// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
  // +optional
  optional Probe livenessProbe = 10;

  // Periodic probe of container service readiness.
  // Container will be removed from service endpoints if the probe fails.
  // Cannot be updated.
  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
  // +optional

    - [Scheduling](#scheduling)
  - [Notable Features](#notable-features)
    - [Workloads API (apps/v1beta2)](#workloads-api-appsv1beta2)
      - [API Object Additions and Migrations](#api-object-additions-and-migrations)
      - [Behavioral Changes](#behavioral-changes)
      - [Defaults](#defaults)
    - [Workloads API (batch)](#workloads-api-batch)
      - [CLI Changes](#cli-changes)
      - [Scheduling](#scheduling-1)

- If BoundServiceAccountTokenVolume is enabled, cluster admins can use metric `serviceaccount_stale_tokens_total` to monitor workloads that are depending on the extended tokens. If there are no such workloads, turn off extended tokens by starting `kube-apiserver` with flag `--service-account-extend-token-expiration=false` ([#96273](https://github.com/kubernetes/kubernetes/pull/96273), [@zshihang](https://github.com/zshihang))...

A security issue was discovered in Kubernetes that could allow  Windows workloads to run as `ContainerAdministrator` even when those workloads set the `runAsNonRoot` option to `true `.

This issue has been rated low and assigned CVE-2021-25749

### Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

#### Affected Versions

    - [**Network**](#network-2)
    - [**Storage**](#storage-2)
    - [**Scheduling**](#scheduling-1)
    - [**Node**](#node-2)
  - [Notable Changes](#notable-changes)
    - [**Workloads API (apps/v1)**](#workloads-api-appsv1)
    - [**API Machinery**](#api-machinery-3)
      - [**Admission Control**](#admission-control)
      - [**API & API server**](#api-&-api-server)
      - [**Audit**](#audit)

extended lifetime so they remain valid even after a new refreshed token is provided. The metric `serviceaccount_stale_tokens_total` can be used to monitor for workloads that are depending on the extended lifetime and are continuing to use tokens even after a refreshed token is provided to the container. If that metric indicates no existing workloads are depending on extended lifetimes, injected token lifetime can be shortened to 1 hour by starting `kube-apiserver` with `--service-account-extend-token-expiration=false`....

### Bug or Regression

- Add `/sys/devices/virtual/powercap` to default masked paths. It avoids the potential security risk that the ability to read these files may offer a power-based sidechannel attack against any workloads running on the same kernel. ([#125970](https://github.com/kubernetes/kubernetes/pull/125970), [@carlory](https://github.com/carlory)) [SIG Node]

- Fix: azure file latency issue for metadata-heavy workloads ([#97082](https://github.com/kubernetes/kubernetes/pull/97082), [@andyzhangx](https://github.com/andyzhangx)) [SIG Cloud Provider and Storage]

#### StatefulSet
* [beta] StatefulSet supports [RollingUpdate](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates) and [OnDelete](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#on-delete) update strategies.

A security issue was discovered in Kubernetes that could allow  Windows workloads to run as `ContainerAdministrator` even when those workloads set the `runAsNonRoot` option to `true `.

This issue has been rated low and assigned CVE-2021-25749

**Am I vulnerable?**

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

**Affected Versions**: