Kubernetes - v1.28.3

Security

Changelog since v1.28.2

Changes by Kind

Feature

  • Kubernetes is now built with Go 1.20.10 (#121153, @cpanato) [SIG Release and Testing]
  • Kubernetes is now built with Go 1.20.9 (#121025, @cpanato) [SIG Release and Testing]

Failing Test

  • E2e framework: retrying after intermittent apiserver failures was fixed in WaitForPodsResponding (#120559, @pohly) [SIG Testing]

Bug or Regression

  • Adds an opt-in mitigation for the HTTP/2 DoS vulnerabilities CVE-2023-44487 and CVE-2023-39325 in the API server for unauthenticated clients. The mitigation is enabled by setting the UnauthenticatedHTTP2DOSMitigation feature gate to true (it is disabled by default). An API server fronted by an L7 load balancer that already mitigates these HTTP/2 attacks may choose not to enable the kube-apiserver mitigation, to avoid disrupting load balancer → kube-apiserver connections when HTTP/2 requests from multiple clients share the same backend connection. An API server on a private network may choose not to enable the kube-apiserver mitigation, to prevent performance regressions for unauthenticated clients. Authenticated requests rely on the fix in golang.org/x/net v0.17.0 alone. https://issue.k8s.io/121197 tracks further mitigation of HTTP/2 attacks by authenticated clients. (#121196, @enj) [SIG API Machinery]
  • Fix 1.28.0 regression where adding aggregated APIService objects could cause apiserver to panic and affect the health check (#121040, @Jefftree) [SIG API Machinery and Testing]
  • Fix a bug in cronjob controller where already created jobs may be missing from the status. (#120649, @andrewsykim) [SIG Apps]
  • Fixed a 1.28.0 regression where kube-controller-manager can crash when StatefulSet with Parallel policy and PVC labels is scaled up. (#121184, @aleksandra-malinowska) [SIG Apps]
  • Fixed a bug where containers would not start on cgroupv2 systems where swap is disabled. (#120924, @klueska) [SIG Node]
  • Fixed a regression in kube-proxy where it might refuse to start if given single-stack IPv6 configuration options on a node that has both IPv4 and IPv6 IPs. (#121008, @danwinship) [SIG Network]
  • Fixed an issue where all the pods in a namespace were drained when an empty selector (i.e. "{}") was specified in a Pod Disruption Budget (PDB). (#121131, @sairameshv) [SIG Apps]
  • Fixed attaching volumes after detach errors. Volumes that failed to detach are no longer treated as attached; Kubernetes now makes sure they are fully attached before they can be used by pods. (#120595, @jsafrane) [SIG Apps and Storage]
  • Fixed bug to surface events for the following metrics: apiserver_encryption_config_controller_automatic_reload_failures_total, apiserver_encryption_config_controller_automatic_reload_last_timestamp_seconds, apiserver_encryption_config_controller_automatic_reload_success_total (#120544, @ritazh) [SIG API Machinery, Auth and Testing]
  • Fixes a bug where Services using finalizers may hold onto ClusterIP and/or NodePort allocated resources for longer than expected if the finalizer is removed using the status subresource (#120654, @aojea) [SIG Testing]
  • Revised the logic for DaemonSet rolling update to exclude nodes if scheduling constraints are not met. This eliminates the problem of rolling updates to a DaemonSet getting stuck around tolerations. (#120785, @mochizuki875) [SIG Apps and Testing]
  • Sometimes, the scheduler incorrectly placed a pod in the "unschedulable" queue instead of the "backoff" queue. This happened when some plugin previously declared the pod as "unschedulable" and then in a later attempt encounters some other error. Scheduling of that pod then got delayed by up to five minutes, after which periodic flushing moved the pod back into the "active" queue. (#120334, @pohly) [SIG Scheduling]

Other (Cleanup or Flake)

  • Fixes an issue where the vsphere cloud provider will not trust a certificate if:
      ◦ The issuer of the certificate is unknown (x509.UnknownAuthorityError)
      ◦ The requested name does not match the set of authorized names (x509.HostnameError)
      ◦ The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority"
    (#120768, @MadhavJivrajani) [SIG Architecture and Cloud Provider]
  • Set the resolution for the job_controller_job_sync_duration_seconds metric from 4ms to 1min (#120667, @mimowo) [SIG Apps and Instrumentation]

Dependencies

Added

Nothing has changed.

Changed

  • github.com/vmware/govmomi: v0.30.0 → v0.30.6
  • golang.org/x/crypto: v0.11.0 → v0.14.0
  • golang.org/x/net: v0.13.0 → v0.17.0
  • golang.org/x/sys: v0.10.0 → v0.13.0
  • golang.org/x/term: v0.10.0 → v0.13.0
  • golang.org/x/text: v0.11.0 → v0.13.0

Removed

Nothing has changed.


Details

Date: Oct. 18, 2023, 2:36 p.m.
Name: Kubernetes v1.28.3
Type: Patch