This issue has been rated low and assigned CVE-2021-25749

### Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

#### Affected Versions

- kubelet v1.20 - v1.21
- kubelet v1.22.0 - v1.22.13
- kubelet v1.23.0 - v1.23.10
- kubelet v1.24.0 - v1.24.4

### How do I mitigate this vulnerability?

    `tf.compat.v1.image.extract_glimpse` does not change. The behavior of
    existing C++ kernel `ExtractGlimpse` does not change either, so saved models
    using `tf.raw_ops.ExtractGlimpse` will not be impacted.

## Known Caveats

*   `tf.lite`
    *   Keras-based LSTM models must be converted with an explicit batch size in
        the input layer.

## Bug Fixes and Other Changes

This issue has been rated low and assigned CVE-2021-25749

### Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

#### Affected Versions

- kubelet v1.20 - v1.21
- kubelet v1.22.0 - v1.22.13
- kubelet v1.23.0 - v1.23.10
- kubelet v1.24.0 - v1.24.4

### How do I mitigate this vulnerability?

unschedulable from the candidate nodes. The service load balancer exclusion label should be used instead.
  
  Users upgrading from 1.18 who have cordoned nodes should set the `node.kubernetes.io/exclude-from-external-load-balancers` label on the impacted nodes before upgrading if they wish those nodes to remain excluded from service load balancers. ([#90823](https://github.com/kubernetes/kubernetes/pull/90823), [@smarterclayton](https://github.com/smarterclayton)) [SIG Apps, Cloud Provider and Network]...