This release contains changes that address the following vulnerabilities:

### CVE-2022-3162: Unauthorized read of Custom Resources

A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.

**Affected Versions**:
  - kube-apiserver v1.25.0 - v1.25.3

- `readOnly` volumes now support recursive read-only mounts for kernel versions >= 5.12."
   ([#123180](https://github.com/kubernetes/kubernetes/pull/123180), [@AkihiroSuda](https://github.com/AkihiroSuda))
- cri-api: Implemented KEP-3857: Recursive Read-only (RRO) mounts.

    - [Container Images](#container-images-15)
  - [Changelog since v1.27.0](#changelog-since-v1270)
  - [Urgent Upgrade Notes](#urgent-upgrade-notes)
    - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade)
  - [Changes by Kind](#changes-by-kind-15)
    - [Deprecation](#deprecation)
    - [API Change](#api-change-4)
    - [Feature](#feature-12)

                            return -1;
                        }
                        int toRead = Math.min(length, remaining);
                        System.arraycopy(includeContent, index[0], buffer, offset, toRead);
                        index[0] += toRead;
                        return toRead;
                    });
                })) {

  }

  /** Receive frames until there are no more. Invoked only by the reader thread. */
  @Throws(IOException::class)
  fun loopReader(response: Response) {
    try {
      listener.onOpen(this@RealWebSocket, response)
      while (receivedCloseCode == -1) {
        // This method call results in one or more onRead* methods being called on this thread.
        reader!!.processNextFrame()
      }
    } catch (e: Exception) {

  @Footprint(exclude = {Runnable.class, Executor.class, Thread.class, Exception.class})
  public Object measureSize() {
    for (Thread thread : blockedThreads) {
      thread.interrupt();
    }
    blockedThreads.clear();
    Facade<Object> f = impl.newFacade();
    for (int i = 0; i < numThreads; i++) {
      Thread thread =
          new Thread() {
            @Override
            public void run() {

        // Verify that thread dump was processed
        assertFalse("Should capture some thread dump output", capturedOutput.isEmpty());

        // Verify format - should contain "Thread:" entries
        boolean hasThreadEntry = capturedOutput.stream().anyMatch(line -> line.startsWith("Thread:"));
        assertTrue("Should contain Thread: entries", hasThreadEntry);

    }

    /**
     * Cleans up the transport thread.
     *
     * @param timeout the maximum time to wait for thread cleanup in milliseconds
     * @throws TransportException if thread cleanup fails
     */
    private synchronized void cleanupThread(final long timeout) throws TransportException {
        final Thread t = this.thread;
        if (t != null && Thread.currentThread() != t) {
            this.thread = null;

    }

    // Test constructor with different thread context
    public void test_constructorInDifferentThread() throws Exception {
        // Test that constructor works in different thread
        final CrawlerEngineClient[] clientHolder = new CrawlerEngineClient[1];
        final Exception[] exceptionHolder = new Exception[1];

        Thread thread = new Thread(() -> {
            try {

        for (Thread thread : threads) {
            thread.join();
        }

        // Check all providers were created successfully
        for (int i = 0; i < threadCount; i++) {
            assertNull("Thread " + i + " threw exception", exceptions[i]);
            assertNotNull("Thread " + i + " failed to create provider", providers[i]);
        }
    }

    // Test with very large time adjustment values