Kubernetes - v1.28.0

Documentation

Changelog since v1.27.0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Action required for the custom scheduler plugin developers.
  Here's the breaking change in EnqueueExtension in the scheduling framework.
  The EventsToRegister in EnqueueExtension changed the return value from ClusterEvent to ClusterEventWithHint. ClusterEventWithHint allows each plugin to filter out more useless events via the callback function named QueueingHintFn.
  When the scheduling queue receives a cluster event, before moving each Pod from unschedulable pod pool to activeQ/backoffQ, it will call QueueingHintFn of plugins that rejected each Pod in the previous scheduling cycle.
  Depending on the value returned from QueueingHintFn, the scheduling queue changes how it queues each Pod:
• if more than one QueueingHintFn returns QueueImmediately, it queues Pod to activeQ.
• If no QueueingHintFn returns QueueImmediately and more than one plugin returns QueueAfterBackoff, it queues Pod to backoffQ if Pod is backing off, or to activeQ if Pod's backoff has already finished.
• If all QueueingHintFn return QueueSkip, it puts this pod back to the unschedulable pod pool

Having appropriate QueueingHintFn contributes to reducing useless retries and thus improves the overall scheduler's performance.

How can I migrate?

For backward compatibility, nil QueueingHintFn is treated as always returning QueueAfterBackoff.
So, if you want to just keep the existing behavior, you can register ClusterEventWithHint with no QueueingHintFn in it.
But, registering appropriate QueueingHintFn is, of course, better from a scheduling performance perspective. (#118551, @sanposhiho) [SIG Node, Scheduling, Storage and Testing]
- CephFS volume plugin (kubernetes.io/cephfs) has been deprecated in this release and will be removed in a subsequent release. The alternative is to use the CephFS CSI driver (https://github.com/ceph/ceph-csi/) in your Kubernetes cluster. (#118143, @humblec)
- Deprecated support for CSI migration of Ceph RBD volumes. Users who were relying on Kubernetes' ability
to migrate to an out-of-tree storage driver should complete that migration before the support for it is removed. (#118303, @carlory)
- RBD volume plugin (kubernetes.io/rbd) has been deprecated in this release
and will be removed in a subsequent release. Alternative is to use RBD CSI driver
(https://github.com/ceph/ceph-csi/) in your Kubernetes Cluster. (#118552, @humblec)

Changes by Kind

Deprecation

• Changed kubectl version default output to be identical to what kubectl version --short printed,
  and removed --short flag entirely. (#116720, @soltysh)
• Kube-controller-manager deprecate --volume-host-cidr-denylist and --volume-host-allow-local-loopback flags. (#118128, @carlory) [SIG API Machinery, Apps, Network, Node, Storage and Testing]
• Kubelet: The --azure-container-registry-config flag has been deprecated and will be removed in a future release, please use --image-credential-provider-config and --image-credential-provider-bin-dir to setup acr credential provider instead. (#118596, @SataQiu) [SIG Node]
• Removed tracking annotation from validation and defaulting. (#117633, @kannon92)
• Removed withdrawn feature NetworkPolicyStatus. (#115843, @rikatz)
• The deprecated flag --lock-object-namespace and --lock-object-name have been removed from kube-scheduler. Please use --leader-elect-resource-namespace and --leader-elect-resource-name or ComponentConfig instead to configure those parameters. (#119130, @SataQiu) [SIG Scheduling]
• KMSv1 is deprecated and will only receive security updates going forward. Use KMSv2 instead. In a future release, Set --feature-gates=KMSv1=true to use the deprecated KMSv1 feature. (#119007, @aramase)

API Change

• A CDIDevice field is included in the Device Plugin's ContainerAllocateResponse. This field maps to the CDIDevice field in the CRI protocol. (#118254, @elezar) [SIG Node and Testing]
• ACTION_REQUIRED
  When an Indexed Job has a number of completions higher than 10^5 and parallelism higher than 10^4, and a big number of Indexes fail, Kubernetes might not be able to track the termination of the Job. Kubernetes now emits a warning, at Job creation, when the Job manifest exceeds both of these limits. (#118420, @alculquicondor) [SIG Apps]
• Added ServedVersions field to StorageVersion API. (#118386, @Richabanker)
• Added IP mode field to loadbalancer status ingress. (#118895, @RyanAoh)
• Added podReplacementPolicy and terminating field to job api. (#119301, @kannon92)
• Added a new namespaceParamRef field to admissionregistration.k8s.io/v1alpha1.ValidatingAdmissionPolicy. (#119215, @alexzielenski) [SIG API Machinery and Testing]
• Added a warning that TLS 1.3 ciphers are not configurable. (#115399, @3u13r) [SIG API Machinery and Node]
• Added error handling for seccomp localhost configurations that do not properly set a localhostProfile. (#117020, @cji)
• Added fields reason and fieldPath into CRD validation rules to allow users to specify reason and field path when validation failed. (#118041, @cici37) [SIG API Machinery]
• Added namespace access support to the CEL expressions of ValidatingAdmissionPolicy via a namespaceObject
  variable with expressions. (#118267, @cici37) [SIG API Machinery and Testing]
• Added new CRDValidationRatcheting alpha feature. During a PATCH or UPDATE Validation Ratcheting discards errors thrown by unchanged portions of the resource from most OpenAPI schema validations. (#118990, @alexzielenski)
• Added new annotation batch.kubernetes.io/cronjob-scheduled-timestamp to Job objects scheduled from CronJobs. (#118137, @helayoty)
• Added new config option delayCacheUntilActive to KubeSchedulerConfiguration that can provide a tradeoff between memory efficiency and scheduling speed when their leadership is updated in kube-scheduler (#115754, @linxiulei) [SIG API Machinery and Scheduling]
• Changed how KMS v2 encryption at rest can generate data encryption keys.
  When you enable the KMSv2KDF feature gate (off by default), KMS v2 uses a key derivation function to generate single use data encryption keys from a secret seed combined with some random data. This eliminates the need for a counter based nonce while avoiding nonce collision concerns associated with AES-GCM's 12 byte nonce. (#118828, @enj)
• Exposed rest.DefaultServerUrlFor function. (#118055, @timofurrer)
• Extended the Job API for alpha version of BackoffLimitPerIndex. (#119294, @mimowo)
• Graduated AdmissionWebhookMatchCondition feature to beta. (#119380, @a-hilaly)
• If using cgroups v2, then the cgroup aware OOM killer will be enabled for container cgroups via memory.oom.group . This causes processes within the cgroup to be treated as a unit and killed simultaneously in the event of an OOM kill on any process in the cgroup. (#117793, @tzneal) [SIG Apps, Node and Testing]
• In the API Priority and Fairness feature, priority levels that are exempt from limitation can now be given a nominal and a lendable concurrency and their dispatching borrows from the concurrency limits of the other priority levels. For details see https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1040-priority-and-fairness#dispatching . (#118782, @MikeSpreitzer) [SIG API Machinery]
• Indexed Job pods now have the pod completion index set as a pod label. (#118883, @danielvegamyhre) [SIG Apps]
• Kube-proxy: added --logging-format flag to support structured logging. (#117800, @cyclinder)
• NodeVolumeLimits implement the PreFilter extension point for skipping the Filter phase if the Pod doesn't use volumes with limits. (#115398, @tangwz) [SIG Scheduling]
• PersistentVolumes have a new LastPhaseTransitionTime field which holds a timestamp of when the volume last transitioned its phase. (#116469, @RomanBednar)
• Pods which set hostNetwork: true and declare ports, get the hostPort field set automatically. Previously this would happen in the PodTemplate of a Deployment, DaemonSet or other workload API. Now hostPort will only be set when an actual Pod is being created. If this presents a problem, setting the feature gate "DefaultHostNetworkHostPortsInPodTemplates" to true will revert this behavior. Please file a kubernetes bug if you need to do this. (#117696, @thockin) [SIG Apps]
• Promoted API groups ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to v1beta1. (#118644, @alexzielenski) [SIG API Machinery, Apps and Testing]
• Promoted the feature gate ValidtaingAdmissionPolicy to beta, and it is turned off by default. (#119409, @alexzielenski)
• Registered_metric_total, disabled_metric_total, hidden_metric_total & kubernetes_feature_enabled are promoted to BETA stability. (#119264, @logicalhan) [SIG API Machinery, Architecture, Cluster Lifecycle and Instrumentation]
• Removed resizeStatus enum from pvc.Status and replaced with AllocatedResourceStatus. (#116335, @gnufied) [SIG API Machinery, Apps, Auth, Node, Storage and Testing]
• Removed WindowsHostProcessContainers feature-gate. (#117570, @marosset) [SIG API Machinery, Apps, Auth, Node and Windows]
• Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta. (#117802, @kerthcet) [SIG API Machinery and Apps]
• StatefulSet pods now have the pod index set as a pod label statefulset.kubernetes.io/pod-index. (#119232, @danielvegamyhre) [SIG Apps]
• Support for proxying a request to a peer kube-apiserver if the local apiserver is not able to serve it due to version skew or in the case the requested api is disabled on the local apiserver (#117740, @Richabanker) [SIG API Machinery, Apps, Auth, Cloud Provider, Network, Node and Testing]
• Supported BackoffLimitPerIndex in Jobs. (#118009, @mimowo)
• The IPTablesOwnershipCleanup feature (KEP-3178) is now GA; kubelet no longer
  creates the KUBE-MARK-DROP chain (which has been unused for several releases)
  or the KUBE-MARK-MASQ chain (which is now only created by kube-proxy). (#119374, @danwinship)
• The SelfSubjectReview API is promoted to authentication.k8s.io/v1 and the kubectl auth whoami command is GA. (#117713, @nabokihms) [SIG API Machinery, Architecture, Auth, CLI and Testing]
• The names of ResourceClaims generated from ResourceClaimTemplate are now generated. The base name is still <pod>-<claim name>, but a random suffix will avoid name collisions. (#117351, @pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
• The new feature gate "SidecarContainers" is now available. This feature introduces sidecar containers, a new type of init container that starts before other containers but remains running for the full duration of the pod's lifecycle and will not block pod termination. (#116429, @gjkim42) [SIG API Machinery, Apps, Node, Scheduling and Testing]
• Updated the comment about the feature-gate level for PodFailurePolicy from alpha to beta (#118278, @mimowo)
• client-go: Improved memory use of reflector caches when watching large numbers
  of objects which do not change frequently. (#113362, @sxllwx)
• component-base/logs is now stricter about not applying configurations multiple
  times and will return an error when that is attempted. Can be overridden by binaries
  which need to do that. (#117108, @pohly)
• kube-controller-manager: The LegacyServiceAccountTokenCleanUp feature gate
  is now available as alpha (off by default). When enabled, the legacy-service-account-token-cleaner
  controller loop removes service account token secrets that have not been used
  in the time specified by --legacy-service-account-token-clean-up-period (defaulting
  to one year), and are referenced from the .secrets list of a ServiceAccount
  object, and are not referenced from pods. (#115554, @yt2985)
• kube-scheduler component config (KubeSchedulerConfiguration) kubescheduler.config.k8s.io/v1beta2
  is removed in v1.28. Migrate kube-scheduler configuration files to kubescheduler.config.k8s.io/v1. (#117649, @SataQiu)

Feature

• A ValidatingAdmissionPolicy now has its messageExpression field checked against resolved types. (#119209, @jiahuif) [SIG API Machinery]
• Added '--concurrent-cron-job-syncs' flag for kube-controller-manager to set the number of workers for cron job controller. (#117550, @borgerli)
• Added '--concurrent-job-syncs' flag for kube-controller-manager to set the number of job controller workers. (#117138, @tosi3k)
• Added --concurrency flag to configure the concurrency of kubectl diff execution, defaults to 1. (#118810, @brancz)
• Added ConsistentListFromCache feature gate that allows apiserver to serve consistent lists from cache. (#118508, @serathius)
• Added DisruptionTarget condition to the pod preempted by kubelet to make room for a critical pod. (#117586, @mimowo)
• Added apiserver_admission_match_condition_evaluation_seconds and apiserver_admission_match_condition_exclusions_total metrics. (#119311, @ivelichkovich)
• Added a container image for kubectl at registry.k8s.io/kubectl across the same architectures as other images (linux/amd64 linux/arm64 linux/s390x linux/ppc64le) (#116672, @dims) [SIG Architecture and Release]
• Added a new command line argument --interactive to kubectl. The new command line argument lets a user confirm deletion requests per resource interactively. (#114530, @ardaguclu) [SIG CLI and Testing]
• Added a new feature gate, SchedulerQueueingHints (enabled by default).
  The new feature gate activates a framework for fine-grained filtering of events related to scheduler plugins.
  In this release, no default scheduling plugins make use of the hinting framework, so you should not expect any behavior changes. (#119328, @sanposhiho) [SIG Scheduling]
• Added full cgroup v2 swap support for both Limited and Unlimited swap.

When LimitedSwap is enabled the swap limit would be automatically calculated for
Burstable QoS pods. For Best-Effort/Guaranteed QoS pods, swap would be disabled.

Containers with memory requests equal to their memory limits also won't have
swap access, and it is a way to opt-out of swap for a single container.

The formula for the swap limit for Burstable QoS pods is:
(<memory-request>/<node-memory-capacity>)*<node-swap-capacity>.

Support for cgroup v1 is removed. (#118764, @iholder101)
- Added handling for pods in podgc for PodReplacementPolicy or PodDisruption. (#118772, @kannon92)
- Added reason to metric attachdetach_controller_forced_detaches in the attach detach controller. (#119185, @xing-yang)
- Added support for pod hostNetwork field selector (#110477, @halfcrazy) [SIG Apps and Node]
- Added swap to stats to Summary API and Prometheus endpoints (stats/summary and /metrics/resource). (#118865, @iholder101)
- Added the implementation for PodRecreationPolicy to wait for the creation of pods once the existing ones are fully terminated. (#117015, @kannon92)
- Allow to monitor client-go DNS resolver latencies via rest_client_dns_resolution_duration_seconds Prometheus metric. (#115357, @mfojtik)
- Apiserver adds two new metrics etcd_requests_total and etcd_request_errors_total that allow users to monitor requests to etcd storage, split by operation and resource type. (#117222, @iyear) [SIG API Machinery]
- Bumped distroless-iptables to 0.2.6 based on Go 1.20.6. (#119365, @xmudrii)
- Bumped metrics-server to v0.6.3. (#117120, @dgrisonnet)
- CEL authorizer checks no longer raise runtime errors. Calls to "check" will always return a decision object and the authorization error (if any) can be accessed within expressions using the new decision methods "errored" and "error". (#118804, @benluddy) [SIG API Machinery]
- CRI: exposed commit memory bytes in container stats specific to Windows (#119238, @kiashok)
- Client-go now exposes two new metrics to monitor the client-go logic that
generate http.Transports for the clients.

• rest_client_transport_cache_entries is a gauge metric
  with the number of existing entries in the internal cache

• rest_client_transport_create_calls_total is a counter
  that increments each time a new transport is created, storing
  the result of the operation needed to generate it: hit, miss
  or uncacheable. (#117295, @aojea)

• Cloud controller manager's node controller now emits timing metrics for initial Node synchronization. These metrics measure the delay between the creation of a new Node and the node controller's initial management actions, such as removing the cloud provider taint. These metrics should be consulted when setting cloud controller manager's --concurrent-node-syncs flag. (#119241, @cartermckinnon) [SIG Cloud Provider and Instrumentation]
• Dynamic resource allocation: when a claim uses "wait for first consumer" allocation (the default), then it will now get deallocated after it was used by a pod. That ensures that the next pod isn't affected by previous scheduling decision and that resources are not kept allocated unless really needed. If keeping a claim allocated is desired, use "immediate allocation." (#118936, @pohly)
• Enabled use of pods with volumes and user namespaces. The feature gate was renamed from UserNamespacesStatelessPodsSupport to UserNamespacesSupport. (#118691, @giuseppe)
• External credential provider plugins will now have their standard error output logged by kubelet upon failures. (#117448, @cartermckinnon)
• Faster scheduling when ResourceClaims are involved. (#119078, @pohly)
• Fixed the alpha CloudDualStackNodeIPs feature. (#118329, @danwinship)
• Graduated the LegacyServiceAccountTokenTracking feature gate to GA. The usage of auto-generated secret-based service account token now produces warnings, and relevant Secrets are labeled with a last-used timestamp (label key kubernetes.io/legacy-token-last-used). (#117591, @zshihang) [SIG API Machinery, Auth and Testing]
• Graduated the ProbeTerminationGracePeriod feature gate to GA. (#114307, @rphillips)
• Hashing of KeyID in Logs

This release adds a feature to hash the KeyID values in the logs. The KeyID values are sensitive information that should not be exposed in plain text in the logs. By hashing the KeyID values, we can protect the confidentiality of the data while still being able to log the necessary information. (#118988, @nilekhc) [SIG API Machinery, Auth and Testing]
- Implemented alpha support for a drop-in kubelet configuration directory. (#119390, @sohankunkerkar)
- In the course of admitting a single request, the ValidatingAdmissionPolicy plugin will perform no more than one authorization check per unique authorizer expression. All evaluations of identical authorizer expressions will produce the same decision. (#116443, @benluddy) [SIG API Machinery and Testing]
- Introduce support for CEL optionals (see CEL spec proposal 246).
This feature will not be fully enabled until a future Kubernetes release (likely to be v1.29), but is added in v1.28 to enable
safe rollback on downgrade. (#118339, @jpbetz) [SIG API Machinery, Auth, Cloud Provider and Testing]
- Kube-controller-manager: the dynamic resource controller steps in when a pod got created such that the scheduler ignores it (i.e. spec.nodeName is set) and then takes care of triggering delayed resource claim allocation and/or reserving a claim for the pod. (#118209, @pohly) [SIG API Machinery, Apps, Auth, Node and Testing]
- Kube-proxy handles Terminating EndpointSlices conditions and enables zero downtime deployments for Services with ExternalTrafficPolicy=Local author: @andrewsykim (#117718, @aojea) [SIG Network, Testing and Windows]
- Kube-proxy service health returns http header X-Load-Balancing-Endpoint-Weight with number of local endpoints. The same information is still available in response body JSON payload.LocalEndpoints. (#118999, @cezarygerard)
- Kubelet: plugins for dynamic resource allocation may use the v1alpha3 API instead of v1alpha2 if they want to do prepare/unprepare operations in batches. (#119012, @pohly)
- Kubelet: security of dynamic resource allocation was enhanced by limiting node access to those objects that are needed on the node. (#116254, @pohly) [SIG Auth and Testing]
- Kubelet: un-deprecated --provider-id flag. (#116530, @pacoxu)
- Kubernetes is now built with Go 1.20.4. (#117744, @xmudrii) [SIG Release and Testing]
- Kubernetes is now built with Go 1.20.5. (#118507, @jeremyrickard)
- Kubernetes is now built with Go 1.20.6. (#119324, @xmudrii)
- Metric scheduler_scheduler_goroutines is removed. Use scheduler_goroutines instead. (#117727, @kerthcet) [SIG Scheduling]
- Migrated pkg/controller/endpoint to contextual logging. (#116755, @my-git9)
- Migrated pkg/scheduler/framework/preemption to use contextual logging. (#116835, @mengjiao-liu)
- Migrated pod-security-admission to use contextual logging. (#114471, @Namanl2001) [SIG Apps and Auth]
- Migrated controller functions to use contextual logging. (#116930, @fatsheep9146) [SIG API Machinery, Apps, Network, Node, Storage and Testing]
- Migrated the Job controller (within kube-controller-manager) to use contextual logging. (#116910, @fatsheep9146) [SIG API Machinery, Apps and Testing]
- Migrated the EndpointSlice and EndpointSliceMirroring controllers (within kube-controller-manager) to use contextual logging. (#115295, @Namanl2001) [SIG API Machinery, Apps, Network and Testing]
- Migrated the certificate controller (within kube-controller-manager) to use contextual logging. (#113994, @mengjiao-liu) [SIG API Machinery, Apps, Auth, Instrumentation and Testing]
- Migrated the noderesources scheduler plugin to use contextual logging. (#116748, @mengjiao-liu)
- Migrated the podtopologyspread scheduler plugins to use contextual logging. (#116797, @mengjiao-liu) [SIG Instrumentation and Scheduling]
- Moved non-graceful node shutdown to GA. (#118228, @carlory)
- New CEL Library functions to support Kubernetes Quantities. (#118803, @alexzielenski) [SIG API Machinery]
- New Metrics Added for Encryption Configuration Controller

This release adds new metrics to the Encryption Configuration Controller to help monitor the automatic reloading of encryption configuration. The new metrics include:

• apiserver_encryption_config_controller_automatic_reload_failures_total: Total number of failed automatic reloads of encryption configuration.
• apiserver_encryption_config_controller_automatic_reload_success_total: Total number of successful automatic reloads of encryption configuration.
• apiserver_encryption_config_controller_automatic_reload_last_timestamp_seconds: Timestamp of the last successful or failed automatic reload of encryption configuration.

These metrics can be used to monitor the health of the Encryption Configuration Controller and to troubleshoot any issues that may arise during automatic reloading of encryption configuration. (#119008, @nilekhc)
- New staging repo has been created for the EndpointSlice reconciler. (#118953, @mskrocki)
- Promoted ServiceNodePortStaticSubrange feature gate to beta, and it will be enabled by default. (#117877, @xuzhenglun)
- Promoted the following apiserver flowcontrol metrics to Beta:

• apiserver_flowcontrol_request_wait_duration_seconds
• apiserver_flowcontrol_current_executing_seats
• apiserver_flowcontrol_nominal_limit_seats
• apiserver_flowcontrol_rejected_requests_total
• apiserver_flowcontrol_dispatched_requests_total
• apiserver_flowcontrol_current_inqueue_requests
• apiserver_flowcontrol_current_executing_requests (#119110, @andrewsykim)
• Renamed PodHasNetwork to PodReadyToStartContainers. (#117702, @kannon92) [SIG Node and Testing]
• Replaced apiserver_storage_db_total_size_in_bytes with apiserver_storage_size_bytes metric. (#118812, @serathius)
• Scheduler now waits for handlers to finish syncing before the scheduling cycles start. (#116729, @AxeZhan)
• Set metrics-server's metric-resolution to 15s. (#117121, @dgrisonnet) [SIG Cloud Provider and Instrumentation]
• SubjectAccessReview requests sent to webhook authorizers now default spec.resourceAttributes.version to * if unset. (#116937, @AxeZhan) [SIG Apps and Auth]
• Supported specifying a custom retry period for cloud load-balancer operations. (#94021, @timoreimann)
• The "value" part in the wait --for=jsonpath='{expression}'[=value] is now
  optional. If the value is not provided i.e., the command looks like wait --for=jsonpath='{expression}'
  then the wait condition is interpreted as matched when the expression returns
  any single JSON value like object or a literal. (#118160, @minherz)
• The Kubernetes apiserver now emits a warning message for Pods with a null labelSelector in podAffinity or topologySpreadConstraints. The null labelSelector means "match none". Using it in podAffinity or topologySpreadConstraint could lead to unintended behavior. (#117025, @sanposhiho) [SIG Scheduling]
• The AdvancedAuditing feature gate that graduated to GA in v1.12 (and was unconditionally
  enabled) has been removed. (#118763, @Shubham82)
• The ExpandedDNSConfig feature has graduated to GA. 'ExpandedDNSConfig' feature was locked to default value and will be removed in v1.30. If you were setting this feature gate explicitly, please remove it now. (#116741, @gjkim42) [SIG Apps, Network and Node]
• The apiserver debug endpoint /debug/api_priority_and_fairness/dump_requests has been extended to dump executing requests as well as queued ones. A column for StartTime has been added to the returned table, with the queued requests having a StartTime of "0001-01-01T00:00:00Z". The executing requests have a RequestIndexInQueue of -1, and the QueueIndex is also -1 for priority levels without queues. (#119009, @MikeSpreitzer) [SIG API Machinery]
• The helping message of commands which have sub-commands is now clearer and more instructive. It will show the full command instead of kubectl <command> --help ...

Changed kubectl create secret --help description. There will be a short introduction to the three secret types and clearer guidance on how to use the command. (#117930, @LronDC)
- The scheduler skips the InterPodAffinity Score plugin when nothing to do with the Pod.
It will affect some metrics values related to the InterPodAffinity Score plugin. (#117794, @utam0k) [SIG Scheduling]
- The scheduler skips the PodTopologySpread Filter plugin if no spread constraints.
It will affect some metrics values related to the PodTopologySpread Filter plugin. (#117683, @utam0k)
- The scheduler skips the PodTopologySpread Score plugin when nothing to do with the Pod.
It will affect some metrics values related to the PodTopologySpread Score plugin. (#118608, @utam0k)
- The short names vwc and mwc were introduced for the resources validatingwebhookconfigurations and mutatingwebhookconfigurations. (#117535, @hysyeah)
- Updated etcd image to 3.5.9-0. (#117999, @kkkkun) [SIG API Machinery]
- Updated cAdvisor to v0.47.2 and fixed metrics in cri-o when a container restarts. (#118774, @harche)
- Updated distroless I-tables to use registry.k8s.io/build-image/distroless-iptables:v0.2.5 (#118541, @jeremyrickard) [SIG Testing]
- Updated distroless iptables to use released image registry.k8s.io/build-image/distroless-iptables:v0.2.4 (#117746, @xmudrii) [SIG Testing]
- Updated the scheduler interface and cache methods to use contextual logging. (#116849, @mengjiao-liu)
- ValidatingAdmissionPolicy type checking now correctly handles authorizer variable. (#118540, @jiahuif) [SIG API Machinery]
- When a pod is done or not going to run, then ResourceClaims for it can be reused by other pods or deleted. (#118817, @pohly)
- With the KubeletCgroupDriverFromCRI feature gate enabled and sufficiently new version of a container
runtime, kubelet automatically detects the cgroup driver config from the container runtime, eliminating
the need to specify the cgroupDriver configuration option (or --cgroup-driver flag) of kubelet. (#118770, @marquiz)
- [Kube-proxy]: Implemented connection draining for terminating nodes. (#116470, @alexanderConstantinescu)
- --version=v1.X.Y... can now be used to set the prerelease and buildID portions of the version reported by components (#117688, @liggitt) [SIG API Machinery, Architecture and Release]
- RetroactiveDefaultStorageClass feature made stable and enabled by default. (#118102, @RomanBednar)
- TopologyManagerPolicyOptions feature-flag is promoted to beta and enabled by default. (#118816, @PiotrProkop)
- force_delete_pods_total and force_delete_pod_errors_total metrics count all pod deletion behaviors. (#118480, @carlory)
- klog text output now uses JSON as encoding for structs, maps and slices. (#117687, @pohly)
- kube-proxy in iptables mode will now have separate sync_full_proxy_rules_duration_seconds\nand
sync_partial_proxy_rules_duration_seconds (in addition to the existing\nsync_proxy_rules_duration_seconds),
giving better information about the duration of each \nsync type, rather than
only giving a weighted average of the two sync types together. (#117787, @danwinship)
- kubeadm: added a new "kubeadm config validate" command that can be used to
validate any input config file. Use the --config flag to pass a config file
to it. See the command --help screen for more information. As a result of adding
this new command, enhance the validation capabilities of the existing "kubeadm
config migrate" command. For both commands unknown APIs or fields will throw errors. (#118013, @neolit123)
- kubeadm: added the --allow-experimental-api flag to "kubeadm config migrate/validate" commands. It can be used to migrate or validate WIP/experimental APIs in the future. (#118866, @neolit123)
- kubeadm: generate CA certificates with a start time that is offset 5
minutes in the past relative to the current system time to workaround cases of
clock desync. (#118922, @champtar)
- plugin_evaluation_total metric supports prescore/score extension point.
The metric doesn't get incremented when the prescore/score plugin has nothing to do with an incoming pod. (#118025, @AxeZhan)

Documentation

• Enhanced clarity in error messaging when waiting for volume creation (#118262, @torredil) [SIG Apps and Storage]

Failing Test

• Allowed Azure Disk e2es to use newer topology labels if available from nodes. (#117216, @gnufied)
• Fixed nil pointer in test AfterEach volumeperf.go for sidecar release. (#117368, @sunnylovestiramisu)
• Switched back to debian-base instead of distroless for conformance image. (#119422, @saschagrunert)

Bug or Regression

• Added a new event FailedToRetrieveImagePullSecret which will be generated when a pod references an ImagePullSecret that doesn't exist. (#117927, @kaisoz) [SIG Node]
• Added additional validation for endpoint IP configuration while iterating through queried endpoint list. (#116749, @princepereira)
• Added warning for dup ports update/patching in pod's container ports and service ports. (#113245, @pacoxu)
• As in Kubernetes v1.26 and v1.27, resource claims do not get prepared by kubelet when no container uses them. This was changed accidentally in v1.28.0-alpha.1. (#118786, @pohly)
• Bumped cadvisor version to v0.47.3. (#119225, @iholder101)
• CI job ci-kubernetes-node-arm64-ubuntu-serial will test node e2e on arm64, use-dockerized-build and target-build-arch are required to run this job. (#118567, @chendave)
• CVE-2023-27561 CVE-2023-25809 CVE-2023-28642: Bump fix runc v1.1.4 -> v1.1.5 (#117095, @PushkarJ) [SIG Architecture, Node and Security]
• Code blocks in kubectl {$COMMAND}--help will move right by 3 indentation. (#118029, @ardaguclu)
• Compute the backoff delay more accurately for deleted pods (#118413, @mimowo) [SIG Apps]
• Declare Job as finished only after removing all Pod finalizers to avoid orphan Pods. (#119159, @alculquicondor)
• During device plugin allocation, resources requested by the pod can only be allocated if the device plugin has registered itself to kubelet AND healthy devices are present on the node to be allocated. If these conditions are not sattsfied, the pod would fail with UnexpectedAdmissionError error. (#116376, @swatisehgal) [SIG Node and Testing]
• Dynamic Resource Allocation: logged an error and submitted an event when Kubelet failed to prepare dynamic resources. (#118578, @bart0sh)
• Ensure Job status updates are batched by 1s. This fixes an unlikely scenario when a sequence of immediately
  completing pods could trigger a sequence of non-batched Job status updates. (#118470, @mimowo) [SIG Apps]
• Faster StatefulSet creation when Parallel mode is enabled. (#117865, @aleksandra-malinowska)
• Fixed a data race in TopologyCache when AddHints and SetNodes are called concurrently. (#117249, @tnqn) [SIG Apps and Network]
• Fixed a race condition in kube-proxy when using LocalModeNodeCIDR, to avoid dropping Services traffic if the object node is recreated when kube-proxy is starting. (#118499, @aojea)
• Fixed bug where listOfStrings.join() in CEL expressions resulted in an unexpected internal error. (#117593, @jpbetz) [SIG API Machinery]
• Fixed incorrect calculation for ResourceQuota with PriorityClass as its scope. (#117677, @Huang-Wei) [SIG API Machinery]
• Fix: After a Node is down and take some time to get back to up again, the mount point of the evicted Pods cannot be cleaned up successfully. (#111933) Meanwhile Kubelet will print the log Orphaned pod "xxx" found, but error not a directory occurred when trying to remove the volumes dir every 2 seconds. (#105536) (#116134, @cvvz) [SIG Node and Storage]
• Fix: The volume is not detached after the pod and PVC objects are deleted. (#116138, @cvvz) [SIG Storage]
• Fixed Cronjob status.lastSuccessfulTime not populated by a manually triggered (#118530, @carlory)
• Fixed Topology Aware Hints not working when the topology.kubernetes.io/zone label is added after Node creation. (#117245, @tnqn)
• Fixed creationTimestamp: null causing unnecessary writes to etcd. (#116865, @alexzielenski)
• Fixed vSphere cloud provider not to skip detach volumes from nodes at kube-controller-startup. (#117243, @jsafrane)
• Fixed a bug at kube-apiserver start where APIService objects for custom resources could be deleted and recreated. (#118104, @liggitt)
• Fixed a bug that unintentionally overrides custom Accept headers in http (live-/readiness)-probes if the header is in lowercase. (#114606, @tuunit)
• Fixed a bug where kubectl port-forward, when used with a Deployment, could connect to a terminating pod even when a running pod is also available. (#119256, @brianpursley) [SIG CLI]
• Fixed a bug where pv recycler failed to scrub volume with too many files in the directory due to hitting ARG_MAX limit with rm command (#117189). (#117283, @defo89) [SIG Cloud Provider and Storage]
• Fixed a memory leak in the Kubernetes API server that occurs during APIService processing. (#117258, @enj) [SIG API Machinery]
• Fixed a race condition between Run() and SetTransform() and SetWatchErrorHandler() in shared informers. (#117870, @howardjohn) [SIG API Machinery]
• Fixed a race condition serving OpenAPI content (#117705, @Jefftree)
• Fixed a regression in 1.27.0 that resulted in missing metadata in converted object errors when modifying objects for multi-version custom resource definitions with a conversion strategy of None. (#117301, @ncdc)
• Fixed a regression in kubectl and client-go discovery when configured with a server URL other than the root of a server (#117495, @ardaguclu)
• Fixed an issue where the API server did not send impersonated UID to authentication webhooks. (#116681, @stlaz) [SIG API Machinery and Auth]
• Fixed bug that caused a resource to include patch directives when using strategic merge patch against a non-existent field. (#117568, @alexzielenski)
• Fixed bug to correctly report ErrRegistryUnavailable on pulling container images for remote CRI runtimes. (#117612, @saschagrunert) [SIG Node]
• Fixed bug where explain was not properly respecting jsonpaths. (#115694, @mpuckett159)
• Fixed bug where using the $deleteFromPrimitiveList directive in a strategic merge patch of certain fields would remove the other values from the list instead of the values specified. (#110472, @brianpursley) [SIG API Machinery]
• Fixed component status calling etcd health endpoint over http which exposed kubernetes to the risk of complete watch starvation and is inconsistent with other etcd probing done by kube-apiserver. (#118460, @serathius)
• Fixed computing backoff delay when using Job pod failure policy, by including in the backoff delay calculation pod failures ignored from the backoffLimit counter. (#119434, @mimowo)
• Fixed cronjob controller handling of complex schedules, like 30 6-16/4 * * 1-5, for example. (#118724, @soltysh)
• Fixed deletion of non-admissible pods that are deleted during Kubelet restart. (#118497, @mimowo)
• Fixed issue where kubectl-convert would fail when encountering resources that could not be converted to the specified api version. New behavior is to warn the user of the failed conversions and continue to convert the remaining resources. (#117002, @gxwilkerson33)
• Fixed issue where there was no response or error from kubectl rollout status when there were no resources of specified kind. (#117884, @gxwilkerson33) [SIG CLI]
• Fixed kubelet startup getting stuck with NewVolumeManagerReconstruction feature enabled and a CSI volume present in /var/lib/kubelet/pods. (#117804, @jsafrane) [SIG Node and Storage]
• Fixed performance regression in scheduler caused by frequent metric lookup on critical code path. (#117594, @tosi3k)
• Fixed restricted debug profile. (#117543, @mochizuki875)
• Fixed the preStop hook. This will now block the pod termination grace period. (#115835, @HirazawaUi)
• Fixed the discoverability of apiregistration.k8s.io in openapi/v3 (#118879, @atiratree)
• If kubeadm reset finds no etcd member ID for the peer it removes during the remove-etcd-member phase, it continues immediately to other phases, instead of retrying the phase for up to 3 minutes before continuing. (#117724, @dlipovetsky) [SIG Cluster Lifecycle]
• Improved exponential backoff in Reflector, significantly reducing the load on Kubernetes apiserver in case of throttling of requests. (#118132, @marseel) [SIG API Machinery and Scalability]
• Known issue: fixed that the PreEnqueue plugins aren't executed for Pods proceeding to activeQ through backoffQ. (#117194, @sanposhiho) [SIG Release and Scheduling]
• Kubeadm: the limitation that the ignorePreflightErrors field can not be set to all in kubeadm config file has been removed. (#119351, @SataQiu)
• Kubelet terminates pods correctly upon restart, fixing an issue where pods may have not been fully terminated if the kubelet was restarted during pod termination. (#117019, @bobbypage) [SIG Node and Testing]
• Kubelet will now skip pod resource checks when the request is zero. (#116408, @ChenLingPeng)
• Number of errors reported to the metric storage_operation_duration_seconds_count for emptyDir decreased significantly because previously one error was reported for each projected volume created. (#117022, @mpatlasov) [SIG Storage]
• Pod termination will be faster when the pod has a missing volume reference. (#117412, @smarterclayton) [SIG Node and Testing]
• Recording timing traces had a race condition. Impact in practice was probably low. (#117139, @pohly) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]
• Reduced CPU and memory consumption of kube-apiserver if OpenAPI V2 will not be accessed by any client. Also improved performance of the apiserver on installation of many CRDs. (#118212, @Jefftree)
• Removed leading zeros from the etcd member ID in kubeadm log messages. (#117919, @dlipovetsky) [SIG Cluster Lifecycle]
• Resolves a spurious "Unknown discovery response content-type" error in client-go discovery requests by tolerating extra content-type parameters in API responses (#117571, @seans3) [SIG API Machinery]
• Reverted NewVolumeManagerReconstruction and SELinuxMountReadWriteOncePod feature gates to disabled by default to resolve a regression of volume reconstruction on kubelet/node restart (#117751, @liggitt) [SIG Storage]
• Setting a mirror pod's phase to Succeeded or Failed can prevent the corresponding static pod from restarting due mutation of a Kubelet cache. (#116482, @smarterclayton) [SIG Node]
• Show a warning when volume.beta.kubernetes.io/storage-class annotation is used in pv or pvc (#117036, @haoruan) [SIG Storage]
• Static pods were taking extra time to be restarted after being updated. Static pods that are waiting to restart were not correctly counted in kubelet_working_pods. (#116995, @smarterclayton) [SIG Node]
• The Daemonset controller creates replacements for terminal Pods, which can appear during VM preemptions or when using Pod finalizers. (#118716, @alculquicondor)
• The pod_scheduling_duration_seconds metrics won't consider the time when a pod fails PreEnqueue (like being gated). (#118049, @helayoty)
• The kube-proxy sync_proxy_rules_iptables_total metric has now reverted back
  to its pre-1.27 behavior of tracking the total number of iptables rules that
  kube-proxy is responsible for, rather than only counting the number of rules
  that it re-synced on the last sync. The new sync_proxy_rules_iptables_last
  metric now gives the latter number. (#119140, @danwinship) [SIG Network]
• The metric apiserver_flowcontrol_request_concurrency_limit has been deprecated and will be removed in a future release. It is a duplicate of apiserver_flowcontrol_nominal_limit_seats (introduced in release 1.26) but has an outdated name and had an outdated HELP string. (#118959, @MikeSpreitzer) [SIG API Machinery]
• Updated etcd version to 3.5.8. (#117335, @kkkkun)
• Updated apiserver metric request_filter_duration_seconds to include a 10s, 15s and 30s bucket.
  Updated apiserver metric request_wait_duration_seconds to include a 15s bucket. (#118945, @andrewsykim)
• Updated kube-apiserver's priority & fairness work estimator such that 'max seats' is MIN(0.15 x nominalCL, nominalCL / handSize)

This fixes a bug where clients with requests using hand size x max seats greater than the nominal concurrency limit can starve other requests in the same priority level. (#118601, @andrewsykim)
- Updated static pods are restarted 2s faster by correcting a safe but non-optimal ordering bug. (#116690, @smarterclayton) [SIG Node]
- Users will no longer see an error for failed events caused due to terminating namespace. (#114849, @padlar) [SIG API Machinery]
- [Dual-stack] Fixed generateAPIPodStatus() of kubelet handling Secondary IP. hostIPs order may not be consistent. If secondary IP is before primary one, current logic adds primary IP twice into PodIPs, which leads to error: "may specify no more than one IP for each IP family". (#116879, @lzhecheng)
- [KCCM] service controller: change the cloud controller manager to make providerID a predicate when synchronizing nodes. This change allows load balancer integrations to ensure that the providerID is set when configuring
load balancers and targets. (#117388, @alexanderConstantinescu) [SIG Cloud Provider and Network]
- kube-apiserver will now always remove its endpoint from Kubernetes service during
graceful shutdown (even if it's the only/last one). (#116685, @nayihz)
- kubeadm: fixed a bug where the static pod changes detection logic is inconsistent
with kubelet. (#118069, @SataQiu)
- kubeadm: crictl pull should use -i to set the image service endpoint. (#117835, @pacoxu)
- kubeadm: fixed a bug where file copy(backup) could not be executed correctly
on Windows platform during upgrade. (#117861, @SataQiu)
- kubeadm: speedup init by 0s or 20s. kubelet-start phase is now after etcd
and control-plane phases, removing a race condition between kubelet looking for
static pod manifests and kubeadm writing them. (#117984, @champtar)
- kubeadm: will now throw warnings instead of errors for deprecated feature gates. (#118270, @pacoxu)
- kubectl events --for will also support fully qualified names such as replicasets.apps,
etc. (#117034, @ardaguclu)
- kubectl explain should correctly work for all resources. (#118876, @atiratree)
- kubectl expose supports the creation of different protocol services on the same port. (#114909, @aimuz)
- kubelet will ensure /etc/hosts file is mode 0644 regardless of umask. (#113209, @luozhiwenn)
- kubelet: print sorted volumes message in events. (#117079, @qingwave)
- wait.PollUntilContextTimeout function, if immediate is true, the condition
will be invoked before waiting and guarantees that the condition is invoked at
least once, regardless of whether the context has been cancelled. (#118686, @aojea)

Other (Cleanup or Flake)

• A v2-level info log will be added, which will output the details of the pod being preempted, including victim and preemptor. (#117214, @HirazawaUi)
• Allowed container runtimes to use ErrSignatureValidationFailed as possible image pull failure. (#117717, @saschagrunert)
• Deprecated genericclioptions.IOStreams and used genericiooptions.IOStreams. (#117102, @ardaguclu)
• E2e framework: the node-role.kubernetes.io/master taint has been removed from the default value of --non-blocking-taints flag. You may need to set --non-blocking-taints explicitly if the cluster to be tested has nodes with the deprecated node-role.kubernetes.io/master taint. (#118510, @SataQiu) [SIG Testing]
• Enabled the node-local kubelet podresources API endpoint on windows, alongside unix. (#115133, @ffromani)
• Fixed dra e2e image build on non-amd64 architectures. (#117912, @bart0sh) [SIG Node and Testing]
• Kube-apiserver adds two new alpha metrics conversion_webhook_request_total and conversion_webhook_duration_seconds that allow users to monitor requests to CRD conversion webhooks, split by result, and failure_type (In case of failure). (#118292, @cchapla) [SIG API Machinery, Architecture and Instrumentation]
• Kube-proxy will now warn at startup if the configuration seems inconsistent
  with respect to IP families. (For example, if you have an IPv4 node IP, but
  --cluster-cidr is IPv6.) (#119003, @danwinship) [SIG Network]
• Kube-proxy: removed log warning about not using config file. (#118115, @TommyStarK) [SIG Network]
• Made Job controller batching of syncJob invocations enabled unconditionally (it was conditional on JobReadyPods feature before).
  Also, Job controller's constants for default backoff and maximal backoff are lowered down to 1s (from 10s) and 1min (from 6min), respectively. These constants are used to determine the backoff delay for the next Job controller sync in case of a request failure. (#118615, @mimowo) [SIG Apps and Testing]
• Marked the feature gate ExperimentalHostUserNamespaceDefaulting as deprecated.
  Enabling the feature gate already had no effect; the deprecation allows for removing the feature gate in a future release. (#116723, @SergeyKanzhelev) [SIG Node]
• Migrated pkg/scheduler/framework/runtime to use contextual logging. (#116842, @mengjiao-liu) [SIG Instrumentation and Scheduling]
• Migrated the disruption controller (within kube-controller-manager) to use contextual logging. (#119147, @mengjiao-liu) [SIG API Machinery, Apps, Instrumentation and Testing]
• Migrated the interpodaffinity scheduler plugin to use contextual logging. (#116635, @mengjiao-liu) [SIG Instrumentation and Scheduling]
• Migrated the podgc controller and some other remaining log calls within kube-controller-manager to use contextual logging. kube-controller-manager is now converted completely. (#119250, @pohly) [SIG API Machinery, Apps, Cloud Provider, Instrumentation, Network, Storage and Testing]
• Migrated the volumezone scheduler plugin to use contextual logging. (#116829, @mengjiao-liu) [SIG Instrumentation and Scheduling]
• Moved k8s.io/kubernetes/pkg/kubelet/cri/streaming package to k8s.io/kubelet/pkg/cri/streaming. (#118253, @saschagrunert) [SIG Node, Release and Security]
• OpenAPI proto deserializations should use gnostic-models instead of the gnostic library. (#118384, @Jefftree) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Instrumentation, Node, Storage and Testing]
• Projects which use k8s.io/code-generator and invoke generate-groups or generate-internal-groups.sh have a new, simpler script (kube_codegen.sh) they can use. The old scripts are deprecated but remain intact. (#117262, @thockin) [SIG API Machinery and Instrumentation]
• Promoted kubernetes_healthcheck and kubernetes_healthchecks_total to BETA stability level. (#118986, @logicalhan)
• Reduced delay when processing jobs after a transient API error. (#118759, @mimowo)
• Removed GA'ed feature gate DelegateFSGroupToCSIDriver. (#117655, @carlory)
• Removed GA'ed feature gate DevicePlugins. (#117656, @carlory)
• Removed GA'ed feature gate KubeletCredentialProviders. (#116901, @pacoxu)
• Removed GA'ed feature gates: MixedProtocolLBService, ServiceInternalTrafficPolicy,
  ServiceIPStaticSubrange, and EndpointSliceTerminatingCondition. (#117237, @yulng)
• Removed KUBECTL_EXPLAIN_OPENAPIV3 which is already redundant. (#119286, @ardaguclu)
• Removed the deprecated azureFile in-tree storage plugin. (#118236, @andyzhangx)
• Revised OpenAPI v2 fetching for CustomResourceDefinitions. CRDs are now aggregated lazily,
  which improves resource usage during installation of many CRDs. As a result, the first request
  to fetch the OpenAPI may be slower. (#118808, @Jefftree)
• Shrank the OpenAPI v2 spec by more than 50%, especially for less CPU resource consumption. (#118204, @sttts)
• Structured logging of NamespacedName was inconsistent with klog.KObj. Now both will use lower case field names and namespace is optional. (#117238, @pohly)
• The GetAllocatableResources podresources API endpoint is now GA. (#118973, @ffromani)
• The NetworkPolicyLegacy test suite (deprecated in v1.21) has now officially been removed in favor of the new table driven e2e tests. (#118915, @astoycos)
• The generate_groups.sh and generate_internal_groups.sh scripts from the k8s.io/code-generator repo are deprecated (but still work) in favor of kube_codegen.sh in that same repo. Projects which use the old scripts are encouraged to look at adopting the new one. (#117897, @thockin) [SIG API Machinery]
• The feature gate CSIStorageCapacity have been removed and must no longer be referenced in --feature-gates flags. (#118018, @humblec)
• The feature gates CSIMigrationGCE is graduated to GA and were unconditionally enabled have been removed in v1.25, and the entire gcepd package has been removed. (#117055, @cyclinder)
• The feature gates DisableAcceleratorUsageMetrics and PodSecurity that graduated to GA and were unconditionally enabled have been removed in v1.28. (#114068, @cyclinder) [SIG API Machinery, Node, Scheduling and Storage]
• The kubelet podresources endpoint is GA and always enabled. (#116525, @ffromani) [SIG Node]
• The metric apiserver_flowcontrol_current_executing_seats has been introduced as a duplicate of apiserver_flowcontrol_request_concurrency_in_use because the latter has a confusing name and will be removed in a later release. (#118960, @MikeSpreitzer) [SIG API Machinery]
• Updated Cluster Autosaler to version 1.26.1. (#116526, @pacoxu) [SIG Autoscaling and Cloud Provider]
• Updated cri-tools to v1.27.0. (#117545, @saschagrunert)
• Updated setcap image to debian bookworm v1.0.0. (#119247, @saschagrunert)
• Updated cri-tools to v1.26.1. (#116649, @saschagrunert) [SIG Architecture and Release]
• Updated debian-base image to bookworm-v1.0.0. (#119095, @saschagrunert)
• Use table-driven test for TestPerPodSchedulingMetrics. (#118842, @helayoty)
• When retrieving event resources, the reportingController and reportingInstance fields in the event will contain values. (#116506, @HirazawaUi) [SIG API Machinery and Instrumentation]
• [KCCM] drop filtering nodes for the providerID when syncing load balancers, but have changes to the field trigger a re-sync of load balancers. This should ensure that cloud providers which don't specify providerID, can still use the service controller implementation to provision load balancers. (#117602, @alexanderConstantinescu) [SIG Cloud Provider and Network]
• kube-apiserver added two new metrics authorization_attempts_total and authorization_duration_seconds
  that allow users to monitor requests to authorization webhooks, split by result. (#117211, @HirazawaUi)
• kube-apiserver: Improved memory use when performing GetList on the cache. (#116327, @sxllwx)
• kube-controller-manager and cloud-controller-manager have changed the
  name of controllers that can be turned on/off that are passed to the --controllers
  flag (e.g., pod-garbage-collector-controller). The old names (eg podgc) are
  also accepted and aliased to the new names. (#115813, @atiratree)
• kubeadm: Introduced a new feature gate UpgradeAddonsBeforeControlPlane to
  fix a kube-proxy skew policy misalignment. Its default value is false. Upgrade
  of the CoreDNS and kube-proxy addons will now trigger after all the control plane
  instances have been upgraded, unless the fearure gate is set to true. This feature
  gate will be removed in a future release. (#117660, @pacoxu)

Dependencies

Added

• cloud.google.com/go/accessapproval: v1.6.0
• cloud.google.com/go/accesscontextmanager: v1.7.0
• cloud.google.com/go/aiplatform: v1.37.0
• cloud.google.com/go/analytics: v0.19.0
• cloud.google.com/go/apigateway: v1.5.0
• cloud.google.com/go/apigeeconnect: v1.5.0
• cloud.google.com/go/apigeeregistry: v0.6.0
• cloud.google.com/go/appengine: v1.7.1
• cloud.google.com/go/area120: v0.7.1
• cloud.google.com/go/artifactregistry: v1.13.0
• cloud.google.com/go/asset: v1.13.0
• cloud.google.com/go/assuredworkloads: v1.10.0
• cloud.google.com/go/automl: v1.12.0
• cloud.google.com/go/baremetalsolution: v0.5.0
• cloud.google.com/go/batch: v0.7.0
• cloud.google.com/go/beyondcorp: v0.5.0
• cloud.google.com/go/billing: v1.13.0
• cloud.google.com/go/binaryauthorization: v1.5.0
• cloud.google.com/go/certificatemanager: v1.6.0
• cloud.google.com/go/channel: v1.12.0
• cloud.google.com/go/cloudbuild: v1.9.0
• cloud.google.com/go/clouddms: v1.5.0
• cloud.google.com/go/cloudtasks: v1.10.0
• cloud.google.com/go/compute/metadata: v0.2.3
• cloud.google.com/go/compute: v1.19.0
• cloud.google.com/go/contactcenterinsights: v1.6.0
• cloud.google.com/go/container: v1.15.0
• cloud.google.com/go/containeranalysis: v0.9.0
• cloud.google.com/go/datacatalog: v1.13.0
• cloud.google.com/go/dataflow: v0.8.0
• cloud.google.com/go/dataform: v0.7.0
• cloud.google.com/go/datafusion: v1.6.0
• cloud.google.com/go/datalabeling: v0.7.0
• cloud.google.com/go/dataplex: v1.6.0
• cloud.google.com/go/dataproc: v1.12.0
• cloud.google.com/go/dataqna: v0.7.0
• cloud.google.com/go/datastream: v1.7.0
• cloud.google.com/go/deploy: v1.8.0
• cloud.google.com/go/dialogflow: v1.32.0
• cloud.google.com/go/dlp: v1.9.0
• cloud.google.com/go/documentai: v1.18.0
• cloud.google.com/go/domains: v0.8.0
• cloud.google.com/go/edgecontainer: v1.0.0
• cloud.google.com/go/errorreporting: v0.3.0
• cloud.google.com/go/essentialcontacts: v1.5.0
• cloud.google.com/go/eventarc: v1.11.0
• cloud.google.com/go/filestore: v1.6.0
• cloud.google.com/go/functions: v1.13.0
• cloud.google.com/go/gaming: v1.9.0
• cloud.google.com/go/gkebackup: v0.4.0
• cloud.google.com/go/gkeconnect: v0.7.0
• cloud.google.com/go/gkehub: v0.12.0
• cloud.google.com/go/gkemulticloud: v0.5.0
• cloud.google.com/go/gsuiteaddons: v1.5.0
• cloud.google.com/go/iam: v0.13.0
• cloud.google.com/go/iap: v1.7.1
• cloud.google.com/go/ids: v1.3.0
• cloud.google.com/go/iot: v1.6.0
• cloud.google.com/go/kms: v1.10.1
• cloud.google.com/go/language: v1.9.0
• cloud.google.com/go/lifesciences: v0.8.0
• cloud.google.com/go/logging: v1.7.0
• cloud.google.com/go/longrunning: v0.4.1
• cloud.google.com/go/managedidentities: v1.5.0
• cloud.google.com/go/maps: v0.7.0
• cloud.google.com/go/mediatranslation: v0.7.0
• cloud.google.com/go/memcache: v1.9.0
• cloud.google.com/go/metastore: v1.10.0
• cloud.google.com/go/monitoring: v1.13.0
• cloud.google.com/go/networkconnectivity: v1.11.0
• cloud.google.com/go/networkmanagement: v1.6.0
• cloud.google.com/go/networksecurity: v0.8.0
• cloud.google.com/go/notebooks: v1.8.0
• cloud.google.com/go/optimization: v1.3.1
• cloud.google.com/go/orchestration: v1.6.0
• cloud.google.com/go/orgpolicy: v1.10.0
• cloud.google.com/go/osconfig: v1.11.0
• cloud.google.com/go/oslogin: v1.9.0
• cloud.google.com/go/phishingprotection: v0.7.0
• cloud.google.com/go/policytroubleshooter: v1.6.0
• cloud.google.com/go/privatecatalog: v0.8.0
• cloud.google.com/go/pubsublite: v1.7.0
• cloud.google.com/go/recaptchaenterprise/v2: v2.7.0
• cloud.google.com/go/recommendationengine: v0.7.0
• cloud.google.com/go/recommender: v1.9.0
• cloud.google.com/go/redis: v1.11.0
• cloud.google.com/go/resourcemanager: v1.7.0
• cloud.google.com/go/resourcesettings: v1.5.0
• cloud.google.com/go/retail: v1.12.0
• cloud.google.com/go/run: v0.9.0
• cloud.google.com/go/scheduler: v1.9.0
• cloud.google.com/go/secretmanager: v1.10.0
• cloud.google.com/go/security: v1.13.0
• cloud.google.com/go/securitycenter: v1.19.0
• cloud.google.com/go/servicedirectory: v1.9.0
• cloud.google.com/go/shell: v1.6.0
• cloud.google.com/go/spanner: v1.45.0
• cloud.google.com/go/speech: v1.15.0
• cloud.google.com/go/storagetransfer: v1.8.0
• cloud.google.com/go/talent: v1.5.0
• cloud.google.com/go/texttospeech: v1.6.0
• cloud.google.com/go/tpu: v1.5.0
• cloud.google.com/go/trace: v1.9.0
• cloud.google.com/go/translate: v1.7.0
• cloud.google.com/go/video: v1.15.0
• cloud.google.com/go/videointelligence: v1.10.0
• cloud.google.com/go/vision/v2: v2.7.0
• cloud.google.com/go/vmmigration: v1.6.0
• cloud.google.com/go/vmwareengine: v0.3.0
• cloud.google.com/go/vpcaccess: v1.6.0
• cloud.google.com/go/webrisk: v1.8.0
• cloud.google.com/go/websecurityscanner: v1.5.0
• cloud.google.com/go/workflows: v1.10.0
• github.com/alecthomas/kingpin/v2: v2.3.2
• github.com/antlr/antlr4/runtime/Go/antlr/v4: 8188dc5
• github.com/google/gnostic-models: v0.6.8
• github.com/googleapis/enterprise-certificate-proxy: v0.2.3
• github.com/xhit/go-str2duration/v2: v2.1.0
• go.etcd.io/gofail: v0.1.0
• google.golang.org/genproto/googleapis/api: dd9d682
• google.golang.org/genproto/googleapis/rpc: 28d5490

Changed

• cloud.google.com/go/bigquery: v1.8.0 → v1.50.0
• cloud.google.com/go/datastore: v1.1.0 → v1.11.0
• cloud.google.com/go/firestore: v1.1.0 → v1.9.0
• cloud.google.com/go/pubsub: v1.3.1 → v1.30.0
• cloud.google.com/go: v0.97.0 → v0.110.0
• github.com/Azure/azure-sdk-for-go: v55.0.0+incompatible → v68.0.0+incompatible
• github.com/Azure/go-autorest/autorest/adal: v0.9.20 → v0.9.23
• github.com/Azure/go-autorest/autorest/validation: v0.1.0 → v0.3.1
• github.com/Azure/go-autorest/autorest: v0.11.27 → v0.11.29
• github.com/Microsoft/go-winio: v0.4.17 → v0.6.0
• github.com/alecthomas/units: f65c72e → b94a6e3
• github.com/cenkalti/backoff/v4: v4.1.3 → v4.2.1
• github.com/census-instrumentation/opencensus-proto: v0.2.1 → v0.4.1
• github.com/cespare/xxhash/v2: v2.1.2 → v2.2.0
• github.com/cilium/ebpf: v0.7.0 → v0.9.1
• github.com/cncf/udpa/go: 04548b0 → c52dc94
• github.com/cncf/xds/go: cb28da3 → 06c439d
• github.com/cockroachdb/datadriven: bf6692d → v1.0.2
• github.com/container-storage-interface/spec: v1.7.0 → v1.8.0
• github.com/containerd/cgroups: v1.0.1 → v1.1.0
• github.com/containerd/ttrpc: v1.1.0 → v1.2.2
• github.com/coredns/caddy: v1.1.0 → v1.1.1
• github.com/coreos/go-oidc: v2.1.0+incompatible → v2.2.1+incompatible
• github.com/coreos/go-semver: v0.3.0 → v0.3.1
• github.com/coreos/go-systemd/v22: v22.4.0 → v22.5.0
• github.com/docker/distribution: v2.8.1+incompatible → v2.8.2+incompatible
• github.com/dustin/go-humanize: v1.0.0 → v1.0.1
• github.com/envoyproxy/go-control-plane: 49ff273 → v0.10.3
• github.com/envoyproxy/protoc-gen-validate: v0.1.0 → v0.9.1
• github.com/evanphx/json-patch: v4.12.0+incompatible → v5.6.0+incompatible
• github.com/frankban/quicktest: v1.11.3 → v1.14.0
• github.com/fvbommel/sortorder: v1.0.1 → v1.1.0
• github.com/go-kit/log: v0.2.0 → v0.2.1
• github.com/go-logr/logr: v1.2.3 → v1.2.4
• github.com/go-openapi/jsonreference: v0.20.1 → v0.20.2
• github.com/go-task/slim-sprig: 348f09d → 52ccab3
• github.com/gofrs/uuid: v4.0.0+incompatible → v4.4.0+incompatible
• github.com/golang-jwt/jwt/v4: v4.4.2 → v4.5.0
• github.com/google/cadvisor: v0.47.1 → v0.47.3
• github.com/google/cel-go: v0.12.6 → v0.16.0
• github.com/google/gofuzz: v1.1.0 → v1.2.0
• github.com/googleapis/gax-go/v2: v2.1.1 → v2.7.1
• github.com/inconshreveable/mousetrap: v1.0.1 → v1.1.0
• github.com/kr/pretty: v0.3.0 → v0.3.1
• github.com/matttproud/golang_protobuf_extensions: v1.0.2 → v1.0.4
• github.com/mitchellh/go-wordwrap: v1.0.0 → v1.0.1
• github.com/mitchellh/mapstructure: v1.4.1 → v1.1.2
• github.com/onsi/ginkgo/v2: v2.9.1 → v2.9.4
• github.com/onsi/gomega: v1.27.4 → v1.27.6
• github.com/opencontainers/runc: v1.1.4 → v1.1.7
• github.com/prometheus/client_golang: v1.14.0 → v1.16.0
• github.com/prometheus/client_model: v0.3.0 → v0.4.0
• github.com/prometheus/common: v0.37.0 → v0.44.0
• github.com/prometheus/procfs: v0.8.0 → v0.10.1
• github.com/seccomp/libseccomp-golang: f33da4d → v0.10.0
• github.com/spf13/cobra: v1.6.0 → v1.7.0
• github.com/stretchr/testify: v1.8.1 → v1.8.2
• github.com/vishvananda/netns: v0.0.2 → v0.0.4
• github.com/xlab/treeprint: v1.1.0 → v1.2.0
• go.etcd.io/bbolt: v1.3.6 → v1.3.7
• go.etcd.io/etcd/api/v3: v3.5.7 → v3.5.9
• go.etcd.io/etcd/client/pkg/v3: v3.5.7 → v3.5.9
• go.etcd.io/etcd/client/v2: v2.305.7 → v2.305.9
• go.etcd.io/etcd/client/v3: v3.5.7 → v3.5.9
• go.etcd.io/etcd/pkg/v3: v3.5.7 → v3.5.9
• go.etcd.io/etcd/raft/v3: v3.5.7 → v3.5.9
• go.etcd.io/etcd/server/v3: v3.5.7 → v3.5.9
• go.opencensus.io: v0.23.0 → v0.24.0
• go.starlark.net: 8dd3e2e → a134d8f
• go.uber.org/atomic: v1.7.0 → v1.10.0
• go.uber.org/multierr: v1.6.0 → v1.11.0
• golang.org/x/crypto: v0.1.0 → v0.11.0
• golang.org/x/exp: 6cc2880 → a9213ee
• golang.org/x/mod: v0.9.0 → v0.10.0
• golang.org/x/net: v0.8.0 → v0.13.0
• golang.org/x/oauth2: ee48083 → v0.8.0
• golang.org/x/sync: v0.1.0 → v0.2.0
• golang.org/x/sys: v0.6.0 → v0.10.0
• golang.org/x/term: v0.6.0 → v0.10.0
• golang.org/x/text: v0.8.0 → v0.11.0
• golang.org/x/time: 90d013b → v0.3.0
• golang.org/x/tools: v0.7.0 → v0.8.0
• google.golang.org/api: v0.60.0 → v0.114.0
• google.golang.org/genproto: c8bf987 → 0005af6
• google.golang.org/grpc: v1.51.0 → v1.54.0
• google.golang.org/protobuf: v1.28.1 → v1.30.0
• gopkg.in/gcfg.v1: v1.2.0 → v1.2.3
• gopkg.in/natefinch/lumberjack.v2: v2.0.0 → v2.2.1
• gopkg.in/warnings.v0: v0.1.1 → v0.1.2
• k8s.io/klog/v2: v2.90.1 → v2.100.1
• k8s.io/kube-openapi: 15aac26 → 2695361
• k8s.io/utils: a36077c → d93618c
• sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.1.1 → v0.1.2
• sigs.k8s.io/kustomize/api: v0.13.2 → 6ce0bf3
• sigs.k8s.io/kustomize/cmd/config: v0.11.1 → v0.11.2
• sigs.k8s.io/kustomize/kustomize/v5: v5.0.1 → 6ce0bf3
• sigs.k8s.io/kustomize/kyaml: v0.14.1 → 6ce0bf3

Removed

• github.com/antlr/antlr4/runtime/Go/antlr: v1.4.10
• github.com/certifi/gocertifi: 2c3bb06
• github.com/cockroachdb/errors: v1.2.4
• github.com/cockroachdb/logtags: eb05cc2
• github.com/docopt/docopt-go: ee0de3b
• github.com/getsentry/raven-go: v0.2.0
• github.com/google/gnostic: v0.5.7-v3refs