-->
    <root-XML localName="html"/>
    <root-XML localName="HTML"/>
    <root-XML localName="link"/>
    <root-XML localName="LINK"/>
    <root-XML localName="body"/>
    <root-XML localName="BODY"/>
    <root-XML localName="p"/>
    <root-XML localName="P"/>
    <root-XML localName="script"/>
    <root-XML localName="SCRIPT"/>
    <root-XML localName="frameset"/>

  // +optional
  optional int64 runAsGroup = 6;

  // Indicates that the container must run as a non-root user.
  // If true, the Kubelet will validate the image at runtime to ensure that it
  // does not run as UID 0 (root) and fail to start the container if it does.
  // If unset or false, no such validation will be performed.

    /** The key of the configuration. e.g. false */
    String CRAWLER_IGNORE_ROBOTS_TXT = "crawler.ignore.robots.txt";

    /** The key of the configuration. e.g. false */
    String CRAWLER_IGNORE_ROBOTS_TAGS = "crawler.ignore.robots.tags";

    /** The key of the configuration. e.g. true */
    String CRAWLER_IGNORE_CONTENT_EXCEPTION = "crawler.ignore.content.exception";

- kube-dns add-on:
  - All containers are now being executed under more restrictive privileges.
  - Most of the containers now run as non-root user and has the root filesystem set as read-only.
  - The remaining container running as root only has the minimum Linux capabilities it requires to run.

* Changed ext3/ext4 volume creation to not reserve any portion of the volume for the root user. When creating ext3/ext4 volume, mkfs defaults to reserving 5% of the volume for the super-user (root). This patch changes the mkfs to pass -m0 to disable this setting.
([#64102](https://github.com/kubernetes/kubernetes/pull/64102), [@atombender](https://github.com/atombender))

options for kube-proxy running in winkernel mode. `--forward-healthcheck-vip`, if specified as true, health check traffic whose destination is service VIP will be forwarded to kube-proxy's healthcheck service. `--root-hnsendpoint-name` specifies the name of the hns endpoint for the root network namespace. This option enables the pass-through load balancers like Google's GCLB to correctly health check the backend services. Without this change, the health check packets is dropped, and Windows node...

### Deploy a more secure control plane with kubeadm

A new alpha feature allows running the kubeadm control plane components as non-root users. This is a long requested security measure in kubeadm. To try it you must enable the kubeadm-specific `RootlessControlPlane` feature gate. When you deploy a cluster using this alpha feature, your control plane runs with lower privileges.

This setting enables a pod to specify a `PodFSGroupChangePolicy` that indicates that volume ownership and permissions will be changed only when permission and ownership of the root directory do not match with expected permissions on the volume.

### CSIDriver policy for FSGroup graduates to Beta

* Fixes issue where subpath volume content was deleted during orphaned pod cleanup for Local volumes that are directories (and not mount points) on the root filesystem. ([#72291](https://github.com/kubernetes/kubernetes/pull/72291), [@msau42](https://github.com/msau42))...

* Fix broken detection of non-root image user ID ([#78261](https://github.com/kubernetes/kubernetes/pull/78261), [@tallclair](https://github.com/tallclair))