- Kubeadm: during 'upgrade apply', if the kube-proxy ConfigMap is missing, assume that kube-proxy...

- Adds "volume.beta.kubernetes.io/migrated-to" annotation to PV's and PVC's when they are migrated to signal external provisioners to pick up those objects for Provisioning and Deleting. ([#87098](https://github.com/kubernetes/kubernetes/pull/87098), [@davidz627](https://github.com/davidz627)) [SIG  Storage]

### Signing Release Artifacts

Release artifacts are [signed](https://github.com/kubernetes/enhancements/issues/3031) using [cosign](https://github.com/sigstore/cosign)
signatures
and there is experimental support for [verifying image signatures](https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-images/).

(The jury all brightened up again.)

  `Please your Majesty,' said the Knave, `I didn't write it, and
they can't prove I did:  there's no name signed at the end.'

  `If you didn't sign it,' said the King, `that only makes the
matter worse.  You MUST have meant some mischief, or else you'd
have signed your name like an honest man.'

  There was a general clapping of hands at this:  it was the

  - The requested name did not match the set of authorized names (`x509.HostnameError`)
  - The error surfaced after attempting a connection contained one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority". ([#120736](https://github.com/kubernetes/kubernetes/pull/120736), [@MadhavJivrajani](https://github.com/MadhavJivrajani))

- Addressed an issue where a JWT authenticator set up via `--authentication-config` would encounter failures in verifying tokens not signed with RS256. ([#123282](https://github.com/kubernetes/kubernetes/pull/123282), [@enj](https://github.com/enj))

  - The requested name does not match the set of authorized names (x509.HostnameError)
  - The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority" ([#120765](https://github.com/kubernetes/kubernetes/pull/120765), [@MadhavJivrajani](https://github.com/MadhavJivrajani)) [SIG Architecture and Cloud Provider]

- Kubeadm: during execution of the "check expiration" command, treat the etcd CA as external if there is a missing etcd CA key file (etcd/ca.key) and perform the proper validation on certificates signed by the etcd CA. Additionally, make sure that the CA for all entries in the output table is included - for both certificates on disk and in kubeconfig files. ([#106923](https://github.com/kubernetes/kubernetes/pull/106923), [@neolit123](https://gi...

  <mime-type type="application/vnd.uplanet.list-wbxml"/>
  <mime-type type="application/vnd.uplanet.listcmd"/>
  <mime-type type="application/vnd.uplanet.listcmd-wbxml"/>
  <mime-type type="application/vnd.uplanet.signal"/>
  <mime-type type="application/vnd.vcx">
    <glob pattern="*.vcx"/>
  </mime-type>
  <mime-type type="application/vnd.vd-study"/>
  <mime-type type="application/vnd.vectorworks"/>

- Kubeadm: during execution of the "check expiration" command, treat the etcd CA as external if there is a missing etcd CA key file (etcd/ca.key) and perform the proper validation on certificates signed by the etcd CA. Additionally, make sure that the CA for all entries in the output table is included - for both certificates on disk and in kubeconfig files. ([#106925](https://github.com/kubernetes/kubernetes/pull/106925), [@neolit123](https://gi...