### CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)

A security issue was discovered in kube-apiserver that could allow an attacker controlled aggregated API server to redirect client traffic to any URL.  This could lead to the client performing unexpected actions as well as leaking the client's credentials to third parties. 

obligations, You may act only on Your own behalf and on Your sole 
responsibility, not on behalf of any other Contributor, and only if You 
agree to indemnify, defend, and hold each Contributor harmless for any 
liability incurred by, or claims asserted against, such Contributor by 

- Fix the bug which could result in Job status updates failing with the error:
  status.startTime: Required value: startTime cannot be removed for unsuspended job

                    process.destroy();
                    teminated = true;
                } catch (final Exception e) {
                    if (logger.isInfoEnabled()) {
                        logger.info("Could not kill subprocess: process={}", process, e);
                    }
                }
            }
        }

        /**
         * Sets the finished flag to indicate whether the process has completed.

   *
   * @param hostPortString the input string to parse.
   * @return if parsing was successful, a populated HostAndPort object.
   * @throws IllegalArgumentException if nothing meaningful could be parsed.
   */
  @CanIgnoreReturnValue // TODO(b/219820829): consider removing
  public static HostAndPort fromString(String hostPortString) {
    checkNotNull(hostPortString);
    String host;

    long next = doubleToRawLongBits(newValue);
    longs.lazySet(i, next);
  }

  /**
   * Atomically sets the element at position {@code i} to the given value and returns the old value.
   *
   * @param i the index
   * @param newValue the new value
   * @return the previous value
   */
  public final double getAndSet(int i, double newValue) {

- Fixed a bug that Pods could stuck in the unschedulable pod pool 
  if they're rejected by PreEnqueue plugins that could change its result by a change in resources apart from Pods.
  
  DRA plugin is the only plugin that meets the criteria of the bug in in-tree, 
  and hence if you have `DynamicResourceAllocation` feature flag enabled, 

* Actually fix local-cluster-up on 1.5 branch ([#40501](https://github.com/kubernetes/kubernetes/pull/40501), [@lavalamp](https://github.com/lavalamp))
* Prevent hotloops on error conditions, which could fill up the disk faster than log rotation can free space. ([#40497](https://github.com/kubernetes/kubernetes/pull/40497), [@lavalamp](https://github.com/lavalamp))

            }
        } catch (final ResourceNotFoundRuntimeException e) {
            // No alias configuration found - create aliases normally (does NOT remove old aliases)
            logger.warn("[Rebuild] No alias config found for {}, falling back to createAlias (old aliases NOT removed)", configIndex);
            createAlias(configIndex, newIndexName);
            return true;
        } catch (final Exception e) {

A security issue was discovered in kube-apiserver that could allow node
updates to bypass a Validating Admission Webhook. You are only affected
by this vulnerability if you run a Validating Admission Webhook for Nodes
that denies admission based at least partially on the old state of the
Node object.

**Note**: This only impacts validating admission plugins that rely on old