- Kubeadm: during execution of the "check expiration" command, treat the etcd CA as external if there is a missing etcd CA key file (etcd/ca.key) and perform the proper validation on certificates signed by...

return this.utcOffset()>this.clone().month(0).utcOffset()||this.utcOffset()>this.clone().month(5).utcOffset()},yt.isLocal=function(){return!!this.isValid()&&!this._isUTC},yt.isUtcOffset=function(){return!!this.isValid()&&this._isUTC},yt.isUtc=Ca,yt.isUTC=Ca,yt.zoneAbbr=function(){return this._isUTC?"UTC":""},yt.zoneName=function(){return this._isUTC?"Coordinated Universal Time":""},yt.dates=t("dates accessor is deprecated. Use date instead.",lt),yt.months=t("months accessor is deprecated. Use month...

- Kubeadm: during execution of the "check expiration" command, treat the etcd CA as external if there is a missing etcd CA key file (etcd/ca.key) and perform the proper validation on certificates signed by...

- Kube-apiserver: Made sure that when `--requestheader-client-ca-file` and `--client-ca-file` contain overlapping certificates, `--requestheader-allowed-names` must be specified so that regular client certificates cannot set authenticating proxy headers for arbitrary users. ([#131411](https://github.com/kubernetes/kubernetes/pull/131411),...

    String QUERY_GSA_DEFAULT_PREFERENCE = "query.gsa.default.preference";

    /** The key of the configuration. e.g. ar=ar<br>
     * bg=bg<br>
     * bn=bn<br>
     * ca=ca<br>
     * ckb-iq=ckb-iq<br>
     * ckb_IQ=ckb-iq<br>
     * cs=cs<br>
     * da=da<br>
     * de=de<br>
     * el=el<br>
     * en=en<br>
     * en-ie=en-ie<br>
     * en_IE=en-ie<br>

          0x00, 0x00, 0x00, 0x00,
          0x02, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00
        };
    assertCrc(0xd9963a56, scsiReadCommand);
  }

  // Known values from http://www.evanjones.ca/crc32c.html
  public void testSomeOtherKnownValues() {
    assertCrc(0x22620404, "The quick brown fox jumps over the lazy dog".getBytes(UTF_8));
    assertCrc(0xE3069283, "123456789".getBytes(UTF_8));

- The extension API server can now dynamically discover the requestheader CA certificate when the core API server doesn't use certificate based authentication for it's clients. ([#66394](https://github.com/kubernetes/kubernetes/pull/66394), [@rtripat](https://github.com/rtripat))

### SIG Autoscaling

- Kubeadm: warn but do not error out on missing "ca.key" files for root CA, front-proxy CA and etcd CA, during "kubeadm join --control-plane" if the user has provided all certificates, keys and kubeconfig files which require signing with the given CA keys. ([#94988](https://github.com/kubernetes/kubernetes/pull/94988),...

   *
   * If [routes] is non-null these are the resolved routes (ie. IP addresses) for the connection.
   * This is used to coalesce related domains to the same HTTP/2 connection, such as `square.com`
   * and `square.ca`.
   */
  internal fun callAcquirePooledConnection(
    doExtensiveHealthChecks: Boolean,
    address: Address,
    call: RealCall,
    routes: List<Route>?,
    requireMultiplexed: Boolean,
  ): RealConnection? {

- The DynamicKubeletConfig and SelfHosting functionality was moved outside of `kubeadm init` and feature gates and is now exposed under `kubeadm alpha`.
- Kubeadm init phase certs now support the `--csr-only` option, simplifying custom CA creation.
- `kubeadm join --experimental-control-plane` now automatically adds a new etcd member for `local etcd` mode, further simplifying required tasks for HA clusters setup.