Stay Informed
This week, read about:
- Hadoop Monitoring: Tools, Metrics, and Best Practices.
- Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online.
- Linux 6.12 Is The New Long Term Supported Kernel.
- Open Source Malware Up 200% Since 2023.
Security Based Updates
- No News
Non-Security Based Updates
Angular 19.0.4
compiler-cli:
- [fix - 7e612171709] | consider pre-release versions when detecting feature support (#59061) |
- [fix - cd764a31152] | error in unused standalone imports diagnostic (#59064) |
core:
- [fix - 34ded10fa60] | Fix a bug where snapshotted functions are being run twice if they return a nullish/falsey value. (#59073) |
platform-browser:
- [fix - ae0802d63c5] | collect external component styles from server rendering (#59031) |
Docker/Compose v2.32.0
What's Changed
Improvements:
- build with bake by @ndeloof
- introduce watch restart action by @ndeloof
- introduce sync+exec watch action by @ndeloof
- Recreate container on volume configuration change by @ndeloof
Fixes:
- fix support for service.mac_address by @ndeloof
- pull --quiet should not drop status message, only progress by @ndeloof
- do not require a build section but for `rebuild` action by @ndeloof
- log configuration error as a watch log event by @ndeloof
Internal:
- disable failing TestBuildSSH test by @ndeloof
- Make e2e tests pass locally by @glours
Dependencies:
- bump docker + buildx to latest release by @ndeloof
- bump otel dependencies to v1.28.0 and v0.53.0 to align with buildx, buildkit and engine versions by @glours
- build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0 by @dependabot
- build(deps): bump golang.org/x/crypto from 0.27.0 to 0.31.0 by @dependabot
- build(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 by @dependabot
- build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 by @dependabot
- update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ by @thaJeztah
Elasticsearch v8.17.0
Also see <<breaking-changes-8.17,Breaking changes in 8.17>>.
Bug Fixes
Analysis:
- Adjust analyze limit exception to be a `bad_request` {es-pull}116325[#116325]
CCS:
- Fix long metric deserialize & add - auto-resize needs to be set manually {es-pull}117105[#117105] (issue: {es-issue}116914[#116914])
CRUD:
- Standardize error code when bulk body is invalid {es-pull}114869[#114869]
Data streams:
- Acquire stats searcher for data stream stats {es-pull}117953[#117953]
EQL:
- Don't use a `BytesStreamOutput` to copy keys in `BytesRefBlockHash` {es-pull}114819[#114819] (issue: {es-issue}114599[#114599])
ES|QL:
- Added stricter range type checks and runtime warnings for ENRICH {es-pull}115091[#115091] (issues: {es-issue}107357[#107357], {es-issue}116799[#116799])
- Don't return TEXT type for functions that take TEXT {es-pull}114334[#114334] (issues: {es-issue}111537[#111537], {es-issue}114333[#114333])
- ESQL: Fix sorts containing `_source` {es-pull}116980[#116980] (issue: {es-issue}116659[#116659])
- ES|QL: Fix stats by constant expression {es-pull}114899[#114899]
- Fix BWC for ES|QL cluster request {es-pull}117865[#117865]
- Fix CCS exchange when multi cluster aliases point to same cluster {es-pull}117297[#117297]
- Fix COUNT filter pushdown {es-pull}117503[#117503] (issue: {es-issue}115522[#115522])
- Fix NPE in `EnrichLookupService` on mixed clusters with <8.14 versions {es-pull}116583[#116583] (issues: {es-issue}116529[#116529], {es-issue}116544[#116544])
- Fix stats by constant expression with alias {es-pull}117551[#117551]
- Fix validation of SORT by aggregate functions {es-pull}117316[#117316]
- Fixing remote ENRICH by pushing the Enrich inside `FragmentExec` {es-pull}114665[#114665] (issue: {es-issue}105095[#105095])
- Ignore cancellation exceptions {es-pull}117657[#117657]
- Limit size of `Literal#toString` {es-pull}117842[#117842]
- Use `SearchStats` instead of field.isAggregatable in data node planning {es-pull}115744[#115744] (issue: {es-issue}115737[#115737])
- [ESQL] Fix Binary Comparisons on Date Nanos {es-pull}116346[#116346]
- [ES|QL] To_DatePeriod and To_TimeDuration return better error messages on `union_type` fields {es-pull}114934[#114934]
Infra/CLI:
- Fix NPE on plugin sync {es-pull}115640[#115640] (issue: {es-issue}114818[#114818])
Ingest Node:
- Fix enrich cache size setting name {es-pull}117575[#117575]
- Fix reconstituting version string from components {es-pull}117213[#117213] (issue: {es-issue}116950[#116950])
- Reducing error-level stack trace logging for normal events in `GeoIpDownloader` {es-pull}114924[#114924]
License:
- Distinguish `LicensedFeature` by family field {es-pull}116809[#116809]
Logs:
- Prohibit changes to index mode, source, and sort settings during resize {es-pull}115812[#115812]
Machine Learning:
- Fix deberta tokenizer bug caused by bug in normalizer {es-pull}117189[#117189]
- Fix for Deberta tokenizer when input sequence exceeds 512 tokens {es-pull}117595[#117595]
- Hides `hugging_face_elser` service from the `GET _inference/_services API` {es-pull}116664[#116664] (issue: {es-issue}116644[#116644])
- Mitigate IOSession timeouts {es-pull}115414[#115414] (issues: {es-issue}114385[#114385], {es-issue}114327[#114327], {es-issue}114105[#114105], {es-issue}114232[#114232])
- Propagate scoring function through random sampler {es-pull}116957[#116957] (issue: {es-issue}110134[#110134])
- Wait for the worker service to shutdown before closing task processor {es-pull}117920[#117920] (issue: {es-issue}117563[#117563])
Mapping:
- Address mapping and compute engine runtime field issues {es-pull}117792[#117792] (issue: {es-issue}117644[#117644])
- Always Emit Inference ID in Semantic Text Mapping {es-pull}117294[#117294]
- Fix false positive date detection with trailing dot {es-pull}116953[#116953] (issue: {es-issue}116946[#116946])
- Parse the contents of dynamic objects for [subobjects:false] {es-pull}117762[#117762] (issue: {es-issue}117544[#117544])
Network:
- Use underlying `ByteBuf` `refCount` for `ReleasableBytesReference` {es-pull}116211[#116211]
Ranking:
- Fix for propagating filters from compound to inner retrievers {es-pull}117914[#117914]
Search:
- Add missing `async_search` query parameters to rest-api-spec {es-pull}117312[#117312]
- Don't skip shards in coord rewrite if timestamp is an alias {es-pull}117271[#117271]
- Fields caps does not honour ignore_unavailable {es-pull}116021[#116021] (issue: {es-issue}107767[#107767])
- _validate does not honour ignore_unavailable {es-pull}116656[#116656] (issue: {es-issue}116594[#116594])
Vector Search:
- Correct bit * byte and bit * float script comparisons {es-pull}117404[#117404]
Watcher:
- Watch Next Run Interval Resets On Shard Move or Node Restart {es-pull}115102[#115102] (issue: {es-issue}111433[#111433])
Deprecations
Infra/REST API:
- Add a basic deprecation warning that the JSON format for non-detailed error responses is changing in v9 {es-pull}114739[#114739] (issue: {es-issue}89387[#89387])
Mapping:
- Deprecate `_source.mode` in mappings {es-pull}116689[#116689]
Enhancements
Authorization:
- Add a `monitor_stats` privilege and allow that privilege for remote cluster privileges {es-pull}114964[#114964]
Data streams:
- Adding a deprecation info API warning for data streams with old indices {es-pull}116447[#116447]
ES|QL:
- Add ES|QL `bit_length` function {es-pull}115792[#115792]
- ESQL: Honor skip_unavailable setting for nonmatching indices errors at planning time {es-pull}116348[#116348] (issue: {es-issue}114531[#114531])
- ESQL: Remove parent from `FieldAttribute` {es-pull}112881[#112881]
- ESQL: extract common filter from aggs {es-pull}115678[#115678]
- ESQL: optimise aggregations filtered by false/null into evals {es-pull}115858[#115858]
- ES|QL CCS uses `skip_unavailable` setting for handling disconnected remote clusters {es-pull}115266[#115266] (issue: {es-issue}114531[#114531])
- ES|QL: add metrics for functions {es-pull}114620[#114620]
- Esql Enable Date Nanos (tech preview) {es-pull}117080[#117080]
- [ES|QL] Implicit casting string literal to intervals {es-pull}115814[#115814] (issue: {es-issue}115352[#115352])
Indices APIs:
- Ensure class resource stream is closed in `ResourceUtils` {es-pull}116437[#116437]
Inference:
- [8.17] Add version prefix to Inference Service API path {es-pull}117366[#117366]
Infra/Core:
- Support for unsigned 64 bit numbers in Cpu stats {es-pull}114681[#114681] (issue: {es-issue}112274[#112274])
Ingest Node:
- Adding support for additional mapping to simulate ingest API {es-pull}114742[#114742]
- Adding support for simulate ingest mapping addition for indices with mappings that do not come from templates {es-pull}115359[#115359]
Logs:
- Add logsdb telemetry {es-pull}115994[#115994]
- Add num docs and size to logsdb telemetry {es-pull}116128[#116128]
- Feature: re-structure document ID generation favoring _id inverted index compression {es-pull}104683[#104683]
Machine Learning:
- Add special case for elastic reranker in inference API {es-pull}116962[#116962]
- Adding inference endpoint validation for `AzureAiStudioService` {es-pull}113713[#113713]
- Adds support for `input_type` field to Vertex inference service {es-pull}116431[#116431]
- Enable built-in Inference Endpoints and default for Semantic Text {es-pull}116931[#116931]
- Increase default `queue_capacity` to 10_000 and decrease max `queue_capacity` to 100_000 {es-pull}115041[#115041]
- [Inference API] Add API to get configuration of inference services {es-pull}114862[#114862]
- [Inference API] Improve chunked results error message {es-pull}115807[#115807]
Recovery:
- Attempt to clean up index before remote transfer {es-pull}115142[#115142] (issue: {es-issue}104473[#104473])
Relevance:
- Add query rules retriever {es-pull}114855[#114855]
Search:
- Add Search Phase APM metrics {es-pull}113194[#113194]
- Add `docvalue_fields` Support for `dense_vector` Fields {es-pull}114484[#114484] (issue: {es-issue}108470[#108470])
- Add initial support for `semantic_text` field type {es-pull}113920[#113920]
- Adds access to flags no_sub_matches and no_overlapping_matches to hyphenation-decompounder-tokenfilter {es-pull}115459[#115459] (issue: {es-issue}97849[#97849])
- Better sizing `BytesRef` for Strings in Queries {es-pull}115655[#115655]
- Enable `_tier` based coordinator rewrites for all indices (not just mounted indices) {es-pull}115797[#115797]
Vector Search:
- Add support for bitwise inner-product in painless {es-pull}116082[#116082]
- Improve halfbyte transposition performance, marginally improving bbq performance {es-pull}117350[#117350]
New Features
Data streams:
- Add default ILM policies and switch to ILM for apm-data plugin {es-pull}115687[#115687]
ES|QL:
- Add support for `BYTE_LENGTH` scalar function {es-pull}116591[#116591]
- Esql/lookup join grammar {es-pull}116515[#116515]
- Remove snapshot build restriction for match and qstr functions {es-pull}114482[#114482]
Search:
- ESQL - Add match operator (:) {es-pull}116819[#116819]
Upgrades
Security:
- Upgrade Bouncy Castle FIPS dependencies {es-pull}112989[#112989]
Gitlab-foss v17.4.6
Fixed (2 changes):
- [Add param filtering to avoid error while saving project settings](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4787ee4000679f645aa1eaa1f1d07bfc34c461cd) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173428)) **GitLab Enterprise Edition**
- [Fix 401 errors when installing the GitLab for Jira app](https://gitlab.com/gitlab-org/security/gitlab/-/commit/601e8e20637690102b5118d638e290f68f79fb43)
Security (11 changes):
- [Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f974f850463f267b5a636f28c99cac61c4ef6259) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4655))
- [Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e6a47ce0dbdc4da3e8838451194203709c56fc5d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4596))
- [Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/security/gitlab/-/commit/cb40c0144b6bf27b49a7745d61fcf37dbe84e8d2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4642))
- [Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/security/gitlab/-/commit/551e6018a99c91918f0f9a2f177ee237ae897246) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4651))
- [Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/security/gitlab/-/commit/495025a35f59b39fcfb6a49077a067c246f9fe06) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4577))
- [DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/security/gitlab/-/commit/01fa899f15e792ce2c54dae3d3db85cb00a49789) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4637))
- [Add query to filter_parameters](https://gitlab.com/gitlab-org/security/gitlab/-/commit/322db9627a33a74d73e48ef05d87269191328346) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4627))
- [Added invalid redirect fragment check](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f690a49166c32965403070699436d8328768cd69) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4606))
- [Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b055634ab615a20599b0403570b5a8b27b812ec2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4635))
- [Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d6dd0f12d146021074a4a36412b6e3cae9782001) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4632))
- [HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7a6bd953a1f70b58b2fd48d58431fadb9e8249f8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4516))
Gitlab-foss v17.5.4
Fixed (1 change):
- [Fix 401 errors when installing the GitLab for Jira app](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5499b8941f6d0dec42bbd7469ca806890edae35e)
Security (11 changes):
- [Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b9ce9e051da449add787b16f7cf2d08f8eb11115) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4654))
- [Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3f870e741e15034bca056fba125a0badbbe264bf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4595))
- [Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2257cdf16e6ddbfdfddbbecd694e30589581be4e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4628))
- [Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2215af32dfa6074844e4b39a5ce12dc8b2590d09) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4650))
- [Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c7c6fbba10470644b4d532b3ba1aa00240bde391) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4576))
- [DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8f0c1b73b4e2584aba7866653828b15283d10a90) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4638))
- [Add query to filter_parameters](https://gitlab.com/gitlab-org/security/gitlab/-/commit/707d7792996ebe8e4c8da2a587810e3339432352) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4626))
- [Added invalid redirect fragment check](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e2760b5a3425f50c3444ff264d4e3381f11894ea) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4605))
- [Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a7ff5a159f7d699eec9e9844e5ab0727219ecb91) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4634))
- [Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/542c5b0dbc4744dab0d89bc42b34bfe16e760e54) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4631))
- [HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f7e572e94c2360b93fe6e04a65b9874975382693) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4553))
Gitlab-foss v17.6.2
Fixed (2 changes):
- [Add guard clause to Wiki#find_page when title is nil](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1be99d9925c659f168dccb4b2cfb3510ac74e7ed)
- [Fix 401 errors when installing the GitLab for Jira app](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8e15de4128733083fe3bf640751aecf95d5471a7)
Security (11 changes):
- [Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/security/gitlab/-/commit/74de080527cf262ecec44e97c78705953cfa1cdc) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4653))
- [Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/security/gitlab/-/commit/16152cf39642bd4dc9ed023d52493c9522ef87f2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4652))
- [Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/security/gitlab/-/commit/734520792bc637580fd79ce2d368268501382d76) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4629))
- [Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/security/gitlab/-/commit/769b309ded5f3fca7f550ef9972750cd60298b73) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4649))
- [Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/security/gitlab/-/commit/09997ce510251b8f58343464143e40f1f5ed00c2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4618))
- [DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c0045078225c4b64fa1dd2582c246df5b7b4a96a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4639))
- [Add query to filter_parameters](https://gitlab.com/gitlab-org/security/gitlab/-/commit/32485a34d6f3ee22fdbe20d0a41cd6b10f0cd511) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4625))
- [Added invalid redirect fragment check](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5c69fef592ceab17eaeda04fd78e120116229b03) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4609))
- [Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1396d48051a02153a9bd064d39d2d5c09233f3c6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4633))
- [Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3305b0fafe245a02fa01a5b882e8ad5b565f8736) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4630))
- [HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4284532cd6ae8f0166806a81628887f82756ceef) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4619))
Jenkins 2.489
Enhancement:
- Add Command Palette as a replacement for the search bar. pull 7569
- Added password validation to ensure that existing users cannot create a password of less than 14 characters in length when in FIPS mode. JENKINS-74858
- Developer: The commons-compress library is no longer provided by Jenkins core, use the Commons Compress API plugin instead. JENKINS-73355
- Developer: Allow UpdateSite subclasses to call updateData method in UpdateSite to write out JSON. pull 10019
- Developer: Add support for @QueryParameter to the autocomplete component. Change autocomplete component to use POST for sending requests. JENKINS-37241
Bug fix:
- Reduce spacing in help files. JENKINS-69549
- Restore the original behavior of FileBoolean(Class, String) (regression in 2.488). pull 10022
Elastic/Kibana v8.17.0
Deprecations:
- The following functionality is deprecated in 8.17.0, and will be removed in 9.0.0. Deprecated functionality does not have an immediate impact on your application, but we strongly recommend you make the necessary updates after you upgrade to 8.17.0.
- The Observability > Logs > Explorer app is now deprecated in favor of Discover.
- Both the Logs Explorer and Logs Stream applications are now deprecated and will be removed in 9.0. We continue to make enhancements to Discover to offer similar functionality in 9.x.
Features:
- {kib} 8.17.0 adds the following new and notable features.
Cases:
- Files can now be attached to cases directly via API ({kibana-pull}198377[#198377]).
Data ingestion and Fleet:
- Exposes advanced file logging configuration in the UI ({kibana-pull}200274[#200274]).
Dashboards and visualizations:
- AIOps: Adds Log Rate Analysis embeddable for dashboards ({kibana-pull}197943[#197943]).
Discover and ES|QL:
- Keeps the preferred chart configuration when possible when writing ES|QL queries in Discover ({kibana-pull}197453[#197453]).
ES|QL:
- Adds the ability to star queries in the ES|QL editor ({kibana-pull}198362[#198362]).
Elastic Observability solution:
- Adds ability to show monitors from all permitted spaces in a single view in Synthetics ({kibana-pull}196109[#196109]).
- Adds fix it flow for field limit ({kibana-pull}195561[#195561]).
- Adds permissions to reopen and add comments to cases ({kibana-pull}194898[#194898]).
- Adds built-in definitions for core Kubernetes entities ({kibana-pull}196916[#196916]).
Elastic Security solution:
- For the Elastic Security 8.17.0 release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].
Kibana security:
- Kibana's FIPS mode is no longer considered experimental ({kibana-pull}200734[#200734]).
- When running in FIPS mode, Kibana now forbids usage of PKCS12 configuration options ({kibana-pull}192627[#192627]).
For more information about the features introduced in 8.17.0, refer to <<whats-new,What's new in 8.17>>.
Enhancements and bug fixes
- For detailed information about the 8.17.0 release, review the enhancements and bug fixes.
Enhancements
Alerting:
- Allows users to create rules with predefined nonrandom IDs ({kibana-pull}199119[#199119]).
Cases:
- The Jira Connector has been updated to use the latest API and support the Jira Data Center ({kibana-pull}197787[#197787]).
- The Case action is now GA ({kibana-pull}196972[#196972]).
Dashboards & Visualizations:
- Allows creating a dashboard with ES|QL chart even when there are no data views ({kibana-pull}196658[#196658]).
- Newly and default configured line charts are now interpolated by default with a straight linear interpolation in *Lens* ({kibana-pull}196184[#196184]).
- Simplifies access to some actions when hovering over panels ({kibana-pull}182535[#182535]).
- Improves URL drilldown authoring experience ({kibana-pull}197454[#197454]).
- The `metrics:allowCheckingForFailedShards` advanced setting has been removed. With this change, it is no longer possible to suppress warnings about failed shards in TSVB. For more information, refer to ({kibana-pull}197227[#197227]).
Data ingestion and Fleet:
- Filters integrations/packages list shown depending on the `policy_templates_behavior` field ({kibana-pull}200605[#200605]).
- Adds a `<type>@custom` component template to integrations index template's `composed_of` array ({kibana-pull}192731[#192731]).
Discover:
- Enables drag & drop for reordering columns in Discover ({kibana-pull}197832[#197832]).
ES|QL:
- Prevents suggestions with unsupported fields when writing ES|QL queries ({kibana-pull}200544[#200544]).
- Adds autocomplete and validation to support MATCH and QSTR when writing ES|QL queries ({kibana-pull}199032[#199032]).
Elastic Observability solution:
- Supports querying `semantic_text` fields in search connectors ({kibana-pull}200184[#200184]).
- Adds retry statements as an attempt to resolve flaky tests ({kibana-pull}200022[#200022]).
- Changes `host.hostname` to `host.name` in java metrics query ({kibana-pull}199208[#199208]).
- Improves analyzer by filtering unsuitable tokens ({kibana-pull}197868[#197868]).
- Uses `semantic_text` for internal knowledge base ({kibana-pull}186499[#186499]).
Elastic Security solution:
- For the Elastic Security 8.17.0 release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].
Kibana security:
- Introduces explicit configuration for routes that require superuser access and moves the `api/encrypted_saved_objects/_rotate_key` endpoint to the new configuration ({kibana-pull}196586[#196586]).
- Enforces standard on API Actions definitions by separating operations and subjects ({kibana-pull}193140[#193140]).
Machine Learning:
- AIOps: Adds action for adding Log Rate analysis embeddable to a dashboard ({kibana-pull}200557[#200557]).
- AIOps: Adds action for adding Log Pattern embeddable to a dashboard and case ({kibana-pull}199478[#199478]).
- Single Metric Viewer embeddable: Adds action for dashboard to apply filter from the embeddable to the page ({kibana-pull}198869[#198869]).
- File upload: Adds deployment initialization step ({kibana-pull}198446[#198446]).
- Data visualizer: Changes refresh button in Data View and Data Drift view to indicate an update is pending ({kibana-pull}196537[#196537]).
- Anomaly Detection: Adds never expire option to forecast creation modal ({kibana-pull}195151[#195151]).
Kibana platform:
- When attempting to save an object with a name that already exists, the name is automatically appended with a suffix to make it unique ({kibana-pull}198777[#198777]).
Bug fixes
Dashboards & Visualizations:
- Prevents identical include and exclude values in *Lens* ({kibana-pull}197628[#197628]).
- Fixes React Warning when rendering a recoverable error in *Lens* ({kibana-pull}196285[#196285]).
- Fixes an issue that allowed saving a dashboard while there were no pending changes. The button is now disabled if there are no changes to save ({kibana-pull}196137[#196137]).
- Fixes an issue in Lens where the table exported did not match what was visible in the UI ({kibana-pull}193780[#193780]).
Data ingestion and Fleet:
- Allows creating an integration policy with no agent policies ({kibana-pull}201051[#201051]).
Discover:
- Addresses chart performance issues for non-transformational and non-time-based ES|QL queries ({kibana-pull}200583[#200583]).
ES|QL:
- Fixes an issue causing the ES|QL editor to incorrectly use the light theme in some cases ({kibana-pull}200233[#200233]).
Elastic Observability solution:
- Fixes incorrect Y-axis and hover values in log rate chart on service overview ({kibana-pull}201361[#201361]).
- Observability AI Assistant: Fetch user instructions using the user ID instead of the username ({kibana-pull}200137[#200137]).
- Observability AI Assistant: Adds instructions about the slack connector to avoid executing a loop ({kibana-pull}199531[#199531]).
- Observability AI Assistant: Updates the term "chat" to "conversation" across the UI ({kibana-pull}199216[#199216]).
- Observability AI Assistant: Removes the "Copy" button if there is no content to copy ({kibana-pull}199064[#199064]).
- Observability AI Assistant: Adds uuid to knowledge base entries to avoid accidental overrides ({kibana-pull}191043[#191043]).
- Observability AI Assistant: Fixes error when opening an old conversation ({kibana-pull}197745[#197745]).
- Observability AI Assistant: Allows the input box to be resized off-screen ({kibana-pull}197063[#197063]).
- SLOs: Handle custom DSL query filters ({kibana-pull}198073[#198073]).
- Enables sub-feature permissions to edit Labs settings ({kibana-pull}197092[#197092]).
- Uses `telemetry.sdk` as a fallback for missing `agent.name` on non-tracing data ({kibana-pull}196529[#196529]).
- Adds support for simultaneous edits for private locations in Synthetics ({kibana-pull}195874[#195874]).
Elastic Security solution:
- For the Elastic Security 8.17.0 release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].
Machine Learning:
- Adds query guardrails and technical preview badge to the ES|QL data visualizer ({kibana-pull}200325[#200325]).
- AIOps: fixes time range filter in change point charts ({kibana-pull}200183[#200183]).
- Anomaly detection: Adds spacer below split card charts in job wizard ({kibana-pull}199708[#199708]).
- Adds missing aria labels to button icons ({kibana-pull}199447[#199447]).
Kibana platform:
- Fixes an issue with the global search field that could open the wrong page when pressing "Enter" while results were not yet fully loaded ({kibana-pull}197750[#197750]).
Kubernetes v1.32.0 Released
Urgent Upgrade Notes:
- There are no urgent upgrade notes for the v1.32 release.
Changes by Kind
Deprecation:
- Reverted the `DisableNodeKubeProxyVersion` feature gate to default-off to give a full year from deprecation announcement in 1.29 to clearing the field by default, per the Kubernetes deprecation policy. (#126720, @liggitt) [SIG Architecture and Node]
- ServiceAccount `metadata.annotations[kubernetes.io/enforce-mountable-secrets]`: deprecated since v1.32; no removal deadline. Prefer separate namespaces to isolate access to mounted secrets. (#128396, @ritazh) [SIG API Machinery, Apps, Auth, CLI and Testing]
API Change:
- **ACTION REQUIRED** for custom scheduler plugin developers: `PodEligibleToPreemptOthers` in the `preemption` interface now includes `ctx` in the parameters. Please update your plugins' implementation accordingly. (#126465, @googs1025) [SIG Scheduling]
- Changed NodeToStatusMap from a map to a struct and exposed methods to access the entries. Added absentNodesStatus, which informs the status of nodes that are absent in the map. Developers of out-of-tree PostFilter plugins should update their usage of NodeToStatusMap. Additionally, NodeToStatusMap should eventually be renamed to NodeToStatusReader. (#126022, @macsko) [SIG Node, Scheduling, and Testing]
- A new /resize subresource was added to request pod resource resizing. Update your k8s client code to utilize the /resize subresource for Pod resizing operations. (#128266, @AnishShah) [SIG API Machinery, Apps, Node and Testing]
- A new feature that allows unsafe deletion of corrupt resources has been added. It is disabled by default and can be enabled by setting the option `--feature-gates=AllowUnsafeMalformedObjectDeletion=true`. It comes with an API change: a new delete option, `ignoreStoreReadErrorWithClusterBreakingPotential`, has been introduced. It is not set by default, which maintains backward compatibility. To perform an unsafe deletion of a corrupt resource, the user must enable the option for the delete request. A resource is considered corrupt if it cannot be successfully retrieved from the storage due to a) a transformation error, e.g. decryption failure, or b) the object failing to decode. The normal deletion flow is attempted first, and if it fails with a corrupt resource error, it triggers unsafe delete. In addition, when this feature is enabled, the 'details' field of 'Status' from the LIST response includes information that identifies the corrupt object(s).
  NOTE: unsafe deletion ignores finalizer constraints and skips precondition checks.
  WARNING: this may break the workload associated with the resource being unsafe-deleted if it relies on the normal deletion flow, so cluster-breaking consequences apply. (#127513, @tkashem) [SIG API Machinery, Etcd, Node and Testing]
- Added the `singleProcessOOMKill` flag to the kubelet configuration. Setting it to true enables single process OOM killing in cgroups v2. In this mode, if a single process is OOM killed within a container, the remaining processes will not be OOM killed. (#126096, @utam0k) [SIG API Machinery, Node, Testing and Windows]
- Added a `/flagz` endpoint for kube-apiserver. (#127581, @richabanker) [SIG API Machinery, Architecture, Auth and Instrumentation]
- Added a `Stream` field to `PodLogOptions`, which allows clients to request a specific log stream (stdout or stderr) of the container. Note that the combination of a specific `Stream` and `TailLines` is not supported. (#127360, @knight42) [SIG API Machinery, Apps, Architecture, Node, Release and Testing]
- Added alpha support for asynchronous Pod preemption. When the `SchedulerAsyncPreemption` feature gate is enabled, the scheduler now runs API calls to trigger preemptions asynchronously for better performance. (#128170, @sanposhiho) [SIG Scheduling and Testing]
- Added driver-owned fields in `ResourceClaim.Status` to report device status data for each allocated device. (#128240, @LionelJouin) [SIG API Machinery, Network, Node and Testing]
- Added enforcement of an upper cost bound for DRA evaluations of CEL. The API server and scheduler now enforce an upper bound on the cost and runtime steps required for evaluating a CEL expression. (#128101, @pohly) [SIG API Machinery and Node]
- Added the ability to change the maximum backoff delay accrued between container restarts for a node for containers in `CrashLoopBackOff`. To set this for a node, turn on the feature gate `KubeletCrashLoopBackoffMax` and set the `CrashLoopBackOff.MaxContainerRestartPeriod` field between `"1s"` and `"300s"` in your kubelet config file. (#128374, @lauralorenz) [SIG API Machinery and Node]
- Allow for Pod search domains to be a single dot `.` or contain an underscore `_` (#127167, @adrianmoisey) [SIG Apps, Network and Testing]
- Annotation `batch.kubernetes.io/cronjob-scheduled-timestamp` added to Job objects scheduled from CronJobs is promoted to stable. (#128336, @soltysh)
- Apply fsGroup policy for ReadWriteOncePod volumes. (#128244, @gnufied) [SIG Storage and Testing]
- Changed the Pod API to support `resources` at `spec` level for pod-level resources. (#128407, @ndixita) [SIG API Machinery, Apps, CLI, Cluster Lifecycle, Node, Release, Scheduling and Testing]
- `ContainerStatus.AllocatedResources` is now guarded by a separate feature gate, `InPlacePodVerticalScalingAllocatedStatus`. (#128377, @tallclair) [SIG API Machinery, CLI, Node, Scheduling and Testing]
- Coordination.v1alpha1 API is dropped and replaced with coordination.v1alpha2. Old coordination.v1alpha1 types must be deleted before upgrade (#127857, @Jefftree) [SIG API Machinery, Etcd, Scheduling and Testing]
- DRA: Restricted the length of opaque device configuration parameters. At admission time, Kubernetes enforces a 10KiB size limit. (#128601, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
- DRA: scheduling pods is up to 16x faster, depending on the scenario. Scheduling throughput depends a lot on cluster utilization. It is higher for lightly loaded clusters with free resources and gets lower when the cluster utilization increases. (#127277, @pohly) [SIG API Machinery, Apps, Architecture, Auth, Etcd, Instrumentation, Node, Scheduling and Testing]
- DRA: the `DeviceRequestAllocationResult` struct now has an "AdminAccess" field which should be used instead of the corresponding field in the `DeviceRequest` field when dealing with an allocation. If a device is only allocated for admin access, allocating it again for normal usage is now supported, as originally intended. To allow admin access, starting with 1.32 the `DRAAdminAccess` feature gate must be enabled. (#127266, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Network, Node, Scheduling and Testing]
- Disallow `k8s.io` and `kubernetes.io` namespaced extra key in structured authentication configuration. (#126553, @aramase) [SIG Auth]
- Fixed a bug in the `NestedNumberAsFloat64` Unstructured field accessor that could have caused it to return rounded float64 values instead of errors when accessing very large int64 values. (#128099, @benluddy)
- Fixed the bug where `spec.terminationGracePeriodSeconds` of the pod will always be overwritten by the MaxPodGracePeriodSeconds of the soft eviction. You can enable the `AllowOverwriteTerminationGracePeriodSeconds` feature gate, which will restore the previous behavior. If you do need to set this, please file an issue with the Kubernetes project to help contributors understand why you needed it. (#122890, @HirazawaUi) [SIG API Machinery, Architecture, Node and Testing]
- Graduated Job's `ManagedBy` field to beta. (#127402, @mimowo) [SIG API Machinery, Apps and Testing]
- Implemented a new, alpha `seLinuxChangePolicy` field within a Pod-level `securityContext`, under SELinuxChangePolicy feature gate. This field allows for opting out from mounting Pod volumes with SELinux label when SELinuxMount feature is enabled (it is alpha and disabled by default now). Please see the KEP how we expect to warn users before any SELinux behavior changes and how they can opt-out before. Note that this field and feature gate is useful only with clusters that run with SELinux enabled. No action is required on clusters without SELinux. (#127981, @jsafrane) [SIG API Machinery, Apps, Architecture, Node, Storage and Testing]
- Introduced `v1alpha1` API for mutating admission policies, enabling extensible admission control via CEL expressions (KEP 3962: Mutating Admission Policies). To use, enable the `MutatingAdmissionPolicy` feature gate and the `admissionregistration.k8s.io/v1alpha1` API via `--runtime-config`. (#127134, @jpbetz) [SIG API Machinery, Auth, Etcd and Testing]
- Introduced compressible resource setting on system reserved and kube reserved slices. (#125982, @harche)
- kube-apiserver: Promoted the `StructuredAuthorizationConfiguration` feature gate to GA. The `--authorization-config` flag now accepts `AuthorizationConfiguration` in version `apiserver.config.k8s.io/v1` (with no changes from `apiserver.config.k8s.io/v1beta1`). (#128172, @liggitt) [SIG API Machinery, Auth and Testing]
- kube-proxy now reconciles Service/Endpoint changes with conntrack table and cleans up only stale UDP flow entries (#127318, @aroradaman) [SIG Network and Windows]
- kube-scheduler removed the `AzureDiskLimits`, `CinderLimits`, `EBSLimits` and `GCEPDLimits` plugins. Given that the corresponding CSI driver reports how many volumes a node can handle in NodeGetInfoResponse, the kubelet stores this limit in CSINode and the scheduler then knows the limit of the driver on the node. Remove the plugins `AzureDiskLimits`, `CinderLimits`, `EBSLimits` and `GCEPDLimits` from the scheduler config if you explicitly enabled them. (#124003, @carlory) [SIG Scheduling, Storage and Testing]
- kubelet: the `--image-credential-provider-config` file was loaded with strict deserialization, which failed if the config file contained duplicate or unknown fields. This protected against accidentally running with malformed config files, unindented files, or typos in field names, and it prevented unexpected behavior. (#128062, @aramase) [SIG Auth and Node]
- NodeRestriction admission now validates the audience value that kubelet is requesting a service account token for is part of the pod spec volume. This change is introduced with a new kube-apiserver featuregate `ServiceAccountNodeAudienceRestriction` that's enabled by default. (#128077, @aramase) [SIG Auth, Storage and Testing]
- Promoted `CustomResourceFieldSelectors` to stable; the feature was enabled by default. The `--feature-gates=CustomResourceFieldSelectors=true` flag was no longer needed on kube-apiserver binaries and would be removed in a future release. (#127673, @jpbetz) [SIG API Machinery and Testing]
- Promoted feature gate `StatefulSetAutoDeletePVC` from beta to stable. (#128247, @mattcary) [SIG API Machinery, Apps, Auth and Testing]
- Removed all support for _classic_ dynamic resource allocation (DRA). The `DRAControlPlaneController` feature gate, formerly alpha, is no longer available. Kubernetes now only uses the _structured parameters_ model (also alpha) for allocating dynamic resources to Pods. If and only if classic DRA was enabled in a cluster, remove all workloads (pods, app deployments, etc.) which depend on classic DRA and make sure that all PodSchedulingContext resources are gone before upgrading. PodSchedulingContext resources cannot be removed through the apiserver after an upgrade and workloads would not work properly. (#128003, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
- Removed generally available feature gate `HPAContainerMetrics` (#126862, @carlory) [SIG API Machinery, Apps and Autoscaling]
- Removed restrictions on subresource flag in kubectl commands (#128296, @AnishShah) [SIG CLI]
- Revised the kubelet API Authorization with new subresources that allow finer-grained authorization checks and access control for kubelet endpoints. Provided you enable the `KubeletFineGrainedAuthz` feature gate, you can access kubelet's `/healthz` endpoint by granting the caller `nodes/healthz` permission in RBAC. Similarly, you can access kubelet's `/pods` endpoint to fetch a list of Pods bound to that node by granting the caller `nodes/pods` permission in RBAC, and kubelet's `/configz` endpoint to fetch kubelet's configuration by granting the caller `nodes/configz` permission in RBAC. You can still access kubelet's `/healthz`, `/pods` and `/configz` by granting the caller `nodes/proxy` permission in RBAC, but that also grants the caller permissions to exec, run and attach to containers on the nodes, and doing so does not follow the least privilege principle. Granting callers more permissions than they need can give attackers an opportunity to escalate privileges. (#126347, @vinayakankugoyal) [SIG API Machinery, Auth, Cluster Lifecycle and Node]
- The core functionality of Dynamic Resource Allocation (DRA) got promoted to beta. No action is required when *upgrading*, the previous v1alpha3 API is still supported, so existing deployments and DRA drivers based on v1alpha3 continue to work. *Downgrading* from 1.32 to 1.31 with DRA resources in the cluster (resourceclaims, resourceclaimtemplates, deviceclasses, resourceslices) is *not* supported because the new v1beta1 is used as storage version and not readable by 1.31. (#127511, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
- The default value for node-monitor-grace-period has been increased to 50s (earlier 40s) (Ref - https://github.com/kubernetes/kubernetes/issues/121793) (#126287, @devppratik) [SIG API Machinery, Apps and Node]
- The resource/v1alpha3.ResourceSliceList field which should have been named "metadata" but was instead named "listMeta" is now properly "metadata". (#126749, @thockin) [SIG API Machinery]
- The synthetic "Bookmark" event for the watch stream requests will now include a new annotation: `kubernetes.io/initial-events-list-blueprint`. The annotation contains an empty, versioned list that is encoded in the requested format (such as protobuf, JSON, or CBOR), then base64-encoded and stored as a string. (#127587, @p0lyn0mial) [SIG API Machinery]
- To enhance usability and developer experience, CRD validation rules now support direct use of (CEL) reserved keywords as field names in object validation expressions. Name format CEL library is supported in new expressions. (#126977, @aaron-prindle) [SIG API Machinery, Architecture, Auth, Etcd, Instrumentation, Release, Scheduling and Testing]
- Updated incorrect description of persistentVolumeClaimRetentionPolicy (#126545, @yangjunmyfm192085) [SIG API Machinery, Apps and CLI]
- X.509 client certificate authentication to the kube-apiserver now produces credential IDs (derived from the certificate's signature), for use in audit logging. (#125634, @ahmedtd) [SIG API Machinery, Auth and Testing]
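
The kubelet fine-grained authorization entry above (#126347) contrasts a broad `nodes/proxy` grant with per-endpoint subresources. The manifests below are an added example, not taken from the Kubernetes release notes, showing the broad role beside the scoped one. All object names and the `monitoring` namespace are hypothetical, and the `KubeletFineGrainedAuthz` feature gate is assumed to be enabled.

```yaml
# Added example; every metadata.name and the namespace are hypothetical.

# BEFORE: broad grant. Per the release note, nodes/proxy covers /healthz,
# /pods and /configz, but it also lets the caller exec, run and attach to
# containers on the node.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-monitor-broad
rules:
  - apiGroups: [""]
    resources: ["nodes/proxy"]
    verbs: ["get"]
---
# AFTER: scoped grant. Only the three read-only kubelet endpoints named in
# the release note are reachable; exec, run and attach are not authorized.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-monitor-scoped
rules:
  - apiGroups: [""]
    resources:
      - nodes/healthz   # kubelet /healthz
      - nodes/pods      # kubelet /pods (Pods bound to that node)
      - nodes/configz   # kubelet /configz (kubelet configuration)
    verbs: ["get"]
---
# Bind the scoped role to the agent's ServiceAccount and remove any
# binding that still references the broad role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-monitor-scoped
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-monitor-scoped
subjects:
  - kind: ServiceAccount
    name: node-monitor
    namespace: monitoring
```

After the switch, `kubectl auth can-i get nodes --subresource=proxy --as=system:serviceaccount:monitoring:node-monitor` should answer `no`, while the same check with `--subresource=healthz` should answer `yes`.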
Feature:
- Added Windows support for the node memory manager. (#128560, @marosset) [SIG Node and Windows]
- Added `--concurrent-daemonset-syncs` command line flag to kube-controller-manager. This value sets the number of workers for the daemonset controller. (#128444, @tosi3k)
- Added a `/statusz` endpoint for kube-apiserver. (#125577, @richabanker) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Instrumentation, Network, Node and Testing]
- Added a health check for the device plugin gRPC registration server. When the registration server is down, kubelet is marked as unhealthy. If systemd watchdog is configured, this will result in a kubelet restart. (#128432, @zhifei92) [SIG Node]
- Added a kubelet metric `container_aligned_compute_resources_count` to report the count of containers getting aligned compute resources. (#127155, @ffromani) [SIG Node and Testing]
- Added kubelet metrics to report information about the CPU pools managed by cpumanager when the static policy is in use. (#127506, @ffromani) [SIG Node and Testing]
- Added a new controller, volumeattributesclass-protection-controller, into the kube-controller-manager. The new controller manages a protective finalizer on VolumeAttributesClass objects. (#123549, @carlory) [SIG API Machinery, Apps, Auth and Storage]
- Added a new option `strict-cpu-reservation` for CPU Manager static policy. When this option is enabled, CPU cores in `reservedSystemCPUs` will be strictly used for system daemons and interrupt processing and are no longer available for any workload. (#127483, @jingczhang) [SIG Node]
- Added a one-time random duration of up to 50% of kubelet's `nodeStatusReportFrequency` to help spread the node status update load evenly over time. (#128640, @mengqiy)
- Added an option to enable leader election in local-up-cluster.sh via the LEADER_ELECT CLI flag. (#127786, @Jefftree)
- Added kubelet support for systemd watchdog integration. With this enabled, systemd can automatically recover a hung kubelet. (#127566, @zhifei92) [SIG Cloud Provider, Node and Testing]
- Added metrics to measure the latency of DRA Node operations and DRA gRPC calls. (#127146, @bart0sh) [SIG Instrumentation, Network, Node and Testing]
- Added new functionality to the Go client code (`client-go`) library. The `List()` method for the metadata client allows enabling API streaming when fetching collections; this improves performance when listing many objects. To request this behavior, your client software must enable the `WatchListClient` client-go feature gate. Additionally, streaming is only available if supported by the cluster; the API server that you connect to must also support streaming. If the API server does not support or allow streaming, then `client-go` falls back to fetching the collection using the **list** API verb. (#127388, @p0lyn0mial) [SIG API Machinery and Testing]
- Added preemptionPolicy field when using `kubectl get PriorityClass -owide` (#126529, @googs1025) [SIG CLI]
- Added status for extended Pod resources within the `status.containerStatuses[].resources` field. (#124227, @iholder101) [SIG Node and Testing]
- Added support to the kube-apiserver for an alpha feature enabling external signing of service account tokens and fetching of public verifying keys, by enabling the Alpha `ExternalServiceAccountTokenSigner` feature gate and specifying `--service-account-signing-endpoint`. The flag value can either be the location of a Unix domain socket on a filesystem, or be prefixed with an @ symbol and name a Unix domain socket in the abstract socket namespace. (#128190, @HarshalNeelkamal) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node, Release and Testing]
- Added the feature gate CBORServingAndStorage to allow CBOR as the encoding for API request and response bodies, and as the storage encoding for custom resources. Clients must opt in; programs built with client-go can do this using the client-go feature gates ClientsAllowCBOR and ClientsPreferCBOR. (#128539, @benluddy) [SIG API Machinery, Etcd and Testing]
- Adopted a new implementation of watch caches for **list** verbs, using a btree data structure. The new implementation is active by default; you can opt out by disabling the `BtreeWatchCache` feature gate. (#128415, @serathius) [SIG API Machinery, Auth and Cloud Provider]
- Allows PreStop lifecycle handler's sleep action to have a zero value (#127094, @sreeram-venkitesh) [SIG Apps, Node and Testing]
- CRI: Added a field to support CPU affinity on Windows. (#124285, @kiashok) [SIG Node and Windows]
- Changed OOM score adjustment calculation for sidecar containers: the OOM adjustment for these containers will match or fall below the OOM score adjustment of regular containers in the Pod. (#128029, @bouaouda-achraf)
- Client-go/rest: contextual logging of request/response with accurate source code location of the caller (#126999, @pohly) [SIG API Machinery and Instrumentation]
- DRA: The resource claim controller now maintains metrics about the total number of `ResourceClaims` and the number of allocated `ResourceClaims`. (#127661, @pohly) [SIG Apps, Instrumentation and Node]
- Enabled graceful shutdown feature for Windows node (#127404, @zylxjtu) [SIG Node, Testing and Windows]
- Made the kube-controller-manager `--concurrent-job-syncs` flag apply to orphan Pod processors. (#126567, @fusida) [SIG Apps]
- Ensured resizing for Guaranteed pods with integer CPU requests on nodes with static CPU & Memory policy configured is not allowed for the beta release of in-place resize. The feature gate `InPlacePodVerticalScalingExclusiveCPUs` defaults to `false`, but can be enabled to unblock development on (#127262, @tallclair) [SIG Node]. (#128287, @esotsal) [SIG Node, Release and Testing]
- Extend discovery GroupManager with Group lister interface (#127524, @mjudeikis) [SIG API Machinery]
- Fixed: Avoid overwriting in-pod vertical scaling updates on systemd daemon reloads when using systemd (#124216, @iholder101) [SIG Node]
- Fixed an issue where kubectl doesn't print the image volume when running `kubectl describe` on a pod with that volume. (#126706, @carlory)
- Graduated the AnonymousAuthConfigurableEndpoints feature gate to beta and enabled it by default to allow configurable endpoints for anonymous authentication. (#127009, @vinayakankugoyal) [SIG Auth]
- Graduated the kubelet memory manager to generally available (GA). (#128517, @Tal-or)
- Graduated `SchedulerQueueingHints` to beta; the feature gate is now enabled by default. (#128472, @sanposhiho) [SIG Scheduling]
- Graduated the `WatchList` feature gate to Beta for kube-apiserver and enabled `WatchListClient` for KCM. (#128053, @p0lyn0mial) [SIG API Machinery and Testing]
- Implemented a queueing hint for PersistentVolumeClaim/Add event in the `CSILimit` plugin. (#124703, @utam0k) [SIG Scheduling and Storage]
- Implemented new cluster events `UpdatePodSchedulingGatesEliminated` and `UpdatePodTolerations` for scheduler plugins. (#127083, @sanposhiho)
- Improved Node's QueueingHint in the `NodeAffinity` plugin by ignoring unrelated changes that keep pods unschedulable. (#127444, @dom4ha) [SIG Scheduling and Testing]
- Improved Node's QueueingHint in the `NodeResourceFit` plugin by ignoring unrelated changes that keep pods unschedulable. (#127473, @dom4ha) [SIG Scheduling and Testing]
- Improved performance of the job controller when handling job delete events. (#127378, @hakuna-matatah)
- Improved performance of the job controller when handling job update events. (#127228, @hakuna-matatah)
- Included an additional resource label in the `transformation_operations_total` metric, which could be used for resource-specific validations, for example handling of encryption config by the apiserver. (#126512, @kmala) [SIG API Machinery, Auth, Etcd and Testing]
- Introduced a new metric `kubelet_admission_rejections_total` to track the number of pods rejected during admission. (#128556, @AnishShah)
- JWT authenticators now set the `jti` claim (if present and is a string value) as credential id for use by audit logging. (#127010, @aramase) [SIG API Machinery, Auth and Testing]
- kube-apiserver: Promoted `AuthorizeWithSelectors` feature to beta, which includes field and label selector information from requests in webhook authorization calls. Promoted `AuthorizeNodeWithSelectors` feature to beta, which changes node authorizer behavior to limit requests from node API clients, so that each Node can only get / list / watch its own Node API object, and can also only get / list / watch Pod API objects bound to that node. Clients using kubelet credentials to read other nodes or unrelated pods must change their authentication credentials (recommended), adjust their usage, or obtain broader read access independent of the node authorizer. (#128168, @liggitt) [SIG API Machinery, Auth and Testing]
- kube-apiserver: a new `--requestheader-uid-headers` flag allows configuring request header authentication to obtain the authenticating user's UID from the specified headers. The suggested value for the new option is `X-Remote-Uid`. When specified, the `kube-system/extension-apiserver-authentication` configmap will include the value in its `.data[requestheader-uid-headers]` field. (#115834, @stlaz) [SIG API Machinery, Auth, Cloud Provider and Testing]
- kube-proxy uses field-selector clusterIP!=None on Services to avoid watching for Headless Services, reducing unnecessary network bandwidth (#126769, @Sakuralbj) [SIG Network]
- kubeadm: `kubeadm upgrade apply` now supports the phase sub-command. Users can use `kubeadm upgrade apply phase <phase-name>` to execute the specified phase, or use `kubeadm upgrade apply --skip-phases <phase-names>` to skip some phases during cluster upgrade. (#126032, @SataQiu) [SIG Cluster Lifecycle]
- kubeadm: `kubeadm upgrade node` now supports `addon` and `post-upgrade` phases. Users can use `kubeadm upgrade node phase addon` to execute the addon upgrade, or use `kubeadm upgrade node --skip-phases addon` to skip the addon upgrade. Currently, the `post-upgrade` phase is no-op, and it is mainly used to handle some release-specific post-upgrade tasks. (#127242, @SataQiu) [SIG Cluster Lifecycle]
- kubeadm: added a validation warning when the certificateValidityPeriod is more than the caCertificateValidityPeriod (#126538, @SataQiu) [SIG Cluster Lifecycle]
- kubeadm: added the feature gate `NodeLocalCRISocket`. When the feature gate is enabled, kubeadm will generate the `/var/lib/kubelet/instance-config.yaml` file to customize the `containerRuntimeEndpoint` field in the kubelet configuration for each node and will not write the same CRI socket on the Node object as an annotation. (#128031, @HirazawaUi) [SIG Cluster Lifecycle]
- kubeadm: allow mixing the flag --config with the special flag --print-manifest of the subphases of 'kubeadm init phase addon'. (#126740, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: consider --bind-address or --advertise-address and --secure-port for control plane components when the feature gate WaitForAllControlPlaneComponents is enabled. Use /livez for kube-apiserver and kube-scheduler, but continue using /healthz for kube-controller-manager until it supports /livez. (#128474, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: if an unknown command name is passed to any parent command such as 'kubeadm init phase' return an error. If 'kubeadm init phase' or another command that has subcommands is called without subcommand name, print the available commands and also return an error. (#127096, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: promoted feature gate `EtcdLearnerMode` to GA. Learner mode in etcd deployed by kubeadm is now locked to enabled by default. (#126374, @pacoxu) [SIG Cluster Lifecycle]
- kubelet: add log and event for cgroup v2 with kernel older than 5.8. (#126595, @pacoxu) [SIG Node]
- Kubernetes is now built with Go 1.23.3. (#128852, @cpanato) [SIG Release and Testing]
- Kubernetes is now built with Go 1.23.0. (#127076, @cpanato) [SIG Release and Testing]
- Kubernetes was built with Go 1.23.1. (#127611, @haitch) [SIG Release and Testing]
- Kubernetes was built with Go 1.23.2. (#128110, @haitch) [SIG Release and Testing]
- Label `apps.kubernetes.io/pod-index` added to Pod from StatefulSets is promoted to stable. Label `batch.kubernetes.io/job-completion-index` added to Pods from Indexed Jobs is promoted to stable. (#128387, @alaypatel07) [SIG Apps]
- LoadBalancerIPMode feature was marked as GA. (#127348, @RyanAoh) [SIG Apps, Network and Testing]
- Locked the custom profiling feature in `kubectl debug` to true. (#127187, @ardaguclu) [SIG CLI and Testing]
- Output for the `ScalingReplicaSet` event has changed from: Scaled <up|down> replica set <replica-set-name> to <new-value> from <old-value> to: Scaled <up|down> replica set <replica-set-name> from <old-value> to <new-value>. (#125118, @jsoref) [SIG Apps and CLI]
- PodLifecycleSleepAction is graduated to GA (#128046, @AxeZhan) [SIG Architecture, Node and Testing]
- Pods were allowed to use the `net.ipv4.tcp_rmem` and `net.ipv4.tcp_wmem` sysctl by default when the kernel version was 4.15 or higher. With the kernel 4.15 the sysctl became namespaced. Pod Security admission allowed these sysctl in v1.32+ versions of the baseline and restricted policies. (#127489, @pacoxu) [SIG Auth, Network and Node]
- Prepared Pod validation to handle version skew for InPlacePodVerticalScaling's beta graduation. (#128186, @sreeram-venkitesh)
- Promoted `RecoverVolumeExpansionFailure` feature gate to beta. (#128342, @gnufied) [SIG Apps and Storage]
- Promoted `RetryGenerateName` to stable; the feature is enabled by default. `--feature-gates=RetryGenerateName=true` not needed on kube-apiserver binaries and will be removed in a future release. (#127093, @jpbetz) [SIG API Machinery]
- Promoted `SizeMemoryBackedVolumes` to stable. (#126981, @kannon92) [SIG Node, Storage and Testing]
- Promoted the `RelaxedEnvironmentVariableValidation` feature gate to beta; it is enabled by default. (#126897, @HirazawaUi)
- Promoted the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks`. (#127302, @cici37) [SIG API Machinery and Testing]
- Promoted the `ServiceAccountTokenJTI` feature to GA, which adds a `jti` claim to issued service account tokens and embeds the `jti` claim as a `authentication.kubernetes.io/credential-id=["JTI=..."]` value in user extra info.
- Promoted the `ServiceAccountTokenPodNodeInfo` feature to GA, which adds the node name and uid as claims into service account tokens mounted into running pods, and embeds that information as `authentication.kubernetes.io/node-name` and `authentication.kubernetes.io/node-uid` user extra info when the token is used.
- Promoted the `ServiceAccountTokenNodeBindingValidation` feature to GA, which validates service account tokens bound directly to nodes. (#128169, @liggitt) [SIG API Machinery, Auth and Testing]
- Realigned line breaks from `kubectl explain` descriptions. (#126533, @ah8ad3)
- Removed attachable volume limits from the capacity of the node when the kubelet was started, affecting the following volume types when the corresponding CSI driver was installed:
  - `awsElasticBlockStore` for `ebs.csi.aws.com`
  - `azureDisk` for `disk.csi.azure.com`
  - `gcePersistentDisk` for `pd.csi.storage.googleapis.com`
  - `cinder` for `cinder.csi.openstack.org`
  - `csi`

  However, it was still enforced using a limit in CSINode objects. (#126924, @carlory)
- Reverted Go version used to build Kubernetes to 1.23.0. (#127861, @xmudrii) [SIG Release and Testing]
- Support inflight_events metric in the scheduler for QueueingHint. (#127052, @sanposhiho) [SIG Scheduling]
- Support specifying a custom network parameter when running e2e-node-tests with the remote option. (#127574, @bouaouda-achraf) [SIG Node and Testing]
- The Job controller now considers sidecar container restart counts when removing pods. (#124952, @AxeZhan) [SIG Apps and CLI]
- The `TopologyManagerPolicyOptions` feature-flag is promoted to GA. (#128124, @PiotrProkop)
- The scheduler implemented `QueueingHint` in VolumeBinding plugin's CSIDriver event, which enhanced the throughput of scheduling. (#125171, @YamasouA) [SIG Scheduling and Storage]
- The scheduler retries gated Pods more appropriately, giving them a backoff penalty too. (#126029, @sanposhiho) [SIG Scheduling]
- Unallowed label values will show up as "unexpected" in scheduler metrics. (#126762, @richabanker) [SIG Instrumentation and Scheduling]
- Updated the control plane's trust anchor publisher to create and manage a new ClusterTrustBundle object, associated with the `kubernetes.io/kube-apiserver-serving` X.509 certificate signer. This ClusterTrustBundle contains a PEM bundle in its payload that you can use to verify kube-apiserver serving certificates. (#127326, @stlaz) [SIG API Machinery, Apps, Auth, Cluster Lifecycle and Testing]
- Vendor: updated system-validators to v1.9.0. (#128149, @neolit123) [SIG Cluster Lifecycle and Node]
- Vendor: updated system-validators to v1.9.1. (#128533, @neolit123)
- When `SchedulerQueueingHint` is enabled, the scheduler's in-tree plugins now subscribe to specific node events to decide whether to requeue Pods. This allows the scheduler to handle cluster events faster with less memory. Specific node events include updates to taints, tolerations or allocatable. In-tree plugins now ignore node updates that don't modify any of these fields. (#127220, @sanposhiho) [SIG Node, Scheduling and Storage]
- When `SchedulerQueueingHints` is enabled, clear events cached in the scheduling queue as soon as possible so that the scheduler consumes less memory. (#120586, @sanposhiho) [SIG Scheduling]
- Windows: Support CPU and Topology manager on Windows. (#125296, @jsturtevant) [SIG Node and Windows]
Documentation:
- Clarified the kube-controller-manager documentation for `--allocate-node-cidrs`, `--cluster-cidr`, and `--service-cluster-ip-range` flags to accurately reflect their dependencies and usage conditions. (#126784, @eminwux) [SIG API Machinery, Cloud Provider and Docs]
- Documented the `--for=create` option to `kubectl wait`. (#127327, @ryanwinter) [SIG CLI]
- Fixed documentation for the `apiserver_admission_webhook_fail_open_count` and `apiserver_admission_webhook_request_total` metrics. The `type` label can have a value of "admit", not "mutating". (#127898, @modulitos)
- kubeadm: fixed a misleading output (typo) about control-plane joining instructions when executing the "kubeadm init" command. (#128118, @amaddio)
- The kubelet, when using `--cloud-provider=external`, can use the `--node-ip` flag with one of the unspecified addresses 0.0.0.0 or :: to create the Node with the IP of the default gateway of the corresponding IP family and then delegate the responsibility to the external cloud provider. This solves the bootstrap problems of out-of-tree cloud providers that are deployed as Pods within the cluster. (#125337, @aojea) [SIG Cloud Provider, Network, Node and Testing]
- Added request header UID propagation, behind an alpha `RemoteRequestHeaderUID` feature gate. (#129081, @stalz) [SIG API Machinery, Cluster Lifecycle and Testing]
Failing Test:
- kubelet plugins are now re-registered properly on Windows if the re-registration period is < 15ms. (#114136, @claudiubelu) [SIG Node, Storage, Testing and Windows]
Bug or Regression:
1. When the kubelet constructs the CRI mounts for the container which references an `image` volume source type, it passes the missing mount attributes to the CRI implementation, including `readOnly`, `propagation`, and `recursiveReadOnly`. When the readOnly field of the containerMount is explicitly set to false, the kubelet will now pass `readOnly` as true to the CRI implementation because the image volume plugin requires the mount to be read-only.
2. Fixed a bug where the pod is unexpectedly running when the `image` volume source type is used and mounted to `/etc/hosts` in the container. (#126806, @carlory) [SIG Node and Storage]
- Added warnings for overlap paths in ConfigMap, Secret, DownwardAPI, Projected. Added warning for cases when ProjectedVolume with sources is provided. (#121968, @Peac36)
- Apiserver repair controller is resilient to etcd errors during bootstrap and retries during 30 seconds before failing. (#126671, @fusida) [SIG Network]
- Applyconfiguration-gen no longer generates duplicate methods and ambiguous member accesses when types end up with multiple members of the same name (through embedded structs). (#127001, @skitt) [SIG API Machinery]
- Bookmark events are now sent immediately after all items in the watchCache store have been processed, improving consistency in client behavior. (#127012, @Chaunceyctx)
- DRA: fixed several issues related to `allocationMode: all`. (#127565, @pohly)
- DRA: when a DRA driver was started after creating pods which need resources from that driver, no additional attempt was made to schedule such unschedulable pods again. Only affected DRA with structured parameters. (#126807, @pohly) [SIG Node, Scheduling and Testing]
- DRA: when enabling the scheduler queuing hint feature, pods got stuck as unschedulable for a while unnecessarily because recording the name of the generated ResourceClaim did not trigger scheduling. (#127497, @pohly) [SIG Auth, Node, Scheduling and Testing]
- Disallowed label values will show up as "unexpected" in all system components' metrics. (#128100, @yongruilin) [SIG Architecture and Instrumentation]
- Discarded the output streams of destination path check in kubectl cp when copying from local to pod and added a 3 seconds timeout to this check (#126652, @ardaguclu) [SIG CLI]
- Fixed 1.31 regression that can crash kube-controller-manager's service-lb-controller loop. (#128182, @carlory) [SIG API Machinery, Cloud Provider and Network]
- Fixed a 1.31 regression starting kubelet on Windows: Revert "fix: handle socket file detection on Windows". (#126976, @jsturtevant)
- Fixed a 1.31 regression with API emulation versioning honors cohabitating resources. (#127239, @xuzhenglun)
- Fixed a bug in the endpoints controller that failed to reconcile the Endpoint object after it was truncated (when it received more than 1000 endpoint addresses). (#127417, @aojea) [SIG Apps, Network and Testing]
- Fixed a bug in the garbage collector controller which could block indefinitely due to a cache sync failure. This fix allows the garbage collector to eventually continue garbage collecting other resources if a given resource cannot be listed or watched. Any objects in the unsynced resource type with owner references with `blockOwnerDeletion: true` will not be known to the garbage collector. Use of `blockOwnerDeletion` has always been best-effort and racy on startup and object creation. With this fix, it continues to be best-effort for resources that cannot be synced by the garbage collector controller. (#125796, @haorenfsa) [SIG API Machinery, Apps and Testing]
- Fixed a bug where, when the hostname label of a node did not match the node name, pods bound to a PersistentVolume with `nodeAffinity` using the hostname could be scheduled to the wrong node or experience scheduling failures. (#125398, @AxeZhan) [SIG Scheduling and Storage]
- Fixed a bug where `podCIDR` was released before node was deleted. (#128305, @adrianmoisey) [SIG Apps and Network]
- Fixed a bug where the kubelet ephemerally failed with `failed to initialize top level QOS containers: root container [kubepods] doesn't exist`, due to the cpuset cgroup being deleted on cgroup v2 with systemd cgroup manager. (#125923, @haircommander) [SIG Node and Testing]
- Fixed a bug where the phase of a pod with regular init containers was not pending when the regular init container had not finished running after a node restart. (#126653, @zhifei92) [SIG Node and Testing]
- Fixed a bug where the scheduler didn't correctly notify plugins of Node deletion. This bug could impact all scheduler plugins subscribing to the Node/Delete event, making the queue incorrectly keep the Pods rejected by those plugins at Node deletion. Among the in-tree plugins, PodTopologySpread is the only victim. (#127464, @sanposhiho) [SIG Scheduling and Testing]
- Fixed a bug with dual stack clusters using the beta feature MultiCIDRServiceAllocator which could not create dual stack Services or Services with IPs in the secondary range. Users who wanted to use this feature in version 1.30 with dual stack clusters could work around the issue by setting the feature gate DisableAllocatorDualWrite to true. (#127598, @aojea) [SIG Network and Testing]
- Fixed a possible memory leak in the QueueingHint (alpha feature). (#126962, @sanposhiho)
- Fixed a potential memory leak in QueueingHint (alpha feature). (#127016, @sanposhiho)
- Fixed a race condition in the kube-proxy initialization that could cause UDP traffic to service VIP. (#126532, @wedaly)
- Fixed a race condition that could result in erroneous volume unmounts for flex volume plugins during kubelet restart. (#127669, @olyazavr)
- Fixed a race condition that could result in erroneous volume unmounts for flex volume plugins on kubelet restart. (#128495, @olyazavr)
- Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127162, @gjkim42) [SIG Node]
- Fixed a regression in default 1.29 configurations with the `SidecarContainers` feature enabled, where init containers may fail to start due to a temporary container runtime failure. (#126543, @gjkim42)
- Fixed a regression introduced in v1.29 where conntrack entries for UDP connections to deleted pods did not get cleaned up correctly, which could (among other things) cause DNS problems when DNS pods were restarted. (#127780, @danwinship)
- Fixed a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126644, @Huang-Wei)
- Fixed a suboptimal scheduler preemption behavior where potential preemption victims were violating Pod Disruption Budgets. (#128307, @NoicFank) [SIG Scheduling]
- Fixed an issue in the kubelet that showed when writeable layers and read-only layers were at different paths within the same mount. Kubernetes was previously detecting that the image filesystem was split, even when that was not really the case (#128344, @kannon92) [SIG Node]
- Fixed an issue in the kubelet that showed when writeable layers and read-only layers were at different paths within the same mount. Kubernetes was previously detecting that the image filesystem was split, even when that was not really the case. (#126562, @kannon92)
- Fixed an issue where eviction manager was not deleting unused images or containers. (#127874, @AnishShah)
- Fixed an issue where requests sent by the KMSv2 service would be rejected due to having an invalid authority header. (#126930, @Ruddickmg) [SIG API Machinery and Auth]
- Fixed data race in kubelet/volumemanager. (#127919, @carlory) [SIG Apps, Node and Storage]
- Fixed fake client to accept request without metadata.name to better emulate behavior of actual client. (#126727, @jpbetz)
- Fixed the ability to set the `resolvConf` option in drop-in kubelet configuration files, which validates that drop-in kubelet configuration files are in a supported version. (#127421, @liggitt)
- Fixed a bug in `NodeUnschedulable` that only happens with QHint enabled, where the scheduler might miss some updates for the Pods rejected by the NodeUnschedulable plugin and keep the Pods in the queue for longer than needed. (#127427, @sanposhiho)
- Fixed the estimated cost in CEL for expressions that perform equality checks on IPs, CIDRs, Quantities, Formats and URLs. (#126359, @jpbetz)
- Fixed the incorrect help message of a metric "graceful_shutdown_end_time_seconds". Fixed incorrect value set for metrics "graceful_shutdown_start_time_seconds" and "graceful_shutdown_end_time_seconds" in certain cases during graceful node shutdown. (#128189, @zylxjtu) [SIG Node]
- Fixed the reporting of elapsed times during evaluation of `ValidatingAdmissionPolicy` decisions and annotations. The apiserver_validating_admission_policy_check_duration metrics will now show elapsed times and no longer be zero. (#128463, @knrc)
- Fixed the wrong hierarchical structure for both the child span and the parent span (i.e. `SerializeObject` and `List`). In the past, some children's spans appeared parallel to their parents. (#127551, @carlory) [SIG API Machinery and Instrumentation]
- Fixed: dynamic client-go can now handle subresources with an UnstructuredList response (#126809, @ryantxu) [SIG API Machinery]
- Fixed a bug where restartable and non-restartable init containers were not accounted for in the message and annotations of eviction event. (#124947, @toVersus) [SIG Node]
- Fixed a kubelet and kube-apiserver memory leak in default 1.29 configurations related to tracing. (#126957, @dashpole) [SIG API Machinery, Architecture, Instrumentation and Node]
- Fixed a bug in PodTopologySpread that only happens with QHint enabled, where the scheduler might miss some updates for the Pods rejected by the PodTopologySpread plugin and keep the Pods in the queue for longer than needed. (#127447, @sanposhiho) [SIG Scheduling]
- For Dynamic Resource Allocation, labels in node selectors now are validated. Invalid labels already caused runtime errors before and are unlikely to occur in practice. (#128932, @pohly)
- For Dynamic Resource Allocation, the new "v1beta1" kubelet gRPC was renamed so that the protobuf package name is unique. (#128764, @pohly) [SIG Node and Testing]
- HostNetwork pods no longer depend on the PodIPs to be assigned to configure the defined hostAliases on the Pod (#126460, @aojea) [SIG Network, Node and Testing]
- If a client makes an API streaming request and specifies an `application/json;as=Table` content type, the API server now responds with a 406 (Not Acceptable) error. This change helps to ensure that unsupported formats, such as `Table` representations, are correctly rejected. (#126996, @p0lyn0mial) [SIG API Machinery and Testing]
- If an old pod spec has used image volume source, we must allow it when updating the resource even if the feature-gate ImageVolume is disabled. (#126733, @carlory) [SIG API Machinery, Apps and Node]
- Improved PVC Protection Controller's scalability by batch-processing PVCs by namespace with lazy live pod listing. (#125372, @hungnguyen243) [SIG Apps, Node, Storage and Testing]
- Improved the scalability of the PVC Protection Controller by batch-processing PVCs by namespace and implementing lazy live pod listing. (#126745, @hungnguyen243) [SIG Apps, Storage and Testing]
- kube-apiserver: fixed a 1.31 regression that stopped honoring build ID overrides with the --version flag (#126665, @liggitt) [SIG API Machinery]
- kubeadm: added "disable success" and "disable denial" as parameters of the "cache" plugin in the Corefile managed by kubeadm. This is to prevent conflicting responses during CoreDNS cache updates. (#128359, @matteriben) [SIG Cluster Lifecycle]
- kubeadm: ensure that Pods from the upgrade preflight check `CreateJob` are properly terminated after a timeout. (#127333, @yuyabee) [SIG Cluster Lifecycle]
- kubeadm: fixed an issue where the wrong member list was being reported when removing an etcd member. (#127650, @SataQiu)
- kubeadm: when adding new control plane nodes with `kubeadm join`, ensure that the etcd member addition is performed only if a given member URL does not already exist in the list of members. Similarly, on "kubeadm reset" only remove an etcd member if its ID exists. (#127491, @SataQiu) [SIG Cluster Lifecycle]
- kubelet now attempts to get an existing node if the request to create it fails with StatusForbidden. (#126318, @hoskeri) [SIG Node]
- kubelet: Fix - the volume manager didn't check the device mount state in the actual state of the world before marking the volume as detached. It may cause a pod to be stuck in the Terminating state due to the above issue when it was deleted. (#128219, @carlory)
- kubelet: Fixed a bug where kubelet wrongly drops the QOSClass field of the Pod's status when it rejects a Pod. (#128083, @carlory) [SIG Node and Testing]
- kubelet: use the CRI stats provider if `PodAndContainerStatsFromCRI` feature is enabled (#126488, @haircommander) [SIG Node]
- Made kubelet's /metrics/slis endpoint always available. (#128430, @richabanker) [SIG Architecture, Instrumentation and Node]
- Node shutdown controller made a best effort to wait for CSI Drivers to complete the volume teardown process according to the pod priority groups. (#125070, @torredil) [SIG Node, Storage and Testing]
- Reduced memory usage/allocations during wait for volume attachment. (#126575, @Lucaber) [SIG Node and Storage]
- Removed unneeded permissions for system:controller:persistent-volume-binder and system:controller:expand-controller clusterroles (#125995, @carlory) [SIG Auth and Storage]
- Reset streams when an error happens during port-forward allowing kubectl to maintain port-forward connection open. (#128318, @soltysh) [SIG API Machinery, CLI and Node]
- Send an error on `ResultChan` and close the `RetryWatcher` when the client is forbidden or unauthorized from watching the resource. (#126038, @mprahl) [SIG API Machinery]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods awaiting for the finalizer marked as Failed after the kubelet restart. (#126343, @SergeyKanzhelev) [SIG Node and Testing]
- The CSI volume plugin stopped watching the VolumeAttachment object if the object is not found or the volume is not attached when kubelet waits for a volume attached. In the past, it would fail due to missing permission. (#126961, @carlory) [SIG Storage]
- The Usage and VolumeCondition are both optional in the response and if CSIVolumeHealth feature gate is enabled kubelet needs to consider returning metrics if either one is set. (#127021, @Madhu-1) [SIG Storage]
- The `build-tag` flag is reintroduced to conversion-gen and defaulter-gen, which allows users to inject a custom build tag during the code generation process. (#128259, @dinhxuanvu)
- Fixed problem with named ports not being available when specified in sidecar containers. (#127976, @chengjoey)
- The scheduler started considering the resource requests of existing sidecar containers during the scoring process. (#127878, @AxeZhan) [SIG Scheduling and Testing]
- Tightened validation on the qosClass field of pod status. This field is immutable but it would be populated with the old status by kube-apiserver if it is unset in the new status when updating this field via the status subresource. (#127744, @carlory) [SIG Apps, Instrumentation, Node, Storage and Testing]
- Upgraded coreDNS to v1.11.3. (#126449, @BenTheElder) [SIG Cloud Provider and Cluster Lifecycle]
- Use allocatedResources on PVC for node expansion in kubelet (#126600, @gnufied) [SIG Node, Storage and Testing]
- When entering a value other than "external" to the "--cloud-provider" flag for the kubelet, kube-controller-manager, and kube-apiserver, the user will now receive a warning in the logs about the disablement of internal cloud providers. This is in contrast to the previous warnings about deprecation. (#127711, @elmiko) [SIG API Machinery, Cloud Provider and Node]
- `StartupProbe` was explicitly stopped when the `successThreshold` was reached. This eliminated the problem of executing `StartupProbe` more times than the `successThreshold`. (#121206, @mochizuki875)
- kubelet: on Windows, consistently resolve filesystem links to volume identifiers instead of inconsistently normalizing to drive letters. (#129103, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Storage and Windows]
Other (Cleanup or Flake):
- Added a short output format argument for `kubectl explain`. You could now use `-o` as an abbreviation for `--output` in commands such as `kubectl explain <resource> --output plaintext-openapiv2`. (#127869, @ak20102763)
- Added an example for kubectl delete with the --interactive flag. (#127512, @bergerhoffer) [SIG CLI]
- Added: Log Line for Debugging possible merge errors for kubelet related Config requests. (#124389, @holgerson97)
- Aggregated Discovery v2beta1 fixture is removed in `./api/discovery`. Please use v2 (#127008, @Jefftree) [SIG API Machinery]
- Append the image pull error for the pods `status.containerStatuses[*].state.waiting.message` when in image pull back-off (`reason` is `ImagePullBackOff`) instead of the generic `Back-off pulling image…` message. (#127918, @saschagrunert) [SIG Node and Testing]
- CBOR-encoded watch responses now set the Content-Type header to "application/cbor-seq" instead of the nonconformant "application/cbor". (#128501, @benluddy) [SIG API Machinery, Etcd and Testing]
- CRI client now used the default timeout for `ImageFsInfo` RPC. (#128052, @saschagrunert)
- Clarified an API validation error for toleration if `operator` is `Exists` and `value` is not empty. (#128119, @saschagrunert) [SIG API Machinery and Apps]
- Device manager: stop using annotations to pass CDI device info to runtimes. Containerd versions older than v1.7.2 don't support passing CDI info through CRI and need to be upgraded. (#126435, @bart0sh) [SIG Node]
- Dropped support for `InPlacePodVerticalScaling` feature in Windows. (#128623, @AnishShah) [SIG Apps and Node]
- Enabled `CBORServingAndStorage` feature gate – built-in APIs can now be served in CBOR format for clients that request it. (#128503, @benluddy) [SIG API Machinery, Etcd and Testing]
- Fake clientsets now use a common, generic implementation. The corresponding structs are now private; callers must use the corresponding constructors. (#126503, @skitt) [SIG API Machinery, Architecture, Auth and Instrumentation]
- Feature `AllowServiceLBStatusOnNonLB` remains deprecated and is now locked to false to support compatibility versions. (#128139, @Jefftree)
- Feature gate "AllowServiceLBStatusOnNonLB" has been removed. This gate has been stable and unchanged for over a year. (#126786, @thockin) [SIG Apps]
- Fixed a warning message about the gce in-tree cloud provider state. (#126773, @carlory)
- Fixed spacing in `--validate flag` description in kubectl. (#128081, @soltysh)
- Fixed a bug in the `k8s.io/cloud-provider/service` controller where it may panic when a service is updated because the event recorder was used before it was initialized. All cloud providers using the `v1.31.0` cloud provider service controller must ensure that the controller is initialized before the informers start to process events, or update it to version 1.32.0. (#128179, @carlory) [SIG API Machinery, Cloud Provider, Network and Testing]
- Fully removed `PostStartHookContext.StopCh`. (#127341, @mjudeikis)
- kube-apiserver `--admission-control-config-file` files are now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now cause an error. (#128013, @seans3)
- kube-apiserver `--egress-selector-config-file` files were validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now cause an error. (#128011, @seans3) [SIG API Machinery and Testing]
- kube-apiserver `ResourceQuotaConfiguration` admission plugin subsection within `--admission-control-config-file` files were validated strictly (EnableStrict). Duplicate and unknown fields in the configuration would cause an error. (#128038, @seans3)
- kube-controller-manager `--leader-migration-config` files were now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration would cause an error. (#128009, @seans3) [SIG API Machinery and Cloud Provider]
- kube-proxy initialization waits for all pre-sync events from node and serviceCIDR informers to be delivered. (#126561, @wedaly) [SIG Network]
- kube-proxy will no longer depend on conntrack binary for stale UDP connections cleanup (#126847, @aroradaman) [SIG Cluster Lifecycle, Network and Testing]
- kubeadm: don't warn if `crictl` binary does not exist since kubeadm does not rely on `crictl` since v1.31. (#126596, @saschagrunert) [SIG Cluster Lifecycle]
- kubeadm: increased the verbosity of API client dry-run actions during the subcommands "init", "join", "upgrade" and "reset". It also allowed dry-run on 'kubeadm join' even if there was no existing cluster by utilizing a faked, in-memory cluster-info ConfigMap. (#126776, @neolit123)
- kubeadm: make sure the extra environment variables written to a kubeadm managed PodSpec are sorted alpha-numerically by the environment variable name. (#126743, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: removed the deprecated sub-phase of 'init kubelet-finalize' called `experimental-cert-rotation`, and use 'enable-client-cert-rotation' instead. (#126913, @pacoxu) [SIG Cluster Lifecycle]
- kubeadm: removed `socat` and `ebtables` from kubeadm preflight checks (#127151, @saschagrunert) [SIG Cluster Lifecycle]
- kubeadm: removed preflight check for existence of the conntrack binary, as conntrack is no longer a kube-proxy dependency in version 1.32 and newer. (#126953, @aroradaman)
- kubeadm: removed the deprecated and NO-OP flags `--feature-gates` for `kubeadm upgrade apply` and `--api-server-manifest`, `--controller-manager-manifest`, and `--scheduler-manifest` for `kubeadm upgrade diff`. (#127123, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: removed the deprecated flag `--experimental-output`, please use the flag `--output` instead that serves the same purpose. Affected commands are: `kubeadm config images list`, `kubeadm token list`, `kubeadm upgrade plan`, `kubeadm certs check-expiration`. (#126914, @carlory) [SIG Cluster Lifecycle]
- kubeadm: switched the kube-scheduler static Pod to use the endpoints `/livez` (for startup and liveness probes) and `/readyz` (for the readiness probe). Previously, `/healthz` was used for all probes, which is deprecated behavior in the scope of this component. (#126945, @liangyuanpeng) [SIG Cluster Lifecycle]
- Optimized the code by filtering out empty strings for podUID when calling the `getPodAndContainerForDevice` method. (#126997, @lengrongfu)
- Output a log as v4-level when a probe is triggered and shift the periodic timer of ReadinessProbe after manual run. (#119089, @mochizuki875)
- Removed generally available feature gate `ValidatingAdmissionPolicy`. (#126645, @cici37) [SIG API Machinery, Auth, and Testing]
- Removed generally available feature gate `CloudDualStackNodeIPs`. (#126840, @carlory) [SIG API Machinery and Cloud Provider]
- Removed generally available feature gate `LegacyServiceAccountTokenCleanUp`. (#126839, @carlory) [SIG Auth]
- Removed generally available feature gate `MinDomainsInPodTopologySpread`. (#126863, @carlory) [SIG Scheduling]
- Removed generally available feature gate `NewVolumeManagerReconstruction`. (#126775, @carlory) [SIG Node and Storage]
- Removed generally available feature gate `NodeOutOfServiceVolumeDetach` (#127019, @carlory) [SIG Apps and Testing]
- Removed generally available feature gate `StableLoadBalancerNodeSet`. (#126841, @carlory) [SIG API Machinery, Cloud Provider and Network]
- Removed generally available feature-gate `ZeroLimitedNominalConcurrencyShares` (#126894, @carlory) [SIG API Machinery]
- Removed legacy cloud provider integration code and the "service-lb-controller", "cloud-node-lifecycle-controller" and the "node-route-controller" from kube-controller-manager. You can now either set the `--cloud-provider` command line argument to "external", or to the empty string. All other values are invalid. (#128197, @aojea) [SIG API Machinery, Apps and Cloud Provider]
- Removed support for removing requests and limits during a pod resize. (#128683, @AnishShah) [SIG Apps, Node and Testing]
- Removed support for the kubelet `--runonce` mode. If you specify the kubelet command line flag `--runonce`, this is an error. Setting `runOnce` in a kubelet configuration file is also an error, and specifying any value for that configuration option is now deprecated. (#126336, @HirazawaUi) [SIG Node and Scalability]
- Removed the GAed feature gates for `ServerSideApply` and `ServerSideFieldValidation`. (#127058, @carlory)
- Removed the `KMSv2` and `KMSv2KDF` feature gates. The associated features graduated to stable in the Kubernetes v1.29 release. (#126698, @enj) [SIG API Machinery, Auth and Testing]
- Removed the feature gate ComponentSLIs, which had been promoted to stable since v1.29. (#127787, @Jefftree) [SIG Architecture and Instrumentation]
- Revised error handling for port forwards to Pods. Added stream resets preventing port-forward from blockage. (#128681, @soltysh) [SIG API Machinery, CLI and Testing]
- Short circuit if the compaction request from apiserver is disabled. (#126627, @fusida) [SIG Etcd]
- Show a warning message to inform users that the `legacy` profile is planned to be deprecated. (#127230, @mochizuki875) [SIG CLI]
- The `dynamicResources` has been refactored to `DynamicResources`, now users can introduce the `DynamicResources` struct outside the `dynamicresources` package. (#128399, @JesseStutler) [SIG Node and Scheduling]
- The `flowcontrol.apiserver.k8s.io/v1beta3` API version of `FlowSchema` and `PriorityLevelConfiguration` is no longer served in v1.32. Migrate manifests and API clients to use the `flowcontrol.apiserver.k8s.io/v1` API version, available since v1.29. More information is at https://kubernetes.io/docs/reference/using-api/deprecation-guide/#flowcontrol-resources-v132 (#127017, @carlory) [SIG API Machinery and Testing]
- The alpha Dynamic Resource Allocation gRPC API is still available, but might be removed in future releases. Driver authors should update their DRA drivers to use the v1beta1 gRPC API. (#128646, @pohly) [SIG Node and Testing]
- The feature-gate "PodHostIPs" has been removed. It is GA and its value has been locked since Kubernetes v1.30. (#128634, @thockin) [SIG Apps, Architecture, Node and Testing]
- The getters for the field name and typeDescription of the Reflector struct were renamed. (#128035, @alexanderstephan)
- The kube-apiserver `--tracing-config-file` is now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now result in an error. (#128073, @seans3)
- The members name and typeDescription of the Reflector struct were exported to allow for better user extensibility. (#127663, @alexanderstephan)
- Changed the percentage marker in `kubectl top node` from `%` to `(%)`. (#126995, @googs1025) [SIG CLI]
- Updated cni-plugins to v1.5.1. (#126966, @saschagrunert) [SIG Cloud Provider, Node and Testing]
- Updated cni-plugins to v1.6.0. (#128091, @saschagrunert) [SIG Cloud Provider, Node and Testing]
- Updated cri-tools to v1.31.0. (#126590, @saschagrunert) [SIG Cloud Provider and Node]
- Upgraded etcd client to v3.5.16. (#127279, @serathius) [SIG API Machinery, Auth, Cloud Provider and Node]
- Upgraded github.com/coredns/corefile-migration to v1.0.24. (#126851, @BenTheElder) [SIG Architecture and Cluster Lifecycle]
- Upgraded the functionality of `kubectl kustomize` as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.4.2 and https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.5.0. (#127965, @koba1t)
- `ComponentSLIs` feature is marked as GA and locked. (#128317, @Jefftree) [SIG Architecture and Instrumentation]
- `kubectl apply --server-side` now supports `--subresource` congruent to `kubectl patch`. (#127634, @deads2k) [SIG CLI and Testing]
- kubelet: fixed an issue mounting CSI volumes on Windows nodes in 1.32.0 release candidates. (#129083, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Storage and Windows]
Dependencies
Added:
- github.com/Microsoft/hnslib: v0.0.8
- github.com/aws/aws-sdk-go-v2/config: v1.27.24
- github.com/aws/aws-sdk-go-v2/credentials: v1.17.24
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.16.9
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.3.13
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.6.13
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.8.0
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.11.3
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.11.15
- github.com/aws/aws-sdk-go-v2/service/sso: v1.22.1
- github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.26.2
- github.com/aws/aws-sdk-go-v2/service/sts: v1.30.1
- github.com/aws/aws-sdk-go-v2: v1.30.1
- github.com/aws/smithy-go: v1.20.3
- github.com/checkpoint-restore/go-criu/v6: v6.3.0
- github.com/containerd/containerd/api: v1.7.19
- github.com/containerd/errdefs: v0.1.0
- github.com/containerd/log: v0.1.0
- github.com/containerd/typeurl/v2: v2.2.0
- github.com/moby/docker-image-spec: v1.3.1
- github.com/moby/sys/user: v0.3.0
- github.com/moby/sys/userns: v0.1.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.27.0
Changed:
- cel.dev/expr: v0.15.0 → v0.18.0
- cloud.google.com/go/accessapproval: v1.7.1 → v1.7.4
- cloud.google.com/go/accesscontextmanager: v1.8.1 → v1.8.4
- cloud.google.com/go/aiplatform: v1.48.0 → v1.58.0
- cloud.google.com/go/analytics: v0.21.3 → v0.22.0
- cloud.google.com/go/apigateway: v1.6.1 → v1.6.4
- cloud.google.com/go/apigeeconnect: v1.6.1 → v1.6.4
- cloud.google.com/go/apigeeregistry: v0.7.1 → v0.8.2
- cloud.google.com/go/appengine: v1.8.1 → v1.8.4
- cloud.google.com/go/area120: v0.8.1 → v0.8.4
- cloud.google.com/go/artifactregistry: v1.14.1 → v1.14.6
- cloud.google.com/go/asset: v1.14.1 → v1.17.0
- cloud.google.com/go/assuredworkloads: v1.11.1 → v1.11.4
- cloud.google.com/go/automl: v1.13.1 → v1.13.4
- cloud.google.com/go/baremetalsolution: v1.1.1 → v1.2.3
- cloud.google.com/go/batch: v1.3.1 → v1.7.0
- cloud.google.com/go/beyondcorp: v1.0.0 → v1.0.3
- cloud.google.com/go/bigquery: v1.53.0 → v1.58.0
- cloud.google.com/go/billing: v1.16.0 → v1.18.0
- cloud.google.com/go/binaryauthorization: v1.6.1 → v1.8.0
- cloud.google.com/go/certificatemanager: v1.7.1 → v1.7.4
- cloud.google.com/go/channel: v1.16.0 → v1.17.4
- cloud.google.com/go/cloudbuild: v1.13.0 → v1.15.0
- cloud.google.com/go/clouddms: v1.6.1 → v1.7.3
- cloud.google.com/go/cloudtasks: v1.12.1 → v1.12.4
- cloud.google.com/go/compute: v1.23.0 → v1.25.1
- cloud.google.com/go/contactcenterinsights: v1.10.0 → v1.12.1
- cloud.google.com/go/container: v1.24.0 → v1.29.0
- cloud.google.com/go/containeranalysis: v0.10.1 → v0.11.3
- cloud.google.com/go/datacatalog: v1.16.0 → v1.19.2
- cloud.google.com/go/dataflow: v0.9.1 → v0.9.4
- cloud.google.com/go/dataform: v0.8.1 → v0.9.1
- cloud.google.com/go/datafusion: v1.7.1 → v1.7.4
- cloud.google.com/go/datalabeling: v0.8.1 → v0.8.4
- cloud.google.com/go/dataplex: v1.9.0 → v1.14.0
- cloud.google.com/go/dataproc/v2: v2.0.1 → v2.3.0
- cloud.google.com/go/dataqna: v0.8.1 → v0.8.4
- cloud.google.com/go/datastore: v1.13.0 → v1.15.0
- cloud.google.com/go/datastream: v1.10.0 → v1.10.3
- cloud.google.com/go/deploy: v1.13.0 → v1.17.0
- cloud.google.com/go/dialogflow: v1.40.0 → v1.48.1
- cloud.google.com/go/dlp: v1.10.1 → v1.11.1
- cloud.google.com/go/documentai: v1.22.0 → v1.23.7
- cloud.google.com/go/domains: v0.9.1 → v0.9.4
- cloud.google.com/go/edgecontainer: v1.1.1 → v1.1.4
- cloud.google.com/go/essentialcontacts: v1.6.2 → v1.6.5
- cloud.google.com/go/eventarc: v1.13.0 → v1.13.3
- cloud.google.com/go/filestore: v1.7.1 → v1.8.0
- cloud.google.com/go/firestore: v1.12.0 → v1.14.0
- cloud.google.com/go/functions: v1.15.1 → v1.15.4
- cloud.google.com/go/gkebackup: v1.3.0 → v1.3.4
- cloud.google.com/go/gkeconnect: v0.8.1 → v0.8.4
- cloud.google.com/go/gkehub: v0.14.1 → v0.14.4
- cloud.google.com/go/gkemulticloud: v1.0.0 → v1.1.0
- cloud.google.com/go/gsuiteaddons: v1.6.1 → v1.6.4
- cloud.google.com/go/iam: v1.1.1 → v1.1.5
- cloud.google.com/go/iap: v1.8.1 → v1.9.3
- cloud.google.com/go/ids: v1.4.1 → v1.4.4
- cloud.google.com/go/iot: v1.7.1 → v1.7.4
- cloud.google.com/go/kms: v1.15.0 → v1.15.5
- cloud.google.com/go/language: v1.10.1 → v1.12.2
- cloud.google.com/go/lifesciences: v0.9.1 → v0.9.4
- cloud.google.com/go/logging: v1.7.0 → v1.9.0
- cloud.google.com/go/longrunning: v0.5.1 → v0.5.4
- cloud.google.com/go/managedidentities: v1.6.1 → v1.6.4
- cloud.google.com/go/maps: v1.4.0 → v1.6.3
- cloud.google.com/go/mediatranslation: v0.8.1 → v0.8.4
- cloud.google.com/go/memcache: v1.10.1 → v1.10.4
- cloud.google.com/go/metastore: v1.12.0 → v1.13.3
- cloud.google.com/go/monitoring: v1.15.1 → v1.17.0
- cloud.google.com/go/networkconnectivity: v1.12.1 → v1.14.3
- cloud.google.com/go/networkmanagement: v1.8.0 → v1.9.3
- cloud.google.com/go/networksecurity: v0.9.1 → v0.9.4
- cloud.google.com/go/notebooks: v1.9.1 → v1.11.2
- cloud.google.com/go/optimization: v1.4.1 → v1.6.2
- cloud.google.com/go/orchestration: v1.8.1 → v1.8.4
- cloud.google.com/go/orgpolicy: v1.11.1 → v1.12.0
- cloud.google.com/go/osconfig: v1.12.1 → v1.12.4
- cloud.google.com/go/oslogin: v1.10.1 → v1.13.0
- cloud.google.com/go/phishingprotection: v0.8.1 → v0.8.4
- cloud.google.com/go/policytroubleshooter: v1.8.0 → v1.10.2
- cloud.google.com/go/privatecatalog: v0.9.1 → v0.9.4
- cloud.google.com/go/pubsub: v1.33.0 → v1.34.0
- cloud.google.com/go/recaptchaenterprise/v2: v2.7.2 → v2.9.0
- cloud.google.com/go/recommendationengine: v0.8.1 → v0.8.4
- cloud.google.com/go/recommender: v1.10.1 → v1.12.0
- cloud.google.com/go/redis: v1.13.1 → v1.14.1
- cloud.google.com/go/resourcemanager: v1.9.1 → v1.9.4
- cloud.google.com/go/resourcesettings: v1.6.1 → v1.6.4
- cloud.google.com/go/retail: v1.14.1 → v1.14.4
- cloud.google.com/go/run: v1.2.0 → v1.3.3
- cloud.google.com/go/scheduler: v1.10.1 → v1.10.5
- cloud.google.com/go/secretmanager: v1.11.1 → v1.11.4
- cloud.google.com/go/security: v1.15.1 → v1.15.4
- cloud.google.com/go/securitycenter: v1.23.0 → v1.24.3
- cloud.google.com/go/servicedirectory: v1.11.0 → v1.11.3
- cloud.google.com/go/shell: v1.7.1 → v1.7.4
- cloud.google.com/go/spanner: v1.47.0 → v1.55.0
- cloud.google.com/go/speech: v1.19.0 → v1.21.0
- cloud.google.com/go/storagetransfer: v1.10.0 → v1.10.3
- cloud.google.com/go/talent: v1.6.2 → v1.6.5
- cloud.google.com/go/texttospeech: v1.7.1 → v1.7.4
- cloud.google.com/go/tpu: v1.6.1 → v1.6.4
- cloud.google.com/go/trace: v1.10.1 → v1.10.4
- cloud.google.com/go/translate: v1.8.2 → v1.10.0
- cloud.google.com/go/video: v1.19.0 → v1.20.3
- cloud.google.com/go/videointelligence: v1.11.1 → v1.11.4
- cloud.google.com/go/vision/v2: v2.7.2 → v2.7.5
- cloud.google.com/go/vmmigration: v1.7.1 → v1.7.4
- cloud.google.com/go/vmwareengine: v1.0.0 → v1.0.3
- cloud.google.com/go/vpcaccess: v1.7.1 → v1.7.4
- cloud.google.com/go/webrisk: v1.9.1 → v1.9.4
- cloud.google.com/go/websecurityscanner: v1.6.1 → v1.6.4
- cloud.google.com/go/workflows: v1.11.1 → v1.12.3
- cloud.google.com/go: v0.110.7 → v0.112.0
- github.com/Azure/go-ansiterm: d185dfc → 306776e
- github.com/Microsoft/go-winio: v0.6.0 → v0.6.2
- github.com/armon/circbuf: bbbad09 → 5111143
- github.com/cilium/ebpf: v0.9.1 → v0.16.0
- github.com/containerd/console: v1.0.3 → v1.0.4
- github.com/containerd/ttrpc: v1.2.2 → v1.2.5
- github.com/coredns/corefile-migration: v1.0.21 → v1.0.24
- github.com/cyphar/filepath-securejoin: v0.2.4 → v0.3.4
- github.com/distribution/reference: v0.5.0 → v0.6.0
- github.com/docker/docker: v20.10.27+incompatible → v26.1.4+incompatible
- github.com/docker/go-connections: v0.4.0 → v0.5.0
- github.com/exponent-io/jsonpath: d6023ce → 1de76d7
- github.com/go-openapi/jsonpointer: v0.19.6 → v0.21.0
- github.com/go-openapi/swag: v0.22.4 → v0.23.0
- github.com/golang/mock: v1.3.1 → v1.1.1
- github.com/google/cadvisor: v0.49.0 → v0.51.0
- github.com/google/cel-go: v0.20.1 → v0.22.0
- github.com/google/pprof: 4bfdf5a → d1b30fe
- github.com/gregjones/httpcache: 9cad4c3 → 901d907
- github.com/jonboulle/clockwork: v0.2.2 → v0.4.0
- github.com/moby/spdystream: v0.4.0 → v0.5.0
- github.com/moby/sys/mountinfo: v0.7.1 → v0.7.2
- github.com/mohae/deepcopy: 491d360 → c48cc78
- github.com/onsi/ginkgo/v2: v2.19.0 → v2.21.0
- github.com/onsi/gomega: v1.33.1 → v1.35.1
- github.com/opencontainers/image-spec: v1.0.2 → v1.1.0
- github.com/opencontainers/runc: v1.1.13 → v1.2.1
- github.com/opencontainers/runtime-spec: 494a5a6 → v1.2.0
- github.com/opencontainers/selinux: v1.11.0 → v1.11.1
- github.com/stoewer/go-strcase: v1.2.0 → v1.3.0
- github.com/urfave/cli: v1.22.2 → v1.22.14
- github.com/vishvananda/netlink: v1.1.0 → b1ce50c
- github.com/xiang90/probing: 43a291a → a49e3df
- go.etcd.io/bbolt: v1.3.9 → v1.3.11
- go.etcd.io/etcd/api/v3: v3.5.14 → v3.5.16
- go.etcd.io/etcd/client/pkg/v3: v3.5.14 → v3.5.16
- go.etcd.io/etcd/client/v2: v2.305.13 → v2.305.16
- go.etcd.io/etcd/client/v3: v3.5.14 → v3.5.16
- go.etcd.io/etcd/pkg/v3: v3.5.13 → v3.5.16
- go.etcd.io/etcd/raft/v3: v3.5.13 → v3.5.16
- go.etcd.io/etcd/server/v3: v3.5.13 → v3.5.16
- go.uber.org/zap: v1.26.0 → v1.27.0
- golang.org/x/crypto: v0.24.0 → v0.28.0
- golang.org/x/exp: f3d0a9c → 8a7402a
- golang.org/x/lint: 1621716 → d0100b6
- golang.org/x/mod: v0.17.0 → v0.21.0
- golang.org/x/net: v0.26.0 → v0.30.0
- golang.org/x/oauth2: v0.21.0 → v0.23.0
- golang.org/x/sync: v0.7.0 → v0.8.0
- golang.org/x/sys: v0.21.0 → v0.26.0
- golang.org/x/telemetry: f48c80b → bda5523
- golang.org/x/term: v0.21.0 → v0.25.0
- golang.org/x/text: v0.16.0 → v0.19.0
- golang.org/x/time: v0.3.0 → v0.7.0
- golang.org/x/tools: e35e4cc → v0.26.0
- golang.org/x/xerrors: 04be3eb → 5ec99f8
- google.golang.org/genproto/googleapis/api: 5315273 → f6391c0
- google.golang.org/genproto/googleapis/rpc: f6361c8 → f6391c0
- google.golang.org/genproto: b8732ec → ef43131
- google.golang.org/protobuf: v1.34.2 → v1.35.1
- gotest.tools/v3: v3.0.3 → v3.0.2
- honnef.co/go/tools: v0.0.1-2019.2.3 → ea95bdf
- k8s.io/gengo/v2: 51d4e06 → 2b36238
- k8s.io/kube-openapi: 70dd376 → 32ad38e
- k8s.io/system-validators: v1.8.0 → v1.9.1
- k8s.io/utils: 18e509b → 3ea5e8c
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.30.3 → v0.31.0
- sigs.k8s.io/json: bc3834c → 9aa6b5e
- sigs.k8s.io/kustomize/api: v0.17.2 → v0.18.0
- sigs.k8s.io/kustomize/cmd/config: v0.14.1 → v0.15.0
- sigs.k8s.io/kustomize/kustomize/v5: v5.4.2 → v5.5.0
- sigs.k8s.io/kustomize/kyaml: v0.17.1 → v0.18.1
- sigs.k8s.io/structured-merge-diff/v4: v4.4.1 → v4.4.2
Removed:
- bazil.org/fuse: 371fbbd
- cloud.google.com/go/storage: v1.0.0
- dmitri.shuralyov.com/gpu/mtl: 666a987
- github.com/BurntSushi/xgb: 27f1227
- github.com/Microsoft/hcsshim: v0.8.26
- github.com/OneOfOne/xxhash: v1.2.2
- github.com/alecthomas/template: a0175ee
- github.com/armon/consul-api: eb2c6b5
- github.com/armon/go-metrics: f0300d1
- github.com/armon/go-radix: 7fddfc3
- github.com/aws/aws-sdk-go: v1.35.24
- github.com/bgentry/speakeasy: v0.1.0
- github.com/bketelsen/crypt: 5cbc8cc
- github.com/cespare/xxhash: v1.1.0
- github.com/checkpoint-restore/go-criu/v5: v5.3.0
- github.com/chzyer/logex: v1.1.10
- github.com/chzyer/test: a1ea475
- github.com/containerd/cgroups: v1.1.0
- github.com/containerd/containerd: v1.4.9
- github.com/containerd/continuity: v0.1.0
- github.com/containerd/fifo: v1.0.0
- github.com/containerd/go-runc: v1.0.0
- github.com/containerd/typeurl: v1.0.2
- github.com/coreos/bbolt: v1.3.2
- github.com/coreos/etcd: v3.3.13+incompatible
- github.com/coreos/go-systemd: 95778df
- github.com/coreos/pkg: 399ea9e
- github.com/daviddengcn/go-colortext: v1.0.0
- github.com/dgrijalva/jwt-go: v3.2.0+incompatible
- github.com/dgryski/go-sip13: e10d5fe
- github.com/docker/distribution: v2.8.2+incompatible
- github.com/fatih/color: v1.7.0
- github.com/frankban/quicktest: v1.14.0
- github.com/go-gl/glfw: e6da0ac
- github.com/gogo/googleapis: v1.4.1
- github.com/golangplus/bytes: v1.0.0
- github.com/golangplus/fmt: v1.0.0
- github.com/golangplus/testing: v1.0.0
- github.com/google/martian: v2.1.0+incompatible
- github.com/google/renameio: v0.1.0
- github.com/googleapis/gax-go/v2: v2.0.5
- github.com/gopherjs/gopherjs: 0766667
- github.com/hashicorp/consul/api: v1.1.0
- github.com/hashicorp/consul/sdk: v0.1.1
- github.com/hashicorp/errwrap: v1.0.0
- github.com/hashicorp/go-cleanhttp: v0.5.1
- github.com/hashicorp/go-immutable-radix: v1.0.0
- github.com/hashicorp/go-msgpack: v0.5.3
- github.com/hashicorp/go-multierror: v1.0.0
- github.com/hashicorp/go-rootcerts: v1.0.0
- github.com/hashicorp/go-sockaddr: v1.0.0
- github.com/hashicorp/go-syslog: v1.0.0
- github.com/hashicorp/go-uuid: v1.0.1
- github.com/hashicorp/go.net: v0.0.1
- github.com/hashicorp/golang-lru: v0.5.1
- github.com/hashicorp/hcl: v1.0.0
- github.com/hashicorp/logutils: v1.0.0
- github.com/hashicorp/mdns: v1.0.0
- github.com/hashicorp/memberlist: v0.1.3
- github.com/hashicorp/serf: v0.8.2
- github.com/imdario/mergo: v0.3.6
- github.com/jmespath/go-jmespath: v0.4.0
- github.com/jstemmer/go-junit-report: af01ea7
- github.com/jtolds/gls: v4.20.0+incompatible
- github.com/magiconair/properties: v1.8.1
- github.com/mattn/go-colorable: v0.0.9
- github.com/mattn/go-isatty: v0.0.3
- github.com/miekg/dns: v1.0.14
- github.com/mitchellh/cli: v1.0.0
- github.com/mitchellh/go-homedir: v1.1.0
- github.com/mitchellh/go-testing-interface: v1.0.0
- github.com/mitchellh/gox: v0.4.0
- github.com/mitchellh/iochan: v1.0.0
- github.com/mitchellh/mapstructure: v1.1.2
- github.com/oklog/ulid: v1.3.1
- github.com/pascaldekloe/goe: 57f6aae
- github.com/pelletier/go-toml: v1.2.0
- github.com/posener/complete: v1.1.1
- github.com/prometheus/tsdb: v0.7.1
- github.com/ryanuber/columnize: 9b3edd6
- github.com/sean-/seed: e2103e2
- github.com/shurcooL/sanitized_anchor_name: v1.0.0
- github.com/smartystreets/assertions: b2de0cb
- github.com/smartystreets/goconvey: v1.6.4
- github.com/spaolacci/murmur3: f09979e
- github.com/spf13/afero: v1.1.2
- github.com/spf13/cast: v1.3.0
- github.com/spf13/jwalterweatherman: v1.0.0
- github.com/spf13/viper: v1.7.0
- github.com/subosito/gotenv: v1.2.0
- github.com/ugorji/go: v1.1.4
- github.com/xordataexchange/crypt: b2862e3
- go.opencensus.io: v0.24.0
- go.starlark.net: a134d8f
- golang.org/x/image: cff245a
- golang.org/x/mobile: d2bd2a2
- google.golang.org/api: v0.13.0
- gopkg.in/alecthomas/kingpin.v2: v2.2.6
- gopkg.in/errgo.v2: v2.1.0
- gopkg.in/ini.v1: v1.51.0
- gopkg.in/resty.v1: v1.12.0
- rsc.io/binaryregexp: v0.2.0
Kubernetes v1.31.4
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.9 (#128912, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix bug where PodCIDR was released before node was deleted (#128806, @adrianmoisey) [SIG Apps and Network]
Dependencies
Added:
- _Nothing has changed._
Changed:
- _Nothing has changed._
Removed:
- _Nothing has changed._
Kubernetes v1.29.12
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.9 (#128914, @cpanato) [SIG Release and Testing]
Dependencies
Added:
- _Nothing has changed._
Changed:
- _Nothing has changed._
Removed:
- _Nothing has changed._
Kubernetes v1.30.8
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.9 (#128913, @cpanato) [SIG Release and Testing]
Dependencies
Added:
- _Nothing has changed._
Changed:
- _Nothing has changed._
Removed:
- _Nothing has changed._
Node v23.4.0
Notable Changes
Introducing experimental `assert.partialDeepStrictEqual`:
- Sometimes, when writing tests, we want to validate that some specific properties are present, and the mere presence of additional keys is not relevant for that specific test. For this use case, we can now use `assert.partialDeepStrictEqual`, which should be familiar to those already using `assert.deepStrictEqual`, with the main difference that it does not require all properties in the `actual` parameter to be present in the `expected` parameter. Here are a few examples of usage:
```js
const assert = require('node:assert');

// Plain objects: extra keys in `actual` are ignored.
assert.partialDeepStrictEqual(
  { a: 1, b: 2, c: 3 },
  { a: 1, b: 2 },
);
// Arrays
assert.partialDeepStrictEqual(
  [1, 2, 3, 4],
  [2, 3],
);
// Nested objects
assert.partialDeepStrictEqual(
  { a: { b: { c: 1, d: 2 } }, e: 3 },
  { a: { b: { c: 1 } } },
);
// Sets
assert.partialDeepStrictEqual(
  new Set([{ a: 1 }, { b: 1 }]),
  new Set([{ a: 1 }]),
);
// Mixed containers
assert.partialDeepStrictEqual(
  { a: new Set([{ a: 1 }, { b: 1 }]), b: new Map(), c: [1, 2, 3] },
  { a: new Set([{ a: 1 }]), c: [2] },
);
```
Contributed by Giovanni Bucci in [#54630]
Implement `--trace-env` and `--trace-env-[js|native]-stack`:
- This release introduces `--trace-env`, `--trace-env-js-stack` and `--trace-env-native-stack` CLI options that print information about any access to environment variables done in the current Node.js instance to stderr. Currently in the logs, only the names of the environment variables being accessed are printed, while the values are not printed to avoid leaking sensitive information. To print the stack trace of the access, use `--trace-env-js-stack` and/or `--trace-env-native-stack`. Contributed by Joyee Cheung in [#55604]
Other notable Changes:
- [`59d6891872`] - **doc**: add LJHarb to collaborators (Jordan Harband) [#56132]
- [`565b04a7be`] - **(SEMVER-MINOR)** **net**: add `BlockList.isBlockList(value)` (James M Snell) [#56078]
- [`c9698ed6a4`] - **(SEMVER-MINOR)** **net**: support `blockList` in `net.connect` (theanarkh) [#56075]
- [`30d604180d`] - **(SEMVER-MINOR)** **net**: support `blockList` in `net.Server` (theanarkh) [#56079]
- [`9fba5e1df1`] - **(SEMVER-MINOR)** **net**: add `SocketAddress.parse` (James M Snell) [#56076]
- [`4cdb03201e`] - **(SEMVER-MINOR)** **process**: deprecate `features.{ipv6,uv}` and `features.tls_*` (René) [#55545]
- [`efb9f05f59`] - **(SEMVER-MINOR)** **sqlite**: unflag `node:sqlite` module (Colin Ihrig) [#55890]
- [`d777d4a52d`] - **(SEMVER-MINOR)** **sqlite**: add `StatementSync.prototype.iterate` method (tpoisseau) [#54213]
Commits:
- [`5b0ce376a2`] - **assert**: optimize partial comparison of two `Set`s (Antoine du Hamel) [#55970]
- [`a4f57f0293`] - **(SEMVER-MINOR)** **assert**: add partialDeepStrictEqual (Giovanni Bucci) [#54630]
- [`1b81a7d003`] - **build**: allow overriding clang usage (Shelley Vohr) [#56016]
- [`39c901307f`] - **build**: remove defaults for create-release-proposal (Rafael Gonzaga) [#56042]
- [`7133c0459f`] - **build**: avoid compiling with VS v17.12 (Stefan Stojanovic) [#55930]
- [`ce53f1689f`] - **build**: set node\_arch to target\_cpu in GN (Shelley Vohr) [#55967]
- [`2023b09d27`] - **build**: add create release proposal action (Rafael Gonzaga) [#55690]
- [`26ec99634c`] - **build**: use variable for crypto dep path (Shelley Vohr) [#55928]
- [`f48e289580`] - **build**: fix GN build for sqlite (Cheng) [#55912]
- [`fffabca6b8`] - **build**: compile bundled simdutf conditionally (Jakub Jirutka) [#55886]
- [`d8eb83c5c5`] - **build**: compile bundled simdjson conditionally (Jakub Jirutka) [#55886]
- [`83e02dc482`] - **build**: compile bundled ada conditionally (Jakub Jirutka) [#55886]
- [`816d37a187`] - **(SEMVER-MINOR)** **cli**: implement --trace-env and --trace-env-[js|native]-stack (Joyee Cheung) [#55604]
- [`53c0f2f186`] - **crypto**: ensure CryptoKey usages and algorithm are cached objects (Filip Skokan) [#56108]
- [`93d36bf1c8`] - **crypto**: allow non-multiple of 8 in SubtleCrypto.deriveBits (Filip Skokan) [#55296]
- [`8680b8030c`] - **deps**: update ngtcp2 to 1.9.1 (Node.js GitHub Bot) [#56095]
- [`78a2a6ca1e`] - **deps**: upgrade npm to 10.9.2 (npm team) [#56135]
- [`52dfe5af4b`] - **deps**: update sqlite to 3.47.1 (Node.js GitHub Bot) [#56094]
- [`3852b5c8d1`] - **deps**: update zlib to 1.3.0.1-motley-82a5fec (Node.js GitHub Bot) [#55980]
- [`f99f95f62f`] - **deps**: update corepack to 0.30.0 (Node.js GitHub Bot) [#55977]
- [`96e846de89`] - **deps**: update ngtcp2 to 1.9.0 (Node.js GitHub Bot) [#55975]
- [`d180a8aedb`] - **deps**: update simdutf to 5.6.3 (Node.js GitHub Bot) [#55973]
- [`288416a764`] - **deps**: upgrade npm to 10.9.1 (npm team) [#55951]
- [`cf3f7ac512`] - **deps**: update zlib to 1.3.0.1-motley-7e2e4d7 (Node.js GitHub Bot) [#54432]
- [`7768b3d054`] - **deps**: update simdjson to 3.10.1 (Node.js GitHub Bot) [#54678]
- [`9c6103833b`] - **deps**: update simdutf to 5.6.2 (Node.js GitHub Bot) [#55889]
- [`7b133d6220`] - **dgram**: check udp buffer size to avoid fd leak (theanarkh) [#56084]
- [`e4529b8179`] - **doc**: add report version and history section (Chengzhong Wu) [#56130]
- [`718625a03a`] - **doc**: mention `-a` flag for the release script (Ruy Adorno) [#56124]
- [`59d6891872`] - **doc**: add LJHarb to collaborators (Jordan Harband) [#56132]
- [`d7ed32404a`] - **doc**: add create-release-action to process (Rafael Gonzaga) [#55993]
- [`3b4ef93371`] - **doc**: rename file to advocacy-ambassador-program.md (Tobias Nießen) [#56046]
- [`59e4087d5e`] - **doc**: add added tag and fix typo sqlite.md (Bart Louwers) [#56012]
- [`a1b26608ae`] - **doc**: remove unused import from sample code (Blended Bram) [#55570]
- [`498f44ad73`] - **doc**: add FAQ to releases section (Rafael Gonzaga) [#55992]
- [`d48348afaa`] - **doc**: move history entry to class description (Luigi Pinca) [#55991]
- [`96926ce13c`] - **doc**: add history entry for textEncoder.encodeInto() (Luigi Pinca) [#55990]
- [`e92d51d511`] - **doc**: improve GN build documentation a bit (Shelley Vohr) [#55968]
- [`6be3824d6f`] - **doc**: fix deprecation codes (Filip Skokan) [#56018]
- [`fa2b35d28d`] - **doc**: remove confusing and outdated sentence (Luigi Pinca) [#55988]
- [`baed2763df`] - **doc**: deprecate passing invalid types in `fs.existsSync` (Carlos Espa) [#55892]
- [`a3f7db6b6d`] - **doc**: add doc for PerformanceObserver.takeRecords() (skyclouds2001) [#55786]
- [`770572423b`] - **doc**: add vetted courses to the ambassador benefits (Matteo Collina) [#55934]
- [`98f8f4a8a9`] - **doc**: order `node:crypto` APIs alphabetically (Julian Gassner) [#55831]
- [`1e0decb44c`] - **doc**: doc how to add message for promotion (Michael Dawson) [#55843]
- [`ff48c29724`] - **doc**: add esm example for zlib (Leonardo Peixoto) [#55946]
- [`ccc5a6d552`] - **doc**: document approach for building wasm in deps (Michael Dawson) [#55940]
- [`c8bb8a6ac5`] - **doc**: fix Node.js 23 column in CHANGELOG.md (Richard Lau) [#55935]
- [`9d078802ad`] - **doc**: remove RedYetiDev from triagers team (Aviv Keller) [#55947]
- [`5a2a757119`] - **doc**: add esm examples to node:timers (Alfredo González) [#55857]
- [`f711a48e15`] - **doc**: fix relative path mention in --allow-fs (Rafael Gonzaga) [#55791]
- [`219f5f2627`] - **doc**: include git node release --promote to steps (Rafael Gonzaga) [#55835]
- [`f9d25ed3e4`] - **doc**: add history entry for import assertion removal (Antoine du Hamel) [#55883]
- [`efb9f05f59`] - **(SEMVER-MINOR)** **doc,lib,src,test**: unflag sqlite module (Colin Ihrig) [#55890]
- [`a37e5fe5f8`] - **fs**: lazily load ReadFileContext (Gürgün Dayıoğlu) [#55998]
- [`9289374248`] - **http2**: fix memory leak caused by premature listener removing (ywave620) [#55966]
- [`49af1c33ac`] - **lib**: add validation for options in compileFunction (Taejin Kim) [#56023]
- [`8faf91846b`] - **lib**: fix `fs.readdir` recursive async (Rafael Gonzaga) [#56041]
- [`a2382303d7`] - **lib**: refactor code to improve readability (Pietro Marchini) [#55995]
- [`30f26ba254`] - **lib**: avoid excluding symlinks in recursive fs.readdir with filetypes (Juan José) [#55714]
- [`9b272ae339`] - **meta**: bump github/codeql-action from 3.27.0 to 3.27.5 (dependabot[bot]) [#56103]
- [`fb0e6ca68b`] - **meta**: bump actions/checkout from 4.1.7 to 4.2.2 (dependabot[bot]) [#56102]
- [`0ab611513c`] - **meta**: bump step-security/harden-runner from 2.10.1 to 2.10.2 (dependabot[bot]) [#56101]
- [`ff4839b8ab`] - **meta**: bump actions/setup-node from 4.0.3 to 4.1.0 (dependabot[bot]) [#56100]
- [`f262207356`] - **meta**: add releasers as CODEOWNERS to proposal action (Rafael Gonzaga) [#56043]
- [`b6005b3fac`] - **module**: mark evaluation rejection in require(esm) as handled (Joyee Cheung) [#56122]
- [`b8ab5332a9`] - **module**: remove --experimental-default-type (Geoffrey Booth) [#56092]
- [`4be5047030`] - **module**: do not warn when require(esm) comes from node\_modules (Joyee Cheung) [#55960]
- [`c9698ed6a4`] - **(SEMVER-MINOR)** **net**: support blocklist in net.connect (theanarkh) [#56075]
- [`9fba5e1df1`] - **(SEMVER-MINOR)** **net**: add SocketAddress.parse (James M Snell) [#56076]
- [`565b04a7be`] - **(SEMVER-MINOR)** **net**: add net.BlockList.isBlockList(value) (James M Snell) [#56078]
- [`30d604180d`] - **(SEMVER-MINOR)** **net**: support blocklist for net.Server (theanarkh) [#56079]
- [`4cdb03201e`] - **(SEMVER-MINOR)** **process**: deprecate `features.{ipv6,uv}` and `features.tls_*` (René) [#55545]
- [`d09e57b26d`] - **quic**: update more QUIC implementation (James M Snell) [#55986]
- [`1fb30d6e86`] - **quic**: multiple updates to quic impl (James M Snell) [#55971]
- [`9e4f7aa808`] - **sqlite**: deps include `sqlite3ext.h` (Alex Yang) [#56010]
- [`d777d4a52d`] - **(SEMVER-MINOR)** **sqlite**: add `StatementSync.prototype.iterate` method (tpoisseau) [#54213]
- [`66451bb9ba`] - **src**: use spaceship operator in SocketAddress (James M Snell) [#56059]
- [`ad9ebe417a`] - **src**: add missing qualifiers to env.cc (Yagiz Nizipli) [#56062]
- [`56c4da240d`] - **src**: use std::string\_view for process emit fns (Yagiz Nizipli) [#56086]
- [`26ab8e9823`] - **src**: remove dead code in async\_wrap (Gerhard Stöbich) [#56065]
- [`4dea44e468`] - **src**: avoid copy on getV8FastApiCallCount (Yagiz Nizipli) [#56081]
- [`b778a4fe46`] - **src**: fix check fd (theanarkh) [#56000]
- [`971f5f54df`] - **src**: safely remove the last line from dotenv (Shima Ryuhei) [#55982]
- [`497a9aea1c`] - **src**: fix kill signal on Windows (Hüseyin Açacak) [#55514]
- [`8a935489f9`] - **src,build**: add no user defined deduction guides of CTAD check (Chengzhong Wu) [#56071]
- [`5edb8d5919`] - **test**: remove test-fs-utimes flaky designation (Luigi Pinca) [#56052]
- [`046e642a80`] - **test**: ensure `cli.md` is in alphabetical order (Antoine du Hamel) [#56025]
- [`da354f46cd`] - **test**: update WPT for WebCryptoAPI to 3e3374efde (Node.js GitHub Bot) [#56093]
- [`9486c7ce4c`] - **test**: update WPT for WebCryptoAPI to 76dfa54e5d (Node.js GitHub Bot) [#56093]
- [`a8809fc0f5`] - **test**: move test-worker-arraybuffer-zerofill to parallel (Luigi Pinca) [#56053]
- [`6194435b9e`] - **test**: update WPT for url to 67880a4eb83ca9aa732eec4b35a1971ff5bf37ff (Node.js GitHub Bot) [#55999]
- [`f7567d46d8`] - **test**: make HTTP/1.0 connection test more robust (Arne Keller) [#55959]
- [`c157e026fc`] - **test**: convert readdir test to use test runner (Thomas Chetwin) [#55750]
- [`29362ce673`] - **test**: make x509 crypto tests work with BoringSSL (Shelley Vohr) [#55927]
- [`493e16c852`] - **test**: fix determining lower priority (Livia Medeiros) [#55908]
- [`99858ceb9f`] - **test,crypto**: update WebCryptoAPI WPT (Filip Skokan) [#55997]
- [`7c3a4d4bcd`] - **test\_runner**: refactor Promise chain in run() (Colin Ihrig) [#55958]
- [`95e8c4ef6c`] - **test\_runner**: refactor build Promise in Suite() (Colin Ihrig) [#55958]
- [`c048865199`] - **test\_runner**: simplify hook running logic (Colin Ihrig) [#55963]
- [`8197815fe8`] - **test\_runner**: mark snapshot testing as stable (Colin Ihrig) [#55897]
- [`8a5d8c7669`] - **test\_runner**: mark context.plan() as stable (Colin Ihrig) [#55895]
- [`790a2ca3b7`] - **tools**: update `create-release-proposal` workflow (Antoine du Hamel) [#56054]
- [`98ce4652e2`] - **tools**: fix update-undici script (Michaël Zasso) [#56069]
- [`d6a6c8ace1`] - **tools**: allow dispatch of `tools.yml` from forks (Antoine du Hamel) [#56008]
- [`cc96fce5eb`] - **tools**: fix nghttp3 updater script (Antoine du Hamel) [#56007]
- [`2cd939cb95`] - **tools**: filter release keys to reduce interactivity (Antoine du Hamel) [#55950]
- [`4b3919f1be`] - **tools**: update WPT updater (Antoine du Hamel) [#56003]
- [`54c46b8464`] - **tools**: add WPT updater for specific subsystems (Mert Can Altin) [#54460]
- [`32b1681b7f`] - **tools**: use tokenless Codecov uploads (Michaël Zasso) [#55943]
- [`475141e370`] - **tools**: add linter for release commit proposals (Antoine du Hamel) [#55923]
- [`d093820f64`] - **tools**: lint js in `doc/**/*.md` (Livia Medeiros) [#55904]
- [`72eb710f0f`] - **tools**: fix riscv64 build failed (Lu Yahan) [#52888]
- [`882b70c83f`] - **tools**: bump cross-spawn from 7.0.3 to 7.0.5 in /tools/eslint (dependabot[bot]) [#55894]
- [`9eccd7dba9`] - **util**: add fast path for Latin1 decoding (Mert Can Altin) [#55275]
- RabbitMQ `4.0.5` is a maintenance release in the `4.0.x` [release series]. Starting June 1st, 2024, community support for this series will only be provided to [regularly contributing users] and those who hold a valid [commercial support license]. It is **strongly recommended** that you read [4.0 release notes] in detail if upgrading from a version prior to `4.0.0`.
Minimum Supported Erlang Version:
- This release requires Erlang 26 and supports Erlang versions up to `27.2.x`. [RabbitMQ and Erlang/OTP Compatibility Matrix] has more details on Erlang version requirements for RabbitMQ. Nodes **will fail to start** on older Erlang releases.
Changes Worth Mentioning:
- Release notes can be found on GitHub at [rabbitmq-server/release-notes]
Core Broker
Bug Fixes:
- Reintroduced transient flow control between classic queue replicas and AMQP 0-9-1 channels, MQTT connections. Flow control between these specific parts of the core was unintentionally removed in `4.0.0` together with classic queue mirroring. Contributed by @gomoripeti. GitHub issue: [#12907]
- The feature that warns when deprecated features are used in the cluster had a false positive that treated (and reported) any queue as a "transient non-exclusive classic queue", even if the queue was of a different type, was not transient, and so on. GitHub issue: [#12802]
- AMQP 1.0 clients with close to peak consumption rates and a high `max_link_credit` setting could run into an exception because RabbitMQ could set the incoming window size to a negative value. GitHub issues: [#12816] [#12904]
- AMQP 0-9-1 channel exception generator could not handle entity names (say, queue or stream names) that contained non-ASCII characters. This affected applications that use passive queue declarations, such as the Shovel plugin. Contributed by @bpint. GitHub issue: [#12888]
- Peer discovery resilience improvements. GitHub issues: [#12801] [#12809]
- Dead-lettering of some messages could result in an exception. GitHub issues: [#12933] [#12938]
Enhancements:
- For virtual hosts that have a [default queue type] configured, the DQT value is now injected into queue definitions in exported definition documents. GitHub issue: [#12776]
- Definition export files now have additional "type" markers that help distinguish a cluster-wide definition file from that of a single virtual host. GitHub issue: [#12835]
Prometheus Plugin and Grafana Dashboards
Enhancements:
- Two new metrics for streams. Contributed by @gomoripeti and @markus812498. GitHub issue: [#12765]
Management Plugin
Bug Fixes:
- Fixes a false positive that incorrectly reported deprecated feature use, specifically the use of non-exclusive transient classic queues. GitHub issue: [#12840]
- `GET /api/overview` did not format empty cluster and node list tags as an empty JSON object, which was problematic for HTTP API clients with statically typed response data structures. GitHub issue: [#12797]
- When a logged in user's JWT token was refreshed, the user identity displayed in the UI was changed. GitHub issue: [#12818]
OAuth 2 Plugin
Bug Fixes:
- When a logged in user's JWT token was refreshed, the user identity displayed in the UI was changed. GitHub issue: [#12818]
AWS Peer Discovery Plugin
Bug Fixes:
- Avoids an exception during automatic removal of cluster members that are no longer returned by peer discovery (an [opt-in feature]). GitHub issue: [#12809]
Kubernetes Peer Discovery Plugin
Bug Fixes:
- Avoids an exception during automatic removal of cluster members that are no longer returned by peer discovery (an [opt-in feature]). GitHub issue: [#12809]
Consul Peer Discovery Plugin
Bug Fixes:
- Avoids an exception during automatic removal of cluster members that are no longer returned by peer discovery (an [opt-in feature]). GitHub issue: [#12809]
etcd Peer Discovery Plugin
Bug Fixes:
- Avoids an exception during automatic removal of cluster members that are no longer returned by peer discovery (an [opt-in feature]). GitHub issue: [#12809]
Dependency Changes:
- `osiris` was upgraded to [`1.8.5`]
Build Commit
Source Code Archives:
- To obtain source code of the entire distribution, please download the archive named `rabbitmq-server-4.0.5.tar.xz` instead of the source tarball produced by GitHub.