Kubernetes - v1.27.2

Security

Changelog since v1.27.1

Changes by Kind

API Change

  • Added error handling for seccomp localhost configurations that do not properly set a localhostProfile (#117020, @cji) [SIG API Machinery and Node]
  • Fixed an issue where kubelet does not set case-insensitive headers for http probes. (#117182, @dddddai) (#117324, @dddddai) [SIG API Machinery, Apps and Node]
  • Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta (#117815, @kerthcet) [SIG Apps]

Feature

  • Kubernetes is now built with Go 1.20.4 (#117773, @xmudrii) [SIG Release and Testing]

Failing Test

  • Allow Azure Disk e2es to use newer topology labels if available from nodes (#117216, @gnufied) [SIG Storage and Testing]

Bug or Regression

  • CVE-2023-27561 CVE-2023-25809 CVE-2023-28642: Bump fix runc v1.1.4 -> v1.1.5 (#117242, @haircommander) [SIG Node]
  • During device plugin allocation, resources requested by the pod can only be allocated if the device plugin has registered itself to kubelet AND healthy devices are present on the node to be allocated. If these conditions are not satisfied, the pod would fail with UnexpectedAdmissionError error. (#117719, @swatisehgal) [SIG Node and Testing]
  • Fallback from OpenAPI V3 to V2 when the OpenAPI V3 document is invalid or incomplete. (#117980, @seans3) [SIG CLI]
  • Fix bug where listOfStrings.join() in CEL expressions resulted in an unexpected internal error. (#117596, @jpbetz) [SIG API Machinery]
  • Fix incorrect calculation for ResourceQuota with PriorityClass as its scope. (#117825, @Huang-Wei) [SIG API Machinery]
  • Fix performance regression in scheduler caused by frequent metric lookup on critical code path. (#117617, @tosi3k) [SIG Scheduling]
  • Fix: the volume is not detached after the pod and PVC objects are deleted (#117236, @cvvz) [SIG Storage]
  • Fixed a memory leak in the Kubernetes API server that occurs during APIService processing. (#117310, @enj) [SIG API Machinery]
  • Fixes a race condition serving OpenAPI content (#117708, @Jefftree) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Instrumentation and Node]
  • Fixes a regression in kubectl and client-go discovery when configured with a server URL other than the root of a server. (#117685, @ardaguclu) [SIG API Machinery]
  • Fixes bug where an incomplete OpenAPI V3 document can cause a nil-pointer crash.
    Ensures fallback to OpenAPI V2 endpoint for errors retrieving OpenAPI V3 document. (#117918, @seans3) [SIG CLI]
  • Kubeadm: fix a bug where file copy(backup) could not be executed correctly on Windows platform during upgrade (#117861, @SataQiu) [SIG Cluster Lifecycle]
  • Kubelet terminates pods correctly upon restart, fixing an issue where pods may not have been fully terminated if the kubelet was restarted during pod termination. (#117433, @bobbypage) [SIG Node and Testing]
  • Number of errors reported to the metric storage_operation_duration_seconds_count for emptyDir decreased significantly because previously one error was reported for each projected volume created. (#117022, @mpatlasov) [SIG Storage]
  • Resolves a spurious "Unknown discovery response content-type" error in client-go discovery requests by tolerating extra content-type parameters in API responses (#117637, @seans3) [SIG API Machinery]
  • Reverted NewVolumeManagerReconstruction and SELinuxMountReadWriteOncePod feature gates to disabled by default to resolve a regression of volume reconstruction on kubelet/node restart (#117752, @liggitt) [SIG Storage]
  • Static pods were taking extra time to be restarted after being updated. Static pods that are waiting to restart were not correctly counted in kubelet_working_pods. (#116995, @smarterclayton) [SIG Node]
  • [KCCM] service controller: change the cloud controller manager to make providerID a predicate when synchronizing nodes. This change allows load balancer integrations to ensure that the providerID is set when configuring load balancers and targets. (#117450, @alexanderConstantinescu) [SIG Cloud Provider and Network]

Other (Cleanup or Flake)

  • A v2-level info log will be added, which will output the details of the pod being preempted, including victim and preemptor (#117214, @HirazawaUi) [SIG Scheduling]
  • Structured logging of NamespacedName was inconsistent with klog.KObj. Now both use lower case field names and namespace is optional. (#117238, @pohly) [SIG API Machinery, Architecture and Instrumentation]

Dependencies

Added

Nothing has changed.

Changed

  • github.com/opencontainers/runc: v1.1.4 → v1.1.6
  • k8s.io/kube-openapi: 15aac26 → 8b0f38b
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.1.1 → v0.1.2

Removed

Nothing has changed.


Details

date: May 17, 2023, 9:55 p.m.
name: Kubernetes v1.27.2
type: Patch