* Enable the PodSecurityPolicy API (which is not enabled by default):
  * `--runtime-config=extensions/v1beta1/podsecuritypolicy=true`
* Enable the PodSecurityPolicy admission plugin (which is not enabled by default):
  * `--admission-control=...,PodSecurityPolicy,...`
* Use authorization to limit users' ability to use specific PodSecurityPolicy objects

**What is the impact?**

- If you are using the PodSecurityPolicy feature (eg: `kubectl get podsecuritypolicy` does not error, and returns one or more objects), be aware that init containers have moved from alpha to beta.  If there are any pods with the key `pods.beta.kubernetes.io/init-containers`, then that pod may not have been filtered by the PodSecurityPolicy. You should find such pods and either delete them or audit them to ensure they do not use features...

### **Auth**

  * PodSecurityPolicy admission sets `podsecuritypolicy.admission.k8s.io/admit-policy` and `podsecuritypolicy.admission.k8s.io/validate-policy` annotations containing the name of the policy that allowed a pod to be admitted. (PodSecurityPolicy also gained the ability to [limit hostPath volume mounts to be read-only](https://kubernetes.io/docs/concepts/policy/pod-security-...

    - [Node Binaries](#node-binaries-14)
  - [Changelog since v1.20.0](#changelog-since-v1200)
  - [What's New (Major Themes)](#whats-new-major-themes)
    - [Deprecation of PodSecurityPolicy](#deprecation-of-podsecuritypolicy)
    - [Kubernetes API Reference Documentation](#kubernetes-api-reference-documentation)
    - [Kustomize Updates in Kubectl](#kustomize-updates-in-kubectl)

- The deprecated kubelet security controls `AllowPrivileged`, `HostNetworkSources`, `HostPIDSources`, and `HostIPCSources` have been removed. Enforcement of these restrictions should be done through admission control (such as `PodSecurityPolicy`) instead. ([#77820](https://github.com/kubernetes/kubernetes/pull/77820), [@dims](https://github.com/dims))

* Fix kube-proxy PodSecurityPolicy binding on GCE & GKE. This was only an issue when running kube-proxy as a DaemonSet, with PodSecurityPolicy enabled. ([#72761](https://github.com/kubernetes/kubernetes/pull/72761), [@tallclair](https://github.com/tallclair))

## Changelog since v1.24.0

## What's New (Major Themes)

### PodSecurityPolicy is Removed, Pod Security Admission graduates to Stable

## Changelog since v1.8.0

### Action Required

  * L7 LB controller and disk attach controllers run on master, so nodes do not need those privileges.
  * Setting TLS1.2 minimum
  * `kubectl create secret tls` command
  * Webhook Token Authenticator
  * **beta** PodSecurityPolicy objects limits use of security-sensitive features by pods.
* Kubectl
  * Display line number on JSON errors
  * Add flag -t as shorthand for --tty
* Resources