attacks may choose not to enable the kube-apiserver mitigation to avoid disrupting load balancer → kube-apiserver connections if http/2 requests from multiple clients share the same backend connection. An API server on a private network may choose not to enable the kube-apiserver mitigation to prevent performance regressions for unauthenticated clients. Authenticated requests rely on the fix in golang.org/x/net v0.17.0 alone. https://issue.k8s.io/121197 tracks further mitigation of http/2 attacks by authenticated...

  - apiserver_flowcontrol_dispatch_r: R(the time of the latest request dispatch)
  - apiserver_flowcontrol_latest_s: S(the request last dispatched) = R(when that request starts executing in the virtual world)
  - apiserver_flowcontrol_next_s_bounds: min and max next S among non-empty queues

- Fixes a regression in v1beta1 PodDisruptionBudget handling of `strategic merge patch`-type API requests for the `selector` field. Prior to 1.21, these requests would merge `matchLabels` content and replace `matchExpressions` content. In 1.21, patch requests touching the `selector` field started replacing the entire selector. This is consistent with server-side apply and the v1 PodDisruptionBudget behavior, but should not have...

* Requests with invalid credentials no longer match audit policy rules where users or groups are set, correcting a problem where authorized requests were getting through. ([#59398](https://github.com/kubernetes/kubernetes/pull/59398), [@CaoShuFeng](https://github.com/CaoShuFeng))

        * requests for a TLS client certificate for any node are approved if the CSR creator has `create` permission on the `certificatesigningrequests` resource and `nodeclient` subresource in the `certificates.k8s.io` API group

In versions lower than `0.65.2`, FastAPI would try to read the request payload as JSON even if the `content-type` header sent was not set to `application/json` or a compatible JSON media type (e.g. `application/geo+json`).

So, a request with a content type of `text/plain` containing JSON data would be accepted and the JSON data would be extracted.

der" "math/bits" ) // Counter is an SP 800-90A Rev. 1 CTR_DRBG instantiated with AES-256. // // Per Table 3, it has a security strength of 256 bits, a seed size of 384 bits, // a counter length of 128 bits, a reseed interval of 2^48 requests, and a // maximum request size of 2^19 bits (2^16 bytes, 64 KiB). // // We support a narrow range of parameters that fit the needs of our RNG: // AES-256, no derivation function, no personalization string, no prediction // resistance, and 384-bit additional input....

der" "math/bits" ) // Counter is an SP 800-90A Rev. 1 CTR_DRBG instantiated with AES-256. // // Per Table 3, it has a security strength of 256 bits, a seed size of 384 bits, // a counter length of 128 bits, a reseed interval of 2^48 requests, and a // maximum request size of 2^19 bits (2^16 bytes, 64 KiB). // // We support a narrow range of parameters that fit the needs of our RNG: // AES-256, no derivation function, no personalization string, no prediction // resistance, and 384-bit additional input....

- If the user specifies an invalid timeout in the request URL, the request will be aborted with an HTTP 400.

pkg net/http, type Request struct, Proto string
pkg net/http, type Request struct, ProtoMajor int
pkg net/http, type Request struct, ProtoMinor int
pkg net/http, type Request struct, RemoteAddr string
pkg net/http, type Request struct, RequestURI string
pkg net/http, type Request struct, TLS *tls.ConnectionState
pkg net/http, type Request struct, Trailer Header
pkg net/http, type Request struct, TransferEncoding []string