},
          {
            "group": "rbac.authorization.k8s.io",
            "kind": "DeleteOptions",
            "version": "v1"
          },
          {
            "group": "rbac.authorization.k8s.io",
            "kind": "DeleteOptions",
            "version": "v1alpha1"
          },
          {
            "group": "rbac.authorization.k8s.io",
            "kind": "DeleteOptions",

Kubernetes 1.11 also makes it easier to see what's happening, as audit events can now be annotated with information about how an API request was handled:
  * Authorization sets `authorization.k8s.io/decision` and `authorization.k8s.io/reason` annotations with the authorization decision ("allow" or "forbid") and a human-readable description of why the decision was made (for example, RBAC includes the name of the role/binding/subject which allowed a request).

          },
          {
            "group": "rbac.authorization.k8s.io",
            "kind": "DeleteOptions",
            "version": "v1"
          },
          {
            "group": "rbac.authorization.k8s.io",
            "kind": "DeleteOptions",
            "version": "v1alpha1"
          },
          {
            "group": "rbac.authorization.k8s.io",
            "kind": "DeleteOptions",

  - The `Node` authorization mode no longer allows kubelets to delete their Node API objects (prior to 1.11, in rare circumstances related to cloudprovider node ID changes, kubelets would attempt to delete/recreate their Node object at startup) ([#71021](https://github.co...

          },
          {
            "group": "rbac.authorization.k8s.io",
            "kind": "DeleteOptions",
            "version": "v1"
          },
          {
            "group": "rbac.authorization.k8s.io",
            "kind": "DeleteOptions",
            "version": "v1alpha1"
          },
          {
            "group": "rbac.authorization.k8s.io",
            "kind": "DeleteOptions",

- The following features...

  In addition, please be careful that:
  - kube-scheduler MUST start with `--authorization-kubeconfig` and `--authentication-kubeconfig` correctly set to get authentication/authorization working.
  - liveness/readiness probes to kube-scheduler MUST use HTTPS now, and the default port has been changed to 10259.

  - `--address`
  The insecure port flags `--port` may only be set to 0 now.
  
  In addtion, please be careful that:
  - controller-manager MUST start with `--authorization-kubeconfig` and `--authentication-kubeconfig` correctly set to get authentication/authorization working.
  - liveness/readiness probes to controller-manager MUST use HTTPS now, and the default port has been changed to 10257.

- CEL authorizer checks no longer raise runtime errors. Calls to "check" will always return a decision object and the authorization error (if any) can be accessed within expressions using the new decision methods "errored" and "error". ([#118804](https://github.com/kubernetes/kubernetes/pull/118804), [@benluddy](https://github.com/benluddy)) [SIG API Machinery]

- `system:kube-controller-manager` and `system:kube-scheduler` users are now permitted to perform delegated authentication/authorization checks by default RBAC policy ([#72491](https://github.com/kubernetes/kubernetes/pull/72491), [@liggitt](https://github.com/liggitt))