Stay Informed
This week, read about:
- Google Introduces First Quantum Resilient FIDO2 Security Key Implementation.
- Announcement of LibreOffice 7.6 Community.
- TP-Link Smart Bulbs Can Let Hackers Steal Your WiFi Password.
- We're In The OWASP-Makes-List-Of-Security-Bug-Types Phase with LLM Chatbots.
Key Security, Maintenance, and Features Releases
Security Based Updates
Apache Cassandra 3.11.16
* Moved jflex from runtime to build dependencies (CASSANDRA-18664)
* Fix CAST function for float to decimal (CASSANDRA-18647)
* Suppress CVE-2022-45688 (CASSANDRA-18643)
* Remove unrepaired SSTables from garbage collection when only_purge_repaired_tombstones is true (CASSANDRA-14204)
* Wait for live endpoints in gossip waiting to settle (CASSANDRA-18543)
* Fix error message handling when trying to use CLUSTERING ORDER with non-clustering column (CASSANDRA-17818
* Add keyspace and table name to exception message during ColumnSubselection deserialization (CASSANDRA-18346)
* Remove unnecessary String.format invocation in QueryProcessor when getting a prepared statement from cache (CASSANDRA-17202)
Merged from 3.0:
* Fix Requires for Java for RPM package (CASSANDRA-18751)
* Fix CQLSH online help topic link (CASSANDRA-17534)
* Remove unused suppressions (CASSANDRA-18724)
* Upgrade OWASP to 8.3.1 (CASSANDRA-18650)
* Suppress CVE-2023-34462 (CASSANDRA-18649)
* Add support for AWS Ec2 IMDSv2 (CASSANDRA-16555)
* Suppress CVE-2023-35116 (CASSANDRA-18630)
* Pass taskId from CompactionTask to system.compaction_history (CASSANDRA-12183)
* Suppress CVE-2023-34455, CVE-2023-34454, CVE-2023-34453 (CASSANDRA-18608)
* Backport CASSANDRA-10508: Remove hard-coded SSL cipher suites (CASSANDRA-18575)
* Suppress CVE-2023-2976 (CASSANDRA-18562)
* Remove dh_python use in Debian packaging (CASSANDRA-18558)
* Pass down all contact points to driver for cassandra-stress (CASSANDRA-18025)
* Validate the existence of a datacenter in nodetool rebuild (CASSANDRA-14319)
* Suppress CVE-2023-2251 (CASSANDRA-18497)
Non-Security Based Updates
Nginx 1.25.2
* Feature: path MTU discovery when using HTTP/3.
* Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using HTTP/3.
* Change: now nginx uses appname "nginx" when loading OpenSSL configuration.
* Change: now nginx does not try to load OpenSSL configuration if the --with-openssl option was used to built OpenSSL and the OPENSSL_CONF environment variable is not set.
* Bugfix: in the $body_bytes_sent variable when using HTTP/3.
* Bugfix: in HTTP/3.
Angular 16.2.1
* Fix: Apply named outlets to children empty paths not appearing in the URL.
Elasticsearch 8.9.1
Fixes:
Aggregations
- GlobalAggregator should call rewrite() before createWeight()
Cluster Coordination
- Improve exception handling in Coordinator#publish
EQL
- Backport fix for async missing events and re-enable the feature
ILM+SLM
- Ignore the total_shards_per_node setting on searchable snapshots in frozen
- Migrate to data tiers routing configures correct default for mounted indices Infra/Core
- Fix APM trace start time
Infra/Logging
- Add Configuration to PatternLayout
Machine Learning
- Fix failure processing Question Answering model output where the input has been spanned over multiple sequences
Search
- UnmappedFieldFetcher should ignore nested fields
Grafana 9.5.8
Features and Enhancements:
GenericOAuth: Set sub as auth id.
Bug Fixes:
DataSourceProxy: Fix url validation error handling
Kibana 8.9.1
Fixes:
APM
- Fixes flame graph rendering on the transaction detail page.
- Check if documents are missing span.name.
- Fixes transaction action menu for Trace Explorer and dependency operations.
Canvas
- Fixes embeddables not rendering in Canvas.
Discover
- Fixes grid styles to enable better content wrapping.
- Fixes search sessions using temporary data views.
- Make share links and search session information shorter for temporary data views.
Fleet
- Fixes for query error on Agents list in the UI.
- Remove duplicate path being pushed to package archive.
Management
- Resolves potential errors present in v8.9.0 with data views that contain field filters that have been edited.
Uptime
- Fixes Monitor not found 404 message display.
Kubernetes 1.28
UPGRADE NOTES
- Action required for the custom scheduler plugin developers. Here's the breaking change in EnqueueExtension in the scheduling framework. The EventsToRegister in EnqueueExtension changed the return value from ClusterEvent to ClusterEventWithHint. ClusterEventWithHint allows each plugin to filter out more useless events via the callback function named QueueingHintFn. When the scheduling queue receives a cluster event, before moving each Pod from unschedulable pod pool to activeQ/backoffQ, it will call QueueingHintFn of plugins that rejected each Pod in the previous scheduling cycle. Depending on the value returned from QueueingHintFn, the scheduling queue changes how it queues each Pod:
- if more than one QueueingHintFn returns QueueImmediately, it queues Pod to activeQ.
- If no QueueingHintFn returns QueueImmediately and more than one plugin returns QueueAfterBackoff, it queues Pod to backoffQ if Pod is backing off, or to activeQ if Pod's backoff has already finished.
- If all QueueingHintFn return QueueSkip, it puts this pod back to the unschedulable pod pool
Having appropriate QueueingHintFn contributes to reducing useless retries and thus improves the overall scheduler's performance.
How can I migrate?
For backward compatibility, nil QueueingHintFn is treated as always returning QueueAfterBackoff. So, if you want to just keep the existing behavior, you can register ClusterEventWithHint with no QueueingHintFn in it. But, registering appropriate QueueingHintFn is, of course, better from a scheduling performance perspective.
- CephFS volume plugin (kubernetes.io/cephfs) has been deprecated in this release and will be removed in a subsequent release. The alternative is to use the CephFS CSI driver (https://github.com/ceph/ceph-csi/) in your Kubernetes cluster.
- Deprecated support for CSI migration of Ceph RBD volumes. Users who were relying on Kubernetes' ability to migrate to an out-of-tree storage driver should complete that migration before the support for it is removed.
- RBD volume plugin (kubernetes.io/rbd) has been deprecated in this release and will be removed in a subsequent release. Alternative is to use RBD CSI driver (https://github.com/ceph/ceph-csi/) in your Kubernetes Cluster.
FIXES
Deprecation:
- Changed kubectl version default output to be identical to what kubectl version --short printed, and removed --short flag entirely.
- Kube-controller-manager deprecate --volume-host-cidr-denylist and --volume-host-allow-local-loopback flags.
- Kubelet: The --azure-container-registry-config flag has been deprecated and will be removed in a future release, please use --image-credential-provider-config and --image-credential-provider-bin-dir to setup acr credential provider instead.
- Removed tracking annotation from validation and defaulting.
- Removed withdrawn feature NetworkPolicyStatus.
- The deprecated flag --lock-object-namespace and --lock-object-name have been removed from kube-scheduler. Please use --leader-elect-resource-namespace and --leader-elect-resource-name or ComponentConfig instead to configure those parameters.
- KMSv1 is deprecated and will only receive security updates going forward. Use KMSv2 instead. In a future release, Set --feature-gates=KMSv1=true to use the deprecated KMSv1 feature.
API Change:
- A CDIDevice field is included in the Device Plugin's ContainerAllocateResponse. This field maps to the CDIDevice field in the CRI protocol.
- ACTION_REQUIRED When an Indexed Job has a number of completions higher than 10^5 and parallelism higher than 10^4, and a big number of Indexes fail, Kubernetes might not be able to track the termination of the Job. Kubernetes now emits a warning, at Job creation, when the Job manifest exceeds both of these limits.
- Added ServedVersions field to StorageVersion API.
- Added IP mode field to loadbalancer status ingress.
- Added podReplacementPolicy and terminating field to job api.
- Added a new namespaceParamRef field to admissionregistration.k8s.io/v1alpha1.ValidatingAdmissionPolicy.
- Added a warning that TLS 1.3 ciphers are not configurable.
- Added error handling for seccomp localhost configurations that do not properly set a localhostProfile.
- Added fields reason and fieldPath into CRD validation rules to allow users to specify reason and field path when validation failed.
- Added namespace access support to the CEL expressions of ValidatingAdmissionPolicy via a namespaceObject variable with expressions.
- Added new CRDValidationRatcheting alpha feature. During a PATCH or UPDATE Validation Ratcheting discards errors thrown by unchanged portions of the resource from most OpenAPI schema validations.
- Added new annotation batch.kubernetes.io/cronjob-scheduled-timestamp to Job objects scheduled from CronJobs.
- Added new config option delayCacheUntilActive to KubeSchedulerConfiguration that can provide a tradeoff between memory efficiency and scheduling speed when their leadership is updated in kube-scheduler
- Changed how KMS v2 encryption at rest can generate data encryption keys. When you enable the KMSv2KDF feature gate (off by default), KMS v2 uses a key derivation function to generate single use data encryption keys from a secret seed combined with some random data. This eliminates the need for a counter based nonce while avoiding nonce collision concerns associated with AES-GCM's 12 byte nonce.
- Exposed rest.DefaultServerUrlFor function.
- Extended the Job API for alpha version of BackoffLimitPerIndex.
- Graduated AdmissionWebhookMatchCondition feature to beta.
- If using cgroups v2, then the cgroup aware OOM killer will be enabled for container cgroups via memory.oom.group . This causes processes within the cgroup to be treated as a unit and killed simultaneously in the event of an OOM kill on any process in the cgroup.
- In the API Priority and Fairness feature, priority levels that are exempt from limitation can now be given a nominal and a lendable concurrency and their dispatching borrows from the concurrency limits of the other priority levels.
- Indexed Job pods now have the pod completion index set as a pod label.
- Kube-proxy: added --logging-format flag to support structured logging.
- NodeVolumeLimits implement the PreFilter extension point for skipping the Filter phase if the Pod doesn't use volumes with limits.
- PersistentVolumes have a new LastPhaseTransitionTime field which holds a timestamp of when the volume last transitioned its phase.
- Pods which set hostNetwork: true and declare ports, get the hostPort field set automatically. Previously this would happen in the PodTemplate of a Deployment, DaemonSet or other workload API. Now hostPort will only be set when an actual Pod is being created. If this presents a problem, setting the feature gate "DefaultHostNetworkHostPortsInPodTemplates" to true will revert this behavior. Please file a kubernetes bug if you need to do this.
- Promoted API groups ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to v1beta1.
- Promoted the feature gate ValidtaingAdmissionPolicy to beta, and it is turned off by default.
- Registered_metric_total, disabled_metric_total, hidden_metric_total & kubernetes_feature_enabled are promoted to BETA stability.
- Removed resizeStatus enum from pvc.Status and replaced with AllocatedResourceStatus.
- Removed WindowsHostProcessContainers feature-gate.
- Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta.
- StatefulSet pods now have the pod index set as a pod label statefulset.kubernetes.io/pod-index.
- Support for proxying a request to a peer kube-apiserver if the local apiserver is not able to serve it due to version skew or in the case the requested api is disabled on the local apiserver
- Supported BackoffLimitPerIndex in Jobs.
- The IPTablesOwnershipCleanup feature (KEP-3178) is now GA; kubelet no longer creates the KUBE-MARK-DROP chain (which has been unused for several releases) or the KUBE-MARK-MASQ chain (which is now only created by kube-proxy).
- The SelfSubjectReview API is promoted to authentication.k8s.io/v1 and the kubectl auth whoami command is GA.
- The names of ResourceClaims generated from ResourceClaimTemplate are now generated. The base name is still <pod>-<claim name>, but a random suffix will avoid name collisions.
- The new feature gate "SidecarContainers" is now available. This feature introduces sidecar containers, a new type of init container that starts before other containers but remains running for the full duration of the pod's lifecycle and will not block pod termination.
- Updated the comment about the feature-gate level for PodFailurePolicy from alpha to beta.
- client-go: Improved memory use of reflector caches when watching large numbers of objects which do not change frequently.
- component-base/logs is now stricter about not applying configurations multiple times and will return an error when that is attempted. Can be overridden by binaries which need to do that.
- kube-controller-manager: The LegacyServiceAccountTokenCleanUp feature gate is now available as alpha (off by default). When enabled, the legacy-service-account-token-cleaner controller loop removes service account token secrets that have not been used in the time specified by --legacy-service-account-token-clean-up-period (defaulting to one year), and are referenced from the .secrets list of a ServiceAccount object, and are not referenced from pods.
- kube-scheduler component config (KubeSchedulerConfiguration) kubescheduler.config.k8s.io/v1beta2 is removed in v1.28. Migrate kube-scheduler configuration files to kubescheduler.config.k8s.io/v1.
Feature:
- A ValidatingAdmissionPolicy now has its messageExpression field checked against resolved types.
- Added '--concurrent-cron-job-syncs' flag for kube-controller-manager to set the number of workers for cron job controller.
- Added '--concurrent-job-syncs' flag for kube-controller-manager to set the number of job controller workers.
- Added --concurrency flag to configure the concurrency of kubectl diff execution, defaults to 1.
- Added ConsistentListFromCache feature gate that allows apiserver to serve consistent lists from cache.
- Added DisruptionTarget condition to the pod preempted by kubelet to make room for a critical pod.
- Added apiserver_admission_match_condition_evaluation_seconds and apiserver_admission_match_condition_exclusions_total metrics.
- Added a container image for kubectl at registry.k8s.io/kubectl across the same architectures as other images (linux/amd64 linux/arm64 linux/s390x linux/ppc64le)
- Added a new command line argument --interactive to kubectl. The new command line argument lets a user confirm deletion requests per resource interactively.
- Added a new feature gate, SchedulerQueueingHints (enabled by default). The new feature gate activates a framework for fine-grained filtering of events related to scheduler plugins. In this release, no default scheduling plugins make use of the hinting framework, so you should not expect any behavior changes.
- Added full cgroup v2 swap support for both Limited and Unlimited swap.
When LimitedSwap is enabled the swap limit would be automatically calculated for Burstable QoS pods. For Best-Effort/Guaranteed QoS pods, swap would be disabled.
Containers with memory requests equal to their memory limits also won't have swap access, and it is a way to opt-out of swap for a single container.
The formula for the swap limit for Burstable QoS pods is: (<memory-request>/<node-memory-capacity>)*<node-swap-capacity>.
Support for cgroup v1 is removed.
- Added handling for pods in podgc for PodReplacementPolicy or PodDisruption.
- Added reason to metric attachdetach_controller_forced_detaches in the attach detach controller.
- Added support for pod hostNetwork field selector
- Added swap to stats to Summary API and Prometheus endpoints (stats/summary and /metrics/resource).
- Added the implementation for PodRecreationPolicy to wait for the creation of pods once the existing ones are fully terminated.
- Allow to monitor client-go DNS resolver latencies via rest_client_dns_resolution_duration_seconds Prometheus metric.
- Apiserver adds two new metrics etcd_requests_total and etcd_request_errors_total that allow users to monitor requests to etcd storage, split by operation and resource type.
- Bumped distroless-iptables to 0.2.6 based on Go 1.20.6.
- Bumped metrics-server to v0.6.3.
- CEL authorizer checks no longer raise runtime errors. Calls to "check" will always return a decision object and the authorization error (if any) can be accessed within expressions using the new decision methods "errored" and "error".
- CRI: exposed commit memory bytes in container stats specific to Windows
- Client-go now exposes two new metrics to monitor the client-go logic that generate http.Transports for the clients.
- rest_client_transport_cache_entries is a gauge metric with the number of existing entries in the internal cache
- rest_client_transport_create_calls_total is a counter that increments each time a new transport is created, storing the result of the operation needed to generate it: hit, miss or uncacheable.
- Cloud controller manager's node controller now emits timing metrics for initial Node synchronization. These metrics measure the delay between the creation of a new Node and the node controller's initial management actions, such as removing the cloud provider taint. These metrics should be consulted when setting cloud controller manager's --concurrent-node-syncs flag.
- Dynamic resource allocation: when a claim uses "wait for first consumer" allocation (the default), then it will now get deallocated after it was used by a pod. That ensures that the next pod isn't affected by previous scheduling decision and that resources are not kept allocated unless really needed. If keeping a claim allocated is desired, use "immediate allocation."
- Enabled use of pods with volumes and user namespaces. The feature gate was renamed from UserNamespacesStatelessPodsSupport to UserNamespacesSupport.
- External credential provider plugins will now have their standard error output logged by kubelet upon failures.
- Faster scheduling when ResourceClaims are involved.
- Fixed the alpha CloudDualStackNodeIPs feature.
- Graduated the LegacyServiceAccountTokenTracking feature gate to GA. The usage of auto-generated secret-based service account token now produces warnings, and relevant Secrets are labeled with a last-used timestamp (label key kubernetes.io/legacy-token-last-used).
- Graduated the ProbeTerminationGracePeriod feature gate to GA.
- Hashing of KeyID in Logs
This release adds a feature to hash the KeyID values in the logs. The KeyID values are sensitive information that should not be exposed in plain text in the logs. By hashing the KeyID values, we can protect the confidentiality of the data while still being able to log the necessary information.
- Implemented alpha support for a drop-in kubelet configuration directory.
- In the course of admitting a single request, the ValidatingAdmissionPolicy plugin will perform no more than one authorization check per unique authorizer expression. All evaluations of identical authorizer expressions will produce the same decision.
- Introduce support for CEL optionals (see CEL spec proposal 246). This feature will not be fully enabled until a future Kubernetes release (likely to be v1.29), but is added in v1.28 to enable safe rollback on downgrade.
- Kube-controller-manager: the dynamic resource controller steps in when a pod got created such that the scheduler ignores it (i.e. spec.nodeName is set) and then takes care of triggering delayed resource claim allocation and/or reserving a claim for the pod.
- Kube-proxy handles Terminating EndpointSlices conditions and enables zero downtime deployments for Services with ExternalTrafficPolicy=Local author: @andrewsykim
- Kube-proxy service health returns http header X-Load-Balancing-Endpoint-Weight with number of local endpoints. The same information is still available in response body JSON payload.LocalEndpoints.
- Kubelet: plugins for dynamic resource allocation may use the v1alpha3 API instead of v1alpha2 if they want to do prepare/unprepare operations in batches.
- Kubelet: security of dynamic resource allocation was enhanced by limiting node access to those objects that are needed on the node.
- Kubelet: un-deprecated --provider-id flag.
- Kubernetes is now built with Go 1.20.4.
- Kubernetes is now built with Go 1.20.5.
- Kubernetes is now built with Go 1.20.6.
- Metric scheduler_scheduler_goroutines is removed. Use scheduler_goroutines instead.
- Migrated pkg/controller/endpoint to contextual logging.
- Migrated pkg/scheduler/framework/preemption to use contextual logging.
- Migrated pod-security-admission to use contextual logging.
- Migrated controller functions to use contextual logging.
- Migrated the Job controller (within kube-controller-manager) to use contextual logging.
- Migrated the EndpointSlice and EndpointSliceMirroring controllers (within kube-controller-manager) to use contextual logging.
- Migrated the certificate controller (within kube-controller-manager) to use contextual logging.
- Migrated the noderesources scheduler plugin to use contextual logging.
- Migrated the podtopologyspread scheduler plugins to use contextual logging.
- Moved non-graceful node shutdown to GA.
- New CEL Library functions to support Kubernetes Quantities.
- New Metrics Added for Encryption Configuration Controller
This release adds new metrics to the Encryption Configuration Controller to help monitor the automatic reloading of encryption configuration. The new metrics include:
- apiserver_encryption_config_controller_automatic_reload_failures_total: Total number of failed automatic reloads of encryption configuration.
- apiserver_encryption_config_controller_automatic_reload_success_total: Total number of successful automatic reloads of encryption configuration.
- apiserver_encryption_config_controller_automatic_reload_last_timestamp_seconds: Timestamp of the last successful or failed automatic reload of encryption configuration.
These metrics can be used to monitor the health of the Encryption Configuration Controller and to troubleshoot any issues that may arise during automatic reloading of encryption configuration.
- New staging repo has been created for the EndpointSlice reconciler.
- Promoted ServiceNodePortStaticSubrange feature gate to beta, and it will be enabled by default.
- Promoted the following apiserver flowcontrol metrics to Beta:
- apiserver_flowcontrol_request_wait_duration_seconds
- apiserver_flowcontrol_current_executing_seats
- apiserver_flowcontrol_nominal_limit_seats
- apiserver_flowcontrol_rejected_requests_total
- apiserver_flowcontrol_dispatched_requests_total
- apiserver_flowcontrol_current_inqueue_requests
- apiserver_flowcontrol_current_executing_requests
- Renamed PodHasNetwork to PodReadyToStartContainers.
- Replaced apiserver_storage_db_total_size_in_bytes with apiserver_storage_size_bytes metric.
- Scheduler now waits for handlers to finish syncing before the scheduling cycles start.
- Set metrics-server's metric-resolution to 15s.
- SubjectAccessReview requests sent to webhook authorizers now default spec.resourceAttributes.version to * if unset.
- Supported specifying a custom retry period for cloud load-balancer operations.
- The "value" part in the wait --for=jsonpath='{expression}'[=value] is now optional. If the value is not provided i.e., the command looks like wait --for=jsonpath='{expression}' then the wait condition is interpreted as matched when the expression returns any single JSON value like object or a literal.
- The Kubernetes apiserver now emits a warning message for Pods with a null labelSelector in podAffinity or topologySpreadConstraints. The null labelSelector means "match none". Using it in podAffinity or topologySpreadConstraint could lead to unintended behavior.
- The AdvancedAuditing feature gate that graduated to GA in v1.12 (and was unconditionally enabled) has been removed.
- The ExpandedDNSConfig feature has graduated to GA. 'ExpandedDNSConfig' feature was locked to default value and will be removed in v1.30. If you were setting this feature gate explicitly, please remove it now.
- The apiserver debug endpoint /debug/api_priority_and_fairness/dump_requests has been extended to dump executing requests as well as queued ones. A column for StartTime has been added to the returned table, with the queued requests having a StartTime of "0001-01-01T00:00:00Z". The executing requests have a RequestIndexInQueue of -1, and the QueueIndex is also -1 for priority levels without queues.
- The helping message of commands which have sub-commands is now clearer and more instructive. It will show the full command instead of kubectl <command> --help ...
Changed kubectl create secret --help description. There will be a short introduction to the three secret types and clearer guidance on how to use the command.
- The scheduler skips the InterPodAffinity Score plugin when nothing to do with the Pod. It will affect some metrics values related to the InterPodAffinity Score plugin.
- The scheduler skips the PodTopologySpread Filter plugin if no spread constraints. It will affect some metrics values related to the PodTopologySpread Filter plugin.
- The scheduler skips the PodTopologySpread Score plugin when nothing to do with the Pod. It will affect some metrics values related to the PodTopologySpread Score plugin.
- The short names vwc and mwc were introduced for the resources validatingwebhookconfigurations and mutatingwebhookconfigurations.
- Updated etcd image to 3.5.9-0.
- Updated cAdvisor to v0.47.2 and fixed metrics in cri-o when a container restarts.
- Updated distroless I-tables to use registry.k8s.io/build-image/distroless-iptables:v0.2.5
- Updated distroless iptables to use released image registry.k8s.io/build-image/distroless-iptables:v0.2.4
- Updated the scheduler interface and cache methods to use contextual logging.
- ValidatingAdmissionPolicy type checking now correctly handles authorizer variable.
- When a pod is done or not going to run, then ResourceClaims for it can be reused by other pods or deleted.
- With the KubeletCgroupDriverFromCRI feature gate enabled and sufficiently new version of a container runtime, kubelet automatically detects the cgroup driver config from the container runtime, eliminating the need to specify the cgroupDriver configuration option (or --cgroup-driver flag) of kubelet.
- [Kube-proxy]: Implemented connection draining for terminating nodes.
- --version=v1.X.Y... can now be used to set the prerelease and buildID portions of the version reported by components.
- RetroactiveDefaultStorageClass feature made stable and enabled by default.
- TopologyManagerPolicyOptions feature-flag is promoted to beta and enabled by default.
- force_delete_pods_total and force_delete_pod_errors_total metrics count all pod deletion behaviors.
- klog text output now uses JSON as encoding for structs, maps and slices.
- kube-proxy in iptables mode will now have separate sync_full_proxy_rules_duration_seconds\nand sync_partial_proxy_rules_duration_seconds (in addition to the existing\nsync_proxy_rules_duration_seconds), giving better information about the duration of each \nsync type, rather than only giving a weighted average of the two sync types together.
- kubeadm: added a new "kubeadm config validate" command that can be used to validate any input config file. Use the --config flag to pass a config file to it. See the command --help screen for more information. As a result of adding this new command, enhance the validation capabilities of the existing "kubeadm config migrate" command. For both commands unknown APIs or fields will throw errors.
- kubeadm: added the --allow-experimental-api flag to "kubeadm config migrate/validate" commands. It can be used to migrate or validate WIP/experimental APIs in the future.
- kubeadm: generate CA certificates with a start time that is offset 5 minutes in the past relative to the current system time to workaround cases of clock desync.
- plugin_evaluation_total metric supports prescore/score extension point. The metric doesn't get incremented when the prescore/score plugin has nothing to do with an incoming pod.
Logstash 8.9.1
Notable issues fixed
- Fix pipeline to pipeline communication when upstream pipeline is terminated and events is written to a closed queue in downstream.
- Fix DLQ unable to finalize segment error
Updates to dependencies
- Update JDK to 17.0.8+7
Plugins
Elasticsearch Filter - 3.15.2
- Added checking to ensure either query or query_template is non empty
Snmp Input - 1.3.3
- Silence warnings when loading dictionary MIB files
Aws Integration - 7.1.5
- Fix external documentation links
RabbitMQ 3.12.3
Core Server
Bug Fixes
- Certain diagnostics operations during rolling upgrades from 3.10 to 3.11 could fail
if the listener_records_in_ets feature flag was enabled in the middle of the upgrade. - On Windows, PowerShell will no longer be used as a fallback for handle.exe
for computing how many file and socket handles a node uses.
If a user does not have handle.exe`` installed in the PATH`` of their Windows system,
a message will be logged once, and then the total handles being used will be set to 0.
PowerShell ended up being a CPU-intensive alternative that's not worth the gains
for many installations.
- Node maintenance state was not replicated to all nodes, even though it was accessible
from any node (and for any node).
CLI Tools
Enhacements
- Some warnings were emitted even when --formatter was set to json.
MQTT Plugin
Bug Fixes
- MQTT connections could run into an exception when a queue it consumed from was temporarily
unavailable (e.g. was undergoing a leader election).
Enhancements
- When QoS 0 consumers consistently do not keep up with publishers, some messages will be dropped
to avoid runaway resource usage.
Now the number of dropped messages will be reflected in the dropped message metric, together with unroutable messages.
HTTP AuthN/AuthZ Backend Plugin
Bug Fixes
- AMQP 1.0 client connections were refused with this plugin.
LDAP AuthN/AuthZ Backend Plugin
Bug Fixes
- AMQP 1.0 client connections were refused with this plugin.
Sonatype Nexus Repository 3.59.0
FIXES
NEXUS-39797: Resolved an issue that was causing some components to not be indexed for search in HA deployments.
NEXUS-39774 & 39573: Using the Search API to return Maven assets with an empty maven.classifier now works as expected.
NEXUS-39255: The Conan v2 remote list command to retrieve revisions performs as expected without a 500 error.
NEXUS-36486: The blobCreated date is now preserved when migrating to PostgreSQL.
NEXUS-36415: Adjusted handling in cases where invalid content violating metadata format is cached in a proxy repository.
NEXUS-35977: Improved error messaging and documentation related to requesting files from a R format repository.
- Fix linting
- Bump python-daemon package
- Fix trial status and host limit with sub
- Update example service-account.yml for container group in documentation
- Add PR check to ensure JIRA links are present
- Fix RBAC around credential access add button
- Wait for new label IDs before setting label prompt values.
- Add Request time out option for collection
- Only process ansible_facts for successful jobs
- Fix broken link to upgrade docs.
- Allow importing licenses with a missing "usage" attribute
- Remove extra quote from Skipped task status string
- Modify main/0185 to set aside the json fields that might be a problem
- Integrate scheduler into dispatcher main loop
- HostMetricSummaryMonthly: Analytics export
- Add a retry to update host facts on deadlocks
- Fix programming error in facts retry merge
- Make the default JOB_EVENT_BUFFER_SECONDS 1 seconds
Gitlab Community Edition 16.3.0
Added (169 changes)
Fixed (180 changes)
Changed (265 changes)
Security (22 changes)
*Use component to hide sensitive analytics settings (merge request)
*Fix undefined method page error in list dependencies (merge request)
*Fix undefined method licenses for nil:NilClass bug (merge request)
*Add pagination for license scanning (merge request)
*Mitigate autolink filter ReDOS (merge request)
*Revert 'security-408388--protected-branch' (merge request)
*Fix bug where comments on files with incorrect sha breaks UI (merge request)
*Prevent leaking emails of newly created users (merge request)
*Sanitize multiple hardlinks from import archives (merge request)
*Mitigate project reference filter ReDOS (merge request)
*Relocate PlantUML config and disable SVG support (merge request)
*Added redirect to filtered params (merge request)
*Validates project path availability (merge request)
*Fix XSS vector in Web IDE (merge request)
*Prevent creation of tags matching protected branch names (merge request)
*Add a stricter regex for the Harbor search param (merge request)
*Prohibit 40 character hex plus a hyphen if branch name is path (merge request)
*Fix policy project assign (merge request)
*Fix pipeline schedule authorization for protected branch/tag (merge request)
*Update pipeline user to the last policy MR author (merge request)
*Test nr 3: fast security->canonical sync (merge request)
*Test fast security->canonical sync (merge request)
Performance (17 changes)
Other (90 changes)