MOVQ CR0, (AX)                  // ERROR "invalid instruction"
	MOVQ CR2, (AX)                  // ERROR "invalid instruction"
	MOVQ CR3, (AX)                  // ERROR "invalid instruction"
	MOVQ CR4, (AX)                  // ERROR "invalid instruction"
	MOVQ CR8, (AX)                  // ERROR "invalid instruction"
	MOVQ (AX), CR0                  // ERROR "invalid instruction"
	MOVQ (AX), CR2                  // ERROR "invalid instruction"

at two levels. For distributing workload certificates, Envoy will send [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
requests to the agent, causing the agent to submit a CSR to the configured CA (generally Istiod). For other configuration,
Envoy will send [ADS](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration#aggregated-xds-ads)

        "1-alpha2snapshot",
        "1-alpha2",
        "1-alpha-123",
        "1-beta-2",
        "1-beta123",
        "1-m2",
        "1-m11",
        "1-rc",
        "1-cr2",
        "1-rc123",
        "1-SNAPSHOT",
        "1",
        "1-sp",
        "1-sp2",
        "1-sp123",
        "1-abc",
        "1-def",
        "1-pom-1",
        "1-1-snapshot",
        "1-1",

  repeated CertificateSigningRequest items = 2;
}

// CertificateSigningRequestSpec contains the certificate request.
message CertificateSigningRequestSpec {
  // Base64-encoded PKCS#10 CSR data
  // +listType=atomic
  optional bytes request = 1;

  // Requested signer for the request. It is a qualified name in the form:
  // `scope-hostname.io/name`.
  // If empty, it will be defaulted:

    ```

 *  New: `Cookie.sameSite` determines whether cookies should be sent on cross-site requests. This
    is used by servers to defend against Cross-Site Request Forgery (CSRF) attacks.

 *  New: Log the total time of the HTTP call in `HttpLoggingInterceptor`.

 *  New: `OkHttpClient.Builder` now has APIs that use `kotlin.time.Duration`.

        * requests for a TLS client certificate for any node are approved if the CSR creator has `create` permission on the `certificatesigningrequests` resource...

- consumers of the 'certificatesigningrequests/approval' API must now have permission to 'approve' CSRs for the specific signer requested by the CSR. More information on the new signerName field and the required authorization can be found at https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests#authorization ([#88246](https://github.com/kube...

	quarkus/extensions/amazon-lambda/event-server/pom.xml
	quarkus/extensions/amazon-lambda-rest/runtime/pom.xml
	quarkus/extensions/resteasy-classic/rest-client/runtime/pom.xml
quarkus/integration-tests/csrf-reactive/pom.xml
	quarkus/extensions/csrf-reactive/runtime/pom.xml
	quarkus/extensions/elytron-security-properties-file/runtime/pom.xml
	quarkus/test-framework/junit5/pom.xml
quarkus/extensions/resteasy-classic/rest-client-jsonb/runtime/pom.xml

- kube-controller-manager
  - The deprecated `--insecure-experimental-approve-all-kubelet-csrs-for-group` flag has been removed.
- kubelet

- Kubeadm: deprecate the "--csr-only" and "--csr-dir" flags of the "kubeadm init phase certs" subcommands. Please use "kubeadm alpha certs generate-csr" instead. This new command allows you to generate new private keys and certificate signing requests for all the control-plane components, so that the certificates can be signed by an external...