This release contains changes that address the following vulnerabilities:

### CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API

A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

**Affected Versions**:
  - kubelet kubelet v1.30.0 to v1.30.9

podAnnotations: annotations: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 resources: requests: memory: 128Mi nodeSelector: {} tolerations: [] affinity: {} ## List of command to run after minio install ## NOTE: the mc command TARGET is always "myminio" customCommands: # - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'" ## Additional Annotations for the Kubernetes Job customCommandJob customCommandJob: podAnnotations: annotations: securityContext:...

podAnnotations: annotations: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 resources: requests: memory: 128Mi nodeSelector: {} tolerations: [] affinity: {} ## List of command to run after minio install ## NOTE: the mc command TARGET is always "myminio" customCommands: # - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'" ## Additional Annotations for the Kubernetes Job customCommandJob customCommandJob: podAnnotations: annotations: securityContext:...

resources: requests: memory: 128Mi nodeSelector: {} tolerations: [] affinity: {} extraVolumes: [] extraVolumeMounts: [] # Command to run after the main command on exit exitCommand: "" ## List of command to run after minio install ## NOTE: the mc command TARGET is always "myminio" customCommands: # - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'" ## Additional Annotations for the Kubernetes Job customCommandJob customCommandJob: podAnnotations: {} annotations:...

podAnnotations: annotations: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 resources: requests: memory: 128Mi nodeSelector: {} tolerations: [] affinity: {} ## List of command to run after minio install ## NOTE: the mc command TARGET is always "myminio" customCommands: # - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'" ## Additional Annotations for the Kubernetes Job customCommandJob customCommandJob: podAnnotations: annotations: securityContext:...

makeBucketJob: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 resources: requests: memory: 128Mi # Command to run after the main command on exit exitCommand: "" ## List of command to run after minio install ## NOTE: the mc command TARGET is always "myminio" customCommands: # - command: "admin policy attach myminio consoleAdmin --group='cn=ops,cn=groups,dc=example,dc=com'" ## Additional Annotations for the Kubernetes Job customCommandJob customCommandJob: securityContext: enabled:...

podAnnotations: annotations: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 resources: requests: memory: 128Mi nodeSelector: {} tolerations: [] affinity: {} ## List of command to run after minio install ## NOTE: the mc command TARGET is always "myminio" customCommands: # - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'" ## Additional Annotations for the Kubernetes Job customCommandJob customCommandJob: podAnnotations: annotations: securityContext:...

podAnnotations: annotations: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 resources: requests: memory: 128Mi nodeSelector: {} tolerations: [] affinity: {} ## List of command to run after minio install ## NOTE: the mc command TARGET is always "myminio" customCommands: # - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'" ## Additional Annotations for the Kubernetes Job customCommandJob customCommandJob: podAnnotations: annotations: securityContext:...

podAnnotations: annotations: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 resources: requests: memory: 128Mi nodeSelector: {} tolerations: [] affinity: {} ## List of command to run after minio install ## NOTE: the mc command TARGET is always "myminio" customCommands: # - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'" ## Additional Annotations for the Kubernetes Job customCommandJob customCommandJob: podAnnotations: annotations: securityContext:...

		_, isRegularUser := globalIAMSys.GetUser(ctx, targetUser)
		if !isRegularUser && targetUser != globalActiveCred.AccessKey {
			apiErr := toAdminAPIErr(ctx, errNoSuchUser)
			apiErr.Description = fmt.Sprintf("Specified target user %s does not exist", targetUser)
			writeErrorResponseJSON(ctx, w, apiErr, r.URL)
			return
		}
	}

	// Check if we are creating svc account for request sender.