chore(deps): update dependency kubernetes-asyncio to v30 - autoclosed (!2463) · Merge requests · YAOOK / operator

This MR contains the following updates:

Package	Update	Change
kubernetes-asyncio	major	`==24.2.3` -> `==30.3.1`

Release Notes

tomplus/kubernetes_asyncio (kubernetes-asyncio)

`v30.3.1`

Compare Source

`v30.3.0`

Compare Source

fix: Timeout related fixes (#320, @olivier-matz-6wind)
fix: Fix reconnecting in watch for custom resources (#321, @tomplus)
fix: fix unittests to work with aiohttp 3.10+ (#326, @tomplus)

API Change

Added the feature gates StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks to enforce the strct cost calculation for CEL extended libraries. It is strongly recommended to turn on the feature gates as early as possible. (#124676, @cici37) [SIG API Machinery, Auth, Node and Testing]
Improved scheduling performance when many nodes, and prefilter returns 1-2 nodes (e.g. daemonset) For developers of out-of-tree PostFilter plugins, note that the semantics of NodeToStatusMap are changing: A node with an absent value in the NodeToStatusMap should be interpreted as having an UnschedulableAndUnresolvable status (#125306, @gabesaba) [SIG Scheduling]

`v30.1.1`

Compare Source

feat: remove setuptools from requirements (#318, @tomplus)
fix: restore rest client ablity to handle "application/apply-patch+yaml" content type (#317, @Meallia)

`v30.1.0`

Compare Source

feat: add support for different type of patch (#303, @tomplus)
feat: models do not copy default configuration (#300, @tomplus)
fix: Make the kube config path os agnostic (#307, @shtlrs)
fix: improve merging kube-configs (#301, @tomplus)
chore: Add Python 3.12 in CI (#313, @Wh1isper)
chore: removed orphaned files (#306, @tomplus)
chore: rename example scripts, reformat with Black (#304, @tomplus)

API Change

Fixes a 1.30.0 regression in openapi descriptions of imagePullSecrets and hostAliases fields to mark the fields used as keys in those lists as either defaulted or required. (kubernetes/kubernetes#124553, @pmalek) [SIG API Machinery]
Fixes a 1.30.0 regression in openapi descriptions of imagePullSecrets and hostAliases fields to mark the fields used as keys in those lists as either defaulted or required. (kubernetes/kubernetes#124694, @pmalek) [SIG API Machinery]
Added (alpha) support for the managedBy field on Jobs. Jobs with a custom value of this field - any value other than kubernetes.io/job-controller - were skipped by the job controller, and their reconciliation was delegated to an external controller, indicated by the value of the field. Jobs that didn't have this field at all, or where the field value was the reserved string kubernetes.io/job-controller, were reconciled by the built-in job controller. (kubernetes/kubernetes#123273, @mimowo)
Added alpha-level support for the SuccessPolicy in Jobs. (kubernetes/kubernetes#123412, @tenzen-y)
Added the CEL library for IP Addresses and CIDRs. This was made available for use starting from version 1.31. (kubernetes/kubernetes#121912, @JoelSpeed)
Allowed container runtimes to fix an image garbage collection bug by adding an image_id field to the CRI Container message. (kubernetes/kubernetes#123508, @saschagrunert)
Dynamic Resource Allocation: DRA drivers can now use "structured parameters" to let the scheduler handle claim allocation. (kubernetes/kubernetes#123516, @pohly)
Fixed accidental enablement of the new alpha optionalOldSelf API field in CustomResourceDefinition validation rules, which should only have been allowed to be set when the CRDValidationRatcheting feature gate is enabled. (kubernetes/kubernetes#122329, @jpbetz)
Implemented the prescore extension point for the volumeBinding plugin. It now returns skip if it doesn't do anything in Score. (kubernetes/kubernetes#115768, @AxeZhan)
Kubelet would fail if NodeSwap was used with LimitedSwap and cgroupv1 node. (kubernetes/kubernetes#123738, @kannon92)
Promoted AdmissionWebhookMatchConditions to GA. The feature is now stable, and the feature gate is now locked to default. (kubernetes/kubernetes#123560, @ivelichkovich)
Structured Authentication Configuration now supports DiscoveryURL. If specified, discoveryURL overrides the URL used to fetch discovery information. This is for scenarios where the well-known and jwks endpoints are hosted at a different location than the issuer (such as locally in the cluster). (kubernetes/kubernetes#123527, @aramase)
The StorageVersionMigration API, previously available as a Custom Resource Definition (CRD), is now a built-in API in Kubernetes. (kubernetes/kubernetes#123344, @nilekhc)
When configuring a JWT authenticator:

If username.expression used 'claims.email', then 'claims.email_verified' must have been used in username.expression or extra[*].valueExpression or claimValidationRules[*].expression. An example claim validation rule expression that matches the validation automatically applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'. (kubernetes/kubernetes#123737, @enj)
readOnly volumes now support recursive read-only mounts for kernel versions >= 5.12." (kubernetes/kubernetes#123180, @AkihiroSuda)
cri-api: Implemented KEP-3857: Recursive Read-only (RRO) mounts. (kubernetes/kubernetes#123272, @AkihiroSuda)
kube-apiserver: the AuthenticationConfiguration type accepted in --authentication-config files has been promoted to apiserver.config.k8s.io/v1beta1. (kubernetes/kubernetes#123696, @aramase)
kubelet allowed specifying a custom root directory for pod logs (instead of the default /var/log/pods) using the podLogsDir key in kubelet configuration. (kubernetes/kubernetes#112957, @mxpv)
resource.k8s.io/ResourceClaim (alpha API): The strategic merge patch strategy for the status.reservedFor array was changed so that a strategic-merge-patch can now add individual entries. This change may break clients using strategic merge patch to update status, which rely on the previous behavior (replacing the entire array). (kubernetes/kubernetes#122276, @pohly)
Added a CBOR implementation of runtime.Serializer. Until CBOR graduates to Alpha, API servers will refuse to start if configured with CBOR support. (kubernetes/kubernetes#122881, @benluddy)
Added a alpha feature, behind the RelaxedEnvironmentVariableValidation feature gate. When that gate is enabled, Kubernetes allows almost all printable ASCII characters to be used in the names of environment variables for containers in Pods. (kubernetes/kubernetes#123385, @HirazawaUi)
Added a new (alpha) field, trafficDistribution, to the Service spec to express preferences for traffic distribution to endpoints. Enabled through the ServiceTrafficDistribution feature gate. (kubernetes/kubernetes#123487, @gauravkghildiyal)
Added audienceMatchPolicy field to AuthenticationConfiguration and support for configuring multiple audiences. The "audienceMatchPolicy" can be empty (or unset) when a single audience is specified in the "audiences" field. The "audienceMatchPolicy" must be set to "MatchAny" when multiple audiences are specified in the "audiences" field. (kubernetes/kubernetes#123165, @aramase)
Added consistent vanity import to files and provided tooling for verifying and updating them. (kubernetes/kubernetes#120642, @jcchavezs)
Added the disable-force-detach CLI option for kube-controller-manager. By default, it's set to false. When enabled, it prevents force detaching volumes based on maximum unmount time and node status. If activated, the non-graceful node shutdown feature must be used to recover from node failure. Additionally, if a pod needs to be forcibly terminated at the risk of corruption, the appropriate VolumeAttachment object must be deleted. (kubernetes/kubernetes#120344, @rohitssingh)
Added to MutableFeatureGate the ability to override the default setting of feature gates, to allow default-enabling a feature on a component-by-component basis instead of for all affected components simultaneously. (kubernetes/kubernetes#122647, @benluddy)
Aggregated discovery supports both v2beta1 and v2 types and feature is promoted to GA. (kubernetes/kubernetes#122882, @Jefftree)
Alpha support for field selectors on custom resources has been added. With the CustomResourceFieldSelectors feature gate enabled, the CustomResourceDefinition API now allows specifying selectableFields. Listing a field there enables filtering custom resources for that CustomResourceDefinition in list or watch requests. (kubernetes/kubernetes#122717, @jpbetz)
AppArmor profiles can now be configured through fields on the PodSecurityContext and container SecurityContext. The beta AppArmor annotations are deprecated, and AppArmor status is no longer included in the node ready condition. (kubernetes/kubernetes#123435, @tallclair)
Contextual logging is now in beta and enabled by default. Check out the KEP and official documentation for more details. (kubernetes/kubernetes#122589, @pohly)
Enabled concurrent log rotation in kubelet. You can now configure the maximum number of concurrent rotations with the containerLogMaxWorkers setting, and adjust the monitoring interval with containerLogMonitorInterval. (kubernetes/kubernetes#114301, @harshanarayana)
Graduated pod scheduling gates to general availability. The PodSchedulingReadiness feature gate no longer has any effect, and the .spec.schedulingGates field is always available within the Pod and PodTemplate APIs. (kubernetes/kubernetes#123575, @Huang-Wei)
Graduated support for minDomains in pod topology spread constraints, to general availability. The MinDomainsInPodTopologySpread feature gate no longer has any effect, and the field is always available within the Pod and PodTemplate APIs. (kubernetes/kubernetes#123481, @sanposhiho)
In kubelet configuration, the .memorySwap.swapBehavior field now accepts a new value NoSwap, which becomes the default if unspecified. The previously accepted UnlimitedSwap value has been dropped. (kubernetes/kubernetes#122745, @kannon92)
Kube-apiserver: the AuthorizationConfiguration type accepted in --authorization-config files has been promoted to apiserver.config.k8s.io/v1beta1. (kubernetes/kubernetes#123640, @liggitt)
OIDC authentication will now fail if the username asserted based on a CEL expression config is the empty string. Previously the request would be authenticated with the username set to the empty string. (kubernetes/kubernetes#123568, @enj)
Removed note that hostAliases are not supported on hostNetwork Pods from the PodSpec API. The feature has been supported since v1.8. (kubernetes/kubernetes#122422, @neolit123)
Structured Authentication Configuration now supports configuring multiple JWT authenticators. The maximum allowed JWT authenticators in the authentication configuration is 64. (kubernetes/kubernetes#123431, @aramase)
Text logging in Kubernetes components now uses textlogger. The same split streams of info and error log entries with buffering of info entries is now also supported for text output (off by default, alpha feature). Previously, this was only supported for JSON. Performance is better also without split streams. (kubernetes/kubernetes#114672, @pohly)
The API server now detects and fails on startup if there are conflicting issuers between JWT authenticators and service account configurations. Previously, such configurations would run but could be inconsistently effective depending on the credential. (kubernetes/kubernetes#123561, @enj)
The JWT authenticator configuration set via the --authentication-config flag is now dynamically reloaded as the file changes on disk. (kubernetes/kubernetes#123525, @enj)
The StructuredAuthenticationConfiguration feature is now beta and enabled. (kubernetes/kubernetes#123719, @enj)
The kube_codegen tool now ignores the vendor folder during code generation. (kubernetes/kubernetes#122729, @jparrill)
The kubernetes repo now uses Go workspaces. This should not impact end users at all, but does have impact for developers of downstream projects. Switching to workspaces caused some breaking changes in the flags to the various k8s.io/code-generator tools. Downstream consumers should look at staging/src/k8s.io/code-generator/kube_codegen.sh to see the changes. (kubernetes/kubernetes#123529, @thockin)
Updated an audit annotation key used by the …/serviceaccounts/<name>/token resource handler. The annotation used to persist the issued credential identifier is now authentication.kubernetes.io/issued-credential-id. (kubernetes/kubernetes#123098, @munnerz) [SIG Auth]
Users are now allowed to mutate FSGroupPolicy and PodInfoOnMount in CSIDriver.Spec. (kubernetes/kubernetes#116209, @haoruan)
ValidatingAdmissionPolicy was promoted to GA and will be enabled by default. (kubernetes/kubernetes#123405, @cici37)
When scheduling a mix of pods using ResourceClaims and others that don't, scheduling a pod with ResourceClaims has a lower impact on scheduling latency. (kubernetes/kubernetes#121876, @pohly)
When working with client-go events, it's now recommended to use NewEventBroadcasterAdapterWithContext instead of NewEventBroadcasterAdapter if contextual logging support is needed. (kubernetes/kubernetes#122142, @pohly)
A new (alpha) field, trafficDistribution, has been added to the Service spec. This field provides a way to express preferences for how traffic is distributed to the endpoints for a Service. It can be enabled through the ServiceTrafficDistribution feature gate. (kubernetes/kubernetes#123487, @gauravkghildiyal) [SIG API Machinery, Apps and Network]
Add alpha-level support for the SuccessPolicy in Jobs (kubernetes/kubernetes#123412, @tenzen-y) [SIG API Machinery, Apps and Testing]
Added (alpha) support for the managedBy field on Jobs. Jobs with a custom value of this field - any value other than kubernetes.io/job-controller - are skipped by the job controller, and their reconciliation is delegated to an external controller, indicated by the value of the field. Jobs that don't have this field at all, or where the field value is the reserved string kubernetes.io/job-controller, are reconciled by the built-in job controller. (kubernetes/kubernetes#123273, @mimowo) [SIG API Machinery, Apps and Testing]
Added a alpha feature, behind the RelaxedEnvironmentVariableValidation feature gate. When that gate is enabled, Kubernetes allows almost all printable ASCII characters to be used in the names of environment variables for containers in Pods. (kubernetes/kubernetes#123385, @HirazawaUi) [SIG Apps, Node and Testing]
Added alpha support for field selectors on custom resources. Provided that the CustomResourceFieldSelectors feature gate is enabled, the CustomResourceDefinition API now lets you specify selectableFields. Listing a field there allows filtering custom resources for that CustomResourceDefinition in list or watch requests. (kubernetes/kubernetes#122717, @jpbetz) [SIG API Machinery]
Added support for configuring multiple JWT authenticators in Structured Authentication Configuration. The maximum allowed JWT authenticators in the authentication configuration is 64. (kubernetes/kubernetes#123431, @aramase) [SIG Auth and Testing]
Aggregated discovery supports both v2beta1 and v2 types and feature is promoted to GA (kubernetes/kubernetes#122882, @Jefftree) [SIG API Machinery and Testing]
Allowing container runtimes to fix an image garbage collection bug by adding an image_id field to the CRI Container message. (kubernetes/kubernetes#123508, @saschagrunert) [SIG Node]
AppArmor profiles can now be configured through fields on the PodSecurityContext and container SecurityContext.
- The beta AppArmor annotations are deprecated.
- AppArmor status is no longer included in the node ready condition (kubernetes/kubernetes#123435, @tallclair) [SIG API Machinery, Apps, Auth, Node and Testing]
Conflicting issuers between JWT authenticators and service account config are now detected and fail on API server startup. Previously such a config would run but would be inconsistently effective depending on the credential. (kubernetes/kubernetes#123561, @enj) [SIG API Machinery and Auth]
Dynamic Resource Allocation: DRA drivers may now use "structured parameters" to let the scheduler handle claim allocation. (kubernetes/kubernetes#123516, @pohly) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Instrumentation, Node, Release, Scheduling, Storage and Testing]
Graduated pod scheduling gates to general availability. The PodSchedulingReadiness feature gate no longer has any effect, and the .spec.schedulingGates field is always available within the Pod and PodTemplate APIs. (kubernetes/kubernetes#123575, @Huang-Wei) [SIG API Machinery, Apps, Node, Scheduling and Testing]
Graduated support for minDomains in pod topology spread constraints, to general availability. The MinDomainsInPodTopologySpread feature gate no longer has any effect, and the field is always available within the Pod and PodTemplate APIs. (kubernetes/kubernetes#123481, @sanposhiho) [SIG API Machinery, Apps, Scheduling and Testing]
JWT authenticator config set via the --authentication-config flag is now dynamically reloaded as the file changes on disk. (kubernetes/kubernetes#123525, @enj) [SIG API Machinery, Auth and Testing]
Kube-apiserver: the AuthenticationConfiguration type accepted in --authentication-config files has been promoted to apiserver.config.k8s.io/v1beta1. (kubernetes/kubernetes#123696, @aramase) [SIG API Machinery, Auth and Testing]
Kube-apiserver: the AuthorizationConfiguration type accepted in --authorization-config files has been promoted to apiserver.config.k8s.io/v1beta1. (kubernetes/kubernetes#123640, @liggitt) [SIG Auth and Testing]
Kubelet should fail if NodeSwap is used with LimitedSwap and cgroupv1 node. (kubernetes/kubernetes#123738, @kannon92) [SIG API Machinery, Node and Testing]
Kubelet: a custom root directory for pod logs (instead of default /var/log/pods) can be specified using the podLogsDir key in kubelet configuration. (kubernetes/kubernetes#112957, @mxpv) [SIG API Machinery, Node, Scalability and Testing]
Kubelet: the .memorySwap.swapBehavior field in kubelet configuration accepts a new value NoSwap and makes this the default if unspecified; the previously accepted UnlimitedSwap value has been dropped. (kubernetes/kubernetes#122745, @kannon92) [SIG API Machinery, Node and Testing]
OIDC authentication will now fail if the username asserted based on a CEL expression config is the empty string. Previously the request would be authenticated with the username set to the empty string. (kubernetes/kubernetes#123568, @enj) [SIG API Machinery, Auth and Testing]
PodSpec API: remove note that hostAliases are not supported on hostNetwork Pods. The feature has been supported since v1.8. (kubernetes/kubernetes#122422, @neolit123) [SIG API Machinery and Apps]
Promote AdmissionWebhookMatchConditions to GA. The feature is now stable and the feature gate is now locked to default. (kubernetes/kubernetes#123560, @ivelichkovich) [SIG API Machinery and Testing]
Structured Authentication Configuration now supports DiscoveryURL. discoveryURL if specified, overrides the URL used to fetch discovery information. This is for scenarios where the well-known and jwks endpoints are hosted at a different location than the issuer (such as locally in the cluster). (kubernetes/kubernetes#123527, @aramase) [SIG API Machinery, Auth and Testing]
Support Recursive Read-only (RRO) mounts (KEP-3857) (kubernetes/kubernetes#123180, @AkihiroSuda) [SIG API Machinery, Apps, Node and Testing]
The StructuredAuthenticationConfiguration feature is now beta and enabled by default. (kubernetes/kubernetes#123719, @enj) [SIG API Machinery and Auth]
The StorageVersionMigration API, which was previously available as a Custom Resource Definition (CRD), is now a built-in API in Kubernetes. (kubernetes/kubernetes#123344, @nilekhc) [SIG API Machinery, Apps, Auth, CLI and Testing]
The kubernetes repo now uses Go workspaces. This should not impact end users at all, but does have impact for developers of downstream projects. Switching to workspaces caused some breaking changes in the flags to the various k8s.io/code-generator tools. Downstream consumers should look at staging/src/k8s.io/code-generator/kube_codegen.sh to see the changes. (kubernetes/kubernetes#123529, @thockin) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Storage and Testing]
ValidatingAdmissionPolicy is promoted to GA and will be enabled by default. (kubernetes/kubernetes#123405, @cici37) [SIG API Machinery, Apps, Auth and Testing]
When configuring a JWT authenticator:

If username.expression uses 'claims.email', then 'claims.email_verified' must be used in username.expression or extra[].valueExpression or claimValidationRules[].expression. An example claim validation rule expression that matches the validation automatically applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'. (kubernetes/kubernetes#123737, @enj) [SIG API Machinery and Auth]
Added a CBOR implementation of runtime.Serializer. Until CBOR graduates to Alpha, API servers will refuse to start if configured with CBOR support. (kubernetes/kubernetes#122881, @benluddy) [SIG API Machinery]
Added audienceMatchPolicy field to AuthenticationConfiguration and support for configuring multiple audiences.
- The "audienceMatchPolicy" can be empty (or unset) when a single audience is specified in the "audiences" field.
- The "audienceMatchPolicy" must be set to "MatchAny" when multiple audiences are specified in the "audiences" field. (kubernetes/kubernetes#123165, @aramase) [SIG API Machinery, Auth and Testing]
Contextual logging is now beta and enabled by default. (kubernetes/kubernetes#122589, @pohly) [SIG Instrumentation]
Cri-api: KEP-3857: Recursive Read-only (RRO) mounts (kubernetes/kubernetes#123272, @AkihiroSuda) [SIG Node]
Enabled a mechanism for concurrent log rotatation via kubelet using a configuration entity of containerLogMaxWorkers which controls the maximum number of concurrent rotation that can be performed and an interval configuration of containerLogMonitorInterval that can aid is configuring the monitoring duration to best suite your cluster's log generation standards. (kubernetes/kubernetes#114301, @harshanarayana) [SIG API Machinery, Node and Testing]
Text logging in Kubernetes components now uses textlogger. The same split streams of info and error log entries with buffering of info entries is now also supported for text output (off by default, alpha feature). Previously, this was only supported for JSON. Performance is better also without split streams. (kubernetes/kubernetes#114672, @pohly) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Storage and Testing]
This change adds the following CLI option for kube-controller-manager:
- disable-force-detach (defaults to false): Prevent force detaching volumes based on maximum unmount time and node status. If enabled, the non-graceful node shutdown feature must be used to recover from node failure (see https://kubernetes.io/blog/2023/08/16/kubernetes-1-28-non-graceful-node-shutdown-ga/). If enabled and a pod must be forcibly terminated at the risk of corruption, then the appropriate VolumeAttachment object (see here: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1/) must be deleted. (kubernetes/kubernetes#120344, @rohitssingh) [SIG API Machinery, Apps, Storage and Testing]
Updated an audit annotation key used by the …/serviceaccounts/<name>/token resource handler. The annotation used to persist the issued credential identifier is now authentication.kubernetes.io/issued-credential-id. (kubernetes/kubernetes#123098, @munnerz) [SIG Auth]
Add CEL library for IP Addresses and CIDRs. This will not be available for use until 1.31. (kubernetes/kubernetes#121912, @JoelSpeed) [SIG API Machinery]
Added to MutableFeatureGate the ability to override the default setting of feature gates, to allow default-enabling a feature on a component-by-component basis instead of for all affected components simultaneously. (kubernetes/kubernetes#122647, @benluddy) [SIG API Machinery and Cluster Lifecycle]
Adds a rule on the kube_codegen tool to ignore vendor folder during the code generation. (kubernetes/kubernetes#122729, @jparrill) [SIG API Machinery and Cluster Lifecycle]
Allow users to mutate FSGroupPolicy and PodInfoOnMount in CSIDriver.Spec (kubernetes/kubernetes#116209, @haoruan) [SIG API Machinery, Storage and Testing]
Client-go events: NewEventBroadcasterAdapterWithContext should be used instead of NewEventBroadcasterAdapter if the goal is to support contextual logging. (kubernetes/kubernetes#122142, @pohly) [SIG API Machinery, Instrumentation and Scheduling]
Fixes accidental enablement of the new alpha optionalOldSelf API field in CustomResourceDefinition validation rules, which should only be allowed to be set when the CRDValidationRatcheting feature gate is enabled. (kubernetes/kubernetes#122329, @jpbetz) [SIG API Machinery]
Implement prescore extension point for volumeBinding plugin. Return skip if it doesn't do anything in Score. (kubernetes/kubernetes#115768, @AxeZhan) [SIG Scheduling, Storage and Testing]
Resource.k8s.io/ResourceClaim (alpha API): the strategic merge patch strategy for the status.reservedFor array was changed such that a strategic-merge-patch can add individual entries. This breaks clients using strategic merge patch to update status which rely on the previous behavior (replacing the entire array). (kubernetes/kubernetes#122276, @pohly) [SIG API Machinery]
When scheduling a mixture of pods using ResourceClaims and others which don't, scheduling a pod with ResourceClaims impacts scheduling latency less. (kubernetes/kubernetes#121876, @pohly) [SIG API Machinery, Node, Scheduling and Testing]

`v29.0.1`

Compare Source

`v29.0.0`

Compare Source

feat: Support loading a custom TLS server name from kubeconfig (#270, @multani)

API Change

'kube-apiserver: adds --authentication-config flag for reading AuthenticationConfiguration files. --authentication-config flag is mutually exclusive with the existing --oidc-* flags.' (kubernetes/kubernetes#119142, @aramase)
'kube-scheduler component config (KubeSchedulerConfiguration) kubescheduler.config.k8s.io/v1beta3 is removed in v1.29. Migrated kube-scheduler configuration files to kubescheduler.config.k8s.io/v1.' (kubernetes/kubernetes#119994, @SataQiu)
A new sleep action for the PreStop lifecycle hook was added, allowing containers to pause for a specified duration before termination. (kubernetes/kubernetes#119026, @AxeZhan)
Added CEL expressions to v1alpha1 AuthenticationConfiguration. (kubernetes/kubernetes#121078, @aramase)
Added Windows support for InPlace Pod Vertical Scaling feature. (kubernetes/kubernetes#112599, @fabi200123) [SIG Autoscaling, Node, Scalability, Scheduling and Windows]
Added ImageMaximumGCAge field to Kubelet configuration, which allows a user to set the maximum age an image is unused before it's garbage collected. (kubernetes/kubernetes#121275, @haircommander)
Added UserNamespacesPodSecurityStandards feature gate to enable user namespace support for Pod Security Standards. Enabling this feature will modify all Pod Security Standard rules to allow setting: spec[.*].securityContext.[runAsNonRoot,runAsUser]. This feature gate should only be enabled if all nodes in the cluster support the user namespace feature and have it enabled. The feature gate will not graduate or be enabled by default in future Kubernetes releases. (kubernetes/kubernetes#118760, @saschagrunert) [SIG API Machinery, Auth, Node and Release]
Added optionalOldSelf to x-kubernetes-validations to support ratcheting CRD schema constraints. (kubernetes/kubernetes#121034, @alexzielenski)
Added a new ServiceCIDR type that allows to dynamically configure the cluster range used to allocate Service ClusterIPs addresses. (kubernetes/kubernetes#116516, @aojea)
Added a new ipMode field to the .status of Services where type is set to LoadBalancer. The new field is behind the LoadBalancerIPMode feature gate. (kubernetes/kubernetes#119937, @RyanAoh) [SIG API Machinery, Apps, Cloud Provider, Network and Testing]
Added options for configuring nf_conntrack_udp_timeout, and nf_conntrack_udp_timeout_stream variables of netfilter conntrack subsystem. (kubernetes/kubernetes#120808, @aroradaman)
Added support for CEL expressions to v1alpha1 AuthorizationConfiguration webhook matchConditions. (kubernetes/kubernetes#121223, @ritazh)
Added support for projecting certificates.k8s.io/v1alpha1 ClusterTrustBundle objects into pods. (kubernetes/kubernetes#113374, @ahmedtd)
Added the DisableNodeKubeProxyVersion feature gate. If DisableNodeKubeProxyVersion is enabled, the kubeProxyVersion field is not set. (kubernetes/kubernetes#120954, @HirazawaUi)
Fixed a bug where CEL expressions in CRD validation rules would incorrectly compute a high estimated cost for functions that return strings, lists or maps. The incorrect cost was evident when the result of a function was used in subsequent operations. (kubernetes/kubernetes#119800, @jpbetz) [SIG API Machinery, Auth and Cloud Provider]
Fixed the API comments for the Job Ready field in status. (kubernetes/kubernetes#121765, @mimowo)
Fixed the API comments for the FailIndex Job pod failure policy action. (kubernetes/kubernetes#121764, @mimowo)
Go API: the ResourceRequirements struct was replaced with VolumeResourceRequirements for use with volumes. (kubernetes/kubernetes#118653, @pohly)
Graduated Job BackoffLimitPerIndex feature to beta. (kubernetes/kubernetes#121356, @mimowo)
Marked the onPodConditions field as optional in Job's pod failure policy. (kubernetes/kubernetes#120204, @mimowo)
Promoted PodReadyToStartContainers condition to beta. (kubernetes/kubernetes#119659, @kannon92)
The flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema and PriorityLevelConfiguration APIs has been promoted to flowcontrol.apiserver.k8s.io/v1, with the following changes:
- PriorityLevelConfiguration: the .spec.limited.nominalConcurrencyShares field defaults to 30 only if the field is omitted (v1beta3 also defaulted an explicit 0 value to 30). Specifying an explicit 0 value is not allowed in the v1 version in v1.29 to ensure compatibility with v1.28 API servers. In v1.30, explicit 0 values will be allowed in this field in the v1 API. The flowcontrol.apiserver.k8s.io/v1beta3 APIs are deprecated and will no longer be served in v1.32. All existing objects are available via the v1 APIs. Transition clients and manifests to use the v1 APIs before upgrading to v1.32. (kubernetes/kubernetes#121089, @tkashem)
The kube-proxy command-line documentation was updated to clarify that --bind-address does not actually have anything to do with binding to an address, and you probably don't actually want to be using it. (kubernetes/kubernetes#120274, @danwinship)
The kube-scheduler selectorSpread plugin has been removed, please use the podTopologySpread plugin instead. (kubernetes/kubernetes#117720, @kerthcet)
The matchLabelKeys/mismatchLabelKeys feature is introduced to the hard/soft PodAffinity/PodAntiAffinity. (kubernetes/kubernetes#116065, @sanposhiho)
When updating a CRD, per-expression cost limit check are now skipped for x-kubernetes-validations rules of versions that are not mutated. (kubernetes/kubernetes#121460, @jiahuif)
CSINodeExpandSecret feature has been promoted to GA in this release and is enabled by default. The CSI drivers can make use of the secretRef values passed in NodeExpansion request optionally sent by the CSI Client from this release onwards. (kubernetes/kubernetes#121303, @humblec)
NodeStageVolume calls will now be retried if the CSI node driver is not running. (kubernetes/kubernetes#120330, @rohitssingh)
PersistentVolumeLastPhaseTransitionTime is now beta and enabled by default. (kubernetes/kubernetes#120627, @RomanBednar)
ValidatingAdmissionPolicy type checking now supports CRDs and API extensions types. (kubernetes/kubernetes#119109, @jiahuif)
kube-apiserver: added --authorization-config flag for reading a configuration file containing an apiserver.config.k8s.io/v1alpha1 AuthorizationConfiguration object. The --authorization-config flag is mutually exclusive with --authorization-modes and --authorization-webhook-* flags. The alpha StructuredAuthorizationConfiguration feature flag must be enabled for --authorization-config to be specified. (kubernetes/kubernetes#120154, @palnabarun)
kube-proxy now has a new nftables-based mode, available by running
```
`kube-proxy --feature-gates NFTablesProxyMode=true --proxy-mode nftables`
```
This is currently an alpha-level feature and while it probably will not eat your data, it may nibble at it a bit. (It passes e2e testing but has not yet seen real-world use.)

At this point it should be functionally mostly identical to the iptables mode, except that it does not (and will not) support Service NodePorts on 127.0.0.1. (Also note that there are currently no command-line arguments for the nftables-specific config; you will need to use a config file if you want to set the equivalent of any of the --iptables-xxx options.)

As this code is still very new, it has not been heavily optimized yet; while it is expected to eventually have better performance than the iptables backend, very little performance testing has been done so far. (kubernetes/kubernetes#121046, @danwinship)
kube-proxy: Added an option/flag for configuring the nf_conntrack_tcp_be_liberal sysctl (in the kernel's netfilter conntrack subsystem). When enabled, kube-proxy will not install the DROP rule for invalid conntrack states, which currently breaks users of asymmetric routing. (kubernetes/kubernetes#120354, @aroradaman)
Added support for projecting certificates.k8s.io/v1alpha1 ClusterTrustBundle objects into pods. (kubernetes/kubernetes#113374, @ahmedtd) [SIG API Machinery, Apps, Auth, Node, Storage and Testing]
Adds optionalOldSelf to x-kubernetes-validations to support ratcheting CRD schema constraints (kubernetes/kubernetes#121034, @alexzielenski) [SIG API Machinery]
Fix API comment for the Job Ready field in status (kubernetes/kubernetes#121765, @mimowo) [SIG API Machinery and Apps]
Fix API comments for the FailIndex Job pod failure policy action. (kubernetes/kubernetes#121764, @mimowo) [SIG API Machinery and Apps]
A new sleep action for the PreStop lifecycle hook is added, allowing containers to pause for a specified duration before termination. (kubernetes/kubernetes#119026, @AxeZhan) [SIG API Machinery, Apps, Node and Testing]
Add ImageMaximumGCAge field to Kubelet configuration, which allows a user to set the maximum age an image is unused before it's garbage collected. (kubernetes/kubernetes#121275, @haircommander) [SIG API Machinery and Node]
Add a new ServiceCIDR type that allows to dynamically configure the cluster range used to allocate Service ClusterIPs addresses (kubernetes/kubernetes#116516, @aojea) [SIG API Machinery, Apps, Auth, CLI, Network and Testing]
Add the DisableNodeKubeProxyVersion feature gate. If DisableNodeKubeProxyVersion is enabled, the kubeProxyVersion field is not set. (kubernetes/kubernetes#120954, @HirazawaUi) [SIG API Machinery, Apps and Node]
Added Windows support for InPlace Pod Vertical Scaling feature. (kubernetes/kubernetes#112599, @fabi200123) [SIG Autoscaling, Node, Scalability, Scheduling and Windows]
Added UserNamespacesPodSecurityStandards feature gate to enable user namespace support for Pod Security Standards. Enabling this feature will modify all Pod Security Standard rules to allow setting: spec[.*].securityContext.[runAsNonRoot,runAsUser]. This feature gate should only be enabled if all nodes in the cluster support the user namespace feature and have it enabled. The feature gate will not graduate or be enabled by default in future Kubernetes releases. (kubernetes/kubernetes#118760, @saschagrunert) [SIG API Machinery, Auth, Node and Release]
Added options for configuring nf_conntrack_udp_timeout, and nf_conntrack_udp_timeout_stream variables of netfilter conntrack subsystem. (kubernetes/kubernetes#120808, @aroradaman) [SIG API Machinery and Network]
Adds CEL expressions to v1alpha1 AuthenticationConfiguration. (kubernetes/kubernetes#121078, @aramase) [SIG API Machinery, Auth and Testing]
Adds support for CEL expressions to v1alpha1 AuthorizationConfiguration webhook matchConditions. (kubernetes/kubernetes#121223, @ritazh) [SIG API Machinery and Auth]
CSINodeExpandSecret feature has been promoted to GA in this release and enabled by default. The CSI drivers can make use of the secretRef values passed in NodeExpansion request optionally sent by the CSI Client from this release onwards. (kubernetes/kubernetes#121303, @humblec) [SIG API Machinery, Apps and Storage]
Graduate Job BackoffLimitPerIndex feature to Beta (kubernetes/kubernetes#121356, @mimowo) [SIG Apps]
Kube-apiserver: adds --authorization-config flag for reading a configuration file containing an apiserver.config.k8s.io/v1alpha1 AuthorizationConfiguration object. --authorization-config flag is mutually exclusive with --authorization-modes and --authorization-webhook-* flags. The alpha StructuredAuthorizationConfiguration feature flag must be enabled for --authorization-config to be specified. (kubernetes/kubernetes#120154, @palnabarun) [SIG API Machinery, Auth and Testing]
Kube-proxy now has a new nftables-based mode, available by running
```
kube-proxy --feature-gates NFTablesProxyMode=true --proxy-mode nftables
```
This is currently an alpha-level feature and while it probably will not eat your data, it may nibble at it a bit. (It passes e2e testing but has not yet seen real-world use.)

At this point it should be functionally mostly identical to the iptables mode, except that it does not (and will not) support Service NodePorts on 127.0.0.1. (Also note that there are currently no command-line arguments for the nftables-specific config; you will need to use a config file if you want to set the equivalent of any of the --iptables-xxx options.)

As this code is still very new, it has not been heavily optimized yet; while it is expected to eventually have better performance than the iptables backend, very little performance testing has been done so far. (kubernetes/kubernetes#121046, @danwinship) [SIG API Machinery and Network]
Kube-proxy: Added an option/flag for configuring the nf_conntrack_tcp_be_liberal sysctl (in the kernel's netfilter conntrack subsystem). When enabled, kube-proxy will not install the DROP rule for invalid conntrack states, which currently breaks users of asymmetric routing. (kubernetes/kubernetes#120354, @aroradaman) [SIG API Machinery and Network]
PersistentVolumeLastPhaseTransitionTime is now beta, enabled by default. (kubernetes/kubernetes#120627, @RomanBednar) [SIG Storage]
Promote PodReadyToStartContainers condition to beta. (kubernetes/kubernetes#119659, @kannon92) [SIG Node and Testing]
The flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema and PriorityLevelConfiguration APIs has been promoted to flowcontrol.apiserver.k8s.io/v1, with the following changes:
- PriorityLevelConfiguration: the .spec.limited.nominalConcurrencyShares field defaults to 30 only if the field is omitted (v1beta3 also defaulted an explicit 0 value to 30). Specifying an explicit 0 value is not allowed in the v1 version in v1.29 to ensure compatibility with 1.28 API servers. In v1.30, explicit 0 values will be allowed in this field in the v1 API. The flowcontrol.apiserver.k8s.io/v1beta3 APIs are deprecated and will no longer be served in v1.32. All existing objects are available via the v1 APIs. Transition clients and manifests to use the v1 APIs before upgrading to v1.32. (kubernetes/kubernetes#121089, @tkashem) [SIG API Machinery and Testing]
The kube-proxy command-line documentation was updated to clarify that --bind-address does not actually have anything to do with binding to an address, and you probably don't actually want to be using it. (kubernetes/kubernetes#120274, @danwinship) [SIG Network]
The matchLabelKeys/mismatchLabelKeys feature is introduced to the hard/soft PodAffinity/PodAntiAffinity. (kubernetes/kubernetes#116065, @sanposhiho) [SIG API Machinery, Apps, Cloud Provider, Scheduling and Testing]
ValidatingAdmissionPolicy Type Checking now supports CRDs and API extensions types. (kubernetes/kubernetes#119109, @jiahuif) [SIG API Machinery, Apps, Auth and Testing]
When updating a CRD, per-expression cost limit check is skipped for x-kubernetes-validations rules of versions that are not mutated. (kubernetes/kubernetes#121460, @jiahuif) [SIG API Machinery]
Added a new ipMode field to the .status of Services where type is set to LoadBalancer. The new field is behind the LoadBalancerIPMode feature gate. (kubernetes/kubernetes#119937, @RyanAoh) [SIG API Machinery, Apps, Cloud Provider, Network and Testing]
Fixed a bug where CEL expressions in CRD validation rules would incorrectly compute a high estimated cost for functions that return strings, lists or maps. The incorrect cost was evident when the result of a function was used in subsequent operations. (kubernetes/kubernetes#119800, @jpbetz) [SIG API Machinery, Auth and Cloud Provider]
Go API: the ResourceRequirements struct needs to be replaced with VolumeResourceRequirements for use with volumes. (kubernetes/kubernetes#118653, @pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling, Storage and Testing]
Kube-apiserver: adds --authentication-config flag for reading AuthenticationConfiguration files. --authentication-config flag is mutually exclusive with the existing --oidc-* flags. (kubernetes/kubernetes#119142, @aramase) [SIG API Machinery, Auth and Testing]
Kube-scheduler component config (KubeSchedulerConfiguration) kubescheduler.config.k8s.io/v1beta3 is removed in v1.29. Migrate kube-scheduler configuration files to kubescheduler.config.k8s.io/v1. (kubernetes/kubernetes#119994, @SataQiu) [SIG Scheduling and Testing]
Mark the onPodConditions field as optional in Job's pod failure policy. (kubernetes/kubernetes#120204, @mimowo) [SIG API Machinery and Apps]
Retry NodeStageVolume calls if CSI node driver is not running (kubernetes/kubernetes#120330, @rohitssingh) [SIG Apps, Storage and Testing]
The kube-scheduler selectorSpread plugin has been removed, please use the podTopologySpread plugin instead. (kubernetes/kubernetes#117720, @kerthcet) [SIG Scheduling]

`v28.2.1`

Compare Source

feat: add bookmark support in watcher (#291, @tkauf15k)

`v28.2.0`

Compare Source

Kubernetes API Version: v1.28.2

API Change

Fixed a bug where CEL expressions in CRD validation rules would incorrectly compute a high estimated cost for functions that return strings, lists or maps. The incorrect cost was evident when the result of a function was used in subsequent operations. (kubernetes/kubernetes#119807, @jpbetz) [SIG API Machinery, Auth and Cloud Provider]
Mark Job onPodConditions as optional in pod failure policy (kubernetes/kubernetes#120208, @mimowo) [SIG API Machinery and Apps]
A CDIDevice field is included in the Device Plugin's ContainerAllocateResponse. This field maps to the CDIDevice field in the CRI protocol. (kubernetes/kubernetes#118254, @elezar) [SIG Node and Testing]
ACTION_REQUIRED When an Indexed Job has a number of completions higher than 10^5 and parallelism higher than 10^4, and a big number of Indexes fail, Kubernetes might not be able to track the termination of the Job. Kubernetes now emits a warning, at Job creation, when the Job manifest exceeds both of these limits. (kubernetes/kubernetes#118420, @alculquicondor) [SIG Apps]
Added ServedVersions field to StorageVersion API. (kubernetes/kubernetes#118386, @Richabanker)
Added IP mode field to loadbalancer status ingress. (kubernetes/kubernetes#118895, @RyanAoh)
Added podReplacementPolicy and terminating field to job api. (kubernetes/kubernetes#119301, @kannon92)
Added a new namespaceParamRef field to admissionregistration.k8s.io/v1alpha1.ValidatingAdmissionPolicy. (kubernetes/kubernetes#119215, @alexzielenski) [SIG API Machinery and Testing]
Added a warning that TLS 1.3 ciphers are not configurable. (kubernetes/kubernetes#115399, @3u13r) [SIG API Machinery and Node]
Added error handling for seccomp localhost configurations that do not properly set a localhostProfile. (kubernetes/kubernetes#117020, @cji)
Added fields reason and fieldPath into CRD validation rules to allow users to specify reason and field path when validation failed. (kubernetes/kubernetes#118041, @cici37) [SIG API Machinery]
Added namespace access support to the CEL expressions of ValidatingAdmissionPolicy via a namespaceObject variable with expressions. (kubernetes/kubernetes#118267, @cici37) [SIG API Machinery and Testing]
Added new CRDValidationRatcheting alpha feature. During a PATCH or UPDATE Validation Ratcheting discards errors thrown by unchanged portions of the resource from most OpenAPI schema validations. (kubernetes/kubernetes#118990, @alexzielenski)
Added new annotation batch.kubernetes.io/cronjob-scheduled-timestamp to Job objects scheduled from CronJobs. (kubernetes/kubernetes#118137, @helayoty)
Added new config option delayCacheUntilActive to KubeSchedulerConfiguration that can provide a tradeoff between memory efficiency and scheduling speed when their leadership is updated in kube-scheduler (kubernetes/kubernetes#115754, @linxiulei) [SIG API Machinery and Scheduling]
Changed how KMS v2 encryption at rest can generate data encryption keys. When you enable the KMSv2KDF feature gate (off by default), KMS v2 uses a key derivation function to generate single use data encryption keys from a secret seed combined with some random data. This eliminates the need for a counter based nonce while avoiding nonce collision concerns associated with AES-GCM's 12 byte nonce. (kubernetes/kubernetes#118828, @enj)
Exposed rest.DefaultServerUrlFor function. (kubernetes/kubernetes#118055, @timofurrer)
Extended the Job API for alpha version of BackoffLimitPerIndex. (kubernetes/kubernetes#119294, @mimowo)
Graduated AdmissionWebhookMatchCondition feature to beta. (kubernetes/kubernetes#119380, @a-hilaly)
If using cgroups v2, then the cgroup aware OOM killer will be enabled for container cgroups via memory.oom.group . This causes processes within the cgroup to be treated as a unit and killed simultaneously in the event of an OOM kill on any process in the cgroup. (kubernetes/kubernetes#117793, @tzneal) [SIG Apps, Node and Testing]
In the API Priority and Fairness feature, priority levels that are exempt from limitation can now be given a nominal and a lendable concurrency and their dispatching borrows from the concurrency limits of the other priority levels. For details see https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1040-priority-and-fairness#dispatching . (kubernetes/kubernetes#118782, @MikeSpreitzer) [SIG API Machinery]
Indexed Job pods now have the pod completion index set as a pod label. (kubernetes/kubernetes#118883, @danielvegamyhre) [SIG Apps]
Kube-proxy: added --logging-format flag to support structured logging. (kubernetes/kubernetes#117800, @cyclinder)
NodeVolumeLimits implement the PreFilter extension point for skipping the Filter phase if the Pod doesn't use volumes with limits. (kubernetes/kubernetes#115398, @tangwz) [SIG Scheduling]
PersistentVolumes have a new LastPhaseTransitionTime field which holds a timestamp of when the volume last transitioned its phase. (kubernetes/kubernetes#116469, @RomanBednar)
Pods which set hostNetwork: true and declare ports, get the hostPort field set automatically. Previously this would happen in the PodTemplate of a Deployment, DaemonSet or other workload API. Now hostPort will only be set when an actual Pod is being created. If this presents a problem, setting the feature gate "DefaultHostNetworkHostPortsInPodTemplates" to true will revert this behavior. Please file a kubernetes bug if you need to do this. (kubernetes/kubernetes#117696, @thockin) [SIG Apps]
Promoted API groups ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to v1beta1. (kubernetes/kubernetes#118644, @alexzielenski) [SIG API Machinery, Apps and Testing]
Promoted the feature gate ValidtaingAdmissionPolicy to beta, and it is turned off by default. (kubernetes/kubernetes#119409, @alexzielenski)
Registered_metric_total, disabled_metric_total, hidden_metric_total & kubernetes_feature_enabled are promoted to BETA stability. (kubernetes/kubernetes#119264, @logicalhan) [SIG API Machinery, Architecture, Cluster Lifecycle and Instrumentation]
Removed resizeStatus enum from pvc.Status and replaced with AllocatedResourceStatus. (kubernetes/kubernetes#116335, @gnufied) [SIG API Machinery, Apps, Auth, Node, Storage and Testing]
Removed WindowsHostProcessContainers feature-gate. (kubernetes/kubernetes#117570, @marosset) [SIG API Machinery, Apps, Auth, Node and Windows]
Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta. (kubernetes/kubernetes#117802, @kerthcet) [SIG API Machinery and Apps]
StatefulSet pods now have the pod index set as a pod label statefulset.kubernetes.io/pod-index. (kubernetes/kubernetes#119232, @danielvegamyhre) [SIG Apps]
Support for proxying a request to a peer kube-apiserver if the local apiserver is not able to serve it due to version skew or in the case the requested api is disabled on the local apiserver (kubernetes/kubernetes#117740, @Richabanker) [SIG API Machinery, Apps, Auth, Cloud Provider, Network, Node and Testing]
Supported BackoffLimitPerIndex in Jobs. (kubernetes/kubernetes#118009, @mimowo)
The IPTablesOwnershipCleanup feature (KEP-3178) is now GA; kubelet no longer creates the KUBE-MARK-DROP chain (which has been unused for several releases) or the KUBE-MARK-MASQ chain (which is now only created by kube-proxy). (kubernetes/kubernetes#119374, @danwinship)
The SelfSubjectReview API is promoted to authentication.k8s.io/v1 and the kubectl auth whoami command is GA. (kubernetes/kubernetes#117713, @nabokihms) [SIG API Machinery, Architecture, Auth, CLI and Testing]
The names of ResourceClaims generated from ResourceClaimTemplate are now generated. The base name is still <pod>-<claim name>, but a random suffix will avoid name collisions. (kubernetes/kubernetes#117351, @pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
The new feature gate "SidecarContainers" is now available. This feature introduces sidecar containers, a new type of init container that starts before other containers but remains running for the full duration of the pod's lifecycle and will not block pod termination. (kubernetes/kubernetes#116429, @gjkim42) [SIG API Machinery, Apps, Node, Scheduling and Testing]
Updated the comment about the feature-gate level for PodFailurePolicy from alpha to beta (kubernetes/kubernetes#118278, @mimowo)
client-go: Improved memory use of reflector caches when watching large numbers of objects which do not change frequently. (kubernetes/kubernetes#113362, @sxllwx)
component-base/logs is now stricter about not applying configurations multiple times and will return an error when that is attempted. Can be overridden by binaries which need to do that. (kubernetes/kubernetes#117108, @pohly)
kube-controller-manager: The LegacyServiceAccountTokenCleanUp feature gate is now available as alpha (off by default). When enabled, the legacy-service-account-token-cleaner controller loop removes service account token secrets that have not been used in the time specified by --legacy-service-account-token-clean-up-period (defaulting to one year), and are referenced from the .secrets list of a ServiceAccount object, and are not referenced from pods. (kubernetes/kubernetes#115554, @yt2985)
kube-scheduler component config (KubeSchedulerConfiguration) kubescheduler.config.k8s.io/v1beta2 is removed in v1.28. Migrate kube-scheduler configuration files to kubescheduler.config.k8s.io/v1. (kubernetes/kubernetes#117649, @SataQiu)
Aggregated discovery now returns responseKind: {} for resources which are missing group/version/kind information, to ensure compatibility with v0.26.0-v0.26.3 clients. (kubernetes/kubernetes#119835, @liggitt) [SIG API Machinery and Testing]
Fix CustomResourceDefinition status.storedVersions validation error messages. (kubernetes/kubernetes#119653, @sttts) [SIG API Machinery]
Kube-proxy in Kubernetes >= 1.28 up until v1.28.0-beta.0 ignored the -v command line flag when combined with --config. (kubernetes/kubernetes#119867, @pohly) [SIG Network]
PersistentVolumes have a new LastPhaseTransitionTime field which holds a timestamp of when the volume last transitioned its phase. (kubernetes/kubernetes#116469, @RomanBednar) [SIG API Machinery, Apps, Auth, Node, Release, Storage and Testing]
Promoted API groups ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to v1beta1. (kubernetes/kubernetes#118644, @alexzielenski) [SIG API Machinery, Apps and Testing]
Promoted the feature gate ValidtaingAdmissionPolicy to beta and it is turned off by default. (kubernetes/kubernetes#119409, @alexzielenski) [SIG API Machinery, Apps, Auth, Instrumentation, Node, Release, Storage and Testing]
Changed how KMS v2 encryption at rest can generate data encryption keys. When you enable the KMSv2KDF feature gate (off by default), KMS v2 uses a key derivation function to generate single use data encryption keys from a secret seed combined with some random data. This eliminates the need for a counter based nonce while avoiding nonce collision concerns associated with AES-GCM's 12 byte nonce. (kubernetes/kubernetes#118828, @enj) [SIG API Machinery, Auth and Testing]
A CDIDevice field is includes in the Device Plugin's ContainerAllocateResponse. This field maps to the CDIDevice field in the CRI protocol. (kubernetes/kubernetes#118254, @elezar) [SIG Node and Testing]
Add new annotation batch.kubernetes.io/cronjob-scheduled-timestamp to Job objects scheduled from CronJobs. (kubernetes/kubernetes#118137, @helayoty) [SIG Apps]
Add podReplacementPolicy and terminating field to job api (kubernetes/kubernetes#119301, @kannon92) [SIG API Machinery and Apps]
Added fields reason and fieldPath into CRD validation rules to allow users to specify reason and field path when validation failed. (kubernetes/kubernetes#118041, @cici37) [SIG API Machinery]
Added namespace access support to the CEL expressions of ValidatingAdmissionPolicy via a namespaceObject variable with expressions. (kubernetes/kubernetes#118267, @cici37) [SIG API Machinery and Testing]
Adds new CRDValidationRatcheting alpha feature. During a PATCH or UPDATE Validation Ratcheting discards errors thrown by unchanged portions of the resource from most OpenAPI schema validations. (kubernetes/kubernetes#118990, @alexzielenski) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]
Adds new namespaceParamRef to admissionregistration.k8s.io/v1alpha1.ValidatingAdmissionPolicy (kubernetes/kubernetes#119215, @alexzielenski) [SIG API Machinery and Testing]
Extend the Job API for alpha version of BackoffLimitPerIndex (kubernetes/kubernetes#119294, @mimowo) [SIG API Machinery and Apps]
Graduate AdmissionWebhookMatchCondition feature to beta (kubernetes/kubernetes#119380, @a-hilaly) [SIG API Machinery]
In the API Priority and Fairness feature, priority levels that are exempt from limitation can now be given a nominal and a lendable concurrency and their dispatching borrows from the concurrency limits of the other priority levels. For details see https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1040-priority-and-fairness#dispatching . (kubernetes/kubernetes#118782, @MikeSpreitzer) [SIG API Machinery]
Indexed Job pods now have the pod completion index set as a pod label. (kubernetes/kubernetes#118883, @danielvegamyhre) [SIG Apps]
Kube-proxy: add '--logging-format' flag to support structured logging (kubernetes/kubernetes#117800, @cyclinder) [SIG API Machinery, Architecture, Instrumentation and Network]
Registered_metric_total, disabled_metric_total, hidden_metric_total & kubernetes_feature_enabled are promoted to BETA stability. (kubernetes/kubernetes#119264, @logicalhan) [SIG API Machinery, Architecture, Cluster Lifecycle and Instrumentation]
Removed resizeStatus enum from pvc.Status and replaced with AllocatedResourceStatus (kubernetes/kubernetes#116335, @gnufied) [SIG API Machinery, Apps, Auth, Node, Storage and Testing]
StatefulSet pods now have the pod index set as a pod label statefulset.kubernetes.io/pod-index. (kubernetes/kubernetes#119232, @danielvegamyhre) [SIG Apps]
Support BackoffLimitPerIndex in Jobs (kubernetes/kubernetes#118009, @mimowo) [SIG API Machinery, Apps and Testing]
Support for proxying a request to a peer kube-apiserver if the local apiserver is not able to serve it due to version skew or in the case the requested api is disabled on the local apiserver (kubernetes/kubernetes#117740, @Richabanker) [SIG API Machinery, Apps, Auth, Cloud Provider, Network, Node and Testing]
The IPTablesOwnershipCleanup feature (KEP-3178) is now GA; kubelet no longer creates the KUBE-MARK-DROP chain (which has been unused for several releases) or the KUBE-MARK-MASQ chain (which is now only created by kube-proxy). (kubernetes/kubernetes#119374, @danwinship) [SIG API Machinery, Network and Node]
The names of ResourceClaims generated from ResourceClaimTemplate are now generated. The base name is still <pod>-<claim name>, but a random suffix will avoid name collisions. (kubernetes/kubernetes#117351, @pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
The new feature gate "SidecarContainers" is now available. This feature introduces sidecar containers, a new type of init container that starts before other containers but remains running for the full duration of the pod's lifecycle and will not block pod termination. (kubernetes/kubernetes#116429, @gjkim42) [SIG API Machinery, Apps, Node, Scheduling and Testing]
Add ServedVersions field to StorageVersion API (kubernetes/kubernetes#118386, @Richabanker) [SIG API Machinery and Testing]
Component-base/logs is now more strict about not applying configurations multiple times and will return an error when that is attempted. Can be overridden by binaries which need to do that. (kubernetes/kubernetes#117108, @pohly) [SIG API Machinery, Architecture, Cloud Provider, Instrumentation, Scheduling and Testing]
ACTION_REQUIRED When an Indexed Job has a number of completions higher than 10^5 and parallelism higher than 10^4, and a big number of Indexes fail, Kubernetes might not be able to track the termination of the Job. Kubernetes now emits a warning, at Job creation, when the Job manifest exceeds both of these limits. (kubernetes/kubernetes#118420, @alculquicondor) [SIG Apps]
Expose rest.DefaultServerUrlFor function (kubernetes/kubernetes#118055, @timofurrer) [SIG API Machinery]
If using cgroups v2, then the cgroup aware OOM killer will be enabled for container cgroups via memory.oom.group . This causes processes within the cgroup to be treated as a unit and killed simultaneously in the event of an OOM kill on any process in the cgroup. (kubernetes/kubernetes#117793, @tzneal) [SIG Apps, Node and Testing]
Update the comment about the feature-gate level for PodFailurePolicy from alpha to beta (kubernetes/kubernetes#118278, @mimowo) [SIG Apps]
Added a warning that TLS 1.3 ciphers are not configurable. (kubernetes/kubernetes#115399, @3u13r) [SIG API Machinery and Node]
Added error handling for seccomp localhost configurations that do not properly set a localhostProfile (kubernetes/kubernetes#117020, @cji) [SIG API Machinery and Node]
Added new config option delayCacheUntilActive to KubeSchedulerConfiguration that can provide a tradeoff between memory efficiency and scheduling speed when their leadership is updated in kube-scheduler (kubernetes/kubernetes#115754, @linxiulei) [SIG API Machinery and Scheduling]
Client-go: Improved memory use of reflector caches when watching large numbers of objects which do not change frequently (kubernetes/kubernetes#113362, @sxllwx) [SIG API Machinery]
Kube-controller-manager: The LegacyServiceAccountTokenCleanUp feature gate is now available as alpha (off by default). When enabled, the legacy-service-account-token-cleaner controller loop removes service account token secrets that have not been used in the time specified by --legacy-service-account-token-clean-up-period (defaulting to one year), and are referenced from the .secrets list of a ServiceAccount object, and are not referenced from pods. (kubernetes/kubernetes#115554, @yt2985) [SIG API Machinery, Apps, Auth, Release and Testing]
Kube-scheduler component config (KubeSchedulerConfiguration) kubescheduler.config.k8s.io/v1beta2 is removed in v1.28. Migrate kube-scheduler configuration files to kubescheduler.config.k8s.io/v1. (kubernetes/kubernetes#117649, @SataQiu) [SIG API Machinery, Scheduling and Testing]
NodeVolumeLimits implement the PreFilter extension point for skipping the Filter phase if the Pod doesn't use volumes with limits. (kubernetes/kubernetes#115398, @tangwz) [SIG Scheduling]
Pods which set hostNetwork: true and declare ports get the hostPort field set automatically. Previously this would happen in the PodTemplate of a Deployment, DaemonSet or other workload API. Now hostPort will only be set when an actual Pod is being created. If this presents a problem, setting the feature gate "DefaultHostNetworkHostPortsInPodTemplates" to true will revert this behavior. Please file a kubernetes bug if you need to do this. (kubernetes/kubernetes#117696, @thockin) [SIG Apps]
Removing WindowsHostProcessContainers feature-gate (kubernetes/kubernetes#117570, @marosset) [SIG API Machinery, Apps, Auth, Node and Windows]
Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta (kubernetes/kubernetes#117802, @kerthcet) [SIG API Machinery and Apps]
The SelfSubjectReview API is promoted to authentication.k8s.io/v1 and the kubectl auth whoami command is GA. (kubernetes/kubernetes#117713, @nabokihms) [SIG API Machinery, Architecture, Auth, CLI and Testing]

`v27.6.0`

Compare Source

Kubernetes API Version: v1.27.6

API Change

Added error handling for seccomp localhost configurations that do not properly set a localhostProfile (kubernetes/kubernetes#117020, @cji) [SIG API Machinery and Node]
Fixed an issue where kubelet does not set case-insensitive headers for http probes. (#117182, @dddddai) (kubernetes/kubernetes#117324, @dddddai) [SIG API Machinery, Apps and Node]
Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta (kubernetes/kubernetes#117815, @kerthcet) [SIG Apps]
A fix in the resource.k8s.io/v1alpha1/ResourceClaim API avoids harmless (?) ".status.reservedFor: element 0: associative list without keys has an element that's a map type" errors in the apiserver. Validation now rejects the incorrect reuse of the same UID in different entries. (kubernetes/kubernetes#115354, @pohly)
A terminating pod on a node that is not caused by preemption no longer prevents kube-scheduler from preempting pods on that node
- Rename PreemptionByKubeScheduler to PreemptionByScheduler (kubernetes/kubernetes#114623, @Huang-Wei)
API: resource.k8s.io/v1alpha1.PodScheduling was renamed to resource.k8s.io/v1alpha2.PodSchedulingContext. (kubernetes/kubernetes#116556, @pohly) [SIG API Machinery, Apps, Auth, CLI, Node, Scheduling and Testing]
Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching the evaluation cost restrictions that already apply to CustomResourceDefinition. If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the admission check that was being performed is aborted; the failurePolicy for the ValidatingAdmissionPolicy determines the outcome. (kubernetes/kubernetes#115747, @cici37)
Added auditAnnotations to ValidatingAdmissionPolicy, enabling CEL to be used to add audit annotations to request audit events. Added validationActions to ValidatingAdmissionPolicyBinding, enabling validation failures to be handled by any combination of the warn, audit and deny enforcement actions. (kubernetes/kubernetes#115973, @jpbetz)
Added messageExpression field to ValidationRule. (kubernetes/kubernetes#115969, @DangerOnTheRanger)
Added messageExpression to ValidatingAdmissionPolicy, to set custom failure message via CEL expression. (kubernetes/kubernetes#116397, @jiahuif) [SIG API Machinery]
Added a new IPAddress object kind
- Added a new ClusterIP allocator. The new allocator removes previous Service CIDR block size limitations for IPv4, and limits IPv6 size to a /64 (kubernetes/kubernetes#115075, @aojea) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Network and Testing]
Added a new alpha API: ClusterTrustBundle (certificates.k8s.io/v1alpha1). A ClusterTrustBundle may be used to distribute X.509 trust anchors to workloads within the cluster. (kubernetes/kubernetes#113218, @ahmedtd) [SIG API Machinery, Auth and Testing]
Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via a authorizer variable with expressions. The new variable provides a builder that allows expressions such authorizer.group('').resource('pods').check('create').allowed(). (kubernetes/kubernetes#116054, @jpbetz) [SIG API Machinery and Testing]
Added matchConditions field to ValidatingAdmissionPolicy and enabled support for CEL based custom match criteria. (kubernetes/kubernetes#116350, @maxsmythe)
Added new option to the InterPodAffinity scheduler plugin to ignore existing podspreferred inter-pod affinities if the incoming pod has no preferred inter-pod affinities. This option can be used as an optimization for higher scheduling throughput (at the cost of an occasional pod being scheduled non-optimally/violating existing pods preferred inter-pod affinities). To enable this scheduler option, set theInterPodAffinityscheduler plugin argignorePreferredTermsOfExistingPods: true` (kubernetes/kubernetes#114393, @danielvegamyhre)
Added the MatchConditions field to ValidatingWebhookConfiguration and MutatingWebhookConfiguration for the v1beta and v1 apis.

The AdmissionWebhookMatchConditions featuregate is now in Alpha (kubernetes/kubernetes#116261, @ivelichkovich) [SIG API Machinery and Testing]
Added validation to ensure that if service.kubernetes.io/topology-aware-hints and service.kubernetes.io/topology-mode annotations are both set, they are set to the same value.Also Added deprecation warning if service.kubernetes.io/topology-aware-hints annotation is used. (kubernetes/kubernetes#116612, @robscott)
Added warnings about workload resources (Pods, ReplicaSets, Deployments, Jobs, CronJobs, or ReplicationControllers) whose names are not valid DNS labels. (kubernetes/kubernetes#114412, @thockin)
Adds feature gate NodeLogQuery which provides cluster administrators with a streaming view of logs using kubectl without them having to implement a client side reader or logging into the node. (kubernetes/kubernetes#96120, @LorbusChris)
Api: validation of a PodSpec now rejects invalid ResourceClaim and ResourceClaimTemplate names. For a pod, the name generated for the ResourceClaim when using a template also must be valid. (kubernetes/kubernetes#116576, @pohly)
Bump default API QPS limits for Kubelet. (kubernetes/kubernetes#116121, @wojtek-t)
Enabled the StatefulSetStartOrdinal feature gate in beta (kubernetes/kubernetes#115260, @pwschuurman)
Enabled usage of kube-proxy, kube-scheduler and kubelet HTTP APIs for changing the logging verbosity at runtime for JSON output. (kubernetes/kubernetes#114609, @pohly)
Encryption of API Server at rest configuration now allows the use of wildcards in the list of resources. For example, . can be used to encrypt all resources, including all current and future custom resources. (kubernetes/kubernetes#115149, @nilekhc)
Extended the kubelet's PodResources API to include resources allocated in ResourceClaims via DynamicResourceAllocation. Additionally, added a new Get() method to query a specific pod for its resources. (kubernetes/kubernetes#115847, @moshe010) [SIG Node]
Forbid to set matchLabelKeys when labelSelector is not set in topologySpreadConstraints (kubernetes/kubernetes#116535, @denkensk)
GCE does not support LoadBalancer Services with ports with different protocols (TCP and UDP) (kubernetes/kubernetes#115966, @aojea) [SIG Apps and Cloud Provider]
GRPC probes are now a GA feature. GRPCContainerProbe feature gate was locked to default value and will be removed in v1.29. If you were setting this feature gate explicitly, please remove it now. (kubernetes/kubernetes#116233, @SergeyKanzhelev)
Graduated Kubelet Topology Manager to GA. (kubernetes/kubernetes#116093, @swatisehgal)
Graduated KubeletTracing to beta, which means that the feature gate is now enabled by default. (kubernetes/kubernetes#115750, @saschagrunert)
Graduated seccomp profile defaulting to GA.

Set the kubelet --seccomp-default flag or seccompDefault kubelet configuration field to true to make pods on that node default to using the RuntimeDefault seccomp profile.

Enabling seccomp for your workload can have a negative performance impact depending on the kernel and container runtime version in use.

Guidance for identifying and mitigating those issues is outlined in the Kubernetes seccomp tutorial. (kubernetes/kubernetes#115719, @saschagrunert) [SIG API Machinery, Node, Storage and Testing]
Graduated the container resource metrics feature on HPA to beta. (kubernetes/kubernetes#116046, @sanposhiho)
Implemented API streaming for the watch-cache

When sendInitialEvents ListOption is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events. (kubernetes/kubernetes#110960, @p0lyn0mial)
Introduced API for streaming.

Added SendInitialEvents field to the ListOptions. When the new option is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events. (kubernetes/kubernetes#115402, @p0lyn0mial)
Introduced a breaking change to the resource.k8s.io API in its AllocationResult struct. This change allows a kubelet plugin for the DynamicResourceAllocation feature to service allocations from multiple resource driver controllers. (kubernetes/kubernetes#116332, @klueska)
Introduces new alpha functionality to the reflector, allowing user to enable API streaming.

To activate this feature, users can set the ENABLE_CLIENT_GO_WATCH_LIST_ALPHA environmental variable. It is important to note that the server must support streaming for this feature to function properly. If streaming is not supported by the server, the reflector will revert to the previous method of obtaining data through LIST/WATCH semantics. (kubernetes/kubernetes#110772, @p0lyn0mial) [SIG API Machinery]
K8s.io/client-go/tools/record.EventBroadcaster: after Shutdown() is called, the broadcaster now gives up immediately after a failure to write an event to a sink. Previously it tried multiple times for 12 seconds in a goroutine. (kubernetes/kubernetes#115514, @pohly) [SIG API Machinery]
K8s.io/component-base/logs: usage of the pflag values in a normal Go flag set led to panics when printing the help message (kubernetes/kubernetes#114680, @pohly) [SIG Instrumentation]
Kubeadm: explicitly set priority for static pods with priorityClassName: system-node-critical (kubernetes/kubernetes#114338, @champtar) [SIG Cluster Lifecycle]
Kubelet: a "maxParallelImagePulls" field can now be specified in the kubelet configuration file to control how many image pulls the kubelet can perform in parallel. (kubernetes/kubernetes#115220, @ruiwen-zhao) [SIG API Machinery, Node and Scalability]
Kubelet: changed MemoryThrottlingFactor default value to 0.9 and formulas to calculate memory.high (kubernetes/kubernetes#115371, @pacoxu)
Kubernetes components that perform leader election now only support using Leases for this. (kubernetes/kubernetes#114055, @aimuz)
Migrated the DaemonSet controller (within kube-controller-manager) to use contextual logging (kubernetes/kubernetes#113622, @249043822)
New service.kubernetes.io/topology-mode annotation has been introduced as a replacement for the service.kubernetes.io/topology-aware-hints annotation.
- service.kubernetes.io/topology-aware-hints annotation has been deprecated.
- kube-proxy now accepts any value that is not "disabled" for these annotations, enabling custom implementation-specific and/or future built-in heuristics to be used. (kubernetes/kubernetes#116522, @robscott) [SIG Apps, Network and Testing]
Pods owned by a Job now uses the labels batch.kubernetes.io/job-name and batch.kubernetes.io/controller-uid. The legacy labels job-name and controller-uid are still added for compatibility. (kubernetes/kubernetes#114930, @kannon92)
Promoted CronJobTimeZone feature to GA (kubernetes/kubernetes#115904, @soltysh)
Promoted SelfSubjectReview to Beta (kubernetes/kubernetes#116274, @nabokihms) [SIG API Machinery, Auth, CLI and Testing]
Relaxed API validation to allow pod node selector to be mutable for gated pods (additions only, no deletions or mutations). (kubernetes/kubernetes#116161, @danielvegamyhre)
Remove kubernetes.io/grpc standard appProtocol (kubernetes/kubernetes#116866, @LiorLieberman) [SIG API Machinery and Apps]
Remove deprecated --enable-taint-manager and --pod-eviction-timeout CLI (kubernetes/kubernetes#115840, @atosatto)
Removed support for the v1alpha1 kubeletplugin API of DynamicResourceManagement. All plugins must be updated to v1alpha2 in order to function properly. (kubernetes/kubernetes#116558, @klueska)
The API server now re-uses data encryption keys while the kms v2 plugin key ID is stable. Data encryption keys are still randomly generated on server start but an atomic counter is used to prevent nonce collisions. (kubernetes/kubernetes#116155, @enj)
The PodDisruptionBudget spec.unhealthyPodEvictionPolicy field has graduated to beta and is enabled by default. On servers with the feature enabled, this field may be set to AlwaysAllow to always allow unhealthy pods covered by the PodDisruptionBudget to be evicted. (kubernetes/kubernetes#115363, @ravisantoshgudimetla) [SIG Apps, Auth and Node]
The DownwardAPIHugePages kubelet feature graduated to stable / GA. (kubernetes/kubernetes#115721, @saschagrunert) [SIG Apps and Node]
The following feature gates for volume expansion GA features have now been removed and must no longer be referenced in --feature-gates flags: ExpandCSIVolumes, ExpandInUsePersistentVolumes, ExpandPersistentVolumes (kubernetes/kubernetes#113942, @mengjiao-liu)
The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 was modified from set to map, resolving an incompatibility with use of this schema in CustomResourceDefinitions and with server-side apply. (kubernetes/kubernetes#114585, @JoelSpeed)
Updated API reference for Requests, specifying they must not exceed limits (kubernetes/kubernetes#115434, @ehashman)
Updated KMSv2 to beta (kubernetes/kubernetes#115123, @aramase)
Updated: Redefine AppProtocol field description and add new standard values (kubernetes/kubernetes#115433, @LiorLieberman) [SIG API Machinery, Apps and Network]
/metrics/slis is now available for control plane components allowing you to scrape health check metrics. (kubernetes/kubernetes#114997, @Richabanker)
APIServerTracing feature gate is now enabled by default. Tracing in the API Server is still disabled by default, and requires a config file to enable. (kubernetes/kubernetes#116144, @dashpole)
NodeResourceFit and NodeResourcesBalancedAllocation implement the PreScore extension point for a more performant calculation. (kubernetes/kubernetes#115655, @tangwz)
PodSchedulingReadiness is graduated to beta. (kubernetes/kubernetes#115815, @Huang-Wei)
PodSpec.Container.Resources became mutable for CPU and memory resource types.
- PodSpec.Container.ResizePolicy (new object) gives users control over how their containers are resized.
- PodStatus.Resize status describes the state of a requested Pod resize.
- PodStatus.ResourcesAllocated describes node resources allocated to Pod.
- PodStatus.Resources describes node resources applied to running containers by CRI.
- UpdateContainerResources CRI API now supports both Linux and Windows. (kubernetes/kubernetes#102884, @vinaykul)
SELinuxMountReadWriteOncePod graduated to Beta. (kubernetes/kubernetes#116425, @jsafrane)
StatefulSetAutoDeletePVC feature gate promoted to beta. (kubernetes/kubernetes#116501, @mattcary)
StatefulSet names must be DNS labels, rather than subdomains. Any StatefulSet which took advantage of subdomain validation (by having dots in the name) can't possibly have worked, because we eventually set pod.spec.hostname from the StatefulSetName, and that is validated as a DNS label. (kubernetes/kubernetes#114172, @thockin)
ValidatingAdmissionPolicy now provides a status field that contains results of type checking the validation expression. The type checking is fully informational, and the behavior of the policy is unchanged. (kubernetes/kubernetes#115668, @jiahuif)
cacheSize field in EncryptionConfiguration is not supported for KMSv2 provider (kubernetes/kubernetes#113121, @aramase)
k8s.io/component-base/logs now also supports adding command line flags to a flag.FlagSet. (kubernetes/kubernetes#114731, @pohly)
kubelet: migrated --container-runtime-endpoint and --image-service-endpoint to kubelet config (kubernetes/kubernetes#112136, @pacoxu)
resource.k8s.io/v1alpha1 was replaced with resource.k8s.io/v1alpha2. Before upgrading a cluster, all objects in resource.k8s.io/v1alpha1 (ResourceClaim, ResourceClaimTemplate, ResourceClass, PodScheduling) must be deleted. The changes are internal, so YAML files which create pods and resource claims don't need changes except for the newer apiVersion. (kubernetes/kubernetes#116299, @pohly)
volumes: resource.claims is now cleared for PVC specs during create or update of a pod spec with inline PVC template or of a PVC because it has no effect. (kubernetes/kubernetes#115928, @pohly)
Added a new alpha API: ClusterTrustBundle (certificates.k8s.io/v1alpha1). A ClusterTrustBundle may be used to distribute X.509 trust anchors to workloads within the cluster. (kubernetes/kubernetes#113218, @ahmedtd) [SIG API Machinery, Auth and Testing]
Remove kubernetes.io/grpc standard appProtocol (kubernetes/kubernetes#116866, @LiorLieberman) [SIG API Machinery and Apps]
API: resource.k8s.io/v1alpha1.PodScheduling was renamed to resource.k8s.io/v1alpha2.PodSchedulingContext. (kubernetes/kubernetes#116556, @pohly) [SIG API Machinery, Apps, Auth, CLI, Node, Scheduling and Testing]
APIServerTracing feature gate is now enabled by default. Tracing in the API Server is still disabled by default, and requires a config file to enable. (kubernetes/kubernetes#116144, @dashpole) [SIG API Machinery and Testing]
Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching the evaluation cost restrictions that already apply to CustomResourceDefinition. If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the admission check that was being performed is aborted; the failurePolicy for the ValidatingAdmissionPolicy determines the outcome. (kubernetes/kubernetes#115747, @cici37) [SIG API Machinery]
Added messageExpression to ValidatingAdmissionPolicy, to set custom failure message via CEL expression. (kubernetes/kubernetes#116397, @jiahuif) [SIG API Machinery]
Added a new IPAddress object kind
- Added a new ClusterIP allocator. The new allocator removes previous Service CIDR block size limitations for IPv4, and limits IPv6 size to a /64 (kubernetes/kubernetes#115075, @aojea) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Network and Testing]
Added a new alpha API: ClusterTrustBundle (certificates.k8s.io/v1alpha1). A ClusterTrustBundle may be used to distribute X.509 trust anchors to workloads within the cluster. (kubernetes/kubernetes#113218, @ahmedtd) [SIG API Machinery, Auth and Testing]
Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via a authorizer variable with expressions. The new variable provides a builder that allows expressions such authorizer.group('').resource('pods').check('create').allowed(). (kubernetes/kubernetes#116054, @jpbetz) [SIG API Machinery and Testing]
Added matchConditions field to ValidatingAdmissionPolicy, enabled support for CEL based custom match criteria. (kubernetes/kubernetes#116350, @maxsmythe) [SIG API Machinery and Testing]
Added messageExpression field to ValidationRule. (#115969, @DangerOnTheRanger) (kubernetes/kubernetes#115969, @DangerOnTheRanger) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Instrumentation, Node and Testing]
Added the MatchConditions field to ValidatingWebhookConfiguration and MutatingWebhookConfiguration for the v1beta and v1 apis.

The AdmissionWebhookMatchConditions featuregate is now in Alpha (kubernetes/kubernetes#116261, @ivelichkovich) [SIG API Machinery and Testing]
Added validation to ensure that if service.kubernetes.io/topology-aware-hints and service.kubernetes.io/topology-mode annotations are both set, they are set to the same value.
- Added deprecation warning if service.kubernetes.io/topology-aware-hints annotation is used. (kubernetes/kubernetes#116612, @robscott) [SIG Apps, Network and Testing]
Adds auditAnnotations to ValidatingAdmissionPolicy, enabling CEL to be used to add audit annotations to request audit events. Adds validationActions to ValidatingAdmissionPolicyBinding, enabling validation failures to be handled by any combination of the warn, audit and deny enforcement actions. (kubernetes/kubernetes#115973, @jpbetz) [SIG API Machinery and Testing]
Adds feature gate NodeLogQuery which provides cluster administrators with a streaming view of logs using kubectl without them having to implement a client side reader or logging into the node. (kubernetes/kubernetes#96120, @LorbusChris) [SIG API Machinery, Apps, CLI, Node, Testing and Windows]
Api: validation of a PodSpec now rejects invalid ResourceClaim and ResourceClaimTemplate names. For a pod, the name generated for the ResourceClaim when using a template also must be valid. (kubernetes/kubernetes#116576, @pohly) [SIG Apps]
Bump default API QPS limits for Kubelet. (kubernetes/kubernetes#116121, @wojtek-t) [SIG API Machinery and Node]
Enable the "StatefulSetStartOrdinal" feature gate in beta (kubernetes/kubernetes#115260, @pwschuurman) [SIG API Machinery and Apps]
Extended the kubelet's PodResources API to include resources allocated in ResourceClaims via DynamicResourceAllocation. Additionally, added a new Get() method to query a specific pod for its resources. (kubernetes/kubernetes#115847, @moshe010) [SIG Node]
Forbid to set matchLabelKeys when labelSelector isn’t set in topologySpreadConstraints (kubernetes/kubernetes#116535, @denkensk) [SIG API Machinery, Apps and Scheduling]
GCE does not support LoadBalancer Services with ports with different protocols (TCP and UDP) (kubernetes/kubernetes#115966, @aojea) [SIG Apps and Cloud Provider]
GRPC probes are now a GA feature. GRPCContainerProbe feature gate was locked to default value and will be removed in v1.29. If you were setting this feature gate explicitly, please remove it now. (kubernetes/kubernetes#116233, @SergeyKanzhelev) [SIG API Machinery, Apps and Node]
Graduate Kubelet Topology Manager to GA. (kubernetes/kubernetes#116093, @swatisehgal) [SIG API Machinery, Node and Testing]
Graduate KubeletTracing to beta, which means that the feature gate is now enabled by default. (kubernetes/kubernetes#115750, @saschagrunert) [SIG Instrumentation and Node]
Graduate the container resource metrics feature on HPA to beta. (kubernetes/kubernetes#116046, @sanposhiho) [SIG Autoscaling]
Introduced a breaking change to the resource.k8s.io API in its AllocationResult struct. This change allows a kubelet plugin for the DynamicResourceAllocation feature to service allocations from multiple resource driver controllers. (kubernetes/kubernetes#116332, @klueska) [SIG API Machinery, Apps, CLI, Node, Scheduling and Testing]
Introduces new alpha functionality to the reflector, allowing user to enable API streaming.

To activate this feature, users can set the ENABLE_CLIENT_GO_WATCH_LIST_ALPHA environmental variable. It is important to note that the server must support streaming for this feature to function properly. If streaming is not supported by the server, the reflector will revert to the previous method of obtaining data through LIST/WATCH semantics. (kubernetes/kubernetes#110772, @p0lyn0mial) [SIG API Machinery]
Kubelet: change MemoryThrottlingFactor default value to 0.9 and formulas to calculate memory.high (kubernetes/kubernetes#115371, @pacoxu) [SIG API Machinery, Apps and Node]
Migrated the DaemonSet controller (within `kube-controller-manager) to use contextual logging (kubernetes/kubernetes#113622, @249043822) [SIG API Machinery, Apps, Instrumentation and Testing]
New service.kubernetes.io/topology-mode annotation has been introduced as a replacement for the service.kubernetes.io/topology-aware-hints annotation.
- service.kubernetes.io/topology-aware-hints annotation has been deprecated.
- kube-proxy now accepts any value that is not "disabled" for these annotations, enabling custom implementation-specific and/or future built-in heuristics to be used. (kubernetes/kubernetes#116522, @robscott) [SIG Apps, Network and Testing]
NodeResourceFit and NodeResourcesBalancedAllocation implement the PreScore extension point for a more performant calculation. (kubernetes/kubernetes#115655, @tangwz) [SIG Scheduling]
Pods owned by a Job will now use the labels batch.kubernetes.io/job-name and batch.kubernetes.io/controller-uid. The legacy labels job-name and controller-uid are still added for compatibility. (kubernetes/kubernetes#114930, @kannon92) [SIG Apps]
Promote CronJobTimeZone feature to GA (kubernetes/kubernetes#115904, @soltysh) [SIG API Machinery and Apps]
Promoted SelfSubjectReview to Beta (kubernetes/kubernetes#116274, @nabokihms) [SIG API Machinery, Auth, CLI and Testing]
Relax API validation to allow pod node selector to be mutable for gated pods (additions only, no deletions or mutations). (kubernetes/kubernetes#116161, @danielvegamyhre) [SIG Apps, Scheduling and Testing]
Remove deprecated --enable-taint-manager and --pod-eviction-timeout CLI flags (kubernetes/kubernetes#115840, @atosatto) [SIG API Machinery, Apps, Node and Testing]
Resource.k8s.io/v1alpha1 was replaced with resource.k8s.io/v1alpha2. Before upgrading a cluster, all objects in resource.k8s.io/v1alpha1 (ResourceClaim, ResourceClaimTemplate, ResourceClass, PodScheduling) must be deleted. The changes will be internal, so YAML files which create pods and resource claims don't need changes except for the newer apiVersion. (kubernetes/kubernetes#116299, @pohly) [SIG API Machinery, Apps, CLI, Node, Scheduling and Testing]
SELinuxMountReadWriteOncePod graduated to Beta. (kubernetes/kubernetes#116425, @jsafrane) [SIG Storage and Testing]
StatefulSetAutoDeletePVC feature gate promoted to beta. (kubernetes/kubernetes#116501, @mattcary) [SIG Apps, Auth and Testing]
The API server now re-uses data encryption keys while the kms v2 plugin's key ID is stable. Data encryption keys are still randomly generated on server start but an atomic counter is used to prevent nonce collisions. (kubernetes/kubernetes#116155, @enj) [SIG API Machinery, Auth and Testing]
The API server's encryption at rest configuration now allows the use of wildcards in the list of resources. For example, '.' can be used to encrypt all resources, including all current and future custom resources. (kubernetes/kubernetes#115149, @nilekhc) [SIG API Machinery, Auth and Testing]
Update KMSv2 to beta (kubernetes/kubernetes#115123, @aramase) [SIG API Machinery, Auth and Testing]
Updated: Redefine AppProtocol field description and add new standard values (kubernetes/kubernetes#115433, @LiorLieberman) [SIG API Machinery, Apps and Network]
ValidatingAdmissionPolicy now provides a status field that contains results of type checking the validation expression. The type checking is fully informational, and the behavior of the policy is unchanged. (kubernetes/kubernetes#115668, @jiahuif) [SIG API Machinery, Auth, Cloud Provider and Testing]
We have removed support for the v1alpha1 kubeletplugin API of DynamicResourceManagement. All plugins must update to v1alpha2 in order to function properly going forward. (kubernetes/kubernetes#116558, @klueska) [SIG API Machinery, Apps, CLI, Node, Scheduling and Testing]
Graduated seccomp profile defaulting to GA.

Set the kubelet --seccomp-default flag or seccompDefault kubelet configuration field to true to make pods on that node default to using the RuntimeDefault seccomp profile.

Enabling seccomp for your workload can have a negative performance impact depending on the kernel and container runtime version in use.

Guidance for identifying and mitigating those issues is outlined in the Kubernetes seccomp tutorial. (kubernetes/kubernetes#115719, @saschagrunert) [SIG API Machinery, Node, Storage and Testing]
Implements API for streaming for the watch-cache

When sendInitialEvents ListOption is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events. (kubernetes/kubernetes#110960, @p0lyn0mial) [SIG API Machinery]
Introduce API for streaming.

Add SendInitialEvents field to the ListOptions. When the new option is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events. (kubernetes/kubernetes#115402, @p0lyn0mial) [SIG API Machinery]
Kubelet: a "maxParallelImagePulls" field can now be specified in the kubelet configuration file to control how many image pulls the kubelet can perform in parallel. (kubernetes/kubernetes#115220, @ruiwen-zhao) [SIG API Machinery, Node and Scalability]
PodSchedulingReadiness is graduated to beta. (kubernetes/kubernetes#115815, @Huang-Wei) [SIG API Machinery, Apps, Scheduling and Testing]
In-place resize feature for Kubernetes Pods
- Changed the Pod API so that the resources defined for containers are mutable for cpu and memory resource types.
- Added resizePolicy for containers in a pod to allow users control over how their containers are resized.
- Added allocatedResources field to container status in pod status that describes the node resources allocated to a pod.
- Added resources field to container status that reports actual resources applied to running containers.
- Added resize field to pod status that describes the state of a requested pod resize. For details, see KEPs below. (kubernetes/kubernetes#102884, @vinaykul) [SIG API Machinery, Apps, Instrumentation, Node, Scheduling and Testing]
The PodDisruptionBudget spec.unhealthyPodEvictionPolicy field has graduated to beta and is enabled by default. On servers with the feature enabled, this field may be set to AlwaysAllow to always allow unhealthy pods covered by the PodDisruptionBudget to be evicted. (kubernetes/kubernetes#115363, @ravisantoshgudimetla) [SIG Apps, Auth and Node]
The DownwardAPIHugePages kubelet feature graduated to stable / GA. (kubernetes/kubernetes#115721, @saschagrunert) [SIG Apps and Node]
Volumes: resource.claims gets cleared for PVC specs during create or update of a pod spec with inline PVC template or of a PVC because it has no effect. (kubernetes/kubernetes#115928, @pohly) [SIG API Machinery, Apps and Storage]
A fix in the resource.k8s.io/v1alpha1/ResourceClaim API avoids harmless (?) ".status.reservedFor: element 0: associative list without keys has an element that's a map type" errors in the apiserver. Validation now rejects the incorrect reuse of the same UID in different entries. (kubernetes/kubernetes#115354, @pohly) [SIG API Machinery]
CacheSize field in EncryptionConfiguration is not supported for KMSv2 provider (kubernetes/kubernetes#113121, @aramase) [SIG API Machinery, Auth and Testing]
K8s.io/client-go/tools/record.EventBroadcaster: after Shutdown() is called, the broadcaster now gives up immediately after a failure to write an event to a sink. Previously it tried multiple times for 12 seconds in a goroutine. (kubernetes/kubernetes#115514, @pohly) [SIG API Machinery]
K8s.io/component-base/logs now also supports adding command line flags to a flag.FlagSet. (kubernetes/kubernetes#114731, @pohly) [SIG Architecture]
Update API reference for Requests, specifying they must not exceed limits (kubernetes/kubernetes#115434, @ehashman) [SIG Architecture, Docs and Node]
/metrics/slis is made available for control plane components allowing you to scrape health check metrics. (kubernetes/kubernetes#114997, @Richabanker) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
A terminating pod on a node that is not caused by preemption won't prevent kube-scheduler from preempting pods on that node
- Rename 'PreemptionByKubeScheduler' to 'PreemptionByScheduler' (kubernetes/kubernetes#114623, @Huang-Wei) [SIG Scheduling]
Added new option to the InterPodAffinity scheduler plugin to ignore existing pods` preferred inter-pod affinities if the incoming pod has no preferred inter-pod affinities. This option can be used as an optimization for higher scheduling throughput (at the cost of an occasional pod being scheduled non-optimally/violating existing pods' preferred inter-pod affinities). To enable this scheduler option, set the InterPodAffinity scheduler plugin arg "ignorePreferredTermsOfExistingPods: true". (kubernetes/kubernetes#114393, @danielvegamyhre) [SIG API Machinery and Scheduling]
Added warnings about workload resources (Pods, ReplicaSets, Deployments, Jobs, CronJobs, or ReplicationControllers) whose names are not valid DNS labels. (kubernetes/kubernetes#114412, @thockin) [SIG API Machinery and Apps]
K8s.io/component-base/logs: usage of the pflag values in a normal Go flag set led to panics when printing the help message (kubernetes/kubernetes#114680, @pohly) [SIG Instrumentation]
Kube-proxy, kube-scheduler and kubelet have HTTP APIs for changing the logging verbosity at runtime. This now also works for JSON output. (kubernetes/kubernetes#114609, @pohly) [SIG API Machinery, Architecture, Cloud Provider, Instrumentation and Testing]
Kubeadm: explicitly set priority for static pods with priorityClassName: system-node-critical (kubernetes/kubernetes#114338, @champtar) [SIG Cluster Lifecycle]
Kubelet: migrate "--container-runtime-endpoint" and "--image-service-endpoint" to kubelet config (kubernetes/kubernetes#112136, @pacoxu) [SIG API Machinery, Node and Scalability]
Kubernetes components that perform leader election now only support using Leases for this. (kubernetes/kubernetes#114055, @aimuz) [SIG API Machinery, Cloud Provider and Scheduling]
StatefulSet names must be DNS labels, rather than subdomains. Any StatefulSet which took advantage of subdomain validation (by having dots in the name) can't possibly have worked, because we eventually set pod.spec.hostname from the StatefulSetName, and that is validated as a DNS label. (kubernetes/kubernetes#114172, @thockin) [SIG Apps]
The following feature gates for volume expansion GA features have been removed and must no longer be referenced in --feature-gates flags: ExpandCSIVolumes, ExpandInUsePersistentVolumes, ExpandPersistentVolumes (kubernetes/kubernetes#113942, @mengjiao-liu) [SIG API Machinery, Apps and Testing]
The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 was modified from "set" to "map", resolving an incompatibility with use of this schema in CustomResourceDefinitions and with server-side apply. (kubernetes/kubernetes#114585, @JoelSpeed) [SIG API Machinery]

`v26.9.0`

Compare Source

Kubernetes API Version: v1.26.9

API Change

The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 was modified from "set" to "map", resolving an incompatibility with use of this schema in CustomResourceDefinitions and with server-side apply. (kubernetes/kubernetes#114617, @JoelSpeed) [SIG API Machinery]
'A new preEnqueue extension point was added to scheduler's component config v1beta2/v1beta3/v1.' (kubernetes/kubernetes#113275, @Huang-Wei)
'Added a ResourceClaim API (in the resource.k8s.io/v1alpha1 API group and behind the DynamicResourceAllocation feature gate). The new API is now more flexible than the existing Device Plugins feature of Kubernetes because it allows Pods to request (claim) special kinds of resources, which can be available at node level, cluster level, or following any other model you implement.' (kubernetes/kubernetes#111023, @pohly)
'Container preStop and postStart lifecycle handlers using httpGet now honor the specified scheme and headers fields. This enables setting custom headers and changing the scheme to HTTPS, consistent with container startup/readiness/liveness probe capabilities. Lifecycle handlers configured with scheme: HTTPS that encounter errors indicating the endpoint is actually using HTTP fall back to making the request over HTTP for compatibility with previous releases. When this happens, a LifecycleHTTPFallback event is recorded in the namespace of the pod and a kubelet_lifecycle_handler_http_fallbacks_total metric in the kubelet is incremented. Cluster administrators can opt out of the expanded lifecycle handler capabilities by setting --feature-gates=ConsistentHTTPGetHandlers=false in kubelet.' (kubernetes/kubernetes#86139, @jasimmons)
'Graduated JobTrackingWithFinalizers to stable. Jobs created before the feature was enabled are still tracked without finalizers. Jobs tracked with finalizers have the annotation batch.kubernetes.io/job-tracking. If the annotation is present and the user attempts to remove it, the control plane adds it back. The annotation batch.kubernetes.io/job-tracking is now deprecated. The control plane will ignore it and stop adding it for new Jobs in v1.27.' (kubernetes/kubernetes#113510, @alculquicondor)
'Kubelet added the following Pod failure conditions:
- DisruptionTarget (graceful node shutdown, node pressure eviction)' (kubernetes/kubernetes#112360, @mimowo)
'Priority and Fairness has introduced a new feature called borrowing that allows an API priority level to borrow a number of seats from other priority level(s). As a cluster operator, you can enable borrowing for a certain priority level configuration object via the two newly introduced fields lendablePercent, and borrowingLimitPercent located under the .spec.limited field of the designated priority level. This change added the following metrics:
- apiserver_flowcontrol_nominal_limit_seats: Nominal number of execution seats configured for each priority level
- apiserver_flowcontrol_lower_limit_seats: Configured lower bound on number of execution seats available to each priority level
- apiserver_flowcontrol_upper_limit_seats: Configured upper bound on number of execution seats available to each priority level
- apiserver_flowcontrol_demand_seats: Observations, at the end of every nanosecond, of (the number of seats each priority level could use) / (nominal number of seats for that level)
- apiserver_flowcontrol_demand_seats_high_watermark: High watermark, over last adjustment period, of demand_seats
- apiserver_flowcontrol_demand_seats_average: Time-weighted average, over last adjustment period, of demand_seats
- apiserver_flowcontrol_demand_seats_stdev: Time-weighted standard deviation, over last adjustment period, of demand_seats
- apiserver_flowcontrol_demand_seats_smoothed: Smoothed seat demands
- apiserver_flowcontrol_target_seats: Seat allocation targets
- apiserver_flowcontrol_seat_fair_frac: Fair fraction of server's concurrency to allocate to each priority level that can use it
- apiserver_flowcontrol_current_limit_seats: current derived number of execution seats available to each priority level The possibility of borrowing means that the old metric apiserver_flowcontrol_request_concurrency_limit can no longer mean both the configured concurrency limit and the enforced concurrency limit. Henceforth it means the configured concurrency limit.' (kubernetes/kubernetes#113485, @MikeSpreitzer)
'NodeInclusionPolicy in podTopologySpread plugin is now enabled by default.' (kubernetes/kubernetes#113500, @kerthcet)
'PodDisruptionBudget now adds an alpha spec.unhealthyPodEvictionPolicy field. When the PDBUnhealthyPodEvictionPolicy feature-gate is enabled in kube-apiserver, setting this field to "AlwaysAllow" allows pods to be evicted if they do not have a ready condition, regardless of whether the PodDisruptionBudget is currently healthy.' (kubernetes/kubernetes#113375, @atiratree)
'metav1.LabelSelectors specified in API objects are now validated to ensure they do not contain invalid label values that will error at time of use. Existing invalid objects can be updated, but new objects are required to contain valid label selectors.' (kubernetes/kubernetes#113699, @liggitt)
Add percentageOfNodesToScore as a scheduler profile level parameter to API version v1. When a profile percentageOfNodesToScore is set, it will override global percentageOfNodesToScore. (kubernetes/kubernetes#112521, @yuanchen8911)
Add auth API to get self subject attributes (new selfsubjectreviews API is added). The corresponding command for kubctl is provided - kubectl auth whoami. (kubernetes/kubernetes#111333, @nabokihms) [SIG API Machinery, Auth, CLI and Testing]
Added kubernetes_feature_enabled metric series to track whether each active feature gate is enabled. (kubernetes/kubernetes#112690, @logicalhan)
Added a --topology-manager-policy-options flag to the kubelet to support fine tuning the topology manager policies. The first policy option, prefer-closest-numa-nodes, allows these policies to favor sets of NUMA nodes with shorter distance between nodes when making admission decisions. (kubernetes/kubernetes#112914, @PiotrProkop)
Added a feature that allows a StatefulSet to start numbering replicas from an arbitrary non-negative ordinal, using the .spec.ordinals.start field. (kubernetes/kubernetes#112744, @pwschuurman)
Added a kube-proxy flag (--iptables-localhost-nodeports, default true) to allow disabling NodePort services on loopback addresses. Note: this only applies to iptables mode and ipv4. (kubernetes/kubernetes#108250, @cyclinder)
Added a new namespace alpha field to DataSourceRef field in PersistentVolumeClaim API. (kubernetes/kubernetes#113186, @ttakahashi21)
Aggregated discovery will be alpha and can be toggled with the AggregatedDiscoveryEndpoint feature flag. (kubernetes/kubernetes#113171, @Jefftree)
Clarified the CFS quota as 100ms in the code comments and set the minimum cpuCFSQuotaPeriod to 1ms to match Linux kernel expectations. (kubernetes/kubernetes#112123, @paskal)
Component-base: make the validation logic about LeaderElectionConfiguration consistent between component-base and client-go (kubernetes/kubernetes#111758, @SataQiu) [SIG API Machinery and Scheduling]
Deprecated the apiserver_request_slo_duration_seconds metric for v1.27 in favor of apiserver_request_sli_duration_seconds for naming consistency purposes with other SLI-specific metrics and to avoid any confusion between SLOs and SLIs. (kubernetes/kubernetes#112679, @dgrisonnet)
Enable the "Retriable and non-retriable pod failures for jobs" feature into beta. (kubernetes/kubernetes#113360, @mimowo)
Enabled kube-controller-manager to support '--concurrent-horizontal-pod-autoscaler-syncs' flag to set the number of horizontal pod autoscaler controller workers. (kubernetes/kubernetes#108501, @zroubalik)
Fixed spurious field is immutable errors validating updates to Event API objects via the events.k8s.io/v1 API. (kubernetes/kubernetes#112183, @liggitt)
Graduated ServiceInternalTrafficPolicy feature to GA. (kubernetes/kubernetes#113496, @avoltz)
In 'kube-proxy`: The "userspace" proxy mode (deprecated for over a year) is no longer supported on either Linux or Windows. Users should use "iptables" or "ipvs" on Linux, or "kernelspace" on Windows. (kubernetes/kubernetes#112133, @knabben)
Introduce v1beta3 for Priority and Fairness with the following changes to the API spec:
- rename 'assuredConcurrencyShares' (located under `spec.limited') to 'nominalConcurrencyShares'.
- apply strategic merge patch annotations to 'Conditions' of flowschemas and prioritylevelconfigurations. (kubernetes/kubernetes#112306, @tkashem)
Introduced v1alpha1 API for validating admission policies, enabling extensible admission control via CEL expressions (KEP 3488: CEL for Admission Control). To use, enable the ValidatingAdmissionPolicy feature gate and the admissionregistration.k8s.io/v1alpha1 API via --runtime-config. (kubernetes/kubernetes#113314, @cici37)
KMS: added validation for duplicate kms config name when auto reload is enabled. If you enabled automatic reload of encryption configuration with API server flag --encryption-provider-config-automatic-reload, ensure all the KMS provider names (v1 and v2) in the encryption configuration are unique. (kubernetes/kubernetes#113697, @aramase)
Kubelet external Credential Provider feature is moved to GA. Credential Provider Plugin and Credential Provider Config APIs updated from v1beta1 to v1 with no API changes. (kubernetes/kubernetes#111616, @ndixita)
Legacy klog flags are no longer available. Only -v and -vmodule are still supported. (kubernetes/kubernetes#112120, @pohly) [SIG Architecture, CLI, Instrumentation, Node and Testing]
Moved MixedProtocolLBService from beta to GA. (kubernetes/kubernetes#112895, @janosi)
New Pod API field .spec.schedulingGates is introduced to enable users to control when to mark a Pod as scheduling ready. (kubernetes/kubernetes#113274, @Huang-Wei)
Protobuf serialization of metav1.MicroTime timestamps (used in Lease and Event API objects) has been corrected to truncate to microsecond precision, to match the documented behavior and JSON/YAML serialization. Any existing persisted data is truncated to microsecond when read from etcd. (kubernetes/kubernetes#111936, @haoruan)
Removed feature gates ServiceLoadBalancerClass and ServiceLBNodePortControl. These feature gates were enabled (and locked) since v1.24. (kubernetes/kubernetes#112577, @andrewsykim)
Reverted regression that prevented client-go latency metrics to be reported with a template URL to avoid label cardinality. (kubernetes/kubernetes#111752, @aanm)
The EndpointSliceTerminatingCondition feature gate was graduated to GA. The gate is now locked and will be removed in v1.28. (kubernetes/kubernetes#113351, @andrewsykim)
DynamicKubeletConfig feature gate has been removed from the API server. Dynamic kubelet reconfiguration now can't be used even when older nodes are still attempting to rely on it. This is aligned with the Kubernetes version skew policy. (kubernetes/kubernetes#112643, @SergeyKanzhelev)
kubectl wait command with jsonpath flag will wait for target path until timeout. (kubernetes/kubernetes#109525, @jonyhy96)
Add a ResourceClaim API (in the resource.k8s.io/v1alpha1 API group and behind the DynamicResourceAllocation feature gate). The new API is more flexible than the existing Device Plugins feature of Kubernetes because it allows Pods to request (claim) special kinds of resources, which can be available at node level, cluster level, or following any other model you implement. (kubernetes/kubernetes#111023, @pohly) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node, Release, Scheduling, Storage and Testing]
PodDisruptionBudget adds an alpha spec.unhealthyPodEvictionPolicy field. When the PDBUnhealthyPodEvictionPolicy feature-gate is enabled in kube-apiserver, setting this field to "AlwaysAllow" allows pods to be evicted if they do not have a ready condition, regardless of whether the PodDisruptionBudget is currently healthy. (kubernetes/kubernetes#113375, @atiratree) [SIG API Machinery, Apps, Auth and Testing]
A new preEnqueue extension point is added to scheduler's component config v1beta2/v1beta3/v1. (kubernetes/kubernetes#113275, @Huang-Wei) [SIG API Machinery, Apps, Instrumentation, Scheduling and Testing]
Add a new namespace alpha field to dataSourceRef field in PersistentVolumeClaim API. (kubernetes/kubernetes#113186, @ttakahashi21) [SIG API Machinery, Apps, Storage and Testing]
Add a kube-proxy flag (--iptables-localhost-nodeports, default true) to allow disabling NodePort services on loopback addresses. Note: this only applies to iptables mode and ipv4. (kubernetes/kubernetes#108250, @cyclinder) [SIG API Machinery, Cloud Provider, Network, Node, Scalability, Storage and Testing]
Added a --topology-manager-policy-options flag to the kubelet to support fine tuning the topology manager policies. The first policy option, prefer-closest-numa-nodes, allows these policies to favor sets of NUMA nodes with shorter distance between nodes when making admission decisions. (kubernetes/kubernetes#112914, @PiotrProkop) [SIG API Machinery and Node]
Added a feature that allows a StatefulSet to start numbering replicas from an arbitrary non-negative ordinal, using the .spec.ordinals.start field. (kubernetes/kubernetes#112744, @pwschuurman) [SIG API Machinery and Apps]
Deprecate the apiserver_request_slo_duration_seconds metric for v1.27 in favor of apiserver_request_sli_duration_seconds for naming consistency purposes with other SLI-specific metrics and to avoid any confusion between SLOs and SLIs. (kubernetes/kubernetes#112679, @dgrisonnet) [SIG API Machinery and Instrumentation]
Enable the "Retriable and non-retriable pod failures for jobs" feature into beta (kubernetes/kubernetes#113360, @mimowo) [SIG Apps, Auth, Node, Scheduling and Testing]
Graduate JobTrackingWithFinalizers to stable. Jobs created before the feature was enabled are still tracked without finalizers. Users can choose to migrate jobs to tracking with finalizers by adding the annotation batch.kubernetes.io/job-tracking. If the annotation was already present and the user attempts to remove it, the control plane adds the annotation back. (kubernetes/kubernetes#113510, @alculquicondor) [SIG API Machinery, Apps and Testing]
Graduate ServiceInternalTrafficPolicy feature to GA (kubernetes/kubernetes#113496, @avoltz) [SIG Apps and Network]
If you enabled automatic reload of encryption configuration with API server flag --encryption-provider-config-automatic-reload, ensure all the KMS provider names (v1 and v2) in the encryption configuration are unique. (kubernetes/kubernetes#113697, @aramase) [SIG API Machinery and Auth]
Introduce v1alpha1 API for validating admission policies, enabling extensible admission control via CEL expressions (KEP 3488: CEL for Admission Control). To use, enable the ValidatingAdmissionPolicy feature gate and the admissionregistration.k8s.io/v1alpha1 API via --runtime-config. (kubernetes/kubernetes#113314, @cici37) [SIG API Machinery, Auth, Cloud Provider and Testing]
Kubelet adds the following pod failure conditions:
- DisruptionTarget (graceful node shutdown, node pressure eviction) (kubernetes/kubernetes#112360, @mimowo) [SIG Apps, Node and Testing]
Metav1.LabelSelectors specified in API objects are now validated to ensure they do not contain invalid label values that will error at time of use. Existing invalid objects can be updated, but new objects are required to contain valid label selectors. (kubernetes/kubernetes#113699, @liggitt) [SIG API Machinery, Apps, Auth, Network and Storage]
Moving MixedProtocolLBService from beta to GA (kubernetes/kubernetes#112895, @janosi) [SIG Apps, Network and Testing]
New Pod API field .spec.schedulingGates is introduced to enable users to control when to mark a Pod as scheduling ready. (kubernetes/kubernetes#113274, @Huang-Wei) [SIG Apps, Scheduling and Testing]
NodeInclusionPolicy in podTopologySpread plugin is enabled by default. (kubernetes/kubernetes#113500, @kerthcet) [SIG API Machinery, Apps, Scheduling and Testing]
Priority and Fairness has introduced a new feature called borrowing that allows an API priority level to borrow a number of seats from other priority level(s). As a cluster operator, you can enable borrowing for a certain priority level configuration object via the two newly introduced fields lendablePercent, and borrowingLimitPercent located under the .spec.limited field of the designated priority level. This MR adds the following metrics.
- apiserver_flowcontrol_nominal_limit_seats: Nominal number of execution seats configured for each priority level
- apiserver_flowcontrol_lower_limit_seats: Configured lower bound on number of execution seats available to each priority level
- apiserver_flowcontrol_upper_limit_seats: Configured upper bound on number of execution seats available to each priority level
- apiserver_flowcontrol_demand_seats: Observations, at the end of every nanosecond, of (the number of seats each priority level could use) / (nominal number of seats for that level)
- apiserver_flowcontrol_demand_seats_high_watermark: High watermark, over last adjustment period, of demand_seats
- apiserver_flowcontrol_demand_seats_average: Time-weighted average, over last adjustment period, of demand_seats
- apiserver_flowcontrol_demand_seats_stdev: Time-weighted standard deviation, over last adjustment period, of demand_seats
- apiserver_flowcontrol_demand_seats_smoothed: Smoothed seat demands
- apiserver_flowcontrol_target_seats: Seat allocation targets
- apiserver_flowcontrol_seat_fair_frac: Fair fraction of server's concurrency to allocate to each priority level that can use it
- apiserver_flowcontrol_current_limit_seats: current derived number of execution seats available to each priority level The possibility of borrowing means that the old metric apiserver_flowcontrol_request_concurrency_limit can no longer mean both the configured concurrency limit and the enforced concurrency limit. Henceforth it means the configured concurrency limit. (kubernetes/kubernetes#113485, @MikeSpreitzer) [SIG API Machinery and Testing]
The EndpointSliceTerminatingCondition feature gate has graduated to GA. The gate is now locked and will be removed in v1.28. (kubernetes/kubernetes#113351, @andrewsykim) [SIG API Machinery, Apps, Network and Testing]
Yes, aggregated discovery will be alpha and can be toggled with the AggregatedDiscoveryEndpoint feature flag (kubernetes/kubernetes#113171, @Jefftree) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Network, Node, Release, Scalability, Scheduling, Storage and Testing]
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
(kubernetes/kubernetes#86139, @jasimmons) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Contributor Experience, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
Add percentageOfNodesToScore as a scheduler profile level parameter to API version v1. If a profile percentageOfNodesToScore is set, it will override global percentageOfNodesToScore. (kubernetes/kubernetes#112521, @yuanchen8911) [SIG API Machinery, Scheduling and Testing]
Kube-controller-manager supports '--concurrent-horizontal-pod-autoscaler-syncs' flag to set the number of horizontal pod autoscaler controller workers. (kubernetes/kubernetes#108501, @zroubalik) [SIG API Machinery, Apps and Autoscaling]
Kube-proxy: The "userspace" proxy mode (deprecated for over a year) is no longer supported on either Linux or Windows. Users should use "iptables" or "ipvs" on Linux, or "kernelspace" on Windows. (kubernetes/kubernetes#112133, @knabben) [SIG API Machinery, Network, Scalability, Testing and Windows]
Kubectl wait command with jsonpath flag will wait for target path appear until timeout. (kubernetes/kubernetes#109525, @jonyhy96) [SIG CLI and Testing]
Kubelet external Credential Provider feature is moved to GA. Credential Provider Plugin and Credential Provider Config APIs updated from v1beta1 to v1 with no API changes. (kubernetes/kubernetes#111616, @ndixita) [SIG API Machinery, Node, Scheduling and Testing]
The DynamicKubeletConfig feature gate has been removed from the API server. Dynamic kubelet reconfiguration now cannot be used even when older nodes are still attempting to rely on it. This is aligned with the Kubernetes version skew policy. (kubernetes/kubernetes#112643, @SergeyKanzhelev) [SIG API Machinery, Apps, Auth, Node and Testing]
Add kubernetes_feature_enabled metric series to track whether each active feature gate is enabled. (kubernetes/kubernetes#112690, @logicalhan) [SIG API Machinery, Architecture, Cluster Lifecycle, Instrumentation, Network, Node and Scheduling]
Introduce v1beta3 for Priority and Fairness with the following changes to the API spec:
- rename 'assuredConcurrencyShares' (located under spec.limited') to 'nominalConcurrencyShares'
- apply strategic merge patch annotations to 'Conditions' of flowschemas and prioritylevelconfigurations (kubernetes/kubernetes#112306, @tkashem) [SIG API Machinery and Testing]
Legacy klog flags are no longer available. Only -v and -vmodule are still supported. (kubernetes/kubernetes#112120, @pohly) [SIG Architecture, CLI, Instrumentation, Node and Testing]
The feature gates ServiceLoadBalancerClass and ServiceLBNodePortControl have been removed. These feature gates were enabled (and locked) since v1.24. (kubernetes/kubernetes#112577, @andrewsykim) [SIG Apps]
Add auth API to get self subject attributes (new selfsubjectreviews API is added). The corresponding command for kubctl is provided - kubectl auth whoami. (kubernetes/kubernetes#111333, @nabokihms) [SIG API Machinery, Auth, CLI and Testing]
Clarified the CFS quota as 100ms in the code comments and set the minimum cpuCFSQuotaPeriod to 1ms to match Linux kernel expectations. (kubernetes/kubernetes#112123, @paskal) [SIG API Machinery and Node]
Component-base: make the validation logic about LeaderElectionConfiguration consistent between component-base and client-go (kubernetes/kubernetes#111758, @SataQiu) [SIG API Machinery and Scheduling]
Fixes spurious field is immutable errors validating updates to Event API objects via the events.k8s.io/v1 API (kubernetes/kubernetes#112183, @liggitt) [SIG Apps]
Protobuf serialization of metav1.MicroTime timestamps (used in Lease and Event API objects) has been corrected to truncate to microsecond precision, to match the documented behavior and JSON/YAML serialization. Any existing persisted data is truncated to microsecond when read from etcd. (kubernetes/kubernetes#111936, @haoruan) [SIG API Machinery]
Revert regression that prevented client-go latency metrics to be reported with a template URL to avoid label cardinality. (kubernetes/kubernetes#111752, @aanm) [SIG API Machinery]
[kubelet] Change default cpuCFSQuotaPeriod value with enabled cpuCFSQuotaPeriod flag from 100ms to 100µs to match the Linux CFS and k8s defaults. cpuCFSQuotaPeriod of 100ms now requires customCPUCFSQuotaPeriod flag to be set to work. (kubernetes/kubernetes#111520, @paskal) [SIG API Machinery and Node]

`v25.11.0`

Compare Source

fix: use local logger instance to prevent reconfiguring user's logger (#271, @tomplus)
feat: load certificates from plugin exec (#269, @multani)
fix: add dynamic package to setup.py and init.py (#266, @Jean-Daniel)
feat: add Dynamic Client support (#260, @bobh66)
feat: support refreshing exec api credentials (#258, @harryharpel)

Kubernetes API Version: v1.25.11

API Change

Revert regression that prevented client-go latency metrics to be reported with a template URL to avoid label cardinality. (kubernetes/kubernetes#112055, @aanm) [SIG API Machinery]
Add NodeInclusionPolicy to TopologySpreadConstraints in PodSpec. (kubernetes/kubernetes#108492, @kerthcet)
Added KMS v2alpha1 support. (kubernetes/kubernetes#111126, @aramase)
Added a deprecated warning for node beta label usage in PV/SC/RC and CSI Storage Capacity. (kubernetes/kubernetes#108554, @pacoxu)
Added a new feature gate CheckpointRestore to enable support to checkpoint containers. If enabled it is possible to checkpoint a container using the newly kubelet API (/checkpoint/{podNamespace}/{podName}/{containerName}). (kubernetes/kubernetes#104907, @adrianreber) [SIG Node and Testing]
Added alpha support for user namespaces in pods phase 1 (KEP 127, feature gate: UserNamespacesStatelessPodsSupport) (kubernetes/kubernetes#111090, @rata)
As of v1.25, the PodSecurity restricted level no longer requires pods that set .spec.os.name="windows" to also set Linux-specific securityContext fields. If a 1.25+ cluster has unsupported out-of-skew nodes prior to v1.23 and wants to ensure namespaces enforcing the restricted policy continue to require Linux-specific securityContext fields on all pods, ensure a version of the restricted prior to v1.25 is selected by labeling the namespace (for example, pod-security.kubernetes.io/enforce-version: v1.24) (kubernetes/kubernetes#105919, @ravisantoshgudimetla)
Changed ownership semantics of PersistentVolume's spec.claimRef from atomic to granular. (kubernetes/kubernetes#110495, @alexzielenski)
Extended ContainerStatus CRI API to allow runtime response with container resource requests and limits that are in effect.
- UpdateContainerResources CRI API now supports both Linux and Windows. (kubernetes/kubernetes#111645, @vinaykul)
For v1.25, Kubernetes will be using Golang 1.19, In this MR the version is updated to 1.19rc2 as GA is not yet available. (kubernetes/kubernetes#111254, @dims)
Introduced NodeIPAM support for multiple ClusterCIDRs (kubernetes/kubernetes#2593) as an alpha feature. Set feature gate MultiCIDRRangeAllocator=true, determines whether the MultiCIDRRangeAllocator controller can be used, while the kube-controller-manager flag below will pick the active controller. Enabled the MultiCIDRRangeAllocator by setting --cidr-allocator-type=MultiCIDRRangeAllocator flag in kube-controller-manager. (kubernetes/kubernetes#109090, @sarveshr7)
Introduced PodHasNetwork condition for pods. (kubernetes/kubernetes#111358, @ddebroy)
Introduced support for handling pod failures with respect to the configured pod failure policy rules. (kubernetes/kubernetes#111113, @mimowo)
Introduction of the DisruptionTarget pod condition type. Its reason field indicates the reason for pod termination:
- PreemptionByKubeScheduler (Pod preempted by kube-scheduler)
- DeletionByTaintManager (Pod deleted by taint manager due to NoExecute taint)
- EvictionByEvictionAPI (Pod evicted by Eviction API)
- DeletionByPodGC (an orphaned Pod deleted by PodGC) (kubernetes/kubernetes#110959, @mimowo)
Kube-Scheduler ComponentConfig is graduated to GA, kubescheduler.config.k8s.io/v1 is available now. Plugin SelectorSpread is removed in v1. (kubernetes/kubernetes#110534, @kerthcet)
Local Storage Capacity Isolation feature is GA in 1.25 release. For systems (rootless) that cannot check root file system, please use kubelet config --local-storage-capacity-isolation=false to disable this feature. Once disabled, pod cannot set local ephemeral storage request/limit, and emptyDir sizeLimit niether. (kubernetes/kubernetes#111513, @jingxu97)
Make PodSpec.Ports' description clearer on how this information is only informational and how it can be incorrect. (kubernetes/kubernetes#110564, @j4m3s-s) [SIG API Machinery, Network and Node]
On compatible systems, a mounter's Unmount implementation is changed to not return an error when the specified target can be detected as not a mount point. On Linux, the behavior of detecting a mount point depends on umount command is validated when the mounter is created. Additionally, mount point checks will be skipped in CleanupMountPoint/CleanupMountWithForce if the mounter's Unmount having the changed behavior of not returning error when target is not a mount point. (kubernetes/kubernetes#109676, @cartermckinnon) [SIG Storage]
PersistentVolumeClaim objects are no longer left with storage class set to nil forever, but will be updated retroactively once any StorageClass is set or created as default. (kubernetes/kubernetes#111467, @RomanBednar)
Promote StatefulSet minReadySeconds to GA. This means --feature-gates=StatefulSetMinReadySeconds=true are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation (kubernetes/kubernetes#110896, @ravisantoshgudimetla) [SIG API Machinery, Apps and Testing]
Promoted CronJob's TimeZone support to beta. (kubernetes/kubernetes#111435, @soltysh)
Promoted DaemonSet MaxSurge to GA. This means --feature-gates=DaemonSetUpdateSurge=true are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation . (kubernetes/kubernetes#111194, @ravisantoshgudimetla)
Scheduler: included supported ScoringStrategyType list in error message for NodeResourcesFit plugin (kubernetes/kubernetes#111206, @SataQiu)
The Go API for logging configuration in k8s.io/component-base was moved to k8s.io/component-base/logs/api/v1. The configuration file format and command line flags are the same as before. (kubernetes/kubernetes#105797, @pohly)
The Pod spec.podOS field is promoted to GA. The IdentifyPodOS feature gate unconditionally enabled, and will no longer be accepted as a --feature-gates parameter in 1.27. (kubernetes/kubernetes#111229, @ravisantoshgudimetla)
The PodTopologySpread is respected after rolling upgrades. (kubernetes/kubernetes#111441, @denkensk)
The CSIInlineVolume feature has moved from beta to GA. (kubernetes/kubernetes#111258, @dobsonj)
The PodSecurity admission plugin has graduated to GA and is enabled by default. The admission configuration version has been promoted to pod-security.admission.config.k8s.io/v1. (kubernetes/kubernetes#110459, @wangyysde)
The endPort field in Network Policy is now promoted to GA Network Policy providers that support endPort field now can use it to specify a range of ports to apply a Network Policy. Previously, each Network Policy could only target a single port. Please be aware that endPort field MUST BE SUPPORTED by the Network Policy provider. In case your provider does not support endPort and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port). (kubernetes/kubernetes#110868, @rikatz)
The metadata.clusterName field is completely removed. This should not have any user-visible impact. (kubernetes/kubernetes#109602, @lavalamp)
The minDomains field in Pod Topology Spread is graduated to beta (kubernetes/kubernetes#110388, @sanposhiho) [SIG API Machinery and Apps]
The command line flag enable-taint-manager for kube-controller-manager is deprecated and will be removed in 1.26. The feature that it supports, taint based eviction, is enabled by default and will continue to be implicitly enabled when the flag is removed. (kubernetes/kubernetes#111411, @alculquicondor)
This release added support for NodeExpandSecret for CSI driver client which enables the CSI drivers to make use of this secret while performing node expansion operation based on the user request. Previously there was no secret provided as part of the nodeexpansion call, thus CSI drivers did not make use of the same while expanding the volume at the node side. (kubernetes/kubernetes#105963, @zhucan)
Ephemeral Containers are now generally available (GA). The EphemeralContainers feature gate is always enabled and should be removed from --feature-gates flag on the kube-apiserver and the kubelet command lines. The EphemeralContainers feature gate is deprecated and scheduled for removal in a future release. (kubernetes/kubernetes#111402, @verb)
Introduces support for handling pod failures with respect to the configured pod failure policy rules (kubernetes/kubernetes#111113, @mimowo) [SIG API Machinery, Apps, Auth, Scheduling and Testing]
NodeIPAM support for multiple ClusterCIDRs (https://github.com/kubernetes/enhancements/issues/2593) introduced as an alpha feature. Setting feature gate MultiCIDRRangeAllocator=true, determines whether the MultiCIDRRangeAllocator controller can be used, while the kube-controller-manager flag below will pick the active controller. Enable the MultiCIDRRangeAllocator by setting --cidr-allocator-type=MultiCIDRRangeAllocator flag in kube-controller-manager. (kubernetes/kubernetes#109090, @sarveshr7) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Instrumentation, Network and Testing]
The CSIInlineVolume feature has moved from beta to GA. (kubernetes/kubernetes#111258, @dobsonj) [SIG API Machinery, Apps, Auth, Instrumentation, Storage and Testing]
Added alpha support for user namespaces in pods phase 1 (KEP 127, feature gate: UserNamespacesSupport) (kubernetes/kubernetes#111090, @rata) [SIG Apps, Auth, Network, Node, Storage and Testing]
Adds KMS v2alpha1 support (kubernetes/kubernetes#111126, @aramase) [SIG API Machinery, Auth, Instrumentation and Testing]
As of v1.25, the PodSecurity restricted level no longer requires pods that set .spec.os.name="windows" to also set Linux-specific securityContext fields. If a 1.25+ cluster has unsupported out-of-skew nodes prior to v1.23 and wants to ensure namespaces enforcing the restricted policy continue to require Linux-specific securityContext fields on all pods, ensure a version of the restricted prior to v1.25 is selected by labeling the namespace (for example, pod-security.kubernetes.io/enforce-version: v1.24) (kubernetes/kubernetes#105919, @ravisantoshgudimetla) [SIG API Machinery, Apps, Auth, Testing and Windows]
Changes ownership semantics of PersistentVolume's spec.claimRef from atomic to granular. (kubernetes/kubernetes#110495, @alexzielenski) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Instrumentation and Testing]
Extends ContainerStatus CRI API to allow runtime response with container resource requests and limits that are in effect.
- UpdateContainerResources CRI API now supports both Linux and Windows. For details, see KEPs below. (kubernetes/kubernetes#111645, @vinaykul) [SIG Node]
For v1.25, Kubernetes will be using golang 1.19, In this MR we update to 1.19rc2 as GA is not yet available. (kubernetes/kubernetes#111254, @dims) [SIG Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
Introduce PodHasNetwork condition for pods (kubernetes/kubernetes#111358, @ddebroy) [SIG Apps, Node and Testing]
Introduction of the DisruptionTarget pod condition type. Its reason field indicates the reason for pod termination:
- PreemptionByKubeScheduler (Pod preempted by kube-scheduler)
- DeletionByTaintManager (Pod deleted by taint manager due to NoExecute taint)
- EvictionByEvictionAPI (Pod evicted by Eviction API)
- DeletionByPodGC (an orphaned Pod deleted by PodGC) (kubernetes/kubernetes#110959, @mimowo) [SIG Apps, Auth, Node, Scheduling and Testing]
Kube-Scheduler ComponentConfig is graduated to GA, kubescheduler.config.k8s.io/v1 is available now. Plugin SelectorSpread is removed in v1. (kubernetes/kubernetes#110534, @kerthcet) [SIG API Machinery, Scheduling and Testing]
Local Storage Capacity Isolation feature is GA in 1.25 release. For systems (rootless) that cannot check root file system, please use kubelet config --local-storage-capacity-isolation=false to disable this feature. Once disabled, pod cannot set local ephemeral storage request/limit, and emptyDir sizeLimit niether. (kubernetes/kubernetes#111513, @jingxu97) [SIG API Machinery, Node, Scalability and Scheduling]
PersistentVolumeClaim objects are no longer left with storage class set to nil forever, but will be updated retroactively once any StorageClass is set or created as default. (kubernetes/kubernetes#111467, @RomanBednar) [SIG Apps, Storage and Testing]
Promote CronJob's TimeZone support to beta (kubernetes/kubernetes#111435, @soltysh) [SIG API Machinery, Apps and Testing]
Promote DaemonSet MaxSurge to GA. This means --feature-gates=DaemonSetUpdateSurge=true are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation (kubernetes/kubernetes#111194, @ravisantoshgudimetla) [SIG Apps]
Respect PodTopologySpread after rolling upgrades (kubernetes/kubernetes#111441, @denkensk) [SIG API Machinery, Apps, Scheduling and Testing]
Scheduler: include supported ScoringStrategyType list in error message for NodeResourcesFit plugin (kubernetes/kubernetes#111206, @SataQiu) [SIG Scheduling]
The Pod spec.podOS field is promoted to GA. The IdentifyPodOS feature gate unconditionally enabled, and will no longer be accepted as a --feature-gates parameter in 1.27. (kubernetes/kubernetes#111229, @ravisantoshgudimetla) [SIG API Machinery, Apps and Windows]
The command line flag enable-taint-manager for kube-controller-manager is deprecated and will be removed in 1.26. The feature that it supports, taint based eviction, is enabled by default and will continue to be implicitly enabled when the flag is removed. (kubernetes/kubernetes#111411, @alculquicondor) [SIG API Machinery]
Ephemeral Containers are now generally available. The EphemeralContainers feature gate is always enabled and should be removed from --feature-gates flag on the kube-apiserver and the kubelet command lines. The EphemeralContainers feature gate is deprecated and scheduled for removal in a future release. (kubernetes/kubernetes#111402, @verb) [SIG API Machinery, Apps, Node, Storage and Testing]
Added a new feature gate CheckpointRestore to enable support to checkpoint containers. If enabled it is possible to checkpoint a container using the newly kubelet API (/checkpoint/{podNamespace}/{podName}/{containerName}). (kubernetes/kubernetes#104907, @adrianreber) [SIG Node and Testing]
EndPort field in Network Policy is now promoted to GA Network Policy providers that support endPort field now can use it to specify a range of ports to apply a Network Policy. Previously, each Network Policy could only target a single port. Please be aware that endPort field MUST BE SUPPORTED by the Network Policy provider. In case your provider does not support endPort and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port). (kubernetes/kubernetes#110868, @rikatz) [SIG API Machinery, Network and Testing]
Make PodSpec.Ports' description clearer on how this information is only informational and how it can be incorrect. (kubernetes/kubernetes#110564, @j4m3s-s) [SIG API Machinery, Network and Node]
On compatible systems, a mounter's Unmount implementation is changed to not return an error when the specified target can be detected as not a mount point. On Linux, the behavior of detecting a mount point depends on umount command is validated when the mounter is created. Additionally, mount point checks will be skipped in CleanupMountPoint/CleanupMountWithForce if the mounter's Unmount having the changed behavior of not returning error when target is not a mount point. (kubernetes/kubernetes#109676, @cartermckinnon) [SIG Storage]
Promote StatefulSet minReadySeconds to GA. This means --feature-gates=StatefulSetMinReadySeconds=true are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation (kubernetes/kubernetes#110896, @ravisantoshgudimetla) [SIG API Machinery, Apps and Testing]
The Pod spec.podOS field is promoted to GA. The IdentifyPodOS feature gate unconditionally enabled, and will no longer be accepted as a --feature-gates parameter in 1.27. (kubernetes/kubernetes#111229, @ravisantoshgudimetla) [SIG API Machinery, Apps and Windows]
The minDomains field in Pod Topology Spread is graduated to beta (kubernetes/kubernetes#110388, @sanposhiho) [SIG API Machinery and Apps]
The Go API for logging configuration in k8s.io/component-base was moved to k8s.io/component-base/logs/api/v1. The configuration file format and command line flags are the same as before. (kubernetes/kubernetes#105797, @pohly) [SIG API Machinery, Architecture, Cluster Lifecycle, Instrumentation, Node, Scheduling and Testing]
The PodSecurity admission plugin has graduated to GA and is enabled by default. The admission configuration version has been promoted to pod-security.admission.config.k8s.io/v1. (kubernetes/kubernetes#110459, @wangyysde) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node, Storage and Testing]
Introduce NodeInclusionPolicies to specify nodeAffinity/nodeTaint strategy when calculating pod topology spread skew. (kubernetes/kubernetes#108492, @kerthcet) [SIG API Machinery, Apps, Scheduling and Testing]
The metadata.clusterName field is completely removed. This should not have any user-visible impact. (kubernetes/kubernetes#109602, @lavalamp) [SIG API Machinery, Apps, Auth and Testing]
This release add support for NodeExpandSecret for CSI driver client which enables the CSI drivers to make use of this secret while performing node expansion operation based on the user request. Previously there was no secret provided as part of the nodeexpansion call, thus CSI drivers were not make use of the same while expanding the volume at node side. (kubernetes/kubernetes#105963, @zhucan) [SIG API Machinery, Apps and Storage]

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited Aug 11, 2024 by Yaook Bot

chore(deps): update dependency kubernetes-asyncio to v30 - autoclosed

Release Notes

API Change

API Change

API Change

API Change

API Change

API Change

API Change

Configuration

Merge request reports