- If BoundServiceAccountTokenVolume is enabled, cluster admins can use metric `serviceaccount_stale_tokens_total` to monitor workloads that are depending on the extended tokens. If there are no such workloads, turn off extended tokens by starting `kube-apiserver` with flag `--service-account-extend-token-expiration=false` ([#96273](https://github.com/kubernetes/kubernetes/pull/96273), [@zshihang](https://github.com/zshihang)) [SIG API Machinery...

    difficult we will backport critical fixes to the 3.12.x branch through December 31, 2021. (This
    commitment was originally through December 31, 2020; we have since extended it.)

 *  **TLSv1 and TLSv1.1 are no longer enabled by default.** Major web browsers are working towards
    removing these versions altogether in early 2020. If your servers aren't ready yet you can

- The scheduling queue didn't notice any extenders' failures, it could miss some cluster events,
  and it could end up Pods rejected by Extenders stuck in unschedulable pod pool in 5min in the worst-case scenario.

- Adds two kubemark flags, `--max-pods` and `--extended-resources`. ([#100267](https://github.com/kubernetes/kubernetes/pull/100267), [@Jeffwan](https://github.com/Jeffwan))

	FMOVD	0x44332211(R1), F2	// FMOVD	1144201745(R1), F2
	FMOVQ	0x1000000(R1), F2	// FMOVQ	16777216(R1), F2
	FMOVQ	0x44332211(R1), F2	// FMOVQ	1144201745(R1), F2

// shifted or extended register offset.
	MOVD	(R2)(R6.SXTW), R4               // 44c866f8
	MOVD	(R3)(R6), R5                    // 656866f8
	MOVD	(R3)(R6*1), R5                  // 656866f8
	MOVD	(R2)(R6), R4                    // 446866f8

- The scheduling queue didn't notice any extenders' failures, it could miss some cluster events,
  and it could end up Pods rejected by Extenders stuck in unschedulable pod pool in 5min in the worst-case scenario.

- Extended the kube-apiserver loopback client certificate validity to 14 months to align with the updated Kubernetes support lifecycle. ([#130047](https://github.com/kubernetes/kubernetes/pull/130047), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG API Machinery and Auth]

pkg unicode, var Diacritic *RangeTable
pkg unicode, var Digit *RangeTable
pkg unicode, var Egyptian_Hieroglyphs *RangeTable
pkg unicode, var Ethiopic *RangeTable
pkg unicode, var Extender *RangeTable
pkg unicode, var FoldCategory map[string]*RangeTable
pkg unicode, var FoldScript map[string]*RangeTable
pkg unicode, var Georgian *RangeTable
pkg unicode, var Glagolitic *RangeTable

- The scheduling queue didn't notice any extenders' failures, it could miss some cluster events,
  and it could end up Pods rejected by Extenders stuck in unschedulable pod pool in 5min in the worst-case scenario.

- Added the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` to enforce the strict cost calculation for CEL extended libraries. It is strongly recommended to turn on the feature gates as early as possible. ([#124675](https://github.com/kubernetes/kubernetes/pull/124675), [@cici37](https://github.com/cici37)) [SIG API Machinery, Auth, Node and Testing]