Stay Informed

This week, read about:

Security Based Updates

Updates to the OpenLogic CentOS Repository
OpenLogic's Enterprise Linux Team has recently published the following updates:

We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:

  • Removed bower-npm-resolver from dependencies
  • This resolves unwanted downloads of minimist and tough-cookie with many others

Non-Security Based Updates

Angular 18.2.0
COMPILER:

  • (feat - c8e2885136) | Add extended diagnostic to warn when there are uncalled functions in event bindings (#56295) (#56295)

COMPILER-CLI:

  • (feat - 98ed5b609e) | run JIT transform on classes with `jit: true` opt-out (#56892)
  • (fix - c76b440ac0) | add warning for unused let declarations (#57033)
  • (fix - 0f0a1f2836) | emitting references to ngtypecheck files (#57138)
  • (fix - 6c2fbda694) | extended diagnostic visitor not visiting template attributes (#57033)
  • (fix - e11c0c42d2) | run JIT transforms on `@NgModule` classes with `jit: true` (#57212)

CORE:

  • (feat - f7918f5272) | Add 'flush' parameter option to fakeAsync to flush after the test (#57239)
  • (feat - fab673a1dd) | add ng generate schematic to convert to inject (#57056)
  • (feat - 7919982063) | Add whenStable helper on ApplicationRef (#57190)
  • (feat - 3459289ef0) | bootstrapModule can configure NgZone in providers (#57060)
  • (fix - 296216cbe1) | Allow hybrid CD scheduling to support multiple "Angular zones" (#57267)
  • (fix - 8718abce90) | Deprecate ignoreChangesOutsideZone option (#57029)
  • (fix - 827070e331) | Do not run image performance warning checks on server (#57234)
  • (fix - ca89ef9141) | handle shorthand assignment in the inject migration (#57134)
  • (fix - 5dcdbfcba9) | rename the equality function option in toSignal (#56769)
  • (fix - 2a4f488a6c) | warnings for oversized images and lazy-lcp present with bootstrapModule (#57060)

Angular 18.1.5
COMPILER-CLI:

  • (fix - 5401332b0e) | generate valid TS 5.6 type checking code (#57303)

CORE:

  • (fix - e39b22a932) | Account for addEventListener to be passed a Window or Document. (#57282)
  • (fix - db65bc25ca) | Account for addEventListener to be passed a Window or Document. (#57354)
  • (fix - 0e024ecc27) | complete post-hydration cleanup in components that use ViewContainerRef (#57300)
  • (fix - 822db64b93) | skip hydration for i18n nodes that were not projected (#57356)
  • (fix - 810f76f574) | take skip hydration flag into account while hydrating i18n blocks (#57299)

Ansible 2.17.3
Minor Changes:

  • ansible-test - Improve the error message shown when an unknown ``--remote`` or ``--docker`` option is given.
  • ansible-test - Removed the ``vyos/1.1.8`` network remote as it is no longer functional.

Bugfixes:

  • Warning now includes filename and line number of variable when specifying a list of dictionaries for vars (https://github.com/ansible/ansible/issues/82528).
  • config, restored the ability to set module compression via a variable
  • debconf - fix normalization of value representation for boolean vtypes in new packages (https://github.com/ansible/ansible/issues/83594)
  • linear strategy: fix handlers included via ``include_tasks`` handler to be executed in lockstep (https://github.com/ansible/ansible/issues/83019)

Ansible 2.16.10
Minor Changes:

  • ansible-test - Improve the error message shown when an unknown ``--remote`` or ``--docker`` option is given.
  • ansible-test - Removed the ``vyos/1.1.8`` network remote as it is no longer functional.

Bugfixes:

  • config, restored the ability to set module compression via a variable
  • linear strategy: fix handlers included via ``include_tasks`` handler to be executed in lockstep (https://github.com/ansible/ansible/issues/83019)

Docker Compose v2.29.2
Improvements:

  • docs: Update docker compose kill usage (12041)
  • add x-initSync to watch to always provide initial (12047)

Fixes:

  • Removes redundant condition from toAPIBuildOptions in build.go (12009)
  • Fix stopping compose process for single container for file change on sync-restart action (12014)

FluentD v1.17.1
Enhancement:

  • yaml_parser: Support $log_level element: https://github.com/fluent/fluentd/pull/4482
  • out_file: Add warn message for symlink_path setting: https://github.com/fluent/fluentd/pull/4502
  • out_http: Add `compress gzip` option: https://github.com/fluent/fluentd/pull/4528
  • in_exec: Add `encoding` option to handle non-ascii characters: https://github.com/fluent/fluentd/pull/4533
  • in_tail: Add throttling metrics: https://github.com/fluent/fluentd/pull/4578
  • compat: Improve method call performance: https://github.com/fluent/fluentd/pull/4588
  • in_sample: Add `reuse_record` parameter to reuse the sample data: https://github.com/fluent/fluentd/pull/4586
    • `in_sample` has changed to copy sample data by default to avoid the impact of destructive changes by subsequent plugins.
    • This increases the load when generating large amounts of sample data.
    • You can use this new parameter to have the same performance as before.

BugFixes:

  • logger: Fix LoadError with console gem v1.25: https://github.com/fluent/fluentd/pull/4492
  • parser_json: Fix wrong LoadError warning: https://github.com/fluent/fluentd/pull/4522
  • in_tail: Fix an issue where a large single line could consume a large amount of memory even though `max_line_size` is set: https://github.com/fluent/fluentd/pull/4530

Misc:

  • Comment out inappropriate default configuration about out_forward: https://github.com/fluent/fluentd/pull/4523
  • gemspec: Remove unnecessary files from released gem: https://github.com/fluent/fluentd/pull/4534
  • plugin-generator: Update gemspec to remove unnecessary files: https://github.com/fluent/fluentd/pull/4535
  • Suppress non-parenthesis warnings: https://github.com/fluent/fluentd/pull/4594
  • Fix FrozenError in http_server plugin helper: https://github.com/fluent/fluentd/pull/4598
  • Add logger gem dependency for Ruby 3.5: https://github.com/fluent/fluentd/pull/4589

Gitlab v17.3.0
Added (143 changes)
Fixed (143 changes)
Changed (226 changes)
Deprecated (1 change)

  • [Stop using PrometheusAlertPresenter from graphql and remove class](https://gitlab.com/gitlab-org/gitlab/-/commit/9cd7badde943e0f90d1ea4bbdcd43220da81a464) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160504))

Removed (30 changes)
Security (22 changes)

  • [Filter parameters in Rack::Attack logs](https://gitlab.com/gitlab-org/gitlab/-/commit/4565d96be79f64541c7aab68ab27f27cd58d6184)
  • [Fix Possible asciidoctor include:: directive DOS](https://gitlab.com/gitlab-org/gitlab/-/commit/73f3ea94b844fbc3dfe4e6a4ef9edf3375e67360)
  • [Show correct file content](https://gitlab.com/gitlab-org/gitlab/-/commit/56c91e5510ab52f5e74be40f4672ca879babfa2a)
  • [Fix the catastrophic backtracking](https://gitlab.com/gitlab-org/gitlab/-/commit/9757b254a51dac68951ac12951f2e1a1e870d02a)
  • [Update audit payload](https://gitlab.com/gitlab-org/gitlab/-/commit/82726dd897601e1212641d2c4d1975a4f63b1032)
  • [Limit access to project accessed by Security Policy Bot](https://gitlab.com/gitlab-org/gitlab/-/commit/0de6ffe017e4b400641889ac1ea83d903265c10a)
  • [Show alert about not rendering files due to path encoding](https://gitlab.com/gitlab-org/gitlab/-/commit/ba3360000e58eb8a0633cfddf94c0743b009b948)
  • [Add a project scope to LfsTokens](https://gitlab.com/gitlab-org/gitlab/-/commit/de2022b4a5ee5a708454626bcadce1c50467c812)
  • [Security fixes for banzai pipeline part 2](https://gitlab.com/gitlab-org/gitlab/-/commit/9a5b8ae2305b905f4ff6d92041294273b1dda4d4)
  • [Remove xhtml extensions from snippets blobs](https://gitlab.com/gitlab-org/gitlab/-/commit/09d9235e3ebdff1af49863701b718a365f2baede)
  • [Fix ReDoS in RefMatcher](https://gitlab.com/gitlab-org/gitlab/-/commit/71a408dd12b9a96d6713644938f59d3e7d36f738)
  • [Enforce `require_password_to_approve` MR approval policy property](https://gitlab.com/gitlab-org/gitlab/-/commit/42526d753dc6ea54beb7ed7e73a222befbe3ee00)
  • [Remove verify authentication token skip in cdot proxy controller](https://gitlab.com/gitlab-org/gitlab/-/commit/c34f64202a013bb6460b40c346d05120ab4182b4)
  • [Fix ReDoS when parsing git push options](https://gitlab.com/gitlab-org/gitlab/-/commit/1286b58893505391bb33e915f25bcc00ea1184e2)
  • [Attribute BulkImport::Export to a particular user](https://gitlab.com/gitlab-org/gitlab/-/commit/ab8e4a0d4c413daa52d65810d4fb849e03617c91)
  • [Refactor import_export_upload to be user-based](https://gitlab.com/gitlab-org/gitlab/-/commit/29d4e4570f642bf0f6697a584bf4eb24be6d60e5)
  • [Don't include project-level analytics settings in DOM](https://gitlab.com/gitlab-org/gitlab/-/commit/9925a8a3989b8bda4ca0c76b1002c25a911c2326)
  • [Remove prohibited tags after import](https://gitlab.com/gitlab-org/gitlab/-/commit/638447ecfe01cd0c35713ec7a29350f6fde021df)
  • [Fix for private dotenv artifacts not accessible to downstream jobs](https://gitlab.com/gitlab-org/gitlab/-/commit/a52656303b62340f8cfe56bd9c9442c30973b6a7)
  • [Do not allow script execution on dependency responses](https://gitlab.com/gitlab-org/gitlab/-/commit/2b160f8fa7ac30f840e38b11098499762f351f07)
  • [Fix for private txt artifacts being accessible through the artifacts/browse link](https://gitlab.com/gitlab-org/gitlab/-/commit/049e1a244d4ab0d113694c878ff5a7ad0e16f4bc)
  • [Disable system hooks on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/commit/dbb3b7dc3298b67c68545e17f387e91fc7da62a0) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159437))

Performance (10 changes):

  • [Add preloads to AddOnPurchasesResolver](https://gitlab.com/gitlab-org/gitlab/-/commit/cf1c82daeb7c6643e872a89695841bca5710a1f9) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162232)) **GitLab Enterprise Edition**
  • [Remove `segmented_vulnerability_report_export` feature flag](https://gitlab.com/gitlab-org/gitlab/-/commit/f32a63f6bb7621aac6eb0a821f1a532062ea9b10) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161448)) **GitLab Enterprise Edition**
  • [Do not attempt to upsert existing cvs scanners](https://gitlab.com/gitlab-org/gitlab/-/commit/71785e5153bcb06d88d24d7115a9c1f844e49e4c) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161360))
  • [Only wait for contribution mapping related exports](https://gitlab.com/gitlab-org/gitlab/-/commit/a7c79a2304403809ae7cf33d9235166356b24db0) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160398))
  • [Prevent timeouts in group autocomplete query](https://gitlab.com/gitlab-org/gitlab/-/commit/b4a70fa2ec90382713f542fbc7b9931a8e28a2b1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160836))
  • [Skip updates for existing components and versions](https://gitlab.com/gitlab-org/gitlab/-/commit/e4f6455cea823b0c63e5c143728d7ccc5568a3d4) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160777)) **GitLab Enterprise Edition**
  • [Refactor Nuget SearchResultsPresenter](https://gitlab.com/gitlab-org/gitlab/-/commit/8840bdb22157df8544897e707c2802153fb751d1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159895))
  • [Adjust Bitbucket Cloud issues worker to be resumable](https://gitlab.com/gitlab-org/gitlab/-/commit/5da77cea6b385dcc75644bf1eb56f521170cbc2b) by @ivantedja ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158472))
  • [Bulk insert CVS vulnerability scanners](https://gitlab.com/gitlab-org/gitlab/-/commit/067d8440852104040c110a82c438801d8005436b) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159968))
  • [Remove skip_sbom_occurrences_update_on_pipeline_id_change feature flag](https://gitlab.com/gitlab-org/gitlab/-/commit/8325878a2da2883fbe1af685957bfc4f855a3bb6) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159637)) **GitLab Enterprise Edition**

Jenkins 2.472
1. makeButton creates jenkins-buttons on the fly instead of using YUI. (issue 73563)
2. Upgrade Jetty from 10.0.22 to 12.0.12. (issue 73130)
3. Modernize project relationship page. (pull 9461)
4. Clarify that the plugin incompatibility message applies to the current plugin. (issue 73495)
5. Fix IndexOutOfBoundsException in cloud management pages when controller has no executors. (issue 73554)
6. Fix "New Item" page layout if no icon is defined for an item. (issue 73586)

Kubernetes v1.28.13
Changes by Kind
API Change:

  • Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. (#126159, @xyz-li) [SIG API Machinery]
  • Use omitempty for optional Job Pod Failure Policy fields (#126046, @mimowo) [SIG Apps]

Bug or Regression:

  • Fix the bug where PodIP field is temporarily removed for a terminal pod (#125404, @mimowo) [SIG Node and Testing]
  • Fixed a bug in ValidatingAdmissionPolicy that caused policies which were using CRD parameters to fail to synchronize (#123003, @alexzielenski) [SIG API Machinery and Testing]
  • Kube-apiserver: fixes a 1.27+ regression watching a single namespace via the deprecated /api/v1/watch/namespaces/$name endpoint where watch events were not delivered after the watch was established (#126150, @xyz-li) [SIG API Machinery and Testing]
  • Kube-apiserver: fixes a potential crash serving CustomResourceDefinitions that combine an invalid schema and CEL validation rules. (#126167, @cici37) [SIG API Machinery and Testing]
  • Mount-utils: treat syscall.ENODEV as corrupted mount (#126174, @dobsonj) [SIG Storage]
  • StatefulSet autodelete will respect controlling owners on PVC claims as described in https://github.com/kubernetes/enhancements/pull/4375 (#126581, @mattcary) [SIG Apps, Storage and Testing]
  • Stop using wmic on Windows to get uuid in the kubelet (#126012, @marosset) [SIG Node and Windows]

Kubernetes v1.29.8
Changes by Kind
API Change:

  • Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. (#126157, @xyz-li) [SIG API Machinery]
  • Use omitempty for optional Job Pod Failure Policy fields (#126046, @mimowo) [SIG Apps]

Bug or Regression:

  • Fix the bug where PodIP field is temporarily removed for a terminal pod (#125404, @mimowo) [SIG Node and Testing]
  • Fixed a bug that init containers with `Always` restartPolicy may not terminate gracefully if the pod hasn't initialized yet. (#126332, @gjkim42) [SIG Node and Testing]
  • Kube-apiserver: fixes a 1.27+ regression watching a single namespace via the deprecated /api/v1/watch/namespaces/$name endpoint where watch events were not delivered after the watch was established (#126151, @xyz-li) [SIG API Machinery and Testing]
  • Kube-apiserver: fixes a potential crash serving CustomResourceDefinitions that combine an invalid schema and CEL validation rules. (#126167, @cici37) [SIG API Machinery and Testing]
  • Mount-utils: treat syscall.ENODEV as corrupted mount (#126174, @dobsonj) [SIG Storage]
  • StatefulSet autodelete will respect controlling owners on PVC claims as described in https://github.com/kubernetes/enhancements/pull/4375 (#126580, @mattcary) [SIG Apps, Storage and Testing]
  • Stop using wmic on Windows to get uuid in the kubelet (#126012, @marosset) [SIG Node and Windows]

Kubernetes v1.30.4
Changes by Kind
API Change:

  • Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. (#126146, @xyz-li) [SIG API Machinery]
  • Use omitempty for optional Job Pod Failure Policy fields (#126046, @mimowo) [SIG Apps]

Bug or Regression:

  • Disabled a previously on-by-default optimization for the API server where each **watch** response used a dedicated goroutine. The `APIServingWithRoutine` feature gate has been demoted from beta to alpha, and is now off by default. (#126481, @benluddy) [SIG API Machinery]
  • Fix the bug where PodIP field is temporarily removed for a terminal pod (#125404, @mimowo) [SIG Node and Testing]
  • Fixed a bug that init containers with `Always` restartPolicy may not terminate gracefully if the pod hasn't initialized yet. (#126331, @gjkim42) [SIG Node and Testing]
  • Kube-apiserver: fixes a 1.27+ regression watching a single namespace via the deprecated /api/v1/watch/namespaces/$name endpoint where watch events were not delivered after the watch was established (#126153, @xyz-li) [SIG API Machinery and Testing]
  • Kube-apiserver: fixes a potential crash serving CustomResourceDefinitions that combine an invalid schema and CEL validation rules. (#126167, @cici37) [SIG API Machinery and Testing]
  • Kubeadm: Added `--yes` flag to the list of allowed flags so that it can be mixed with `kubeadm upgrade apply --config` (#125566, @xmudrii) [SIG Cluster Lifecycle]
  • Kubeadm: fixed a bug on 'kubeadm join' where using patches with a kubeletconfiguration target was not respected when performing the local kubelet healthz check. (#126251, @neolit123) [SIG Cluster Lifecycle]
  • Kubeadm: fixed a regression where the JoinConfiguration.discovery.timeout was no longer respected and the value was always hardcoded to "5m" (5 minutes). (#125481, @neolit123) [SIG Cluster Lifecycle]
  • Mount-utils: treat syscall.ENODEV as corrupted mount (#126174, @dobsonj) [SIG Storage]
  • Resolve a regression in 1.30 default behavior for kubectl exec, cp, and attach which fail when using an HTTPS proxy. (#126253, @seans3) [SIG API Machinery and CLI]
  • StatefulSet autodelete will respect controlling owners on PVC claims as described in https://github.com/kubernetes/enhancements/pull/4375 (#125389, @mattcary) [SIG Apps and Testing]
  • Stop using wmic on Windows to get uuid in the kubelet (#126012, @marosset) [SIG Node and Windows]

Kubernetes v1.31.0
Urgent Upgrade Notes:
(No, really, you MUST read this before you upgrade)

  • Added support to the scheduler to start using the QueueingHint registered for the Pod/Updated event to determine whether an update to an unschedulable Pod makes it schedulable, when the feature gate `SchedulerQueueingHints` is enabled. Previously, when unschedulable Pods were updated, the scheduler always put them back into activeQ/backoffQ. But not every update to a Pod makes it schedulable, especially since many scheduling constraints nowadays are immutable. Now, when unschedulable Pods are updated, the scheduling queue checks with the QueueingHint(s) whether the update may make the Pods schedulable, and requeues them to activeQ/backoffQ **only when** at least one QueueingHint returns Queue. Action required for custom scheduler plugin developers: plugins **have to** implement a QueueingHint for the Pod/Update event if a rejection by them could be resolved by updating the unscheduled Pods themselves. Example: suppose you develop a custom plugin that denies Pods that have a `schedulable=false` label. Given that Pods with a `schedulable=false` label become schedulable once that label is removed, this plugin would implement a QueueingHint for the Pod/Update event that returns Queue when such a label change is made on unscheduled Pods. (#122234, @AxeZhan) [SIG Scheduling and Testing]
  • Kubelet flag `--keep-terminated-pod-volumes` was removed.  This flag was deprecated in 2017. (#122082, @carlory) [SIG Apps, Node, Storage and Testing]
  • Reduced state change noise when volume expansion fails. Also marks certain failures as infeasible. ACTION REQUIRED: If you are using the `RecoverVolumeExpansionFailure` alpha feature gate, then after upgrading to this release you need to update some objects. For any existing PersistentVolumeClaims with `status.allocatedResourceStatus` set to either "ControllerResizeFailed" or "NodeResizeFailed", clear the `status.allocatedResourceStatus`. (#126108, @gnufied) [SIG Apps, Auth, Node, Storage and Testing]

Changes by Kind
Deprecation:

  • kubeadm: marked the sub-phase of 'init kubelet-finalize' called 'experimental-cert-rotation' as deprecated and prints a warning if it is used directly; it will be removed in a future release. Added a replacement sub-phase 'enable-client-cert-rotation'. (#124419, @neolit123) [SIG Cluster Lifecycle]
  • Added a warning when creating or updating a PersistentVolume (PV) with the deprecated annotation `volume.beta.kubernetes.io/mount-options`. (#124819, @carlory)
  • CephFS volume plugin ( `kubernetes.io/cephfs`) was removed in this release and the `cephfs` volume type became non-functional. Alternative is to use CephFS CSI driver (https://github.com/ceph/ceph-csi/) in your Kubernetes Cluster. A re-deployment of your application is required to use the new driver if you were using `kubernetes.io/cephfs` volume plugin before upgrading cluster version to 1.31+. (#124544, @carlory) [SIG Node, Scalability, Storage and Testing]
  • CephRBD volume plugin ( `kubernetes.io/rbd`) was removed in this release. And its csi migration support was also removed, so the `rbd` volume type became non-functional. Alternative is to use RBD CSI driver (https://github.com/ceph/ceph-csi/) in your Kubernetes Cluster. A re-deployment of your application is required to use the new driver if you were using `kubernetes.io/rbd` volume plugin before upgrading cluster version to 1.31+. (#124546, @carlory) [SIG Node, Scalability, Scheduling, Storage and Testing]
  • Kube-scheduler deprecated all non-CSI volume limit plugins and removed them from the default plugins:
    • AzureDiskLimits
    • CinderLimits
    • EBSLimits
    • GCEPDLimits
    The NodeVolumeLimits plugin provides the same functionality as the above plugins, since the above volume types have been migrated to CSI. Please remove those plugins and replace them with the NodeVolumeLimits plugin if you explicitly use them in the scheduler config. Those plugins will be removed in release 1.32. (#124500, @carlory) [SIG Scheduling and Storage]
  • Kubeadm: deprecated the kubeadm `RootlessControlPlane` feature gate (previously alpha), given that the core K8s `UserNamespacesSupport` feature gate graduated to beta in 1.30. Once core Kubernetes support for user namespaces is generally available and kubeadm has started to support running the control plane in userns pods, the kubeadm `RootlessControlPlane` feature gate will be removed entirely. Until kubeadm supports the userns functionality out of the box, users can continue using the deprecated `RootlessControlPlane` feature gate, or opt in to `UserNamespacesSupport` by using kubeadm patches on the static pod manifests. (#124997, @neolit123) [SIG Cluster Lifecycle]
  • Removed k8s.io/legacy-cloud-providers from staging. (#124767, @carlory) [SIG API Machinery, Cloud Provider and Release]
  • Removed legacy cloud provider integration code (undoing a previous reverted commit). (#124886, @carlory) [SIG Cloud Provider and Release]

API Change:

  • ACTION REQUIRED: The Dynamic Resource Allocation (DRA) driver's DaemonSet must be deployed with a service account that enables writing ResourceSlice and reading ResourceClaim objects. (#125163, @pohly) [SIG Auth, Node and Testing]
  • Add UserNamespaces field to NodeRuntimeHandlerFeatures (#126034, @sohankunkerkar) [SIG API Machinery, Apps and Node]
  • Added Coordinated Leader Election as Alpha under the `CoordinatedLeaderElection` feature gate. With the feature enabled, the control plane can use LeaseCandidate objects (coordination.k8s.io/v1alpha1 API group) to participate in a leader election and let the kube-apiserver select the best instance according to some strategy. (#124012, @Jefftree) [SIG API Machinery, Apps, Auth, Cloud Provider, Etcd, Node, Release, Scheduling and Testing]
  • Added a `.status.features.supplementalGroupsPolicy` field to Nodes. The field is true when the feature is implemented in the CRI implementation (KEP-3619). (#125470, @everpeace) [SIG API Machinery, Apps, Node and Testing]
  • Added an `allocatedResourcesStatus` to each container status to indicate the health status of devices exposed by the device plugin. (#126243, @SergeyKanzhelev) [SIG API Machinery, Apps, Node and Testing]
  • Added support to the kube-proxy nodePortAddresses / --nodeport-addresses option to accept the value "primary", meaning to only listen for NodePort connections on the node's primary IPv4 and/or IPv6 address (according to the Node object). This is strongly recommended, if you were not previously using --nodeport-addresses, to avoid surprising behavior. (This behavior is enabled by default with the nftables backend; you would need to explicitly request `--nodeport-addresses 0.0.0.0/0,::/0` there to get the traditional "listen on all interfaces" behavior.) (#123105, @danwinship) [SIG API Machinery, Network and Windows]
  • Added the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` to enforce the strict cost calculation for CEL extended libraries. It is strongly recommended to turn on the feature gates as early as possible. (#124675, @cici37) [SIG API Machinery, Auth, Node and Testing]
  • Changed how the API server handles updates to `.spec.defaultBackend` of Ingress objects. Server-side apply now considers `.spec.defaultBackend` to be an atomic struct.  This means that any field-owner who sets values in that struct (they are mutually exclusive) owns the whole struct. For almost all users this change has no impact; for controllers that want to change the default backend port from number to name (or vice-versa), this makes it easier. (#126207, @thockin) [SIG API Machinery]
  • Component-base/logs: when compiled with Go >= 1.21, component-base will automatically configure the slog default logger together with initializing klog. (#120696, @pohly) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Storage and Testing]
  • CustomResourceDefinition objects created with non-empty `caBundle` fields which are invalid or do not contain any certificates will not appear in discovery or serve endpoints until a valid `caBundle` is provided. Updates to CustomResourceDefinition are no longer allowed to transition a valid `caBundle` field to an invalid `caBundle` field, because this breaks serving of the existing CustomResourceDefinition. (#124061, @Jefftree) [SIG API Machinery]
  • Dynamic Resource Allocation (DRA): Added a feature so the number of ResourceClaim objects can be limited per namespace and by the number of devices requested through a specific class via the v1.ResourceQuota mechanism. (#120611, @pohly) [SIG API Machinery, Apps, Auth, CLI, Etcd, Node, Release, Scheduling and Testing]
  • Dynamic Resource Allocation (DRA): client-side validation of a ResourceHandle would have accepted a missing DriverName, whereas server-side validation then would have raised an error. (#124075, @pohly)
  • Dynamic Resource Allocation (DRA): in the `pod.spec.resourceClaims` array, the `source` indirection is no longer necessary. Instead of e.g. `source: resourceClaimTemplateName: my-template`, one can write `resourceClaimTemplateName: my-template`. (#125116, @pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
  • Enhanced the Dynamic Resource Allocation (DRA) with an updated version of the resource.k8s.io API group. The primary user-facing type remains the ResourceClaim, however significant changes have been made, resulting in the new version, v1alpha3, which is not compatible with the previous version. (#125488, @pohly) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Etcd, Node, Release, Scheduling, Storage and Testing]
  • Fixed a 1.30.0 regression in OpenAPI descriptions of the `imagePullSecrets` and `hostAliases` fields to mark the fields used as keys in those lists as either defaulted or required. (#124553, @pmalek)
  • Fixed a 1.30.0 regression in openapi descriptions of `PodIP.IP`  and `HostIP.IP` fields to mark the fields used as keys in those lists as required. (#126057, @thockin)
  • Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. (#124568, @xyz-li) [SIG API Machinery]
  • Fixed a deep copy issue when retrieving the controller reference. (#124116, @HiranmoyChowdhury) [SIG API Machinery and Release]
  • Fixed code-generator client-gen to work with `api/v1`-like package structure. (#125162, @sttts) [SIG API Machinery and Apps]
  • Fixed incorrect "v1 Binding is deprecated in v1.6+" warning in kube-scheduler log. (#125540, @pohly) [SIG API Machinery]
  • Fixed the comment for the Job's managedBy field. (#124793, @mimowo) [SIG API Machinery and Apps]
  • Fixed the documentation for the default value of the `procMount` entry in `securityContext` within a Pod. The documentation was previously using the name of the internal variable `DefaultProcMount`, rather than the actual value, "Default". (#125782, @aborrero) [SIG Apps and Node]
  • Graduate PodDisruptionConditions to GA and lock (#125461, @mimowo) [SIG Apps, Node, Scheduling and Testing]
  • Graduated MatchLabelKeys/MismatchLabelKeys feature in PodAffinity/PodAntiAffinity to Beta. (#123638, @sanposhiho) [SIG API Machinery, Apps, Scheduling and Testing]
  • Graduated `JobPodFailurePolicy` to GA and locked it to its default. (#125442, @mimowo) [SIG API Machinery, Apps, Scheduling and Testing]
  • Graduated the Job `successPolicy` field to beta. The new reason label, "SuccessPolicy" and "CompletionsReached" are added to the "jobs_finished_total" metric. Additionally, if you enable the `JobSuccessPolicy` feature gate, the Job gets "CompletionsReached" reason for the "SuccessCriteriaMet" and "Complete" condition type when the number of succeeded Job Pods (`.status.succeeded`) reached the desired completions (`.spec.completions`). (#126067, @tenzen-y) [SIG API Machinery, Apps and Testing]
  • Graduated the `DisableNodeKubeProxyVersion` feature gate to beta. By default, the kubelet no longer attempts to set the `.status.kubeProxyVersion` field for its associated Node. (#123845, @HirazawaUi) [SIG API Machinery, Cloud Provider, Network, Node and Testing]
  • Improved scheduling performance when there are many nodes and PreFilter returned only 1-2 nodes (e.g. DaemonSet). For developers of out-of-tree PostFilter plugins, note that the semantics of NodeToStatusMap are changing: a node with an absent value in the NodeToStatusMap should be interpreted as having an UnschedulableAndUnresolvable status. (#125197, @gabesaba)
  • Introduced a new boolean kubelet flag `--fail-cgroupv1`. (#126031, @harche) [SIG API Machinery and Node]
  • K8s.io/apimachinery/pkg/util/runtime: Added support for new calls to handle panics and errors in the context where they occur. `PanicHandlers` and `ErrorHandlers` now must accept a context parameter for that. Log output is structured instead of unstructured. (#121970, @pohly) [SIG API Machinery and Instrumentation]
  • KEP-1880: Users of the new feature to add multiple service CIDRs will by default use a dual-write strategy on the new ClusterIP allocators, to avoid possible duplicate IPs being allocated to Services when running skewed kube-apiservers that use different allocators. They can opt out of this behavior by enabling the feature gate DisableAllocatorDualWrite. (#122047, @aojea) [SIG API Machinery, Apps, Instrumentation and Testing]
  • Kube-apiserver: Added Alpha features to allow API server authz to check the context of requests:
    • The `AuthorizeWithSelectors` feature gate enables including field and label selector information from requests in webhook authorization calls.
    • The `AuthorizeNodeWithSelectors` feature gate changes node authorizer behavior to limit requests from node API clients, so that each Node can only get / list / watch its own Node API object, and can also only get / list / watch Pod API objects bound to that node. Clients using kubelet credentials to read other nodes or unrelated pods must change their authentication credentials (recommended), adjust their usage, or obtain broader read access independent of the node authorizer. (#125571, @liggitt) [SIG API Machinery, Auth, Node, Scheduling and Testing]
  • Kube-apiserver: ControllerRevision objects are now verified to contain valid JSON data in the `data` field. (#125549, @liggitt) [SIG API Machinery and Apps]
  • Kube-apiserver: the `--encryption-provider-config` file is now loaded with strict deserialization, which fails if the config file contains duplicate or unknown fields. This protects against accidentally running with config files that are malformed, mis-indented, or have typos in field names, and getting unexpected behavior. When `--encryption-provider-config-automatic-reload` is used, new encryption config files that contain typos after the kube-apiserver is running are treated as invalid and the last valid config is used. (#124912, @enj) [SIG API Machinery and Auth]
  • Kube-controller-manager: the `horizontal-pod-autoscaler-upscale-delay` and `horizontal-pod-autoscaler-downscale-delay` flags have been removed (deprecated and non-functional since v1.12). (#124948, @SataQiu) [SIG API Machinery, Apps and Autoscaling]
  • Made kube-proxy Windows service control manager integration (`--windows-service`) configurable in v1alpha1 component configuration via `windowsRunAsService` field. (#126072, @aroradaman) [SIG Network and Scalability]
  • PersistentVolumeLastPhaseTransitionTime feature is stable and enabled by default. (#124969, @RomanBednar) [SIG API Machinery, Apps, Storage and Testing]
  • Promoted `LocalStorageCapacityIsolation` to beta; the behaviour is enabled by default. Within the kubelet, storage capacity isolation is active if the feature gate is enabled and the specific Pod is using a user namespace. (#126014, @PannagaRao) [SIG Apps, Autoscaling, Node, Storage and Testing]
  • Promoted `StatefulSetStartOrdinal` to stable. This means `--feature-gates=StatefulSetStartOrdinal=true` is no longer needed on the kube-apiserver and kube-controller-manager binaries, and the gate will be removed soon following the policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation. (#125374, @pwschuurman) [SIG API Machinery, Apps and Testing]
  • Promoted feature-gate `VolumeAttributesClass` to beta (disabled by default). Users need to enable the feature gate and the `storage.k8s.io/v1beta1` API group to use this feature. Promoted the VolumeAttributesClass API to beta. (#126145, @carlory) [SIG API Machinery, Apps, CLI, Etcd, Storage and Testing]
  • Removed deprecated command flags --volume-host-cidr-denylist and --volume-host-allow-local-loopback from kube-controller-manager. (#124017, @carlory) [SIG API Machinery, Apps, Cloud Provider and Storage]
  • Removed feature gate `CustomResourceValidationExpressions`. (#126136, @cici37) [SIG API Machinery, Cloud Provider and Testing]
  • Reverted a change where `ConsistentListFromCache` was moved to beta and enabled by default. (#126139, @enj)
  • Revised the Pod API with Alpha support for volumes derived from OCI artifacts. This feature is behind the `ImageVolume` feature gate. (#125660, @saschagrunert) [SIG API Machinery, Apps and Node]
  • Added support for a fine-grained supplemental groups policy (KEP-3619), which enables fine-grained control over the supplementary groups of the first container processes. It lets you choose whether or not to include the groups defined in the container image (/etc/group) for the container's primary UID. (#117842, @everpeace) [SIG API Machinery, Apps and Node]
  • The (alpha) nftables mode of kube-proxy now requires version 1.0.1 or later of the nft command-line, and kernel 5.13 or later. (For testing/development purposes, you can use older kernels, as far back as 5.4, if you set the `nftables.skipKernelVersionCheck` option in the kube-proxy config, but this is not recommended in production since it may cause problems with other nftables users on the system.) (#124152, @danwinship) [SIG Network]
  • To enhance usability and developer experience, CRD validation rules now support the direct use of CEL reserved keywords as field names in object validation expressions. In this release this applies to existing expressions already in storage; full runtime support will follow in the next release, for compatibility reasons. (#126188, @cici37) [SIG API Machinery and Testing]
  • Updated the feature MultiCIDRServiceAllocator to beta (disabled by default). Users need to enable the feature gate and the networking v1beta1 API group to use this new feature, which allows Service CIDR ranges to be reconfigured dynamically. (#125021, @aojea) [SIG API Machinery, Apps, CLI, Etcd, Instrumentation, Network and Testing]
  • Use omitempty for optional Job Pod Failure Policy fields. (#126046, @mimowo)
  • Users can choose a different static policy option, `SpreadPhysicalCPUsPreferredOption`, to spread CPUs across physical CPUs for specific applications. (#123733, @Jeffwan) [SIG Node]
  • When the feature gate AnonymousAuthConfigurableEndpoints is enabled, users can update the AuthenticationConfig file with the endpoints for which anonymous requests are allowed. (#124917, @vinayakankugoyal) [SIG API Machinery, Auth, Cloud Provider, Node and Testing]
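As an added illustration of the `AuthorizeNodeWithSelectors` entry above (this is example code, not Kubernetes' node authorizer), the following Python models the read-scoping decision an authorization webhook would apply to a kubelet's request: the node may get its own Node object, and may list or watch Nodes or Pods only when the request carries a field selector pinned to itself (`metadata.name` or `spec.nodeName`). The SubjectAccessReview-like dict layout, in particular `resourceAttributes.fieldSelector.requirements`, the `system:node:` / `system:nodes` identity convention, and the constructed `BOUND_PODS` table standing in for the authorizer's pod-to-node graph are assumptions made for the example.

```python
NODE_USER_PREFIX = "system:node:"
NODE_GROUP = "system:nodes"
READ_VERBS = {"get", "list", "watch"}


def node_identity(spec):
    """Return the node name when the caller authenticated with kubelet credentials, else None."""
    user = spec.get("user", "")
    if NODE_GROUP in spec.get("groups", []) and user.startswith(NODE_USER_PREFIX):
        return user[len(NODE_USER_PREFIX):]
    return None


def selector_pins(attrs, key, value):
    """True if the request's field selector restricts `key` to exactly `value`.

    Assumed layout, modelled on the selector attributes that AuthorizeWithSelectors
    passes to webhooks: attrs["fieldSelector"]["requirements"] is a list of
    {"key", "operator", "values"}; only an 'In' with the single value counts as a pin.
    """
    reqs = (attrs.get("fieldSelector") or {}).get("requirements") or []
    return any(
        r.get("key") == key and r.get("operator") == "In" and r.get("values") == [value]
        for r in reqs
    )


def authorize_node_read(spec, bound_pods):
    """Decide a get/list/watch from a node client. Returns (allowed, reason).

    bound_pods maps (namespace, pod name) -> node name; it is a constructed
    stand-in for the graph of pods bound to nodes that the real authorizer keeps.
    """
    node = node_identity(spec)
    if node is None:
        return False, "not a node client; this rule does not apply"
    attrs = spec.get("resourceAttributes") or {}
    verb, resource, name = attrs.get("verb"), attrs.get("resource"), attrs.get("name", "")
    if verb not in READ_VERBS:
        return False, "only get/list/watch are scoped by this rule"
    if resource == "nodes":
        if verb == "get" and name == node:
            return True, "get of the node's own Node object"
        if verb in ("list", "watch") and selector_pins(attrs, "metadata.name", node):
            return True, "list/watch scoped to the node's own Node object"
        return False, f"{node} may not read other Node objects"
    if resource == "pods":
        if verb in ("list", "watch") and selector_pins(attrs, "spec.nodeName", node):
            return True, "list/watch scoped to pods bound to this node"
        if verb == "get" and bound_pods.get((attrs.get("namespace"), name)) == node:
            return True, "get of a pod bound to this node"
        return False, f"{node} may only read pods bound to it"
    return False, f"resource {resource!r} is outside this rule"


# Constructed sample data: which pod is bound to which node.
BOUND_PODS = {
    ("kube-system", "kube-proxy-x7k2p"): "worker-1",
    ("kube-system", "kube-proxy-q9m4z"): "worker-2",
}


def kubelet_review(node, **attrs):
    """Build a constructed SubjectAccessReview-like spec for a kubelet identity."""
    return {
        "user": f"{NODE_USER_PREFIX}{node}",
        "groups": [NODE_GROUP, "system:authenticated"],
        "resourceAttributes": attrs,
    }


def nodename_selector(node):
    """Field selector requirement pinning spec.nodeName to `node` (assumed layout)."""
    return {"requirements": [{"key": "spec.nodeName", "operator": "In", "values": [node]}]}


if __name__ == "__main__":
    # An unscoped pod list from a kubelet is the call that this gate breaks.
    print(authorize_node_read(kubelet_review("worker-1", verb="list", resource="pods"), BOUND_PODS))
    print(authorize_node_read(
        kubelet_review("worker-1", verb="list", resource="pods",
                       fieldSelector=nodename_selector("worker-1")), BOUND_PODS))
```

The unscoped `list pods` case is the one to look for in audit logs when preparing for this gate: any automation that reuses kubelet credentials to read the whole cluster will start receiving forbidden responses and needs its own ServiceAccount and RBAC, as the entry recommends.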

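To show what the strict loading of `--encryption-provider-config` described in the kube-apiserver entry above buys, here is an added Python example (not the kube-apiserver's own loader) that decodes a constructed EncryptionConfiguration under the same two rules, rejecting unknown field names and duplicate keys, and models automatic reload keeping the last valid file when a later edit is malformed. The sample is written as JSON, which is a YAML subset, so only the standard library is needed; `SCHEMA` is a simplified, assumed rendering of the v1 types, the key material is a placeholder, and `ConfigError`, `validate` and `Reloader` are names chosen for this example.

```python
import json


class ConfigError(ValueError):
    """Raised when the configuration is malformed under strict decoding."""


# Assumed, simplified schema for apiserver.config.k8s.io/v1 EncryptionConfiguration.
# A dict lists the only fields allowed at that level, a one-element list means
# "list of this", and a type means a scalar of that type.
KEYS = [{"name": str, "secret": str}]
SCHEMA = {
    "apiVersion": str,
    "kind": str,
    "resources": [{
        "resources": [str],
        "providers": [{
            "aescbc": {"keys": KEYS},
            "aesgcm": {"keys": KEYS},
            "secretbox": {"keys": KEYS},
            "kms": {"apiVersion": str, "name": str, "endpoint": str,
                    "cachesize": int, "timeout": str},
            "identity": {},
        }],
    }],
}


def _reject_duplicates(pairs):
    """object_pairs_hook for json.loads: fail on a repeated key within one object."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ConfigError(f"duplicate field {key!r}")
        obj[key] = value
    return obj


def _check(value, schema, path):
    """Recursively reject unknown fields and wrongly typed values."""
    if isinstance(schema, dict):
        if not isinstance(value, dict):
            raise ConfigError(f"{path}: expected an object")
        for key, item in value.items():
            if key not in schema:
                raise ConfigError(f"{path}: unknown field {key!r}")
            _check(item, schema[key], f"{path}.{key}")
    elif isinstance(schema, list):
        if not isinstance(value, list):
            raise ConfigError(f"{path}: expected a list")
        for i, item in enumerate(value):
            _check(item, schema[0], f"{path}[{i}]")
    elif not isinstance(value, schema):
        raise ConfigError(f"{path}: expected {schema.__name__}")


def load_config(text):
    """Strictly decode an EncryptionConfiguration document (JSON, a YAML subset)."""
    cfg = json.loads(text, object_pairs_hook=_reject_duplicates)
    _check(cfg, SCHEMA, "$")
    # Assumed rule mirroring the real config: each providers[] element names one provider.
    for i, entry in enumerate(cfg.get("resources", [])):
        for j, provider in enumerate(entry.get("providers", [])):
            if len(provider) != 1:
                raise ConfigError(f"$.resources[{i}].providers[{j}]: exactly one provider per element")
    return cfg


def validate(text):
    """Return (True, None) if text loads strictly, else (False, error message)."""
    try:
        load_config(text)
        return True, None
    except ConfigError as exc:
        return False, str(exc)


class Reloader:
    """Models --encryption-provider-config-automatic-reload: a new file that fails
    strict decoding is ignored and the last valid configuration stays in force."""

    def __init__(self, text):
        self.current = load_config(text)  # the initial load must succeed
        self.last_error = None

    def reload(self, text):
        try:
            self.current = load_config(text)
            self.last_error = None
            return True
        except ConfigError as exc:
            self.last_error = str(exc)
            return False


# Constructed sample configuration; the secret is a placeholder, not a real key.
GOOD = """{
  "apiVersion": "apiserver.config.k8s.io/v1",
  "kind": "EncryptionConfiguration",
  "resources": [{
    "resources": ["secrets"],
    "providers": [
      {"aescbc": {"keys": [{"name": "key1", "secret": "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk="}]}},
      {"identity": {}}
    ]
  }]
}"""
TYPO = GOOD.replace('"providers"', '"provider"')  # misspelled field name
DUP = GOOD.replace('"kind": "EncryptionConfiguration",',
                   '"kind": "EncryptionConfiguration", "kind": "EncryptionConfiguration",')

if __name__ == "__main__":
    r = Reloader(GOOD)
    print(r.reload(TYPO), r.last_error)  # reload refused, GOOD stays active
```

With a lenient decoder the misspelled `provider` field would simply be dropped and the entry would decode with no providers at all; strict decoding fails up front and names the offending field and path. Note that strictness checks field names and structure, not values, so a wrong resource name or a weak key still needs validation of its own.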