- [Changelog since v1.26.5](#changelog-since-v1265)
  - [Important Security Information](#important-security-information-2)
    - [CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2023-2728-bypassing-enforce-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-9)
    - [Feature](#feature-9)

  - [Changelog since v1.27.2](#changelog-since-v1272)
  - [Important Security Information](#important-security-information-3)
    - [CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2023-2728-bypassing-enforce-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-10)
    - [Feature](#feature-10)

  // +optional
  optional ScopeSelector scopeSelector = 3;
}

// ResourceQuotaStatus defines the enforced hard limits and observed use.
message ResourceQuotaStatus {
  // Hard is the set of enforced hard limits for each named resource.
  // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
  // +optional

* Fix incorrect retry logic in scheduler ([#50106](https://github.com/kubernetes/kubernetes/pull/50106), [@julia-stripe](https://github.com/julia-stripe))
* Enforce explicit references to API group client interfaces in clientsets to avoid ambiguity. ([#49370](https://github.com/kubernetes/kubernetes/pull/49370), [@sttts](https://github.com/sttts))

    /** The key of the configuration. e.g. default */
    String QUERY_HIGHLIGHT_ENCODER = "query.highlight.encoder";

    /** The key of the configuration. e.g. false */
    String QUERY_HIGHLIGHT_FORCE_SOURCE = "query.highlight.force.source";

    /** The key of the configuration. e.g. span */
    String QUERY_HIGHLIGHT_FRAGMENTER = "query.highlight.fragmenter";

    /** The key of the configuration. e.g. -1 */

- `TopologyManagerPolicyOptions` feature-flag is promoted to beta and enabled by default. ([#118816](https://github.com/kubernetes/kubernetes/pull/118816), [@PiotrProkop](https://github.com/PiotrProkop))
- `force_delete_pods_total` and `force_delete_pod_errors_total` metrics count all pod deletion behaviors. ([#118480](https://github.com/kubernetes/kubernetes/pull/118480), [@carlory](https://github.com/carlory))

### CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

**Affected Versions**:
  - kube-apiserver v1.29.0 - v1.29.3

FieldName     = identifier .
Element       = Expression | LiteralValue .
</pre>

<p>
The LiteralType's <a href="#Core_types">core type</a> <code>T</code>
must be a struct, array, slice, or map type
(the syntax enforces this constraint except when the type is given
as a TypeName).
The types of the elements and keys must be <a href="#Assignability">assignable</a>
to the respective field, element, and key types of type <code>T</code>;