[Default: false]'
                type: boolean
              bpfEnforceRPF:
                description: 'BPFEnforceRPF enforce strict RPF on all host interfaces
                  with BPF programs regardless of what is the per-interfaces or global
                  setting. Possible values are Disabled, Strict or Loose. [Default:

			return
		}

		if sc.tlsState.ServerName == "" {
			// Client must use SNI, but we don't enforce that anymore,
			// since it was causing problems when connecting to bare IP
			// addresses during development.
			//
			// TODO: optionally enforce? Or enforce at the time we receive
			// a new request, and verify the ServerName matches the :authority?

  - [Changelog since v1.26.5](#changelog-since-v1265)
  - [Important Security Information](#important-security-information-2)
    - [CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2023-2728-bypassing-enforce-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-9)
    - [Feature](#feature-9)

  - [Changelog since v1.25.10](#changelog-since-v12510)
  - [Important Security Information](#important-security-information-2)
    - [CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2023-2728-bypassing-enforce-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-4)
    - [Feature](#feature-4)

* New Kubelet flag `--enforce-node-allocatable` with a default value of `pods` is added which will make kubelet create a top level cgroup for all pods to enforce Node Allocatable. Optionally, `system-reserved` & `kube-reserved` values can also be specified separated by comma to enforce node allocatable on cgroups specified via `--system-reserved-cgroup` & `--kube-reserved-cgroup` respectively. Note the...

  - [Changelog since v1.27.2](#changelog-since-v1272)
  - [Important Security Information](#important-security-information-3)
    - [CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2023-2728-bypassing-enforce-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-12)
    - [Feature](#feature-11)

	// to start, and allow all already-running pods to continue running.
	// Enforced by the scheduler.
	TaintEffectNoSchedule TaintEffect = "NoSchedule"
	// Like TaintEffectNoSchedule, but the scheduler tries not to schedule
	// new pods onto the node, rather than prohibiting new pods from scheduling
	// onto the node entirely. Enforced by the scheduler.
	TaintEffectPreferNoSchedule TaintEffect = "PreferNoSchedule"

  // +optional
  optional ScopeSelector scopeSelector = 3;
}

// ResourceQuotaStatus defines the enforced hard limits and observed use.
message ResourceQuotaStatus {
  // Hard is the set of enforced hard limits for each named resource.
  // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
  // +optional

	"binaryData": "BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet.",...

### Extensibility around core Kubernetes APIs

#### CustomResourceDefinitions Pruning