Krishnan Parthasarathi <******@****.***> 1701514293 -0800

					return
				}
			}
		case "Batch":
			if dc.IsNil() {
				err = dc.ReadNil()
				if err != nil {
					err = msgp.WrapError(err, "Batch")
					return
				}
				z.Batch = nil
			} else {
				if z.Batch == nil {
					z.Batch = new(int)
				}
				*z.Batch, err = dc.ReadInt()
				if err != nil {
					err = msgp.WrapError(err, "Batch")
					return
				}
			}

jiuker <******@****.***> 1722516810 +0800

Krishnan Parthasarathi <******@****.***> 1701514293 -0800

Quoc Truong <******@****.***> 1731351734 -0800

configurations. `objectSelector` is evaluated the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels....

			claims, err := getClaimsFromTokenWithSecret(ui.Credentials.SessionToken, secret)
			if err != nil {
				continue // skip if token is invalid
			}
			// skip if token type is given and does not match
			if v, _ := claims.Lookup(tokenRevokeTypeClaim); v != tokenRevokeType {
				continue
			}
		}
		if err := store.deleteUserIdentity(ctx, ui.Credentials.AccessKey, stsUser); err != nil {
			return err
		}

### Feature

- 'kubeadm: enhanced the "patches" functionality to be able to patch coredns
  deployment. The new patch target is called "corednsdeployment" (e.g. patch file
  "corednsdeployment+json.json"). This makes it possible to apply custom patches

- Kube-apiserver: fixes a 1.27+ regression in watch stability by serving watch requests without a resourceVersion from the watch cache by default, as in <1.27 (disabling the change in #115096 by default). This mitigates the impact of an etcd watch bug (https://github.com/etcd-io/etcd/pull/17555). If the 1.27 change in #115096 to serve these requests from underlying storage is still desired despite the impact on watch stability, it can be re-enabled with a `WatchFromStorageWithoutResourceVersion`...

* Requests with invalid credentials no longer match audit policy rules where users or groups are set, correcting a problem where authorized requests were getting through. ([#59398](https://github.com/kubernetes/kubernetes/pull/59398), [@CaoShuFeng](https://github.com/CaoShuFeng))