`kubeadm`: a separate "super-admin.conf" file is now deployed. The User in `admin.conf` is now bound to a new RBAC Group `kubeadm:cluster-admins` that has `cluster-admin` `ClusterRole` access. The User in `super-admin.conf` is now bound to the `system:masters` built-in super-powers / break-glass Group that can bypass RBAC. Before this change, the default `admin.conf` was bound to `system:masters` Group, which was undesired. Executing `kubeadm init phase kubeconfig all` or just `kubeadm init` will now generate...

- Fix handling of aws-load-balancer-security-groups annotation. Security-Groups assigned with this annotation are no longer modified by kubernetes which is the expected behaviour of most users. Also no unnecessary Security-Groups are created anymore if this annotation is used. ([#83446](https://github.com/kubernetes/kubernetes/pull/83446), [@Elias481](https://github.com/Elias481)) [SIG...

* kube-apiserver: `--runtime-config` can once again be used to enable/disable serving specific resources in the `extensions/v1beta1` API group. Note that specific resource enablement/disablement is only allowed for the `extensions/v1beta1` API group for legacy reasons. Attempts to enable/disable individual resources in other API groups will print a warning, and will return an error in future releases. ([#72249](https://github.com/kubernetes/kubernetes/pull/72249), [@liggitt](https:/...

            }
            this.groupSid = new SID(domainId, groupId);

            // Compute Group IDs with Domain ID to get Group SIDs
            this.groupSids = new SID[groups.length];
            for (int i = 0; i < groups.length; i++) {
                this.groupSids[i] = new SID(domainId, groups[i].getId());
            }
        } catch (final IOException e) {

- Fixed AWS Cloud Provider attempting to delete LoadBalancer security group it didn’t provision, and fixed AWS Cloud Provider creating a default LoadBalancer security group even if annotation `service.beta.kubernetes.io/aws-load-balancer-security-groups` is present because the intended behavior of aws-load-balancer-security-groups is to replace all security groups assigned to the load balancer. ([#84265](https://github.com/kubernetes/kubernetes/pull/84265), [@bhag...

* The `PodSecurityPolicy` API has been moved to the `policy/v1beta1` API group. The `PodSecurityPolicy` API in the `extensions/v1beta1` API group is deprecated and will be removed in a future release. Authorizations for using pod security policy resources should change to reference the `policy` API group after upgrading to 1.11. ([#54933](https://github.com/kubernetes/kubernetes/pull/54933), [@php-coder](https://github.com/php-coder))

### Bug or Regression

- Bump system-validators to v1.9.2: remove version-specific cgroup kernel config checks to avoid false failures on cgroup v2 systems when v1-only configs are missing. ([#134086](https://github.com/kubernetes/kubernetes/pull/134086), [@pacoxu](https://github.com/pacoxu)) [SIG Cluster Lifecycle]

Shinsuke Sugaya <******@****.***> 1638450896 +0900

        });

    }

    /**
     * Deletes a group from both LDAP and the database, and removes the group
     * association from all users that belong to this group.
     *
     * @param group the group entity to delete
     */
    public void delete(final Group group) {
        ComponentUtil.getLdapManager().delete(group);

        groupBhv.delete(group, op -> {
            op.setRefreshPolicy(Constants.TRUE);

     * This method retrieves only direct group memberships and collects group IDs for later
     * asynchronous parent group lookup.
     * @param user The Entra ID user.
     * @param groupList The list to add group names to.
     * @param roleList The list to add role names to.
     * @param groupIdsForParentLookup The list to collect group IDs for later parent lookup.