* To create or update an RBAC RoleBinding or ClusterRoleBinding object, a user must: ([#39383](https://github.com/kubernetes/kubernetes/pull/39383), [@liggitt](https://github.com/liggitt))

- Adds feature gate `KubeletInUserNamespace` which enables support for running kubelet in a user namespace.
  
  The user namespace has to be created before running kubelet.
  All the node components such as CRI need to be running in the same user namespace.
  

    - [Additional changes](#additional-changes)
  - [External Dependencies](#external-dependencies)
  - [Bug Fixes](#bug-fixes)
      - [General Fixes and Reliability](#general-fixes-and-reliability)
  - [Non-user-facing changes](#non-user-facing-changes)
- [v1.11.0-rc.3](#v1110-rc3)
  - [Downloads for v1.11.0-rc.3](#downloads-for-v1110-rc3)
    - [Client Binaries](#client-binaries-11)
    - [Server Binaries](#server-binaries-11)

 - `kubeadm`: a separate "super-admin.conf" file is now deployed. The User in `admin.conf` is now bound to a new RBAC Group `kubeadm:cluster-admins` that has `cluster-admin` `ClusterRole` access. The User in `super-admin.conf` is now bound to the `system:masters` built-in super-powers / break-glass Group that can bypass RBAC. Before this change, the default `admin.conf` was bound to `system:masters`...

- Removed a warning around Linux user namespaces and kernel version. If the feature gate `UserNamespacesSupport` was enabled, the kubelet previously warned when detecting a Linux kernel version earlier than 6.3.0. User namespace support on Linux typically does still need kernel 6.3 or newer, but it can work in older kernels too. ([#131784](https://github.com/kubernetes/kube...

- Kubelet: a configuration file specified via `--config` is now loaded with strict deserialization,...

- If the user specifies an invalid timeout in the request URL, the request will be aborted with an HTTP 400.

### Detection

Kubernetes Audit logs may indicate if the user name was misspelled to bypass the restriction placed on which user is a pod allowed to run as.

If you find evidence that this vulnerability has been exploited, please contact ******@****.***

#### Additional Details

    - [Autoscaling](#autoscaling)
    - [API-Machinery](#api-machinery-1)
    - [Network](#network-1)
    - [Azure](#azure-1)
    - [Scheduling](#scheduling)
    - [Other changes](#other-changes)
  - [Non-user-facing Changes](#non-user-facing-changes)
  - [External Dependencies](#external-dependencies)
- [v1.10.0-rc.1](#v1100-rc1)
  - [Downloads for v1.10.0-rc.1](#downloads-for-v1100-rc1)
    - [Client Binaries](#client-binaries-14)

**Detection**:

Kubernetes Audit logs may indicate if the user name was misspelled to bypass the restriction placed on which user is a pod allowed to run as.

If you find evidence that this vulnerability has been exploited, please contact ******@****.***

**Additional Details**: