- [Notable Features](#notable-features)
  - [API Changes](#api-changes)
  - [Detailed Bug Fixes And Changes](#detailed-bug-fixes-and-changes)
    - [API Machinery](#api-machinery)
    - [Apps](#apps)
    - [Auth](#auth)
    - [AWS](#aws)
    - [Azure](#azure)
    - [CLI](#cli)
    - [Cloud Provider](#cloud-provider)
    - [Cluster Lifecycle](#cluster-lifecycle)
    - [GCP](#gcp)
    - [Network](#network)
    - [Node](#node)

  - [New Features](#new-features)
  - [API Changes](#api-changes)
  - [Other Notable Changes](#other-notable-changes-10)
    - [SIG API Machinery](#sig-api-machinery-1)
    - [SIG Apps](#sig-apps)
    - [SIG Auth](#sig-auth)
    - [SIG Autoscaling](#sig-autoscaling-1)
    - [SIG AWS](#sig-aws)
    - [SIG Azure](#sig-azure-1)
    - [SIG CLI](#sig-cli-1)
    - [SIG Cloud Provider](#sig-cloud-provider-1)

            return new AzureAdCredential(authData);
        }
        final AuthenticationErrorResponse oidcResponse = (AuthenticationErrorResponse) authResponse;
        throw new SsoLoginException(String.format("Request for auth code failed: %s - %s", oidcResponse.getErrorObject().getCode(),
                oidcResponse.getErrorObject().getDescription()));
    }

    /**
     * Parses the authentication response from Azure AD.

- **Auth**

equality-based selector in 1.1).
  * Running against a secured etcd requires these flags to be passed to
kube-apiserver (instead of --etcd-config):
     * --etcd-certfile, --etcd-keyfile (if using client cert auth)
     * --etcd-cafile (if not using system roots)
  * As part of preparation in 1.2 for adding support for protocol buffers (and the
direct YAML support in the API available today), the Content-Type and Accept

    - [API-machinery](#api-machinery)
    - [Auth](#auth)
    - [Azure](#azure)
    - [CLI](#cli)
    - [Network](#network)
  - [Before Upgrading](#before-upgrading)
  - [Known Issues](#known-issues)
  - [Deprecations](#deprecations)
  - [Other Notable Changes](#other-notable-changes-13)
    - [Apps](#apps)
    - [AWS](#aws)
    - [Auth](#auth-1)
    - [CLI](#cli-1)

    created before HTTP/2 settings have been acknowledged.
 *  Fix: Improve recovery from failed routes.
 *  Fix: Accommodate tunneling proxies that close the connection after an auth
    challenge.
 *  Fix: Use the proxy authenticator when authenticating HTTP proxies. This
    regression was introduced in OkHttp 3.0.
 *  Fix: Fail fast if network interceptors transform the response body such that

* Updating:
  * Retry Pod/RC updates in kubectl rolling-update.
  * Stop 'kubectl drain' deleting pods with local storage.
  * Add `kubectl rollout status`
* Security/Auth
  * L7 LB controller and disk attach controllers run on master, so nodes do not need those privileges.
  * Setting TLS1.2 minimum
  * `kubectl create secret tls` command
  * Webhook Token Authenticator

      MockResponse
        .Builder()
        .code(HttpURLConnection.HTTP_PROXY_AUTH)
        .headers(headersOf("Proxy-Authenticate", "Basic realm=\"localhost\""))
        .inTunnel()
        .body("proxy auth required")
        .build(),
    )
    server.enqueue(
      MockResponse
        .Builder()
        .inTunnel()
        .build(),
    )
    server.enqueue(MockResponse())

0;\n  border-top-right-radius: 0.25rem;\n  color: #777;\n  transition: border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;\n}\n\n.login-box-msg,\n.register-box-msg {\n  margin: 0;\n  padding: 0 20px 20px;\n  text-align: center;\n}\n\n.social-auth-links {\n  margin: 10px 0;\n}\n\n.dark-mode .login-card-body,\n.dark-mode .register-card-body {\n  background-color: #343a40;\n  border-color: #6c757d;\n  color: #fff;\n}\n\n.dark-mode .login-logo a,\n.dark-mode .register-logo a {\n  color: #fff;\n}\n\n.error-page...