### Bug or Regression

- Added jitter factor to lease controller that better smears load on kube-apiserver over time. ([#101652](https://github.com/kubernetes/kubernetes/pull/101652), [@marseel](https://github.com/marseel)) [SIG API Machinery and Scalability]

### **Cluster Federation**
#### Placement Policy
* [alpha] The federation-apiserver now supports a SchedulingPolicy admission controller that enables policy-based control over placement of federated resources. For more information, see [Set up placement policies in Federation](https://kubernetes.io/docs/tasks/federation/set-up-placement-policies-federation/).

#### Cluster Selection

variables. oidc: enabled: false configUrl: "https://identity-provider-url/.well-known/openid-configuration" clientId: "minio" clientSecret: "" # Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientSecret` existingClientSecret: "" existingClientSecret: "" claimName: "policy" scopes: "openid,profile,email" redirectUri: "https://console-endpoint-url/oauth_callback" # Can leave empty claimPrefix: "" comment: "" networkPolicy: enabled: false...

variables. oidc: enabled: false configUrl: "https://identity-provider-url/.well-known/openid-configuration" clientId: "minio" clientSecret: "" # Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientSecret` existingClientSecret: "" existingClientSecret: "" claimName: "policy" scopes: "openid,profile,email" redirectUri: "https://console-endpoint-url/oauth_callback" # Can leave empty claimPrefix: "" comment: "" networkPolicy: enabled: false...

* 'kubectl describe pv' now shows events ([#27431](https://github.com/kubernetes/kubernetes/pull/27431), [@jsafrane](https://github.com/jsafrane))
* AWS kube-up: set net.ipv4.neigh.default.gc_thresh1=0 to avoid ARP over-caching ([#27682](https://github.com/kubernetes/kubernetes/pull/27682), [@justinsb](https://github.com/justinsb))

variables. oidc: enabled: false configUrl: "https://identity-provider-url/.well-known/openid-configuration" clientId: "minio" clientSecret: "" # Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientId` and/or `clientSecret`` existingClientSecret: "" existingClientIdKey: "" existingClientSecret: "" claimName: "policy" scopes: "openid,profile,email" redirectUri: "https://console-endpoint-url/oauth_callback" # Can leave empty claimPrefix:...

  KEPs or supporting documentation, please reference a specific commit and avoid
  linking directly to the master branch. This ensures that links reference a
  specific point in time, rather than a document that may change over time.
  
  See here for guidance on getting permanent links to files: https://help.github.com/en/articles/getting-permanent-links-to-files
  
  Please use the following format for linking documentation:

	if globalSiteReplicationSys.isEnabled() {
		secretKey, err := getTokenSigningKey()
		if err != nil {
			return nil, err
		}
		keys = append(keys, secretKey)
	}

	// Iterate over all keys and return with the first successful claim extraction
	for _, key := range keys {
		jwtClaims, err = getClaimsFromTokenWithSecret(u.Credentials.SessionToken, key)
		if err == nil {
			break
		}
	}

variables. oidc: enabled: false configUrl: "https://identity-provider-url/.well-known/openid-configuration" clientId: "minio" clientSecret: "" # Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientId` and/or `clientSecret`` existingClientSecret: "" existingClientIdKey: "" existingClientSecret: "" claimName: "policy" scopes: "openid,profile,email" redirectUri: "https://console-endpoint-url/oauth_callback" # Can leave empty claimPrefix:...

variables. oidc: enabled: false configUrl: "https://identity-provider-url/.well-known/openid-configuration" clientId: "minio" clientSecret: "" # Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientId` and/or `clientSecret`` existingClientSecret: "" existingClientIdKey: "" existingClientSecret: "" claimName: "policy" scopes: "openid,profile,email" redirectUri: "https://console-endpoint-url/oauth_callback" # Can leave empty claimPrefix:...