Kubernetes - v1.26.10

Security

Changelog since v1.26.9

Changes by Kind

Feature

  • Kubernetes is now built with Go 1.20.10 (#121151, @cpanato) [SIG Release and Testing]
  • Kubernetes is now built with Go 1.20.9 (#121023, @cpanato) [SIG Release and Testing]

Bug or Regression

  • Adds an opt-in mitigation for the HTTP/2 DoS vulnerabilities CVE-2023-44487 and CVE-2023-39325 for the API server when the client is unauthenticated. The mitigation may be enabled by setting the UnauthenticatedHTTP2DOSMitigation feature gate to true (it is disabled by default). An API server fronted by an L7 load balancer that already mitigates these HTTP/2 attacks may choose not to enable the kube-apiserver mitigation, to avoid disrupting load balancer → kube-apiserver connections if HTTP/2 requests from multiple clients share the same backend connection. An API server on a private network may choose not to enable the kube-apiserver mitigation, to prevent performance regressions for unauthenticated clients. Authenticated requests rely on the fix in golang.org/x/net v0.17.0 alone. https://issue.k8s.io/121197 tracks further mitigation of HTTP/2 attacks by authenticated clients. (#121200, @enj) [SIG API Machinery]
  • Fix a bug in cronjob controller where already created jobs may be missing from the status. (#120649, @andrewsykim) [SIG Apps]
  • Fixed a 1.26.7 regression where kube-controller-manager can crash when a StatefulSet with Parallel policy and PVC labels is scaled up. (#121186, @aleksandra-malinowska) [SIG Apps]
  • Fixed attaching volumes after detach errors. Volumes that failed to detach are no longer treated as attached; Kubernetes will make sure they are fully attached before they can be used by pods. (#120595, @jsafrane) [SIG Apps and Storage]
  • Fixes a bug where Services using finalizers may hold onto ClusterIP and/or NodePort allocated resources for longer than expected if the finalizer is removed using the status subresource (#120656, @aojea) [SIG Network and Testing]
  • Fixes creationTimestamp: null causing unnecessary writes to etcd (#116865, @alexzielenski) [SIG API Machinery and Testing]
  • Revised the logic for DaemonSet rolling update to exclude nodes if scheduling constraints are not met.
    This eliminates the problem of rolling updates to a DaemonSet getting stuck around tolerations. (#120789, @mochizuki875) [SIG Apps and Testing]
  • Sometimes, the scheduler incorrectly placed a pod in the "unschedulable" queue instead of the "backoff" queue. This happened when some plugin previously declared the pod as "unschedulable" and then, in a later attempt, encountered some other error. Scheduling of that pod then got delayed by up to five minutes, after which periodic flushing moved the pod back into the "active" queue. (#120334, @pohly) [SIG Scheduling]

Other (Cleanup or Flake)

  • Etcd: update to v3.5.9 (#118078, @nikhita) [SIG Cloud Provider, Cluster Lifecycle and Testing]
  • Fixes an issue where the vsphere cloud provider will not trust a certificate if:
      • The issuer of the certificate is unknown (x509.UnknownAuthorityError)
      • The requested name does not match the set of authorized names (x509.HostnameError)
      • The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority" (#120766, @MadhavJivrajani) [SIG Architecture and Cloud Provider]
  • Set the resolution for the job_controller_job_sync_duration_seconds metric from 4ms to 1min (#120669, @mimowo) [SIG Apps and Instrumentation]

Dependencies

Added

Nothing has changed.

Changed

  • github.com/vmware/govmomi: v0.30.0 → v0.30.6
  • golang.org/x/crypto: v0.1.0 → v0.14.0
  • golang.org/x/net: v0.8.0 → v0.17.0
  • golang.org/x/sys: v0.6.0 → v0.13.0
  • golang.org/x/term: v0.6.0 → v0.13.0
  • golang.org/x/text: v0.8.0 → v0.13.0

Removed

Nothing has changed.


Details

date: Oct. 18, 2023, 3:47 p.m.
name: Kubernetes v1.26.10
type: Patch