A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.

**Affected Versions**:
  - kube-apiserver v1.25.0 - v1.25.3
  - kube-apiserver v1.24.0 - v1.24.7
  - kube-apiserver v1.23.0 - v1.23.13
  - kube-apiserver v1.22.0 - v1.22.15

## Changes by Kind

### API Change

- Aggregated discovery now returns `responseKind: {}` for resources which are missing group/version/kind information, to ensure compatibility with v0.26.0-v0.26.3 clients. ([#119835](https://github.com/kubernetes/kubernetes/pull/119835), [@liggitt](https://github.com/liggitt)) [SIG API Machinery and Testing]

### Feature

- Fixed a bug where the kubelet ephemerally failed with `failed to initialize top level QOS containers: root container [kubepods] doesn't exist`, due to the cpuset cgroup being deleted on cgroup v2 with systemd cgroup manager.
   ([#125923](https://github.com/kubernetes/kubernetes/pull/125923), [@haircommander](https://github.com/haircommander)) [SIG Node and Testing]

on GitHub for insight into recent issues and development progress.

If you experience any snags when using TF 2.0, please let us know at the
[TF 2.0 Testing User Group](https://groups.google.com/a/tensorflow.org/forum/?utm_medium=email&utm_source=footer#!forum/testing).
We have a support mailing list as well as weekly testing meetings, and would
love to hear your migration feedback and questions.

        User user = new User();
        user.setName(username);
        user.setPassword(password);
        user.setRoles(new String[] { "role1", "role2" });
        user.setGroups(new String[] { "group1", "group2" });
        return user;
    }

    // Test LdapManager implementation
    private static class TestLdapManager extends LdapManager {
        boolean insertCalled = false;

Syntax      = { Production } .
Production  = production_name "=" [ Expression ] "." .
Expression  = Term { "|" Term } .
Term        = Factor { Factor } .
Factor      = production_name | token [ "…" token ] | Group | Option | Repetition .
Group       = "(" Expression ")" .
Option      = "[" Expression "]" .
Repetition  = "{" Expression "}" .
</pre>

<p>
Productions are expressions constructed from terms and the following

	// Set the parent of the temporary access key, this is useful
	// in obtaining service accounts by this cred.
	cred.ParentUser = lookupResult.NormDN

	// Set this value to LDAP groups, LDAP user can be part
	// of large number of groups
	cred.Groups = targetGroups

	// Set the newly generated credentials, policyName is empty on purpose
	// LDAP policies are applied automatically using their ldapUser, ldapGroups
	// mapping.

        return DocumentUtil.getValue(attributes, "email", String.class);
    }

    /**
     * Gets the user groups.
     *
     * @return the user groups
     */
    public String[] getUserGroups() {
        String[] userGroups = DocumentUtil.getValue(attributes, "groups", String[].class);
        if (userGroups == null) {
            userGroups = getDefaultGroupsAsArray();
        }
        return userGroups;

    "groups" : [ {
      "testProject" : "largeEmptyMultiProjectDeclarativeDsl",
      "coverage" : {
        "per_day" : [ "linux", "macOs", "windows" ]
      }
    } ]
  }, {
    "testId" : "org.gradle.performance.experiment.declarativedsl.DeclarativeDslFirstUsePerformanceTest.cold daemon",
    "groups" : [ {
      "testProject" : "largeEmptyMultiProjectDeclarativeDsl",

			AccountName:     cred.AccessKey,
			Groups:          cred.Groups,
			Action:          policy.BypassGovernanceRetentionAction,
			BucketName:      bucketName,
			ObjectName:      objectName,
			ConditionValues: conditions,
			IsOwner:         owner,
			Claims:          cred.Claims,
		})
	}
	if globalIAMSys.IsAllowed(policy.Args{
		AccountName:     cred.AccessKey,
		Groups:          cred.Groups,