<li>The scope of an identifier denoting a constant, type, variable,
	    or function (but not method) declared at top level (outside any
	    function) is the package block.</li>

	<li>The scope of the package name of an imported package is the file block
	    of the file containing the import declaration.</li>

es/kubernetes/issues/49213](https://github.com/kubernetes/kubernetes/issues/49213) sig-cluster-lifecycle has decided to phase out the cluster/ directory over the next couple of releases in favor of deployment automations maintained outside of the core repo and outside of kubernetes orgs. ([@kubernetes/sig-cluster-lifecycle-misc](https://github.com/orgs/kubernetes/teams/sig-cluster-lifecycle-misc))

    * Remove deprecated ContainerVM support from GCE kube-up.  ([#58247](https://githu...

* kubectl cp now safely allows unpacking of symlinks that may point outside the destination directory ([#82384](https://github.com/kubernetes/kubernetes/pull/82384), [@tallclair](https://github.com/tallclair))

  If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the
  admission check that was being performed is aborted; the `failurePolicy` for the ValidatingAdmissionPolicy
  determines the outcome. ([#115747](https://github.com/kubernetes/kubernetes/pull/115747), [@cici37](https://github.com/cici37))
- Added `auditAnnotations` to `ValidatingAdmissionPolicy`, enabling CEL to be used to add audit annotations to request audit events.

### Scheduling

  - Opaque Integer Resources (OIRs) are deprecated and will be removed in
    version 1.9. Extended Resources (ERs) are a drop-in replacement for OIRs. You can use
    any domain name prefix outside of the `kubernetes.io/` domain instead of the
    `pod.alpha.kubernetes.io/opaque-int-resource-` prefix.

## Notable Features

### Workloads API (apps/v1beta2)

* kubectl cp now safely allows unpacking of symlinks that may point outside the destination directory ([#82384](https://github.com/kubernetes/kubernetes/pull/82384), [@tallclair](https://github.com/tallclair))

- Fixed NetworkPolicy validation that `Except` values are accepted when they are outside the CIDR range. ([#86578](https://github.com/kubernetes/kubernetes/pull/86578), [@tnqn](https://github.com/tnqn)) [SIG Network]

### CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

A security issue was discovered in Kubernetes where a user may be able to
create a container with subpath volume mounts to access files &
directories outside of the volume, including on the host filesystem.

**Affected Versions**:
  - kubelet v1.22.0 - v1.22.1
  - kubelet v1.21.0 - v1.21.4
  - kubelet v1.20.0 - v1.20.10
  - kubelet <= v1.19.14

### CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

A security issue was discovered in Kubernetes where a user may be able to
create a container with subpath volume mounts to access files &
directories outside of the volume, including on the host filesystem.

**Affected Versions**:
  - kubelet v1.22.0 - v1.22.1
  - kubelet v1.21.0 - v1.21.4
  - kubelet v1.20.0 - v1.20.10
  - kubelet <= v1.19.14

- Fixed bug which caused the status of Indexed Jobs to only be updated when there are newly completed indexes. The completed indexes are now updated if the .status.completedIndexes has values outside of the [0, .spec.completions> range ([#115462](https://github.com/kubernetes/kubernetes/pull/115462), [@danielvegamyhre](https://github.com/danielvegamyhre)) [SIG Apps]