* [IPVS] Introduces flag ipvs-strict-arp to configure stricter ARP sysctls, defaulting to false to preserve existing behaviors. This was enabled by default in 1.13.0, which impacted a few CNI plugins. ([#75295](https://github.com/kubernetes/kubernetes/pull/75295), [@lbernail](https://github.com/lbernail))

### Action Required

* ACTION REQUIRED: Removes defaulting of CSI file system type to ext4. All the production drivers listed under https://kubernetes-csi.github.io/docs/drivers.html were inspected and should not be impacted after this change. If you are using a driver not in that list, please test the drivers on an updated test cluster first. ``` ([#65499](https://github.com/kubernetes/kubernetes/pull/65499), [@krunaljain](https://github.com/krunaljain))

### Action Required

* ACTION REQUIRED: Removes defaulting of CSI file system type to ext4. All the production drivers listed under https://kubernetes-csi.github.io/docs/drivers.html were inspected and should not be impacted after this change. If you are using a driver not in that list, please test the drivers on an updated test cluster first. ([#65499](https://github.com/kubernetes/kubernetes/pull/65499), [@krunaljain](https://github.com/krunaljain))

* ACTION REQUIRED: Removes defaulting of CSI file system type to ext4. All the production drivers listed under https://kubernetes-csi.github.io/docs/drivers.html were inspected and should not be impacted after this change. If you are using a driver not in that list, please test the drivers on an updated test cluster first. ([#65499](https://github.com/kubernetes/kubernetes/pull/65499), [@krunaljain](https://github.com/krunaljain))

This issue has been rated low and assigned CVE-2021-25749

### Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

#### Affected Versions

- kubelet v1.20 - v1.21
- kubelet v1.22.0 - v1.22.13
- kubelet v1.23.0 - v1.23.10
- kubelet v1.24.0 - v1.24.4

### How do I mitigate this vulnerability?

    `tf.compat.v1.image.extract_glimpse` does not change. The behavior of
    existing C++ kernel `ExtractGlimpse` does not change either, so saved models
    using `tf.raw_ops.ExtractGlimpse` will not be impacted.

## Known Caveats

*   `tf.lite`
    *   Keras-based LSTM models must be converted with an explicit batch size in
        the input layer.

## Bug Fixes and Other Changes

unschedulable from the candidate nodes. The service load balancer exclusion label should be used instead.
  
  Users upgrading from 1.18 who have cordoned nodes should set the `node.kubernetes.io/exclude-from-external-load-balancers` label on the impacted nodes before upgrading if they wish those nodes to remain excluded from service load balancers. ([#90823](https://github.com/kubernetes/kubernetes/pull/90823), [@smarterclayton](https://github.com/smarterclayton)) [SIG Apps, Cloud Provider and Network]...

This issue has been rated low and assigned CVE-2021-25749

### Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

#### Affected Versions

- kubelet v1.20 - v1.21
- kubelet v1.22.0 - v1.22.13
- kubelet v1.23.0 - v1.23.10
- kubelet v1.24.0 - v1.24.4

### How do I mitigate this vulnerability?