labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

- kubeadm: prevent PSP blocking of upgrade image prepull by using a non-root user ([#77792](https://github.com/kubernetes/kubernetes/pull/77792), [@neolit123](https://github.com/neolit123))
- kubeadm: fix "certificate-authority" files not being pre-loaded when using file discovery ([#80966](https://github.com/kubernetes/kubernetes/pull/80966), [@neolit123](https://github.com/neolit123))

### CVE-2024-5321: Incorrect permissions on Windows containers logs

A security issue was discovered in Kubernetes clusters with Windows nodes
where BUILTIN\Users may be able to read container logs and NT
AUTHORITY\Authenticated Users may be able to modify container logs.

**Affected Versions**:
  - kubelet <= 1.27.15
  - kubelet <= 1.28.11
  - kubelet <= 1.29.6
  - kubelet <= 1.30.2 

**Fixed Versions**:

- Kubeadm: fixed a bug when using `kubeadm init --dry-run` with certificate authority files (`ca.key` / `ca.crt`) present in `/etc/kubernetes/pki`) ([#108410](https://github.com/kubernetes/kubernetes/pull/108410), [@Haleygo](https://github.com/Haleygo))

### CVE-2024-5321: Incorrect permissions on Windows containers logs

A security issue was discovered in Kubernetes clusters with Windows nodes
where BUILTIN\Users may be able to read container logs and NT
AUTHORITY\Authenticated Users may be able to modify container logs.

**Affected Versions**:
  - kubelet <= 1.27.15
  - kubelet <= 1.28.11
  - kubelet <= 1.29.6
  - kubelet <= 1.30.2 

**Fixed Versions**:

  - The requested name does not match the set of authorized names (x509.HostnameError)
  - The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority" ([#120765](https://github.com/kubernetes/kubernetes/pull/120765), [@MadhavJivrajani](https://github.com/MadhavJivrajani)) [SIG Architecture and Cloud Provider]

### Introducing `RootCAConfigMap`

`RootCAConfigMap` graduates to Beta, separating from `BoundServiceAccountTokenVolume`. The `kube-root-ca.crt` ConfigMap is now available to every namespace, by default. It contains the Certificate Authority bundle for verify kube-apiserver connections.

### `kubectl debug` graduates to Beta

`kubectl alpha debug` graduates from alpha to beta in 1.20, becoming `kubectl debug`.

  - The requested name does not match the set of authorized names (x509.HostnameError)
  - The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority" ([#120766](https://github.com/kubernetes/kubernetes/pull/120766), [@MadhavJivrajani](https://github.com/MadhavJivrajani)) [SIG Architecture and Cloud Provider]