* Federation: separate notion of zone-name & dns-suffix ([#35372](https://github.com/kubernetes/kubernetes/pull/35372), [@justinsb](https://github.com/justinsb))

  /** Returns {@code null} if unable to parse into a {@code byte[]}. */
  private static byte @Nullable [] ipStringToBytes(String ipStringParam, @Nullable Scope scope) {
    String ipString = ipStringParam;
    // Make a first pass to categorize the characters in this string.
    boolean hasColon = false;
    boolean hasDot = false;
    int percentIndex = -1;
    for (int i = 0; i < ipString.length(); i++) {
      char c = ipString.charAt(i);

  - [Changelog since v1.32.5](#changelog-since-v1325)
  - [Important Security Information](#important-security-information-1)
    - [CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks](#cve-2025-4563-nodes-can-bypass-dynamic-resource-allocation-authorization-checks)
  - [Changes by Kind](#changes-by-kind-5)
    - [Feature](#feature-4)
    - [Bug or Regression](#bug-or-regression-5)

   *     java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link
   *     java.nio.file.Path#toFile() toFile()} if needed. To restrict permissions as this method
   *     does, pass {@code
   *     PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"))} to your
   *     call to {@code createTempDirectory}.
   */
  @Beta
  @Deprecated
  @J2ObjCIncompatible

  - [Changelog since v1.33.1](#changelog-since-v1331)
  - [Important Security Information](#important-security-information-1)
    - [CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks](#cve-2025-4563-nodes-can-bypass-dynamic-resource-allocation-authorization-checks)
  - [Changes by Kind](#changes-by-kind-5)
    - [Feature](#feature-4)
    - [Bug or Regression](#bug-or-regression-5)

### CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

**Affected Versions**:

  }

  /**
   * Process the bytes of the given input stream using the given processor.
   *
   * @param input the input stream to process
   * @param processor the object to which to pass the bytes of the stream
   * @return the result of the byte processor
   * @throws IOException if an I/O error occurs
   * @since 14.0
   */
  @CanIgnoreReturnValue // some processors won't return a useful result

    - [CVE-2021-25749: <code>runAsNonRoot</code> logic bypass for Windows containers](#cve-2021-25749-runasnonroot-logic-bypass-for-windows-containers)
    - [Am I vulnerable?](#am-i-vulnerable)
      - [Affected Versions](#affected-versions)

*   [stable] [cri-o](https://github.com/kubernetes-incubator/cri-o): CRI implementation for OCI-based runtimes is now v1.9. [[@mrunalp](https://github.com/mrunalp)]
    *   Pass all the Kubernetes 1.9 end-to-end test suites and now gating PRs as well
    *   Pass all the CRI validation tests
    *   Release has been focused on bug fixes, stability and performance with runc and Clear Containers
    *   Minikube integration

  }

  private static void assertListImmutable(List<Integer> result) {
    try {
      result.set(0, 1);
      fail();
    } catch (UnsupportedOperationException expected) {
      // pass
    }
  }

  public void testIteratorMinAndMax() {
    List<Integer> ints = Lists.newArrayList(5, 3, 0, 9);
    assertEquals(9, (int) numberOrdering.max(ints.iterator()));