A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

**Affected Versions**:
  - kubelet >= v1.8.0

**Fixed Versions**:
  - kubelet v1.28.4

- Kubeadm: fix a bug where external credentials in an existing admin.conf prevented the CA certificate to be written in the cluster-info ConfigMap. ([#98882](https://github.com/kubernetes/kubernetes/pull/98882), [@kvaps](https://github.com/kvaps)) [SIG Cluster Lifecycle]

  if the names of the objects are not provided. `--all` also makes kubectl
  commands apply to uninitialized objects. See the
  [initializer documentation](https://kubernetes.io/docs/admin/extensible-admission-controllers/) for more details.

- Added RBAC reconcile commands with `kubectl auth reconcile -f FILE`. When
  passed a file which contains RBAC roles, rolebindings, clusterroles, or

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

**Affected Versions**:
  - kubelet >= v1.8.0

**Fixed Versions**:
  - kubelet v1.28.4

`system:aggregate-to-edit` role no longer includes write access to the Endpoints API. For new Kubernetes 1.22 clusters, the `edit` and `admin` roles will no longer include that access in newly created Kubernetes 1.22 clusters. This will have no affect on existing clusters upgrading to Kubernetes 1.22. To retain write access to Endpoints in the aggregated `edit` and `admin` roles for newly created 1.22 clusters, refer to https://github.com/kubernetes/website/pull/29025. ([#103704](https://github.com/k...

### CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

**Affected Versions**:
  - kubelet <= v1.28.0
  - kubelet <= v1.27.4
  - kubelet <= v1.26.7
  - kubelet <= v1.25.12

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

**Affected Versions**:
  - kubelet >= v1.8.0

**Fixed Versions**:
  - kubelet v1.28.4

  * Also, if the value of adminId in the in-tree Storageclass is different from admin, the adminSecretName mentioned in the in-tree Storageclass has to be patched with the base64 value of the adminId...

options:
  # make root approval non-recursive
  no_parent_owners: true
reviewers:
  - alisondy
  - cblecker
  - guineveresaenger
  - mrbobbytables
  - nikhita
  - parispittman
  - palnabarun
  - kaslin
  - MadhavJivrajani
  - Priyankasaggu11929
approvers:
  - sig-contributor-experience-approvers
  - parispittman
emeritus_approvers:
  - castrojo
  - Phillels
labels:

 - `kubeadm`: a separate "super-admin.conf" file is now deployed. The User in `admin.conf` is now bound to a new RBAC Group `kubeadm:cluster-admins` that has `cluster-admin` `ClusterRole` access. The User in `super-admin.conf` is now bound to the `system:masters` built-in super-powers / break-glass Group that can bypass RBAC. Before this change, the default `admin.conf` was bound to `system:masters` Group, which was undesired. Executing `kubeadm...