From 5194f074e1c8565538312bf21a010199e4e13428 Mon Sep 17 00:00:00 2001
From: andyzhangx
Date: Thu, 28 Aug 2025 03:41:57 +0000
Subject: [PATCH] fix: CVE-2025-5187
---
 go.mod | 78 ++++++++--------
 go.sum | 60 ++++++-------
 .../apiserver/pkg/storage/etcd3/watcher.go | 71 ++++++++-------
 .../metrics/prometheus/slis/routes.go | 4 +-
 .../kubernetes/pkg/features/kube_features.go | 8 ++
 .../kubernetes/pkg/volume/util/resize_util.go | 21 +++++
 .../kubernetes/test/utils/image/manifest.go | 29 +++---
 vendor/modules.txt | 90 +++++++++----------
 8 files changed, 202 insertions(+), 159 deletions(-)
diff --git a/go.mod b/go.mod
index 746a9122f..362242588 100644
--- a/go.mod
+++ b/go.mod
@@ -31,13 +31,13 @@ require (
 google.golang.org/protobuf v1.36.3
 k8s.io/api v0.32.1
 k8s.io/apimachinery v0.32.1
- k8s.io/apiserver v0.31.6
+ k8s.io/apiserver v0.31.12
 k8s.io/client-go v0.32.1
- k8s.io/component-base v0.31.6
+ k8s.io/component-base v0.31.12
 k8s.io/klog/v2 v2.130.1
- k8s.io/kubernetes v1.31.1
+ k8s.io/kubernetes v1.31.12
 k8s.io/mount-utils v0.32.0
- k8s.io/pod-security-admission v0.31.1
+ k8s.io/pod-security-admission v0.31.12
 k8s.io/utils v0.0.0-20241210054802-24370beab758
 sigs.k8s.io/cloud-provider-azure v1.30.1-0.20250125112532-472fe964b519
 sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.9
@@ -160,49 +160,49 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.0.0 // indirect - k8s.io/cloud-provider v0.31.6 // indirect - k8s.io/component-helpers v0.31.6 // indirect - k8s.io/controller-manager v0.31.6 // indirect + k8s.io/cloud-provider v0.31.12 // indirect + k8s.io/component-helpers v0.31.12 // indirect + k8s.io/controller-manager v0.31.12 // indirect k8s.io/kms v0.32.0-alpha.0 // indirect k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect k8s.io/kubectl v0.31.1 // indirect - k8s.io/kubelet v0.31.6 // indirect + k8s.io/kubelet v0.31.12 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect ) replace ( - k8s.io/api => k8s.io/api v0.31.6 - k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.31.6 - k8s.io/apimachinery => k8s.io/apimachinery v0.31.6 - k8s.io/apiserver => k8s.io/apiserver v0.31.6 - k8s.io/cli-runtime => k8s.io/cli-runtime v0.31.6 - k8s.io/client-go => k8s.io/client-go v0.31.6 - k8s.io/cloud-provider => k8s.io/cloud-provider v0.31.6 - k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.31.6 - k8s.io/code-generator => k8s.io/code-generator v0.31.6 - k8s.io/component-base => k8s.io/component-base v0.31.6 - k8s.io/component-helpers => k8s.io/component-helpers v0.31.6 - k8s.io/controller-manager => k8s.io/controller-manager v0.31.6 - k8s.io/cri-api => k8s.io/cri-api v0.31.6 - k8s.io/cri-client => k8s.io/cri-client v0.31.6 - k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.31.6 - k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.31.6 - k8s.io/endpointslice => k8s.io/endpointslice v0.31.6 - k8s.io/kms => k8s.io/kms v0.31.6 - k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.31.6 - k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.31.6 - 
k8s.io/kube-proxy => k8s.io/kube-proxy v0.31.6 - k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.31.6 - k8s.io/kubectl => k8s.io/kubectl v0.31.6 - k8s.io/kubelet => k8s.io/kubelet v0.31.6 - k8s.io/kubernetes => k8s.io/kubernetes v1.31.6 - k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.31.6 - k8s.io/metrics => k8s.io/metrics v0.31.6 - k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.31.6 - k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.31.6 - k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.31.6 - k8s.io/sample-controller => k8s.io/sample-controller v0.31.6 + k8s.io/api => k8s.io/api v0.31.12 + k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.31.12 + k8s.io/apimachinery => k8s.io/apimachinery v0.31.12 + k8s.io/apiserver => k8s.io/apiserver v0.31.12 + k8s.io/cli-runtime => k8s.io/cli-runtime v0.31.12 + k8s.io/client-go => k8s.io/client-go v0.31.12 + k8s.io/cloud-provider => k8s.io/cloud-provider v0.31.12 + k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.31.12 + k8s.io/code-generator => k8s.io/code-generator v0.31.12 + k8s.io/component-base => k8s.io/component-base v0.31.12 + k8s.io/component-helpers => k8s.io/component-helpers v0.31.12 + k8s.io/controller-manager => k8s.io/controller-manager v0.31.12 + k8s.io/cri-api => k8s.io/cri-api v0.31.12 + k8s.io/cri-client => k8s.io/cri-client v0.31.12 + k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.31.12 + k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.31.12 + k8s.io/endpointslice => k8s.io/endpointslice v0.31.12 + k8s.io/kms => k8s.io/kms v0.31.12 + k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.31.12 + k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.31.12 + k8s.io/kube-proxy => k8s.io/kube-proxy v0.31.12 + k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.31.12 + k8s.io/kubectl => k8s.io/kubectl v0.31.12 + k8s.io/kubelet => k8s.io/kubelet v0.31.12 + k8s.io/kubernetes => 
k8s.io/kubernetes v1.31.12 + k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.31.12 + k8s.io/metrics => k8s.io/metrics v0.31.12 + k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.31.12 + k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.31.12 + k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.31.12 + k8s.io/sample-controller => k8s.io/sample-controller v0.31.12 sigs.k8s.io/structured-merge-diff/v4 => sigs.k8s.io/structured-merge-diff/v4 v4.4.1 ) diff --git a/go.sum b/go.sum index be6b6499b..7259eecf7 100644 --- a/go.sum +++ b/go.sum 
@@ -432,42 +432,42 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.31.6 h1:ocWG/UhC9Mqp5oEfYWy9wCddbZiZyBAFTlBt0LVlhDg= -k8s.io/api v0.31.6/go.mod h1:i16xSiKMgVIVhsJMxfWq0mJbXA+Z7KhjPgYmwT41hl4= -k8s.io/apiextensions-apiserver v0.31.6 h1:v9sqyWlrgFZpAPdEb/bEiXfM98TfSppwRF0X/uWKXh0= -k8s.io/apiextensions-apiserver v0.31.6/go.mod h1:QVH3CFwqzGZtwsxPYzJlA/Qiwgb5FXmRMGls3CjzvbI= -k8s.io/apimachinery v0.31.6 h1:Pn96A0wHD0X8+l7QTdAzdLQPrpav1s8rU6A+v2/9UEY= -k8s.io/apimachinery v0.31.6/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= -k8s.io/apiserver v0.31.6 h1:FEhEGLsz1PbMOHeQZDbOUlMh36zRZbjgKwJCoMhdGmw= -k8s.io/apiserver v0.31.6/go.mod h1:dpFh+xqFQ02O8vLYCIqoiV7sJIpZsUULeNuag6Y9HGo= -k8s.io/client-go v0.31.6 h1:51HT40qVIZ13BrHKeWxFuU52uoPnFhxTYJnv4+LTgp4= -k8s.io/client-go v0.31.6/go.mod h1:MEq7JQJelUQ0/4fMoPEUrc/OOFyGo/9LmGA38H6O6xY= -k8s.io/cloud-provider v0.31.6 h1:5vVMyf/m/n8ij/GmSJLRcatchmciRr0gs4peBcxqvKk= -k8s.io/cloud-provider v0.31.6/go.mod h1:iT6kIEMEXrTIvRBAaRU5qefRzgPaSV6kwTc6mjhhnEw= -k8s.io/component-base v0.31.6 h1:FgI25PuZtCp2n7AFpOaDpMQOLieFdrpAbpeoZu7VhDI= -k8s.io/component-base v0.31.6/go.mod h1:aVRrh8lAI1kSShFmwcKLhc3msQoUcmFWPBDf0sXaISM= -k8s.io/component-helpers v0.31.6 h1:Af8BcE6pElKlLaerwW9s04jTQVFa66wmI1pkaNfDWzE= -k8s.io/component-helpers v0.31.6/go.mod h1:6CRV6M+7R13eqtz4FBm2ty9eH+QajDcP3y0Bklzh2FA= -k8s.io/controller-manager v0.31.6 h1:HQRUV6nogHo2N7vr3cgVNjZ+wvHIMvxEMjTeCrHitE4= -k8s.io/controller-manager v0.31.6/go.mod h1:0HDNTZVapQFa9G96jNxrU99ht7fQJVEKBXDzqKDMez0= -k8s.io/csi-translation-lib v0.31.6 h1:mBkF3AG8pRcwZv8SY7qT1JWznRsmYjZfT5Lxel9nN4Q= -k8s.io/csi-translation-lib v0.31.6/go.mod 
h1:I2F51irYJyt78so7wdral65B7PB7jR3keZ2MpB78mWw= +k8s.io/api v0.31.12 h1:yysm83xHIoKAwfm2w0dT6Yz7vfWzl841AEMI7Y8wDa8= +k8s.io/api v0.31.12/go.mod h1:f/srhhI7aDs9K4s0W1GX4/zb+cIf5uWrBjGyoO/XgJc= +k8s.io/apiextensions-apiserver v0.31.12 h1:d32I3VReAly5Qoc9ZXhO4/iObYmm7Jk6VvAeRAbg/MA= +k8s.io/apiextensions-apiserver v0.31.12/go.mod h1:KcBI/Z/WQmbffBwfqQmqHhALhvun5JNJJh8Y29CJwUo= +k8s.io/apimachinery v0.31.12 h1:y34W8rNKc+jDxUvEXarjahqM6vOV5iqgZPuRqRuyEh8= +k8s.io/apimachinery v0.31.12/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.12 h1:W5hKS78HC/llxTLBICR/xXScPkc5sPkDA66pyAin+mQ= +k8s.io/apiserver v0.31.12/go.mod h1:f0EWMQvAmOfNBrYYVesqnQFrfMyDYlxVUOLm/RNDbP8= +k8s.io/client-go v0.31.12 h1:JJhouOoU1bKdPWplkZ2CpYA74+lxj3Zsn15aoGLX6Hk= +k8s.io/client-go v0.31.12/go.mod h1:kjQ5WSec9ShP3T1auTDFW4bTqgmJdBuZPsjq5FqeuYE= +k8s.io/cloud-provider v0.31.12 h1:la9A7dGy0VpcnI5nNZ7/RhU4/0ZoAVx6QM6T+Lze96s= +k8s.io/cloud-provider v0.31.12/go.mod h1:VKHFFjRqXQNryOxbW+xE/0tL8qm8ejxaQ0t3TRA2AMc= +k8s.io/component-base v0.31.12 h1:Z7SYHg782bY1NLGezTJYRZGPeywWVtFpE35iOEam//4= +k8s.io/component-base v0.31.12/go.mod h1:r6wrhZ7BrjAUhGZttUT6MNJdn0McPWF5RPz/xcQY3xI= +k8s.io/component-helpers v0.31.12 h1:Mb9/Ijz0euQQ2v2IEgtKkvWBbDeMTq2fqHs1OoXPxGM= +k8s.io/component-helpers v0.31.12/go.mod h1:62Zm0UNTFymcAUItaHCL+g9Qbco1WcSuiUvVSKEQtvk= +k8s.io/controller-manager v0.31.12 h1:wrRs4CWP2ZtL5JnyW9QaTgD9DB1YQI7Sr68ifKF9n+M= +k8s.io/controller-manager v0.31.12/go.mod h1:6EIutOXkyduBppAJuIpDTCr5lJPEMtD2gPLL4jE9W+E= +k8s.io/csi-translation-lib v0.31.12 h1:SYouspmYCx0y2TQU6Hl4uLG3Pb4esPSwv2p6vmFK1IM= +k8s.io/csi-translation-lib v0.31.12/go.mod h1:CHOkTS6J9u88oAXt99sOse6zLjIRyFdiAjQsNt6Rg+c= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.31.6 h1:p7OY+9Hp8nPtgzm0vT9TrERNigQQSu8tkgWqn+GvB2w= -k8s.io/kms v0.31.6/go.mod 
h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= +k8s.io/kms v0.31.12 h1:1YVbrlxjwG15c3rU4MYUUzCmFNII+tA46EBHWGWD4zY= +k8s.io/kms v0.31.12/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4= -k8s.io/kubectl v0.31.6 h1:ngzql/UugqpEbeeyQX678BlVHXks19JR3CFjwKnWuFI= -k8s.io/kubectl v0.31.6/go.mod h1:m6OXbx9s0sZiaZrfHHSEmJUD5CjWPA5+cVg0GZnVdzM= -k8s.io/kubelet v0.31.6 h1:lxVvyLNDcb/QTpQNkDySk3iscgq4zubeSZs3cF6PmaA= -k8s.io/kubelet v0.31.6/go.mod h1:BPghO52ilF7UzFEVBmYFOxdVtLge0P1gixjz84lBzzc= -k8s.io/kubernetes v1.31.6 h1:zVhgWDFHmIj51o5sNARmjdgNvpq4K2Smya8pS5vxqlc= -k8s.io/kubernetes v1.31.6/go.mod h1:9xmT2buyTYj8TRKwRae7FcuY8k5+xlxv7VivvO0KKfs= +k8s.io/kubectl v0.31.12 h1:+f0KlQcVYX/7J7ii0AGRwCZYVx55u4dOj3Irrh17Daw= +k8s.io/kubectl v0.31.12/go.mod h1:BbqRvKt1mdJLdk+0Qovx38/d2MCLwTA31I8IN+Fql1s= +k8s.io/kubelet v0.31.12 h1:iSaYgKgLig52YOqsu+3wIXq/p++sawwQM59D7t0gIgQ= +k8s.io/kubelet v0.31.12/go.mod h1:lOqTjK7k1wmGMPanLMykpEYYyfjNgCu9EDG6kYqu2Jc= +k8s.io/kubernetes v1.31.12 h1:dPgK1slI7p/D3I2J1NA6UfBeMMHcjB91rHdXMpx8fkU= +k8s.io/kubernetes v1.31.12/go.mod h1:9xmT2buyTYj8TRKwRae7FcuY8k5+xlxv7VivvO0KKfs= k8s.io/mount-utils v0.32.0 h1:KOQAhPzJICATXnc6XCkWoexKbkOexRnMCUW8APFfwg4= k8s.io/mount-utils v0.32.0/go.mod h1:Kun5c2svjAPx0nnvJKYQWhfeNW+O0EpzHgRhDcYoSY0= -k8s.io/pod-security-admission v0.31.6 h1:5WnXyl+UNmQb73O0L1w82uaUEPuvp+sxdhXRiOLdCkY= -k8s.io/pod-security-admission v0.31.6/go.mod h1:b+ZpSSR+XMx3t9Pvy/GdcXoI0CEpiWGT7IGAhcOBcGM= +k8s.io/pod-security-admission v0.31.12 h1:lL+0Mn2MqTdFqgRPo0u+nO9/GhaBB/MrOxJLILw3oO4= +k8s.io/pod-security-admission v0.31.12/go.mod h1:PpqjhNzLvSwjCQ8aufbVGWPZb2gtB226rnQc0tS8gHM= k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0= k8s.io/utils 
v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= diff --git a/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go b/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go index 536f2e1c0..4bc3a45de 100644 --- a/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go +++ b/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go @@ -438,7 +438,12 @@ func (wc *watchChan) serialProcessEvents(wg *sync.WaitGroup) { for { select { case e := <-wc.incomingEventChan: - res := wc.transform(e) + res, err := wc.transform(e) + if err != nil { + wc.sendError(err) + return + } + if res == nil { continue } @@ -461,10 +466,8 @@ func (wc *watchChan) serialProcessEvents(wg *sync.WaitGroup) { func (wc *watchChan) concurrentProcessEvents(wg *sync.WaitGroup) { p := concurrentOrderedEventProcessing{ - input: wc.incomingEventChan, - processFunc: wc.transform, - output: wc.resultChan, - processingQueue: make(chan chan *watch.Event, processEventConcurrency-1), + wc: wc, + processingQueue: make(chan chan *processingResult, processEventConcurrency-1), objectType: wc.watcher.objectType, groupResource: wc.watcher.groupResource, @@ -481,12 +484,15 @@ func (wc *watchChan) concurrentProcessEvents(wg *sync.WaitGroup) { }() } +type processingResult struct { + event *watch.Event + err error +} + type concurrentOrderedEventProcessing struct { - input chan *event - processFunc func(*event) *watch.Event - output chan watch.Event + wc *watchChan - processingQueue chan chan *watch.Event + processingQueue chan chan *processingResult // Metadata for logging objectType string groupResource schema.GroupResource 
@@ -498,28 +504,29 @@ func (p *concurrentOrderedEventProcessing) scheduleEventProcessing(ctx context.C select { case <-ctx.Done(): return - case e = <-p.input: + case e = <-p.wc.incomingEventChan: } - processingResponse := make(chan *watch.Event, 1) + processingResponse := make(chan *processingResult, 1) select { case <-ctx.Done(): return case p.processingQueue <- processingResponse: } wg.Add(1) - go func(e *event, response chan<- *watch.Event) { + go func(e *event, response chan<- *processingResult) { defer wg.Done() + responseEvent, err := p.wc.transform(e) select { case <-ctx.Done(): - case response <- p.processFunc(e): + case response <- &processingResult{event: responseEvent, err: err}: } }(e, processingResponse) } } func (p *concurrentOrderedEventProcessing) collectEventProcessing(ctx context.Context) { - var processingResponse chan *watch.Event - var e *watch.Event + var processingResponse chan *processingResult + var r *processingResult for { select { case <-ctx.Done(): 
@@ -529,21 +536,25 @@ func (p *concurrentOrderedEventProcessing) collectEventProcessing(ctx context.Co select { case <-ctx.Done(): return - case e = <-processingResponse: + case r = <-processingResponse: } - if e == nil { + if r.err != nil { + p.wc.sendError(r.err) + return + } + if r.event == nil { continue } - if len(p.output) == cap(p.output) { - klog.V(3).InfoS("Fast watcher, slow processing. Probably caused by slow dispatching events to watchers", "outgoingEvents", outgoingBufSize, "objectType", p.objectType, "groupResource", p.groupResource) + if len(p.wc.resultChan) == cap(p.wc.resultChan) { + klog.V(3).InfoS("Fast watcher, slow processing. Probably caused by slow dispatching events to watchers", "outgoingEvents", outgoingBufSize, "objectType", p.wc.watcher.objectType, "groupResource", p.wc.watcher.groupResource) } // If user couldn't receive results fast enough, we also block incoming events from watcher. // Because storing events in local will cause more memory usage. // The worst case would be closing the fast watcher. select { - case <-ctx.Done(): + case p.wc.resultChan <- *r.event: + case <-p.wc.ctx.Done(): return - case p.output <- *e: } } } @@ -561,12 +572,11 @@ func (wc *watchChan) acceptAll() bool { } // transform transforms an event into a result for user if not filtered. -func (wc *watchChan) transform(e *event) (res *watch.Event) { +func (wc *watchChan) transform(e *event) (res *watch.Event, err error) { curObj, oldObj, err := wc.prepareObjs(e) if err != nil { klog.Errorf("failed to prepare current and previous objects: %v", err) - wc.sendError(err) - return nil + return nil, err } switch { 
@@ -574,12 +584,11 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { object := wc.watcher.newFunc() if err := wc.watcher.versioner.UpdateObject(object, uint64(e.rev)); err != nil { klog.Errorf("failed to propagate object version: %v", err) - return nil + return nil, fmt.Errorf("failed to propagate object resource version: %w", err) } if e.isInitialEventsEndBookmark { if err := storage.AnnotateInitialEventsEndBookmark(object); err != nil { - wc.sendError(fmt.Errorf("error while accessing object's metadata gr: %v, type: %v, obj: %#v, err: %v", wc.watcher.groupResource, wc.watcher.objectType, object, err)) - return nil + return nil, fmt.Errorf("error while accessing object's metadata gr: %v, type: %v, obj: %#v, err: %w", wc.watcher.groupResource, wc.watcher.objectType, object, err) } } res = &watch.Event{ @@ -588,7 +597,7 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { } case e.isDeleted: if !wc.filter(oldObj) { - return nil + return nil, nil } res = &watch.Event{ Type: watch.Deleted, @@ -596,7 +605,7 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { } case e.isCreated: if !wc.filter(curObj) { - return nil + return nil, nil } res = &watch.Event{ Type: watch.Added, @@ -608,7 +617,7 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { Type: watch.Modified, Object: curObj, } - return res + return res, nil } curObjPasses := wc.filter(curObj) oldObjPasses := wc.filter(oldObj) @@ -630,7 +639,7 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { } } } - return res + return res, nil } func transformErrorToEvent(err error) *watch.Event { diff --git a/vendor/k8s.io/component-base/metrics/prometheus/slis/routes.go b/vendor/k8s.io/component-base/metrics/prometheus/slis/routes.go index 4e88b7c24..a88607fa5 100644 --- a/vendor/k8s.io/component-base/metrics/prometheus/slis/routes.go +++ b/vendor/k8s.io/component-base/metrics/prometheus/slis/routes.go 
@@ -38,8 +38,8 @@ type SLIMetrics struct{} func (s SLIMetrics) Install(m mux) { installOnce.Do(func() { Register(Registry) - m.Handle("/metrics/slis", metrics.HandlerFor(Registry, metrics.HandlerOpts{})) }) + m.Handle("/metrics/slis", metrics.HandlerFor(Registry, metrics.HandlerOpts{})) } type SLIMetricsWithReset struct{} @@ -48,6 +48,6 @@ type SLIMetricsWithReset struct{} func (s SLIMetricsWithReset) Install(m mux) { installWithResetOnce.Do(func() { Register(Registry) - m.Handle("/metrics/slis", metrics.HandlerWithReset(Registry, metrics.HandlerOpts{})) }) + m.Handle("/metrics/slis", metrics.HandlerWithReset(Registry, metrics.HandlerOpts{})) } diff --git a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go index 115644280..66adabcd8 100644 --- a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go +++ b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go @@ -546,6 +546,12 @@ const ( // Permits kubelet to run with swap enabled. NodeSwap featuregate.Feature = "NodeSwap" + // owner: @cici37 + // kep: https://kep.k8s.io/5080 + // + // Enables ordered namespace deletion. + OrderedNamespaceDeletion featuregate.Feature = "OrderedNamespaceDeletion" + // owner: @mortent, @atiratree, @ravig // kep: http://kep.k8s.io/3018 // alpha: v1.26 @@ -1137,6 +1143,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS NodeSwap: {Default: true, PreRelease: featuregate.Beta}, + OrderedNamespaceDeletion: {Default: false, PreRelease: featuregate.Beta}, + PDBUnhealthyPodEvictionPolicy: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.33 PersistentVolumeLastPhaseTransitionTime: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.33 diff --git a/vendor/k8s.io/kubernetes/pkg/volume/util/resize_util.go b/vendor/k8s.io/kubernetes/pkg/volume/util/resize_util.go index 2bf54b4b8..599f22097 100644 
--- a/vendor/k8s.io/kubernetes/pkg/volume/util/resize_util.go +++ b/vendor/k8s.io/kubernetes/pkg/volume/util/resize_util.go @@ -236,6 +236,27 @@ func MarkFSResizeFinished( return updatedPVC, err } +func MarkNodeExpansionFinishedWithRecovery( + pvc *v1.PersistentVolumeClaim, + newSize resource.Quantity, + kubeClient clientset.Interface) (*v1.PersistentVolumeClaim, error) { + newPVC := pvc.DeepCopy() + + newPVC.Status.Capacity[v1.ResourceStorage] = newSize + + allocatedResourceStatusMap := newPVC.Status.AllocatedResourceStatuses + delete(allocatedResourceStatusMap, v1.ResourceStorage) + if len(allocatedResourceStatusMap) == 0 { + newPVC.Status.AllocatedResourceStatuses = nil + } else { + newPVC.Status.AllocatedResourceStatuses = allocatedResourceStatusMap + } + + newPVC = MergeResizeConditionOnPVC(newPVC, []v1.PersistentVolumeClaimCondition{}, false /* keepOldResizeConditions */) + updatedPVC, err := PatchPVCStatus(pvc /*oldPVC*/, newPVC, kubeClient) + return updatedPVC, err +} + // MarkNodeExpansionInfeasible marks a PVC for node expansion as failed. Kubelet should not retry expansion // of volumes which are in failed state. func MarkNodeExpansionInfeasible(pvc *v1.PersistentVolumeClaim, kubeClient clientset.Interface, err error) (*v1.PersistentVolumeClaim, error) { diff --git a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go index bfed29232..4312a03d7 100644 --- a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go +++ b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go 
@@ -129,13 +129,17 @@ func readFromURL(url string, writer io.Writer) error { var ( initRegistry = RegistryList{ - GcAuthenticatedRegistry: "gcr.io/authenticated-image-pulling", - PromoterE2eRegistry: "registry.k8s.io/e2e-test-images", - BuildImageRegistry: "registry.k8s.io/build-image", - InvalidRegistry: "invalid.registry.k8s.io/invalid", - GcEtcdRegistry: "registry.k8s.io", - GcRegistry: "registry.k8s.io", - SigStorageRegistry: "registry.k8s.io/sig-storage", + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate GcAuthenticatedRegistry. + GcAuthenticatedRegistry: "gcr.io/authenticated-image-pulling", + PromoterE2eRegistry: "registry.k8s.io/e2e-test-images", + BuildImageRegistry: "registry.k8s.io/build-image", + InvalidRegistry: "invalid.registry.k8s.io/invalid", + GcEtcdRegistry: "registry.k8s.io", + GcRegistry: "registry.k8s.io", + SigStorageRegistry: "registry.k8s.io/sig-storage", + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate PrivateRegistry. PrivateRegistry: "gcr.io/k8s-authenticated-test", DockerLibraryRegistry: "docker.io/library", CloudProviderGcpRegistry: "registry.k8s.io/cloud-provider-gcp", @@ -152,15 +156,17 @@ const ( // Agnhost image Agnhost // AgnhostPrivate image + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate this. AgnhostPrivate // APIServer image APIServer // AppArmorLoader image AppArmorLoader // AuthenticatedAlpine image + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate this. AuthenticatedAlpine - // AuthenticatedWindowsNanoServer image - AuthenticatedWindowsNanoServer // BusyBox image BusyBox // CudaVectorAdd image 
@@ -223,13 +229,12 @@ func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config configs[Agnhost] = Config{list.PromoterE2eRegistry, "agnhost", "2.52"} configs[AgnhostPrivate] = Config{list.PrivateRegistry, "agnhost", "2.6"} configs[AuthenticatedAlpine] = Config{list.GcAuthenticatedRegistry, "alpine", "3.7"} - configs[AuthenticatedWindowsNanoServer] = Config{list.GcAuthenticatedRegistry, "windows-nanoserver", "v1"} configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.29.2"} configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"} configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.36.1-1"} configs[CudaVectorAdd] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "1.0"} configs[CudaVectorAdd2] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "2.3"} - configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.5.13"} + configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.6.12"} configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.5.15-0"} configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"} configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"} @@ -276,7 +281,7 @@ func GetMappedImageConfigs(originalImageConfigs map[ImageID]Config, repo string) for i, config := range originalImageConfigs { switch i { case InvalidRegistryImage, AuthenticatedAlpine, - AuthenticatedWindowsNanoServer, AgnhostPrivate: + AgnhostPrivate: // These images are special and can't be run out of the cloud - some because they // are authenticated, and others because they are not real images. Tests that depend // on these images can't be run without access to the public internet. diff --git a/vendor/modules.txt b/vendor/modules.txt index 43547ba5b..96148506e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -815,7 +815,7 @@ gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v0.32.1 => k8s.io/api v0.31.6 +# k8s.io/api v0.32.1 => k8s.io/api v0.31.12 ## explicit; go 1.22.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -875,12 +875,12 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apiextensions-apiserver v0.0.0 => k8s.io/apiextensions-apiserver v0.31.6 +# k8s.io/apiextensions-apiserver v0.0.0 => k8s.io/apiextensions-apiserver v0.31.12 ## explicit; go 1.22.0 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/features -# k8s.io/apimachinery v0.32.1 => k8s.io/apimachinery v0.31.6 +# k8s.io/apimachinery v0.32.1 => k8s.io/apimachinery v0.31.12 ## explicit; go 1.22.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -947,7 +947,7 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.31.6 => k8s.io/apiserver v0.31.6 +# k8s.io/apiserver v0.31.12 => k8s.io/apiserver v0.31.12 ## explicit; go 1.22.0 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/configuration @@ -1098,7 +1098,7 @@ k8s.io/apiserver/plugin/pkg/audit/webhook k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics -# k8s.io/client-go v0.32.1 => k8s.io/client-go v0.31.6 +# k8s.io/client-go v0.32.1 => k8s.io/client-go v0.31.12 ## explicit; go 1.22.0 k8s.io/client-go/applyconfigurations k8s.io/client-go/applyconfigurations/admissionregistration/v1 
@@ -1440,7 +1440,7 @@ k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/watchlist k8s.io/client-go/util/workqueue -# k8s.io/cloud-provider v0.31.6 => k8s.io/cloud-provider v0.31.6 +# k8s.io/cloud-provider v0.31.12 => k8s.io/cloud-provider v0.31.12 ## explicit; go 1.22.0 k8s.io/cloud-provider k8s.io/cloud-provider/api @@ -1456,7 +1456,7 @@ k8s.io/cloud-provider/names k8s.io/cloud-provider/node/helpers k8s.io/cloud-provider/options k8s.io/cloud-provider/service/helpers -# k8s.io/component-base v0.31.6 => k8s.io/component-base v0.31.6 +# k8s.io/component-base v0.31.12 => k8s.io/component-base v0.31.12 ## explicit; go 1.22.0 k8s.io/component-base/cli/flag k8s.io/component-base/config @@ -1479,13 +1479,13 @@ k8s.io/component-base/metrics/testutil k8s.io/component-base/tracing k8s.io/component-base/tracing/api/v1 k8s.io/component-base/version -# k8s.io/component-helpers v0.31.6 => k8s.io/component-helpers v0.31.6 +# k8s.io/component-helpers v0.31.12 => k8s.io/component-helpers v0.31.12 ## explicit; go 1.22.0 k8s.io/component-helpers/node/util k8s.io/component-helpers/node/util/sysctl k8s.io/component-helpers/scheduling/corev1 k8s.io/component-helpers/scheduling/corev1/nodeaffinity -# k8s.io/controller-manager v0.31.6 => k8s.io/controller-manager v0.31.6 +# k8s.io/controller-manager v0.31.12 => k8s.io/controller-manager v0.31.12 ## explicit; go 1.22.0 k8s.io/controller-manager/config k8s.io/controller-manager/config/v1 @@ -1508,7 +1508,7 @@ k8s.io/klog/v2/internal/severity k8s.io/klog/v2/internal/sloghandler k8s.io/klog/v2/internal/verbosity k8s.io/klog/v2/textlogger -# k8s.io/kms v0.32.0-alpha.0 => k8s.io/kms v0.31.6 +# k8s.io/kms v0.32.0-alpha.0 => k8s.io/kms v0.31.12 ## explicit; go 1.22.0 k8s.io/kms/apis/v1beta1 k8s.io/kms/apis/v2 
@@ -1535,15 +1535,15 @@ k8s.io/kube-openapi/pkg/validation/errors k8s.io/kube-openapi/pkg/validation/spec k8s.io/kube-openapi/pkg/validation/strfmt k8s.io/kube-openapi/pkg/validation/strfmt/bson -# k8s.io/kubectl v0.31.1 => k8s.io/kubectl v0.31.6 +# k8s.io/kubectl v0.31.1 => k8s.io/kubectl v0.31.12 ## explicit; go 1.22.0 k8s.io/kubectl/pkg/scale k8s.io/kubectl/pkg/util/podutils -# k8s.io/kubelet v0.31.6 => k8s.io/kubelet v0.31.6 +# k8s.io/kubelet v0.31.12 => k8s.io/kubelet v0.31.12 ## explicit; go 1.22.0 k8s.io/kubelet/pkg/apis k8s.io/kubelet/pkg/apis/stats/v1alpha1 -# k8s.io/kubernetes v1.31.1 => k8s.io/kubernetes v1.31.6 +# k8s.io/kubernetes v1.31.12 => k8s.io/kubernetes v1.31.12 ## explicit; go 1.22.0 k8s.io/kubernetes/pkg/api/legacyscheme k8s.io/kubernetes/pkg/api/service @@ -1614,7 +1614,7 @@ k8s.io/kubernetes/test/utils/kubeconfig # k8s.io/mount-utils v0.32.0 ## explicit; go 1.23.0 k8s.io/mount-utils -# k8s.io/pod-security-admission v0.31.1 => k8s.io/pod-security-admission v0.31.6 +# k8s.io/pod-security-admission v0.31.12 => k8s.io/pod-security-admission v0.31.12 ## explicit; go 1.22.0 k8s.io/pod-security-admission/api k8s.io/pod-security-admission/policy 
@@ -1808,35 +1808,35 @@ sigs.k8s.io/structured-merge-diff/v4/value ## explicit; go 1.12 sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v2 -# k8s.io/api => k8s.io/api v0.31.6 -# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.31.6 -# k8s.io/apimachinery => k8s.io/apimachinery v0.31.6 -# k8s.io/apiserver => k8s.io/apiserver v0.31.6 -# k8s.io/cli-runtime => k8s.io/cli-runtime v0.31.6 -# k8s.io/client-go => k8s.io/client-go v0.31.6 -# k8s.io/cloud-provider => k8s.io/cloud-provider v0.31.6 -# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.31.6 -# k8s.io/code-generator => k8s.io/code-generator v0.31.6 -# k8s.io/component-base => k8s.io/component-base v0.31.6 -# k8s.io/component-helpers => k8s.io/component-helpers v0.31.6 -# k8s.io/controller-manager => k8s.io/controller-manager v0.31.6 -# k8s.io/cri-api => k8s.io/cri-api v0.31.6 -# k8s.io/cri-client => k8s.io/cri-client v0.31.6 -# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.31.6 -# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.31.6 -# k8s.io/endpointslice => k8s.io/endpointslice v0.31.6 -# k8s.io/kms => k8s.io/kms v0.31.6 -# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.31.6 -# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.31.6 -# k8s.io/kube-proxy => k8s.io/kube-proxy v0.31.6 -# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.31.6 -# k8s.io/kubectl => k8s.io/kubectl v0.31.6 -# k8s.io/kubelet => k8s.io/kubelet v0.31.6 -# k8s.io/kubernetes => k8s.io/kubernetes v1.31.6 -# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.31.6 -# k8s.io/metrics => k8s.io/metrics v0.31.6 -# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.31.6 -# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.31.6 -# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.31.6 -# k8s.io/sample-controller => k8s.io/sample-controller v0.31.6 +# k8s.io/api => k8s.io/api v0.31.12 +# k8s.io/apiextensions-apiserver => 
k8s.io/apiextensions-apiserver v0.31.12 +# k8s.io/apimachinery => k8s.io/apimachinery v0.31.12 +# k8s.io/apiserver => k8s.io/apiserver v0.31.12 +# k8s.io/cli-runtime => k8s.io/cli-runtime v0.31.12 +# k8s.io/client-go => k8s.io/client-go v0.31.12 +# k8s.io/cloud-provider => k8s.io/cloud-provider v0.31.12 +# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.31.12 +# k8s.io/code-generator => k8s.io/code-generator v0.31.12 +# k8s.io/component-base => k8s.io/component-base v0.31.12 +# k8s.io/component-helpers => k8s.io/component-helpers v0.31.12 +# k8s.io/controller-manager => k8s.io/controller-manager v0.31.12 +# k8s.io/cri-api => k8s.io/cri-api v0.31.12 +# k8s.io/cri-client => k8s.io/cri-client v0.31.12 +# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.31.12 +# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.31.12 +# k8s.io/endpointslice => k8s.io/endpointslice v0.31.12 +# k8s.io/kms => k8s.io/kms v0.31.12 +# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.31.12 +# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.31.12 +# k8s.io/kube-proxy => k8s.io/kube-proxy v0.31.12 +# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.31.12 +# k8s.io/kubectl => k8s.io/kubectl v0.31.12 +# k8s.io/kubelet => k8s.io/kubelet v0.31.12 +# k8s.io/kubernetes => k8s.io/kubernetes v1.31.12 +# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.31.12 +# k8s.io/metrics => k8s.io/metrics v0.31.12 +# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.31.12 +# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.31.12 +# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.31.12 +# k8s.io/sample-controller => k8s.io/sample-controller v0.31.12 # sigs.k8s.io/structured-merge-diff/v4 => sigs.k8s.io/structured-merge-diff/v4 v4.4.1