- v1.30.5
- v1.30.4
- v1.30.3
- v1.30.2
- v1.30.1
- v1.30.0
- v1.30.0-rc.2
- v1.30.0-rc.1
- v1.30.0-rc.0
- v1.30.0-beta.0
- v1.30.0-alpha.3
- v1.30.0-alpha.2
- v1.30.0-alpha.1
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Fixes a regression in openapi descriptions of PodIP.IP and HostIP.IP fields to mark the fields used as keys in those lists as required. (#126666, @thockin) [SIG API Machinery]
- Fix a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126693, @Huang-Wei) [SIG Scheduling]
- Fix race condition in kube-proxy initialization that could blackhole UDP traffic to service VIP. (#126688, @wedaly) [SIG Network]
- Fixed a bug that prevented installing the k8s.io/kube-openapi dependency when executing kube::codegen::gen_openapi. (#126923, @kannon92) [SIG API Machinery]
- Fixed a bug where init containers may fail to start due to a temporary container runtime failure. (#127213, @SergeyKanzhelev) [SIG Node]
- Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127203, @SergeyKanzhelev) [SIG Node]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods waiting for the finalizer marked as Failed after the kubelet restart. (#127208, @SergeyKanzhelev) [SIG Node and Testing]
- Upgrade coreDNS to v1.11.3 (#126797, @BenTheElder) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Network and Node]
Nothing has changed.
- github.com/coredns/corefile-migration: v1.0.21 → v1.0.24
- github.com/coreos/etcd: v3.3.13+incompatible → v3.3.10+incompatible
- github.com/magiconair/properties: v1.8.1 → v1.8.0
- github.com/spf13/viper: v1.7.0 → v1.4.0
- github.com/armon/go-metrics: f0300d1
- github.com/armon/go-radix: 7fddfc3
- github.com/bgentry/speakeasy: v0.1.0
- github.com/bketelsen/crypt: 5cbc8cc
- github.com/fatih/color: v1.7.0
- github.com/gopherjs/gopherjs: 0766667
- github.com/hashicorp/consul/api: v1.1.0
- github.com/hashicorp/consul/sdk: v0.1.1
- github.com/hashicorp/errwrap: v1.0.0
- github.com/hashicorp/go-cleanhttp: v0.5.1
- github.com/hashicorp/go-immutable-radix: v1.0.0
- github.com/hashicorp/go-msgpack: v0.5.3
- github.com/hashicorp/go-multierror: v1.0.0
- github.com/hashicorp/go-rootcerts: v1.0.0
- github.com/hashicorp/go-sockaddr: v1.0.0
- github.com/hashicorp/go-syslog: v1.0.0
- github.com/hashicorp/go-uuid: v1.0.1
- github.com/hashicorp/go.net: v0.0.1
- github.com/hashicorp/logutils: v1.0.0
- github.com/hashicorp/mdns: v1.0.0
- github.com/hashicorp/memberlist: v0.1.3
- github.com/hashicorp/serf: v0.8.2
- github.com/jtolds/gls: v4.20.0+incompatible
- github.com/mattn/go-colorable: v0.0.9
- github.com/mattn/go-isatty: v0.0.3
- github.com/miekg/dns: v1.0.14
- github.com/mitchellh/cli: v1.0.0
- github.com/mitchellh/go-testing-interface: v1.0.0
- github.com/mitchellh/gox: v0.4.0
- github.com/mitchellh/iochan: v1.0.0
- github.com/pascaldekloe/goe: 57f6aae
- github.com/posener/complete: v1.1.1
- github.com/ryanuber/columnize: 9b3edd6
- github.com/sean-/seed: e2103e2
- github.com/smartystreets/assertions: b2de0cb
- github.com/smartystreets/goconvey: v1.6.4
- github.com/subosito/gotenv: v1.2.0
- gopkg.in/ini.v1: v1.51.0
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. (#126146, @xyz-li) [SIG API Machinery]
- Use omitempty for optional Job Pod Failure Policy fields (#126046, @mimowo) [SIG Apps]
- Disabled a previously on-by-default optimization for the API server where each watch response used a dedicated goroutine. The `APIServingWithRoutine` feature gate has been demoted from beta to alpha, and is now off by default. (#126481, @benluddy) [SIG API Machinery]
- Fix the bug where PodIP field is temporarily removed for a terminal pod (#125404, @mimowo) [SIG Node and Testing]
- Fixed a bug that init containers with `Always` restartPolicy may not terminate gracefully if the pod hasn't initialized yet. (#126331, @gjkim42) [SIG Node and Testing]
- Kube-apiserver: fixes a 1.27+ regression watching a single namespace via the deprecated /api/v1/watch/namespaces/$name endpoint where watch events were not delivered after the watch was established (#126153, @xyz-li) [SIG API Machinery and Testing]
- Kube-apiserver: fixes a potential crash serving CustomResourceDefinitions that combine an invalid schema and CEL validation rules. (#126167, @cici37) [SIG API Machinery and Testing]
- Kubeadm: Added `--yes` flag to the list of allowed flags so that it can be mixed with `kubeadm upgrade apply --config` (#125566, @xmudrii) [SIG Cluster Lifecycle]
- Kubeadm: fixed a bug on 'kubeadm join' where using patches with a kubeletconfiguration target was not respected when performing the local kubelet healthz check. (#126251, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: fixed a regression where the JoinConfiguration.discovery.timeout was no longer respected and the value was always hardcoded to "5m" (5 minutes). (#125481, @neolit123) [SIG Cluster Lifecycle]
- Mount-utils: treat syscall.ENODEV as corrupted mount (#126174, @dobsonj) [SIG Storage]
- Resolve a regression in 1.30 default behavior for kubectl exec, cp, and attach which fail when using an HTTPS proxy. (#126253, @seans3) [SIG API Machinery and CLI]
- StatefulSet autodelete will respect controlling owners on PVC claims as described in kubernetes/enhancements#4375 (#125389, @mattcary) [SIG Apps and Testing]
- Stop using wmic on Windows to get uuid in the kubelet (#126012, @marosset) [SIG Node and Windows]
Nothing has changed.
Nothing has changed.
Nothing has changed.
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
This release contains changes that address the following vulnerabilities:
A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs.
Affected Versions:
- kubelet <= 1.27.15
- kubelet <= 1.28.11
- kubelet <= 1.29.6
- kubelet <= 1.30.2
Fixed Versions:
- kubelet 1.27.16
- kubelet 1.28.12
- kubelet 1.29.7
- kubelet 1.30.3
This vulnerability was reported by Paulo Gomes @pjbgf from SUSE.
CVSS Rating: Medium (6.1) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
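The affected and fixed kubelet versions listed above can be checked against a node inventory. The following is an added example, not part of the Kubernetes release notes; it assumes node data in the shape returned by `kubectl get nodes -o json`, and the sample nodes and function names are constructed for illustration.

```python
import re

# Fixed kubelet patch level per release line, taken from the
# "Fixed Versions" list in the advisory text above.
FIXED_PATCH = {(1, 27): 16, (1, 28): 12, (1, 29): 7, (1, 30): 3}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_kubelet_version(text):
    """Return (major, minor, patch) from strings such as 'v1.30.2'.

    Anything after the patch number (pre-release or build suffix) is ignored.
    """
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised kubelet version: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(kubelet_version, operating_system):
    """Classify one node against the advisory.

    Returns 'not-applicable' for non-Windows nodes, 'affected' or 'fixed'
    for Windows nodes on a release line the advisory names, and 'unlisted'
    for Windows nodes on any other release line (manual review needed).
    """
    if operating_system.lower() != "windows":
        return "not-applicable"
    major, minor, patch = parse_kubelet_version(kubelet_version)
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        return "unlisted"
    return "fixed" if patch >= fixed_patch else "affected"


def audit(node_list):
    """Return (node name, kubelet version, classification) for every node."""
    findings = []
    for item in node_list.get("items", []):
        info = item["status"]["nodeInfo"]
        findings.append((
            item["metadata"]["name"],
            info["kubeletVersion"],
            classify(info["kubeletVersion"], info["operatingSystem"]),
        ))
    return findings


def _node(name, version, operating_system):
    # Helper that builds only the fields of a Node object this audit reads.
    return {
        "metadata": {"name": name},
        "status": {"nodeInfo": {"kubeletVersion": version,
                                "operatingSystem": operating_system}},
    }


# Constructed sample inventory (not real cluster data).
SAMPLE_NODES = {"items": [
    _node("win-a", "v1.30.2", "windows"),
    _node("win-b", "v1.30.3", "windows"),
    _node("win-c", "v1.27.15", "windows"),
    _node("win-d", "v1.26.9", "windows"),
    _node("linux-a", "v1.30.1", "linux"),
]}

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE_NODES):
        print(f"{name:8} {version:10} {status}")
```
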
- Add `/sys/devices/virtual/powercap` to default masked paths. It avoids the potential security risk that the ability to read these files may offer a power-based sidechannel attack against any workloads running on the same kernel. (#125970, @carlory) [SIG Node]
- Fix a bug where Pods could get stuck in the unschedulable pod pool if they're rejected by PreEnqueue plugins that could change their result by a change in resources apart from Pods. The DRA plugin is the only in-tree plugin that meets the criteria of the bug, and hence if you have the `DynamicResourceAllocation` feature flag enabled, your DRA Pods could be affected by this bug. (#125643, @sanposhiho) [SIG Scheduling and Testing]
- Fix endpoints status out-of-sync when the pod state changes rapidly (#125675, @tnqn) [SIG Apps, Network and Testing]
- For statically provisioned PVs, if the volume source is a CSI type or it has the migrated annotation, the PersistentVolume controller won't change its phase to the Failed state when it's deleted. With this patch, the external provisioner can remove the finalizer in the next reconcile loop. Unfortunately, if a previously existing PV has the Failed state, this patch won't take effect. It requires users to remove the finalizer. (#126043, @carlory) [SIG Apps and Storage]
- Job: Fix a bug that the SuccessCriteriaMet could be added to the Job with successPolicy regardless of the featureGate enabling (#125455, @tenzen-y) [SIG Apps]
Nothing has changed.
Nothing has changed.
Nothing has changed.
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Added the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` to enforce the strict cost calculation for CEL extended libraries. It is strongly recommended to turn on the feature gates as early as possible. (#124676, @cici37) [SIG API Machinery, Auth, Node and Testing]
- Improved scheduling performance when there are many nodes and prefilter returns 1-2 nodes (e.g. daemonset). For developers of out-of-tree PostFilter plugins, note that the semantics of NodeToStatusMap are changing: A node with an absent value in the NodeToStatusMap should be interpreted as having an UnschedulableAndUnresolvable status (#125306, @gabesaba) [SIG Scheduling]
- Kubernetes is now built with go 1.22.3 (#124829, @cpanato) [SIG Release and Testing]
- Kubernetes is now built with go 1.22.4 (#125366, @cpanato) [SIG Architecture, Cloud Provider, Release, Storage and Testing]
- Drop additional rule requirement (cronjobs/finalizers) in the roles who use kubectl create cronjobs to be backwards compatible (#124883, @ardaguclu) [SIG CLI]
- Emission of RecreatingFailedPod and RecreatingTerminatedPod events has been removed from stateful set lifecycle. (#123809, @atiratree) [SIG Apps and Testing]
- Improved scheduling latency when there are many gated pods (#124848, @gabesaba) [SIG Scheduling and Testing]
- Kube-apiserver: fixes a 1.28 regression printing pods with invalid initContainer status (#124908, @liggitt) [SIG Node]
- Kube-scheduler: fixes a 1.30 regression that can lead to a scheduler crash when processing pods with affinity that doesn't match a real/valid node (#125039, @AxeZhan) [SIG Scheduling and Testing]
- Kubeadm: during kubelet health checks, respect the healthz address:port configured in the KubeletConfiguration instead of hardcoding localhost:10248. (#125286, @neolit123) [SIG Cluster Lifecycle]
Nothing has changed.
Nothing has changed.
Nothing has changed.
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Fixes a 1.30.0 regression in openapi descriptions of imagePullSecrets and hostAliases fields to mark the fields used as keys in those lists as either defaulted or required. (#124553, @pmalek) [SIG API Machinery]
- Fixes a 1.30.0 regression in openapi descriptions of imagePullSecrets and hostAliases fields to mark the fields used as keys in those lists as either defaulted or required. (#124694, @pmalek) [SIG API Machinery]
- Expose --applyconfig-openapi-schema flag for client generation and fix applyconfig-gen to not create import cycles (#124371, @soltysh) [SIG API Machinery]
- Fix throughput when scheduling daemonset pods to reach 300 pods/s, if the configured qps allows it. (#124753, @sanposhiho) [SIG Scheduling]
- Fixed PersistentVolumeLabel admission plugin refusing in-tree Azure Disk and vSphere PersistentVolumes. (#124794, @jsafrane) [SIG Cloud Provider and Storage]
- Fixes a 1.29.0 regression that introduced a possible data race that could cause panics in kube-controller-manager and kube-scheduler (#124517, @wojtek-t) [SIG API Machinery and Scheduling]
- Kubeadm: during the preflight check "CreateJob" of "kubeadm upgrade", check if there are no nodes where a Pod can schedule. If there are none, show a warning and skip this preflight check. This can happen in single node clusters where the only node was drained. (#124570, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: fix a regression where the KubeletConfiguration is not properly downloaded during "kubeadm upgrade" commands from the kube-system/kubelet-config ConfigMap, resulting in the local '/var/lib/kubelet/config.yaml' file being written as a defaulted config. (#124497, @neolit123) [SIG Cluster Lifecycle]
Nothing has changed.
Nothing has changed.
Nothing has changed.
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- kubectl: Removed the deprecated flag `prune-whitelist` for apply. Please use the flag `prune-allowlist` instead. (#120246, @pacoxu)
- The deprecated `SecurityContextDeny` admission plugin, which has been deprecated since `v1.27`, has been removed. It is recommended to use the Pod Security Admission plugin instead, which has been available since v1.25. Refer to the Kubernetes documentation for more information. (#122612, @mtardy)
- Added (alpha) support for the `managedBy` field on Jobs. Jobs with a custom value of this field - any value other than `kubernetes.io/job-controller` - were skipped by the job controller, and their reconciliation was delegated to an external controller, indicated by the value of the field. Jobs that didn't have this field at all, or where the field value was the reserved string `kubernetes.io/job-controller`, were reconciled by the built-in job controller. (#123273, @mimowo)
- Added alpha-level support for the SuccessPolicy in Jobs. (#123412, @tenzen-y)
- Added the `CEL` library for IP Addresses and CIDRs. This was made available for use starting from version `1.31`. (#121912, @JoelSpeed)
- Allowed container runtimes to fix an image garbage collection bug by adding an `image_id` field to the CRI Container message. (#123508, @saschagrunert)
- Dynamic Resource Allocation: DRA drivers can now use "structured parameters" to let the scheduler handle claim allocation. (#123516, @pohly)
- Fixed accidental enablement of the new alpha `optionalOldSelf` API field in `CustomResourceDefinition` validation rules, which should only have been allowed to be set when the `CRDValidationRatcheting` feature gate is enabled. (#122329, @jpbetz)
- Implemented the `prescore` extension point for the `volumeBinding` plugin. It now returns skip if it doesn't do anything in Score. (#115768, @AxeZhan)
- Kubelet would fail if NodeSwap was used with LimitedSwap and cgroupv1 node. (#123738, @kannon92)
- Promoted `AdmissionWebhookMatchConditions` to GA. The feature is now stable, and the feature gate is now locked to default. (#123560, @ivelichkovich)
- Structured Authentication Configuration now supports `DiscoveryURL`. If specified, `discoveryURL` overrides the URL used to fetch discovery information. This is for scenarios where the well-known and jwks endpoints are hosted at a different location than the issuer (such as locally in the cluster). (#123527, @aramase)
- The `StorageVersionMigration` API, previously available as a Custom Resource Definition (CRD), is now a built-in API in Kubernetes. (#123344, @nilekhc)
- When configuring a JWT authenticator: If `username.expression` used 'claims.email', then 'claims.email_verified' must have been used in `username.expression` or `extra[*].valueExpression` or `claimValidationRules[*].expression`. An example claim validation rule expression that matches the validation automatically applied when `username.claim` is set to 'email' is 'claims.?email_verified.orValue(true)'. (#123737, @enj)
- `readOnly` volumes now support recursive read-only mounts for kernel versions >= 5.12. (#123180, @AkihiroSuda)
- cri-api: Implemented KEP-3857: Recursive Read-only (RRO) mounts. (#123272, @AkihiroSuda)
- kube-apiserver: the AuthenticationConfiguration type accepted in `--authentication-config` files has been promoted to `apiserver.config.k8s.io/v1beta1`. (#123696, @aramase)
- kubelet allowed specifying a custom root directory for pod logs (instead of the default /var/log/pods) using the `podLogsDir` key in kubelet configuration. (#112957, @mxpv)
- resource.k8s.io/ResourceClaim (alpha API): The strategic merge patch strategy for the `status.reservedFor` array was changed so that a strategic-merge-patch can now add individual entries. This change may break clients using strategic merge patch to update status, which rely on the previous behavior (replacing the entire array). (#122276, @pohly)
- Added a CBOR implementation of `runtime.Serializer`. Until CBOR graduates to Alpha, API servers will refuse to start if configured with CBOR support. (#122881, @benluddy)
- Added an alpha feature, behind the `RelaxedEnvironmentVariableValidation` feature gate. When that gate is enabled, Kubernetes allows almost all printable ASCII characters to be used in the names of environment variables for containers in Pods. (#123385, @HirazawaUi)
- Added a new (alpha) field, `trafficDistribution`, to the Service `spec` to express preferences for traffic distribution to endpoints. Enabled through the `ServiceTrafficDistribution` feature gate. (#123487, @gauravkghildiyal)
- Added audienceMatchPolicy field to AuthenticationConfiguration and support for configuring multiple audiences. The "audienceMatchPolicy" can be empty (or unset) when a single audience is specified in the "audiences" field. The "audienceMatchPolicy" must be set to "MatchAny" when multiple audiences are specified in the "audiences" field. (#123165, @aramase)
- Added consistent vanity import to files and provided tooling for verifying and updating them. (#120642, @jcchavezs)
- Added the `disable-force-detach` CLI option for `kube-controller-manager`. By default, it's set to `false`. When enabled, it prevents force detaching volumes based on maximum unmount time and node status. If activated, the non-graceful node shutdown feature must be used to recover from node failure. Additionally, if a pod needs to be forcibly terminated at the risk of corruption, the appropriate VolumeAttachment object must be deleted. (#120344, @rohitssingh)
- Added to `MutableFeatureGate` the ability to override the default setting of feature gates, to allow default-enabling a feature on a component-by-component basis instead of for all affected components simultaneously. (#122647, @benluddy)
- Aggregated discovery supports both `v2beta1` and v2 types and feature is promoted to GA. (#122882, @Jefftree)
- Alpha support for field selectors on custom resources has been added. With the `CustomResourceFieldSelectors` feature gate enabled, the CustomResourceDefinition API now allows specifying `selectableFields`. Listing a field there enables filtering custom resources for that CustomResourceDefinition in list or watch requests. (#122717, @jpbetz)
- AppArmor profiles can now be configured through fields on the `PodSecurityContext` and container `SecurityContext`. The beta AppArmor annotations are deprecated, and AppArmor status is no longer included in the node ready condition. (#123435, @tallclair)
- Contextual logging is now in beta and enabled by default. Check out the KEP and official documentation for more details. (#122589, @pohly)
- Enabled concurrent log rotation in kubelet. You can now configure the maximum number of concurrent rotations with the `containerLogMaxWorkers` setting, and adjust the monitoring interval with `containerLogMonitorInterval`. (#114301, @harshanarayana)
- Graduated pod scheduling gates to general availability. The `PodSchedulingReadiness` feature gate no longer has any effect, and the `.spec.schedulingGates` field is always available within the Pod and PodTemplate APIs. (#123575, @Huang-Wei)
- Graduated support for `minDomains` in pod topology spread constraints, to general availability. The `MinDomainsInPodTopologySpread` feature gate no longer has any effect, and the field is always available within the Pod and PodTemplate APIs. (#123481, @sanposhiho)
- In kubelet configuration, the `.memorySwap.swapBehavior` field now accepts a new value `NoSwap`, which becomes the default if unspecified. The previously accepted `UnlimitedSwap` value has been dropped. (#122745, @kannon92)
- Kube-apiserver: the AuthorizationConfiguration type accepted in `--authorization-config` files has been promoted to `apiserver.config.k8s.io/v1beta1`. (#123640, @liggitt)
- OIDC authentication will now fail if the username asserted based on a CEL expression config is the empty string. Previously the request would be authenticated with the username set to the empty string. (#123568, @enj)
- Removed note that `hostAliases` are not supported on hostNetwork Pods from the PodSpec API. The feature has been supported since v1.8. (#122422, @neolit123)
- Structured Authentication Configuration now supports configuring multiple JWT authenticators. The maximum allowed JWT authenticators in the authentication configuration is 64. (#123431, @aramase)
- Text logging in Kubernetes components now uses textlogger. The same split streams of info and error log entries with buffering of info entries is now also supported for text output (off by default, alpha feature). Previously, this was only supported for JSON. Performance is better also without split streams. (#114672, @pohly)
- The API server now detects and fails on startup if there are conflicting issuers between JWT authenticators and service account configurations. Previously, such configurations would run but could be inconsistently effective depending on the credential. (#123561, @enj)
- The JWT authenticator configuration set via the `--authentication-config` flag is now dynamically reloaded as the file changes on disk. (#123525, @enj)
- The `StructuredAuthenticationConfiguration` feature is now beta and enabled. (#123719, @enj)
- The `kube_codegen` tool now ignores the vendor folder during code generation. (#122729, @jparrill)
- The kubernetes repo now uses Go workspaces. This should not impact end users at all, but does have impact for developers of downstream projects. Switching to workspaces caused some breaking changes in the flags to the various k8s.io/code-generator tools. Downstream consumers should look at staging/src/k8s.io/code-generator/kube_codegen.sh to see the changes. (#123529, @thockin)
- Updated an audit annotation key used by the `…/serviceaccounts/<name>/token` resource handler. The annotation used to persist the issued credential identifier is now `authentication.kubernetes.io/issued-credential-id`. (#123098, @munnerz) [SIG Auth]
- Users are now allowed to mutate `FSGroupPolicy` and `PodInfoOnMount` in `CSIDriver.Spec`. (#116209, @haoruan)
- ValidatingAdmissionPolicy was promoted to GA and will be `enabled` by default. (#123405, @cici37)
- When scheduling a mix of pods using `ResourceClaims` and others that don't, scheduling a pod with `ResourceClaims` has a lower impact on scheduling latency. (#121876, @pohly)
- When working with client-go events, it's now recommended to use `NewEventBroadcasterAdapterWithContext` instead of `NewEventBroadcasterAdapter` if contextual logging support is needed. (#122142, @pohly)
- Added Timezone column in the output of the 'kubectl get cronjob' command. (#122231, @ardaguclu)
- Added `WatchListClient` feature gate to `client-go`. When enabled, it allows the client to receive a stream of individual items instead of chunking from the server. (#122571, @p0lyn0mial)
- Added the `apiserver_watch_cache_read_wait` metric to measure the watch cache impact on request latency. (#123190, @padlar)
- Allowed scheduling framework plugins that implement `io.Closer` to be gracefully closed. (#122498, @Gekko0114)
- Bumped cAdvisor to `v0.49.0`. (#123599, @bobbypage)
- Changed `--nodeport-addresses` behavior to default to "primary node IP(s) only" rather than "all node IPs". (#122724, @nayihz)
- In the Pod API, setting the alpha `procMount` field to `Unmasked` in a container now required setting `spec.hostUsers=false` as well. (#123520, @haircommander)
- Informers now support adding Indexers after the informer starts. (#117046, @howardjohn)
- Printed more information when `kubectl describe` a `VolumeAttributesClass`. (#122640, @carlory)
- Promoted the `CRDValidationRatcheting` feature gate to beta and made it enabled by default. (#121461, @alexzielenski)
- Scheduler now skips the `NodeAffinity Score` plugin when it has nothing to do with a Pod. You might have noticed an increase in the metric `plugin_execution_duration_seconds` for `extension_point=score` and `plugin=NodeAffinity`, because the plugin only runs when it's relevant. (#117024, @sanposhiho)
- Some interfaces' signatures in the scheduler were updated:
  - PluginsRunner: used NodeInfo in `RunPreScorePlugins` and `RunScorePlugins`.
  - PreScorePlugin: used NodeInfo in `PreScore`.
  - Extender: used NodeInfo in `Filter` and `Prioritize`. (#121954, @AxeZhan)
- The watch cache now waits until it is at least as fresh as the given requestedWatchRV if sendInitialEvents was requested. (#122830, @p0lyn0mial)
- Updated `ImageGCMaxAge` behavior in the kubelet to wait the `MaxAge` duration after the kubelet has restarted before garbage collecting. (#123343, @haircommander)
- Updated `distroless-iptables` to `v0.5.0`, debian-base to `bookworm-v1.0.1`, and setcap to `bookworm-v1.0.1`. (#123170, @cpanato)
- `NewVolumeManagerReconstruction` feature is now GA. (#123442, @jsafrane)
- `kubectl describe`: Added Suspend to job and Node-Selectors and Tolerations to pod template output. (#122618, @ivanvc)
- `kubectl get job` now displays the status for the listed jobs. (#123226, @ivanvc)
- etcd: Built image for `v3.5.11`. (#122233, @mzaian)
- kube-apiserver now reloads the `--authorization-config` file when it changes. Reloads increment the `apiserver_authorization_config_controller_automatic_reload_last_timestamp_seconds` timestamp metric, with `status="success"` for successful reloads and `status="failed"` for failed reloads. Failed reloads keep using the previously loaded authorization configuration. (#121946, @liggitt)
- kube-apiserver now reported the following metrics for authorization webhook match conditions:
  - `apiserver_authorization_match_condition_evaluation_errors_total` counter metric labeled by authorizer type and name
  - `apiserver_authorization_match_condition_exclusions_total` counter metric labeled by authorizer type and name
  - `apiserver_authorization_match_condition_evaluation_seconds` histogram metric labeled by authorizer type and name. (#123611, @ritazh)
- kube-apiserver: JWT authenticator now reports the following metrics:
  - `apiserver_authentication_config_controller_automatic_reloads_total`
  - `apiserver_authentication_config_controller_automatic_reload_last_timestamp_seconds` (#123793, @aramase)
- kube-apiserver: The StructuredAuthorizationConfiguration feature gate has been promoted to beta and now allows the use of the `--authorization-configuration` flag. (#123641, @liggitt)
- kube-scheduler implemented scheduling hints for the `NodeUnschedulable` plugin. The scheduling hints allowed the scheduler to only retry scheduling a Pod that had been previously rejected by the `NodeSchedulable` plugin if a new Node or a Node update had set `.spec.unschedulable` to false. (#122334, @carlory)
- kubeadm: Added better handling of errors during unmount when calling `kubeadm reset`. When failing to unmount directories under `/var/run/kubelet`, kubeadm will now throw an error instead of showing a warning and continuing to clean up said directory. In such situations, it is better for you to inspect the problem and resolve it manually. Then, you can call `kubeadm reset` again to complete the cleanup. (#122530, @neolit123)
- kubeadm: Added support for machine-readable output with `-o yaml` and `-o json` to the command `kubeadm certs check-expiration`. This change is introduced in a new API: `kind: CertificateExpirationInfo`, `apiVersion: output.kubeadm.k8s.io/v1alpha3`. The existing non-structured formatting is preserved. The output API version v1alpha2 is now deprecated and will be removed in a future release. Please migrate to using v1alpha3. (#123372, @carlory)
- kubeadm: added the `WaitForAllControlPlaneComponents` feature gate. It could be used to tell kubeadm to wait for all control plane components to be ready when running "kubeadm init" or "kubeadm join --control-plane". Previously, kubeadm only waited for the kube-apiserver. The "kubeadm join" workflow now includes a new experimental phase called "wait-control-plane". This phase was marked as non-experimental when WaitForAllControlPlaneComponents became GA. Accordingly, a "kubeadm init" phase "wait-control-plane" was also available once WaitForAllControlPlaneComponents became GA. These phases could be skipped if the user preferred not to wait for the control plane components. (#123341, @neolit123)
- kubectl `port-forward` over websockets (tunneling SPDY) can now be enabled using an `Alpha` feature flag environment variable: KUBECTL_PORT_FORWARD_WEBSOCKETS=true. The API Server being communicated to must also have an `Alpha` feature flag enabled: PortForwardWebsockets. (#123413, @seans3)
- A new flag called `custom` has been introduced in `kubectl debug`, allowing users to customize pre-defined profiles. (#120346, @ardaguclu)
- A new kubelet metric `image_pull_duration_seconds` was added. The metric tracks the duration (in seconds) it takes for an image to be pulled, including the time spent in the waiting queue of image puller. The metric is broken down by bucketed image size. (#121719, @ruiwen-zhao)
- A new metric `lifecycle_handler_sleep_terminated_total` is added to record how many times LifecycleHandler sleep got unexpectedly terminated. (#122456, @AxeZhan)
- Added `client-go` support for upgrading subresource fields from client-side to server-side management. (#123484, @erikgb)
- Added `exec-interactive-mode` and `exec-provide-cluster-info` flags in kubectl config set-credentials command. (#122023, @ardaguclu)
- Added `process_start_time_seconds` to `/metrics/slis` endpoint of all components. (#122750, @richabanker)
- Added a "reason" field to the "image_garbage_collected_total" metric, allowing administrators to differentiate between images that were collected for reasons "age" vs "space". (#123345, @haircommander)
- Added a new metric `apiserver_encryption_config_controller_automatic_reloads_total` to measure the total number of API server encryption configuration reload successes and failures. This metric now contains the `status` label with a value that is either `success` or `failure`. Deprecated the metrics `apiserver_encryption_config_controller_automatic_reload_success_total` and `apiserver_encryption_config_controller_automatic_reload_failure_total`. Please use `apiserver_encryption_config_controller_automatic_reloads_total` instead. (#123179, @aramase)
- Added feature gate `MutatingAdmissionPolicy` for enabling mutation policy in admission chain. (#123425, @cici37)
- Added kubelet metrics to track the memory manager allocation and pinning. (#121778, @Tal-or)
- Added the `access_mode` label to `volume_manager_selinux_*` metrics. (#123667, @jsafrane)
- Enhanced cloud provider integrations to support optional, per-Node custom labels that can be supplied and applied to Nodes by the node controller. These extra labels will only be applied where the cloud provider integration supports this feature. (#123223, @mmerkes)
- Graduated "Forensic Container Checkpointing" (KEP #2008) from Alpha to Beta. (#123215, @adrianreber)
- Graduated HorizontalPodAutoscaler support for per-container metrics to stable. (#123482, @sanposhiho)
- Graduated support for passing dual-stack `kubelet --node-ip` values when using a cloud provider. The feature is now GA, and the `CloudDualStackNodeIPs` feature gate is always enabled. (#123134, @danwinship)
- In the PriorityLevelConfiguration object, the `nominalConcurrencyShares` field now accepts a zero value in both the `flowcontrol.apiserver.k8s.io/v1` and `flowcontrol.apiserver.k8s.io/v1beta3` APIs. (#123001, @tkashem)
- Introduced a feature gate mechanism to `client-go`. Depending on the actual implementation, users can control features via environmental variables or command line options. (#122555, @p0lyn0mial)
- Introduced a new alpha feature gate, `SELinuxMount`, which can now be enabled to accelerate SELinux relabeling. (#123157, @jsafrane)
- Kube-apiserver now reports latency metric for JWT authenticator authenticate token decisions in the `apiserver_authentication_jwt_authenticator_latency_seconds` metric, labeled by jwtIssuer hash and result. (#123225, @aramase)
- Kube-apiserver now reports metrics for authorization decisions in the `apiserver_authorization_decisions_total` metric, labeled by authorizer type, name, and decision. (#123333, @liggitt)
- Kube-apiserver: Authorization webhooks now report the following metrics:
- Kube-controller-manager: increased the global level for broadcaster's logging to 3 so that users can ignore event messages by lowering the logging level. It reduces information noise. (#122293, @mengjiao-liu)
- Kube-scheduler implemented scheduling hints for the `NodeAffinity` plugin. The scheduling hints allowed the scheduler to only retry scheduling a Pod that had been previously rejected by the `NodeAffinity` plugin if a new Node or a Node update matched the Pod's node affinity. (#122309, @carlory)
- Kube-scheduler implemented scheduling hints for the `NodeResourceFit` plugin. The scheduling hints allowed the scheduler to only retry scheduling a Pod that had been previously rejected by the `NodeResourceFit` plugin if a new Node or a Node update matched the Pod's resource requirements or if an old pod update or delete matched the Pod's resource requirements. (#119177, @carlory)
- Kube-scheduler now retries scheduling Pods rejected by the PodTopologySpread plugin when related Pods are created, deleted, updated, or when a node matches the specified topologyKey. (#122195, @nayihz)
- Kubeadm now prints all the kubelets and nodes that need to be upgraded when running "upgrade plan". (#123578, @carlory)
- Kubectl debug now includes the sysadmin profile. (#119200, @eiffel-fl)
- Kubelet now supports configuring the IDs used to create user namespaces. (#123593, @giuseppe)
- Kubernetes is now built with Go `1.21.6`. (#122705, @cpanato)
- Kubernetes is now built with Go `1.22.1`. (#123750, @cpanato)
- Kubernetes is now built with Go `1.22`. (#123217, @cpanato)
- Kubernetes is now built with go `1.22rc2`. (#122889, @cpanato)
- LoadBalancerIPMode feature is now marked as Beta. (#123418, @rikatz)
- Node information is now embedded into Pod-bound service account tokens as additional metadata. The 'JTI' field is set in issued service account tokens, and this information is embedded as `authentication.kubernetes.io/credential-id` in the user's ExtraInfo. (#123135, @munnerz)
- Node podresources API now includes init containers with containerRestartPolicy of `Always` when `SidecarContainers` feature is enabled. (#120718, @gjkim42)
- Promoted `KubeProxyDrainingTerminatingNodes` to `Beta`. (#122914, @alexanderConstantinescu)
- Promoted feature gate `StableLoadBalancerNodeSet` to `GA`. (#122961, @alexanderConstantinescu)
- Promoted the `ImageMaximumGCAge` feature to beta. (#123424, @haircommander)
- Promoted the `status.hostIPs` field for Pods to general availability. The `PodHostIPs` feature gate no longer has any effect, and the `status.hostIPs` field is always available within the Pod API. (#122870, @wzshiming)
- RemoteCommand feature gates for kubectl exec, cp, and attach over WebSockets are now enabled by default (Beta):
  - Server-side feature gate: `TranslateStreamCloseWebsocketRequests`
  - Client-side (kubectl) feature gate: `KUBECTL_REMOTE_COMMAND_WEBSOCKETS`
  - To disable RemoteCommand over WebSockets for kubectl, the environment variable feature gate must be explicitly set to `false`: `KUBECTL_REMOTE_COMMAND_WEBSOCKETS=false`. (#123281, @seans3)
- Revised node selection based on container image location. The kube-scheduler now considers whether nodes have the required images available for init containers, and for sidecar containers if the cluster has 'SidecarContainers' enabled. (#123366, @kerthcet)
- Scheduler extender `ignorable` option now handles errors for both filter and bind phases. (#122503, @sunbinnnnn)
- The NodeLogQuery feature has been promoted to beta. No functional changes have been made from the alpha version. (#123205, @aravindhp)
- The `apiserver.latency.k8s.io/decode-response-object` annotation was added to the audit log to record the decoding time. (#121512, @HirazawaUi)
- The drop-in kubelet configuration directory feature has been targeted for Beta. (#122907, @sohankunkerkar)
- The kubelet now rejects creating the pod if `hostUserns=false` and the CRI runtime does not support user namespaces. (#123216, @giuseppe)
- The scheduler now retries Pods, which are failed by `nodevolumelimits` due to not found PVCs, only when new PVCs are added. (#121952, @sanposhiho)
- Updated `kubedns` and `nodelocaldns` to release version `1.22.28`. (#121908, @mzaian)
- Users can now traverse all the pods that are in the scheduler and waiting in the permit stage through method `IterateOverWaitingPods`. In other words, all waitingPods in scheduler can be obtained from any profiles. Before this commit, each profile could only obtain `waitingPods` within that profile. (#122946, @NoicFank)
- ValidatingAdmissionPolicy now excludes TokenReview, SelfSubjectReview, LocalSubjectAccessReview, and SubjectAccessReview from all versions of authentication.k8s.io and authorization.k8s.io group. (#123543, @jiahuif)
- When a PreFilterResult filters out certain Nodes, the scheduling framework now categorizes them as rejected via `UnschedulableAndUnresolvable`. Consequently, these nodes are excluded from the candidates for the preemption process. Additionally, this update corrects how the scheduling framework handles the Unschedulable status from PreFilter. Previously, if PreFilter returned `Unschedulable`, it could lead to an unexpected abortion in the preemption process, which shouldn't occur in the default scheduler but might occur in schedulers with custom plugins. (#119779, @sanposhiho)
- When the `RetryGenerateName` feature gate is enabled on the kube-apiserver, create requests using generateName are retried automatically by the apiserver when the generated name conflicts with an existing resource name, up to a max limit of 7 retries. This feature is in alpha. (#122887, @jpbetz)
- `ValidatingAdmissionPolicy` now supports type checking policies that utilize variables. (#123083, @jiahuif)
- Added a new internal metric `kubelet_first_network_pod_start_sli_duration_second` in the kubelet that allowed developers to understand the source of the latency problems on node startups. (#121720, @aojea)
- A deprecated flag `--pod-max-in-unschedulable-pods-duration` was initially planned to be removed in v1.26, but we had to change this plan. We found an issue in which Pods can be stuck in the unschedulable pod pool for 5 min, and using this flag is the only workaround for this issue. This issue only could happen if you use custom plugins or if you change plugin set being used in your scheduler via the scheduler config. (#122013, @sanposhiho)
- Modified the error message of `unmanagedFatal` to enhance clarity while preserving grammatical consistency with `unmanagedWarning`. This improvement ensures a more understandable prompt for users. (#120159, @Ithrael)
- Reverted the change to "support sharing waitingPods across different scheduler profiles". (#124001, @kerthcet)
- Added `imagefs.inodesfree` to default `EvictionHard` settings. (#121834, @vaibhav2107)
- Changed the API server so that for admission webhooks that have a URL matching the hostname 'localhost' or a loopback IP address, the connection supports HTTP/2 where it could be negotiated. (#122558, @linxiulei)
- Fixed CEL estimated cost for expressions that perform operations on the result of `map()` operations (e.g., `.map(...).exists(...)`) to have the correct estimated cost instead of an unbounded cost. (#123562, @jpbetz)
- Fixed a `1.27.0+` regression in kubeadm: The kubelet patch configuration will not be uploaded into the `kube-system/kubelet-config` ConfigMap anymore. (#123093, @SataQiu)
- Fixed a bug in `ValidatingAdmissionPolicy` that caused policies using CRD parameters to fail to synchronize. (#123003, @alexzielenski)
- Fixed a non-recursive list returning "resource version too high" error when consistent listing from cache is enabled. (#123674, @serathius)
- Fixed a regression in `kube-proxy` introduced in version `1.26.0+` to make externalIPs work with externalTrafficPolicy: Local. (#121919, @uablrek)
- Fixed a regression in migration of in-tree vSphere volumes to the CSI driver introduced in version `1.29.0`+. (#122341, @jsafrane)
- Fixed a regression since `1.24` in the scheduling framework when overriding MultiPoint plugins (e.g. default plugins). The incorrect loop logic might have led to a plugin being loaded multiple times, consequently preventing any Pod from being scheduled, which was unexpected. (#122068, @caohe)
- Fixed an issue where `AvailableBytes` sometimes did not report correctly on WindowsNodes when the `PodAndContainerStatsFromCRI` feature was enabled. (#122846, @marosset)
- Fixed an issue where mount points could become local without calling `NodePublishVolume` after node rebooting. (#119923, @cvvz)
- Fixed cleanup of Pod volume mounts when a file was used as a subpath. (#123052, @jsafrane)
- Fixed error handling in
EnsureAdminClusterRoleBindingImpl
. (#122893, @danwinship) - Fixed incorrect error logging for
syncCronJob
. (#122493, @mengjiao-liu) - Fixed the deprecated version for
pod_scheduling_duration_seconds
that caused the metric to be hidden by default in1.29
. (#123038, @alculquicondor) - Fixed the disruption controller's PDB status synchronization to maintain all PDB conditions during an update. (#122056, @dhenkel92)
- Improved scheduler performance when no scoring plugins were defined. (#122058, @aleksandra-malinowska)
- Improved scheduler performance when no scoring plugins were defined. (#122435, @aleksandra-malinowska)
- Improved scheduler performance when no scoring plugins were defined. (#123384, @aleksandra-malinowska)
- In kubeadm, in the new output API 'output.kubeadm.k8s.io/v1alpha3', the UpgradePlan structure that is used when calling 'kubeadm upgrade plan ... -o yaml|json' was modified to include a list of multiple available upgrades. (#123461, @carlory)
- Made decoding etcd's response respect the timeout context. (#121815, @HirazawaUi)
- Previously, the scheduling queue didn't notice any extenders' failures, potentially resulting in missed cluster events and Pods rejected by Extenders being stuck in the unschedulable pod pool for up to 5 minutes in the worst-case scenario. Now, the scheduling queue notices extenders' failures and requeues Pods rejected by Extenders appropriately. (#122022, @sanposhiho)
- QueueingHint implementation for `NodeAffinity` was reverted because potential scenarios were found where events that make Pods schedulable could be missed. (#122285, @sanposhiho)
- Removed the incorrect warning event `FileSystemResizeFailed` during pod creation if it uses a readonly volume and the capacity of the volume is greater than or equal to its requested storage. (#122508, @carlory)
- Restored the `--verify-only` function in code generation wrappers. (#123261, @skitt)
- Reverted the `EventedPLEG` feature (beta, but disabled by default) back to alpha due to a known issue. (#122697, @pacoxu)
- Used `errors.Is()` to handle errors returned by `LookPath()`. (#122600, @lzhecheng)
- kube-proxy: Fixed `LoadBalancerSourceRanges` not working for `nftables` mode. (#122614, @tnqn)
- kubeadm: fixed a bug where "kubeadm upgrade plan -o yaml|json" included unneeded output and was missing component config information. (#123492, @carlory)
- Added metric name along with the utilization information when running `kubectl get hpa`. (#122804, @sreeram-venkitesh)
- Addressed an issue where a JWT authenticator set up via `--authentication-config` would encounter failures in verifying tokens not signed with RS256. (#123282, @enj)
- DRA: ResourceClaim and PodSchedulingContext status updates no longer allow changing object meta data. (#123730, @pohly)
- Enabled deletion of pods that use raw block volumes on node reboot. (#122211, @gnufied)
- Etcd: Updated to `v3.5.11`. (#122393, @mzaian)
- Fixed Pod stuck in `Terminating` because of `GenerateUnmapVolumeFunc` missing `globalUnmapPath` when kubelet tries to clean up all volumes that failed reconstruction. (#123032, @carlory)
- Fixed the Windows credential provider not being able to find its binary. The Windows credential provider binary path may have an ".exe" suffix, so it is better to use `LookPath()` to support it flexibly. (#120291, @lzhecheng)
- Fixed `kubectl explain` to show enum for field types if they were defined. (#123023, @ah8ad3)
- Fixed a bug in kubeadm where the `--rootfs` global flag didn't work with "kubeadm upgrade node" for control plane nodes. (#123077, @neolit123)
- Fixed a bug where an init container with containerRestartPolicy `Always` could not update its state from terminated to non-terminated in a pod with restartPolicy `Never` or `OnFailure`. (#123323, @gjkim42)
- Fixed a bug where `kubectl` drain would consider a pod as having been deleted if an error occurs while calling the API. (#122574, @brianpursley)
- Fixed a potential data race in DRA with no known real-world implications. (#123222, @pohly)
- Fixed a race condition in the iptables mode of kube-proxy in `1.27` and later that could result in some updates getting lost (e.g., when a service gets a new endpoint, the rules for the new endpoint might not be added until much later). (#122204, @danwinship)
- Fixed a regression in "kubeadm init" where a user-specified --kubeconfig file was being ignored. (#122735, @avorima)
- Fixed a regression in kubectl version `1.29.0` where the `--attach` flag was not honored. (#122447, @ardaguclu)
- Fixed an error when trying to expand a volume that does not require node expansion. (#123055, @gnufied)
- Fixed an issue calculating total CPU usage reported for Windows nodes. (#122999, @marosset)
- Fixed an issue to ignore unnecessary node events and improve daemonset controller performance. (#121669, @xigang)
- Fixed an issue where the `configmap`, `secret`, `projected`, and `downwardAPI` volume types didn't create user-visible files after a kubelet restart. This fix ensures data persistence and accessibility after restarts. (#122807, @carlory)
- Fixed bug where health check could pass while APIServices are missing from aggregated discovery. (#122883, @Jefftree)
- Fixed bug where providing a FieldPath to a CRD Validation Rule would erroneously affect the reported field path of other unrelated CRD Validation Rules on the same schema. (#123475, @alexzielenski)
- Fixed enabling consistent list from watch cache that used to work for resourceVersion=0 (#123676, @serathius)
- Fixed a node lifecycle controller panic when the conditionType ready has been patched to `nil` by mistake. (#122874, @fusida)
- Fixed panic of Evented `PLEG` during kubelet start-up. (#122475, @pacoxu)
- Fixed resource deletion failure caused by quota calculation error when `InPlacePodVerticalScaling` is turned on. (#122701, @carlory)
- For statically provisioned PVs, if their volume source is of CSI type or they have a migrated annotation, when they are deleted, the PersistentVolume controller won't change their phase to the Failed state. With this patch, the external provisioner can remove the finalizer in the next reconcile loop. Unfortunately, if a previously existing PV has the Failed state, this patch won't take effect. Users are required to remove the finalizer manually. (#122030, @carlory)
- Improved the efficiency of NodeAdded QueueingHint by registering UpdateNodeTaint event for plugins that have NodeAdded event but don't have UpdateNodeTaint event. This ensures better requeuing efficiency and prevents Pods from being stuck in the unschedulable pod pool. (#122292, @sanposhiho)
- JWTs used in service account and OIDC authentication are now strictly parsed to confirm that they use compact serialization. Other encodings were not previously accepted, but would result in different unspecific errors. (#123540, @enj)
- Kube-apiserver: Fixed a `1.27`+ regression in watch stability by serving watch requests without a `resourceVersion` from the watch cache by default, as in <`1.27` (disabling the change in PR 115096 by default). This mitigates the impact of an etcd watch bug (etcd-io/etcd#17555). If the 1.27 change in PR 115096 to serve these requests from underlying storage is still desired despite the impact on watch stability, it can be re-enabled with a `WatchFromStorageWithoutResourceVersion` feature gate. (#123935, @serathius)
- Kubeadm: avoided uploading a defaulted flag value "--authorization-mode=Node,RBAC" for the kube-apiserver in the ClusterConfiguration stored in the "kube-system/kubeadm-config" ConfigMap. "Node,RBAC" are already the kubeadm defaults for this flag, so this action is redundant. (#123555, @neolit123)
- Kubeadm: fixed a bug during kubeadm upgrade, where it is not possible to mount a new device and create a symbolic link for /etc/kubernetes (or a sub-directory) so that kubeadm stores its information on the mounted device. (#123406, @SataQiu)
- Kubeadm: the `kubelet-finalize` phase of `kubeadm init` no longer requires the kubelet kubeconfig to have a specific authinfo. (#123171, @vrutkovs)
- OpenAPI V2 will no longer publish aggregated API server OpenAPI for group versions that do not match the APIService specified group version. (#123570, @Jefftree)
- Patched a leak of a discovery document that would occur when an Aggregated APIService changed its Spec.Service field and did not change it back. (#123517, @Jefftree)
- Prevented watch cache starvation by moving its watch to separate RPC. Added a `SeparateCacheWatchRPC` feature flag to disable this behavior. (#123532, @serathius)
- Reverted the `QueueingHint` implementation for `NodeUnschedulable` due to potential scenarios where events that make Pods schedulable could be missed. (#122288, @sanposhiho)
- The PersistentVolume controller no longer automatically assigns a default `StorageClass` to Persistent Volume Claims (PVCs) with an empty `storageClassName`. (#122704, @carlory)
- The initialization of nodes using external cloud providers now waits for the providerID value to be available before untainting it. This ensures that nodes are not declared Ready without necessary information such as the providerID and zone labels, which are required for integrations like load balancers to function correctly. Cloud providers that do not implement the GetInstanceProviderID method will not require the providerID to be set and will not fail to initialize the node for backward compatibility. (#123713, @aojea)
- Updated google.golang.org/protobuf to `v1.33.0` to resolve `CVE-2024-24786`. (#123758, @liggitt)
- Updated the sample-apiserver manifest example to include correct RBAC configurations. (#123479, @Jefftree)
- When initializing nodes using external cloud-providers, the process now waits for the providerID value to be available before declaring the node ready. This ensures that nodes are not marked as Ready prematurely due to communication errors with the cloud-provider. The providerID and zone labels are necessary for integrations such as load balancers to function correctly. Users can choose to opt out of this behavior by setting the feature flag OptionalProviderID in the cloud-controller-manager. (#123331, @aojea)
- When using `kubectl logs <pod-name>` and the pod is not found, the error message now includes the namespace. Previously, the message would be "Error from server (NotFound): pods "my-pod-name" not found". Now, it reflects the namespace in the message as follows: "Error from server (NotFound): pods "my-pod-name" not found in namespace "default"". (#120111, @newtondev)
- When using a claim with immediate allocation and a pod referencing that claim couldn't get scheduled, the scheduler incorrectly may have tried to deallocate that claim. (#122415, @pohly)
- [kubeadm][structured authz] avoided setting default `--authorization-mode` when `--authorization-config` is provided (#123654, @LiorLieberman)
- `ValidateVolumeAttributesClassUpdate` also validates new VolumeAttributesClass object. (#122449, @carlory)
- Accepted zero as a default value for `kubectl create` token duration. (#123565, @ah8ad3)
- Cleanup: removed `getStorageAccountName` warning messages. (#121983, @andyzhangx)
- Client-go: Optimized leaders renewing leases by updating leader lock optimistically without getting the record from the API server first. Also, a new metric `leader_election_slowpath_total` was added to allow users to monitor how many leader elections are updated non-optimistically. (#122069, @linxiulei)
- Locked the GA feature-gate `ConsistentHTTPGetHandlers` to default. (#122578, @carlory)
- Migrated `client-go/metadata` to contextual logging. (#122225, @ricardoapl)
- Removed the GA feature gate `RemoveSelfLink`. (#122468, @carlory)
- Removed the generally available feature gate `ExpandedDNSConfig`. (#122086, @bzsuni)
- Removed the generally available feature gate `KubeletPodResourcesGetAllocatable`. (#122138, @ii2day)
- Removed the generally available feature gate `KubeletPodResources`. (#122139, @bzsuni)
- Removed the generally available feature gate `MinimizeIPTablesRestore`. (#122136, @ty-dc)
- The GA feature-gate `APISelfSubjectReview` has been removed, and the feature is unconditionally enabled. (#122032, @carlory)
- Updated `etcd` to version `3.5.12`. (#123150, @bzsuni)
- Updated cri-tools to `v1.29.0`. (#122271, @saschagrunert)
- Upgraded metrics server to `v0.7.0`. (#123504, @pacoxu)
- `kubeadm completion` error message now displayed supported shell types when an invalid shell was specified. (#122477, @SataQiu)
- kubeadm: ensured that a variety of API server requests were retried during "init", "join", "upgrade", "reset" workflows. Prior to this change, some API server requests, such as creating or updating ConfigMaps, were "one-shot" - i.e., they could fail if the API server dropped connectivity for a very short period of time. (#123271, @neolit123)
- kubeadm: improved the overall logic, error handling, and output messages when waiting for the kubelet and API server `/healthz` endpoints to return `OK`. The kubelet and API server checks no longer ran in parallel, but one after another (in serial). (#121958, @neolit123)
- Added an optimization to reduce stack memory usage for watch requests. It can be disabled with the feature gate: `APIServingWithRoutine=false` (#120902, @linxiulei)
- Added warning for `PV` on reclaim policy when it is `Recycle`. (#122339, @carlory)
- Deprecated the `azureFile` in-tree storage plugin. (#122576, @carlory)
- Etcd image `v3.5.12` has been built. (#123069, @bzsuni)
- Fixed a bug in scheduler requeueing where registered wildcard cluster event sources didn't work. (#123117, @kerthcet)
- Kubeadm: the `bridge-nf-call-iptables=1` and `bridge-nf-call-ip6tables=1` preflight checks are removed since not all the network implementations require this setting; network plugins are responsible for setting this correctly depending on whether or not they connect containers to Linux bridges or use some other mechanism. (#123464, @SataQiu)
- Kubeadm: used `ttlSecondsAfterFinished` to automatically clean up the `upgrade-health-check` Job that runs during upgrade preflighting. (#122079, @carlory)
- Migrated the kube-proxy to use contextual logging. (#122197, @fatsheep9146)
- Promoted feature-gate `LegacyServiceAccountTokenCleanUp` to GA and locked it to default. (#122635, @carlory)
- Removed the GA feature gate `ExperimentalHostUserNamespaceDefaultingGate` in `1.30`. (#122088, @bzsuni)
- Removed the GA feature gate for `IPTablesOwnershipCleanup` in version `1.30`. (#122137, @bzsuni)
- Removed the generally available feature gate `ProxyTerminatingEndpoints`. (#122134, @ty-dc)
- The `--cidr-allocator-type` option set to `CloudAllocator` for `kube-controller-manager` will be deprecated and removed in a future release. Users are advised to transition to and explore the available options provided by their external cloud provider. (#123011, @dims)
- The feature gate `LegacyServiceAccountTokenTracking` (GA since 1.28) is now removed because the feature is unconditionally enabled. (#122409, @Rei1010)
- The in-tree cloud provider for Azure has now been removed. Please use the external cloud provider and CSI driver from https://github.com/kubernetes/cloud-provider-azure instead. (#122857, @nilo19)
- The in-tree cloud provider for vSphere has been deprecated and removed. Users are advised to utilize the external cloud provider and CSI driver available at https://github.com/kubernetes/cloud-provider-vsphere. (#122937, @dims)
- Updated `kube-dns` to `v1.22.27`. (#121736, @ty-dc)
- Updated cni-plugins to version `v1.4.0`. (#122178, @saschagrunert)
- Updated kubedns and nodelocaldns to version `v1.23.0`. (#123310, @bzsuni)
- `kube-proxy` nftables mode is now compatible with kernel `5.4`. (#122296, @tnqn)
- Renamed Label cluster to `storage_cluster_id` for `apiserver_storage_size_bytes` metric (#124283, @dims)
- Bumped the stability level of apiserver_storage_size_bytes to `STABLE` (#123342, @logicalhan)
- github.com/fxamacker/cbor/v2: v2.6.0
- github.com/pkg/diff: 20ebb0f
- github.com/x448/float16: v0.8.4
- golang.org/x/telemetry: b75ee88
- k8s.io/gengo/v2: 51d4e06
- sigs.k8s.io/knftables: v0.0.14
- github.com/docker/docker: v20.10.24+incompatible → v20.10.27+incompatible
- github.com/go-logr/logr: v1.3.0 → v1.4.1
- github.com/go-logr/zapr: v1.2.3 → v1.3.0
- github.com/golang/protobuf: v1.5.3 → v1.5.4
- github.com/google/cadvisor: v0.48.1 → v0.49.0
- github.com/google/cel-go: v0.17.7 → v0.17.8
- github.com/onsi/ginkgo/v2: v2.13.0 → v2.15.0
- github.com/onsi/gomega: v1.29.0 → v1.31.0
- github.com/opencontainers/runc: v1.1.10 → v1.1.12
- go.uber.org/atomic: v1.10.0 → v1.7.0
- go.uber.org/goleak: v1.2.1 → v1.3.0
- go.uber.org/zap: v1.19.0 → v1.26.0
- golang.org/x/crypto: v0.14.0 → v0.21.0
- golang.org/x/mod: v0.12.0 → v0.15.0
- golang.org/x/net: v0.17.0 → v0.23.0
- golang.org/x/sync: v0.3.0 → v0.6.0
- golang.org/x/sys: v0.13.0 → v0.18.0
- golang.org/x/term: v0.13.0 → v0.18.0
- golang.org/x/text: v0.13.0 → v0.14.0
- golang.org/x/tools: v0.12.0 → v0.18.0
- google.golang.org/protobuf: v1.31.0 → v1.33.0
- k8s.io/klog/v2: v2.110.1 → v2.120.1
- k8s.io/kube-openapi: 2dd684a → 70dd376
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.28.0 → v0.29.0
- github.com/Azure/azure-sdk-for-go: v68.0.0+incompatible
- github.com/Azure/go-autorest/autorest/adal: v0.9.23
- github.com/Azure/go-autorest/autorest/date: v0.3.0
- github.com/Azure/go-autorest/autorest/mocks: v0.4.2
- github.com/Azure/go-autorest/autorest/to: v0.4.0
- github.com/Azure/go-autorest/autorest/validation: v0.3.1
- github.com/Azure/go-autorest/autorest: v0.11.29
- github.com/Azure/go-autorest/logger: v0.2.1
- github.com/Azure/go-autorest/tracing: v0.6.0
- github.com/Azure/go-autorest: v14.2.0+incompatible
- github.com/a8m/tree: 10a5fd5
- github.com/benbjohnson/clock: v1.1.0
- github.com/danwinship/knftables: v0.0.13
- github.com/dnaeon/go-vcr: v1.2.0
- github.com/dougm/pretty: 2ee9d74
- github.com/gofrs/uuid: v4.4.0+incompatible
- github.com/rasky/go-xdr: 4930550
- github.com/rubiojr/go-vhd: 02e2102
- github.com/vmware/govmomi: v0.30.6
- github.com/vmware/vmw-guestinfo: 25eff15
- k8s.io/gengo: 9cce18d
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Golang.org/x/net is bumped to v0.23.0 to address CVE-2023-45288 (#124174, @dims) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]
Nothing has changed.
- golang.org/x/crypto: v0.19.0 → v0.21.0
- golang.org/x/net: v0.21.0 → v0.23.0
- golang.org/x/sys: v0.17.0 → v0.18.0
- golang.org/x/term: v0.17.0 → v0.18.0
Nothing has changed.
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Fix pod restart after node reboot when NewVolumeManagerReconstruction feature gate is enabled and SELinuxMountReadWriteOncePod disabled (#124048, @bertinatto) [SIG Node]
- Kubeadm: fix panic in the command "kubeadm certs check-expiration" when "/etc/kubernetes/pki" exists but cannot be read. (#124124, @carlory) [SIG Cluster Lifecycle]
Nothing has changed.
Nothing has changed.
Nothing has changed.
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Revert "support sharing waitingPods across different scheduler profiles" (#124001, @kerthcet) [SIG Scheduling]
- Currently, the NodeAdded QueueingHint is not always called because of an internal feature called preCheck. This is not something plugin developers would expect, and we're trying to eventually remove preCheck completely to fix this. Until then, we'll register the UpdateNodeTaint event for plugins that have the NodeAdded event but don't have the UpdateNodeTaint event. This has a negative impact on requeuing efficiency, but that is a lot better than some Pods being stuck in the unschedulable pod pool. (#122292, @sanposhiho) [SIG Node, Scheduling, Storage and Testing]
- Fix enabling consistent list from watch cache also works for resourceVersion=0 (#123676, @serathius) [SIG API Machinery]
- Kube-apiserver: fixes a 1.27+ regression in watch stability by serving watch requests without a resourceVersion from the watch cache by default, as in <1.27 (disabling the change in #115096 by default). This mitigates the impact of an etcd watch bug (etcd-io/etcd#17555). If the 1.27 change in #115096 to serve these requests from underlying storage is still desired despite the impact on watch stability, it can be re-enabled with a `WatchFromStorageWithoutResourceVersion` feature gate. (#123935, @serathius) [SIG API Machinery and Etcd]
Nothing has changed.
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- A new (alpha) field, `trafficDistribution`, has been added to the Service `spec`. This field provides a way to express preferences for how traffic is distributed to the endpoints for a Service. It can be enabled through the `ServiceTrafficDistribution` feature gate. (#123487, @gauravkghildiyal) [SIG API Machinery, Apps and Network]
- Add alpha-level support for the SuccessPolicy in Jobs (#123412, @tenzen-y) [SIG API Machinery, Apps and Testing]
- Added (alpha) support for the managedBy field on Jobs. Jobs with a custom value of this field - any value other than `kubernetes.io/job-controller` - are skipped by the job controller, and their reconciliation is delegated to an external controller, indicated by the value of the field. Jobs that don't have this field at all, or where the field value is the reserved string `kubernetes.io/job-controller`, are reconciled by the built-in job controller. (#123273, @mimowo) [SIG API Machinery, Apps and Testing]
- Added an alpha feature, behind the `RelaxedEnvironmentVariableValidation` feature gate. When that gate is enabled, Kubernetes allows almost all printable ASCII characters to be used in the names of environment variables for containers in Pods. (#123385, @HirazawaUi) [SIG Apps, Node and Testing]
- Added alpha support for field selectors on custom resources. Provided that the `CustomResourceFieldSelectors` feature gate is enabled, the CustomResourceDefinition API now lets you specify `selectableFields`. Listing a field there allows filtering custom resources for that CustomResourceDefinition in list or watch requests. (#122717, @jpbetz) [SIG API Machinery]
- Added support for configuring multiple JWT authenticators in Structured Authentication Configuration. The maximum allowed JWT authenticators in the authentication configuration is 64. (#123431, @aramase) [SIG Auth and Testing]
- Aggregated discovery supports both v2beta1 and v2 types and the feature is promoted to GA (#122882, @Jefftree) [SIG API Machinery and Testing]
- Allowing container runtimes to fix an image garbage collection bug by adding an `image_id` field to the CRI Container message. (#123508, @saschagrunert) [SIG Node]
- AppArmor profiles can now be configured through fields on the PodSecurityContext and container SecurityContext.
  - The beta AppArmor annotations are deprecated.
  - AppArmor status is no longer included in the node ready condition (#123435, @tallclair) [SIG API Machinery, Apps, Auth, Node and Testing]
- Conflicting issuers between JWT authenticators and service account config are now detected and fail on API server startup. Previously such a config would run but would be inconsistently effective depending on the credential. (#123561, @enj) [SIG API Machinery and Auth]
- Dynamic Resource Allocation: DRA drivers may now use "structured parameters" to let the scheduler handle claim allocation. (#123516, @pohly) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Instrumentation, Node, Release, Scheduling, Storage and Testing]
- Graduated pod scheduling gates to general availability. The `PodSchedulingReadiness` feature gate no longer has any effect, and the `.spec.schedulingGates` field is always available within the Pod and PodTemplate APIs. (#123575, @Huang-Wei) [SIG API Machinery, Apps, Node, Scheduling and Testing]
- Graduated support for `minDomains` in pod topology spread constraints, to general availability. The `MinDomainsInPodTopologySpread` feature gate no longer has any effect, and the field is always available within the Pod and PodTemplate APIs. (#123481, @sanposhiho) [SIG API Machinery, Apps, Scheduling and Testing]
- JWT authenticator config set via the --authentication-config flag is now dynamically reloaded as the file changes on disk. (#123525, @enj) [SIG API Machinery, Auth and Testing]
- Kube-apiserver: the AuthenticationConfiguration type accepted in `--authentication-config` files has been promoted to `apiserver.config.k8s.io/v1beta1`. (#123696, @aramase) [SIG API Machinery, Auth and Testing]
- Kube-apiserver: the AuthorizationConfiguration type accepted in `--authorization-config` files has been promoted to `apiserver.config.k8s.io/v1beta1`. (#123640, @liggitt) [SIG Auth and Testing]
- Kubelet should fail if NodeSwap is used with LimitedSwap and cgroupv1 node. (#123738, @kannon92) [SIG API Machinery, Node and Testing]
- Kubelet: a custom root directory for pod logs (instead of default /var/log/pods) can be specified using the `podLogsDir` key in kubelet configuration. (#112957, @mxpv) [SIG API Machinery, Node, Scalability and Testing]
- Kubelet: the `.memorySwap.swapBehavior` field in kubelet configuration accepts a new value `NoSwap` and makes this the default if unspecified; the previously accepted `UnlimitedSwap` value has been dropped. (#122745, @kannon92) [SIG API Machinery, Node and Testing]
- OIDC authentication will now fail if the username asserted based on a CEL expression config is the empty string. Previously the request would be authenticated with the username set to the empty string. (#123568, @enj) [SIG API Machinery, Auth and Testing]
- PodSpec API: remove note that hostAliases are not supported on hostNetwork Pods. The feature has been supported since v1.8. (#122422, @neolit123) [SIG API Machinery and Apps]
- Promote AdmissionWebhookMatchConditions to GA. The feature is now stable and the feature gate is now locked to default. (#123560, @ivelichkovich) [SIG API Machinery and Testing]
- Structured Authentication Configuration now supports `DiscoveryURL`. `discoveryURL`, if specified, overrides the URL used to fetch discovery information. This is for scenarios where the well-known and jwks endpoints are hosted at a different location than the issuer (such as locally in the cluster). (#123527, @aramase) [SIG API Machinery, Auth and Testing]
- Support Recursive Read-only (RRO) mounts (KEP-3857) (#123180, @AkihiroSuda) [SIG API Machinery, Apps, Node and Testing]
- The StructuredAuthenticationConfiguration feature is now beta and enabled by default. (#123719, @enj) [SIG API Machinery and Auth]
- The `StorageVersionMigration` API, which was previously available as a Custom Resource Definition (CRD), is now a built-in API in Kubernetes. (#123344, @nilekhc) [SIG API Machinery, Apps, Auth, CLI and Testing]
- The kubernetes repo now uses Go workspaces. This should not impact end users at all, but does have impact for developers of downstream projects. Switching to workspaces caused some breaking changes in the flags to the various k8s.io/code-generator tools. Downstream consumers should look at staging/src/k8s.io/code-generator/kube_codegen.sh to see the changes. (#123529, @thockin) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Storage and Testing]
- ValidatingAdmissionPolicy is promoted to GA and will be enabled by default. (#123405, @cici37) [SIG API Machinery, Apps, Auth and Testing]
- When configuring a JWT authenticator:
  - If username.expression uses 'claims.email', then 'claims.email_verified' must be used in username.expression or extra[].valueExpression or claimValidationRules[].expression. An example claim validation rule expression that matches the validation automatically applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'. (#123737, @enj) [SIG API Machinery and Auth]
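
The JWT authenticator rules from the items above (the `claims.email` / `claims.email_verified` requirement, `discoveryURL`, and multiple authenticators in one `apiserver.config.k8s.io/v1beta1` file), shown as an added configuration example that is not taken from the Kubernetes project. The issuer URLs, audiences and the A/B file labels are placeholders, and the listing holds two separate `--authentication-config` files, not one multi-document file.

```yaml
# ---- File A (constructed): fails validation ----
# username.expression reads claims.email, but no expression in this
# authenticator references claims.email_verified.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
    url: https://idp.example.com              # placeholder issuer
    audiences:
    - kube-apiserver.example                  # placeholder audience
  claimMappings:
    username:
      expression: 'claims.email'
---
# ---- File B (constructed): passes validation ----
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
# Authenticator 1: e-mail as username, with the verification rule in place.
- issuer:
    url: https://idp.example.com
    audiences:
    - kube-apiserver.example
  claimValidationRules:
  # The example rule from the release note, compared with true so the
  # result of the expression is explicitly a boolean.
  - expression: 'claims.?email_verified.orValue(true) == true'
    message: email_verified must not be false
  claimMappings:
    username:
      # An empty result here now fails authentication instead of
      # authenticating a user with an empty name.
      expression: 'claims.email'
# Authenticator 2: up to 64 authenticators may be listed; each needs
# its own issuer URL.
- issuer:
    url: https://issuer.internal.example
    # Discovery and JWKS are served from a different location than the issuer.
    discoveryURL: https://oidc.kube-system.svc.example/.well-known/openid-configuration
    audiences:
    - batch-jobs.example
  claimMappings:
    username:
      claim: sub
      prefix: 'internal:'
```
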
- Added `access_mode` label to `volume_manager_selinux_*` metrics. (#123667, @jsafrane) [SIG Node, Storage and Testing]
- Added `client-go` support for upgrading subresource fields from client-side to server-side management (#123484, @erikgb) [SIG API Machinery]
- Added apiserver_watch_cache_read_wait metric to measure watch cache impact on request latency. (#123190, @padlar) [SIG API Machinery and Instrumentation]
- Adds new flag, namely `custom`, in kubectl debug to let users customize pre-defined profiles. (#120346, @ardaguclu) [SIG CLI]
- Bump cAdvisor to v0.49.0 (#123599, @bobbypage) [SIG Node]
- Embed Node information into Pod-bound service account tokens as additional metadata
- Feature gates for RemoteCommand (kubectl exec, cp, and attach) over WebSockets are now enabled by default (Beta).
  - Server-side feature gate: TranslateStreamCloseWebsocketRequests
  - Client-side (kubectl) feature gate: KUBECTL_REMOTE_COMMAND_WEBSOCKETS
  - To turn off RemoteCommand over WebSockets for kubectl, the environment variable feature gate must be explicitly set - KUBECTL_REMOTE_COMMAND_WEBSOCKETS=false (#123281, @seans3) [SIG API Machinery, CLI and Testing]
- Graduated HorizontalPodAutoscaler support for per-container metrics to stable. (#123482, @sanposhiho) [SIG API Machinery, Apps and Autoscaling]
- Graduated forensic container checkpointing KEP #2008 from Alpha to Beta. (#123215, @adrianreber) [SIG Node and Testing]
- In the Pod API, setting the alpha `procMount` field to `Unmasked` in a container now requires setting `spec.hostUsers=false` as well. (#123520, @haircommander) [SIG Apps, Auth and Testing]
- InitContainer's image location will be considered in scheduling when prioritizing nodes. (#123366, @kerthcet) [SIG Scheduling]
- It is possible to configure the IDs that the Kubelet uses to create user namespaces. User namespaces support is a Beta feature now. (#123593, @giuseppe) [SIG Node]
- Kube-apiserver now reports latency metric for JWT authenticator authenticate token decisions in the `apiserver_authentication_jwt_authenticator_latency_seconds` metric, labeled by jwtIssuer hash and result. (#123225, @aramase) [SIG API Machinery and Auth]
- Kube-apiserver now reports the following metrics for authorization webhook match conditions:
  - `apiserver_authorization_match_condition_evaluation_errors_total` counter metric labeled by authorizer type and name
  - `apiserver_authorization_match_condition_exclusions_total` counter metric labeled by authorizer type and name
  - `apiserver_authorization_match_condition_evaluation_seconds` histogram metric labeled by authorizer type and name (#123611, @ritazh) [SIG API Machinery, Auth and Testing]
- Kube-apiserver: Authorization webhooks now report the following metrics:
- Kube-apiserver: JWT authenticator now report the following metrics:
- Kube-apiserver: the StructuredAuthorizationConfiguration feature gate is promoted to beta and allows using the `--authorization-configuration` flag (#123641, @liggitt) [SIG API Machinery and Auth]
- Kube-controller-manager: increase the global level for broadcaster's logging to 3 so that users can ignore event messages by lowering the logging level. It reduces information noise. (#122293, @mengjiao-liu) [SIG API Machinery, Apps, Autoscaling, Network, Node, Scheduling, Storage and Testing]
- Kubeadm: add the WaitForAllControlPlaneComponents feature gate. It can be used to tell kubeadm to wait for all control plane components to be ready when running "kubeadm init" or "kubeadm join --control-plane". Currently kubeadm only waits for the kube-apiserver. The "kubeadm join" workflow now includes a new experimental phase called "wait-control-plane". This phase will be marked as non-experimental when WaitForAllControlPlaneComponents becomes GA. Accordingly a "kubeadm init" phase "wait-control-plane" will also be available once WaitForAllControlPlaneComponents becomes GA. These phases can be skipped if the user prefers to not wait for the control plane components. (#123341, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: print all the kubelets and nodes that need to be upgraded on "upgrade plan". (#123578, @carlory) [SIG Cluster Lifecycle]
- Kubectl port-forward over websockets (tunneling SPDY) can be enabled using an `Alpha` feature flag environment variable: KUBECTL_PORT_FORWARD_WEBSOCKETS=true. The API Server being communicated to must also have an `Alpha` feature flag enabled: PortForwardWebsockets. (#123413, @seans3) [SIG API Machinery, CLI, Node and Testing]
- Kubernetes is now built with go 1.22.1 (#123750, @cpanato) [SIG Release and Testing]
- Node podresources API now includes init containers with containerRestartPolicy of `Always` when `SidecarContainers` feature is enabled. (#120718, @gjkim42) [SIG Node and Testing]
- Promote ImageMaximumGCAge feature to beta (#123424, @haircommander) [SIG Node and Testing]
- Promote PodHostIPs condition to GA and lock to default. (#122870, @wzshiming) [SIG Apps, Network, Node and Testing]
- Target drop-in kubelet configuration dir feature to Beta (#122907, @sohankunkerkar) [SIG Node and Testing]
- The Kubelet rejects creating the pod if hostUserns=false and the CRI runtime does not support user namespaces. (#123216, @giuseppe) [SIG Node]
- The watch cache waits until it is at least as fresh as given requestedWatchRV if sendInitialEvents was requested. (#122830, @p0lyn0mial) [SIG API Machinery, Network and Testing]
- ValidatingAdmissionPolicy now excludes TokenReview, SelfSubjectReview, LocalSubjectAccessReview, and SubjectAccessReview from all versions of the authentication.k8s.io and authorization.k8s.io groups. (#123543, @jiahuif) [SIG API Machinery and Testing]
- `kubectl get job` now displays the status for the listed jobs. (#123226, @ivanvc) [SIG Apps and CLI]
- Adds the namespace when using 'kubectl logs ' and the pod is not found. Previously the message returned would be 'Error from server (NotFound): pods "my-pod-name" not found'. This has been updated to reflect the namespace in the message as follows: 'Error from server (NotFound): pods "my-pod-name" not found in namespace "default"' (#120111, @newtondev) [SIG CLI]
- DRA: ResourceClaim and PodSchedulingContext status updates no longer allow changing object meta data. (#123730, @pohly) [SIG Node]
- Fix CEL estimated cost for expressions that perform operations on the result of `map()` operations (e.g. `.map(...).exists(...)`) to have the correct estimated cost instead of an unbounded cost. (#123562, @jpbetz) [SIG API Machinery, Auth and Cloud Provider]
- Fix node lifecycle controller panic when conditionType ready is patched to nil by mistake (#122874, @fusida) [SIG Apps, Network and Node]
- Fix non-recursive list returning "resource version too high" error when consistent list from cache is enabled (#123674, @serathius) [SIG API Machinery]
- Fixed a bug where an init container with containerRestartPolicy `Always` could not update its state from terminated to non-terminated for a pod with restartPolicy `Never` or `OnFailure`. (#123323, @gjkim42) [SIG Apps and Node]
- Fixed incorrect syncCronJob error logging. (#122493, @mengjiao-liu) [SIG Apps]
- Fixed the disruption controller's PDB status synchronization to maintain all PDB conditions during an update. (#122056, @dhenkel92) [SIG Apps]
- Fixes bug where providing a fieldpath to a CRD Validation Rule would erroneously affect the reported field path of other unrelated CRD Validation Rules on the same schema (#123475, @alexzielenski) [SIG API Machinery]
- JWTs used in service account and OIDC authentication are now strictly parsed to confirm that they use compact serialization. Other encodings were not previously accepted, but would result in different unspecific errors. (#123540, @enj) [SIG API Machinery and Auth]
- Kubeadm: in the new output API "output.kubeadm.k8s.io/v1alpha3" modify the UpgradePlan structure that is used when calling "kubeadm upgrade plan ... -o yaml|json", to include a list of multiple available upgrades. (#123461, @carlory) [SIG Cluster Lifecycle]
- Kubeadm: avoid uploading a defaulted flag value "--authorization-mode=Node,RBAC" for the kube-apiserver in the ClusterConfiguration stored in the "kube-system/kubeadm-config" ConfigMap. "Node,RBAC" are already the kubeadm defaults for this flag, so this action is redundant. (#123555, @neolit123) [SIG Cluster Lifecycle]
- OpenAPI V2 will no longer publish aggregated apiserver OpenAPI for group-versions not matching the APIService specified group version (#123570, @Jefftree) [SIG API Machinery]
- Prevent watch cache starvation by moving its watch to separate RPC and add a SeparateCacheWatchRPC feature flag to disable this behavior (#123532, @serathius) [SIG API Machinery]
- The initialization of nodes using external cloud-providers now waits for the providerID value to be available before declaring the node ready. This is required because previously, if there were errors of communication with the cloud-provider on the cloud-controller-manager, nodes may have been declared Ready without having this field or the zone labels, and the information was never reconciled. The providerID and the zone labels are required for integrations like loadbalancers to work correctly. Users still can opt-out to this new behavior by setting the feature flag OptionalProviderID in the cloud-controller-manager. (#123331, @aojea) [SIG API Machinery, Cloud Provider and Testing]
- The initialization of nodes using external cloud-providers now waits for the providerID value to be available before untainting it. This is required because, if there are communication errors with the cloud-provider on the cloud-controller-manager, nodes may have been declared Ready without having this field or the zone labels, and this information was never reconciled. The providerID and the zone labels are required for integrations like loadbalancers to work correctly. Cloud providers that do not implement the `GetInstanceProviderID` method will not require the providerID to be set and will not fail to initialize the node for backward compatibility issues. (#123713, @aojea) [SIG Cloud Provider]
- Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786 (#123758, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]
- [kubeadm][structured authz] avoid setting default `--authorization-mode` when `--authorization-config` is provided (#123654, @LiorLieberman) [SIG Cluster Lifecycle]
- Accept zero as a default value for kubectl create token duration (#123565, @ah8ad3) [SIG CLI]
- Update kubedns and nodelocaldns to v1.23.0 (#123310, @bzsuni) [SIG Cloud Provider]
- github.com/pkg/diff: 20ebb0f
- golang.org/x/telemetry: b75ee88
- k8s.io/gengo/v2: 51d4e06
- github.com/docker/docker: v20.10.24+incompatible → v20.10.27+incompatible
- github.com/golang/protobuf: v1.5.3 → v1.5.4
- github.com/google/cadvisor: v0.48.1 → v0.49.0
- github.com/google/cel-go: v0.17.7 → v0.17.8
- golang.org/x/mod: v0.14.0 → v0.15.0
- golang.org/x/net: v0.19.0 → v0.21.0
- golang.org/x/sync: v0.5.0 → v0.6.0
- golang.org/x/tools: v0.16.1 → v0.18.0
- google.golang.org/protobuf: v1.31.0 → v1.33.0
- k8s.io/kube-openapi: 778a556 → 70dd376
- k8s.io/gengo: 9cce18d
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Added a CBOR implementation of `runtime.Serializer`. Until CBOR graduates to Alpha, API servers will refuse to start if configured with CBOR support. (#122881, @benluddy) [SIG API Machinery]
- Added audienceMatchPolicy field to AuthenticationConfiguration and support for configuring multiple audiences.
- Contextual logging is now beta and enabled by default. (#122589, @pohly) [SIG Instrumentation]
- Cri-api: KEP-3857: Recursive Read-only (RRO) mounts (#123272, @AkihiroSuda) [SIG Node]
- Enabled a mechanism for concurrent log rotation via `kubelet` using a configuration entity of `containerLogMaxWorkers`, which controls the maximum number of concurrent rotations that can be performed, and an interval configuration of `containerLogMonitorInterval` that can aid in configuring the monitoring duration to best suit your cluster's log generation standards. (#114301, @harshanarayana) [SIG API Machinery, Node and Testing]
- Text logging in Kubernetes components now uses textlogger. The same split streams of info and error log entries with buffering of info entries is now also supported for text output (off by default, alpha feature). Previously, this was only supported for JSON. Performance is better also without split streams. (#114672, @pohly) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Storage and Testing]
- This change adds the following CLI option for `kube-controller-manager`: `disable-force-detach` (defaults to `false`): Prevent force detaching volumes based on maximum unmount time and node status. If enabled, the non-graceful node shutdown feature must be used to recover from node failure (see https://kubernetes.io/blog/2023/08/16/kubernetes-1-28-non-graceful-node-shutdown-ga/). If enabled and a pod must be forcibly terminated at the risk of corruption, then the appropriate VolumeAttachment object (see here: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1/) must be deleted. (#120344, @rohitssingh) [SIG API Machinery, Apps, Storage and Testing]
- A new kubelet metric image_pull_duration_seconds is added. The metric tracks the duration (in seconds) it takes for an image to be pulled, including the time spent in the waiting queue of image puller. The metric is broken down by bucketed image size. (#121719, @ruiwen-zhao) [SIG Instrumentation and Node]
- A new metric `lifecycle_handler_sleep_terminated_total` is added to record how many times LifecycleHandler sleep got unexpectedly terminated. (#122456, @AxeZhan) [SIG Node and Testing]
- Add "reason" field to image_garbage_collected_total metric, so admins can differentiate images that were collected for reason "age" vs "space" (#123345, @haircommander) [SIG Node]
- Add feature gate `MutatingAdmissionPolicy` for enabling mutation policy in admission chain. (#123425, @cici37) [SIG API Machinery]
- Add kubelet metrics to track the memory manager allocation and pinning (#121778, @Tal-or) [SIG Node and Testing]
- Added support for cloud provider integrations to supply optional, per-Node custom labels that will be applied to Nodes by the node controller. Extra labels will only be applied where the cloud provider integration implements this. (#123223, @mmerkes) [SIG Cloud Provider]
- Kube-apiserver now reloads the `--authorization-config` file when it changes. Reloads increment the `apiserver_authorization_config_controller_automatic_reload_last_timestamp_seconds` timestamp metric, with `status="success"` for successful reloads and `status="failed"` for failed reloads. Failed reloads keep using the previously loaded authorization configuration. (#121946, @liggitt) [SIG API Machinery, Auth and Testing]
- Kube-apiserver now reports metrics for authorization decisions in the `apiserver_authorization_decisions_total` metric, labeled by authorizer type, name, and decision. (#123333, @liggitt) [SIG API Machinery, Auth and Testing]
- Kubeadm: add support for machine readable output with "-o yaml" and "-o json" to the command "kubeadm certs check-expiration". This change is added in a new API "kind": "CertificateExpirationInfo", "apiVersion": "output.kubeadm.k8s.io/v1alpha3". The existing non structured formatting is preserved. The output API version v1alpha2 is now deprecated and will be removed in a future release. Please migrate to using v1alpha3. (#123372, @carlory) [SIG Cluster Lifecycle]
- LoadBalancerIPMode feature is now marked as Beta (#123418, @rikatz) [SIG Network and Testing]
- New alpha feature gate `SELinuxMount` can be used to speed up SELinux relabeling of volumes. (#123157, @jsafrane) [SIG Node and Storage]
- NewVolumeManagerReconstruction feature is now GA. (#123442, @jsafrane) [SIG Node]
- Promoted the `CRDValidationRatcheting` feature gate to beta, and made it enabled by default. (#121461, @alexzielenski) [SIG API Machinery and Testing]
- Update ImageGCMaxAge behavior in the kubelet to wait the MaxAge duration after the kubelet has restarted before garbage collecting (#123343, @haircommander) [SIG Node and Testing]
- When the RetryGenerateName feature gate is enabled on the kube-apiserver, create requests using generateName are retried automatically by the apiserver when the generated name conflicts with an existing resource name, up to a max limit of 7 retries. This feature is in alpha. (#122887, @jpbetz) [SIG API Machinery]
- Add a new internal metric in the kubelet that allows developers to understand the source of latency problems on node startups: kubelet_first_network_pod_start_sli_duration_seconds (#121720, @aojea) [SIG Instrumentation, Network and Node]
- DRA: fixed potential data race with no known real-world implications. (#123222, @pohly) [SIG Node]
- Fix bug where health check could pass while APIServices are missing from aggregated discovery (#122883, @Jefftree) [SIG API Machinery and Testing]
- Fixed an issue where a JWT authenticator configured via --authentication-config would fail to verify tokens that were not signed using RS256. (#123282, @enj) [SIG API Machinery, Auth and Testing]
- Improves scheduler performance when no scoring plugins are defined. (#123384, @aleksandra-malinowska) [SIG Scheduling]
- Kubeadm: fix a bug during kubeadm upgrade, where it is not possible to mount a new device and create a symbolic link for /etc/kubernetes (or a sub-directory) so that kubeadm stores its information on the mounted device. (#123406, @SataQiu) [SIG Cluster Lifecycle]
- Kubeadm: fix a bug where "kubeadm upgrade plan -o yaml|json" includes unneeded output and was missing component config information. (#123492, @carlory) [SIG Cluster Lifecycle]
- Patches a leak of a discovery document that would occur when an Aggregated APIService changed its Spec.Service field and did not change it back. (#123517, @Jefftree) [SIG API Machinery]
- Restore --verify-only function in code generation wrappers. (#123261, @skitt) [SIG API Machinery]
- Sample-apiserver manifest example will have correct RBAC (#123479, @Jefftree) [SIG API Machinery and Testing]
- An optimization is implemented to reduce stack memory usage for watch requests. It can be disabled with the feature gate: APIServingWithRoutine=false (#120902, @linxiulei) [SIG API Machinery]
- Kubeadm: make sure that a variety of API server requests are retried during "init", "join", "upgrade", "reset" workflows. Prior to this change some API server requests, such as, creating or updating ConfigMaps were "one-shot" - i.e. they could fail if the API server dropped connectivity for a very short period of time. (#123271, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: the bridge-nf-call-iptables=1 and bridge-nf-call-ip6tables=1 preflight checks are removed since not all the network implementations require this setting, network plugins are responsible for setting this correctly depending on whether or not they connect containers to Linux bridges or use some other mechanism. (#123464, @SataQiu) [SIG Cluster Lifecycle]
- Upgrade metrics server to v0.7.0 (#123504, @pacoxu) [SIG Cloud Provider and Instrumentation]
Nothing has changed.
- github.com/fxamacker/cbor/v2: v2.5.0 → v2.6.0
- golang.org/x/crypto: v0.16.0 → v0.19.0
- golang.org/x/sys: v0.15.0 → v0.17.0
- golang.org/x/term: v0.15.0 → v0.17.0
Nothing has changed.
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Removed the `SecurityContextDeny` admission plugin, deprecated since v1.27. The Pod Security Admission plugin, available since v1.25, is recommended instead. See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny for more information. (#122612, @mtardy) [SIG Auth, Security and Testing]
- Updated an audit annotation key used by the `…/serviceaccounts/<name>/token` resource handler. The annotation used to persist the issued credential identifier is now `authentication.kubernetes.io/issued-credential-id`. (#123098, @munnerz) [SIG Auth]
- Add apiserver.latency.k8s.io/decode-response-object annotation to the audit log to record the decoding time (#121512, @HirazawaUi) [SIG API Machinery]
- Added apiserver_encryption_config_controller_automatic_reloads_total to measure total number of reload successes and failures of encryption configuration. This metric contains the `status` label with enum value of `success` and `failure`.
- Allow a zero value for the 'nominalConcurrencyShares' field of the PriorityLevelConfiguration object either using the flowcontrol.apiserver.k8s.io/v1 or flowcontrol.apiserver.k8s.io/v1beta3 API (#123001, @tkashem) [SIG API Machinery]
- Graduated support for passing dual-stack `kubelet --node-ip` values when using a cloud provider. The feature is now GA and the `CloudDualStackNodeIPs` feature gate is always enabled. (#123134, @danwinship) [SIG API Machinery, Cloud Provider and Node]
- Kubernetes is now built with go 1.22 (#123217, @cpanato) [SIG Release and Testing]
- The scheduler retries Pods, which are failed by nodevolumelimits due to not found PVCs, only when new PVCs are added. (#121952, @sanposhiho) [SIG Scheduling and Storage]
- Update distroless-iptables to v0.5.0, debian-base to bookworm-v1.0.1 and setcap to bookworm-v1.0.1 (#123170, @cpanato) [SIG API Machinery, Architecture, Cloud Provider, Release, Storage and Testing]
- Users can traverse all the pods that are in the scheduler and waiting in the permit stage through method `IterateOverWaitingPods`. In other words, all waitingPods in scheduler can be obtained from any profiles. Before this commit, each profile could only obtain waitingPods within that profile. (#122946, @NoicFank) [SIG Scheduling]
- ValidatingAdmissionPolicy now supports type checking policies that make use of `variables`. (#123083, @jiahuif) [SIG API Machinery]
- Fix Pod stuck in Terminating because of GenerateUnmapVolumeFunc missing globalUnmapPath when kubelet tries to clean up all volumes that failed reconstruction. (#123032, @carlory) [SIG Storage]
- Fix deprecated version for pod_scheduling_duration_seconds that caused the metric to be hidden by default in 1.29. (#123038, @alculquicondor) [SIG Instrumentation and Scheduling]
- Fix error when trying to expand a volume that does not require node expansion (#123055, @gnufied) [SIG Node and Storage]
- Fix the following volume plugins may not create user visible files after kubelet was restarted.
- Fixed cleanup of Pod volume mounts when a file was used as a subpath. (#123052, @jsafrane) [SIG Node]
- Fixes an issue calculating total CPU usage reported for Windows nodes (#122999, @marosset) [SIG Node and Windows]
- Fixing issue where AvailableBytes sometimes does not report correctly on WindowsNodes when PodAndContainerStatsFromCRI feature is enabled. (#122846, @marosset) [SIG Node and Windows]
- Kubeadm: do not upload kubelet patch configuration into `kube-system/kubelet-config` ConfigMap (#123093, @SataQiu) [SIG Cluster Lifecycle]
- Kubeadm: fix a bug where the --rootfs global flag does not work with "kubeadm upgrade node" for control plane nodes. (#123077, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: kubelet-finalize phase of "kubeadm init" no longer requires kubelet kubeconfig to have a specific authinfo (#123171, @vrutkovs) [SIG Cluster Lifecycle]
- Show enum values in kubectl explain if they were defined (#123023, @ah8ad3) [SIG CLI]
- Build etcd image v3.5.12 (#123069, @bzsuni) [SIG API Machinery and Etcd]
- Fix registered wildcard clusterEvents doesn't work in scheduler requeueing. (#123117, @kerthcet) [SIG Scheduling]
- Promote feature-gate LegacyServiceAccountTokenCleanUp to GA and lock to default (#122635, @carlory) [SIG API Machinery, Auth and Testing]
- Update etcd to version 3.5.12 (#123150, @bzsuni) [SIG API Machinery, Cloud Provider, Cluster Lifecycle and Testing]
- github.com/opencontainers/runc: v1.1.11 → v1.1.12
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.28.0 → v0.29.0
Nothing has changed.
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
- Kubectl: remove deprecated flag prune-whitelist for apply, use flag prune-allowlist instead. (#120246, @pacoxu) [SIG CLI and Testing]
- Add CEL library for IP Addresses and CIDRs. This will not be available for use until 1.31. (#121912, @JoelSpeed) [SIG API Machinery]
- Added to MutableFeatureGate the ability to override the default setting of feature gates, to allow default-enabling a feature on a component-by-component basis instead of for all affected components simultaneously. (#122647, @benluddy) [SIG API Machinery and Cluster Lifecycle]
- Adds a rule on the kube_codegen tool to ignore vendor folder during the code generation. (#122729, @jparrill) [SIG API Machinery and Cluster Lifecycle]
- Allow users to mutate FSGroupPolicy and PodInfoOnMount in CSIDriver.Spec (#116209, @haoruan) [SIG API Machinery, Storage and Testing]
- Client-go events: `NewEventBroadcasterAdapterWithContext` should be used instead of `NewEventBroadcasterAdapter` if the goal is to support contextual logging. (#122142, @pohly) [SIG API Machinery, Instrumentation and Scheduling]
- Fixes accidental enablement of the new alpha `optionalOldSelf` API field in CustomResourceDefinition validation rules, which should only be allowed to be set when the CRDValidationRatcheting feature gate is enabled. (#122329, @jpbetz) [SIG API Machinery]
- Implement `prescore` extension point for `volumeBinding` plugin. Return skip if it doesn't do anything in Score. (#115768, @AxeZhan) [SIG Scheduling, Storage and Testing]
- Resource.k8s.io/ResourceClaim (alpha API): the strategic merge patch strategy for the `status.reservedFor` array was changed such that a strategic-merge-patch can add individual entries. This breaks clients using strategic merge patch to update status which rely on the previous behavior (replacing the entire array). (#122276, @pohly) [SIG API Machinery]
- When scheduling a mixture of pods using ResourceClaims and others which don't, scheduling a pod with ResourceClaims impacts scheduling latency less. (#121876, @pohly) [SIG API Machinery, Node, Scheduling and Testing]
- Add Timezone column in the output of kubectl get cronjob command (#122231, @ardaguclu) [SIG CLI]
- Add `WatchListClient` feature gate to `client-go`. When enabled it allows the client to get a stream of individual items instead of chunking from the server. (#122571, @p0lyn0mial) [SIG API Machinery]
- Add process_start_time_seconds to /metrics/slis endpoint of all components (#122750, @Richabanker) [SIG Architecture, Instrumentation and Testing]
- Adds exec-interactive-mode and exec-provide-cluster-info flags in kubectl config set-credentials command (#122023, @ardaguclu) [SIG CLI]
- Allow scheduling framework plugins that implement io.Closer to be gracefully closed. (#122498, @Gekko0114) [SIG Scheduling]
- Change --nodeport-addresses behavior to default to "primary node IP(s) only" rather than "all node IPs". (#122724, @nayihz) [SIG Network and Windows]
- Etcd: build image for v3.5.11 (#122233, @mzaian) [SIG API Machinery]
- Informers now support adding Indexers after the informer starts (#117046, @howardjohn) [SIG API Machinery]
- Introduce a feature gate mechanism to client-go. Depending on the actual implementation, users can control features via environmental variables or command line options. (#122555, @p0lyn0mial) [SIG API Machinery]
- Kube-scheduler implements scheduling hints for the NodeAffinity plugin. The scheduling hints allow the scheduler to only retry scheduling a Pod that was previously rejected by the NodeAffinity plugin if a new Node or a Node update matches the Pod's node affinity. (#122309, @carlory) [SIG Scheduling]
- Kube-scheduler implements scheduling hints for the NodeResourceFit plugin. The scheduling hints allow the scheduler to only retry scheduling a Pod that was previously rejected by the NodeResourceFit plugin if a new Node or a Node update matches the Pod's resource requirements or if an old pod update or delete matches the Pod's resource requirements. (#119177, @carlory) [SIG Scheduling]
- Kube-scheduler implements scheduling hints for the NodeUnschedulable plugin. The scheduling hints allow the scheduler to only retry scheduling a Pod that was previously rejected by the NodeSchedulable plugin if a new Node or a Node update sets .spec.unschedulable to false. (#122334, @carlory) [SIG Scheduling]
- Kube-scheduler implements scheduling hints for the PodTopologySpread plugin. The scheduling hints allow the scheduler to retry scheduling a Pod that was previously rejected by the PodTopologySpread plugin when a related Pod, or a node which matches the topologyKey, is created, deleted or updated. (#122195, @nayihz) [SIG Scheduling]
- Kubeadm: add better handling of errors during unmount when calling "kubeadm reset". When failing to unmount directories under "/var/run/kubelet", kubeadm will now throw an error instead of showing a warning and continuing to cleanup said directory. In such situations it is better for you to inspect the problem and resolve it manually, then you can call "kubeadm reset" again to complete the cleanup. (#122530, @neolit123) [SIG Cluster Lifecycle]
- Kubectl debug: add sysadmin profile (#119200, @eiffel-fl) [SIG CLI and Testing]
- Kubernetes is now built with Go 1.21.6 (#122705, @cpanato) [SIG Architecture, Release and Testing]
- Kubernetes is now built with go 1.22rc2 (#122889, @cpanato) [SIG Release and Testing]
- Print more information when kubectl describe a VolumeAttributesClass (#122640, @carlory) [SIG CLI]
- Promote KubeProxyDrainingTerminatingNodes to Beta (#122914, @alexanderConstantinescu) [SIG Network]
- Promote feature gate StableLoadBalancerNodeSet to GA (#122961, @alexanderConstantinescu) [SIG API Machinery, Cloud Provider and Network]
- Scheduler skips NodeAffinity Score plugin when NodeAffinity Score plugin has nothing to do with a Pod. You might notice an increase in the metric plugin_execution_duration_seconds for extension_point=score plugin=NodeAffinity, because the plugin will only run when the plugin is relevant (#117024, @sanposhiho) [SIG Scheduling and Testing]
- The option `ignorable` of scheduler extender can skip errors in both filter and bind. (#122503, @sunbinnnnn) [SIG Scheduling]
- Update kubedns and nodelocaldns to release version 1.22.28 (#121908, @mzaian) [SIG Cloud Provider]
- Update some interfaces' signature in scheduler:
- When PreFilterResult filters out some Nodes, the scheduling framework assumes them as rejected via `UnschedulableAndUnresolvable`, that is, those nodes won't be in the candidates of the preemption process. Also, corrected how the scheduling framework handles Unschedulable status from PreFilter. Before this PR, if PreFilter returned `Unschedulable`, it may result in an unexpected abortion in the preemption, which shouldn't happen in the default scheduler, but may happen in schedulers with a custom plugin. (#119779, @sanposhiho) [SIG Scheduling]
- `kubectl describe`: added Suspend to job, and Node-Selectors and Tolerations to pod template output (#122618, @ivanvc) [SIG CLI]
- A deprecated flag `--pod-max-in-unschedulable-pods-duration` was initially planned to be removed in v1.26, but we have to change this plan. We found an issue in which Pods can be stuck in the unschedulable pod pool for 5 min, and using this flag is the only workaround for this issue. This issue only could happen if you use custom plugins or if you change plugin set being used in your scheduler via the scheduler config. (#122013, @sanposhiho) [SIG Scheduling]
- Fix delete pod declare no controller note. (#120159, @Ithrael) [SIG CLI]
- Add imagefs.inodesfree to default EvictionHard settings (#121834, @vaibhav2107) [SIG Node]
- Added metric name along with the utilization information when running kubectl get hpa (#122804, @sreeram-venkitesh) [SIG CLI]
- Allow deletion of pods that use raw block volumes on node reboot (#122211, @gnufied) [SIG Node and Storage]
- Changed the API server so that for admission webhooks that have a URL matching the hostname `localhost`, or a loopback IP address, the connection supports HTTP/2 where it can be negotiated. (#122558, @linxiulei) [SIG API Machinery and Testing]
- Etcd: Update to v3.5.11 (#122393, @mzaian) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
- Fix Windows credential provider cannot find binary. Windows credential provider binary path may have ".exe" suffix so it is better to use LookPath() to support it flexibly. (#120291, @lzhecheng) [SIG Cloud Provider]
- Fix an issue where kubectl apply could panic when imported as a library (#122346, @Jefftree) [SIG CLI]
- Fix panic of Evented PLEG during kubelet start-up (#122475, @pacoxu) [SIG Node]
- Fix resource deletion failure caused by quota calculation error when InPlacePodVerticalScaling is turned on (#122701, @carlory) [SIG API Machinery, Node and Testing]
- Fix the following volume plugins may not create user visible files after kubelet was restarted.
- Fix: Ignore unnecessary node events and improve daemonset controller performance. (#121669, @xigang) [SIG Apps]
- Fix: Mount point may become local without calling NodePublishVolume after node rebooting. (#119923, @cvvz) [SIG Node and Storage]
- Fixed a bug where kubectl drain would consider a pod as having been deleted if an error occurs while calling the API. (#122574, @brianpursley) [SIG CLI]
- Fixed a regression since 1.24 in the scheduling framework when overriding MultiPoint plugins (e.g. default plugins). The incorrect loop logic might lead to a plugin being loaded multiple times, consequently preventing any Pod from being scheduled, which is unexpected. (#122068, @caohe) [SIG Scheduling]
- Fixed migration of in-tree vSphere volumes to the CSI driver. (#122341, @jsafrane) [SIG Storage]
- Fixes a race condition in the iptables mode of kube-proxy in 1.27 and later that could result in some updates getting lost (e.g., when a service gets a new endpoint, the rules for the new endpoint might not be added until much later). (#122204, @danwinship) [SIG Network]
- Fixes bug in ValidatingAdmissionPolicy which caused policies using CRD params to not successfully sync (#123003, @alexzielenski) [SIG API Machinery and Testing]
- For statically provisioned PVs, if the volume source is CSI type or the PV has the migrated annotation, the PersistentVolume controller won't change its phase to the Failed state when it's deleted. With this patch, the external provisioner can remove the finalizer in the next reconcile loop. Unfortunately, if a previously existing PV is already in the Failed state, this patch won't take effect; users need to remove the finalizer themselves. (#122030, @carlory) [SIG Apps and Storage]
- If a pvc has an empty storageClassName, persistentvolume controller won't try to assign a default StorageClass (#122704, @carlory) [SIG Apps and Storage]
- Improves scheduler performance when no scoring plugins are defined. (#122058, @aleksandra-malinowska) [SIG Scheduling]
- Improves scheduler performance when no scoring plugins are defined. (#122435, @aleksandra-malinowska) [SIG Scheduling]
- Kube-proxy: fixed LoadBalancerSourceRanges not working for nftables mode (#122614, @tnqn) [SIG Network]
- Kubeadm: fix a regression in "kubeadm init" that caused a user-specified --kubeconfig file to be ignored. (#122735, @avorima) [SIG Cluster Lifecycle]
- Make decoding etcd's response respect the timeout context. (#121815, @HirazawaUi) [SIG API Machinery]
- QueueingHint implementation for NodeAffinity is reverted because we found potential scenarios where events that make Pods schedulable could be missed. (#122285, @sanposhiho) [SIG Scheduling]
- QueueingHint implementation for NodeUnschedulable is reverted because we found potential scenarios where events that make Pods schedulable could be missed. (#122288, @sanposhiho) [SIG Scheduling]
- Remove wrong warning event (FileSystemResizeFailed) during a pod creation if it uses a readonly volume and the capacity of the volume is greater or equal to its request storage. (#122508, @carlory) [SIG Storage]
- Reverts the EventedPLEG feature (beta, but disabled by default) back to alpha for a known issue (#122697, @pacoxu) [SIG Node]
- The scheduling queue didn't notice any extenders' failures, so it could miss some cluster events, and Pods rejected by Extenders could end up stuck in the unschedulable pod pool for 5 min in the worst-case scenario. Now, the scheduling queue notices extenders' failures and requeues Pods rejected by Extenders appropriately. (#122022, @sanposhiho) [SIG Scheduling]
- Use errors.Is() to handle err returned by LookPath() (#122600, @lzhecheng) [SIG Cloud Provider]
- ValidateVolumeAttributesClassUpdate also validates new vac object. (#122449, @carlory) [SIG Storage]
- When using a claim with immediate allocation and a pod referencing that claim couldn't get scheduled, the scheduler incorrectly may have tried to deallocate that claim. (#122415, @pohly) [SIG Node and Scheduling]
- Add warning for PV on reclaim policy when it is Recycle (#122339, @carlory) [SIG Storage]
- Cleanup: remove getStorageAccountName warning messages (#121983, @andyzhangx) [SIG Cloud Provider and Storage]
- Client-go: Optimized leaders renewing leases by updating leader lock optimistically without getting the record from the apiserver first. Also added a new metric `leader_election_slowpath_total` that allows users to monitor how many leader elections are updated non-optimistically. (#122069, @linxiulei) [SIG API Machinery, Architecture and Instrumentation]
- Kube-proxy nftables mode is now compatible with kernel 5.4 (#122296, @tnqn) [SIG Network]
- Kubeadm: improve the overall logic, error handling and output messages when waiting for the kubelet and API server /healthz endpoints to return 'ok'. The kubelet and API server checks no longer run in parallel, but one after another (in serial). (#121958, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: show the supported shell types of 'kubeadm completion' in the error message when an invalid shell was specified (#122477, @SataQiu) [SIG Cluster Lifecycle]
- Kubeadm: use `ttlSecondsAfterFinished` to automatically clean up the `upgrade-health-check` Job that runs during upgrade preflighting. (#122079, @carlory) [SIG Cluster Lifecycle]
- Lock GA feature-gate ConsistentHTTPGetHandlers to default (#122578, @carlory) [SIG Node]
- Migrate client-go/metadata to contextual logging (#122225, @ricardoapl) [SIG API Machinery]
- Migrated the cmd/kube-proxy to use contextual logging. (#122197, @fatsheep9146) [SIG Network]
- Remove GA featuregate RemoveSelfLink (#122468, @carlory) [SIG API Machinery]
- Remove GA featuregate about ExperimentalHostUserNamespaceDefaultingGate in 1.30 (#122088, @bzsuni) [SIG Node]
- Remove GA featuregate about IPTablesOwnershipCleanup in 1.30 (#122137, @bzsuni) [SIG Network]
- Removed generally available feature gate `ExpandedDNSConfig`. (#122086, @bzsuni) [SIG Network]
- Removed generally available feature gate `KubeletPodResourcesGetAllocatable`. (#122138, @ii2day) [SIG Node]
- Removed generally available feature gate `KubeletPodResources`. (#122139, @bzsuni) [SIG Node]
- Removed generally available feature gate `MinimizeIPTablesRestore`. (#122136, @ty-dc) [SIG Network]
- Removed generally available feature gate `ProxyTerminatingEndpoints`. (#122134, @ty-dc) [SIG Network]
- Removed the deprecated `azureFile` in-tree storage plugin (#122576, @carlory) [SIG API Machinery, Cloud Provider, Node and Storage]
- Setting `--cidr-allocator-type` to `CloudAllocator` for `kube-controller-manager` will be removed in a future release. Please switch to and explore the options available in your external cloud provider (#123011, @dims) [SIG API Machinery and Network]
- The GA feature-gate APISelfSubjectReview is removed, and the feature is unconditionally enabled. (#122032, @carlory) [SIG Auth and Testing]
- The feature gate `LegacyServiceAccountTokenTracking` (GA since 1.28) is now removed, since the feature is unconditionally enabled. (#122409, @Rei1010) [SIG Auth]
- The in-tree cloud provider for azure has now been removed. Please use the external cloud provider and CSI driver from https://github.com/kubernetes/cloud-provider-azure instead. (#122857, @nilo19) [SIG API Machinery, Cloud Provider, Instrumentation, Node and Testing]
- The in-tree cloud provider for vSphere has now been removed. Please use the external cloud provider and CSI driver from https://github.com/kubernetes/cloud-provider-vsphere instead. (#122937, @dims) [SIG API Machinery, Cloud Provider, Storage and Testing]
- Update kube-dns to v1.22.27 (#121736, @ty-dc) [SIG Cloud Provider]
- Updated cni-plugins to v1.4.0. (#122178, @saschagrunert) [SIG Cloud Provider, Node and Testing]
- Updated cri-tools to v1.29.0. (#122271, @saschagrunert) [SIG Cloud Provider]
- sigs.k8s.io/knftables: v0.0.14
- github.com/go-logr/logr: v1.3.0 → v1.4.1
- github.com/go-logr/zapr: v1.2.3 → v1.3.0
- github.com/onsi/ginkgo/v2: v2.13.0 → v2.15.0
- github.com/onsi/gomega: v1.29.0 → v1.31.0
- github.com/opencontainers/runc: v1.1.10 → v1.1.11
- go.uber.org/atomic: v1.10.0 → v1.7.0
- go.uber.org/goleak: v1.2.1 → v1.3.0
- go.uber.org/zap: v1.19.0 → v1.26.0
- golang.org/x/crypto: v0.14.0 → v0.16.0
- golang.org/x/mod: v0.12.0 → v0.14.0
- golang.org/x/net: v0.17.0 → v0.19.0
- golang.org/x/sync: v0.3.0 → v0.5.0
- golang.org/x/sys: v0.13.0 → v0.15.0
- golang.org/x/term: v0.13.0 → v0.15.0
- golang.org/x/text: v0.13.0 → v0.14.0
- golang.org/x/tools: v0.12.0 → v0.16.1
- k8s.io/klog/v2: v2.110.1 → v2.120.1
- k8s.io/kube-openapi: 2dd684a → 778a556
- github.com/Azure/azure-sdk-for-go: v68.0.0+incompatible
- github.com/Azure/go-autorest/autorest/adal: v0.9.23
- github.com/Azure/go-autorest/autorest/date: v0.3.0
- github.com/Azure/go-autorest/autorest/mocks: v0.4.2
- github.com/Azure/go-autorest/autorest/to: v0.4.0
- github.com/Azure/go-autorest/autorest/validation: v0.3.1
- github.com/Azure/go-autorest/autorest: v0.11.29
- github.com/Azure/go-autorest/logger: v0.2.1
- github.com/Azure/go-autorest/tracing: v0.6.0
- github.com/Azure/go-autorest: v14.2.0+incompatible
- github.com/a8m/tree: 10a5fd5
- github.com/benbjohnson/clock: v1.1.0
- github.com/danwinship/knftables: v0.0.13
- github.com/dnaeon/go-vcr: v1.2.0
- github.com/dougm/pretty: 2ee9d74
- github.com/gofrs/uuid: v4.4.0+incompatible
- github.com/rasky/go-xdr: 4930550
- github.com/rubiojr/go-vhd: 02e2102
- github.com/vmware/govmomi: v0.30.6
- github.com/vmware/vmw-guestinfo: 25eff15