- Enhanced the daemonset sync logic to avoid a problem where pods are thought to be unavailable when the controller's clock is slower than the node's clock. ([#77208](https://github.com/kubernetes/kubernetes/pull/77208), [@DaiHao](https://github.com/DaiHao))

- github.com/Microsoft/hcsshim: [5eafd15 → v0.8.22](https://github.com/Microsoft/hcsshim/compare/5eafd15...v0.8.22)
- github.com/benbjohnson/clock: [v1.0.3 → v1.1.0](https://github.com/benbjohnson/clock/compare/v1.0.3...v1.1.0)
- github.com/bketelsen/crypt: [5cbc8cc → v0.0.4](https://github.com/bketelsen/crypt/compare/5cbc8cc...v0.0.4)

## Dependencies

### Added
- github.com/antihax/optional: [v1.0.0](https://github.com/antihax/optional/tree/v1.0.0)
- github.com/benbjohnson/clock: [v1.0.3](https://github.com/benbjohnson/clock/tree/v1.0.3)
- github.com/bits-and-blooms/bitset: [v1.2.0](https://github.com/bits-and-blooms/bitset/tree/v1.2.0)
- github.com/certifi/gocertifi: [2c3bb06](https://github.com/certifi/gocertifi/tree/2c3bb06)

### Feature

- Kubeadm: generate CA certificates with a start time that is offset 5 minutes in the past relative to the current system time to workaround cases of clock desync.
  client-go: allow to set NotBefore in NewSelfSignedCACert() ([#119113](https://github.com/kubernetes/kubernetes/pull/119113), [@champtar](https://github.com/champtar)) [SIG API Machinery, Auth and Cluster Lifecycle]

- `kubeadm`: generate CA certificates with a start time that is offset 5
  minutes in the past relative to the current system time to workaround cases of
  clock desync. ([#118922](https://github.com/kubernetes/kubernetes/pull/118922), [@champtar](https://github.com/champtar))
- `plugin_evaluation_total` metric supports prescore/score extension point.

after any previously sent values have been received.
</p>

<pre>
v1 := &lt;-ch
v2 = &lt;-ch
f(&lt;-ch)
&lt;-strobe  // wait until clock pulse and discard received value
</pre>

<p>
If the operand type is a <a href="#Type_parameter_declarations">type parameter</a>,
all types in its type set must be channel types that permit receive operations, and

### Feature

- Kubeadm: generate CA certificates with a start time that is offset 5 minutes in the past relative to the current system time to workaround cases of clock desync.
  client-go: allow to set NotBefore in NewSelfSignedCACert() ([#119114](https://github.com/kubernetes/kubernetes/pull/119114), [@champtar](https://github.com/champtar)) [SIG API Machinery, Auth and Cluster Lifecycle]

pkg time, method (Time) Add(Duration) Time
pkg time, method (Time) AddDate(int, int, int) Time
pkg time, method (Time) After(Time) bool
pkg time, method (Time) Before(Time) bool
pkg time, method (Time) Clock() (int, int, int)
pkg time, method (Time) Date() (int, Month, int)
pkg time, method (Time) Day() int
pkg time, method (Time) Equal(Time) bool
pkg time, method (Time) Format(string) string