* Fix CVE-2019-11249: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal ([#80436](https://github.com/kubernetes/kubernetes/pull/80436))
* Fix CVE-2019-11247: API server allows access to custom resources via wrong scope ([#80750](https://github.com/kubernetes/kubernetes/pull/80750))

  // only if the traffic matches at least one port in the list.
  // +optional
  repeated NetworkPolicyPort ports = 1;

  // List of sources which should be able to access the pods selected for this rule.
  // Items in this list are combined using a logical OR operation.
  // If this field is empty or missing, this rule matches all sources (traffic not restricted by source).

- Fixed bug in CPUManager with race on container map access ([#97427](https://github.com/kubernetes/kubernetes/pull/97427), [@klueska](https://github.com/klueska)) [SIG Node]

- Fix a concurrent map access in TopologyCache's `HasPopulatedHints` method. ([#120372](https://github.com/kubernetes/kubernetes/pull/120372), [@Miciah](https://github.com/Miciah)) [SIG Network]

  - [Changelog since v1.20.10](#changelog-since-v12010)
  - [Important Security Information](#important-security-information)
    - [CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access](#cve-2021-25741-symlink-exchange-can-allow-host-filesystem-access)
  - [Changes by Kind](#changes-by-kind-4)
    - [Bug or Regression](#bug-or-regression-4)
    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1)
  - [Dependencies](#dependencies-4)

		if !rd || !wr {
			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, AdminError{
				Code: "XMinioSpeedtestInsufficientPermissions",
				Message: fmt.Sprintf("%s does not have read and write access to '%s' bucket", creds.AccessKey,
					globalObjectPerfBucket),
				StatusCode: http.StatusForbidden,
			}), r.URL)
			return
		}
	}

	sizeStr := r.Form.Get(peerRESTSize)

 - `kubeadm`: a separate "super-admin.conf" file is now deployed. The User in `admin.conf` is now bound to a new RBAC Group `kubeadm:cluster-admins` that has `cluster-admin` `ClusterRole` access. The User in `super-admin.conf` is now bound to the `system:masters` built-in super-powers / break-glass Group that can bypass RBAC. Before this change, the default `admin.conf` was bound to `system:masters` Group, which was undesired. Executing `kubeadm...

   * the pipeline is done, even if the pipeline is canceled or fails.
   *
   * <p>Cancelling the pipeline will not cancel {@code future}, so that the pipeline can access its
   * value in order to close it.
   *
   * @param future the future to create the {@code ClosingFuture} from. For discussion of the

  // +optional
  optional bool blockOwnerDeletion = 7;
}

// PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients
// to get access to a particular ObjectMeta schema without knowing the details of the version.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
message PartialObjectMetadata {
  // Standard object's metadata.

A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can to modify Node objects and send requests proxying through them.