// the 'null' version. We add a free-version to track its tiered
	// content for asynchronous deletion.
	//
	// Note: RestoreObject and HealObject requests don't end up replacing the
	// null version and therefore don't require the free-version to track
	// anything
	if fi.VersionID == "" && !fi.IsRestoreObjReq() && !fi.Healing() {
		// Note: Restore object request reuses PutObject/Multipart

*   If multiple PodSecurityPolicy objects allow a submitted pod, priority is given to policies that do not require default values for any fields in the pod spec. If default values are required, the first policy ordered by name that allows the pod is used. ([#52849](https://github.com/kubernetes/kubernetes/pull/52849),[ @liggitt](https://github.com/liggitt))

- Kubeadm: allow the "certs check-expiration" command to not require the existence of the cluster CA key (ca.key file) when checking the expiration of managed certificates in kubeconfig files. ([#106930](https://github.com/kubernetes/kubernetes/pull/106930), [@neolit123](https://github.com/neolit123)) [SIG Cluster...

0X_1FFFP-16  // == 0.1249847412109375
0x15e-2      // == 0x15e - 2 (integer subtraction)

0x.p1        // invalid: mantissa has no digits
1p-2         // invalid: p exponent requires hexadecimal mantissa
0x1.5e-2     // invalid: hexadecimal mantissa requires p exponent
1_.5         // invalid: _ must separate successive digits
1._5         // invalid: _ must separate successive digits
1.5_e1       // invalid: _ must separate successive digits

- The test "[sig-network] EndpointSlice should have Endpoints and EndpointSlices pointing to API Server [Conformance]" only requires that there is an EndpointSlice that references the "kubernetes.default" service, it no longer requires that its named "kubernetes". ([#104664](https://github.com/kubernetes/kubernetes/pull/104664), [@aojea](https://github.com/aojea))

      <match value="X-Notes-Item:" type="string" offset="0">
        <match value="Message-ID:" type="string" offset="0:8192"/>
      </match>
      <!-- match X- DKIM- ARC- at start of file and then require at least one
           of the usual: from, received, date...but look farther into the file
           because of the X|DKIM|ARC headers-->
      <match value="(X|DKIM|ARC)-" type="regex" offset="0">

    - [Action Required](#action-required-2)
    - [Other notable changes](#other-notable-changes-20)
- [v1.6.0-beta.1](#v160-beta1)
  - [Downloads for v1.6.0-beta.1](#downloads-for-v160-beta1)
    - [Client Binaries](#client-binaries-18)
    - [Server Binaries](#server-binaries-18)
  - [Changelog since v1.6.0-alpha.3](#changelog-since-v160-alpha3)
    - [Action Required](#action-required-3)

  - `response.patch` and `response.patchType` are not permitted from validating admission webhooks
  - `apiVersion: "admission.k8s.io/v1"` is required
  - `kind: "AdmissionReview"` is required
  - `response.uid: "<value of request.uid>"` is required
  - `response.patchType: "JSONPatch"` is required (if `response.patch` is set) ([#80231](https://github.com/kubernetes/kubernetes/pull/80231), [@liggitt](https://github.com/liggitt))

exact same computation again. SP 800-56A // Rev. 3, Section 5.6.2.1.4 acknowledges that, and doesn't require it. // However, ISO 19790:2012, Section 7.10.3.3 has a blanket requirement for a // PCT for all generated keys (AS10.35) and FIPS 140-3 IG 10.3.A, Additional // Comment 1 goes out of its way to say that "the PCT shall be performed // consistent [...], even if the underlying standard does not require a // PCT". So we do it. And make ECDH nearly 50% slower (only) in FIPS mode. if err := fips140.PCT("ECDH...

    - [Action Required](#action-required-3)
    - [Other notable changes](#other-notable-changes-7)
- [v1.17.0-alpha.1](#v1170-alpha1)
  - [Downloads for v1.17.0-alpha.1](#downloads-for-v1170-alpha1)
    - [Client Binaries](#client-binaries-24)
    - [Server Binaries](#server-binaries-24)
    - [Node Binaries](#node-binaries-24)
  - [Changelog since v1.16.0](#changelog-since-v1160)
    - [Action Required](#action-required-4)