### CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

**Affected Versions**:
  - kubelet <= v1.28.0
  - kubelet <= v1.27.4
  - kubelet <= v1.26.7

- For GCE cluster provider, fix bug of not being able to create internal type load balancer for clusters with more than 1000 nodes in a single zone. ([#89902](https://github.com/kubernetes/kubernetes/pull/89902), [@wojtek-t](https://github.com/wojtek-t)) [SIG Cloud Provider, Network and Scalability]

har
om
vi
min
mitt
ha
hadde
hun
nå
over
da
ved
fra
du
ut
sin
dem
oss
opp
man
kan
hans
hvor
eller
hva
skal
selv
sjøl
her
alle
vil
bli
ble
blei
blitt
kunne
inn
når
være
kom
noen
noe
ville
dere
som
deres
kun
ja
etter
ned
skulle
denne
for
deg
si
sine
sitt
mot
å
meget

### Bug or Regression

- Fix endpoint reconciler not being able to delete the apiserver lease on shutdown ([#114153](https://github.com/kubernetes/kubernetes/pull/114153), [@aojea](https://github.com/aojea)) [SIG API Machinery]

This release contains changes that address the following vulnerabilities:

### CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

A security issue was discovered in Kubernetes where a user may be able to
create a container with subpath volume mounts to access files &
directories outside of the volume, including on the host filesystem.

**Affected Versions**:
  - kubelet v1.22.0 - v1.22.1

aa.no
aaa
aaa.pro
aaa.vodka
aarborte.no
aarp
ab.ca
abashiri.hokkaido.jp
abb
abbott
abbvie
abc
abc.br
abeno.osaka.jp
abiko.chiba.jp
abira.hokkaido.jp
abkhazia.su
able
abo.pa
abogado
abr.it
abruzzo.it
abu.yamaguchi.jp
abudhabi
ac
ac.ae
ac.at
ac.be
ac.ci
ac.cn
ac.cr
ac.cy
ac.fj
ac.gn
ac.gov.br
ac.id
ac.il
ac.im

For example, if you had a database session in a dependency with `yield`, the `StreamingResponse` would not be able to use that session while streaming data because the session would have already been closed in the exit code after `yield`.

### Service

[@fabianofranz](https://github.com/fabianofranz))

* [alpha] The Kubernetes API supports retrieving tabular output for API resources via a new mime-type application/json;as=Table;v=v1alpha1;g=meta.k8s.io. The returned object (if the server supports it) will be of type meta.k8s.io/v1alpha1 with Table, and contain column and row information related to the resource. Each row will contain information about the resource - by default it will be the object metadata, but callers can add the...

    vocabulary file.
*   Added `index_to_string_table` which returns a lookup table that maps indices
    to strings.
*   Add `string_to_index_table`, which returns a lookup table that matches
    strings to indices.
*   Add a `ParallelForWithWorkerId` function.
*   Add `string_to_index_table`, which returns a lookup table that matches
    strings to indices.