- kubelet
  - The deprecated `--google-json-key` flag has been removed. Remove the `--google-json-key` flag from kubelet invocations before upgrading. ([#69354](https://github.com/kubernetes/kubernetes/pull/69354), [@yujuhong](https://github.com/yujuhong))

	}

	installLog.Debugf("CNI config file %s exists, proceeding", cniConfigFilepath)

	return cniConfigFilepath, err
}

// Follows the same semantics as kubelet
// https://github.com/kubernetes/kubernetes/blob/954996e231074dc7429f7be1256a579bedd8344c/pkg/kubelet/dockershim/network/cni/cni.go#L144-L184
func getDefaultCNINetwork(confDir string) (string, error) {
	files, err := libcni.ConfFiles(confDir, []string{".conf", ".conflist"})

**Affected Versions**:
  - kubelet <= v1.28.0
  - kubelet <= v1.27.4
  - kubelet <= v1.26.7
  - kubelet <= v1.25.12
  - kubelet <= v1.24.16

**Fixed Versions**:
  - kubelet v1.28.1
  - kubelet v1.27.5
  - kubelet v1.26.8
  - kubelet v1.25.13
  - kubelet v1.24.17

// they use the node-driver-registrar sidecar container, the kubelet will
// automatically populate the CSINode object for the CSI driver as part of
// kubelet plugin registration.
// CSINode has the same name as a node. If the object is missing, it means either
// there are no CSI Drivers available on the node, or the Kubelet version is low
// enough that it doesn't create this object.

  // Empty if not yet allocated.
  // +optional
  optional string carpIP = 6;

  // RFC 3339 date and time at which the object was acknowledged by the Kubelet.
  // This is before the Kubelet pulled the container image(s) for the carp.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time startTime = 7;

directories outside of the volume, including on the host filesystem.

**Affected Versions**:
  - kubelet v1.22.0 - v1.22.1
  - kubelet v1.21.0 - v1.21.4
  - kubelet v1.20.0 - v1.20.10
  - kubelet <= v1.19.14

**Fixed Versions**:
  - kubelet v1.22.2
  - kubelet v1.21.5
  - kubelet v1.20.11
  - kubelet v1.19.15

This vulnerability was reported by Fabricio Voznika and Mark Wolters of Google.

* Kubelet will set extended resource capacity to zero after it restarts. If the extended resource is exported by a device plugin, its capacity will change to a valid value after the device plugin re-connects with the Kubelet. If the extended resource is exported by an external component through direct node status capacity patching, the component should repatch the field after kubelet becomes ready again. During the time gap, pods previously...

* [alpha] Rotation of the server TLS certificate on the kubelet. See [TLS bootstrapping - approval controller](https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller).

* [alpha] Rotation of the client TLS certificate on the kubelet. See [TLS bootstrapping - kubelet configuration](https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration).

#### Affected Versions

- kubelet v1.20 - v1.21
- kubelet v1.22.0 - v1.22.13
- kubelet v1.23.0 - v1.23.10
- kubelet v1.24.0 - v1.24.4

### How do I mitigate this vulnerability?

There are no known mitigations to this vulnerability.

#### Fixed Versions

- kubelet v1.22.14
- kubelet v1.23.11
- kubelet v1.24.5
- kubelet v1.25.0

// they use the node-driver-registrar sidecar container, the kubelet will
// automatically populate the CSINode object for the CSI driver as part of
// kubelet plugin registration.
// CSINode has the same name as a node. If the object is missing, it means either
// there are no CSI Drivers available on the node, or the Kubelet version is low
// enough that it doesn't create this object.