### Immutable Secrets and ConfigMaps

Immutable Secrets and ConfigMaps graduates to GA. This feature allows users to specify that the contents of a particular Secret or ConfigMap is immutable for its object lifetime. For such instances, Kubelet will not watch/poll for changes and therefore reducing apiserver load.

search_engine.heartbeat_interval=10000

# Cipher algorithm used for encryption.
app.cipher.algorism=aes
# Secret key for encryption (change this value for production).
app.cipher.key=___change__me___
# Algorithm for digest calculation.
app.digest.algorism=sha256
# Regex pattern for properties to encrypt.
app.encrypt.property.pattern=.*password|.*key|.*token|.*secret

# Extension names for application customization.
app.extension.names=

- Kubelet now cleans up orphaned volume directories automatically ([#95301](https://github.com/kubernetes/kubernetes/pull/95301), [@lorenz](https://github.com/lorenz)) [SIG Node and Storage]
- Resolves spurious `Failed to list *v1.Secret` or `Failed to list *v1.ConfigMap` messages in kubelet logs. ([#99538](https://github.com/kubernetes/kubernetes/pull/99538), [@liggitt](https://github.com/liggitt)) [SIG Auth and Node]

}

// CopyObjectHandler - Copy Object
// ----------
// This implementation of the PUT operation adds an object to a bucket
// while reading the object from another source.
// Notice: The S3 client can send secret keys in headers for encryption related jobs,
// the handler should ensure to remove these keys before sending them to the object layer.
// Currently these keys are:
//   - X-Amz-Server-Side-Encryption-Customer-Key

labels.ldap_memberof_attribute=memberOf Attribute
labels.notification_login=Login Page
labels.notification_search_top=Search Top Page
labels.storage_endpoint=Endpoint
labels.storage_access_key=Access Key
labels.storage_secret_key=Secret Key
labels.storage_bucket=Bucket
labels.send_testmail=Send Test Mail
labels.backup_configuration=Backup
labels.backup_name=Name
labels.backup_bulk_file=Bulk File
labels.backup_button_upload=Upload

- The helping message of commands which have sub-commands is now clearer and more instructive. It will show the full command instead of `kubectl <command> --help ...`
  
  Changed `kubectl create secret --help` description. There will be a short introduction to the three secret types and clearer guidance on how to use the command. ([#117930](https://github.com/kubernetes/kubernetes/pull/117930), [@LronDC](https://github.com/LronDC))

### Immutable Secrets and ConfigMaps (beta)

Secret and ConfigMap volumes can be marked as immutable, which significantly reduces load on the API server if there are many Secret and ConfigMap volumes in the cluster.
See [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) and [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) for more information.

### CSI Proxy for Windows

- Fixed in-tree to CSI migration for Portworx volumes, in clusters where Portworx security feature is enabled (it's a Portworx feature, not Kubernetes feature). It required secret data from the secret mentioned in-tree SC, to be passed in CSI requests which was not happening before this fix. ([#129675](https://github.com/kubernetes/kubernetes/pull/129675), [@gohilankit](https://github.com/gohilankit)) [SIG Storage]

### Bug or Regression

- Fixed in-tree to CSI migration for Portworx volumes, in clusters where Portworx security feature is enabled (it's a Portworx feature, not Kubernetes feature). It required secret data from the secret mentioned in-tree SC, to be passed in CSI requests which was not happening before this fix. ([#129674](https://github.com/kubernetes/kubernetes/pull/129674), [@gohilankit](https://github.com/gohilankit)) [SIG Storage]

improves the security posture in the mounting process where the volumes are ACL’ed on the pods’ service account without handing out unnecessary permissions to the CSI drivers’ service account. This feature is especially important for secret-handling CSI drivers, such as the secrets-store-csi-driver. Since these tokens can be rotated and short-lived, this feature also provides a knob for CSI drivers to receive `NodePublishVolume` RPC calls periodically with the new token. This knob is also useful when volumes...