b := NewReader(new(negativeReader))
	defer func() {
		switch err := recover().(type) {
		case nil:
			t.Fatal("read did not panic")
		case error:
			if !strings.Contains(err.Error(), "reader returned negative count from Read") {
				t.Fatalf("wrong panic: %v", err)
			}
		default:
			t.Fatalf("unexpected panic value: %T(%v)", err, err)
		}
	}()

## Changelog since v1.20.10

## Important Security Information

This release contains changes that address the following vulnerabilities:

### CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

A security issue was discovered in Kubernetes where a user may be able to

## Changelog since v1.21.4

## Important Security Information

This release contains changes that address the following vulnerabilities:

### CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

A security issue was discovered in Kubernetes where a user may be able to

## Changelog since v1.30.9

## Important Security Information

This release contains changes that address the following vulnerabilities:

### CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API

## Changelog since v1.24.16

## Important Security Information

This release contains changes that address the following vulnerabilities:

### CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

		}
	} else {
		// SSEC objects will refuse HeadObject without the decryption key.
		// Ignore the error, since we know the object exists and versioning prevents overwriting existing versions.
		if isSSEC && strings.Contains(cerr.Error(), errorCodes[ErrSSEEncryptedObject].Description) {
			rinfo.ReplicationStatus = replication.Completed
			rinfo.ReplicationAction = replicateNone
			goto applyAction
		}

### Other notable changes

* Fix creation of custom resources when the CRD contains non-conventional pluralization and subresources ([#66249](https://github.com/kubernetes/kubernetes/pull/66249), [@deads2k](https://github.com/deads2k))

restrictions" within the meaning of section 10.  If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term.  If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms

retrieving tabular output for API resources via a new mime-type application/json;as=Table;v=v1alpha1;g=meta.k8s.io. The returned object (if the server supports it) will be of type meta.k8s.io/v1alpha1 with Table, and contain column and row information related to the resource. Each row will contain information about the resource - by default it will be the object metadata, but callers can add the ?includeObject=Object query parameter and receive the full object. In the future kubectl will use this to retrieve...

### Auth

- Fixed OpenID Connect (OIDC) token refresh when the client secret contains a special character. ([#76914](https://github.com/kubernetes/kubernetes/pull/76914), [@tsuna](https://github.com/tsuna))