* [Kubelet] Optionally consume configuration from <node-name> named config maps ([#30090](https://github.com/kubernetes/kubernetes/pull/30090), [@mtaufen](https://github.com/mtaufen))

* When CORS Handler is enabled, we now add a new HTTP header named "Access-Control-Expose-Headers" with a value of "Date". This allows the "Date" HTTP header to be accessed from XHR/JavaScript. ([#33242](https://github.com/kubernetes/kubernetes/pull/33242), [@dims](https://github.com/dims))

- Fixed an issue with Kubernetes-style sidecar containers (in other words: init containers 
with an Always restart policy) and Services. Before the fix, named ports 
exposed by a sidecar could not be accessed using a Service. ([#128850](https://github.com/kubernetes/kubernetes/pull/128850), [@toVersus](https://github.com/toVersus)) [SIG Network and Testing]

A security issue was discovered in Kubernetes that could allow  Windows workloads to run as `ContainerAdministrator` even when those workloads set the `runAsNonRoot` option to `true `.

This issue has been rated low and assigned CVE-2021-25749

### Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

#### Affected Versions

FB24          ; mapped                 ; 05DB          # 1.1  HEBREW LETTER WIDE KAF
FB25          ; mapped                 ; 05DC          # 1.1  HEBREW LETTER WIDE LAMED
FB26          ; mapped                 ; 05DD          # 1.1  HEBREW LETTER WIDE FINAL MEM
FB27          ; mapped                 ; 05E8          # 1.1  HEBREW LETTER WIDE RESH

  The `EventsToRegister` in `EnqueueExtension` changed the return value from `ClusterEvent` to `ClusterEventWithHint`. `ClusterEventWithHint` allows each plugin to filter out more useless events via the callback function named `QueueingHintFn`.
  When the scheduling queue receives a cluster event, before moving each Pod from unschedulable pod pool to activeQ/backoffQ, it will call QueueingHintFn of plugins that rejected each Pod in the previous scheduling cycle.

* Updates Calico version to v2.6.7 (Fixed a bug where Felix would crash when parsing a NetworkPolicy with a named port. See https://github.com/projectcalico/calico/releases/tag/v2.6.7) ([#59130](https://github.com/kubernetes/kubernetes/pull/59130), [@caseydavenport](https://github.com/caseydavenport))

const, a, b, c, d, e, f, g, h) \ LOAD0(index); \ SHA256ROUND(const, a, b, c, d, e, f, g, h) #define SHA256ROUND1(index, const, a, b, c, d, e, f, g, h) \ LOAD1(index); \ SHA256ROUND(const, a, b, c, d, e, f, g, h) // A stack frame size of 64 bytes is required here, because // the frame size used for data expansion is 64 bytes. // See the definition of the macro LOAD1 above (4 bytes * 16 entries). // //func block(dig *Digest, p []byte) TEXT ·block(SB),NOSPLIT,$64-32 MOVV p_base+8(FP), R5 MOVV p_len+16(FP),...

Troubleshoot on a node by creating a container running in the host namespaces and with access to the host’s filesystem.
Note that as a new builtin command, `kubectl debug` takes priority over any `kubectl` plugin named “debug”. You will need to rename the affected plugin.
Invocations using `kubectl alpha debug` are now deprecated and will be removed in a subsequent release. Update your scripts to use `kubectl debug` instead of `kubectl alpha debug`!

A security issue was discovered in Kubernetes that could allow  Windows workloads to run as `ContainerAdministrator` even when those workloads set the `runAsNonRoot` option to `true `.

This issue has been rated low and assigned CVE-2021-25749

### Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

#### Affected Versions