* Support vSphere SAML token auth when using Zones ([#75515](https://github.com/kubernetes/kubernetes/pull/75515), [@dougm](https://github.com/dougm))
* Transition service account controller clients to TokenRequest API ([#72179](https://github.com/kubernetes/kubernetes/pull/72179), [@WanLinghao](https://github.com/WanLinghao))

* The apiregistration.k8s.io (aggregation) is now generally available. Users should transition from the v1beta1 API to the v1 API. ([#58393](https://github.com/kubernetes/kubernetes/pull/58393), [@deads2k](https://github.com/deads2k))

- The `--cidr-allocator-type` option set to `CloudAllocator` for `kube-controller-manager` will be deprecated and removed in a future release. Users are advised to transition to and explore the available options provided by their external cloud provider. ([#123011](https://github.com/kubernetes/kubernetes/pull/123011), [@dims](https://github.com/dims))

 - Support for the seccomp annotations `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io/[name]` has been deprecated since 1.19, will be dropped in 1.25. Transition to using the `seccompProfile` API field. ([#104389](https://github.com/kubernetes/kubernetes/pull/104389), [@saschagrunert](https://github.com/saschagrunert))

the module query whether invoked services // are approved. Three states are stored in a per-goroutine value by the // runtime. The indicator starts at indicatorUnset after a reset. Invoking an // approved service transitions to indicatorTrue. Invoking a non-approved // service transitions to indicatorFalse, and it can't leave that state until a // reset. The idea is that functions can "delegate" checks to inner functions, // and if there's anything non-approved in the stack, the final result is //...