
chore(deps): update dependency kubernetes-asyncio to v32 #69

Open. Wants to merge 1 commit into base: main.

Conversation

marvin-serp-bot
Contributor

This PR contains the following updates:

Package             Update   Change
kubernetes-asyncio  major    ==28.2.1 -> ==32.0.0

Release Notes

tomplus/kubernetes_asyncio (kubernetes-asyncio)

v32.0.0

Compare Source

Breaking changes:
  • fix rest api aiohttp timeout (#337, @soamicharan)

    This fix may affect you if you don't configure a timeout for watch/stream. Previously it was treated as 5 min; now it's forever.
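As an added illustration of why this breaking change matters (my own code, not code from kubernetes_asyncio or from this PR): before v32 an unconfigured watch/stream gave up after roughly 5 minutes, while from v32 on it waits indefinitely, so an API server that stalls without closing the connection keeps the coroutine and its connection alive for as long as the process lives. The consumer below bounds the wait between events itself with `asyncio.wait_for`; `constructed_stream` is a constructed stand-in for the library's watch iterator that either ends normally or stalls forever. With the real client, to my understanding, the corresponding knobs are the `timeout_seconds` argument of `Watch.stream()` (server-side) and the `_request_timeout` keyword on API calls (client-side); treat both names as an assumption to verify against the version you install.

```python
import asyncio
from typing import AsyncIterator, List

# Added example, not kubernetes_asyncio code. From v32 an unbounded
# watch/stream blocks forever when the server goes silent; this consumer
# bounds the wait between events on its own.


async def consume_watch(events: AsyncIterator[dict], idle_timeout_s: float) -> List[dict]:
    """Drain `events` until the stream ends or no event arrives within idle_timeout_s.

    Returns the events received. On idle timeout the caller gets control back
    and can re-list and re-watch instead of hanging on a dead connection.
    """
    received: List[dict] = []
    it = events.__aiter__()
    while True:
        try:
            ev = await asyncio.wait_for(it.__anext__(), timeout=idle_timeout_s)
        except StopAsyncIteration:
            break  # server closed the stream normally
        except asyncio.TimeoutError:
            break  # silent for too long: stop waiting, the caller decides what to do
        received.append(ev)
    return received


async def constructed_stream(n_events: int, then_stall: bool) -> AsyncIterator[dict]:
    """Constructed stand-in for the library's watch iterator.

    Yields n_events synthetic events, then either ends like a server that
    closes the response, or stalls forever like one that stops sending
    without closing.
    """
    for i in range(n_events):
        yield {"type": "MODIFIED", "object": {"metadata": {"name": f"pod-{i}"}}}
    if then_stall:
        await asyncio.Event().wait()  # never set: blocks until cancelled


def run(n_events: int, then_stall: bool, idle_timeout_s: float = 0.05) -> List[dict]:
    """Run one bounded consumption end to end and return what was received."""
    return asyncio.run(consume_watch(constructed_stream(n_events, then_stall), idle_timeout_s))


if __name__ == "__main__":
    print(len(run(3, then_stall=False)))  # 3: stream ended normally
    print(len(run(2, then_stall=True)))   # 2: idle timeout fired instead of hanging
```

The idle timeout is deliberately a client-side bound: a server-side `timeout_seconds` ends a healthy watch too, whereas the wrapper above only gives up when nothing arrives, which is the case the new default no longer protects against.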

API Change
  • ACTION REQUIRED for custom scheduler plugin developers:
    PodEligibleToPreemptOthers in the preemption interface now includes ctx in the parameters.
    Please update your plugins' implementation accordingly. (#​126465, @​googs1025) [SIG Scheduling]

  • Changed NodeToStatusMap from a map to a struct and exposed methods to access the entries. Added absentNodesStatus, which informs the status of nodes that are absent in the map. For developers of out-of-tree PostFilter plugins, ensure to update the usage of NodeToStatusMap. Additionally, NodeToStatusMap should eventually be renamed to NodeToStatusReader. (#​126022, @​macsko) [SIG Node, Scheduling, and Testing]

  • A new /resize subresource was added to request pod resource resizing. Update your k8s client code to utilize the /resize subresource for Pod resizing operations. (#​128266, @​AnishShah) [SIG API Machinery, Apps, Node and Testing]

  • A new feature that allows unsafe deletion of corrupt resources has been added. It is disabled by default
    and can be enabled by setting the option --feature-gates=AllowUnsafeMalformedObjectDeletion=true.
    It comes with an API change: a new delete option, ignoreStoreReadErrorWithClusterBreakingPotential, has
    been introduced. It is not set by default, which maintains backward compatibility.
    In order to perform an unsafe deletion of a corrupt resource, the user must enable the option for the delete
    request. A resource is considered corrupt if it cannot be successfully retrieved from the storage due to
    a) a transformation error, e.g. decryption failure, or b) the object failing to decode. The normal deletion flow is
    attempted first, and if it fails with a corrupt resource error then it triggers unsafe delete.
    In addition, when this feature is enabled, the 'details' field of 'Status' from the LIST response
    includes information that identifies the corrupt object(s).
    NOTE: unsafe deletion ignores finalizer constraints, and skips precondition checks.
    WARNING: this may break the workload associated with the resource being unsafe-deleted, if it relies on
    the normal deletion flow, so cluster breaking consequences apply. (#127513, @tkashem) [SIG API Machinery, Etcd, Node and Testing]

  • Added singleProcessOOMKill flag to the kubelet configuration. Setting it to true enables single process OOM killing in cgroups v2. In this mode, if a single process is OOM killed within a container, the remaining processes will not be OOM killed. (#126096, @utam0k) [SIG API Machinery, Node, Testing and Windows]

  • Added a /flagz endpoint for kube-apiserver endpoint. (#​127581, @​richabanker) [SIG API Machinery, Architecture, Auth and Instrumentation]

  • Added a Stream field to PodLogOptions, which allows clients to request certain log stream (stdout or stderr) of the container.
    Please also note that the combination of a specific Stream and TailLines is not supported. (#​127360, @​knight42) [SIG API Machinery, Apps, Architecture, Node, Release and Testing]

  • Added alpha support for asynchronous Pod preemption.
    When the SchedulerAsyncPreemption feature gate is enabled, the scheduler now runs API calls to trigger preemptions asynchronously for better performance. (#​128170, @​sanposhiho) [SIG Scheduling and Testing]

  • Added driver-owned fields in ResourceClaim.Status to report device status data for each allocated device. (#​128240, @​LionelJouin) [SIG API Machinery, Network, Node and Testing]

  • Added enforcement of an upper cost bound for DRA evaluations of CEL. The API server and scheduler now enforce an upper bound on the cost and runtime steps required for evaluating a CEL expression. (#​128101, @​pohly) [SIG API Machinery and Node]

  • Added the ability to change the maximum backoff delay accrued between container restarts for a node for containers in CrashLoopBackOff. To set this for a node, turn on the feature gate KubeletCrashLoopBackoffMax and set the CrashLoopBackOff.MaxContainerRestartPeriod field between "1s" and "300s" in your kubelet config file. (#​128374, @​lauralorenz) [SIG API Machinery and Node]

  • Allow for Pod search domains to be a single dot . or contain an underscore _ (#​127167, @​adrianmoisey) [SIG Apps, Network and Testing]

  • Annotation batch.kubernetes.io/cronjob-scheduled-timestamp added to Job objects scheduled from CronJobs is promoted to stable. (#​128336, @​soltysh)

  • Apply fsGroup policy for ReadWriteOncePod volumes. (#​128244, @​gnufied) [SIG Storage and Testing]

  • Changed the Pod API to support resources at spec level for pod-level resources. (#​128407, @​ndixita) [SIG API Machinery, Apps, CLI, Cluster Lifecycle, Node, Release, Scheduling and Testing]

  • ContainerStatus.AllocatedResources is now guarded by a separate feature gate, InPlacePodVerticalScalingAllocatedStatus (#128377, @tallclair) [SIG API Machinery, CLI, Node, Scheduling and Testing]

  • Coordination.v1alpha1 API is dropped and replaced with coordination.v1alpha2. Old coordination.v1alpha1 types must be deleted before upgrade (#​127857, @​Jefftree) [SIG API Machinery, Etcd, Scheduling and Testing]

  • DRA: Restricted the length of opaque device configuration parameters. At admission time, Kubernetes enforces a 10KiB size limit. (#​128601, @​pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]

  • DRA: scheduling pods is up to 16x faster, depending on the scenario. Scheduling throughput depends a lot on cluster utilization. It is higher for lightly loaded clusters with free resources and gets lower when the cluster utilization increases. (#​127277, @​pohly) [SIG API Machinery, Apps, Architecture, Auth, Etcd, Instrumentation, Node, Scheduling and Testing]

  • DRA: the DeviceRequestAllocationResult struct now has an "AdminAccess" field which should be used instead of the corresponding field in the DeviceRequest field when dealing with an allocation. If a device is only allocated for admin access, allocating it again for normal usage is now supported, as originally intended. To allow admin access, starting with 1.32 the DRAAdminAccess feature gate must be enabled. (#​127266, @​pohly) [SIG API Machinery, Apps, Auth, Etcd, Network, Node, Scheduling and Testing]

  • Disallow k8s.io and kubernetes.io namespaced extra key in structured authentication configuration. (#​126553, @​aramase) [SIG Auth]

  • Fixed a bug in the NestedNumberAsFloat64 Unstructured field accessor that could have caused it to return rounded float64 values instead of errors when accessing very large int64 values. (#​128099, @​benluddy)

  • Fixed the bug where spec.terminationGracePeriodSeconds of the pod would always be overwritten by the MaxPodGracePeriodSeconds of the soft eviction. You can enable the AllowOverwriteTerminationGracePeriodSeconds feature gate, which will restore the previous behavior. If you do need to set this, please file an issue with the Kubernetes project to help contributors understand why you needed it. (#122890, @HirazawaUi) [SIG API Machinery, Architecture, Node and Testing]

  • Graduated Job's ManagedBy field to beta. (#​127402, @​mimowo) [SIG API Machinery, Apps and Testing]

  • Implemented a new, alpha seLinuxChangePolicy field within a Pod-level securityContext, under SELinuxChangePolicy feature gate. This field allows for opting out from mounting Pod volumes with SELinux label when SELinuxMount feature is enabled (it is alpha and disabled by default now).
    Please see the KEP how we expect to warn users before any SELinux behavior changes and how they can opt-out before. Note that this field and feature gate is useful only with clusters that run with SELinux enabled. No action is required on clusters without SELinux. (#​127981, @​jsafrane) [SIG API Machinery, Apps, Architecture, Node, Storage and Testing]

  • Introduced v1alpha1 API for mutating admission policies, enabling extensible admission control via CEL expressions (KEP 3962: Mutating Admission Policies). To use, enable the MutatingAdmissionPolicy feature gate and the admissionregistration.k8s.io/v1alpha1 API via --runtime-config. (#127134, @jpbetz) [SIG API Machinery, Auth, Etcd and Testing]

  • Introduced compressible resource setting on system reserved and kube reserved slices. (#​125982, @​harche)

  • kube-apiserver: Promoted the StructuredAuthorizationConfiguration feature gate to GA. The --authorization-config flag now accepts AuthorizationConfiguration in version apiserver.config.k8s.io/v1 (with no changes from apiserver.config.k8s.io/v1beta1). (#​128172, @​liggitt) [SIG API Machinery, Auth and Testing]

  • kube-proxy now reconciles Service/Endpoint changes with conntrack table and cleans up only stale UDP flow entries (#​127318, @​aroradaman) [SIG Network and Windows]

  • kube-scheduler removed the AzureDiskLimits, CinderLimits, EBSLimits and GCEPDLimits plugins. Given that the corresponding CSI driver reports how many volumes a node can handle in NodeGetInfoResponse, the kubelet stores this limit in CSINode and the scheduler then knows the limit of the driver on the node. Remove the plugins AzureDiskLimits, CinderLimits, EBSLimits and GCEPDLimits if you explicitly enabled them in the scheduler config. (#124003, @carlory) [SIG Scheduling, Storage and Testing]

  • kubelet: the --image-credential-provider-config file was loaded with strict deserialization, which failed if the config file contained duplicate or unknown fields. This protected against accidentally running with malformed config files, unindented files, or typos in field names, and it prevented unexpected behavior. (#​128062, @​aramase) [SIG Auth and Node]

  • NodeRestriction admission now validates the audience value that kubelet is requesting a service account token for is part of the pod spec volume. This change is introduced with a new kube-apiserver featuregate ServiceAccountNodeAudienceRestriction that's enabled by default. (#​128077, @​aramase) [SIG Auth, Storage and Testing]

  • Promoted CustomResourceFieldSelectors to stable; the feature was enabled by default. The --feature-gates=CustomResourceFieldSelectors=true flag was no longer needed on kube-apiserver binaries and would be removed in a future release. (#​127673, @​jpbetz) [SIG API Machinery and Testing]

  • Promoted feature gate StatefulSetAutoDeletePVC from beta to stable. (#​128247, @​mattcary) [SIG API Machinery, Apps, Auth and Testing]

  • Removed all support for classic dynamic resource allocation (DRA). The DRAControlPlaneController feature gate, formerly alpha, is no longer available. Kubernetes now only uses the structured parameters model (also alpha) for allocating dynamic resources to Pods.

    If and only if classic DRA was enabled in a cluster, remove all workloads (pods, app deployments, etc.) which depend on classic DRA and make sure that all PodSchedulingContext resources are gone before upgrading. PodSchedulingContext resources cannot be removed through the apiserver after an upgrade and workloads would not work properly. (#128003, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]

  • Removed generally available feature gate HPAContainerMetrics (#​126862, @​carlory) [SIG API Machinery, Apps and Autoscaling]

  • Removed restrictions on subresource flag in kubectl commands (#​128296, @​AnishShah) [SIG CLI]

  • Revised the kubelet API Authorization with new subresources, that allow finer-grained authorization checks and access control for kubelet endpoints.
    Provided you enable the KubeletFineGrainedAuthz feature gate, you can access kubelet's /healthz endpoint by granting the caller nodes/healthz permission in RBAC.
    Similarly, you can access kubelet's /pods endpoint to fetch a list of Pods bound to that node by granting the caller nodes/pods permission in RBAC.
    Similarly, you can access kubelet's /configz endpoint to fetch kubelet's configuration by granting the caller nodes/configz permission in RBAC.
    You can still access kubelet's /healthz, /pods and /configz by granting the caller nodes/proxy permission in RBAC, but that also grants the caller permissions to exec, run and attach to containers on the nodes, and doing so does not follow the least privilege principle. Granting callers more permissions than they need can give attackers an opportunity to escalate privileges. (#126347, @vinayakankugoyal) [SIG API Machinery, Auth, Cluster Lifecycle and Node]
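An added example of how a defender can act on the note above (my own code, not Kubernetes project code): a small audit over RBAC rules, represented as plain dicts shaped like rbac.authorization.k8s.io/v1 PolicyRule, that flags every rule reaching nodes/proxy (directly or through a wildcard) and names the narrower subresources from the note that can replace it once the KubeletFineGrainedAuthz feature gate is on. The three ClusterRoles at the bottom are constructed samples with hypothetical names.

```python
from typing import Dict, List

# Added example, not Kubernetes project code. Audits RBAC rules (plain dicts
# shaped like rbac.authorization.k8s.io/v1 PolicyRule) for grants that reach
# nodes/proxy. With the KubeletFineGrainedAuthz gate from the 1.32 note, a
# caller that only needs /healthz, /pods or /configz can be given the narrow
# subresources instead of nodes/proxy, which also reaches exec/run/attach.

# Narrow subresources named in the release note, keyed by kubelet endpoint.
FINE_GRAINED: Dict[str, str] = {
    "/healthz": "nodes/healthz",
    "/pods": "nodes/pods",
    "/configz": "nodes/configz",
}

# Resource spellings under which a rule in the core API group reaches nodes/proxy.
BROAD_RESOURCES = {"nodes/proxy", "nodes/*", "*"}


def rule_reaches_nodes_proxy(rule: Dict) -> bool:
    """True if a PolicyRule grants nodes/proxy directly or via a wildcard."""
    groups = rule.get("apiGroups", [])
    in_core_group = "" in groups or "*" in groups
    return in_core_group and any(r in BROAD_RESOURCES for r in rule.get("resources", []))


def audit_role(role: Dict) -> List[str]:
    """Return one finding per rule of `role` that reaches nodes/proxy."""
    name = role["metadata"]["name"]
    findings: List[str] = []
    for idx, rule in enumerate(role.get("rules", [])):
        if rule_reaches_nodes_proxy(rule):
            verbs = ",".join(sorted(rule.get("verbs", [])))
            narrow = ", ".join(FINE_GRAINED.values())
            findings.append(
                f"{name}: rule {idx} grants nodes/proxy (verbs: {verbs}); "
                f"if the caller only needs the kubelet read endpoints, grant {narrow} instead"
            )
    return findings


def audit_roles(roles: List[Dict]) -> Dict[str, List[str]]:
    """Audit several roles; an empty list means no broad kubelet grant was found."""
    return {r["metadata"]["name"]: audit_role(r) for r in roles}


# Constructed sample roles (hypothetical names): one broad, one narrow, one wildcard.
CONSTRUCTED_ROLES: List[Dict] = [
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "node-monitor-broad"},
        "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get", "create"]}],
    },
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "node-monitor-narrow"},
        "rules": [{"apiGroups": [""], "resources": ["nodes/healthz", "nodes/pods"], "verbs": ["get"]}],
    },
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "wildcard-admin"},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    },
]


if __name__ == "__main__":
    for role_name, findings in audit_roles(CONSTRUCTED_ROLES).items():
        print(role_name, "->", findings or "ok")
```

Feeding it real objects is a matter of loading `kubectl get clusterroles -o json` and passing the `items` list; the wildcard case is included because `resources: ["*"]` reaches nodes/proxy just as surely as naming it.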

  • The core functionality of Dynamic Resource Allocation (DRA) got promoted to beta. No action is required when upgrading, the previous v1alpha3 API is still supported, so existing deployments and DRA drivers based on v1alpha3 continue to work. Downgrading from 1.32 to 1.31 with DRA resources in the cluster (resourceclaims, resourceclaimtemplates, deviceclasses, resourceslices) is not supported because the new v1beta1 is used as storage version and not readable by 1.31. (#​127511, @​pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]

  • The default value for node-monitor-grace-period has been increased to 50s (earlier 40s) (Ref - https://github.com/kubernetes/kubernetes/issues/121793) (#​126287, @​devppratik) [SIG API Machinery, Apps and Node]

  • The resource/v1alpha3.ResourceSliceList field which should have been named "metadata" but was instead named "listMeta" is now properly "metadata". (#126749, @thockin) [SIG API Machinery]

  • The synthetic "Bookmark" event for the watch stream requests will now include a new annotation: kubernetes.io/initial-events-list-blueprint. The annotation contains an empty, versioned list that is encoded in the requested format (such as protobuf, JSON, or CBOR), then base64-encoded and stored as a string. (#127587, @p0lyn0mial) [SIG API Machinery]

  • To enhance usability and developer experience, CRD validation rules now support direct use of (CEL) reserved keywords as field names in object validation expressions.
    Name format CEL library is supported in new expressions. (#​126977, @​aaron-prindle) [SIG API Machinery, Architecture, Auth, Etcd, Instrumentation, Release, Scheduling and Testing]

  • Updated incorrect description of persistentVolumeClaimRetentionPolicy (#​126545, @​yangjunmyfm192085) [SIG API Machinery, Apps and CLI]

  • X.509 client certificate authentication to the kube-apiserver now produces credential IDs (derived from the certificate's signature), for use in audit logging. (#125634, @ahmedtd) [SIG API Machinery, Auth and Testing]

v31.1.1

Compare Source

Changes:

v31.1.0

Compare Source

Breaking changes:
  • Websocket connect method returns an asynchronous context manager instead of a websocket (#​328, @​olivier-matz-6wind)

    Example:

    websocket = await core_v1_ws.connect_get_namespaced_pod_exec(...)
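The note shows only the old call shape. The following is an added example (my own code, not kubernetes_asyncio's) of a compatibility wrapper that accepts whichever result a connect_* method gives back: an awaitable resolving to the websocket, as before v31.1.0, or an asynchronous context manager, as the note describes for v31.1.0 on. Either way the socket is closed on both the normal and the error path. `FakeWebSocket`, `old_connect` and `new_connect` are constructed stand-ins; they assume a websocket exposes `receive_str()` and `close()`, which mirrors aiohttp's client websocket but is not taken from the library, and whether the real method must be awaited before entering the context is handled by inspecting the object rather than assumed.

```python
import asyncio
import contextlib
from typing import Any, AsyncIterator, List, Tuple

# Added example, not kubernetes_asyncio code. From v31.1.0 the websocket
# connect_* methods return an asynchronous context manager rather than the
# websocket itself, so
#     websocket = await core_v1_ws.connect_get_namespaced_pod_exec(...)
# becomes
#     async with core_v1_ws.connect_get_namespaced_pod_exec(...) as websocket:
# open_websocket() accepts either result so callers can migrate gradually.


class FakeWebSocket:
    """Constructed stand-in for a client websocket; records whether it was closed."""

    def __init__(self, frames: List[str]) -> None:
        self.frames = list(frames)
        self.closed = False

    async def receive_str(self) -> str:
        return self.frames.pop(0)

    async def close(self) -> None:
        self.closed = True


async def old_connect(ws: FakeWebSocket) -> FakeWebSocket:
    """Pre-v31.1.0 shape: a coroutine that resolves to the websocket."""
    return ws


@contextlib.asynccontextmanager
async def new_connect(ws: FakeWebSocket) -> AsyncIterator[FakeWebSocket]:
    """v31.1.0+ shape: an async context manager that closes the socket on exit."""
    try:
        yield ws
    finally:
        await ws.close()


@contextlib.asynccontextmanager
async def open_websocket(connect_result: Any) -> AsyncIterator[Any]:
    """Yield a websocket from either API shape and always close it afterwards."""
    obj = connect_result
    if not hasattr(obj, "__aenter__") and hasattr(obj, "__await__"):
        obj = await obj  # old shape: await to obtain the socket
    if hasattr(obj, "__aenter__"):
        async with obj as ws:  # new shape: the manager owns close()
            yield ws
    else:
        try:
            yield obj
        finally:
            await obj.close()  # old shape: close it ourselves, also on errors


async def read_exec_output(connect_result: Any, frames: int, fail_midway: bool) -> str:
    """Read `frames` messages from an exec session; optionally raise partway through."""
    chunks: List[str] = []
    async with open_websocket(connect_result) as ws:
        for _ in range(frames):
            chunks.append(await ws.receive_str())
            if fail_midway:
                raise RuntimeError("simulated failure while the session is open")
    return "".join(chunks)


def demo(shape: str, fail_midway: bool = False) -> Tuple[str, bool, bool]:
    """Run one session against the chosen API shape ("old" or "new").

    Returns (output, socket_was_closed, an_error_escaped).
    """
    ws = FakeWebSocket(["stdout: ready\n", "stdout: done\n"])
    connect = old_connect if shape == "old" else new_connect
    try:
        out = asyncio.run(read_exec_output(connect(ws), frames=2, fail_midway=fail_midway))
        return out, ws.closed, False
    except RuntimeError:
        return "", ws.closed, True


if __name__ == "__main__":
    print(demo("old"))                     # ('stdout: ready\nstdout: done\n', True, False)
    print(demo("new"))                     # same output, socket closed as well
    print(demo("new", fail_midway=True))   # ('', True, True): closed despite the error
```

An exec or attach websocket is a live session into a container, so the error-path close matters more here than in ordinary client code; the `async with` form makes it the default, and the wrapper keeps that guarantee while both library versions are still in use across a code base.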

v30.3.1

Compare Source

v30.3.0

Compare Source

API Change
  • Added the feature gates StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks to enforce the strict cost calculation for CEL extended libraries. It is strongly recommended to turn on the feature gates as early as possible. (#124676, @cici37) [SIG API Machinery, Auth, Node and Testing]
  • Improved scheduling performance when there are many nodes and prefilter returns 1-2 nodes (e.g. daemonset).
    For developers of out-of-tree PostFilter plugins, note that the semantics of NodeToStatusMap are changing: a node with an absent value in the NodeToStatusMap should be interpreted as having an UnschedulableAndUnresolvable status. (#125306, @gabesaba) [SIG Scheduling]

v30.1.1

Compare Source

v30.1.0

Compare Source

API Change
  • Fixes a 1.30.0 regression in openapi descriptions of imagePullSecrets and hostAliases fields to mark the fields used as keys in those lists as either defaulted or required. (kubernetes/kubernetes#124553, @​pmalek) [SIG API Machinery]

  • Fixes a 1.30.0 regression in openapi descriptions of imagePullSecrets and hostAliases fields to mark the fields used as keys in those lists as either defaulted or required. (kubernetes/kubernetes#124694, @​pmalek) [SIG API Machinery]

  • Added (alpha) support for the managedBy field on Jobs. Jobs with a custom value of this field - any value other than kubernetes.io/job-controller - were skipped by the job controller, and their reconciliation was delegated to an external controller, indicated by the value of the field. Jobs that didn't have this field at all, or where the field value was the reserved string kubernetes.io/job-controller, were reconciled by the built-in job controller.
    (kubernetes/kubernetes#123273, @​mimowo)

  • Added alpha-level support for the SuccessPolicy in Jobs.
    (kubernetes/kubernetes#123412, @​tenzen-y)

  • Added the CEL library for IP Addresses and CIDRs. This was made available for use starting from version 1.31.
    (kubernetes/kubernetes#121912, @​JoelSpeed)

  • Allowed container runtimes to fix an image garbage collection bug by adding an image_id field to the CRI Container message.
    (kubernetes/kubernetes#123508, @​saschagrunert)

  • Dynamic Resource Allocation: DRA drivers can now use "structured parameters" to let the scheduler handle claim allocation.
    (kubernetes/kubernetes#123516, @​pohly)

  • Fixed accidental enablement of the new alpha optionalOldSelf API field in CustomResourceDefinition validation rules, which should only have been allowed to be set when the CRDValidationRatcheting feature gate is enabled.
    (kubernetes/kubernetes#122329, @​jpbetz)

  • Implemented the prescore extension point for the volumeBinding plugin. It now returns skip if it doesn't do anything in Score.
    (kubernetes/kubernetes#115768, @​AxeZhan)

  • Kubelet would fail if NodeSwap was used with LimitedSwap and cgroupv1 node.
    (kubernetes/kubernetes#123738, @​kannon92)

  • Promoted AdmissionWebhookMatchConditions to GA. The feature is now stable, and the feature gate is now locked to default.
    (kubernetes/kubernetes#123560, @​ivelichkovich)

  • Structured Authentication Configuration now supports DiscoveryURL. If specified, discoveryURL overrides the URL used to fetch discovery information. This is for scenarios where the well-known and jwks endpoints are hosted at a different location than the issuer (such as locally in the cluster).
    (kubernetes/kubernetes#123527, @​aramase)

  • The StorageVersionMigration API, previously available as a Custom Resource Definition (CRD), is now a built-in API in Kubernetes.
    (kubernetes/kubernetes#123344, @​nilekhc)

  • When configuring a JWT authenticator:

    If username.expression used 'claims.email', then 'claims.email_verified' must have been used in username.expression or extra[*].valueExpression or claimValidationRules[*].expression. An example claim validation rule expression that matches the validation automatically applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'.
    (kubernetes/kubernetes#123737, @​enj)

  • readOnly volumes now support recursive read-only mounts for kernel versions >= 5.12.
    (kubernetes/kubernetes#123180, @​AkihiroSuda)

  • cri-api: Implemented KEP-3857: Recursive Read-only (RRO) mounts.
    (kubernetes/kubernetes#123272, @​AkihiroSuda)

  • kube-apiserver: the AuthenticationConfiguration type accepted in --authentication-config files has been promoted to apiserver.config.k8s.io/v1beta1.
    (kubernetes/kubernetes#123696, @​aramase)

  • kubelet allowed specifying a custom root directory for pod logs (instead of the default /var/log/pods) using the podLogsDir key in kubelet configuration.
    (kubernetes/kubernetes#112957, @​mxpv)

  • resource.k8s.io/ResourceClaim (alpha API): The strategic merge patch strategy for the status.reservedFor array was changed so that a strategic-merge-patch can now add individual entries. This change may break clients using strategic merge patch to update status, which rely on the previous behavior (replacing the entire array).
    (kubernetes/kubernetes#122276, @​pohly)

  • Added a CBOR implementation of runtime.Serializer. Until CBOR graduates to Alpha, API servers will refuse to start if configured with CBOR support. (kubernetes/kubernetes#122881, @​benluddy)

  • Added an alpha feature, behind the RelaxedEnvironmentVariableValidation feature gate.
    When that gate is enabled, Kubernetes allows almost all printable ASCII characters to be used in the names
    of environment variables for containers in Pods. (kubernetes/kubernetes#123385, @​HirazawaUi)

  • Added a new (alpha) field, trafficDistribution, to the Service spec to express preferences for traffic distribution to endpoints. Enabled through the ServiceTrafficDistribution feature gate. (kubernetes/kubernetes#123487, @​gauravkghildiyal)

  • Added audienceMatchPolicy field to AuthenticationConfiguration and support for configuring multiple audiences.
    The "audienceMatchPolicy" can be empty (or unset) when a single audience is specified in the "audiences" field.
    The "audienceMatchPolicy" must be set to "MatchAny" when multiple audiences are specified in the "audiences" field. (kubernetes/kubernetes#123165, @​aramase)

  • Added consistent vanity import to files and provided tooling for verifying and updating them. (kubernetes/kubernetes#120642, @​jcchavezs)

  • Added the disable-force-detach CLI option for kube-controller-manager. By default, it's set to false. When enabled, it prevents force detaching volumes based on maximum unmount time and node status. If activated, the non-graceful node shutdown feature must be used to recover from node failure. Additionally, if a pod needs to be forcibly terminated at the risk of corruption, the appropriate VolumeAttachment object must be deleted. (kubernetes/kubernetes#120344, @​rohitssingh)

  • Added to MutableFeatureGate the ability to override the default setting of feature gates, to allow default-enabling a feature on a component-by-component basis instead of for all affected components simultaneously. (kubernetes/kubernetes#122647, @​benluddy)

  • Aggregated discovery supports both v2beta1 and v2 types and feature is promoted to GA. (kubernetes/kubernetes#122882, @​Jefftree)

  • Alpha support for field selectors on custom resources has been added. With the CustomResourceFieldSelectors feature gate enabled, the CustomResourceDefinition API now allows specifying selectableFields. Listing a field there enables filtering custom resources for that CustomResourceDefinition in list or watch requests. (kubernetes/kubernetes#122717, @​jpbetz)

  • AppArmor profiles can now be configured through fields on the PodSecurityContext and container SecurityContext. The beta AppArmor annotations are deprecated, and AppArmor status is no longer included in the node ready condition. (kubernetes/kubernetes#123435, @​tallclair)

  • Contextual logging is now in beta and enabled by default. Check out the KEP and official documentation for more details. (kubernetes/kubernetes#122589, @​pohly)

  • Enabled concurrent log rotation in kubelet. You can now configure the maximum number of concurrent rotations with the containerLogMaxWorkers setting, and adjust the monitoring interval with containerLogMonitorInterval. (kubernetes/kubernetes#114301, @​harshanarayana)

  • Graduated pod scheduling gates to general availability.
    The PodSchedulingReadiness feature gate no longer has any effect, and the
    .spec.schedulingGates field is always available within the Pod and PodTemplate APIs. (kubernetes/kubernetes#123575, @​Huang-Wei)

  • Graduated support for minDomains in pod topology spread constraints, to general availability.
    The MinDomainsInPodTopologySpread feature gate no longer has any effect, and the field is
    always available within the Pod and PodTemplate APIs. (kubernetes/kubernetes#123481, @​sanposhiho)

  • In kubelet configuration, the .memorySwap.swapBehavior field now accepts a new value NoSwap, which becomes the default if unspecified. The previously accepted UnlimitedSwap value has been dropped.
    (kubernetes/kubernetes#122745, @​kannon92)

  • Kube-apiserver: the AuthorizationConfiguration type accepted in --authorization-config files has been promoted to apiserver.config.k8s.io/v1beta1. (kubernetes/kubernetes#123640, @​liggitt)

  • OIDC authentication will now fail if the username asserted based on a CEL expression config is the empty string. Previously the request would be authenticated with the username set to the empty string. (kubernetes/kubernetes#123568, @​enj)

  • Removed note that hostAliases are not supported on hostNetwork Pods from the PodSpec API. The feature has been supported since v1.8. (kubernetes/kubernetes#122422, @​neolit123)

  • Structured Authentication Configuration now supports configuring multiple JWT authenticators. The maximum allowed JWT authenticators in the authentication configuration is 64. (kubernetes/kubernetes#123431, @​aramase)

  • Text logging in Kubernetes components now uses textlogger. The same split streams of info and error log entries with buffering of info entries is now also supported for text output (off by default, alpha feature). Previously, this was only supported for JSON. Performance is better also without split streams. (kubernetes/kubernetes#114672, @​pohly)

  • The API server now detects and fails on startup if there are conflicting issuers between JWT authenticators and service account configurations. Previously, such configurations would run but could be inconsistently effective depending on the credential. (kubernetes/kubernetes#123561, @​enj)

  • The JWT authenticator configuration set via the --authentication-config flag is now dynamically reloaded as the file changes on disk. (kubernetes/kubernetes#123525, @​enj)

  • The StructuredAuthenticationConfiguration feature is now beta and enabled. (kubernetes/kubernetes#123719, @​enj)

  • The kube_codegen tool now ignores the vendor folder during code generation.
    (kubernetes/kubernetes#122729, @​jparrill)

  • The kubernetes repo now uses Go workspaces. This should not impact end users at all, but does have impact for developers of downstream projects. Switching to workspaces caused some breaking changes in the flags to the various k8s.io/code-generator tools. Downstream consumers should look at staging/src/k8s.io/code-generator/kube_codegen.sh to see the changes. (kubernetes/kubernetes#123529, @​thockin)

  • Updated an audit annotation key used by the …/serviceaccounts/<name>/token resource handler.
    The annotation used to persist the issued credential identifier is now authentication.kubernetes.io/issued-credential-id. (kubernetes/kubernetes#123098, @​munnerz) [SIG Auth]

  • Users are now allowed to mutate FSGroupPolicy and PodInfoOnMount in CSIDriver.Spec. (kubernetes/kubernetes#116209, @​haoruan)

  • ValidatingAdmissionPolicy was promoted to GA and will be enabled by default. (kubernetes/kubernetes#123405, @​cici37)

  • When scheduling a mix of pods using ResourceClaims and others that don't, scheduling a pod with ResourceClaims has a lower impact on scheduling latency. (kubernetes/kubernetes#121876, @​pohly)

  • When working with client-go events, it's now recommended to use NewEventBroadcasterAdapterWithContext instead of NewEventBroadcasterAdapter if contextual logging support is needed. (kubernetes/kubernetes#122142, @​pohly)

  • A new (alpha) field, trafficDistribution, has been added to the Service spec.
    This field provides a way to express preferences for how traffic is distributed to the endpoints for a Service.
    It can be enabled through the ServiceTrafficDistribution feature gate. (kubernetes/kubernetes#123487, @​gauravkghildiyal) [SIG API Machinery, Apps and Network]

  • Add alpha-level support for the SuccessPolicy in Jobs (kubernetes/kubernetes#123412, @​tenzen-y) [SIG API Machinery, Apps and Testing]

  • Added (alpha) support for the managedBy field on Jobs. Jobs with a custom value of this field - any
    value other than kubernetes.io/job-controller - are skipped by the job controller, and their
    reconciliation is delegated to an external controller, indicated by the value of the field. Jobs that
    don't have this field at all, or where the field value is the reserved string kubernetes.io/job-controller,
    are reconciled by the built-in job controller. (kubernetes/kubernetes#123273, @​mimowo) [SIG API Machinery, Apps and Testing]

  • Added an alpha feature, behind the RelaxedEnvironmentVariableValidation feature gate.
    When that gate is enabled, Kubernetes allows almost all printable ASCII characters to be used in the names
    of environment variables for containers in Pods. (kubernetes/kubernetes#123385, @​HirazawaUi) [SIG Apps, Node and Testing]

  • Added alpha support for field selectors on custom resources.
    Provided that the CustomResourceFieldSelectors feature gate is enabled, the CustomResourceDefinition
    API now lets you specify selectableFields. Listing a field there allows filtering custom resources for that
    CustomResourceDefinition in list or watch requests. (kubernetes/kubernetes#122717, @​jpbetz) [SIG API Machinery]

  • Added support for configuring multiple JWT authenticators in Structured Authentication Configuration. The maximum allowed JWT authenticators in the authentication configuration is 64. (kubernetes/kubernetes#123431, @​aramase) [SIG Auth and Testing]

  • Aggregated discovery supports both v2beta1 and v2 types and feature is promoted to GA (kubernetes/kubernetes#122882, @​Jefftree) [SIG API Machinery and Testing]

  • Allowing container runtimes to fix an image garbage collection bug by adding an image_id field to the CRI Container message. (kubernetes/kubernetes#123508, @​saschagrunert) [SIG Node]

  • AppArmor profiles can now be configured through fields on the PodSecurityContext and container SecurityContext.

    • The beta AppArmor annotations are deprecated.
    • AppArmor status is no longer included in the node ready condition (kubernetes/kubernetes#123435, @​tallclair) [SIG API Machinery, Apps, Auth, Node and Testing]
  • Conflicting issuers between JWT authenticators and service account config are now detected and fail on API server startup. Previously such a config would run but would be inconsistently effective depending on the credential. (kubernetes/kubernetes#123561, @​enj) [SIG API Machinery and Auth]

  • Dynamic Resource Allocation: DRA drivers may now use "structured parameters" to let the scheduler handle claim allocation. (kubernetes/kubernetes#123516, @​pohly) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Instrumentation, Node, Release, Scheduling, Storage and Testing]

  • Graduated pod scheduling gates to general availability.
    The PodSchedulingReadiness feature gate no longer has any effect, and the
    .spec.schedulingGates field is always available within the Pod and PodTemplate APIs. (kubernetes/kubernetes#123575, @​Huang-Wei) [SIG API Machinery, Apps, Node, Scheduling and Testing]

  • Graduated support for minDomains in pod topology spread constraints, to general availability.
    The MinDomainsInPodTopologySpread feature gate no longer has any effect, and the field is
    always available within the Pod and PodTemplate APIs. (kubernetes/kubernetes#123481, @​sanposhiho) [SIG API Machinery, Apps, Scheduling and Testing]

  • JWT authenticator config set via the --authentication-config flag is now dynamically reloaded as the file changes on disk. (kubernetes/kubernetes#123525, @​enj) [SIG API Machinery, Auth and Testing]

  • Kube-apiserver: the AuthenticationConfiguration type accepted in --authentication-config files has been promoted to apiserver.config.k8s.io/v1beta1. (kubernetes/kubernetes#123696, @​aramase) [SIG API Machinery, Auth and Testing]

  • Kube-apiserver: the AuthorizationConfiguration type accepted in --authorization-config files has been promoted to apiserver.config.k8s.io/v1beta1. (kubernetes/kubernetes#123640, @​liggitt) [SIG Auth and Testing]

  • Kubelet should fail if NodeSwap is used with LimitedSwap and cgroupv1 node. (kubernetes/kubernetes#123738, @​kannon92) [SIG API Machinery, Node and Testing]

  • Kubelet: a custom root directory for pod logs (instead of default /var/log/pods) can be specified using the podLogsDir
    key in kubelet configuration. (kubernetes/kubernetes#112957, @​mxpv) [SIG API Machinery, Node, Scalability and Testing]

  • Kubelet: the .memorySwap.swapBehavior field in kubelet configuration accepts a new value NoSwap and makes this the default if unspecified; the previously accepted UnlimitedSwap value has been dropped. (kubernetes/kubernetes#122745, @​kannon92) [SIG API Machinery, Node and Testing]

  • OIDC authentication will now fail if the username asserted based on a CEL expression config is the empty string. Previously the request would be authenticated with the username set to the empty string. (kubernetes/kubernetes#123568, @​enj) [SIG API Machinery, Auth and Testing]

  • PodSpec API: remove note that hostAliases are not supported on hostNetwork Pods. The feature has been supported since v1.8. (kubernetes/kubernetes#122422, @​neolit123) [SIG API Machinery and Apps]

  • Promote AdmissionWebhookMatchConditions to GA. The feature is now stable and the feature gate is now locked to default. (kubernetes/kubernetes#123560, @​ivelichkovich) [SIG API Machinery and Testing]

  • Structured Authentication Configuration now supports DiscoveryURL.
    discoveryURL if specified, overrides the URL used to fetch discovery information.
    This is for scenarios where the well-known and jwks endpoints are hosted at a different
    location than the issuer (such as locally in the cluster). (kubernetes/kubernetes#123527, @​aramase) [SIG API Machinery, Auth and Testing]

  • Support Recursive Read-only (RRO) mounts (KEP-3857) (kubernetes/kubernetes#123180, @​AkihiroSuda) [SIG API Machinery, Apps, Node and Testing]

  • The StructuredAuthenticationConfiguration feature is now beta and enabled by default. (kubernetes/kubernetes#123719, @​enj) [SIG API Machinery and Auth]

  • The StorageVersionMigration API, which was previously available as a Custom Resource Definition (CRD), is now a built-in API in Kubernetes. (kubernetes/kubernetes#123344, @​nilekhc) [SIG API Machinery, Apps, Auth, CLI and Testing]

  • The kubernetes repo now uses Go workspaces. This should not impact end users at all, but does have impact for developers of downstream projects. Switching to workspaces caused some breaking changes in the flags to the various k8s.io/code-generator tools. Downstream consumers should look at staging/src/k8s.io/code-generator/kube_codegen.sh to see the changes. (kubernetes/kubernetes#123529, @​thockin) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Storage and Testing]

  • ValidatingAdmissionPolicy is promoted to GA and will be enabled by default. (kubernetes/kubernetes#123405, @​cici37) [SIG API Machinery, Apps, Auth and Testing]

  • When configuring a JWT authenticator:

    If username.expression uses 'claims.email', then 'claims.email_verified' must be used in
    username.expression or extra[].valueExpression or claimValidationRules[].expression.
    An example claim validation rule expression that matches the validation automatically
    applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'. (kubernetes/kubernetes#123737, @​enj) [SIG API Machinery and Auth]

  • Added a CBOR implementation of runtime.Serializer. Until CBOR graduates to Alpha, API servers will refuse to start if configured with CBOR support. (kubernetes/kubernetes#122881, @​benluddy) [SIG API Machinery]

  • Added audienceMatchPolicy field to AuthenticationConfiguration and support for configuring multiple audiences.

    • The "audienceMatchPolicy" can be empty (or unset) when a single audience is specified in the "audiences" field.
    • The "audienceMatchPolicy" must be set to "MatchAny" when multiple audiences are specified in the "audiences" field. (kubernetes/kubernetes#123165, @​aramase) [SIG API Machinery, Auth and Testing]
  • Contextual logging is now beta and enabled by default. (kubernetes/kubernetes#122589, @​pohly) [SIG Instrumentation]

  • Cri-api: KEP-3857: Recursive Read-only (RRO) mounts (kubernetes/kubernetes#123272, @​AkihiroSuda) [SIG Node]

  • Enabled a mechanism for concurrent log rotation via kubelet using a configuration entity of containerLogMaxWorkers which controls the maximum number of concurrent rotations that can be performed and an interval configuration of containerLogMonitorInterval that can aid in configuring the monitoring duration to best suit your cluster's log generation standards. (kubernetes/kubernetes#114301, @​harshanarayana) [SIG API Machinery, Node and Testing]

  • Text logging in Kubernetes components now uses textlogger. The same split streams of info and error log entries with buffering of info entries is now also supported for text output (off by default, alpha feature). Previously, this was only supported for JSON. Performance is better also without split streams. (kubernetes/kubernetes#114672, @​pohly) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Storage and Testing]

  • This change adds the following CLI option for kube-controller-manager:

  • Updated an audit annotation key used by the …/serviceaccounts/<name>/token resource handler.
    The annotation used to persist the issued credential identifier is now authentication.kubernetes.io/issued-credential-id. (kubernetes/kubernetes#123098, @​munnerz) [SIG Auth]

  • Add CEL library for IP Addresses and CIDRs. This will not be available for use until 1.31. (kubernetes/kubernetes#121912, @​JoelSpeed) [SIG API Machinery]

  • Added to MutableFeatureGate the ability to override the default setting of feature gates, to allow default-enabling a feature on a component-by-component basis instead of for all aff


Configuration

📅 Schedule: Branch creation - "after 10pm,before 5am" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
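The release notes above state several hard constraints on the JWT authenticators in a structured AuthenticationConfiguration: at most 64 authenticators, audienceMatchPolicy must be MatchAny when several audiences are listed, username.expression may only use claims.email if claims.email_verified is checked in username.expression, extra[].valueExpression or claimValidationRules[].expression, and an issuer shared with the service account config fails API server startup. The following is an added example, not code from kubernetes-asyncio or from the Kubernetes release notes, that lints a config dict against those rules before it is handed to the API server. The field layout (jwt[].issuer.url, issuer.audiences, issuer.audienceMatchPolicy, issuer.discoveryURL, claimMappings.username.expression, claimMappings.extra[].valueExpression, claimValidationRules[].expression) follows the names used in the notes; the sample configs and the service account issuer value are constructed for the example and should be checked against the apiserver.config.k8s.io/v1beta1 reference for your cluster version.

```python
"""Pre-flight lint for the JWT authenticators in a structured AuthenticationConfiguration.

Added example (not kubernetes-asyncio or Kubernetes code). It encodes the
constraints quoted in the release notes: a maximum of 64 JWT authenticators,
audienceMatchPolicy required with multiple audiences, claims.email usable only
alongside a claims.email_verified check, and no issuer shared with the service
account issuer. Field names follow apiserver.config.k8s.io/v1beta1 as used in
the notes; confirm them against the API server reference for your version.
"""
import re
from typing import List, Optional

MAX_JWT_AUTHENTICATORS = 64

# A reference to claims.email but not to claims.email_verified: "_" is a word
# character, so \b cannot sit between "email" and "_verified".
_EMAIL_REF = re.compile(r"\bclaims\.email\b")
# Either claims.email_verified or the optional-field form claims.?email_verified.
_EMAIL_VERIFIED_REF = re.compile(r"\bclaims\.\??email_verified\b")


def check_jwt_authenticators(config: dict,
                             service_account_issuer: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    problems: List[str] = []
    jwt_list = config.get("jwt") or []
    if len(jwt_list) > MAX_JWT_AUTHENTICATORS:
        problems.append(
            f"jwt: {len(jwt_list)} authenticators exceeds the maximum of {MAX_JWT_AUTHENTICATORS}")

    for i, auth in enumerate(jwt_list):
        where = f"jwt[{i}]"
        issuer = auth.get("issuer") or {}
        url = issuer.get("url")

        # An issuer that conflicts with the service account config fails API server startup.
        if service_account_issuer is not None and url == service_account_issuer:
            problems.append(f"{where}.issuer.url {url!r} conflicts with the service account issuer")

        # audienceMatchPolicy may be unset for a single audience, must be MatchAny for several.
        audiences = issuer.get("audiences") or []
        if len(audiences) > 1 and issuer.get("audienceMatchPolicy") != "MatchAny":
            problems.append(
                f"{where}.issuer.audienceMatchPolicy must be MatchAny when multiple audiences are set")

        # claims.email in username.expression needs an email_verified check in one of three places.
        mappings = auth.get("claimMappings") or {}
        username_expr = (mappings.get("username") or {}).get("expression") or ""
        if _EMAIL_REF.search(username_expr):
            candidates = [username_expr]
            candidates += [e.get("valueExpression") or "" for e in mappings.get("extra") or []]
            candidates += [r.get("expression") or "" for r in auth.get("claimValidationRules") or []]
            if not any(_EMAIL_VERIFIED_REF.search(expr) for expr in candidates):
                problems.append(
                    f"{where}: username.expression uses claims.email but nothing checks claims.email_verified")
    return problems


# Constructed sample configs for the example, not real deployments. The
# discoveryURL points at an in-cluster location, the scenario the notes describe.
GOOD_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1beta1",
    "kind": "AuthenticationConfiguration",
    "jwt": [{
        "issuer": {
            "url": "https://issuer.example.com",
            "discoveryURL": "https://oidc.oidc-system.svc/.well-known/openid-configuration",
            "audiences": ["kube-api", "kube-api-legacy"],
            "audienceMatchPolicy": "MatchAny",
        },
        "claimValidationRules": [
            # The rule the notes give as equivalent to the automatic check for username.claim: email.
            {"expression": "claims.?email_verified.orValue(true)", "message": "email must be verified"},
        ],
        "claimMappings": {
            "username": {"expression": "'oidc:' + claims.email"},
            "groups": {"claim": "groups", "prefix": "oidc:"},
        },
    }],
}

BAD_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1beta1",
    "kind": "AuthenticationConfiguration",
    "jwt": [{
        "issuer": {
            "url": "https://kubernetes.default.svc",          # same as the service account issuer
            "audiences": ["kube-api", "kube-api-legacy"],      # two audiences, no audienceMatchPolicy
        },
        "claimMappings": {
            "username": {"expression": "claims.email"},        # no email_verified check anywhere
        },
    }],
}

if __name__ == "__main__":
    sa_issuer = "https://kubernetes.default.svc"  # assumed --service-account-issuer value
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_jwt_authenticators(cfg, sa_issuer) or "ok")
```

The checks are deliberately string-based: the API server evaluates the CEL expressions, so the lint only confirms that an email_verified reference is present where the notes require one, not that the expression is otherwise correct.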
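The AppArmor item above says profiles are now set through fields on the PodSecurityContext and container SecurityContext and that the beta annotations are deprecated. The following is an added example, not code from kubernetes-asyncio or Kubernetes, that rewrites a pod manifest dict from the annotation form to the field form so existing manifests can be migrated before the annotations stop working. It assumes the annotation key container.apparmor.security.beta.kubernetes.io/<container-name> with the values runtime/default, localhost/<profile> and unconfined, and a target field securityContext.appArmorProfile with type RuntimeDefault, Localhost or Unconfined plus localhostProfile for the Localhost type; the sample pod is constructed for the example. Verify the field names against the Pod API reference for your cluster version.

```python
"""Migrate deprecated beta AppArmor annotations to securityContext.appArmorProfile.

Added example (not kubernetes-asyncio or Kubernetes code). Assumed names:
annotation key container.apparmor.security.beta.kubernetes.io/<container>
with values runtime/default, localhost/<profile> or unconfined, and the field
securityContext.appArmorProfile {type: RuntimeDefault|Localhost|Unconfined,
localhostProfile: <profile>}. Check them against the Pod API reference.
"""
import copy
from typing import Dict

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def annotation_to_profile(value: str) -> Dict[str, str]:
    """Translate one annotation value into an appArmorProfile field value."""
    if value == "runtime/default":
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value.startswith("localhost/") and len(value) > len("localhost/"):
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unrecognised AppArmor annotation value {value!r}")


def migrate_apparmor_annotations(pod: dict) -> dict:
    """Return a copy of the pod with AppArmor annotations moved into container fields.

    Raises ValueError if an annotation names a container that does not exist or
    disagrees with an appArmorProfile already set on that container, so a
    migration never silently changes the effective profile.
    """
    pod = copy.deepcopy(pod)
    metadata = pod.setdefault("metadata", {})
    annotations = metadata.get("annotations") or {}
    spec = pod.setdefault("spec", {})
    by_name = {c["name"]: c
               for kind in ("initContainers", "containers", "ephemeralContainers")
               for c in spec.get(kind) or []}

    for key in [k for k in annotations if k.startswith(ANNOTATION_PREFIX)]:
        name = key[len(ANNOTATION_PREFIX):]
        container = by_name.get(name)
        if container is None:
            raise ValueError(f"annotation {key} names a container that does not exist")
        profile = annotation_to_profile(annotations[key])
        sc = container.setdefault("securityContext", {})
        existing = sc.get("appArmorProfile")
        if existing is not None and existing != profile:
            raise ValueError(f"container {name!r}: annotation and securityContext.appArmorProfile disagree")
        sc["appArmorProfile"] = profile
        del annotations[key]           # the beta annotation is deprecated, drop it

    if not annotations and "annotations" in metadata:
        del metadata["annotations"]
    return pod


# Constructed sample manifest for the example.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "web",
        "annotations": {
            "team": "platform",                                             # unrelated, must survive
            ANNOTATION_PREFIX + "nginx": "localhost/k8s-nginx",
            ANNOTATION_PREFIX + "sidecar": "runtime/default",
        },
    },
    "spec": {
        "containers": [
            {"name": "nginx", "image": "nginx:1.27"},
            {"name": "sidecar", "image": "busybox:1.36",
             "securityContext": {"runAsNonRoot": True}},                    # existing settings kept
        ],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(migrate_apparmor_annotations(SAMPLE_POD), indent=2))
```

The migrated dict is plain JSON-compatible data, so it can be written back out as a manifest or submitted as a pod body through the client of your choice.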

✒️ PR Title Commitlint - ✔️ Lint success!

github-actions bot commented Dec 17, 2024

🛠️ 🐳 Build PR Container - canary-container - 🏷️ Commit: ffd4dd1 - ⚙️ Workflow: 12699216643

harbor.ukserp.ac.uk/canary/canary:pr-69
harbor.ukserp.ac.uk/canary/canary:pr-69-ffd4dd1
sha256:b9f306bf09fe9882c705a41dd1d20af57a931916a05e3988fddb1863a84718fa

@marvin-serp-bot marvin-serp-bot force-pushed the renovate/kubernetes-asyncio-32.x branch from e599c6d to ffd4dd1 Compare January 9, 2025 22:02
2 participants