CHANGELOG/CHANGELOG-1.36.md
| filename | sha512 hash |
|---|---|
| kubernetes.tar.gz | c134ae3f6d7b8276d2f2020ea0890a70f1ce136ee9460f4b12fa6719f6f4e8909fe9fbf85a52b4b87f6d2032d7044d57f1928f48060f251dbba644deb6649a1f |
| kubernetes-src.tar.gz | 627e4211a1578935ad9635c2400f302ac2a08e56d8cdb0427dd2fa016f4a45f2d58aeaa0c1b089deb9abb2c3036d29b6ee919ada57a1606fabef8c513c618717 |
| filename | sha512 hash |
|---|---|
| kubernetes-client-darwin-amd64.tar.gz | 876b2a5db62a21aa525e3b9766c9ad5a89b0b718fc36f35a0aa976de8d0890e482bf1cc9e07b805544d8d20aff6ef3869b5492afb877cac87f35cea169cf817f |
| kubernetes-client-darwin-arm64.tar.gz | bd9f7e60992fd4508ae74722cfe7a7aa8e9805c46ed0dec6b4347c0c278eb97e672c4fb894007af9c59673514a9b0645e17196c492edaafb072381697ea45ac9 |
| kubernetes-client-linux-386.tar.gz | cef8f4aa41dd953b9a6065b1e761c59b20d35cdf13a95a2bcffc6ae9fac77c14b833ee054429ade778c8032dce372ff4234c69cb463b072a4494b628e25400a1 |
| kubernetes-client-linux-amd64.tar.gz | 0c23410d581b626d4f36dd291101ce81b64d15da95692693b16b05ffffb42b0f77c8e85b32631fa19e3c9d2109e267d775740f0e50dc29694093ef32be3bada1 |
| kubernetes-client-linux-arm.tar.gz | 02b27b095c060baa4034588353c4f777eb4d0defc6a536ebe62e9a72a93987ecb5cbbe9181dc00a5c6fbeac7232e7770cf04655a46376b9b63bb5229eeeb63fd |
| kubernetes-client-linux-arm64.tar.gz | 6777fc534be81b04deaf37051ff82359e894e71c2ec97656850ac1973375f1ec2d61e538e574b9d95d1548fa4c2e9e584fd0225f79930caba9f7d981ae0f8026 |
| kubernetes-client-linux-ppc64le.tar.gz | 661dc1a997a9eae839b9f7835d062115b327590dd241ceb72bf32fe56e6bbc82614ff7b100f72056a694e2f4fd6a86d4396fc65a43858aafabbea825f925f274 |
| kubernetes-client-linux-s390x.tar.gz | b9b1c9e6cc9b6d1778ab5ac290c5541dfd57877d8fed80f6a7a3b01108cb8296e038908fb881801d6cd5204906ee68672cf6ea2d4766e64034f5615dc3fd116b |
| kubernetes-client-windows-386.tar.gz | 9f0c3d7f7057b0c61075db496041b92808e9039f9fbbbf4e8acb90c2e535700d1bdc11bdd78effd3a27b9b2593998a40016e7bd806311ff72256cc3d5e4c759c |
| kubernetes-client-windows-amd64.tar.gz | 9d62b1d9e3c0c869907fb10cb850cd4ef855570f3991c08e779369fe4c732e06c36dafa2bfea0589bac4852308a74f9f4f4de495d30ccf80ea4b886538a4541f |
| kubernetes-client-windows-arm64.tar.gz | e4f8a2dc09c59132cca3ffe96c9da2d2e862343382fbcb64cbb77b61e0ba02898b1f78b546a833c081307d0959190b39991b8b898313bb7ee3a7bcce65aea8de |
| filename | sha512 hash |
|---|---|
| kubernetes-server-linux-amd64.tar.gz | 2a746d8485428451ea98b4a6bc87caff3d5a16380081b5dca8e4a945b398c415770b2ade78e9c356d4b1d8289b8eb04d155fd75c8a22bfd8e4a8eb8b68243174 |
| kubernetes-server-linux-arm64.tar.gz | 0f8e304d016ec0b976a05df060ea6e6c750b2c0d0990f5572a2e2b285015a08aa4892ba1046822d34d5620f84b73d655ca32e054eb05d78a47c13f567d7a643f |
| kubernetes-server-linux-ppc64le.tar.gz | d0b58696236107a80cd2d907316ce771d626dc7c3427b8d7f61191d506f68aa7bd0cd47aa2708f6e229bf8722a834bf4af9b1ed886e972e466bd306dba3f259f |
| kubernetes-server-linux-s390x.tar.gz | 4bced69b2ff0b8231b9085729d8da1f59e3311c0013eee67ae742da79c9d8cff0921fca1f4fb08d9ed2d2d78b059b026ebddac7f36471b244d9dfdd952018c72 |
| filename | sha512 hash |
|---|---|
| kubernetes-node-linux-amd64.tar.gz | 5adae9badcb1bc7dda5bc75a7fc41ead727e62a9744c5545a4c43a8e2e77127720f83212ad0b7a244c7c7f9b82abb2e2e3c2c8e18a4739320591ec1c388eb7d4 |
| kubernetes-node-linux-arm64.tar.gz | cba5683285a0e74830d4334e35b1fa6495b553a03917af40c795157b57a96a7165e502b3dfac37d8cd619619c871eac1055c501615c2e762fbb7c1d9a824dae0 |
| kubernetes-node-linux-ppc64le.tar.gz | 1352a58e7e1aff9809cb1f875058ed9a1f5b80a8aeaa4c5b38cc91316c1fe0c3846c3868d3b8c70912a3a736d433197ca76a6a656f4b58ecc34ef8a773843042 |
| kubernetes-node-linux-s390x.tar.gz | be83680c9c73bf2c9c2f90d27fe7efd9eb26074ebf4004391bb0650125c354bcc71c42b5b964ed1d725d34a7be60d3a676d9fac5efedd6fc157653a2c6cd32b5 |
| kubernetes-node-windows-amd64.tar.gz | 45fdaa8d3020589e197ea37532c2428fecb71b0c4a7661d627b24ee52cacf9323b51387188e848f85f25f630b97ed86f0318b5708adcddfd5a3cdaa9e46e0908 |
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
Nothing has changed.
Nothing has changed.
| filename | sha512 hash |
|---|---|
| kubernetes.tar.gz | 5b28aae440bdb013eb1497bc357a4b27eb51d275b6da72a9f8aec845169ecbc47ed8c82f091b3b62ede51765e587e652040e39f78da4dd5f560be88f3c3cc52b |
| kubernetes-src.tar.gz | 84e1f0f1e3e57e4b19cb0971d0d980b47cbd2b512e0a0a1477bf88f9d0ff4b786a714e391276fc7b6c4ec119fb8311272b4838644be0bb54c898d31c6640e8b5 |
| filename | sha512 hash |
|---|---|
| kubernetes-client-darwin-amd64.tar.gz | d7f5c47f327bee440c506a37876538eb232900b1d01c922ca3e3f3ee5a7cf73a35e1c9bcf0c045f9341ee41c04bdac1728f691b470c0ce6302704000347bbad1 |
| kubernetes-client-darwin-arm64.tar.gz | fac20e24b8f9f4fba2c22a6acc193d2fc561542233c7707328a87a1ddbf0d2a476503487c055a21b3661df4cda7e96e271734192c65d1d8badd275cfabbb6ec8 |
| kubernetes-client-linux-386.tar.gz | 64edce3331e69b6abb4cb6b0668125c511ee82e2e98978af44e541a3218d09d832f44cec05ea22fc8fd141587b15915153cd92f4664b6da6b2f56891f6b9af3e |
| kubernetes-client-linux-amd64.tar.gz | e15cea3fe11262d903b549c26c36936232b08cfa231573a1c7aeaa64553ff2099534bae8e92c99a304ab7edc945e692f95da77ed68b4e4896a99377d00bcde66 |
| kubernetes-client-linux-arm.tar.gz | eb93e29a907f19f4fabd77f0268c2ebb278a332aa182b9e8e3d56b9fff2a28442dee888689f87ca25b3111ee7dc87d9961d5bd0d1867d812edbeff867380996d |
| kubernetes-client-linux-arm64.tar.gz | 3d184176e56da806368a36b2c8ee33e7f695970498132ed39ddf62d0733440bf1198833441ec05923b1b7d0d50da01896a5253e6be38f950775eb6e82022302f |
| kubernetes-client-linux-ppc64le.tar.gz | e985ea5dd3a5d61bcb60e209d7e520c6102a0c7117e23c17ad5dc1a34538a5c73cd5e1abe335aba122e3e6abebaa98b4a1d98912f0f9e63efa9f824594ba54db |
| kubernetes-client-linux-s390x.tar.gz | a44617572f6099efab0133cc2c0b4e9dcfedca6e9d4381036ab2b2a58909250b2062d14f2ef1c06fd814ecf1f6979784f9f5303983865ce490817d8f88abe021 |
| kubernetes-client-windows-386.tar.gz | da1df34ff592947383f02c34df15ad2d68c09eb43de670eb6c59525ce2e35dd24578645e8c114314c19fc3c3f1fe6dc05d141db513b3326a3d76d08b23f92e74 |
| kubernetes-client-windows-amd64.tar.gz | 37e27266d6a671c0d5dd2add6e3e441715f627419f4765a055020aa19d303997d5ae05da56b88a3a7de5b2d85be4b5b49ee776ad16349f458a94eabe3d4dca38 |
| kubernetes-client-windows-arm64.tar.gz | 40f0e5a3fce2e5650d7a00ca1e55f49f1ac00c0a1fd91f79719102f0eac4bfb164f3deb94d3b6ac39c7f2596bdab8c95d43b76a68b81b07d9e000e6a3bf9532e |
| filename | sha512 hash |
|---|---|
| kubernetes-server-linux-amd64.tar.gz | 134342bbe78abb9b02ae3ebe10b9e5de72d2ae9084f33c767d0045c04e740f5c50c40fb9bba00ac2afcb96afcd507b8745c26ec02a40ab0b6a2ca938b9797577 |
| kubernetes-server-linux-arm64.tar.gz | 51a034a8e544db735f803237d6e363f156b36793fea613029c6db005d9fede5147f623f03732b3bf55d8674cd5faf2f6c675f2f0998c1fbb836548fb581402a5 |
| kubernetes-server-linux-ppc64le.tar.gz | 5e9a38e2fd29e23240dd4f82f94504258310c5262b59d2b7dd24ddde6e61282042ac7727fdde7fd7c137ca3a63a7a6b8ae38278a839dc825129dc53069d82ceb |
| kubernetes-server-linux-s390x.tar.gz | e70e9b0cf26a81c5d8030609f8d3aa91e569353d688fc74f6f63244453651f2f38139af92880b68393cc110c70d25fd0f686e06d55c6873bbb4e0f572dd964c2 |
| filename | sha512 hash |
|---|---|
| kubernetes-node-linux-amd64.tar.gz | a716ef2572eedde30999ec7ab1a720dc749afa7c4440457b846f868634f1faa6d36b88d80838575cf41bd5eac0b229c2606f32898347bb56342a7ff854dd6852 |
| kubernetes-node-linux-arm64.tar.gz | 69ae5167206cc88b125a8f53e618e4f452130a940ea5fbd1e79bf0c6ce82a624a468529cb4ac4d56cc644826fea3bf13a42c99cc43d54fd42acfa98eb04e0897 |
| kubernetes-node-linux-ppc64le.tar.gz | d9f292776a53c2db0d7a518eb6b3844d2eca971528e04ee30ac17340d7748eca9a0aa57edceef15267d254dd8a04fcc2a63485f8fda8610cb90a6c53b88779bd |
| kubernetes-node-linux-s390x.tar.gz | 3f564f9340a52714669e73cff2c5b7a86971bd252ee095e0739e71792d42577d76a4df2fe669f18377cc5ed3a7dc577439af54e4d0033d2d5539978730a85ded |
| kubernetes-node-windows-amd64.tar.gz | b00af83413f84e2f585a74aa217af4deadf39b792479cc6e47b9b4e7ae1e2d4975c094d385d405a6a47de602153a7df7be9fa663d4734f3fdb6fb513b76a5c26 |
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
Add ResourcePoolStatusRequest API (v1alpha1) for querying DRA resource pool availability. This enables users and external schedulers to discover available devices across pools before submitting workloads. Requires the DRAResourcePoolStatus feature gate (alpha). (#137028, @nmn3m) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node, Scheduling, Storage and Testing]
Added DisruptionMode, PriorityClassName and Priority fields to Workload and PodGroup APIs to support workload-aware preemption when WorkloadAwarePreemption feature gate is enabled. (#136589, @tosi3k) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
DRA (Dynamic Resource Allocation) drivers and controllers now require granular RBAC permissions to update ResourceClaim statuses when the DRAResourceClaimGranularStatusAuthorization feature gate is enabled (Beta in 1.36). Schedulers and controllers must be granted update/patch on resourceclaims/binding. DRA drivers must be granted associated-node:update or arbitrary-node:update (or patch equivalents) on resourceclaims/driver, restricted by their specific resourceNames. (#134947, @aojea) [SIG API Machinery, Apps, Auth, Instrumentation, Node, Scheduling and Testing]
DRA: PodGroup resources can now make requests with ResourceClaims through a spec.resourceClaims field which can refer to ResourceClaims and ResourceClaimTemplates. Claims made by a PodGroup are reserved for the entire PodGroup instead of individual Pods, allowing more than 256 Pods to share a single ResourceClaim. ResourceClaimTemplates referenced by a PodGroup's claim will replicate into a ResourceClaim specific to that PodGroup able to be shared by all of the group's Pods. (#136989, @nojnhuh) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
Graduate InPlacePodLevelResourcesVerticalScaling feature to beta and have it on by default. This feature allows resizing the CPU and memory resources at pod-level for pods with pod-level resources set and enabled. (#137684, @ndixita) [SIG API Machinery, Apps, Autoscaling, Node, Release, Scheduling and Testing]
Promote NodeLogQuery to GA. (#137544, @jrvaldes) [SIG Node and Windows]
[Alpha] Introduce List Types for Attributes in DRA (KEP-5491).
The DRAListTypeAttributes feature gate(false by default) can activate below enhancements.
For DRA drivers, it can enable list-type fields(bools/ints/strings/versions) for device attributes in ResourceSlice. Please remember that the number of attribute values, including scalars and lists, per single device is limited to 48.
For DRA users, this feature enhances the semantics of matchAttribute/distinctAttribute constraint in ResourceClaim to work on both scalar and list attributes. The matchAttribute constraint now matches when the intersection (as a set) of all the list values among candidate devices is non-empty. The distinctAttribute constraint, which is behind the ConsumableCapacity feature gate, matches when all the list values (as a set) among candidate devices are pairwise disjoint. In both constraints, scalar values are implicitly treated as a singleton set.
And, a new CEL function .includes is introduced. The function can work on both scalar and list attributes to test inclusion(e.g., device.attributes["dra.example.com"].model.includes("model-a")). This can support smooth migration for CEL expression in DRA resources when a DRA driver changes the attribute value type from scalar to list, or vice versa. (#137190, @everpeace) [SIG API Machinery, Node, Scheduling and Testing]
UserNamespacesHostNetwork runtime handler and integrates the UserNamespacesHostNetworkSupport feature gate with the NodeDeclaredFeatures feature gate. The UserNamespacesHostNetworkSupport feature gate only takes effect when the container runtime's UserNamespacesHostNetwork runtime handler returns true and the NodeDeclaredFeatures feature gate is enabled. (#135828, @HirazawaUi) [SIG Autoscaling, Node, Scheduling and Testing]Nothing has changed.
Nothing has changed.
Nothing has changed.
| filename | sha512 hash |
|---|---|
| kubernetes.tar.gz | 7e4c5eb75fdcbddb19c94139ead1b7d16bbc9332f319006312441db15cf2d5562625a42cc1a14aad93338a1e48e6c00e2abfe23071626d2a80959ce71c82fc07 |
| kubernetes-src.tar.gz | a97a579bf0b56b408908d1ab58bb75c821e05bb26b301afb223302314a569ebed865b019118ece4a94e598564d21d36ad1f452ea5f64837e3ebbca67b11c1201 |
| filename | sha512 hash |
|---|---|
| kubernetes-client-darwin-amd64.tar.gz | 942e91cc2e59e2b3c6d14d0e3547c349b5fdf573f76861baa78a650871bbddf80c5503b8ab42a7c34481fd5750781722274aae1210cddbb82cccc5ebb38c96f1 |
| kubernetes-client-darwin-arm64.tar.gz | 3d985d2d528017b806cd6073ff4dee53faf3ee8b6a25c994287b82a4b09be6ed0e0ab122c4659b08d61fb0a0603bad00dd6c34f5d08f7d3a9fa7ed810619efd0 |
| kubernetes-client-linux-386.tar.gz | 4631d3edc7dc0fe4dc2cfa6b0b520d167d372b60ea386dcea8c2b59b2e4c37bcf8fff93ef77813a5842dac7d45926efdc78a69fcaafe8aa488dab2d36eb36f37 |
| kubernetes-client-linux-amd64.tar.gz | bc41228fd7e01c94c88b6f6798ae4a37834098880bc00109a5e54bd1138a9b827804426003dfedf92d418c8a1b79bc39443518b1cefbcac616c211528287e26b |
| kubernetes-client-linux-arm.tar.gz | b89b8174eba4fc43560c35f37abb599b326a38963bdf1a4925c1eacbf1090c859ce6fb664475ab953859ea3c9f7e1d7bceaeadb2a9f42d2772efba7dc521917c |
| kubernetes-client-linux-arm64.tar.gz | 4693d9992d1b2148e6cd93eafba1ef03a73a72f1b81c610be6f6597225bc31a7fe60775f04c1b89b7dc669eba16087762b14c21ae7d8fd405e1a9a24bd2b838b |
| kubernetes-client-linux-ppc64le.tar.gz | 166ab0173f7e80f4d584fe2cf61693b3bb0896840d587e7c2b5fd670db5498f8facfefd2ea49c91c50ab53304c9bc430fa29e87420abb552355e1ed9068c7e95 |
| kubernetes-client-linux-s390x.tar.gz | 0b3c66b59cd4935ff56b493a3aae0ddf441f89ab4e52a45edbfbd0cd882af317ddf85e40cb914681fbb89a55ad3707884d0c3046f8df2a9045702ff62df06bf2 |
| kubernetes-client-windows-386.tar.gz | cb4083fed4d5e3140f7dd5730e7dabf681ea11999f0b6e946a6f840380355257f849b35600f29e2d87fc056036e41827fe5596991882eedc4fd9a5c3addf8d97 |
| kubernetes-client-windows-amd64.tar.gz | 9b858b63cea22adfe924f5a583ed398c0c613a436c4f9db625d13ca52f1dd79c49daf7b6d981c2be1d90218385194822908dfdf70e41bc55b58c5ff8c6a32e00 |
| kubernetes-client-windows-arm64.tar.gz | a7982d04ee2c2a804e575c20121036ac5fbfcb82f1c473525635ad7bb816055ec6f223b4c7612b7b87d185816368d2e690a1c3ed47336cc2eebbf6372f0576de |
| filename | sha512 hash |
|---|---|
| kubernetes-server-linux-amd64.tar.gz | 826ce2b809ae92eddacdb7c1dc75108024112457a0c1d48a23809d282707d13292d5fa40502ef7b6f44a9d68821eb556f59af05498a47427fd337634018ed576 |
| kubernetes-server-linux-arm64.tar.gz | 3f70adbb9b1389670b0d77c1caab3b2b83253caa90e4641fc4604a0d559f286a1b083d0111db7c0bc057e25f6184f2b1fed9a206ad21c29b7c0a03869c8cbaf2 |
| kubernetes-server-linux-ppc64le.tar.gz | a092665ee24cdda2800f31be942704340bdd541590d7d752e0ba847fadbcf6eb047954f890476f7b926c49984b3d9cb1ef675eedb76163d3b155ab4f5430fc3d |
| kubernetes-server-linux-s390x.tar.gz | acfb69d1a089bd2bd9250d37ebc705eaf80a3b831b80756cabe90f9a8d92816344a12859ec49e6f6a74e6ec0b2a39d382be7f3061f0ffad3f9d1fdb82e25d5f0 |
| filename | sha512 hash |
|---|---|
| kubernetes-node-linux-amd64.tar.gz | cb8e8ec77f7e4ea9e8db50cb41339b1c1026b3565b0a47a6873156cec58e495897b0a767885838d9f085c1f6b69d40eb2e3b1babc5f9c85c235a13ddd9399670 |
| kubernetes-node-linux-arm64.tar.gz | cea68a83e7b202e273721be4fd708fcd45d4d3e06f1d8b6da5d6282672e11282d0cb162a76595ae4b95381a27afd3eebfe15595b18539dac720658f67e9ab549 |
| kubernetes-node-linux-ppc64le.tar.gz | f1e73ab63bef0a79f8c04a4e123f99d6fcc5efd576766bb84dde9988979a87a7d4aba18e29e3696396cd1fca2281345b353fcd470cfbdfae27a122bdb9270ecd |
| kubernetes-node-linux-s390x.tar.gz | 61f255a0e29fb87b10bf3aa0cd0d48921cf3491662acf39ed455e8322d76034129808a6855a95e451a69960991ee3641d11a1a487bc897b0f0097c4d5eb9bce6 |
| kubernetes-node-windows-amd64.tar.gz | 8e30f607ba4c196ae4fb422fa632d497d940bb82c34f3aef4ee13477070cf932119eb2968065d571bbd1a714f77ca6a6a238013fabfb6f4d580921553fd8abab |
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
Raw field of metav1.FieldsV1 is deprecated. Code that constructs or reads FieldsV1 should migrate to the new NewFieldsV1(string), GetRawBytes(), GetRawString(), and SetRawBytes() accessor methods. (#137304, @aaron-prindle) [SIG API Machinery, Apps and Testing]AllowlistEntry.Name to AllowlistEntry.Command in the credential plugin allowlist (#137272, @pmengelbert) [SIG API Machinery, Auth, CLI and Testing]A few log calls which did not properly format their parameters were fixed. (#137108, @pohly) [SIG API Machinery, Apps, Auth, Cluster Lifecycle, Network, Node, Scheduling and Testing]
Add --tls-curve-preferences flag for configuring TLS key exchange mechanism (#137115, @damdo) [SIG API Machinery, Architecture, CLI, Cloud Provider, Node and Testing]
Add a deletion protection mechanism for PodGroup objects. (#137641, @helayoty) [SIG API Machinery, Apps, Auth, Scheduling and Storage]
Add admission plugin that validates PodGroup resources reference an existing Workload and match the declared PodGroupTemplate spec. (#137464, @helayoty) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
Add alpha support for manifest-based admission control configuration (KEP-5793). When the ManifestBasedAdmissionControlConfig feature gate is enabled, admission webhooks and CEL-based policies can be loaded from static manifest files on disk via the staticManifestsDir field in AdmissionConfiguration. These policies are active from API server startup, survive etcd unavailability, and can protect API-based admission resources from modification. (#137346, @aramase) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage, Testing and Windows]
Add opt-in alpha support in kubeletplugin framework for DRA drivers to publish DRA Device metadata in pod CDI mounts (#137086, @alaypatel07) [SIG Apps, Network, Node and Testing]
Add tlsServerName field to EgressSelectorConfiguration TLSConfig to allow overriding the server name used for TLS certificate verification (#136640, @kennangaibel) [SIG API Machinery, Apps, Auth, Storage and Testing]
Added MemoryReservationPolicy cgroup v2 MemoryQoS support to KubeletConfiguration for memory.min protection. (#137584, @QiWang19) [SIG Node and Storage]
Added PlacementGenerate extension point to the scheduler. It's used to generate placements for placement-based pod group scheduling. Its use is guarded by the TopologyAwareWorkloadScheduling feature gate. (#137083, @brejman) [SIG Scheduling]
Added PlacementScore extension point to the scheduler. It's used to score placements in order to choose the best one for placement-based pod group scheduling. Its use is guarded by the TopologyAwareWorkloadScheduling feature gate.
Deprecated MinNodeScore and MaxNodeScore in favor of MinScore and MaxScore. (#137201, @brejman) [SIG Scheduling]
Added SchedulingConstraints to express TAS constraints for pod group scheduling behind TopologyAwareWorkloadScheduling feature gate.
Added TopologyPlacement plugin implementing PlacementGenerate extension point to take the constraints into consideration during pod group scheduling. The usage of this plugin is guarded by the TopologyAwareWorkloadScheduling feature gate. (#137271, @brejman) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
Added TAS logic to the pod group scheduling cycle behind TopologyAwareWorkloadScheduling feature gate. This feature supports scheduling pod groups on nodes with matching topology domains. (#137489, @brejman) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
Added PodGroupPodsCount scheduler plugin to support workload-aware scheduling by prioritizing placements with higher pod counts within a group. (#137488, @vshkrabkov) [SIG Scheduling and Testing]
Added alpha support (behind PersistentVolumeClaimUnusedSinceTime feature gate) for tracking PVC unused status via a new Unused condition on PersistentVolumeClaimStatus. When enabled, the PVC protection controller sets Unused=True with a lastTransitionTime when no non-terminal Pods reference the PVC, enabling external automation to identify and manage unused storage. (#137862, @gnufied) [SIG Apps, Auth, Storage and Testing]
Added placement-based pod group scheduling algorithm to scheduler. Its use is guarded by the TopologyAwareWorkloadScheduling feature gate. (#136944, @brejman) [SIG Scheduling and Testing]
Allow users to opt-in to scheduling behaviour for CSI volume (#137343, @gnufied) [SIG API Machinery, Scheduling and Storage]
Config.k8s.io.flagz API is graduated to v1beta1 (#137174, @richabanker) [SIG API Machinery, Instrumentation, Node, Scheduling and Testing]
Config.k8s.io.statusz API is graduated to v1beta1 (#137173, @richabanker) [SIG API Machinery, Instrumentation, Scheduling and Testing]
DRA DeviceTaintRules: the TimeAdded of the taint is not only added automatically, it now also gets updated automatically when changing the effect. (#137167, @pohly) [SIG API Machinery, Node and Testing]
DRA extended resource feature is promoted to beta in 1.36 (#135048, @yliaog) [SIG API Machinery, Architecture, Auth, Network, Node, Scheduling and Testing]
DRA: graduate Device Binding Conditions (KEP #5007) to beta. The feature is now enabled by default in v1.36. (#137795, @ttsuuubasa) [SIG API Machinery, Node, Scheduling and Testing]
DRA: graduated device taints and tolerations (KEP #5055) to beta. Support for DeviceTaints in ResourceSlices is on by default. Support for DeviceTaintRules depends on enabling resource.k8s.io/v1beta2 and the DeviceTaintRules feature gate. (#137170, @pohly) [SIG API Machinery, Apps, Auth, Cluster Lifecycle, Etcd, Node, Scheduling and Testing]
DRAConsumableCapacity is enabled by default. (#136611, @sunya-ch) [SIG API Machinery, Cluster Lifecycle, Node, Scheduling and Testing]
Extended NodeResourcesFit to implement the PlacementScore extension point. The usage of the PlacementScore extension point is guarded by the TopologyAwareWorkloadScheduling feature gate. (#136652, @brejman) [SIG Scheduling]
Feature gate UserNamespacesSupport is now GA. (#136792, @rata) [SIG API Machinery, Apps, CLI, Node, Storage and Testing]
For pod resizes requested on nodes where the resize request exceeds the node's allocatable capacity or the node is running an OS that does not support resize, the request will now fail in admission rather than be marked as Infeasible in the pod status later. (#136043, @natasha41575) [SIG API Machinery, Node, Release, Scheduling, Storage and Testing]
Graduate metric 'apiserver_storage_events_received_total' to BETA (#136314, @petern48) [SIG API Machinery, Etcd, Instrumentation and Testing]
Graduated ImageVolume feature to stable. (#136711, @saschagrunert) [SIG Apps, Architecture, Node and Testing]
HPA: Improved scaling to and from zero with enabled HPAScaleToZero feature gate. (#135118, @johanneswuerbach) [SIG Apps, Autoscaling and Testing]
Integrate Workload and PodGroup APIs with the Job controllers to support gang-scheduling. (#137032, @helayoty) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Instrumentation, Node, Scheduling and Testing]
Introduced scheduling.k8s.io/v1alpha2 Workload and PodGroup API to allow for expressing workload-level scheduling requirements and let kube-scheduler act on those. Removed scheduling.k8s.io/v1alpha1 Workload API. (#136976, @tosi3k) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling, Storage and Testing]
Kube-scheduler now updates PodGroup status with a PodGroupScheduled condition reflecting whether the group was successfully scheduled or is unschedulable. (#137611, @helayoty) [SIG API Machinery, Apps, Scheduling and Testing]
Promote DRAPrioritizedList to GA (#136924, @troychiu) [SIG Apps, Architecture, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Network, Node, Release, Scheduling, Storage and Testing]
Promote ProcMountType feature to GA (#137454, @haircommander) [SIG API Machinery, Apps, Auth, CLI, Node, Storage and Testing]
Promote NodeDeclaredFeatures to beta. (#136042, @pravk03) [SIG API Machinery, Apps, Cluster Lifecycle, Instrumentation, Node, Scheduling, Storage and Testing]
Promoted mutable CSI node allocatable count to GA. The MutableCSINodeAllocatableCount feature gate is now locked to enabled. (#136230, @torredil) [SIG API Machinery and Storage]
Promoted several endpointslice metrics from Alpha to Beta stability. (#136368, @bhope) [SIG Instrumentation and Network]
Promoted several scheduler metrics (scheduler_goroutines, scheduler_permit_wait_duration_seconds, scheduler_plugin_evaluation_total, scheduler_plugin_execution_duration_seconds, scheduler_scheduling_algorithm_duration_seconds, scheduler_unschedulable_pods) from Alpha to Beta stability, providing stronger API and label stability guarantees for metric consumers. (#136155, @bhope) [SIG Instrumentation and Scheduling]
Promoted the DRAAdminAccess feature gate to GA. (#137373, @ritazh) [SIG API Machinery, Auth, Node, Scheduling and Testing]
Promoted two Job controller metrics from Alpha to Beta stability, providing stronger API and label stability guarantees for metric consumers. (#136367, @bhope) [SIG Apps and Instrumentation]
Remove CRD stored versions from status upon SVM migration (#135297, @michaelasp) [SIG API Machinery, Apps, Auth and Testing]
Renamed metric 'etcd_bookmark_counts' to 'etcd_bookmark_total'. If you are using custom monitoring dashboards or alerting rules based on the 'etcd_bookmark_counts' metric, please update them to use the new 'etcd_bookmark_total' metric. (#136483, @petern48) [SIG API Machinery, Etcd, Instrumentation and Testing]
Slow requests that use impersonation can now be tracked via the apiserver.latency.k8s.io/impersonation audit event annotation when the ConstrainedImpersonation feature is enabled. (#137523, @enj) [SIG API Machinery, Auth and Testing]
The /configz endpoint of kubelet, scheduler, cloud controller manager, and kube-proxy serializes the APIVersion and Kind fields as well as using public types instead of internal. (#136044, @SergeyKanzhelev) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Network, Node, Scheduling and Testing]
The ConstrainedImpersonation feature is now beta and enabled by default. (#137609, @enj) [SIG API Machinery and Testing]
The StrictIPCIDRValidation feature gate to kube-apiserver is now
enabled by default, meaning that API fields no longer allow IP or CIDR
values with extraneous leading "0"s (e.g., 010.000.000.005 rather than
10.0.0.5) or CIDR subnet/mask values with ambiguous semantics (e.g.,
192.168.0.5/24 rather than 192.168.0.0/24 or 192.168.0.5/32). (#137053, @danwinship) [SIG Network and Testing]
This change adds a new alpha feature DRANativeResources, which includes:
#### Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
<!--
This section can be blank if this pull request does not require a release note.
When adding links which point to resources within git repositories, like
KEPs or supporting documentation, please reference a specific commit and avoid
linking directly to the master branch. This ensures that links reference a
specific point in time, rather than a document that may change over time.
See here for guidance on getting permanent links to files: https://help.github.com/en/articles/getting-permanent-links-to-files
Please use the following format for linking documentation:
- [KEP]: <link>
- [Usage]: <link>
- [Other doc]: <link>
--> ([#136725](https://github.com/kubernetes/kubernetes/pull/136725), [@pravk03](https://github.com/pravk03)) [SIG API Machinery, Apps, Node, Scheduling and Testing]
SnapshotMetadataService is now available in v1beta1 version. The support for the v1alpha1 version have been removed. (#137564, @iPraveenParihar) [SIG Storage and Testing]
A new gRPC service is added to the Kubelet that provides information about pods running on the node. (#134627, @briansonnenberg) [SIG Node and Testing]
Add alpha metrics tracking the resource version the cache layer of an informer is at. (#137419, @michaelasp) [SIG API Machinery, Architecture, Instrumentation and Testing]
Add the timezone field to the cronjob describe output. (#136663, @kfess) [SIG CLI]
Add the ability for statefulset controller to read its own pod and pvc writes (#137254, @michaelasp) [SIG Apps]
Add tracing for WatchList requests (#137202, @serathius) [SIG API Machinery and Testing]
Added ControllerManagerReleaseLeaderElectionLockOnCancel feature gate to gate leader election lock release on exit for kube-controller-manager (#136279, @tchap) [SIG API Machinery and Cloud Provider]
Added New RuntimeService streaming RPCs (StreamPodSandboxes, StreamContainers, StreamContainerStats, StreamPodSandboxStats, StreamPodSandboxMetrics) and New ImageService streaming RPC (StreamImages). (#136987, @bitoku) [SIG Cluster Lifecycle, Node and Testing]
Added the metric terminated_containers_total to track the number of containers failed or succeeded broken down by exit code (#137453, @rawsocket) [SIG Instrumentation, Node and Testing]
Added two scheduler metrics for Device Binding Conditions, covering allocation attempts and PreBind duration with status and driver labels. (#137284, @ttsuuubasa) [SIG Node and Scheduling]
Added warning when kubectl rollout undo is used on resources managed with kubectl apply to prevent unexpected behavior from annotation mismatch (#137064, @olamilekan000) [SIG CLI]
Adding multiple conditions support to kubectl wait command. (#136855, @ardaguclu) [SIG CLI and Testing]
Adds metrics for constrained impersonation as described in https://kep.k8s.io/5284
apiserver_impersonation_attempts_total{mode, decision} apiserver_impersonation_attempts_duration_seconds{mode, decision} apiserver_impersonation_authorization_attempts_total{mode, decision} apiserver_impersonation_authorization_attempts_duration_seconds{mode, decision} (#137374, @enj) [SIG API Machinery, Auth and Testing]
Adds the ExtendWebSocketsToKubelet feature gate (Beta, default true in v1.36). When enabled, the API server proxies WebSocket exec/attach/portforward requests directly to the kubelet rather than translating or tunneling them at the API server. The kubelet now handles WebSocket-to-SPDY stream translation (exec/attach) and WebSocket tunneling (portforward) using the same handlers previously used at the API server. The kubelet advertises support for this feature to the API server via the NodeDeclaredFeatures mechanism; the API server only proxies directly to a kubelet that has advertised support. Two new ALPHA metrics are added to track routing decisions and WebSocket streaming volume: apiserver_websocket_streaming_requests_total (labels: subresource, proxy_type) and kubelet_streaming_websocket_requests_total (label: subresource). (#136256, @seans3) [SIG API Machinery, Autoscaling, Node, Scheduling and Testing]
Allow the CRI (and NRI) to block pod-level resizes. (#137555, @natasha41575) [SIG Node]
Bump coredns to 1.14.2 (#137605, @pacoxu) [SIG Cloud Provider and Cluster Lifecycle]
CRI API: A new field is added to the PullImageResponse message - image_id. This field serves as a unique identifier for the image on the node as returned by the container runtimes. (#137217, @stlaz) [SIG Node]
DRA ResourceSlice controller: new optional ReconcilePoolWithName allows per-pool reconciliation without setting NodeName on slices, so the scheduler can use NodeSelector or allNodes for node-owned, cluster-visible resources (e.g. network-shared devices). "All nodes" is no longer the default. When publishing devices for the entire cluster, it must be set explicitly. (#137365, @yaroslavborbat) [SIG Node and Testing]
Enable the feature gate RestartAllContainersOnContainerExits by default. The RestartAllContainersOnContainerExits feature is promoted to beta. (#136681, @yuanwang04) [SIG Node and Testing]
Enables Prometheus native histogram support in apiserver when feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160) (#136763, @richabanker) [SIG API Machinery, Architecture, Cloud Provider, Instrumentation, Network, Node, Scheduling and Testing]
Enables Prometheus native histogram support in kube-controller-manager when feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160) (#137779, @richabanker) [SIG API Machinery, Instrumentation and Testing]
Enables Prometheus native histogram support in kube-proxy when feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160) (#137781, @richabanker) [SIG Network]
Enables Prometheus native histogram support in kubelet when feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160) (#137780, @richabanker) [SIG Node]
Enables Prometheus native histogram support in scheduler when feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160) (#137466, @richabanker) [SIG API Machinery, Architecture, Instrumentation, Scheduling and Testing]
Ensures single-container pod can restart quickly with RestartAllContainers action. (#136966, @yuanwang04) [SIG Node and Testing]
Fix missing field conversions (BindsToNode, BindingConditions, BindingFailureConditions, AllowMultipleAllocations, Capacity) in DRA API v1beta1 hand-written conversion code (#137240, @yykkibbb) [SIG Node]
Graduate ComponentFlagz to beta (#137386, @richabanker) [SIG API Machinery, Architecture, Auth, Instrumentation, Node and Testing]
Graduate ComponentStatusz to beta (#137384, @richabanker) [SIG API Machinery, Architecture, Auth and Instrumentation]
Instrument /flagz and /statusz endpoints with apiserver request metrics (apiserver_request_total, apiserver_request_duration_seconds), with group and version labels reflecting the content-negotiated API version. (#137021, @yongruilin) [SIG API Machinery and Instrumentation]
Introduce index-based naming in ResourceSlice controller and ensure ResourceSlices and pools are sorted lexicographically before allocation, allowing users to control allocation priority. (#136641, @troychiu) [SIG Node and Testing]
Introduces new staging modules k8s.io/streaming and k8s.io/cri-streaming for Kubernetes streaming transport and CRI streaming server code.
k8s.io/apimachinery/pkg/util/httpstream (including spdy and wsstream) remains available as a deprecated compatibility wrapper backed by k8s.io/streaming.
The extracted SPDY roundtripper preserves CIDR matching in NO_PROXY/no_proxy. (#137298, @dims) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
Kube-apiserver: The UnknownVersionInteroperabilityProxy feature gate graduates to beta and enabled by default. The --peer-ca-file flag is required to turn on the proxy. (#137172, @richabanker) [SIG API Machinery]
Kubeadm: when using '--v=1' or higher log verbosity, print information of the CA certificate used for discovery when using 'kubeadm join'. (#137102, @sivchari) [SIG Cluster Lifecycle]
Kubectl explain: when a schema or field includes an externalDocs section, it is now displayed as:
EXTERNAL DOCS:
<description>
URL: <url>
This appears after the DESCRIPTION block for top-level resources and
after the field description for individual fields. The section is
omitted in short mode and when externalDocs is absent. (#136988, @pedjak) [SIG CLI]
Kubectl: kubectl describe node now lists aggregated ResourceSlices when the ResourceSlice API is present, detailing slice name, driver, and pool. (#131744, @ArangoGutierrez) [SIG CLI]
Kubelet: if the --client-ca-file is updated while kubelet is running, the updated root certificates are now correctly used to advertise accepted authorities to TLS clients connecting to the kubelet endpoints. This behavior is guarded by the ReloadKubeletClientCAFile feature gate, which is enabled by default. (#136762, @HarshalNeelkamal) [SIG API Machinery, Auth, Node and Testing]
Kubernetes is now built using Go 1.26.0 (#137080, @cpanato) [SIG Release and Testing]
Preserve the logs of restarted containers for containers restarted by feature RestartAllContainers. (#136963, @yuanwang04) [SIG Node]
Promote DRAPartitionableDevices to beta (#137350, @mortent) [SIG Node, Scheduling and Testing]
Promoted the KubeletPodResourcesDynamicResources and KubeletPodResourcesGet feature gates to GA. (#136728, @guptaNswati) [SIG Node and Testing]
REVERT: CRI API: A new field is added to the PullImageResponse message - image_id. This field serves as a unique identifier for the image on the node as returned by the container runtimes. (#137574, @SergeyKanzhelev) [SIG Node]
Reduces the needs of the setcap build image for kube-apiserver by no longer requiring that image to contain a shell (sh or dash or bash). (#136633, @addyess) [SIG Release]
Server images now use staging/src/k8s.io/component-base/logs/kube-log-runner instead of go-runner, full compatability is maintained (including the same /go-runner executable path).
In the future Kubernetes will use base-images without go-runner. (#136954, @BenTheElder) [SIG Instrumentation and Release]
Support in-place pod resize of running non-sidecar initContainers. (#137352, @natasha41575) [SIG API Machinery, Apps, Autoscaling, Node, Scheduling, Storage and Testing]
The KubeletPSI feature has graduated to General Availability (GA) and continues to be enabled by default. This feature allows the Kubelet to expose Linux cgroup Pressure Stall Information (PSI) metrics, providing deeper visibility into system and pod-level resource contention (CPU, Memory, and I/O) via the Kubelet Summary API. (#136548, @mariafromano-25) [SIG Node]
This change allows the Topology, CPU, and Memory managers to recognize and act upon
pod.spec.resources, enabling two flexible resource management models. Both models
support guaranteed pods that contain a mix of containers that may be eligible to receive
exclusive resource allocation or be part of the pod-allocated shared resource pool. (#134768, @KevinTMtz) [SIG Node and Testing]
Update kubectl kuberc set with options for setting credentialPluginPolicy and credentialPluginAllowlist (#137300, @pmengelbert) [SIG CLI]
When kubectl exec or kubectl logs are run with a specified container name, and no container with that name is found, kubectl now lists the names of containers that would be valid to specify. (#136973, @ardaguclu) [SIG CLI and Testing]
--detach-keys flag to kubectl attach and kubectl run, allowing detach without terminating the container (#134997, @yangjunmyfm192085) [SIG API Machinery and CLI]RestartContainer on non-sidecar initContainers, as the resize of such containers has never been supported. (#137458, @natasha41575) [SIG Apps, Node and Testing]preloadedImagesVerificationAllowlist in Kubelet's configuration. Previously, the use of "familiar" image names (e.g. "alpine") from a Pod wouldn't properly match the same name in preloadedImagesVerificationAllowlist in Kubelet's configuration. (#137629, @stlaz) [SIG Auth, Node and Testing]batch.Job's status.startTime. The error for unsuspended jobs now correctly indicates the field is immutable once set, instead of incorrectly referring to the action as a "removal". (#136585, @zhzhuang-zju) [SIG Apps]PodReadyToStartContainers condition immediately after sandbox creation rather than after image pull, reducing the time to condition True. (#134660, @Priyankasaggu11929) [SIG Apps, Node and Testing]GuaranteedQoSPodCPUResize from node declared features. (#136759, @pravk03) [SIG Node and Testing]status.resourceClaimStatuses[].resourceClaimName now refer correctly to the resourceClaimName field instead of the name field. (#137321, @nojnhuh) [SIG Apps]kubectl describe now defaults to showing related events only when describing a single object. Passing --show-events explicitly when describing multiple objects or fuzzy matching on prefix will still show related events if desired. (#137145, @mark-liu) [SIG CLI]SELinuxChangePolicy & SELinuxMountReadWriteOncePod to GA; it is now enabled unconditionally. (#136912, @dfajmon) [SIG Apps, Storage and Testing]SuggestFor entries from kubectl wait so that it is no longer suggested when users type kubectl list or kubectl ps (#137266, @kfess) [SIG CLI and Testing]--bounding-dirs flag and BoundingDirs field from deepcopy-gen. (#137348, @Jefftree) [SIG API Machinery]fs.ReadLinkFS optional argument to be filesystem-independenent (#137220, @ffromani) [SIG Node]v1alpha1 WebhookAdmissionConfiguration has been removed. It was deprecated in v1.17 in favor of apiserver.config.k8s.io/v1. (#137379, @aramase) [SIG API Machinery and Testing]Nothing has changed.
| filename | sha512 hash |
|---|---|
| kubernetes.tar.gz | 7aa0ed3b03a1574ec0db00d47381e3c76610be89f5ceb52145add9f01533d72833b9594499e0a9af43c41df38d4c448906689cd5662532f32728e11f0f0b39d7 |
| kubernetes-src.tar.gz | a6858468f30d207b375dd2278d8653c69211b364136b212e84ee563bba6ca2bfe89d5ecefda3bc88671ee0c901f02d0f50eefe1e12b7cc58a842fad90811bd23 |
| filename | sha512 hash |
|---|---|
| kubernetes-client-darwin-amd64.tar.gz | 2dde9c67ba2d165e46d4e09c886b8b17563f3767f6fcb5ed98883dfe5bd2ecd7f70af94b0d71678a36916f8d6a6ba1cd3b2c9b4e8b7084e94dfef075291e32c5 |
| kubernetes-client-darwin-arm64.tar.gz | 70178cdf6431041bcd6bcd55e67ba978ec5fe53a47ded53d6fa932e65af8742a47099de5c20fb44da279e957abf57f54281b4ce8f7f7e638810c89851751c7fd |
| kubernetes-client-linux-386.tar.gz | 5ca76f2388552d2a4d601a19c0120d8db65f8f151ac2223a69cf426523de7d2d9532104d5464b15a588cb3c283203069f5347edd5a3ac912d459d7c703467b81 |
| kubernetes-client-linux-amd64.tar.gz | f9901ed9e5a1d9b8638a2ac84e65e7986c81d2d72d086aa14cf298397d72a290e6b22b644cb74aa61ff0181df6e3ca38103863289679d4ae00195827a3333c93 |
| kubernetes-client-linux-arm.tar.gz | a347d318571485aa21325ba4de7dd4afa29bffa4b8060ed04a9ef3afe7cea4f12c520e6eebc1b96e991147f0123096a1a745f905b687baa6981d1f8d16971452 |
| kubernetes-client-linux-arm64.tar.gz | 2e493202a0023af3cff5f5e6d19307791a994eac931f18fe33fe5016861d5b17690b75aece91c02b5e022d4e00a824e85cb7fdc43ca45e238cea16d202ef7ec6 |
| kubernetes-client-linux-ppc64le.tar.gz | 9feebb6cca23158f299085945e1ff6db5c1742a72d157f89d837811f84db5f9cb9b5db042f2898840a86839621b89066a1ccc925cd2a981af64bbf513d94e229 |
| kubernetes-client-linux-s390x.tar.gz | c8a42085199cf548119fd2af703c84cc1d2fda61086b50e09d03ea18cd0aaf28063d21eb258b64c30884022c6ab81b78bfd6d848fc4bf04b410d2972eb23266f |
| kubernetes-client-windows-386.tar.gz | ccb9320af60720149913f39a88d4abdf5c9d53d3ddd396a61504288576e6f2f27ef21cb26a23e27e34b4c56c95eb1daa54ed389460c51660074a92a3c34eee23 |
| kubernetes-client-windows-amd64.tar.gz | c068c174870aca6710c688088b46bee4e852ea97be7e8c02aad10bef81d1a3e6485b50ff41bee11121cce357f74cf54d67f65df04087f590ff6259bd03eb2d11 |
| kubernetes-client-windows-arm64.tar.gz | 9247e597dab4fb45facc3c32d4b2772e7bb5c9814a1f5ae64b5fdba5469784957df154a7b7aedc99e79e4fd81e07f7fe2b0eb492e17492fba497e94e5e501a8f |
| filename | sha512 hash |
|---|---|
| kubernetes-server-linux-amd64.tar.gz | ef279ca406ed3e939972353287b9ad769df0915749c5ffe61f096b6f75ab7604ff03177affc8c66a2dd688fe8b3fb6c1a7e8deabb4985fa7f40517f483fc5983 |
| kubernetes-server-linux-arm64.tar.gz | a3414c851a8c0cf42abfb1ba2e17fb40b31b4d2cd9a4224ed8ecfc951b127a829f4ab14fa2cf68dbabfbe19aa6212f09c207d25518832b13e9f81986415a1a88 |
| kubernetes-server-linux-ppc64le.tar.gz | 841d2a9dd87ab1232d79611c855c1dd2d9aca11afdd4d790692e38894ef6fd37b382c68aacaea32daf71b39f196bea2448d860ce9ed70b03766d83895779a68b |
| kubernetes-server-linux-s390x.tar.gz | ec89bea22f65a612eb0e52b03c6d277c35f5f2e2cbbc4cd50510f013b4d7ca6702f47017dcb417e1cc257017b1755ae02f6c21fac0d44881be2814aed0130127 |
| filename | sha512 hash |
|---|---|
| kubernetes-node-linux-amd64.tar.gz | 37fca1f367e1b78035fd95f1bc547fca89018fc42f450e3660d6f108890e6f319a1e94bf52584178558101375846baf7721a59e88ef3a22f8a493381bbc2a6e1 |
| kubernetes-node-linux-arm64.tar.gz | 6ddbfbe217414c874d2367cdba0943d9a8ead4c98bb4e2ccaec64cdb2a0218bae46f108b4fb3ba949f78707cc47477fd0b97dc2291a83d5c08832201a185f595 |
| kubernetes-node-linux-ppc64le.tar.gz | 6e1707b097daae5e2a68ffd068245034e056ee49d96a70bfce430de3b752ddc148027a9b94155d77da270df617d9450b59e02749fc06a41622e48c9505f00553 |
| kubernetes-node-linux-s390x.tar.gz | 12674c621376b790dc2421a113ce3ca226af8d649a65d465ddf0ce29f21ecea39f74283b39ced2f8b894595b86f0c40bfcaea37e9d7b44e95d1f8cdb0f01e6b8 |
| kubernetes-node-windows-amd64.tar.gz | 25e2cd21678e8051716172074a8cc9efeb53e8ff275a15f9d0e801616804b9cbb1a5b16378e057b905dad75ce0e94e9837934343374bef87d4bf9843c8b3ef76 |
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
--flex-volume-plugin-dir and mount the directory /usr/libexec/kubernetes/kubelet-plugins/volume/exec in the KCM static pod using kubeadm's extraVolumes mechanism before upgrading to 1.36. Up until now, kubeadm automatically did the mounting if the user passed the flag. (#136423, @neolit123) [SIG Cluster Lifecycle]ProtoMessage() methods, identifying them as standard v1 proto messages. Protobuf serialization of Kubernetes API types should use k8s.io/apimachinery/pkg/runtime/serializer/protobuf. See KEP-5589 for more details. (#137084, @liggitt) [SIG API Machinery, Apps, Architecture, Auth, Node, Scheduling and Storage]kubernetes_build_info, rest_client_requests_total, rest_client_request_duration_seconds, running_managed_controllers) from Alpha to Beta stability, providing stronger API and label stability guarantees for consumers. (#136154, @bhope) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scalability, Scheduling, Storage and Testing]apiserver_peer_proxy_errors_total and apiserver_peer_discovery_sync_errors_total to apiserver to track errors encountered in peer proxying and peer discovery (#137065, @richabanker) [SIG API Machinery]LastStoreSyncResourceVersion method to obtain this resource version. This method can return "" if the store has not been synced to yet, and depends on the AtomicFIFO feature being enabled. (#134827, @michaelasp) [SIG API Machinery and Testing]daemonset_controller_stale_sync_skips_total metric is incremented and a message is logged by the daemonset controller. This behavior can be temporarily disabled by setting the StaleControllerConsistencyDaemonSet feature gate to false. (#134937, @michaelasp) [SIG API Machinery, Apps, Node, Scheduling and Testing]job_controller_stale_sync_skips_total metric is incremented and a message is logged by the job controller. This behavior can be temporarily disabled by setting the StaleControllerConsistencyJob feature gate to false. (#137210, @michaelasp) [SIG API Machinery and Apps]ContainerRuntimeVersion validates if the installed container runtime supports the RuntimeConfig gRPC method. For older kubelet versions than 1.37, it will return a preflight warning. (#136898, @carlory) [SIG Cluster Lifecycle]MutablePodResourcesForSuspendedJobs and MutableSchedulingDirectivesForSuspendedJobs to be enabled by default. (#135965, @kannon92) [SIG Apps and Testing]kubectl plugin list failed to detect overshadowed plugins on Windows. (#136689, @kfess) [SIG CLI]container_cpu_load_average_10s, container_cpu_load_d_average_10s, and cpu_tasks_state have been dropped from the reported metrics by cadvisor. This is done because the values were always 0, because a flag was not enabled in the kubelet. (#134981, @haircommander) [SIG Node and Testing]HonorPVReclaimPolicy, which was locked and enabled since 1.33. (#135335, @carlory) [SIG Apps and Storage]kubectl kustomize as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.8.1 (#136892, @koba1t) [SIG Architecture and CLI]Nothing has changed.
| filename | sha512 hash |
|---|---|
| kubernetes.tar.gz | 79ec354722859240b1d715c0da181e5a2a0fd354984ae9d511d58e7c09ec5cf7e54421db38a6d96b409b9a08b1c1b9dc13e7df20e7ab21299837d00cf72f162c |
| kubernetes-src.tar.gz | f274bff791b16bb4de10730aabbfc027220f45c44d2dc8d1a8b575cc86421ec01fb106bcb2f3cb137145e64396ca37f2ec689932395162dcae5d3b6b65fc97ec |
| filename | sha512 hash |
|---|---|
| kubernetes-client-darwin-amd64.tar.gz | 6fc2c7b184ee6435c0e7179dbe8ff63549631d9a5eb28262b10596a6f26e245ab2cf16402a6466e37b81a42760f811808796d1e83dd205125c0e64e1330772bd |
| kubernetes-client-darwin-arm64.tar.gz | e56eb183ba431d530b6cbd83ee94c1c398f3f4969cdee247092738a5cbe2b567d705788f95adec2f13cf17ebd791165903a0f1fcac9fcbf36ed65b9a00f38ac3 |
| kubernetes-client-linux-386.tar.gz | 1a65eb81a4cf1631fa6fb102f2dfcffd29732bb96479c0432c9780f2dcb4600f8c85991b0f68f038ae963348d39291c74a855a71705093ecc09218ee4ed5271c |
| kubernetes-client-linux-amd64.tar.gz | a1824ed2091dac2289c99c67e504b01b0176657675496752136a630ecf57347e0a5578a21c3bd74d0baad995d1e99ba0c78b5dfc2a61316227171c25a216111b |
| kubernetes-client-linux-arm.tar.gz | 9e368482df69b6990c917d6df0f3589851d72bcd7304226970eae32898baeb76e5955e93bda577d72231ca2342562ab91dfecb19dd5479f91352a4577f8f7d92 |
| kubernetes-client-linux-arm64.tar.gz | 7894d5868aa7888a26648ea338fbe63031e2b3ce0919a337e69cba002c369a0bbe6971ed7add1fd5e2284ebc696f9bb9c0180c298fe349140482b2e93a51d72a |
| kubernetes-client-linux-ppc64le.tar.gz | ae379c93762b86b8ddd1f1076b2e37c2866991e5a5700eb08ff5b65aaeca552764c6bb0506376b502e67f1734f5655b59ca4aa751b572667a9522065822874f1 |
| kubernetes-client-linux-s390x.tar.gz | 316d1093cd109d91b55c5ca18a8aa2d0e04feb29bb688b3d52018818329519c8fa6b226de8505de3ced920c064b8f150dccb2829d2bb2a4bed594e4d663377cd |
| kubernetes-client-windows-386.tar.gz | 48f7ca49e081393474c644c31a7bae8810dfc7673c2f1800207960ea14e73616e1b7717d312e4787e8b5179c5a46a256cdbaa80e01cdf37cf999f370a17060e1 |
| kubernetes-client-windows-amd64.tar.gz | d70670136a91a5f81f7b030f258881917371102e958382d3dfef425d5d76718cc242d7ee86dbaaaa5705e019b4178e323a29cc0d4ace6d803550ea8d412189e2 |
| kubernetes-client-windows-arm64.tar.gz | 99c08b44870989a9629573f110317215e4ec177a25298e28f497deb75867838085b987a100c8ee678ccf1345e4cef075d159c5cb9198a3a342a92733309820d5 |
| filename | sha512 hash |
|---|---|
| kubernetes-server-linux-amd64.tar.gz | 9208265b86d2d7ebf8dd8f771a586de571aa07ab54c1d7428deb8803dbf63f2e396e30b103cac4da8ddf791be8b66dfce90e428906ec2d59e485953a6b6e1b7b |
| kubernetes-server-linux-arm64.tar.gz | 704ce893ee7b239194aae37b608b175940efbf60072622a661d866221f6fdba9c6b6c4ca11008bf2be1cf2c70cb9f6e5aece9052efa2468c1e3b73510c35d2f0 |
| kubernetes-server-linux-ppc64le.tar.gz | 99cc1cf4169b4c8a00b7e7e4f49c98703e0191dd0aa0e4f641a0b35a92e7d5df14587d5b56f571fa4d00290d806bbf916cb3d934537883f9364a04d66d0ba958 |
| kubernetes-server-linux-s390x.tar.gz | ea9ac2489aa2b8d9a0bd8a8a12958b754edd0c9227aaee23dadf7fc7711cab5033edcb85dc545e6bd8cb78336e073b2cfb8ed8655932b91a4d8d22c3eb3dfb90 |
| filename | sha512 hash |
|---|---|
| kubernetes-node-linux-amd64.tar.gz | 1cff3dd843e8ffbe2728967c3520bb000a551573fc9049fb4d3e6734d76a9ea72a2e54a0eca18bf68b0f023106714a877fb01b2e942720b707f738df1709361d |
| kubernetes-node-linux-arm64.tar.gz | 55a65f51bc9d25ca2993bf2d277e1ceadc585d8af90e3f92b9b6fd682b7fa78f8fd0bb4bba127143825c70227d8815b037159feb8a319c0b4fb406e3b4dfa913 |
| kubernetes-node-linux-ppc64le.tar.gz | e67d17e2d38716e6d20a777d360454f0a0e04d8f5dc94f8888c823df55ddb96973e819229e043d0e9a7f25027f4f64583f13443d633f568b62237e1fcceae8b4 |
| kubernetes-node-linux-s390x.tar.gz | 807376145bb55d7b534523c18fac4f61ddb8d20e0646c2152de28cd547f1ef82787f01e8b43a7ea1128a9c76c7ee14183e28629032396ff124629c1a6c6c9ab4 |
| kubernetes-node-windows-amd64.tar.gz | 1f204db26af19933504f50292513ea3e238f57ac9bc8c4faad8a71271cd2c2920515ad0267ed87618ac4d6f510f111fe5a2feeebe084425b0f369905f577cac8 |
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
AllowParallel: true from the PreBindPreFlight method. PreBind plugin implementations need to be updated to return the PreBindPreFlightResult from the PreBindPreFlight method; returning nil retains the existing sequential behavior. (#135393, @tosi3k) [SIG Node, Scheduling, Storage and Testing]cpuCFSQuotaPeriod kubelet config field requires the CustomCPUCFSQuotaPeriod feature gate when using non-default values. No functional changes introduced. (#133845, @rbiamru) [SIG Node and Release]fake.NewClientset() to work properly with correct schema. (#131068, @soltysh) [SIG API Machinery]--audit-policy-file config file now supports specifying group: "*" in resources rules to match all API groups (#135262, @cmuuss) [SIG API Machinery, Auth and Testing]informer_queued_items{name=kube-controller-manager,group=<group>,resource=<resource>,version=<version>} <count> (#135782, @richabanker) [SIG API Machinery, Architecture, Instrumentation and Testing]storage.k8s.io/v1 (#134556, @carlory) [SIG API Machinery, Apps, Etcd, Network, Node, Scheduling, Storage and Testing]CSIMigrationPortworx, which was locked and enabled since 1.33.
endpoints field in discovery.k8s.io/v1 EndpointSlice is now correctly defined as optional in the OpenAPI specification, matching the server's behavior. (#136111, @aojea) [SIG Network]Add architecture to the kernel version column in the kubectl get node -owide output. (#132402, @astraw99) [SIG CLI]
Add the appProtocol field to the service describe output. (#135744, @ali-a-a) [SIG CLI]
Add write and read permissions for workloads to the admin cluster role. Add write permissions for workloads to the edit cluster role. Add read permissions for workloads to the view cluster role. (#135418, @carlory) [SIG Auth]
Added ALPHA metric scheduler_pod_scheduled_after_flush_total to count pods scheduled after being flushed from unschedulablePods due to timeout (#135126, @mrvarmazyar) [SIG Scheduling]
Added kubectl explain -r flag as a shorthand for --recursive (#135283, @laervn) [SIG CLI]
Align the meaning of victim metrics between async preemption and sync preemption. The definition has been standardized to refer to the number of Pods chosen as victims. (#135955, @utam0k) [SIG Scheduling]
CRD validation now strictly enforces ranges for numeric formats (int32, int64, float, double) when specified in the schema. Existing objects with out-of-range values are preserved via validation ratcheting (#136582, @yongruilin) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
Change the default debug profile from legacy to general. legacy profile is planned to be removed in v1.39. (#135874, @mochizuki875) [SIG CLI and Testing]
Client-go informers can now enqueue new watch events while already-queued events are being processed. This avoids dropping watches during a burst of incoming events due to contention on slow processing. This behavior is controlled by the UnlockWhileProcessing client-go feature gate, which is enabled by default. (#136264, @michaelasp) [SIG API Machinery and Scheduling]
Client-go: Informer resync processing improved handling of Resync handling. This reduces contention on store locks between incoming events and handler updates, which may result in observable timing differences of handler invocations. This behavior is guarded by an AtomicFIFO feature gate. This gate is enabled by default in 1.36, but can be disabled if needed to temporarily regain the previous behavior. (#136008, @michaelasp) [SIG API Machinery]
Client-go: default informer behavior now updates store state with all the objects in a list or relist, before calling handler OnDelete/OnAdd/OnUpdate methods for individual items which were deleted/added/removed. This ensures that the store state which can be inspected by handlers actually corresponds to a set of objects that existed at a particular resource version on the server. This behavior is guarded by an AtomicFIFO feature gate. This gate is enabled by default in 1.36, but can be disabled if needed to temporarily regain the previous behavior. (#135462, @michaelasp) [SIG API Machinery]
Cloud Controller Manager now exports the counter metric route_controller_route_sync_total, which increments each time routes are synced with the cloud provider. This metric is in alpha stage. (#136539, @lukasmetzner) [SIG API Machinery, Cloud Provider and Instrumentation]
Enable WatchCacheInitializationPostStartHook by default (#135777, @serathius) [SIG API Machinery]
Graduated fine-grained kubelet API authorization to stable. (#136116, @vinayakankugoyal) [SIG Node]
ImageLocality plugin: consider ImageVolume images when scoring nodes for pod scheduling. (#130231, @Barakmor1) [SIG Scheduling]
Kube-apiserver: Promoted ExternalServiceAccountTokenSigner feature to GA. (#136118, @HarshalNeelkamal) [SIG API Machinery and Auth]
Kubeadm: Upgraded the NodeLocalCRISocket feature gating to GA and locked it to be enabled. (#135742, @HirazawaUi) [SIG Cluster Lifecycle]
Kubeadm: added the flag --allow-deprecated-api to 'kubeadm config validate'. By default the command will print a warning for a deprecated API unless the flag is passed. Additionally, added missing support for v1beta4 UpgradeConfiguration to 'kubeadm config migrate|validate' commands. (#135148, @neolit123) [SIG Cluster Lifecycle]
Kubeadm: bumped the timeout of the kubeadm upgrade CreateJob preflight check to 1 minute. This allows Windows worker nodes to have more time to run the preflight check. It uses the pause image, so if you are experiencing slow pull times, you can either pre-pull the new pause on the work using kubeadm config images pull --kubernetes-version TARGET or skip the preflight check with --ignore-preflight-errors. (#136273, @neolit123) [SIG Cluster Lifecycle]
Kubeadm: removed the kubeadm specific feature gate ControlPlaneKubeletLocalMode which became GA in 1.35 and was locked to enabled. (#135773, @neolit123) [SIG Cluster Lifecycle]
Kubeadm: when patching a Node object do not exit early on unknown (non-allowlisted) API errors. Instead, always retry within the duration of the polling for getting and patching a Node object. (#135776, @neolit123) [SIG Cluster Lifecycle]
Kubectl get ingressclass now displays (default) marker for default IngressClass (#134422, @jaehanbyun) [SIG CLI and Network]
Kubernetes is now built using Go 1.25.6 (#136465, @cpanato) [SIG Release and Testing]
Kubernetes is now built with Go 1.25.6 (#136257, @BenTheElder) [SIG Release]
Kubernetes is now built with Go 1.25.7 (#136750, @BenTheElder) [SIG Release]
Promote Relaxed validation for Services names to beta (enabled by default)
Promote RelaxedServiceNameValidation feature to beta (enabled by default)
The names of new Services names are validation with NameIsDNSLabel(),
relaxing the pre-existing validation. (#136389, @adrianmoisey) [SIG Network]
Promoted the CSIServiceAccountTokenSecrets feature gate to GA. (#136596, @aramase) [SIG Auth and Storage]
Promoting kubectl kuberc commands to beta (#136643, @ardaguclu) [SIG CLI and Testing]
The ResourceClaim controller now correctly handles unknown (non-pod) references in the status.reservedFor field by skipping them instead of halting the sync process. (#136450, @MohammedSaalif) [SIG Apps and Node]
Update to latest cAdvisor 0.55.0 in our vendor dependencies (#135829, @dims) [SIG Node]
Using pytorch based e2e integration test instead of tensorflow in some node e2e CI tests. (#136397, @dims) [SIG Testing]
Using pytorch based e2e integration test instead of tensorflow in some node e2e CI tests. (#136398, @dims) [SIG Node and Testing]
Added extra check to prevent users to work around DRA extended resource quota set by system admin (#135434, @yliaog) [SIG API Machinery, Apps, Node, Scheduling and Testing]
Aligned kubectl label output message to include 'modified' when labels are both added and removed (#134849, @tchap) [SIG CLI]
Apiserver liveness probes will now fail when the loopback client certificate expires. (#136477, @everettraven) [SIG API Machinery and Testing]
Changed the behavior of default scheduler preemption plugin when preempting pods that are in "WaitOnPermit" phase. They are now moved to the scheduler backoff queue instead of being marked as unschedulable. (#135719, @Argh4k) [SIG Scheduling and Testing]
Changes some instances of error logs to info logs with verbosity level inside of controller/resourcequota and controller/garbagecollector (#136040, @petern48) [SIG API Machinery and Apps]
Changes the nodeGetCapabilities method of csiDriverClient returning NewUncertainProgressError while received a non final GRPC error (#135930, @249043822) [SIG Node and Storage]
Client-go informers: fix an unlikely deadlock during informer startup. (#136509, @pohly) [SIG API Machinery]
DRA: when scheduling many pods very rapidly, sometimes the same device was allocated twice for different ResourceClaims due races between data processing in different goroutines. Depending on whether DRA drivers check for this during NodePrepareResources (they should, but maybe not all implement this properly), the second pod using the same device then failed to start until the first one is done or (worse) ran in parallel. (#136269, @pohly) [SIG Node, Scheduling and Testing]
Disabled SchedulerAsyncAPICalls feature gate due to performance issues caused by API client throttling. (#135903, @macsko) [SIG Scheduling]
Ensures a couple of feature gates - ChangeContainerStatusOnKubeletRestart and StatefulSetSemanticRevisionComparison are visible from the "--help" in different components (#135515, @dims) [SIG Architecture]
Fix a nil pointer dereference in Kubelet when handling pod updates of mirror pods with the NodeDeclaredFeatures feature gate enabled. (#136037, @pravk03) [SIG Node]
Fix apiserver request latency annotation in the audit log when request took more than 500ms (#135685, @chaochn47) [SIG API Machinery]
Fix data race in kubelet container manager. (#136206, @HirazawaUi) [SIG Node]
Fix data race in kubelet pod allocated resources. (#136226, @HirazawaUi) [SIG Node]
Fix data race in kubelet status manager. (#136205, @HirazawaUi) [SIG Node]
Fix issues where server side apply patches operations incorrectly treat empty arrays and maps as absent.
Fix issue where client-go's Extract{TypeName}() and Extract{TypeName}From() functions incorrectly treat empty arrays and maps as absent. Fix issue where client-go's Extract{TypeName}()andExtract{TypeName}From() functions would incorrectly duplicate atomic elements from associative lists. (#135391, @jpbetz) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Network, Node, Scheduling and Storage]
Fix log verbosity level in apiserver's unsafe delete authorization check that was incorrectly using Error level instead of Info level (#136229, @thc1006) [SIG API Machinery]
Fix queue hint for the interpodaffinity plugin in case target pod labels change (#135394, @brejman) [SIG Scheduling]
Fix static pod status is always Init:0/1 if unable to get init container status from container runtime. (#131317, @bitoku) [SIG Node and Testing]
Fix the log verbosity level of some non-error logs that were incorrectly logged at error level (#136046, @Tanner-Gladson) [SIG API Machinery and Apps]
Fix the log verbosity level of some non-error logs that were incorrectly logged at error level (#136050, @ShaanveerS) [SIG Apps and Storage]
Fixed SELinux warning controller not to emit events for completed pods. (#135629, @jsafrane) [SIG Apps, Storage and Testing]
Fixed a bug causing clients to error out when decoding large CBOR encoded lists. (#135340, @ricardomaraschini) [SIG API Machinery]
Fixed a bug in DeepEqualWithNilDifferentFromEmpty where empty slices/maps were incorrectly considered equal to non-empty ones due to using OR (||) instead of AND (&&) logic. This could cause managed fields timestamps to not update when the only change was adding or removing all elements from a list or map. (#135636, @mikecook) [SIG API Machinery]
Fixed a bug in the dra_operations_duration_seconds metric where the is_error label was recording inverted values. Error operations now correctly report is_error="true", and successful operations report is_error="false". (#135227, @hime) [SIG Node]
Fixed a bug that caused endpoint slice churn for headless services with no ports defined (#133474) (#136502, @tzneal) [SIG Network]
Fixed a bug where kubectl apply --dry-run=client would only output server state instead of merged manifest values when the resource already exists. (#135513, @grandeit) [SIG CLI]
Fixed a bug where the Gated pods metric was not updated when a Pod transitioned from Unschedulable to Gated during an update. (#135368, @vshkrabkov) [SIG Scheduling]
Fixed a bug where the scheduler_unschedulable_pods metric could be artificially inflated (leak) when a pod fails PreEnqueue plugins after being previously marked unschedulable. (#135981, @vshkrabkov) [SIG Scheduling]
Fixed a panic in kubectl exec when the terminal size queue delegate is uninitialized. (#135918, @MarcosDaNight) [SIG CLI]
Fixed a panic in kubectl when processing pods with nil resource requests but populated container status resources. (#136534, @dmaizel) [SIG CLI]
Fixed a race condition in the CEL compiler that could occur when initializing composited policies concurrently.
Fixes a fatal crash (concurrent map read/write) in NewCompositedCompilerFromTemplate.
The NewCompositedCompilerFromTemplate function previously performed a shallow copy of CompositionEnv, sharing the MapType pointer across all compilers. Under high concurrency, this caused a race condition when FindStructFieldType (reader) and AddField (writer) accessed MapType.Fields simultaneously, leading to an APIServer panic.
This change implements a deep copy of the Fields map for each composition environment, ensuring thread safety.
Fixes #135757 (#135759, @Abhigyan-Shekhar) [SIG API Machinery and CLI]
Fixed an issue in the Windows kube-proxy (winkernel) where IPv4 and IPv6 Service load balancers could be incorrectly shared, causing broken dual-stack Service behavior. The kube-proxy now tracks load balancers per IP family, enabling correct support for PreferDualStack and RequireDualStack Services on Windows nodes. (#136241, @princepereira) [SIG Network and Windows]
Fixed issue where kubectl run -i/-it would miss container output written before the attach connection was established. (#136010, @olamilekan000) [SIG CLI]
Fixed kubelet logging to properly respect verbosity levels. Previously, some debug/info messages using V().Error() would always be printed regardless of the configured log verbosity. (#136028, @thc1006) [SIG Node]
Fixed queue hint for certain plugins on change to pods with nominated nodes (#135392, @brejman) [SIG Scheduling]
Fixed queue hint for inter-pod anti-affinity in case deleted pod's anti-affinity matched the pending pod, which might have caused delays in scheduling. (#135325, @brejman) [SIG Scheduling and Testing]
Fixed volumeattachment cleanup in kube-controller-manager when CSI's attachRequired switches from true to false (#129664, @hkttty2009) [SIG Storage and Testing]
Fixes a 1.29 regression in the apiserver_watch_events_sizes metric to report total outgoing watch traffic again (#135367, @mborsz) [SIG API Machinery]
Fixes a 1.34 regression starting pods with environment variables with a value containing $ followed by a multi-byte character (#136325, @AutuSnow) [SIG Architecture]
Fixes a 1.34+ regression in ipvs and winkernel kube-proxy backends; these are now reverted back to their pre-1.34 behavior of regularly rechecking all of their rules even when no Services or EndpointSlices change. (#135631, @danwinship) [SIG Network and Windows]
Fixes kube-proxy log spam when all of a Service's endpoints were unready. (#136743, @ansilh) [SIG Network]
Kube-apiserver: setting --audit-log-maxsize=0 now disables audit log rotation (the default remains 100 MB). In order to avoid outages due to filling disks with ever-growing audit logs, --audit-log-maxage now defaults to 366 (1 year) and --audit-log-maxbackup now defaults to 100. If retention of all rotated logs is desired, age and count-based pruning can be disabled by explicitly specifying --audit-log-maxage=0 and --audit-log-maxbackup=0. (#136478, @kairosci) [SIG API Machinery]
Kube-proxy now correctly handles the case where a pod IP gets assigned to a newly-created pod when the pod that previously had that IP has been terminated but is not yet fully deleted. (#135593, @danwinship) [SIG Network]
Kubeadm: fix a bug where kubeadm upgrade is failed if the content of the kubeadm-flags.env file is KUBELET_KUBEADM_ARGS="" (#136127, @carlory) [SIG Cluster Lifecycle]
Kubeadm: waiting for etcd learner member to be started before promoting during 'kubeadm join' (#136014, @SataQiu) [SIG Cluster Lifecycle]
Kubeadm: when applying the overrides provided by the user using "extraArgs", do not sort the resulted list of arguments alpha-numerically. Instead, only sort the list of default arguments and keep the list of overrides unsorted. This allows finer control for flags which have an order that matters, such as, "--service-account-issuer" for kube-apiserver. (#135400, @neolit123) [SIG Cluster Lifecycle]
Kubectl: fixes kyaml output of kubectl get ... --output-watch-events -o kyaml (#136110, @liggitt) [SIG CLI]
Kubelet(dra): correctly handles multiple ResourceClaims even if one is already prepared (#135919, @rogowski-piotr) [SIG Node and Testing]
Kubelet: fix data race in volume manager's WaitForAllPodsUnmount that could cause errors to be lost during concurrent pod unmount operations. (#135794, @AutuSnow) [SIG Node and Storage]
Kubelet: fixed reloading of kubelet server certificate files when they are changed on disk, and kubelet is dialed by IP address instead of DNS/hostname (#133654, @kwohlfahrt) [SIG API Machinery, Auth, Node and Testing]
Optimized kube-proxy conntrack cleanup logic, reducing the time complexity of deleting stale UDP entries. This significantly improves performance when there are many stale connections to clean up. (#135511, @aojea) [SIG Network]
ReadWriteOncePod preemption e2e test no longer causes other random e2e tests to flake randomly. (#135623, @jsafrane) [SIG Storage and Testing]
Sort runtime handlers list coming from the CRI runtime (#135358, @harche) [SIG Node]
StatefulSets should always count .status.availableReplicas at the correct time without a delay. This results in faster progress of StatefulSet rollout. (#135428, @atiratree) [SIG Apps]
The kubelet plugin manager now properly handles plugin registration failures by removing failed plugins from the actual state and retrying with exponential backoff (initial delay 500ms, doubling each failure up to ~2 minutes maximum) to protect against broken plugins causing denial of service while still allowing recovery from transient failures. (#133335, @bart0sh) [SIG Node, Storage and Testing]
The nftables mode of kube-proxy now uses less CPU when loading very large rulesets. (#135800, @danwinship) [SIG Network]
Updated NodeResourcesBalancedAllocation scoring algorithm to align with the documentation. The score will now take into consideration both balance with and without the requested pod. Previous algorithm only considered balance with the requested pod. This can change the scheduling decisions in some cases. (#135573, @brejman) [SIG Scheduling]
When use kubectl command to delete multiple sts pods, the kubectl command deletes pods and exits normally. (#135563, @yangjunmyfm192085) [SIG CLI, Network and Node]
Added missing tests for client-go metrics (#136052, @sreeram-venkitesh) [SIG Architecture and Instrumentation]
Adds audit-id to 'Starting watch' log line (#136084, @richabanker) [SIG API Machinery]
Adds explicit logging when WatchList requests complete their initial listing phase. (#136085, @richabanker) [SIG API Machinery]
Client-go: Reflector no longer gets confused about the resource version it should use to restart a watch while receiving synthetic ADDED events at the beginning of a watch from resourceVersion "0" or "". (#136583, @michaelasp) [SIG API Machinery]
Client-go: fake client-go (i.e. anything using k8s.io/client-go/testing) now supports separate List+Watch calls with checking of ResourceVersion in the Watch call. This closes a race condition where creating an object directly after an informer cache has synced (= List call completed) and before the Watch call completed would cause that object to not be sent to the informer. A visible side-effect of adding that support is that List meta data contains a ResourceVersion (starting at "1" for the empty set, incremented by one for each add/update) and that Watch may return objects where it previously didn't.
Note that this List+Watch is not to be confused with the ListWatch feature, which uses a single call. That feature is still not supported by fake client-go. (#136143, @pohly) [SIG API Machinery, Apps, Auth and CLI]
DRA device taint eviction: the controller might have reported "1 pod needs to be evicted in 1 namespace. 1 pod evicted since starting the controller." when only a single pod is involved, depending on timing (pod evicted, informer cache not updated yet). It would eventually arrive at the correct "1 pod evicted since starting the controller.", but now it tries harder to avoid the confusing intermediate state by delaying the status update after eviction. (#135611, @Karthik-K-N) [SIG Apps and Scheduling]
DRA: Fixed Kubelet admission to correctly handle DRA-backed extended resources, allowing pods to be admitted even when these resources are not present in the node's allocatable capacity. (#135725, @bart0sh) [SIG Node, Scheduling and Testing]
Enables YAML support for statusz and flagz. (#135309, @richabanker) [SIG API Machinery, Instrumentation and Testing]
Kubeadm: removed the cleanup of the "--pod-infra-container-image" kubelet flag from the "/var/lib/kubelet/kubeadm-flags.env" on upgrade. This cleanup was necessary when upgrading to 1.35. (#135807, @carlory) [SIG Cluster Lifecycle]
Kubeadm: removed usage of the deprecated flags '--experimental-initial-corrupt-check' and '--experimental-watch-progress-notify-interval' if the etcd version is < 3.6.0. In this version of kubeadm, etcd < 3.6.0 is no longer supported in terms of the k8s / etcd version mapping. These deprecated flags have been replaced by '--feature-gates=InitialCorruptCheck=true' and '--watch-progress-notify-interval'. (#135701, @neolit123) [SIG Cluster Lifecycle]
Lock the DisableNodeKubeProxyVersion feature gate to be enabled by default. (#136673, @HirazawaUi) [SIG CLI and Network]
Remove WatchFromStorageWithoutResourceVersion feature gate (#136066, @serathius) [SIG API Machinery]
Remove event listing behavior when describing a removed pod from file. (#135281, @scaliby) [SIG CLI]
Renamed PodGroupInfo to PodGroupState, which can break custom scheduler plugins that use Handle.WorkloadManager (#136344, @brejman) [SIG Scheduling]
Set InOrderInformers to GA via the usage of RealFIFO, this means that DeltaFIFO will gradually be deprecated in favor of RealFIFO in internal implementations. (#136601, @michaelasp) [SIG API Machinery]
Updated cri-tools to v1.35.0. (#135694, @saschagrunert) [SIG Cloud Provider and Node]
Updates the etcd client library to v3.6.6 (#135331, @yashsingh74) [SIG API Machinery, Auth, Cloud Provider, Etcd, Node and Scheduling]
Updates the etcd client library to v3.6.7 (#136407, @ivanvc) [SIG API Machinery, Auth, Cloud Provider, Node and Scheduling]