- [Changelog since v1.26.5](#changelog-since-v1265)
  - [Important Security Information](#important-security-information-2)
    - [CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2023-2728-bypassing-enforce-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-9)
    - [Feature](#feature-9)

  - [Changelog since v1.25.10](#changelog-since-v12510)
  - [Important Security Information](#important-security-information-2)
    - [CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2023-2728-bypassing-enforce-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-4)
    - [Feature](#feature-4)

  - [Changelog since v1.27.2](#changelog-since-v1272)
  - [Important Security Information](#important-security-information-3)
    - [CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2023-2728-bypassing-enforce-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-10)
    - [Feature](#feature-10)

* New Kubelet flag `--enforce-node-allocatable` with a default value of `pods` is added which will make kubelet create a top level cgroup for all pods to enforce Node Allocatable. Optionally, `system-reserved` & `kube-reserved` values can also be specified separated by comma to enforce node allocatable on cgroups specified via `--system-reserved-cgroup` & `--kube-reserved-cgroup` respectively. Note the...

  // +optional
  optional ScopeSelector scopeSelector = 3;
}

// ResourceQuotaStatus defines the enforced hard limits and observed use.
message ResourceQuotaStatus {
  // Hard is the set of enforced hard limits for each named resource.
  // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
  // +optional

### Extensibility around core Kubernetes APIs

#### CustomResourceDefinitions Pruning

  - [Changelog since v1.24.14](#changelog-since-v12414)
  - [Important Security Information](#important-security-information-1)
    - [CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2023-2728-bypassing-enforce-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-2)
    - [Feature](#feature-2)

workload types.  Examples include native linux containers, and “sandboxed” containers that isolate the container from the host kernel.

The CustomCFSQuotaPeriod alpha feature enables node administrators to change the default period used to enforce CFS quota on a node.  This can improve performance for some workloads that experience latency while using CFS quota with the default measurement period.  Finally, the SIG continues to focus on improving reliability by fixing bugs while working out...

* 'none' can now be specified in KubeletConfiguration.EnforceNodeAllocatable (--enforce-node-allocatable) to explicitly disable enforcement. ([#59515](https://github.com/kubernetes/kubernetes/pull/59515), [@mtaufen](https://github.com/mtaufen))

  
  The enforcement level that allowed or denied a Pod during PodSecurity admission is now marked by the `pod-security.kubernetes.io/enforce-policy` annotation.