Kubernetes - v1.30.0-alpha.3


Changelog since v1.30.0-alpha.2

Changes by Kind

API Change

  • Added a CBOR implementation of runtime.Serializer. Until CBOR graduates to Alpha, API servers will refuse to start if configured with CBOR support. (#122881, @benluddy) [SIG API Machinery]
  • Added audienceMatchPolicy field to AuthenticationConfiguration and support for configuring multiple audiences.
      • The "audienceMatchPolicy" can be empty (or unset) when a single audience is specified in the "audiences" field.
      • The "audienceMatchPolicy" must be set to "MatchAny" when multiple audiences are specified in the "audiences" field. (#123165, @aramase) [SIG API Machinery, Auth and Testing]
  • Contextual logging is now beta and enabled by default. (#122589, @pohly) [SIG Instrumentation]
  • Cri-api: KEP-3857: Recursive Read-only (RRO) mounts (#123272, @AkihiroSuda) [SIG Node]
  • Enabled a mechanism for concurrent log rotation via kubelet using a configuration entity of containerLogMaxWorkers, which controls the maximum number of concurrent rotations that can be performed, and an interval configuration of containerLogMonitorInterval that can aid in configuring the monitoring duration to best suit your cluster's log generation standards. (#114301, @harshanarayana) [SIG API Machinery, Node and Testing]
  • Text logging in Kubernetes components now uses textlogger. The same split streams of info and error log entries with buffering of info entries is now also supported for text output (off by default, alpha feature). Previously, this was only supported for JSON. Performance is also better without split streams. (#114672, @pohly) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Storage and Testing]
  • This change adds the following CLI option for kube-controller-manager:
      • disable-force-detach (defaults to false): Prevent force detaching volumes based on maximum unmount time and node status. If enabled, the non-graceful node shutdown feature must be used to recover from node failure (see https://kubernetes.io/blog/2023/08/16/kubernetes-1-28-non-graceful-node-shutdown-ga/). If enabled and a pod must be forcibly terminated at the risk of corruption, then the appropriate VolumeAttachment object (see here: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1/) must be deleted. (#120344, @rohitssingh) [SIG API Machinery, Apps, Storage and Testing]

Feature

  • A new kubelet metric image_pull_duration_seconds is added. The metric tracks the duration (in seconds) it takes for an image to be pulled, including the time spent in the waiting queue of image puller. The metric is broken down by bucketed image size. (#121719, @ruiwen-zhao) [SIG Instrumentation and Node]
  • A new metric lifecycle_handler_sleep_terminated_total is added to record how many times LifecycleHandler sleep got unexpectedly terminated. (#122456, @AxeZhan) [SIG Node and Testing]
  • Add "reason" field to image_garbage_collected_total metric, so admins can differentiate images that were collected for reason "age" vs "space" (#123345, @haircommander) [SIG Node]
  • Add feature gate MutatingAdmissionPolicy for enabling mutation policy in admission chain. (#123425, @cici37) [SIG API Machinery]
  • Add kubelet metrics to track the memory manager allocation and pinning (#121778, @Tal-or) [SIG Node and Testing]
  • Added support for cloud provider integrations to supply optional, per-Node custom labels that will be
    applied to Nodes by the node controller.
    Extra labels will only be applied where the cloud provider integration implements this. (#123223, @mmerkes) [SIG Cloud Provider]
  • Kube-apiserver now reloads the --authorization-config file when it changes. Reloads increment the apiserver_authorization_config_controller_automatic_reload_last_timestamp_seconds timestamp metric, with status="success" for successful reloads and status="failed" for failed reloads. Failed reloads keep using the previously loaded authorization configuration. (#121946, @liggitt) [SIG API Machinery, Auth and Testing]
  • Kube-apiserver now reports metrics for authorization decisions in the apiserver_authorization_decisions_total metric, labeled by authorizer type, name, and decision. (#123333, @liggitt) [SIG API Machinery, Auth and Testing]
  • Kubeadm: add support for machine readable output with "-o yaml" and "-o json" to the command "kubeadm certs check-expiration". This change is added in a new API "kind": "CertificateExpirationInfo", "apiVersion": "output.kubeadm.k8s.io/v1alpha3". The existing non structured formatting is preserved. The output API version v1alpha2 is now deprecated and will be removed in a future release. Please migrate to using v1alpha3. (#123372, @carlory) [SIG Cluster Lifecycle]
  • LoadBalancerIPMode feature is now marked as Beta (#123418, @rikatz) [SIG Network and Testing]
  • New alpha feature gate SELinuxMount can be used to speed up SELinux relabeling of volumes. (#123157, @jsafrane) [SIG Node and Storage]
  • NewVolumeManagerReconstruction feature is now GA. (#123442, @jsafrane) [SIG Node]
  • Promoted the CRDValidationRatcheting feature gate to beta, and made it enabled by default. (#121461, @alexzielenski) [SIG API Machinery and Testing]
  • Update ImageGCMaxAge behavior in the kubelet to wait the MaxAge duration after the kubelet has restarted before garbage collecting (#123343, @haircommander) [SIG Node and Testing]
  • When the RetryGenerateName feature gate is enabled on the kube-apiserver,
    create requests using generateName are retried automatically by the apiserver when the generated name conflicts with an existing resource name, up to a max limit of 7 retries.
    This feature is in alpha. (#122887, @jpbetz) [SIG API Machinery]

Documentation

  • Add a new internal metric in the kubelet that allows developers to understand the source of the latency problems on node startups: kubelet_first_network_pod_start_sli_duration_seconds (#121720, @aojea) [SIG Instrumentation, Network and Node]

Bug or Regression

  • DRA: fixed potential data race with no known real-world implications. (#123222, @pohly) [SIG Node]
  • Fix bug where health check could pass while APIServices are missing from aggregated discovery (#122883, @Jefftree) [SIG API Machinery and Testing]
  • Fixed an issue where a JWT authenticator configured via --authentication-config would fail to verify tokens that were not signed using RS256. (#123282, @enj) [SIG API Machinery, Auth and Testing]
  • Improves scheduler performance when no scoring plugins are defined. (#123384, @aleksandra-malinowska) [SIG Scheduling]
  • Kubeadm: fix a bug during kubeadm upgrade, where it is not possible to mount a new device and create a symbolic link for /etc/kubernetes (or a sub-directory) so that kubeadm stores its information on the mounted device. (#123406, @SataQiu) [SIG Cluster Lifecycle]
  • Kubeadm: fix a bug where "kubeadm upgrade plan -o yaml|json" includes unneeded output and was missing component config information. (#123492, @carlory) [SIG Cluster Lifecycle]
  • Patches a leak of a discovery document that would occur when an Aggregated APIService changed its Spec.Service field and did not change it back. (#123517, @Jefftree) [SIG API Machinery]
  • Restore --verify-only function in code generation wrappers. (#123261, @skitt) [SIG API Machinery]
  • Sample-apiserver manifest example will have correct RBAC (#123479, @Jefftree) [SIG API Machinery and Testing]

Other (Cleanup or Flake)

  • An optimization is implemented to reduce stack memory usage for watch requests. It can be disabled with the feature gate: APIServingWithRoutine=false (#120902, @linxiulei) [SIG API Machinery]
  • Kubeadm: make sure that a variety of API server requests are retried during "init", "join", "upgrade", "reset" workflows. Prior to this change some API server requests, such as creating or updating ConfigMaps, were "one-shot", i.e. they could fail if the API server dropped connectivity for a very short period of time. (#123271, @neolit123) [SIG Cluster Lifecycle]
  • Kubeadm: the bridge-nf-call-iptables=1 and bridge-nf-call-ip6tables=1 preflight checks are removed since not all the network implementations require this setting; network plugins are responsible for setting this correctly depending on whether or not they connect containers to Linux bridges or use some other mechanism. (#123464, @SataQiu) [SIG Cluster Lifecycle]
  • Upgrade metrics server to v0.7.0 (#123504, @pacoxu) [SIG Cloud Provider and Instrumentation]

Dependencies

Added

Nothing has changed.

Changed

  • github.com/fxamacker/cbor/v2: v2.5.0 → v2.6.0
  • golang.org/x/crypto: v0.16.0 → v0.19.0
  • golang.org/x/sys: v0.15.0 → v0.17.0
  • golang.org/x/term: v0.15.0 → v0.17.0

Removed

Nothing has changed.


Details

date: Feb. 28, 2024, 5:37 a.m.
name: Kubernetes v1.30.0-alpha.3
type: Pre-release