Skip to content

Instantly share code, notes, and snippets.

@superbrothers

superbrothers/CHANGELOG-1.27.md

Created April 12, 2023 07:13
Show Gist options
  • Save superbrothers/d401e2aa3baa7f1f82d9a7e3e242d8da to your computer and use it in GitHub Desktop.
Save superbrothers/d401e2aa3baa7f1f82d9a7e3e242d8da to your computer and use it in GitHub Desktop.
Download ZIP
Raw
CHANGELOG-1.27.md

v1.27.0

Documentation

Downloads for v1.27.0

Source Code

filename sha512 hash
kubernetes.tar.gz 78dbb72f270ab70d0ad70d2da6727eed64bdc54a11892fd6c2157882865f93ab41fedf5fced2f3e71dc0eda5679d06884c262a7960277face4510eed30a3678e
kubernetes-src.tar.gz 4080d2452ff4fd316a823c1c495e7e9a39d364e24225020a91bf0bc0289c3ef90ade746ef5a05172d6e355af9014cbddf144ca71839ec65fc57f3eaf553fb7ab

Client Binaries

filename sha512 hash
kubernetes-client-darwin-amd64.tar.gz faa0e340f1829ba694326c6ff71f8527249af03d8d78f784289be4122b6ceb0829fa70ee1eab25f64bbb9f5972ae30f3cfdfefe617ce3360b2897d4f6259bd81
kubernetes-client-darwin-arm64.tar.gz 9c4fe911e41ab9c355d39b21d77372bd2a070cc376fdfceac362eb6cc3e8f616754cc61593ea140030a81961b40fa6344b7628d7a4edf7e6dcdef29711bbd064
kubernetes-client-linux-386.tar.gz ba522302624ac7b3a9e5c1a5c80857bdde4c47b44394dbfa8da597ee07b2e1975409e8eac514516329826f593fa82d143a03185ef3c30a97cb1f8011ffb96060
kubernetes-client-linux-amd64.tar.gz 3ea3b4a866815cc08f1897771d63bf4e4f75b481e1d70417e34581d079a58b647b077382a264224acb52e6a76474d6e92efd22a0d4f7fdfde0c244006beef76a
kubernetes-client-linux-arm.tar.gz 5fd69b567ab835b35b8156c66eec02ee109f731acf7d68250b05a1f43a56458be68654f95107cd28859b4b8e73d5f64c78aca2f4b1dc74fff3ca8d942c60d2db
kubernetes-client-linux-arm64.tar.gz f20e579ab71b1cdace22bec0a11314ec44534f0e7040a436c63eb18a47d839e070e5134917ef2b531fe7b8bfee12133fa14de4dac7c0ac7798b4d9fa5679f193
kubernetes-client-linux-ppc64le.tar.gz c56a2d021b1a99fde0871bbe8e71427b8c4f03847e2bf6cbf526a71f6d7d1060481bd0f00d7dce2bd8afa1c969e02422ac1a2283ab58facd3db43f0713c10212
kubernetes-client-linux-s390x.tar.gz 4ad879e2ab2b952cc0fdfcd738b6264db60b72174057947737ab07f40dd0c4c727fb042c24323be3accaf8fbc320973821c915fd1bb3c4ea8a22eb16c03ce4a3
kubernetes-client-windows-386.tar.gz befab85193ce017c647b391606d45d3626e71bf7ea6bbca7f955985e0f505a9c8ca27898ee41c4f3124b7a3788b4a4eab602994415b24b8b0bfc154b938c547e
kubernetes-client-windows-amd64.tar.gz 0fbba06f00713c32c74d9b62733dfb83a597e3a33ee62bfb3a93de7cd883c460a0c56f25cd1577dd7923ef73312788d9b805020297fcf784722783ac1890253f
kubernetes-client-windows-arm64.tar.gz b7edbb25dbbf5b0bd9839f93d43f08262cf5f6e138599c034da0ff402c763a0cff18c1e9b42631d250389ff6b865dec4aa35b577fac75a51e65c825ec8efe234

Server Binaries

filename sha512 hash
kubernetes-server-linux-amd64.tar.gz 9726ba173084adade1c1b0de014ccedc5dc5317a80076cbf20d15fdcd6296dd1e9efcf1b1349456757a5c186fa52293f60411397cb6c79765adff335391add9e
kubernetes-server-linux-arm64.tar.gz 657726cd4ae93a9696371717a280689af76c488586c49273086bef4e712228025c6e179c2a5c93b8a33640ac42347dd821053485659f9383dbb1b3e2a17f022c
kubernetes-server-linux-ppc64le.tar.gz 2ff2464453ca8ca2e9e4a024ad730c12fa506379b4a7bd749431fe64ddb13c2dccea05c37dba119799940eac2dc57635e9d70b908d1786a3cdc031a5b70504a5
kubernetes-server-linux-s390x.tar.gz 44ce8faa8710832593b656e3b053207e05def556ad821b8e08e0c2f33b73f280a455fbef933ea70e9efbe8a085ef7deb47139d4e9af43417d8242029a2b60c35

Node Binaries

filename sha512 hash
kubernetes-node-linux-amd64.tar.gz 812f5adfafe778200558678af6510f9f315f75b46f7bb4482e92b57d1bed08c4b7f236850bf8e4dcac7018879736d614fc482e3641da06c6f8d0554af4f4ef45
kubernetes-node-linux-arm64.tar.gz a5e353205a93ebaade50dfd652ee5623b28ee4f6fd8ca949fb2303d708468026ba66c10b70f1761f4099706baad8959993a9ec0053259b94b5f4793aeda27adb
kubernetes-node-linux-ppc64le.tar.gz b5dbcf8131bad7ef897c64ac482599ac3bedc99e5c211d189e0566543a13c89d0812d7a7b1e4e9655d8d884ee24dc553616c96cf74df19f4d2cce0ea552015ce
kubernetes-node-linux-s390x.tar.gz 81662d6e14a7500bf2714ae3c0b9070031ea5ef2628c84aaf2a8fe96fed07a52c3677babc74247160cb71ce1fc77b728f549f2c18dfc7dc6a65dfadb7ec17cd7
kubernetes-node-windows-amd64.tar.gz a8b1a53ba6ee416fb9939961d8290ae1f5e0c21117f1cd6cebbc9ba01cafa235730a2887fd91b92552d07eec78aeb65aefac92899eaf9b2f4f195c61f20d05d7

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name architectures
registry.k8s.io/conformance:v1.27.0 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.27.0 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.27.0 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.27.0 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.27.0 amd64, arm64, ppc64le, s390x

Changelog since v1.26.0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • 'The IPv6DualStack feature gate for external cloud providers was removed. (The feature became GA in 1.23 and the gate was removed for all other components several releases ago.) If you were still manually enabling it you must stop now.' (#116255, @danwinship) [sig/network,sig/api-machinery,sig/cloud-provider]
  • Give terminal phase correctly to all pods that will not be restarted.

In particular, assign Failed phase to pods which are deleted while pending. Also, assign a terminal phase (Succeeded or Failed, depending on the exit statuses of the pod containers) to pods which are deleted while running.

This fixes the issue for jobs using pod failure policy (with JobPodFailurePolicy and PodDisruptionConditions feature gates enabled) that their pods could get stuck in the pending phase when deleted.

Users who maintain controllers which relied on the fact that pods with RestartPolicy=Always never enter the Succeeded phase may need to adapt their controllers. This is because as a consequence of the change pods which use RestartPolicy=Always may end up in the Succeeded phase in two scenarios: pod deletion and graceful node shutdown. (#115331, @mimowo) [SIG Cloud Provider, Node and Testing] [sig/node,sig/testing,sig/cloud-provider]

Changes by Kind

Deprecation

  • Added a warning response when handling requests that set the deprecated spec.externalID field for a Node. (#115944, @SataQiu) [SIG Node] [sig/node]
  • Added warnings to the Services API. Kubernetes now warns for Services in the case of:
  • IPv4 addresses with leading zeros
  • IPv6 address in non-canonical format (RFC 5952) (#114505, @aojea) [sig/network]
  • Support for the alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io were deprecated since v1.19, now have been completely removed. The seccomp fields are no longer auto-populated when pods with seccomp annotations are created. Pods should use the corresponding pod or container securityContext.seccompProfile field instead. (#114947, @saschagrunert)
  • The SecurityContextDeny admission plugin is going deprecated and will be removed in future versions. (#115879, @mtardy) [sig/auth]

API Change

  • A fix in the resource.k8s.io/v1alpha1/ResourceClaim API avoids harmless (?) ".status.reservedFor: element 0: associative list without keys has an element that's a map type" errors in the apiserver. Validation now rejects the incorrect reuse of the same UID in different entries. (#115354, @pohly) [sig/api-machinery]
  • A terminating pod on a node that is not caused by preemption no longer prevents kube-scheduler from preempting pods on that node
  • Rename PreemptionByKubeScheduler to PreemptionByScheduler (#114623, @Huang-Wei) [sig/scheduling]
  • API: resource.k8s.io/v1alpha1.PodScheduling was renamed to resource.k8s.io/v1alpha2.PodSchedulingContext. (#116556, @pohly) [SIG API Machinery, Apps, Auth, CLI, Node, Scheduling and Testing] [sig/scheduling,sig/node,sig/api-machinery,sig/auth,sig/apps,sig/cli,sig/testing]
  • Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching the evaluation cost restrictions that already apply to CustomResourceDefinition. If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the admission check that was being performed is aborted; the failurePolicy for the ValidatingAdmissionPolicy determines the outcome. (#115747, @cici37) [sig/api-machinery]
  • Added auditAnnotations to ValidatingAdmissionPolicy, enabling CEL to be used to add audit annotations to request audit events. Added validationActions to ValidatingAdmissionPolicyBinding, enabling validation failures to be handled by any combination of the warn, audit and deny enforcement actions. (#115973, @jpbetz) [sig/api-machinery,sig/testing]
  • Added messageExpression field to ValidationRule. (#115969, @DangerOnTheRanger) [sig/node,sig/api-machinery,sig/auth,sig/cli,sig/instrumentation,sig/testing,sig/architecture,sig/cloud-provider]
  • Added messageExpression to ValidatingAdmissionPolicy, to set custom failure message via CEL expression. (#116397, @jiahuif) [SIG API Machinery] [sig/api-machinery]
  • Added a new IPAddress object kind
  • Added a new ClusterIP allocator. The new allocator removes previous Service CIDR block size limitations for IPv4, and limits IPv6 size to a /64 (#115075, @aojea) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Network and Testing] [sig/network,sig/api-machinery,sig/cluster-lifecycle,sig/auth,sig/apps,sig/cli,sig/testing]
  • Added a new alpha API: ClusterTrustBundle (certificates.k8s.io/v1alpha1). A ClusterTrustBundle may be used to distribute X.509 trust anchors to workloads within the cluster. (#113218, @ahmedtd) [SIG API Machinery, Auth and Testing] [sig/api-machinery,sig/auth,sig/testing]
  • Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via a authorizer variable with expressions. The new variable provides a builder that allows expressions such authorizer.group('').resource('pods').check('create').allowed(). (#116054, @jpbetz) [SIG API Machinery and Testing] [sig/api-machinery,sig/testing]
  • Added matchConditions field to ValidatingAdmissionPolicy and enabled support for CEL based custom match criteria. (#116350, @maxsmythe) [sig/api-machinery,sig/testing]
  • Added new option to the InterPodAffinity scheduler plugin to ignore existing podspreferred inter-pod affinities if the incoming pod has no preferred inter-pod affinities. This option can be used as an optimization for higher scheduling throughput (at the cost of an occasional pod being scheduled non-optimally/violating existing pods preferred inter-pod affinities). To enable this scheduler option, set theInterPodAffinityscheduler plugin argignorePreferredTermsOfExistingPods: true` (#114393, @danielvegamyhre) [sig/scheduling,sig/api-machinery]
  • Added the MatchConditions field to ValidatingWebhookConfiguration and MutatingWebhookConfiguration for the v1beta and v1 apis.

The AdmissionWebhookMatchConditions featuregate is now in Alpha (#116261, @ivelichkovich) [SIG API Machinery and Testing] [sig/api-machinery,sig/testing]

  • Added validation to ensure that if service.kubernetes.io/topology-aware-hints and service.kubernetes.io/topology-mode annotations are both set, they are set to the same value.Also Added deprecation warning if service.kubernetes.io/topology-aware-hints annotation is used. (#116612, @robscott) [sig/network,sig/apps,sig/testing]
  • Added warnings about workload resources (Pods, ReplicaSets, Deployments, Jobs, CronJobs, or ReplicationControllers) whose names are not valid DNS labels. (#114412, @thockin) [sig/api-machinery,sig/apps]
  • Adds feature gate NodeLogQuery which provides cluster administrators with a streaming view of logs using kubectl without them having to implement a client side reader or logging into the node. (#96120, @LorbusChris) [sig/node,sig/api-machinery,sig/apps,sig/windows,sig/cli,sig/testing]
  • Api: validation of a PodSpec now rejects invalid ResourceClaim and ResourceClaimTemplate names. For a pod, the name generated for the ResourceClaim when using a template also must be valid. (#116576, @pohly) [sig/apps]
  • Bump default API QPS limits for Kubelet. (#116121, @wojtek-t) [sig/node,sig/api-machinery]
  • Enabled the StatefulSetStartOrdinal feature gate in beta (#115260, @pwschuurman) [sig/api-machinery,sig/apps]
  • Enabled usage of kube-proxy, kube-scheduler and kubelet HTTP APIs for changing the logging verbosity at runtime for JSON output. (#114609, @pohly) [sig/api-machinery,sig/instrumentation,sig/testing,sig/architecture,sig/cloud-provider]
  • Encryption of API Server at rest configuration now allows the use of wildcards in the list of resources. For example, . can be used to encrypt all resources, including all current and future custom resources. (#115149, @nilekhc) [sig/api-machinery,sig/auth,sig/testing]
  • Extended the kubelet's PodResources API to include resources allocated in ResourceClaims via DynamicResourceAllocation. Additionally, added a new Get() method to query a specific pod for its resources. (#115847, @moshe010) [SIG Node] [sig/node]
  • Forbid to set matchLabelKeys when labelSelector is not set in topologySpreadConstraints (#116535, @denkensk) [sig/scheduling,sig/api-machinery,sig/apps]
  • GCE does not support LoadBalancer Services with ports with different protocols (TCP and UDP) (#115966, @aojea) [SIG Apps and Cloud Provider] [sig/apps,sig/cloud-provider]
  • GRPC probes are now a GA feature. GRPCContainerProbe feature gate was locked to default value and will be removed in v1.29. If you were setting this feature gate explicitly, please remove it now. (#116233, @SergeyKanzhelev) [sig/node,sig/api-machinery,sig/apps]
  • Graduated Kubelet Topology Manager to GA. (#116093, @swatisehgal) [sig/node,sig/api-machinery,sig/testing]
  • Graduated KubeletTracing to beta, which means that the feature gate is now enabled by default. (#115750, @saschagrunert) [sig/node,sig/instrumentation]
  • Graduated seccomp profile defaulting to GA.

Set the kubelet --seccomp-default flag or seccompDefault kubelet configuration field to true to make pods on that node default to using the RuntimeDefault seccomp profile.

Enabling seccomp for your workload can have a negative performance impact depending on the kernel and container runtime version in use.

Guidance for identifying and mitigating those issues is outlined in the Kubernetes seccomp tutorial. (#115719, @saschagrunert) [SIG API Machinery, Node, Storage and Testing] [sig/storage,sig/node,sig/api-machinery,sig/testing]

  • Graduated the container resource metrics feature on HPA to beta. (#116046, @sanposhiho) [sig/autoscaling]
  • Implemented API streaming for the watch-cache

When sendInitialEvents ListOption is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events. (#110960, @p0lyn0mial) [sig/api-machinery]

  • Introduced API for streaming.

Added SendInitialEvents field to the ListOptions. When the new option is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events. (#115402, @p0lyn0mial) [sig/api-machinery]

  • Introduced a breaking change to the resource.k8s.io API in its AllocationResult struct. This change allows a kubelet plugin for the DynamicResourceAllocation feature to service allocations from multiple resource driver controllers. (#116332, @klueska) [sig/scheduling,sig/node,sig/api-machinery,sig/apps,sig/cli,sig/testing]
  • Introduces new alpha functionality to the reflector, allowing user to enable API streaming.

To activate this feature, users can set the ENABLE_CLIENT_GO_WATCH_LIST_ALPHA environmental variable. It is important to note that the server must support streaming for this feature to function properly. If streaming is not supported by the server, the reflector will revert to the previous method of obtaining data through LIST/WATCH semantics. (#110772, @p0lyn0mial) [SIG API Machinery] [sig/api-machinery]

  • K8s.io/client-go/tools/record.EventBroadcaster: after Shutdown() is called, the broadcaster now gives up immediately after a failure to write an event to a sink. Previously it tried multiple times for 12 seconds in a goroutine. (#115514, @pohly) [SIG API Machinery] [sig/api-machinery]
  • K8s.io/component-base/logs: usage of the pflag values in a normal Go flag set led to panics when printing the help message (#114680, @pohly) [SIG Instrumentation] [sig/instrumentation]
  • Kubeadm: explicitly set priority for static pods with priorityClassName: system-node-critical (#114338, @champtar) [SIG Cluster Lifecycle] [sig/cluster-lifecycle]
  • Kubelet: a "maxParallelImagePulls" field can now be specified in the kubelet configuration file to control how many image pulls the kubelet can perform in parallel. (#115220, @ruiwen-zhao) [SIG API Machinery, Node and Scalability] [sig/scalability,sig/node,sig/api-machinery]
  • Kubelet: changed MemoryThrottlingFactor default value to 0.9 and formulas to calculate memory.high (#115371, @pacoxu) [sig/node,sig/api-machinery,sig/apps]
  • Kubernetes components that perform leader election now only support using Leases for this. (#114055, @aimuz) [sig/scheduling,sig/api-machinery,sig/cloud-provider]
  • Migrated the DaemonSet controller (within kube-controller-manager) to use contextual logging (#113622, @249043822) [sig/api-machinery,sig/apps,sig/instrumentation,sig/testing]
  • New service.kubernetes.io/topology-mode annotation has been introduced as a replacement for the service.kubernetes.io/topology-aware-hints annotation.
  • service.kubernetes.io/topology-aware-hints annotation has been deprecated.
  • kube-proxy now accepts any value that is not "disabled" for these annotations, enabling custom implementation-specific and/or future built-in heuristics to be used. (#116522, @robscott) [SIG Apps, Network and Testing] [sig/network,sig/apps,sig/testing]
  • Pods owned by a Job now uses the labels batch.kubernetes.io/job-name and batch.kubernetes.io/controller-uid. The legacy labels job-name and controller-uid are still added for compatibility. (#114930, @kannon92) [sig/apps]
  • Promoted CronJobTimeZone feature to GA (#115904, @soltysh) [sig/api-machinery,sig/apps]
  • Promoted SelfSubjectReview to Beta (#116274, @nabokihms) [SIG API Machinery, Auth, CLI and Testing] [sig/api-machinery,sig/auth,sig/cli,sig/testing]
  • Relaxed API validation to allow pod node selector to be mutable for gated pods (additions only, no deletions or mutations). (#116161, @danielvegamyhre) [sig/scheduling,sig/apps,sig/testing]
  • Remove kubernetes.io/grpc standard appProtocol (#116866, @LiorLieberman) [SIG API Machinery and Apps] [sig/api-machinery,sig/apps]
  • Remove deprecated --enable-taint-manager and --pod-eviction-timeout CLI (#115840, @atosatto) [sig/node,sig/api-machinery,sig/apps,sig/testing]
  • Removed support for the v1alpha1 kubeletplugin API of DynamicResourceManagement. All plugins must be updated to v1alpha2 in order to function properly. (#116558, @klueska) [sig/scheduling,sig/node,sig/api-machinery,sig/apps,sig/cli,sig/testing]
  • The API server now re-uses data encryption keys while the kms v2 plugin key ID is stable. Data encryption keys are still randomly generated on server start but an atomic counter is used to prevent nonce collisions. (#116155, @enj) [sig/api-machinery,sig/auth,sig/testing]
  • The PodDisruptionBudget spec.unhealthyPodEvictionPolicy field has graduated to beta and is enabled by default. On servers with the feature enabled, this field may be set to AlwaysAllow to always allow unhealthy pods covered by the PodDisruptionBudget to be evicted. (#115363, @ravisantoshgudimetla) [SIG Apps, Auth and Node] [sig/node,sig/auth,sig/apps]
  • The DownwardAPIHugePages kubelet feature graduated to stable / GA. (#115721, @saschagrunert) [SIG Apps and Node] [sig/node,sig/apps]
  • The following feature gates for volume expansion GA features have now been removed and must no longer be referenced in --feature-gates flags: ExpandCSIVolumes, ExpandInUsePersistentVolumes, ExpandPersistentVolumes (#113942, @mengjiao-liu) [sig/api-machinery,sig/apps,sig/testing]
  • The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 was modified from set to map, resolving an incompatibility with use of this schema in CustomResourceDefinitions and with server-side apply. (#114585, @JoelSpeed) [sig/api-machinery]
  • Updated API reference for Requests, specifying they must not exceed limits (#115434, @ehashman) [sig/node,sig/docs,sig/architecture]
  • Updated KMSv2 to beta (#115123, @aramase) [sig/api-machinery,sig/auth,sig/testing]
  • Updated: Redefine AppProtocol field description and add new standard values (#115433, @LiorLieberman) [SIG API Machinery, Apps and Network] [sig/network,sig/api-machinery,sig/apps]
  • /metrics/slis is now available for control plane components allowing you to scrape health check metrics. (#114997, @Richabanker) [sig/network,sig/scheduling,sig/storage,sig/node,sig/api-machinery,sig/cluster-lifecycle,sig/autoscaling,sig/auth,sig/apps,sig/cli,sig/instrumentation,sig/testing,sig/release,sig/architecture]
  • APIServerTracing feature gate is now enabled by default. Tracing in the API Server is still disabled by default, and requires a config file to enable. (#116144, @dashpole) [sig/api-machinery,sig/testing]
  • NodeResourceFit and NodeResourcesBalancedAllocation implement the PreScore extension point for a more performant calculation. (#115655, @tangwz) [sig/scheduling]
  • PodSchedulingReadiness is graduated to beta. (#115815, @Huang-Wei) [sig/scheduling,sig/api-machinery,sig/apps,sig/testing]
  • PodSpec.Container.Resources became mutable for CPU and memory resource types.
  • PodSpec.Container.ResizePolicy (new object) gives users control over how their containers are resized.
  • PodStatus.Resize status describes the state of a requested Pod resize.
  • PodStatus.ResourcesAllocated describes node resources allocated to Pod.
  • PodStatus.Resources describes node resources applied to running containers by CRI.
  • UpdateContainerResources CRI API now supports both Linux and Windows. (#102884, @vinaykul) [sig/scheduling,sig/node,sig/api-machinery,sig/apps,sig/instrumentation,sig/testing]
  • SELinuxMountReadWriteOncePod graduated to Beta. (#116425, @jsafrane) [sig/storage,sig/testing]
  • StatefulSetAutoDeletePVC feature gate promoted to beta. (#116501, @mattcary) [sig/auth,sig/apps,sig/testing]
  • StatefulSet names must be DNS labels, rather than subdomains. Any StatefulSet which took advantage of subdomain validation (by having dots in the name) can't possibly have worked, because we eventually set pod.spec.hostname from the StatefulSetName, and that is validated as a DNS label. (#114172, @thockin) [sig/apps]
  • ValidatingAdmissionPolicy now provides a status field that contains results of type checking the validation expression. The type checking is fully informational, and the behavior of the policy is unchanged. (#115668, @jiahuif) [sig/api-machinery,sig/auth,sig/testing,sig/cloud-provider]
  • cacheSize field in EncryptionConfiguration is not supported for KMSv2 provider (#113121, @aramase) [sig/api-machinery,sig/auth,sig/testing]
  • k8s.io/component-base/logs now also supports adding command line flags to a flag.FlagSet. (#114731, @pohly) [sig/architecture]
  • kubelet: migrated --container-runtime-endpoint and --image-service-endpoint to kubelet config (#112136, @pacoxu) [sig/scalability,sig/node,sig/api-machinery]
  • resource.k8s.io/v1alpha1 was replaced with resource.k8s.io/v1alpha2. Before upgrading a cluster, all objects in resource.k8s.io/v1alpha1 (ResourceClaim, ResourceClaimTemplate, ResourceClass, PodScheduling) must be deleted. The changes are internal, so YAML files which create pods and resource claims don't need changes except for the newer apiVersion. (#116299, @pohly) [sig/scheduling,sig/node,sig/api-machinery,sig/apps,sig/cli,sig/testing]
  • volumes: resource.claims is now cleared for PVC specs during create or update of a pod spec with inline PVC template or of a PVC because it has no effect. (#115928, @pohly) [sig/storage,sig/api-machinery,sig/apps]

Feature

  • A new client side metric rest_client_request_retries_total has been added that tracks the number of retries sent to the server, partitioned by status code, verb and host (#108396, @tkashem) [sig/api-machinery,sig/instrumentation,sig/architecture]
  • A new feature was enabled to improve the performance of the iptables mode of kube-proxy in large clusters. No action was required, however:
  1. If you experienced problems with Services not syncing to iptables correctly, you can disable the feature by passing --feature-gates=MinimizeIPTablesRestore=false to kube-proxy (and file a bug if this fixes it). (This might also be detected by seeing the value of kube-proxy's sync_proxy_rules_iptables_partial_restore_failures_total metric rising.)
  2. If you were previously overriding the kube-proxy configuration for performance reasons, this may no longer be necessary. See https://kubernetes.io/docs/reference/networking/virtual-ips/#optimizing-iptables-mode-performance. (#115138, @danwinship) [sig/network]
  • API validation relaxed allowing Indexed Jobs to be scaled up/down by changing parallelism and completions in tandem, such that parallelism == completions. (#115236, @danielvegamyhre) [SIG Apps and Testing] [sig/apps,sig/testing]
  • Added "general", "baseline", and "restricted" debugging profiles for kubectl debug. (#114280, @sding3) [SIG CLI] [sig/cli]
  • Added "netadmin" debugging profiles for kubectl debug. (#115712, @wedaly) [SIG CLI] [sig/cli]
  • Added --output plaintext-openapiv2 argument to kubectl explain to use old openapiv2 explain implementation. (#115480, @alexzielenski) [sig/node,sig/auth,sig/cli,sig/architecture,sig/cloud-provider]
  • Added NewVolumeManagerReconstruction feature gate and enabled it by default to enable updated discovery of mounted volumes during kubelet startup. Please watch for kubelet getting stuck at startup and / or not unmounting volumes from deleted Pods and report any issues in this area. (#115268, @jsafrane) [sig/storage,sig/node]
  • Added kubelet Topology Manager metrics to track admission requests processed and occured admission errors. (#115137, @swatisehgal) [sig/node,sig/testing]
  • Added apiserver_envelope_encryption_invalid_key_id_from_status_total to measure number of times an invalid keyID is returned by the Status RPC call. (#115846, @ritazh) [SIG API Machinery and Auth] [sig/api-machinery,sig/auth]
  • Added apiserver_envelope_encryption_kms_operations_latency_seconds metric to measure the KMSv2 grpc calls latency. (#115649, @aramase) [SIG API Machinery, Auth and Testing] [sig/api-machinery,sig/auth,sig/testing]
  • Added e2e test to node expand volume with secret (#115451, @zhucan) [sig/storage,sig/testing]
  • Added e2e tests for kubectl --subresource for beta graduation (#116590, @MadhavJivrajani) [sig/cli,sig/testing]
  • Added kubelet Topology Manager metric to measure topology manager admission latency. (#115590, @swatisehgal) [sig/node,sig/testing]
  • Added logging-format option to CCMs based on k8s.io/cloud-provider (#108984, @LittleFox94) [sig/instrumentation,sig/cloud-provider]
  • Added metrics for volume reconstruction during kubelet startup. (#115965, @jsafrane) [SIG Node and Storage] [sig/storage,sig/node]
  • Added new -f flag into debug command to be used passing pod or node files instead explicit names. (#111453, @ardaguclu) [sig/cli,sig/testing]
  • Added new feature gate ServiceNodePortStaticSubrange, to enable the new strategy in the NodePort Service port allocators, so the node port range is subdivided and dynamic allocated NodePort port for Services are allocated preferentially from the upper range. (#114418, @xuzhenglun) [sig/network]
  • Added scheduler preemption support for pods using ReadWriteOncePod PVCs (#114051, @chrishenzie) [sig/scheduling,sig/storage,sig/testing]
  • Added the applyconfiguration generator to the code-generator script that generates server-side apply configuration and client APIs (#114987, @astefanutti) [sig/api-machinery]
  • Added the ability to host webhooks in the cloud controller manager. (#108838, @nckturner) [sig/api-machinery,sig/testing,sig/cloud-provider]
  • Apiserver_storage_transformation_operations_total metric has been updated to include labels transformer_prefix and status. (#115394, @ritazh) [SIG API Machinery, Auth, Instrumentation and Testing] [sig/api-machinery,sig/auth,sig/instrumentation,sig/testing]
  • By enabling the UserNamespacesStatelessPodsSupport feature gate in kubelet, you can now run a stateless pod in a separate user namespace (#116377, @giuseppe) [SIG Apps, Node and Storage] [sig/storage,sig/node,sig/apps]
  • By enabling the alpha CloudNodeIPs feature gate in kubelet and the cloud provider, you can now specify a dual-stack --node-ip value (when using an external cloud provider that supports that functionality). (#116305, @danwinship) [SIG API Machinery, Cloud Provider, Network and Node] [sig/network,sig/node,sig/api-machinery,sig/cloud-provider]
  • Changed kubectl --subresource flag to beta (#116595, @MadhavJivrajani) [sig/cli]
  • Changed metrics for aggregated discovery to publish new time series (alpha). (#115630, @Jefftree) [SIG API Machinery and Testing] [sig/api-machinery,sig/testing]
  • Dynamic Resource Allocation framework can be used for network devices (#114364, @bart0sh) [SIG Node] [sig/node]
  • Enable external plugins can be used as subcommands for kubectl create command if subcommand does not exist as builtin only when KUBECTL_ENABLE_CMD_SHADOW environment variable is exported. (#116293, @ardaguclu) [sig/cli]
  • GRPC probes now set a linger option of 1s to improve the TIME-WAIT state. (#115321, @rphillips) [SIG Network and Node] [sig/network,sig/node]
  • Graduated CRI Events driven Pod LifeCycle Event Generator (Evented PLEG) to Beta (#115967, @harche) [sig/node]
  • Graduated matchLabelKeys in podTopologySpread to Beta (#116291, @denkensk) [sig/scheduling]
  • Graduated the CSINodeExpandSecret feature to Beta. This feature facilitates passing secrets to CSI driver as part of Node Expansion CSI operation. (#115621, @humblec) [sig/storage]
  • Graduated the LegacyServiceAccountTokenTracking feature gate to Beta. The usage of auto-generated secret-based service account token now produces warnings by default, and relevant Secrets are labeled with a last-used timestamp (label key kubernetes.io/legacy-token-last-used). (#114523, @zshihang) [SIG API Machinery and Auth] [sig/api-machinery,sig/auth]
  • HPA controller exposes the following metrics from the kube-controller-manager.
  • metric_computation_duration_seconds: Number of metric computations.
  • metric_computation_total: The time(seconds) that the HPA controller takes to calculate one metric. (#116326, @sanposhiho) [SIG Apps, Autoscaling and Instrumentation] [sig/autoscaling,sig/apps,sig/instrumentation]
  • HPA controller starts to expose metrics from the kube-controller-manager.n- reconciliations_total: Number of reconciliation of HPA controller. n- reconciliation_duration_seconds: The time(seconds) that the HPA controller takes to reconcile once. (#116010, @sanposhiho) [sig/autoscaling,sig/apps,sig/instrumentation]
  • Kube-up now includes CoreDNS version v1.9.3 (#114279, @pacoxu) [sig/cluster-lifecycle,sig/cloud-provider]
  • Kubeadm: added the experimental (alpha) feature gate EtcdLearnerMode that allows etcd members to be joined as learner and only then promoted as voting members (#113318, @pacoxu) [sig/cluster-lifecycle]
  • Kubectl will now display SeccompProfile for pods, containers and ephemeral containers, if values were set. (#113284, @williamyeh) [sig/cli,sig/security]
  • Kubectl: added e2e test for default container annotation (#115046, @pacoxu) [sig/cli,sig/testing,sig/architecture]
  • Kubelet TCP and HTTP probes are now more effective using networking resources: conntrack entries, sockets. This is achieved by reducing the TIME-WAIT state of the connection to 1 second, instead of the defaults 60 seconds. This allows kubelet to free the socket, and free conntrack entry and ephemeral port associated. (#115143, @aojea) [sig/network,sig/node]
  • Kubelet allows pods to use the net.ipv4.ip_local_reserved_ports sysctl by default and the minimal kernel version is 3.16; Pod Security admission allows this sysctl in v1.27+ versions of the baseline and restricted policies. (#115374, @pacoxu) [SIG Auth, Network and Node] [sig/network,sig/node,sig/auth]
  • Kubelet config file will be backed up to /etc/kubernetes/tmp/ folder with kubeadm-kubelet-config append with a random suffix as the filename (#114695, @chendave) [SIG Cluster Lifecycle] [sig/cluster-lifecycle]
  • Kubernetes is now built with Go 1.19.5 (#115010, @cpanato) [sig/testing,sig/release]
  • Kubernetes is now built with go 1.20 (#114502, @cpanato) [SIG Release and Testing] [sig/testing,sig/release]
  • Kubernetes is now built with go 1.20.1 (#115828, @cpanato) [SIG Release and Testing] [sig/testing,sig/release]
  • Kubernetes is now built with go 1.20.2 (#116404, @cpanato) [SIG Release and Testing] [sig/testing,sig/release]
  • Locked CSIMigrationvSphere feature gate. (#116610, @xing-yang) [sig/storage]
  • Made apiextensions-apiserver binary linking static (also affects the deb and rpm packages). (#114226, @saschagrunert) [sig/api-machinery,sig/release]
  • Made kube-aggregator binary linking static (also affects the deb and rpm packages). (#114227, @saschagrunert) [sig/api-machinery,sig/release]
  • Made kubectl-convert binary linking static (also affects the deb and rpm packages). (#114228, @saschagrunert) [sig/release]
  • Migrated controller helper functions to use contextual logging. (#115049, @fatsheep9146) [sig/apps]
  • Migrated the ResourceQuota controller (within kube-controller-manager) to use contextual logging. (#113315, @ncdc) [SIG API Machinery, Apps and Testing] [sig/api-machinery,sig/apps,sig/testing]
  • Migrated the StatefulSet controller (within kube-controller-manager) to use contextual logging (#113840, @249043822) [sig/api-machinery,sig/apps,sig/instrumentation,sig/testing]
  • Migrated the ClusterRole aggregation controller (within kube-controller-manager) to use contextual logging. (#113910, @mengjiao-liu) [sig/api-machinery,sig/apps,sig/instrumentation]
  • Migrated the Deployment controller (within kube-controller-manager) to use contextual logging (#113525, @249043822) [sig/api-machinery,sig/apps,sig/instrumentation,sig/testing]
  • Migrated the ReplicaSet controller (within kube-controller-manager) to use contextual logging. (#114871, @Namanl2001) [sig/api-machinery,sig/apps,sig/instrumentation,sig/testing]
  • Migrated the bootstrap signer controller and the token cleaner controller (within kube-controller-manager) to use contextual logging. (#113464, @mengjiao-liu) [SIG API Machinery, Apps and Instrumentation] [sig/api-machinery,sig/apps,sig/instrumentation]
  • Migrated the defaultbinder scheduler plugin to use contextual logging. (#116571, @mengjiao-liu) [SIG Instrumentation and Scheduling] [sig/scheduling,sig/instrumentation]
  • Migrated the main kube-controller-manager binary to use contextual logging. (#116529, @pohly) [sig/node,sig/api-machinery,sig/auth,sig/apps]
  • Migrated the namespace controller (within kube-controller-manager) to support contextual logging. (#113443, @yangjunmyfm192085) [sig/node,sig/api-machinery,sig/apps,sig/instrumentation,sig/testing]
  • Migrated the service-account controller (within kube-controller-manager) to use contextual logging. (#114918, @Namanl2001) [SIG API Machinery, Apps, Auth, Instrumentation and Testing] [sig/api-machinery,sig/auth,sig/apps,sig/instrumentation,sig/testing]
  • Migrated the volume attach/detach controller (within kube-controller-manager) to use contextual logging. Migrated the PersistentVolumeClaim protection controller (within kube-controller-manager) to use contextual logging. Migrated the PersistentVolume protection controller (within kube-controller-manager) to use contextual logging. (#113584, @yangjunmyfm192085) [sig/scheduling,sig/storage,sig/node,sig/api-machinery,sig/apps,sig/instrumentation,sig/testing]
  • Migrated the “TTL after finished” controller (within kube-controller-manager)to use contextual logging. (#113916, @songxiao-wang87) [sig/api-machinery,sig/apps,sig/instrumentation,sig/testing]
  • NONE (#113428, @mengjiao-liu) [sig/api-machinery,sig/apps,sig/instrumentation,sig/testing]
  • New plugin_evaluation_total is added to the scheduler.This metric counts how many times the specific plugin affects the scheduling result. The metric does not get incremented when the plugin has nothing to do with an incoming Pod. (#115082, @sanposhiho) [sig/scheduling,sig/instrumentation]
  • Node ipam controller now exposes metrics cidrset_cidrs_max_total and multicidrset_cidrs_max_total with information about the max number of CIDRs that can be allocated. (#112260, @aryan9600) [sig/network,sig/apps,sig/instrumentation]
  • Performance improvements in klog (#115277, @pohly) [sig/storage,sig/node,sig/api-machinery,sig/cluster-lifecycle,sig/auth,sig/cli,sig/instrumentation,sig/testing,sig/architecture,sig/cloud-provider]
  • Pod template schedulingGates are now mutable for Jobs that are suspended and have never been started (#115940, @ahg-g) [SIG Apps] [sig/apps]
  • Pods which have an invalid negative spec.terminationGracePeriodSeconds value will now be treated as having a terminationGracePeriodSeconds of 1 (#115606, @wzshiming) [sig/node,sig/apps,sig/testing]
  • Profiling can now be served on a unix-domain socket by using the --profiling-path option (when profiling is enabled) for security purposes. (#114191, @apelisse) [SIG API Machinery] [sig/api-machinery]
  • Promote aggregated discovery endpoint to beta and it will be enabled by default (#116108, @Jefftree) [sig/api-machinery]
  • Promoted OpenAPIV3 to GA (#116235, @Jefftree) [sig/api-machinery]
  • Promoted whoami kubectl command. (#116510, @nabokihms) [sig/auth,sig/cli]
  • Scheduler no longer runs the plugin's Filter method when its PreFilter method returned a Skip status. In other words, your PreFilter/Filter plugin can return a Skip status in PreFilter if the plugin does nothing in Filter for that Pod. Scheduler skips NodeAffinity Filter plugin when NodeAffinity Filter plugin has nothing to do with a Pod. It may affect some metrics values related to the NodeAffinity Filter plugin. (#114125, @sanposhiho) [sig/scheduling,sig/storage,sig/testing]
  • Scheduler now skips InterPodAffinity Filter plugin when InterPodAffinity Filter plugin has nothing to do with a Pod. It may affect some metrics values related to the InterPodAffinity Filter plugin. (#114889, @sanposhiho) [sig/scheduling,sig/testing]
  • Scheduler volumebinding: leveraged PreFilterResult to reduce down to only eligible node(s) for pod with bound claim(s) to local PersistentVolume(s) (#109877, @yibozhuang) [sig/scheduling,sig/storage,sig/testing]
  • Scheduling cycle now terminates immediately when any scheduler plugin returns an unschedulableAndUnresolvable status in PostFilter. (#114699, @kerthcet) [sig/scheduling,sig/testing]
  • Since Kubernetes v1.5, kubectl apply has had an alpha-stage --prune flag to support deleting previously applied objects that have been removed from the input manifest. This feature has remained in alpha ever since due to performance and correctness issues inherent in its design. This PR exposes a second, independent pruning alpha powered by a new standard named ApplySets. An ApplySet is a server-side object (by default, a Secret; ConfigMaps are also allowed) that kubectl can use to accurately and efficiently track set membership across apply operations. The format used for ApplySet is set out in KEP 3659 as a low-level specification. Other tools in the ecosystem can also build on this specification for improved interoperability. To try the ApplySet-based pruning alpha, set KUBECTL_APPLYSET=true and use the flags --prune --applyset=secret-name with kubectl apply. (#116205, @justinsb) [sig/cli]
  • Switched kubectl explain to use OpenAPIV3 information published by the server. OpenAPIV2 backend can still be used with the --output plaintext-openapiv2 argument (#116390, @alexzielenski) [SIG API Machinery, CLI and Testing] [sig/api-machinery,sig/cli,sig/testing]
  • The Pod API field .spec.schedulingGates[*].name now requires qualified names (like example.com/mygate), matching validation for names of .spec.readinessGates[*].name. Any uses of the alpha scheduling gate feature prior to 1.27 that do not match that validation must be renamed or deleted before upgrading to 1.27. (#115821, @lianghao208) [SIG Apps and Scheduling] [sig/scheduling,sig/apps]
  • The Scheduler did not run the plugin Score method when its PreScore method returned a Skip status. In other words, the PreScore/Score plugin could return a Skip status in PreScore if the plugin did nothing in Score for that Pod. (#115652, @AxeZhan) [sig/scheduling]
  • The AdvancedAuditing feature gate was locked to true in v1.27, and will be removed completely in v1.28 (#115163, @SataQiu) [SIG API Machinery] [sig/api-machinery]
  • The JobMutableNodeSchedulingDirectives feature gate has graduated to GA. (#116116, @ahg-g) [SIG Apps, Scheduling and Testing] [sig/scheduling,sig/apps,sig/testing]
  • The ReadWriteOncePod feature gate has been graduated to beta. (#114494, @chrishenzie) [sig/scheduling,sig/storage,sig/testing]
  • The bug which caused the status of Indexed Jobs to only update when new indexes were completed was fixed. Now, completed indexes are updated even if the .status.completedIndexes values are outside the [0, .spec.completions> range. (#115349, @danielvegamyhre) [sig/apps]
  • The go version defined in .go-version is now fetched when invoking test, build, and code generation targets if the current go version does not match it. Set $FORCE_HOST_GO=y while testing or building to skip this behavior, or set $GO_VERSION to override the selected go version. (#115377, @liggitt) [SIG Testing] [sig/testing]
  • The job controller back-off logic is now decoupled from workqueue. In case of parallelism > 1, if there are multiple new failures in a reconciliation cycle, all the failures are taken into account to compute the back-off. Previously, the back-off kicked in for all types of failures; with this change, only pod failures are taken into account. If the back-off limits exceeds, the job is marked as failed immediately; before this change, the job is marked as failed in the next back-off. (#114768, @sathyanarays) [SIG Apps and Testing] [sig/apps,sig/testing]
  • The mount-utils mounter now provides an option to limit the number of concurrent format operations. (#115379, @artemvmin) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage] [sig/network,sig/storage,sig/node,sig/api-machinery,sig/cluster-lifecycle,sig/auth,sig/cli,sig/instrumentation,sig/architecture,sig/cloud-provider]
  • The scheduler's metric plugin_execution_duration_seconds now records PreEnqueue plugins execution seconds. (#116201, @sanposhiho) [sig/scheduling]
  • Two changes to the /debug/api_priority_and_fairness/dump_priority_levels endpoint of API Priority and Fairness: added total number of dispatched, timed-out, rejected and cancelled requests; output now sorted by PriorityLevelName. (#112393, @borgerli) [sig/api-machinery]
  • Unlocked the CSIMigrationvSphere feature gate. The change allow users to continue using the in-tree vSphere driver,pending a vSphere CSI driver release that has with GA support for Windows, XFS, and raw block access. (#116342, @msau42) [SIG Storage] [sig/storage]
  • Updated cAdvisor to v0.47.0 (#114883, @bobbypage) [sig/storage,sig/node,sig/cluster-lifecycle,sig/auth,sig/cli,sig/instrumentation,sig/architecture,sig/cloud-provider]
  • Updated kube-apiserver SLO/SLI latency metrics to exclude priority & fairness queue wait times (#116420, @andrewsykim) [sig/api-machinery]
  • Updated distroless iptables to use released image registry.k8s.io/build-image/distroless-iptables:v0.2.2
  • Updated setcap to use released image registry.k8s.io/build-image/setcap:bullseye-v1.4.2 (#116509, @cpanato) [SIG Testing] [sig/testing]
  • Updated distroless iptables to use released image registry.k8s.io/distroless-iptables:v0.2.1 (#115905, @cpanato) [SIG Testing] [sig/testing]
  • Upgrades functionality of kubectl kustomize as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.0.0 and https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.0.1.

This is a new major release of kustomize, so there are a few backwards-incompatible changes, most of which are rare use cases, bug fixes with side effects, or things that have been deprecated for multiple releases already:

  • kubernetes-sigs/kustomize#4911: Drop support for a very old, legacy style of patches. patches used to be allowed to be used as an alias for patchesStrategicMerge in kustomize v3. You now have to use patchesStrategicMerge explicitly, or update to the new syntax supported by patches. See examples in the PR description of kubernetes-sigs/kustomize#4911.
  • kubernetes-sigs/kustomize#4731: Remove a potential build-time side-effect in ConfigMapGenerator and SecretGenerator, which loaded values from the local environment under some circumstances, breaking kustomize build's side-effect-free promise. While this behavior was never intended, we deprecated it and are announcing it as a breaking change since it existed for a long time. See also the Eschewed Features documentation.
  • kubernetes-sigs/kustomize#4985: If you previously included .git in an AWS or Azure URL, we will no longer automatically remove that suffix. You may need to add an extra / to replace the .git for the URL to properly resolve.
  • kubernetes-sigs/kustomize#4954: Drop support for using gh: as a host (e.g. gh:kubernetes-sigs/kustomize). We were unable to find any usage of or basis for this and believe it may have been targeting a custom gitconfig shorthand syntax. (#116598, @natasha41575) [SIG CLI] [sig/cli]
  • When an unsupported PodDisruptionBudget configuration is found, an event and log will be emitted to inform users of the misconfiguration. (#115861, @JayKayy) [SIG Apps] [sig/apps]
  • [E2E] Pods spawned by E2E tests can now pull images from the private registry using the new --e2e-docker-config-file flag (#114625, @Divya063) [SIG Node and Testing] [sig/node,sig/testing]
  • [alpha: kubectl apply --prune --applyset] Enabled certain custom resources (CRs) to be used as ApplySet parent objects. To enable this for a given CR, apply the label applyset.kubernetes.io/is-parent-type: true to the CustomResourceDefinition (CRD) that defines it. (#116353, @KnVerey) [sig/cli]
  • Kubelet no longer creates certain legacy iptables rules by default. It is possible that this will cause problems with some third-party components that improperly depended on those rules. If this affects you, you can run kubelet with --feature-gates=IPTablesOwnershipCleanup=false, but a bug should also be filed against the third-party component. (#114472, @danwinship) [sig/network]
  • MinDomainsInPodTopologySpread feature gate is enabled by default as a Beta feature in 1.27. (#114445, @mengjiao-liu) [sig/scheduling]
  • Secret of kubernetes.io/tls type now verifies that the private key matches the cert (#113581, @aimuz) [sig/apps]
  • StorageVersionGC (within kube-controller-manager) to use contextual logging. (#113986, @songxiao-wang87) [sig/api-machinery,sig/apps,sig/testing]
  • client-go: sharedInformerFactory now waits for goroutines during shutdown for metadatainformer and dynamicinformer. (#114434, @howardjohn) [sig/api-machinery]
  • kube-proxy now accepts the ContextualLogging, LoggingAlphaOptions, LoggingBetaOptions (#115233, @pohly) [sig/network,sig/instrumentation]
  • kube-scheduler: Optimized implementation of null labelSelector in topology spreading. (#116607, @alculquicondor) [sig/scheduling]
  • kubeadm: now shows a warning message when detecting that the sandbox image of the container runtime is inconsistent with that used by kubeadm (#115610, @SataQiu) [sig/cluster-lifecycle]
  • kubectl now uses HorizontalPodAutoscaler v2 by default. (#114886, @a7i) [sig/cli]
  • Kubernetes is now built with Go 1.20.3 (#117125, @xmudrii) [SIG Release and Testing] [sig/testing,sig/release]
  • Updated distroless iptables to use released image registry.k8s.io/build-image/distroless-iptables:v0.2.3 (#117126, @xmudrii) [SIG Testing] [sig/testing]

Documentation

  • Documented the reason field in CRI API to ensure it equals OOMKilled for the containers terminated by OOM killer (#112977, @mimowo) [sig/node]
  • Error message for Pods with requests exceeding limits will have a limit value printed. (#112925, @SergeyKanzhelev) [sig/node,sig/apps]
  • The change affects the following CLI command:

kubectl create rolebinding -h (#107124, @ptux) [SIG CLI] [sig/cli]

Failing Test

  • Deflaked a preemption test that may patch Nodes incorrectly. (#114350, @Huang-Wei) [sig/scheduling,sig/testing]
  • Fixed panic in vSphere e2e tests. (#115863, @jsafrane) [SIG Storage and Testing] [sig/storage,sig/testing]
  • Setting the Kubelet config option --resolv-conf=Host on Windows will now result in Kubelet applying the Pod DNS Policies as intended. (#110566, @claudiubelu) [sig/network,sig/node,sig/windows,sig/testing]

Bug or Regression

  • Added (dry run) and (server dry run) suffixes to kubectl scale command when dry-run is passed (#114252, @ardaguclu) [sig/cli,sig/testing]
  • Applied configurations can be generated for types with non-builtin map fields (#114920, @astefanutti) [sig/api-machinery]
  • Changed the error message of kubectl rollout restart when subsequent kubectl rollout restart commands are executed within a second (#113040, @ardaguclu) [sig/cli]
  • Changed the error message to cannot exec into multiple objects at a time when file passed to kubectl exec contains multiple resources (#114249, @ardaguclu) [sig/cli,sig/testing]
  • Client-go: fixed potential data races retrying requests using a custom io.Reader body; with this fix, only requests with no body or with string / []byte / runtime.Object bodies can be retried (#113933, @liggitt) [sig/api-machinery]
  • Describing the CRs will now hide .metadata.managedFields (#114584, @soltysh) [sig/cli]
  • Discovery document will correctly return the resources for aggregated apiservers that do not implement aggregated disovery (#115770, @Jefftree) [sig/api-machinery]
  • Excluded preemptor pod metadata in the event message (#114923, @mimowo) [sig/scheduling]
  • Expanded the partial fix for kubernetes/kubernetes#111539 which was already started in kubernetes/kubernetes#109706 Specifically, we will now reduce the amount of syncs for ETP=local services even further in the CCM and avoid re-configuring LBs to an even greater extent. (#111658, @alexanderConstantinescu) [sig/network,sig/cloud-provider]
  • File content check for IPV4 is now enabled by default, and the check of IPV4 or IPV6 is done for kubeadm init or kubeadm join only in case the user intends to create a cluster to support that kind of IP address family (#115420, @chendave) [sig/network,sig/cluster-lifecycle]
  • Fixed CSI PersistentVolumes to allow Secrets names longer than 63 characters. (#114776, @jsafrane) [sig/apps]
  • Fixed Route controller to update routes when NodeIP changes (#108095, @lzhecheng) [sig/network,sig/cloud-provider]
  • Fixed DaemonSet to update the status even if it fails to create a pod. (#113787, @gjkim42) [sig/apps,sig/testing]
  • Fixed SELinux label for host path volumes created by host path provisioner (#112021, @mrunalp) [sig/storage,sig/node]
  • Fixed StatefulSetAutoDeletePVC feature when OwnerReferencesPermissionEnforcement admission plugin is enabled. (#114116, @jsafrane) [sig/storage,sig/auth,sig/apps]
  • Fixed a bug on the EndpointSlice mirroring controller that generated multiple slices in some cases for custom endpoints in non canonical format. (#114155, @aojea) [sig/network,sig/apps,sig/testing]
  • Fixed a bug that caused the apiserver to panic when trying to allocate a Service with a dynamic ClusterIP and was configured with Service CIDRs with a /28 mask for IPv4 and a /124 mask for IPv6 (#115322, @aojea) [sig/testing]
  • Fixed a bug where Kubernetes would apply a default StorageClass to a PersistentVolumeClaim, even when the deprecated annotation volume.beta.kubernetes.io/storage-class was set. (#116089, @cvvz) [SIG Apps and Storage] [sig/storage,sig/apps]
  • Fixed a bug where events/v1 Events with similar event type and reporting instance were not aggregated by client-go. (#112365, @dgrisonnet) [sig/api-machinery,sig/instrumentation]
  • Fixed a bug where when emitting similar Events consecutively, some were rejected by the apiserver. (#114237, @dgrisonnet) [sig/api-machinery]
  • Fixed a data race when emitting similar Events consecutively (#114236, @dgrisonnet) [sig/api-machinery]
  • Fixed a log line in scheduler that inaccurately implies that volume binding has finalized (#116018, @TommyStarK) [sig/scheduling,sig/storage]
  • Fixed a rare race condition in kube-apiserver that could lead to missing events when a watch API request was created at the same time kube-apiserver was re-initializing its internal watch. (#116172, @wojtek-t) [sig/api-machinery]
  • Fixed a regression in the pod binding subresource to honor the metadata.uid precondition. This allows kube-scheduler to ensure it is assigns node names to the same instances of pods it made scheduling decisions for. (#116550, @alculquicondor) [sig/api-machinery,sig/testing]
  • Fixed a regression that the scheduler always goes through all Filter plugins. (#114518, @Huang-Wei) [sig/scheduling]
  • Fixed an EndpointSlice Controller hashing bug that could cause EndpointSlices to incorrectly handle Pods with duplicate IP addresses. For example this could happen when a new Pod reused an IP that was also assigned to a Pod in a completed state. (#115907, @qinqon) [SIG Apps and Network] [sig/network,sig/apps]
  • Fixed an issue where a CSI migrated volume may be prematurely detached when the CSI driver is not running on the node. If CSI migration is enabled on the node, even the csi-driver is not up and ready, we will still add this volume to DSW. (#115464, @sunnylovestiramisu) [sig/storage,sig/apps]
  • Fixed an issue where failed pods associated with a job with parallelism = 1 are recreated by the job controller honoring exponential backoff delay again. However, for jobs with parallelism > 1, pods might be created without exponential backoff delay. (#114516, @nikhita) [sig/apps,sig/testing]
  • Fixed an issue with Winkernel Proxier - ClusterIP Loadbalancers missing if the ExternalTrafficPolicy is set to Local and the available endpoints are all remoteEndpoints. (#115919, @princepereira) [sig/network,sig/windows]
  • Fixed bug in CRD Validation Rules (beta) and ValidatingAdmissionPolicy (alpha) where all admission requests could result in internal error: runtime error: index out of range [3] with length 3 evaluating rule: <rule name> under certain circumstances. (#114857, @jpbetz) [sig/api-machinery,sig/auth,sig/cloud-provider]
  • Fixed bug in beta aggregated discovery endpoint which caused CRD discovery information to be temporarily missing when an Aggregated APIService with the same GroupVersion is deleted (and vice versa). (#116770, @alexzielenski) [sig/api-machinery,sig/testing]
  • Fixed bug in reflector that couldn't recover from Too large resource version errors with API servers before 1.17.0. (#115093, @xuzhenglun) [sig/api-machinery]
  • Fixed clearing of rate-limiter for the queue of checks for cleaning stale pod disruption conditions. The bug could result in the PDB synchronization updates firing too often or the pod disruption cleanups taking too long to happen. (#114770, @mimowo) [sig/apps]
  • Fixed data race in kube-scheduler when preemption races with a Pod update. (#116395, @alculquicondor) [SIG Scheduling] [sig/scheduling]
  • Fixed file permission issues that happened during update of Secret/ConfigMap/projected volume when fsGroup is used. The problem caused a race condition where application gets intermittent permission denied error when reading files that were just updated, before the correct permissions were applied. (#114464, @tsaarni) [sig/storage]
  • Fixed incorrect watch events when a watch is initialized simultanously with a reinitializing watchcache. (#116436, @wojtek-t) [sig/api-machinery]
  • Fixed issue in Winkernel Proxier - Unexpected active TCP connection drops while horizontally scaling the endpoints for a LoadBalancer Service with Internal Traffic Policy: Local (#113742, @princepereira) [sig/network,sig/windows]
  • Fixed issue on Windows when calculating cpu limits on nodes with more than 64 logical processors (#114231, @mweibel) [sig/node,sig/windows]
  • Fixed issue with Winkernel Proxier - IPV6 load balancer policies were missing when service was configured with ipFamilyPolicy: RequireDualStack (#115503, @princepereira) [sig/network,sig/windows]
  • Fixed issue with Winkernel Proxier - IPV6 load balancer policies were missing when service was configured with ipFamilyPolicy: RequireDualStack (#115577, @princepereira) [sig/network,sig/windows]
  • Fixed issue with Winkernel Proxier - No ingress load balancer rules with endpoints to support load balancing when all the endpoints are terminating. (#113776, @princepereira) [sig/network,sig/windows,sig/testing]
  • Fixed missing delete events on informer re-lists to ensure all delete events were correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#115620, @odinuge) [sig/api-machinery]
  • Fixed nil pointer error in NodeVolumeLimits csi logging (#115179, @sunnylovestiramisu) [sig/scheduling]
  • Fixed panic validating custom resource definition schemas that set multipleOf to 0 (#114869, @liggitt) [sig/storage,sig/node,sig/api-machinery,sig/cluster-lifecycle,sig/auth,sig/cli,sig/instrumentation,sig/architecture,sig/cloud-provider]
  • Fixed performance regression in scheduler caused by frequent metric lookup on critical code path. (#116428, @mborsz) [SIG Scheduling] [sig/scheduling]
  • Fixed stuck apiserver if an aggregated apiservice returned 304 Not Modified for aggregated discovery information (#114459, @alexzielenski) [sig/api-machinery]
  • Fixed the problem Pod terminating stuck because of trying to umount not actual mounted dir. (#115769, @mochizuki875) [sig/storage,sig/node]
  • Fixed the regression that introduced 34s timeout for DELETECOLLECTION calls (#115341, @tkashem) [sig/api-machinery]
  • Fixed two regressions introduced by the PodDisruptionConditions feature (on by default in 1.26):
  • pod eviction API calls returned spurious precondition errors and required a second evict API call to succeed
  • dry-run eviction API calls persisted a DisruptionTarget condition into the pod being evicted (#116554, @atiratree) [sig/api-machinery,sig/testing]
  • Fixes #115825. Kube-proxy will now include the healthz state in its response to the LB HC as to avoid indicating to the LB that it should use the node in question when Kube-proxy is not healthy. (#111661, @alexanderConstantinescu) [SIG Network] [sig/network,sig/network]
  • Flag --concurrent-node-syncs has been added to cloud node controller which defines how many workers in parallel will be initialising and synchronising nodes. (#113104, @pawbana) [SIG API Machinery, Cloud Provider and Scalability] [sig/scalability,sig/api-machinery,sig/cloud-provider]
  • Force deleted pods may fail to terminate until the kubelet is restarted when the container runtime returns an error during termination. We have strengthened testing for runtime failures and now perform a more rigorous reconciliation to ensure static pods (especially those that use fixed UIDs) are restarted. As a side effect of these changes static pods will be restarted with lower latency than before (2s vs 4s, on average) and rapid updates to pod configuration should take effect sooner.

A new metric kubelet_known_pods has been added at ALPHA stability to report the number of pods a Kubelet is tracking in a number of internal states. Operators may use the metrics to track an excess of pods in the orphaned state that may not be completing. (#113145, @smarterclayton) [SIG API Machinery, Auth, Cloud Provider, Node and Testing] [sig/node,sig/api-machinery,sig/auth,sig/testing,sig/cloud-provider]

  • From now on, the HPA controller will return an error for the container resource metrics when the feature gate HPAContainerMetrics is disabled. As a result, HPA with a container resource metric performs no scale-down and performs only. (#116043, @sanposhiho) [sig/api-machinery,sig/autoscaling,sig/apps]
  • IPVS: Any ipvs scheduler can now be configured. If a un-usable scheduler is configured kube-proxy will re-start and the logs must be checked (same as before but different log printouts). (#114878, @uablrek) [sig/network]
  • If a user attempts to add an ephemeral container to a static pod, they will now get a visible validation error. (#114086, @xmcqueen) [sig/node,sig/apps]
  • Ingress with ingressClass annotation and IngressClassName both set can be created now. (#115447, @AxeZhan) [sig/network]
  • Kube-apiserver: errors decoding objects in etcd are now recorded in an apiserver_storage_decode_errors_total counter metric (#114376, @baomingwang) [SIG API Machinery and Instrumentation] [sig/api-machinery,sig/instrumentation]
  • Kube-apiserver: regular expressions specified with the --cors-allowed-origins option are now validated to match the entire hostname inside the Origin header of the request and must contain '^' or the '//' prefix to anchor to the start, and '$' or the port separator ':' to anchor to the end. (#112809, @tkashem) [SIG API Machinery] [sig/api-machinery]
  • Kube-apiserver: removed N^2 behavior loading webhook configurations. (#114794, @lavalamp) [SIG API Machinery, Architecture, CLI, Cloud Provider and Node] [sig/node,sig/api-machinery,sig/cli,sig/architecture,sig/cloud-provider]
  • Kubeadm: fixed an etcd learner-mode bug by preparing an etcd static pod manifest before promoting (#115038, @tobiasgiese) [sig/cluster-lifecycle]
  • Kubeadm: fixed the bug where kubeadm always does CRI detection even if it is not required by a phase subcommand (#114455, @SataQiu) [sig/cluster-lifecycle]
  • Kubeadm: improved retries when updating node information, in case kube-apiserver is temporarily unavailable (#114176, @QuantumEnergyE) [sig/cluster-lifecycle]
  • Kubeadm: modified --configflag from required to optional forkubeadm kubeconfig user` command (#116074, @SataQiu) [sig/cluster-lifecycle]
  • Kubectl: enabled usage of label selector for filtering out resources when pruning for kubectl diff (#114863, @danlenar) [sig/cli,sig/testing]
  • Kubelet startup now fails CRI connection if service or image endpoint is throwing any error (#115102, @saschagrunert) [sig/node]
  • Kubelet: fix recording issue when pulling image did finish (#114904, @TommyStarK) [SIG Node] [sig/node]
  • Kubelet: fixed a bug in kubeletthat stopped rendering theConfigMapswhenfsquota` monitoring is enabled (#112624, @pacoxu) [sig/storage,sig/node]
  • Messages of DisruptionTarget condition now excludes preemptor pod metadata (#114914, @mimowo) [sig/scheduling]
  • Optimized LoadBalancer creation with the help of attribute Internal Traffic Policy: Local (#114407, @princepereira) [sig/network]
  • PVCs will automatically be recreated if they are missing for a pending Pod. (#113270, @rrangith) [SIG Apps and Testing] [sig/apps,sig/testing]
  • PersistentVolume API objects which set NodeAffinities using beta Kubernetes labels for OS, architecture, zone, region, and instance type may now be modified to use the stable Kubernetes labels. (#115391, @haoruan) [sig/storage,sig/apps]
  • Potentially breaking change - Updating the polling interval for Windows stats collection from 1 second to 10 seconds (#116546, @marosset) [SIG Node and Windows] [sig/node,sig/windows]
  • Relaxed API validation for usage key encipherment and kubelet uses requested usages accordingly (#111660, @pacoxu) [sig/node,sig/api-machinery,sig/auth,sig/apps]
  • Removed scheduler names from preemption event messages. (#114980, @mimowo) [sig/scheduling]
  • Shared informers now correctly propagate whether they are synced or not. Individual informer handlers may now check if they are synced or not (new HasSynced method). Library support is added to assist controllers in tracking whether their own work is completed for items in the initial list (AsyncTracker). (#113985, @lavalamp) [sig/network,sig/node,sig/api-machinery,sig/auth,sig/apps,sig/testing]
  • The Kubernetes API server now correctly detects and closes existing TLS connections when its client certificate file for kubelet authentication has been rotated. (#115315, @enj) [SIG API Machinery, Auth, Node and Testing] [sig/node,sig/api-machinery,sig/auth,sig/testing]
  • Total test spec is now available by ProgressReporter, it will be reported before test suite got executed. (#114417, @chendave) [sig/node,sig/auth,sig/cli,sig/instrumentation,sig/testing,sig/architecture,sig/cloud-provider]
  • Updated the Event series starting count when emitting isomorphic events from 1 to 2. (#112334, @dgrisonnet) [sig/api-machinery,sig/testing]
  • When GCing pods, kube-controller-manager will delete Evicted pods first. (#116167, @borgerli) [sig/apps]
  • When describing deployments, OldReplicaSets now always shows all replicasets controlled the deployment, not just those that still have replicas available. (#113083, @llorllale) [SIG CLI] [sig/cli]
  • Windows CPU usage node stats are now correctly calculated for nodes with multiple Processor Groups. (#110864, @claudiubelu) [SIG Node, Testing and Windows] [sig/node,sig/windows,sig/testing]
  • LabelSelectors specified in topologySpreadConstraints were validated to ensure that pods are scheduled as expected. Existing pods with invalid LabelSelectors could be updated, but new pods were required to specify valid LabelSelectors. (#111802, @maaoBit) [sig/apps]
  • PodGC for pods which are in terminal phase now do not add the DisruptionTarget condition. (#115056, @mimowo) [sig/apps,sig/testing]
  • Service of type ExternalName do not create an Endpoint anymore. (#114814, @panslava) [sig/network,sig/apps,sig/testing]
  • cacher: If ResourceVersion is unset, the watch is now served from the underlying storage as documented. (#115096, @MadhavJivrajani) [sig/api-machinery]
  • client-go: fixed the wait time for trying to acquire the leader lease (#114872, @Iceber) [sig/api-machinery]
  • etcd: Updated to v3.5.7 (#115310, @mzaian) [sig/api-machinery,sig/cluster-lifecycle,sig/testing,sig/cloud-provider]
  • golang.org/x/net updated to v0.7.0 to fix CVE-2022-41723 (#115786, @liggitt) [sig/storage,sig/node,sig/api-machinery,sig/cluster-lifecycle,sig/auth,sig/cli,sig/instrumentation,sig/architecture,sig/cloud-provider]
  • kube-controller-manager will not run nodeipam controller when allocator type is CloudAllocator and the cloud provider is not enabled. (#114596, @andrewsykim) [sig/cloud-provider]
  • kube-controller-manager: fixed a bug that the kubeconfig field of kubecontrollermanager.config.k8s.io configuration is not populated correctly (#116219, @SataQiu) [sig/api-machinery,sig/cloud-provider]
  • kube-proxy with --proxy-mode=ipvs can be used with statically linked kernels. The reseved IPv4 range TEST-NET-2 in rfc5737 MUST NOT be used for ClusterIP or loadBalancerIP since address 198.51.100.0 is used for probing. (#114669, @uablrek) [sig/network]
  • kubeadm: fixed a bug where the uploaded kubelet configuration in kube-system/kubelet-config ConfigMap does not respect user patch (#115575, @SataQiu) [sig/cluster-lifecycle]
  • kubeadm: now respects user provided kubeconfig during discovery process (#113998, @SataQiu) [sig/cluster-lifecycle]
  • kubectl port-forward now exits with exit code 1 when remote connection is lost (#114460, @brianpursley) [sig/api-machinery]
  • nodeName being set along with non-empty schedulingGates is now enforced. (#115569, @Huang-Wei) [sig/scheduling,sig/apps]
  • node_stage_path is now set whenever available for expansion during mount (#115346, @gnufied) [sig/storage,sig/testing]
  • statefulset status will now be consistent on API errors (#113834, @atiratree) [sig/apps]
  • tryUnmount now respects mounter.withSafeNotMountedBehavior (#114736, @andyzhangx) [sig/storage]
  • The encryption response from KMS v2 plugins is now validated earlier at DEK generation time instead of waiting until an encryption is performed. (#116877, @enj) [SIG API Machinery and Auth] [sig/api-machinery,sig/auth]
  • Recreate DaemonSet pods completed with Succeeded phase (#117073, @mimowo) [SIG Apps and Testing] [sig/apps,sig/testing]

Other (Cleanup or Flake)

  • Added basic Denial Of Service prevention for the the node-local kubelet podresource API (#116459, @ffromani) [SIG Node and Testing] [sig/node,sig/testing]
  • Callers of wait.ExponentialBackoffWithContext now must pass a ConditionWithContextFunc to be consistent with the signature and avoid creating a duplicate context. If your condition does not need a context you can use the ConditionFunc.WithContext() helper to ignore the context, or use ExponentialBackoff directly. (#115113, @smarterclayton) [sig/storage,sig/api-machinery,sig/testing]
  • Changed docs for --contention-profiling flag to reflect it performed block profiling (#114490, @MadhavJivrajani) [sig/scheduling,sig/node,sig/api-machinery,sig/docs,sig/cloud-provider]
  • E2e framework: added --report-complete-ginkgo and --report-complete-junit parameters. They work like ginkgo --json-report <report dir>/ginkgo/report.json --junit-report <report dir>/ginkgo/report.xml. (#115678, @pohly) [SIG Testing] [sig/testing]
  • Fixed incorrect log information in the iptables utility. (#110723, @yangjunmyfm192085) [sig/network]
  • Improved FormatMap: Improves performance by about 4x, or nearly 2x in the worst case (#112661, @aimuz) [SIG Node] [sig/node]
  • Improved misleading message, in case of no metrics received for the HPA controlled pods. (#114740, @kushagra98) [sig/autoscaling,sig/apps]
  • Introduced new metrics removing the redundant subsystem in kube-apiserver pod logs metrics and deprecate the original ones:
  • kube_apiserver_pod_logs_pods_logs_backend_tls_failure_total becomes kube_apiserver_pod_logs_backend_tls_failure_total
  • kube_apiserver_pod_logs_pods_logs_insecure_backend_total becomes kube_apiserver_pod_logs_insecure_backend_total (#114497, @dgrisonnet) [sig/api-machinery]
  • Kubeadm: removed the deprecated v1beta2 API. kubeadm 1.26's config migrate command can be used to migrate a v1beta2 configuration file to v1beta3 (#114540, @pacoxu) [sig/cluster-lifecycle]
  • Kubelet: remove deprecated flag --container-runtime (#114017, @calvin0327) [SIG Cloud Provider and Node] [sig/node,sig/cloud-provider]
  • Kubelet: the deprecated --master-service-namespace flag is removed in v1.27 (#116015, @SataQiu) [sig/node]
  • Linux/arm will not ship in Kubernetes 1.27 as we are running into issues with building artifacts using golang 1.20.2 (please see issue #116492) (#115742, @dims) [SIG Architecture, Release and Testing] [sig/release,sig/testing,sig/release,sig/architecture]
  • Migrated pkg/controller/nodeipam/ipam/cloud_cidr_allocator.go, pkg/controller/nodeipam/ipam/multi_cidr_range_allocator.go pkg/controller/nodeipam/ipam/range_allocator.go pkg/controller/nodelifecycle/node_lifecycle_controller.go to structured logging (#112670, @yangjunmyfm192085) [sig/network,sig/api-machinery,sig/apps,sig/instrumentation,sig/testing,sig/architecture,sig/cloud-provider]
  • Migrated the Kubernetes object garbage collector (within kube-controller-manager) to use contextual logging. (#113471, @ncdc) [sig/api-machinery,sig/apps,sig/testing]
  • Migrated the ttlafterfinished controller (within kube-controller-manager) to use contextual logging. (#115332, @obaranov1) [SIG Apps] [sig/apps]
  • Migrated the “sample-controller” controller to use contextual logging. (#113879, @pchan) [SIG API Machinery and Instrumentation] [sig/api-machinery,sig/instrumentation]
  • Promoted pod resource limit/request metrics to stable. (#115454, @dgrisonnet) [sig/scheduling,sig/instrumentation]
  • Removed AWS kubelet credential provider. Please use the external kubelet credential provider binary named ecr-credential-provider instead. (#116329, @dims) [SIG Node, Storage and Testing] [sig/storage,sig/node,sig/testing]
  • Removed Azure disk in-tree storage plugin (#116301, @andyzhangx) [sig/scheduling,sig/storage,sig/node,sig/api-machinery,sig/testing,sig/cloud-provider]
  • Removed flag master-service-namespace from api-server arguments (#114446, @lengrongfu) [sig/api-machinery]
  • Removed the following deprecated metrics:
  • node_collector_evictions_number replaced by node_collector_evictions_total
  • scheduler_e2e_scheduling_duration_seconds replaced by scheduler_scheduling_attempt_duration_seconds (#115209, @dgrisonnet) [sig/scheduling,sig/apps]
  • Removed unused rule for nodes/spec from ClusterRole system:kubelet-api-admin (#113267, @hoskeri) [sig/auth,sig/cloud-provider]
  • Renamed API server identity Lease labels to use the key apiserver.kubernetes.io/identity (#114586, @andrewsykim) [SIG API Machinery, Apps, Cloud Provider and Testing] [sig/api-machinery,sig/apps,sig/testing,sig/cloud-provider]
  • Storage.k8s.io/v1beta1 API version of CSIStorageCapacity will no longer be served (#116523, @pacoxu) [SIG API Machinery] [sig/api-machinery]
  • The CSIMigrationAzureFile feature gate (for the feature which graduated to GA in v1.26) is now unconditionally enabled and will be removed in v1.28. (#114953, @enj) [sig/storage]
  • The ControllerManagerLeaderMigration feature, GA since 1.24, is now unconditionally enabled and the feature gate option has been removed. (#113534, @pacoxu) [sig/api-machinery,sig/cloud-provider]
  • The WaitFor and WaitForWithContext functions in the wait package have now been marked private. Callers should use the equivalent Poll* method with a zero duration interval. (#115116, @smarterclayton) [sig/api-machinery]
  • The wait.Poll* and wait.ExponentialBackoff* functions have been deprecated and will be removed in a future release. Callers should switch to using wait.PollUntilContextCancel, wait.PollUntilContextTimeout, or wait.ExponentialBackoffWithContext as appropriate.

PollWithContext(Cancel|Deadline) will no longer return ErrWaitTimeout - use the Interrupted(error) bool helper to replace checks for err == ErrWaitTimeout, or compare specifically to context errors as needed. A future release will make the ErrWaitTimeout error private and callers must use Interrupted() instead. If you are returning ErrWaitTimeout from your own methods, switch to creating a location specific cause err and pass it to the new method wait.ErrorInterrupted(cause) error which will ensure Interrupted() returns true for your loop.

The wait.NewExponentialBackoffManager and wait.NewJitteringBackoffManager functions have been marked as deprecated. Callers should switch to using the Backoff{...}.DelayWithReset(clock, resetInterval) method and must set the Steps field when using Factor. As a short term change, callers may use the Timer() method on the BackoffManager until the backoff managers are deprecated and removed. Please see the godoc of the deprecated functions for examples of how to replace usage of this function. (#107826, @smarterclayton) [SIG API Machinery, Auth, Cloud Provider, Storage and Testing] [sig/storage,sig/api-machinery,sig/auth,sig/testing,sig/cloud-provider]

  • The feature gates CSIInlineVolume, CSIMigration, DaemonSetUpdateSurge, EphemeralContainers, IdentifyPodOS, LocalStorageCapacityIsolation, NetworkPolicyEndPort and StatefulSetMinReadySeconds that graduated to GA in v1.25 and were unconditionally enabled have been removed in v1.27 (#114410, @SataQiu) [SIG Node] [sig/node]
  • Upgraded coredns to v1.10.1 (#115603, @pacoxu) [sig/cluster-lifecycle,sig/cloud-provider]
  • Upgraded go-jose to v2.6.0 (#115893, @mgoltzsche) [sig/api-machinery,sig/cluster-lifecycle,sig/auth,sig/testing]
  • [KCCM - service controller]: enabled connection draining for terminating pods upon node downscale by the cluster autoscaler. This is done by not reacting to the taint used by the cluster autoscaler to indicate that the node is going away soon, thus keeping the node referenced by the load balancer until the VM has been completely deleted. (#115204, @alexanderConstantinescu) [sig/network,sig/api-machinery,sig/instrumentation,sig/cloud-provider]
  • apiserver_admission_webhook_admission_duration_seconds buckets have been expanded, 25s is now the largest bucket size to match the webhook default timeout. (#115802, @logicalhan) [SIG API Machinery and Instrumentation] [sig/api-machinery,sig/instrumentation]
  • wait.ContextForChannel() now implements the context.Context interface and does not return a cancellation function. (#115140, @smarterclayton) [sig/api-machinery,sig/cloud-provider]

Dependencies

Added

  • github.com/a8m/tree: 10a5fd5
  • github.com/dougm/pretty: 2ee9d74
  • github.com/rasky/go-xdr: 4930550
  • github.com/vmware/vmw-guestinfo: 25eff15
  • sigs.k8s.io/kustomize/kustomize/v5: v5.0.1

Changed

Removed

  • github.com/PuerkitoBio/purell: v1.1.1
  • github.com/PuerkitoBio/urlesc: de5bf2a
  • github.com/elazarl/goproxy: 947c36d
  • github.com/form3tech-oss/jwt-go: v3.2.3+incompatible
  • github.com/mattn/go-runewidth: v0.0.7
  • github.com/mindprince/gonvml: 9ebdce4
  • github.com/niemeyer/pretty: a10e7ca
  • github.com/olekukonko/tablewriter: v0.0.4
  • sigs.k8s.io/kustomize/kustomize/v4: v4.5.7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment