* kubeadm: add optional self-hosted deployment for apiserver, controller-manager and scheduler. ([#40075](https://github.com/kubernetes/kubernetes/pull/40075), [@pires](https://github.com/pires))
* kubelet tears down pod volumes on pod termination rather than pod deletion ([#37228](https://github.com/kubernetes/kubernetes/pull/37228), [@sjenning](https://github.com/sjenning))

- Kubernetes is now built with go 1.22.5 ([#125897](https://github.com/kubernetes/kubernetes/pull/125897), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]

### Bug or Regression

- Fixed a regression preventing garbage collection of RBAC role and binding objects ([#90534](https://github.com/kubernetes/kubernetes/pull/90534), [@apelisse](https://github.com/apelisse)) [SIG Auth]
- Fixed cleanup of raw block devices after kubelet restart. ([#83451](https://github.com/kubernetes/kubernetes/pull/83451), [@jsafrane](https://github.com/jsafrane)) [SIG Node, Storage and Testing]

- Fixed a storage bug around multipath. iSCSI and Fibre Channel devices attached to nodes via multipath now resolve correctly if partitioned. ([#129182](https://github.com/kubernetes/kubernetes/pull/129182), [@RomanBednar](https://github.com/RomanBednar)) [SIG Storage]

babyblue.jp
babymilk.jp
bacgiang.vn
backan.vn
backdrop.jp
baclieu.vn
bacninh.vn
badaddja.no
bahcavuotna.no
bahccavuotna.no
baidar.no
baidu
bajddar.no
balashov.su
balat.no
balena-devices.com
balestrand.no
ballangen.no
ballooning.aero
balsan-sudtirol.it
balsan-suedtirol.it
balsan-südtirol.it
balsan.it
balsfjord.no
bambina.jp
bamble.no
banamex
band

11914         ; disallowed                             # NA   <reserved-11914>
11915..11916  ; valid                                  # 13.0 DIVES AKURU LETTER NYA..DIVES AKURU LETTER TTA
11917         ; disallowed                             # NA   <reserved-11917>
11918..11935  ; valid                                  # 13.0 DIVES AKURU LETTER DDA..DIVES AKURU VOWEL SIGN E

A security issue was discovered in kube-apiserver that could allow node
updates to bypass a Validating Admission Webhook. You are only affected
by this vulnerability if you run a Validating Admission Webhook for Nodes
that denies admission based at least partially on the old state of the
Node object.

**Note**: This only impacts validating admission plugins that rely on old
values in certain fields, and does not impact calls from kubelets that go

most likely error would be a pod set to `Failed` phase with reason set to `OutOfCpu` or `OutOfMemory`, but any resource on the node that has some fixed limit (including persistent volume counts on cloud nodes, exclusive CPU cores, or unique hardware devices) could trigger the failure. While this behavior is correct it reduces the throughput of pod execution and creates user-visible warnings - [future versions of Kubernetes will minimize the likelihood users see pod failures due to this issue](https:...

- Fixes regression in 1.25.10 causing running pods with devices to be terminated if kubelet is restarted ([#119707](https://github.com/kubernetes/kubernetes/pull/119707), [@ffromani](https://github.com/ffromani)) [SIG Node and Testing]

A security issue was discovered in kube-apiserver that could allow node
updates to bypass a Validating Admission Webhook. You are only affected
by this vulnerability if you run a Validating Admission Webhook for Nodes
that denies admission based at least partially on the old state of the
Node object.

**Note**: This only impacts validating admission plugins that rely on old
values in certain fields, and does not impact calls from kubelets that go