diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 41daa46..69a85a6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,11 +32,12 @@ jobs:
     strategy:
       matrix:
         k8s-version:
-        - v1.16.15
-        - v1.18.15
-        - v1.19.7
+        - v1.18.19
+        - v1.19.11
+        - v1.20.7
+        - v1.21.1
     env:
-      kind-version: v0.10.0
+      kind-version: v0.11.1
     steps:
     - uses: actions/checkout@v2
     - name: Set up Python 3.8
@@ -70,7 +71,7 @@ jobs:
 
     # If this run was triggered by a pull request event, then checkout
     # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
+    - run: git checkout HEAD
       if: ${{ github.event_name == 'pull_request' }}
 
     # Initializes the CodeQL tools for scanning.
diff --git a/kube-stale-resources.py b/kube-stale-resources.py
index 32000e8..e547d62 100644
--- a/kube-stale-resources.py
+++ b/kube-stale-resources.py
@@ -20,6 +20,9 @@ BLACKLIST_REGEXS = [
     r'^.*:batch/v1:Job:.*-\d{10,}$',  # jobs created by cron jobs with unix timestamp suffix
     r'^.*:events.k8s.io/v1:Event:.*$',
     r'^.*:metrics.k8s.io/v1beta1:PodMetrics:.*$',
+    # CM with CA bundle to verify kube-apiserver connections,
+    # see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md#introducing-rootcaconfigmap
+    r'^.*:v1:ConfigMap:kube-root-ca.crt$',
     r'^.*:v1:Endpoints:.*$',
     r'^.*:.*:EndpointSlice:.*$',
     r'^.*:v1:Event:.*$',