- We’re working to simplify the Windows node join experience with better scripts and kubeadm. Scripts and doc updates are still in the works, but some of the needed improvements are included in 1.15.  These include:
    - Windows kube-proxy will wait for HNS network creation on start ([#78612](https://github.com/kubernetes/kubernetes/pull/78612), [@ksubrmnn](https://github.com/ksubrmnn))

- The `system:aggregate-to-edit` role no longer includes write access to the Endpoints API. For new Kubernetes 1.22 clusters, the `edit` and `admin` roles will no longer include that access in newly created Kubernetes 1.22 clusters. This will have no affect on existing clusters upgrading to Kubernetes 1.22. To retain write access to Endpoints in the aggregated `edit`...

		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSSEMultipartEncrypted: {
		Code:           "InvalidRequest",
		Description:    "The multipart upload initiate requested encryption. Subsequent part requests must include the appropriate encryption parameters.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSSEEncryptedObject: {
		Code:           "InvalidRequest",

// This input was created by taking the instruction productions in
// the old assembler's (5a's) grammar and hand-writing complete
// instructions for each rule, to guarantee we cover the same space.

#include "../../../../../runtime/textflag.h"

TEXT	foo(SB), DUPOK|NOSPLIT, $0

// ADD
//
//	LTYPE1 cond imsr ',' spreg ',' reg
//	{
//		outcode($1, $2, &$3, $5, &$7);
//	}
// Cover some operand space here too.

	apiEndpoints := getAPIEndpoints()
	for _, ep := range apiEndpoints {
		if len(ep) == 0 {
			continue
		}
		if url, err := xnet.ParseHTTPURL(ep); err == nil {
			// In FS mode the drive names don't include the host.
			// So mapping just the host should be sufficient.
			hostAnonymizer[url.Host] = "server1"
		}
	}
	return hostAnonymizer
}

  - [Changelog since v1.5.0-beta.3](#changelog-since-v150-beta3)
    - [Other notable changes](#other-notable-changes-7)
    - [Previous Releases Included in v1.5.0](#previous-releases-included-in-v150)
- [v1.5.0-beta.3](#v150-beta3)
  - [Downloads for v1.5.0-beta.3](#downloads-for-v150-beta3)
    - [Client Binaries](#client-binaries-9)
    - [Server Binaries](#server-binaries-9)

- Do not include preemptor pod metadata in the event message ([#114946](https://github.com/kubernetes/kubernetes/pull/114946), [@mimowo](https://github.com/mimowo)) [SIG Scheduling]

		Groups:   set.CreateStringSet(q.Groups...),
		Policies: set.CreateStringSet(q.Policy...),
	}

	if ldap {
		// Validate and normalize users, then fetch and normalize their groups
		// Also include unvalidated users for backward compatibility.
		for _, user := range q.Users {
			lookupRes, actualGroups, _ := sys.LDAPConfig.GetValidatedDNWithGroups(user)
			if lookupRes != nil {

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

**Affected Versions**:
  - kubelet <= v1.28.0
  - kubelet <= v1.27.4
  - kubelet <= v1.26.7
  - kubelet <= v1.25.12
  - kubelet <= v1.24.16

**Fixed Versions**:

- Supported fine-grained supplemental groups policy (KEP-3619), which enabled
  fine-grained control for supplementary groups in the first container processes.
  This allows you to choose whether to include groups defined in the container image (/etc/groups)
  for the container's primary UID or not. ([#117842](https://github.com/kubernetes/kubernetes/pull/117842), [@everpeace](https://github.com/everpeace)) [SIG API Machinery, Apps and Node]