action required

  then after upgrading to this release, you need to update some objects.
  For any existing PersistentVolumeClaimss with `status.allocatedResourceStatus` set to either
  "ControllerResizeFailed" or "NodeResizeFailed", clear the `status.allocatedResourceStatus`. ([#126108](https://github.com/kubernetes/kubernetes/pull/126108), [@gnufied](https://github.com/gnufied)) [SIG Apps, Auth, Node, Storage and Testing]
 
## Changes by Kind

### Deprecation

credentials have not been used in the time specified by `--legacy-service-account-token-clean-up-period` (defaulting to one year), **and** are referenced from the `.secrets` list of a ServiceAccount object, **and**  are not referenced from pods. This label causes the authentication layer to reject use of the credentials. After being labeled as invalid, if the time specified by `--legacy-service-account-token-clean-up-period` (defaulting to one year) passes without the credential being used, the secret...

- Fixing a bug where a failed node may not have the NoExecute taint set correctly ([#98140](https://github.com/kubernetes/kubernetes/pull/98140), [@CKchen0726](https://github.com/CKchen0726)) [SIG Apps and Node]
- Kubelet now cleans up orphaned volume directories automatically ([#95301](https://github.com/kubernetes/kubernetes/pull/95301), [@lorenz](https://github.com/lorenz)) [SIG Node and Storage]

        specify a class index to be ignored during loss/metric computation (e.g.
        a background/void class).
    *   Added
        [`tf.keras.models.experimental.SharpnessAwareMinimization`](https://www.tensorflow.org/api_docs/python/tf/keras/models/experimental/SharpnessAwareMinimization).
        This class implements the sharpness-aware minimization technique, which

  // to run this pod.  If no RuntimeClass resource matches the named class, the pod will not be run.
  // If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an
  // empty definition that uses the default runtime handler.
  // More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
  // +optional
  optional string runtimeClassName = 29;

</p>

<pre class="ebnf">
TypeDecl = "type" ( TypeSpec | "(" { TypeSpec ";" } ")" ) .
TypeSpec = AliasDecl | TypeDef .
</pre>

<h4 id="Alias_declarations">Alias declarations</h4>

<p>
An alias declaration binds an identifier to the given type.
</p>

<pre class="ebnf">
AliasDecl = identifier "=" Type .
</pre>

<p>

    - [CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3955-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
    - [CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3676-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
  - [Changes by Kind](#changes-by-kind-2)

* Fix issue that vSphere cloud provider cannot delete volume which is provisioned in datastore specified in storageclass ([#65550](https://github.com/kubernetes/kubernetes/pull/65550), [@w-leads](https://github.com/w-leads))
* Fix a scalability issue where high rates of event writes degraded etcd performance. ([#64539](https://github.com/kubernetes/kubernetes/pull/64539), [@ccding](https://github.com/ccding))

    - [CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3676-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
    - [CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3955-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
  - [Changes by Kind](#changes-by-kind)
    - [Feature](#feature)