//  "cert sign", "crl sign", "encipher only", "decipher only", "any",
  //  "server auth", "client auth",
  //  "code signing", "email protection", "s/mime",
  //  "ipsec end system", "ipsec tunnel", "ipsec user",
  //  "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
  // +listType=atomic
  repeated string usages = 5;

- one end of the socket is in the application pod
- and the other end is in ztunnel's pod

and setting up iptables rules to funnel traffic thru that socket "tube" to ztunnel and back.

    and `www.squareup.com`. If a server refuses such sharing it will return HTTP 421 and OkHttp will
    automatically retry on an unshared connection.
 *  Fix: Don't crash if a TLS tunnel's response body is truncated.
 *  Fix: Don't track unusable routes beyond their usefulness. We had a bug where we could track
    certain bad routes indefinitely; now we only track the ones that could be necessary.

 *  Fix: Allow interceptors to change the request method.
 *  Fix: Don’t use the request's `User-Agent` or `Proxy-Authorization` when
    connecting to an HTTPS server via an HTTP tunnel. The `Proxy-Authorization`
    header was being leaked to the origin server.
 *  Fix: Digits may be used in a URL scheme.
 *  Fix: Improve connection timeout recovery.

                              items:
                                type: string
                              type: array
                          type: object
                        tunnel:
                          description: Configuration of tunneling TCP over other transport
                            or application layers for the host configured in the DestinationRule.
                          properties:

                              items:
                                type: string
                              type: array
                          type: object
                        tunnel:
                          description: Configuration of tunneling TCP over other transport
                            or application layers for the host configured in the DestinationRule.
                          properties:

- `reflector_watches_total`

### Deprecated metrics

- `rest_client_request_latency_seconds` -> `rest_client_request_duration_seconds`
- `apiserver_proxy_tunnel_sync_latency_secs` -> `apiserver_proxy_tunnel_sync_duration_seconds`
- `scheduler_scheduling_latency_seconds` -> `scheduler_scheduling_duration_seconds`
- `kubelet_pod_worker_latency_microseconds` -> `kubelet_pod_worker_duration_seconds`

* Version-guard Kubectl client Guestbook application test against deployments ([#24478](https://github.com/kubernetes/kubernetes/pull/24478), [@ihmccreery](https://github.com/ihmccreery))
* Fix goroutine leak in ssh-tunnel healthcheck. ([#24487](https://github.com/kubernetes/kubernetes/pull/24487), [@cjcullen](https://github.com/cjcullen))

 *  **OkHttp now supports TLS 1.3.** This requires either Conscrypt or Java 11+.

 *  **Proxy authenticators are now asked for preemptive authentication.** OkHttp will now request
    authentication credentials before creating TLS tunnels through HTTP proxies (HTTP `CONNECT`).
    Authenticators should identify preemptive authentications by the presence of a challenge whose
    scheme is "OkHttp-Preemptive".

   * connections are requested concurrently OkHttp will pessimistically connect multiple times, then
   * close any unnecessary connections. This test confirms that behavior works as intended.
   *
   * This test uses proxy tunnels to get a hook while a connection is being established.
   */
  @ParameterizedTest
  @ArgumentsSource(ProtocolParamProvider::class)
  fun concurrentHttp2ConnectionsDeduplicated(
    protocol: Protocol,