- [Changelog since v1.19.14](#changelog-since-v11914)
  - [Important Security Information](#important-security-information)
    - [CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access](#cve-2021-25741-symlink-exchange-can-allow-host-filesystem-access)
  - [Changes by Kind](#changes-by-kind-1)
    - [Bug or Regression](#bug-or-regression-1)
    - [Other (Cleanup or Flake)](#other-cleanup-or-flake)
  - [Dependencies](#dependencies-1)

		if !rd || !wr {
			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, AdminError{
				Code: "XMinioSpeedtestInsufficientPermissions",
				Message: fmt.Sprintf("%s does not have read and write access to '%s' bucket", creds.AccessKey,
					globalObjectPerfBucket),
				StatusCode: http.StatusForbidden,
			}), r.URL)
			return
		}
	}

	sizeStr := r.Form.Get(peerRESTSize)

 - `kubeadm`: a separate "super-admin.conf" file is now deployed. The User in `admin.conf` is now bound to a new RBAC Group `kubeadm:cluster-admins` that has `cluster-admin` `ClusterRole` access. The User in `super-admin.conf` is now bound to the `system:masters` built-in super-powers / break-glass Group that can bypass RBAC. Before this change, the default `admin.conf` was bound to `system:masters` Group, which was undesired. Executing `kubeadm...

   * the pipeline is done, even if the pipeline is canceled or fails.
   *
   * <p>Cancelling the pipeline will not cancel {@code future}, so that the pipeline can access its
   * value in order to close it.
   *
   * @param future the future to create the {@code ClosingFuture} from. For discussion of the

      for (int i = delegateIndex; i < delegates.size(); i++) {
        if (delegates.get(i).setFuture(inputFuture)) {
          recordCompletion();
          // this is technically unnecessary, but should speed up later accesses
          delegateIndex = i + 1;
          return;
        }
      }
      // If all the delegates were complete, no reason for the next listener to have to

  // +optional
  optional bool blockOwnerDeletion = 7;
}

// PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients
// to get access to a particular ObjectMeta schema without knowing the details of the version.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
message PartialObjectMetadata {
  // Standard object's metadata.

A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can to modify Node objects and send requests proxying through them.

	defer func() {
		if r := recover(); r != nil {
			t.Fatalf("NewReader panicked: %s", r)
		}
	}()
	// Previously, this would trigger a panic as we attempt to read from
	// an io.SectionReader which would access a slice at a negative offset
	// as the section reader offset & size were < 0.
	NewReader(bytes.NewReader(data), int64(len(data))+1875)

A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can to modify Node objects and send requests proxying through them.

- Fix OpenAPI v3 not being cleaned up after deleting APIServices ([#120108](https://github.com/kubernetes/kubernetes/pull/120108), [@tnqn](https://github.com/tnqn)) [SIG API Machinery and Testing]
- Fix a concurrent map access in TopologyCache's `HasPopulatedHints` method. ([#120323](https://github.com/kubernetes/kubernetes/pull/120323), [@Miciah](https://github.com/Miciah)) [SIG Apps and Network]