[overwrite of manual edits to GCP Health Checks](https://github.com/kubernetes/ingress/issues/842)
  managed by the GLBC Ingress Controller. This can cause the health checks to start failing,
  requiring you to reapply the manual edits.
  * This issue does not affect clusters that were already running Kubernetes v1.6.4 or higher.
  * This issue does not affect Health Checks that were left in the configuration

- Kubeadm: during kubelet health checks, respect the healthz address:port configured in the KubeletConfiguration instead of hardcoding localhost:10248. ([#125265](https://github.com/kubernetes/kubernetes/pull/125265), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]

* RBAC: all configured authorizers are now checked to determine if an RBAC role or clusterrole escalation (setting permissions the...

* kubeadm: use the CRI for preflights checks ([#55055](https://github.com/kubernetes/kubernetes/pull/55055), [@runcom](https://github.com/runcom))

## Release Notes From SIGs

### SIG API Machinery

- The OwnerReferencesPermissionEnforcement admission plugin now checks authorization for the correct scope (namespaced or cluster-scoped) of the owner resource type. Previously, it always checked permissions at the same scope as the child resource. ([#70389](https://github.com/kubernetes/kubernetes/pull/70389), [@caesarxuchao](https://github.com/caesarxuchao))

- Upon successful authorization check, an impersonated user is added to the system:authenticated group.
  system:anonymous when impersonated is added to the system:unauthenticated group. ([#94410](https://github.com/kubernetes/kubernetes/pull/94410), [@tkashem](https://github.com/tkashem)) [SIG API Machinery and Testing]

- kubeadm no longer performs IPVS checks as part of its preflight checks ([#81791](https://github.com/kubernetes/kubernetes/pull/81791), [@yastij](https://github.com/yastij))
- kubeadm: fix for HTTPProxy check for IPv6 addresses ([#82267](https://github.com/kubernetes/kubernetes/pull/82267), [@kad](https://github.com/kad))

- Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via a `authorizer`

- Removed `/livez` livezchecks for KMS v1 and v2 to ensure KMS health does not cause `kube-apiserver` restart. KMS health checks are still in place as a healthz and readiness checks. ([#120583](https://github.com/kubernetes/kubernetes/pull/120583), [@ritazh](https://github.com/ritazh))

* kubeadm: fix "upgrade plan" not defaulting to a "stable" version if no version argument is passed ([#75900](https://github.com/kubernetes/kubernetes/pull/75900), [@neolit123](https://github.com/neolit123))