docs: update relnotes for 1.29 for deferred deletion

Document our deferred deletion flows.

docs/releases/1.29-NOTES.md

@@ -6,6 +6,25 @@ This is a document to gather the release notes prior to the release.
 
 # Significant changes
 
+## Deferred deletion / pruning phase
+
+Some infrastructure changes are potentially disruptive to the continued
+operation of the cluster.  For the most disruptive operations, particularly
+those that break rolling-update of the cluster, we have started to use deferred
+deletion to minimize the impact.  For example, on AWS we create a second NLB
+during the `kops update` phase when we cannot change the NLB directly.
+`kops update` will report that a `--prune` is needed.  To minimize disruption,
+we recommend you perform this after a rolling-update, for example:
+
+```
+kops update $MYCLUSTER --yes --admin
+kops rolling-update $MYCLUSTER --yes
+kops update $MYCLUSTER --yes --admin --prune # NEW!
+```
+
+Deferred deletion is currently used to safely introduce security groups for NLBs on AWS,
+and to move to an internal load balancer for `kops-controller` on GCP.
+
 ## Initial OpenTelemetry Support
 
 We are starting to add (experimental) support for OpenTelemetry,
@@ -38,6 +57,9 @@ instances.
 
 * As of Kubernetes version 1.29, credentials for private GCR/AR repositories will be handled by the out-of-tree credential provider. This is an additional binary that each instance downloads from the assets repository.
 
+* We now use a private load-balancer for in-cluster traffic on GCP, which allows us
+  to use network tags to restrict access only to the cluster nodes.
+
 ## Openstack
 
 # Breaking changes