Greetings from one of your friendly SIG K8s Infra TLs!
tl;dr You can stop reading unless some part of your workflow involves issuing certificates for kubernetes.io
This morning we deployed a CAA record  for kubernetes.io
. Essentially this means no CA other than the ones we have specified are allowed to issue certificates for kubernetes.io
or any of its subdomains.
We plan on letting this soak for O(weeks) before doing the same for k8s.io
If this has broken some part of your workflow, or is going to break your workflow, please reach out to us on this thread, or in #sig-k8s-infra on kubernetes.slack.com