by this vulnerability if you run a Validating Admission Webhook for Nodes
that denies admission based at least partially on the old state of the
Node object.

**Note**: This only impacts validating admission plugins that rely on old
values in certain fields, and does not impact calls from kubelets that go
through the built-in NodeRestriction admission plugin.

**Affected Versions**:

- Kube-proxy in iptables mode now only logs the full iptables input at `-v=9` rather than `-v=5`. ([#108224](https://github.com/kubernetes/kubernetes/pull/108224), [@danwinship](https://github.com/danwinship))
- Kube-proxy will no longer hold service node ports open on the node. Users are still advised not to run any listener on node ports range used by kube-proxy. ([#108496](https://github.com/kubernetes/kubernetes/pull/108496), [@khenidak](https://github.com/khenidak))

<div class="termy">

```console
$ cd ~/code/prisoner-of-azkaban

// You don't need to be in the old directory to deactivate, you can do it wherever you are, even after going to the other project 😎
$ deactivate

// Activate the virtual environment in prisoner-of-azkaban/.venv 🚀
$ source .venv/bin/activate

 *  Fix: MockWebServer is now usable with JUnit 5. That update [broke the rules][junit_5_rules].
 *  New: Support `Expect: 100-continue` as a request header. Callers can use this header to
    pessimistically hold off on transmitting a request body until a server gives the go-ahead.
 *  New: Permit network interceptors to rewrite the host header for HTTP/2. This makes it possible
    to do domain fronting.

	}
	var arns []string
	for arn := range sys.rolesMap {
		arns = append(arns, arn.String())
	}
	sort.Strings(arns)
	msgs := make([]string, 0, len(arns))
	for _, arn := range arns {
		msgs = append(msgs, color.Bold(arn))
	}

	logger.Info(fmt.Sprintf("%s %s", color.Blue("IAM Roles:"), strings.Join(msgs, " ")))
}

// HasWatcher - returns if the IAM system has a watcher to be notified of
// changes.

by this vulnerability if you run a Validating Admission Webhook for Nodes
that denies admission based at least partially on the old state of the
Node object.

**Note**: This only impacts validating admission plugins that rely on old
values in certain fields, and does not impact calls from kubelet that go
through the built-in NodeRestriction admission plugin.

**Affected Versions**:

	FADDD (R11), F0                         // 41d803 or 41dc03
	FADDDP F0, F2                           // dec2
	FADDDP F0, F3                           // dec3
	FBLD (BX)                               // df23
	FBLD (R11)                              // 41df23
	FBSTP (BX)                              // df33
	FBSTP (R11)                             // 41df33
	FCHS                                    // d9e0

- Kube-log-runner: Added the `-log-file-size` parameter to rotate log output into a new file once it reached a certain size. Introduced `-log-file-age` to enable automatic removal of old output files, and `-flush-interval` to support periodic flushing. ([#127667](https://github.com/kubernetes/kubernetes/pull/127667), [@zylxjtu](https://github.com/zylxjtu)) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider,...

* Fixes a case when Deployment with recreate strategy could get stuck on old failed Pod. ([#60493](https://github.com/kubernetes/kubernetes/pull/60493), [@tnozicka](https://github.com/tnozicka))
* Build using go1.9.3. ([#59012](https://github.com/kubernetes/kubernetes/pull/59012), [@ixdy](https://github.com/ixdy))

- Fix the bug PIP's DNS is deleted if no DNS label service annotation isn't set. ([#87311](https://github.com/kubernetes/kubernetes/pull/87311), [@nilo19](https://github.com/nilo19)) [SIG Cloud Provider]
- Fix: set nil cache entry based on old cache ([#87592](https://github.com/kubernetes/kubernetes/pull/87592), [@aramase](https://github.com/aramase)) [SIG Cloud Provider]