* Role bindings since the default scopes now include the "userinfo.email"
    * scope. This is a breaking change if the numeric uniqueIDs of the Google
    * service accounts were being used in RBAC role bindings. The behavior
    * can be overridden by explicitly specifying the scope values as
    * comma-separated string in the "users[*].config.scopes" field in the
    * KUBECONFIG file.

### Not Very Notable (that is, non-user-facing)

- Unit tests have been added for scopes and scope selectors in the quota spec ([#66351](https://github.com/kubernetes/kubernetes/pull/66351), [@vikaschoudhary16](https://github.com/vikaschoudhary16)) Courtesy of SIG Node, and SIG Scheduling

- Volume mount cleanup now considers only plugin directory and not the entire kubelet root ([#112607](https://github.com/kubernetes/kubernetes/pull/112607), [@mattcary](https://github.com/mattcary))
- `kubectl` now escapes terminal special characters in output. This fixes CVE-2021-25743.
   ([#112553](https://github.com/kubernetes/kubernetes/pull/112553), [@dgl](https://github.com/dgl))

### Other (Cleanup or Flake)

  * The oidc client plugin has reduce round trips and fix scopes requested ([#45317](https://github.com/kubernetes/kubernetes/pull/45317), [@ericchiang](https://github.com/ericchiang))