1.11.0 → v1.13.1
- cloud.google.com/go/resourcemanager: v1.7.0 → v1.9.1
- cloud.google.com/go/resourcesettings: v1.5.0 → v1.6.1
- cloud.google.com/go/retail: v1.12.0 → v1.14.1
- cloud.google.com/go/run: v0.9.0 → v1.2.0
- cloud.google.com/go/scheduler: v1.9.0 → v1.10.1
- cloud.google.com/go/secretmanager: v1.10.0 → v1.11.1
- cloud.google.com/go/security: v1.13.0 → v1.15.1

* OIDC authentication now allows tokens without an "email_verified" claim when using the "email" claim. If an "email_verified" claim is present when using the "email" claim, it must be `true`. ([#61508](https://github.com/kubernetes/kubernetes/pull/61508), [@rithujohn191](https://github.com/rithujohn191))

## Changelog since v1.7.13

### Other notable changes

* Fixes CVE-2017-1002101 - See https://issue.k8s.io/60813 for details ([#61047](https://github.com/kubernetes/kubernetes/pull/61047), [@liggitt](https://github.com/liggitt))