Kubernetes-asyncio

Latest version: v32.3.0


32.3.0

* fix: Delete extra characters in URL ([354](https://github.com/tomplus/kubernetes_asyncio/pull/354), [satayyeb](https://github.com/satayyeb))
* feat: Add option to disable ssl.VERIFY_X509_STRICT ([350](https://github.com/tomplus/kubernetes_asyncio/pull/350), [msw-kialo](https://github.com/msw-kialo))
* doc: Update README example with asyncio.run ([348](https://github.com/tomplus/kubernetes_asyncio/pull/348), [PaarthShah](https://github.com/PaarthShah))
* feat: Add leaderelection module ([347](https://github.com/tomplus/kubernetes_asyncio/pull/347), [JacobHenner](https://github.com/JacobHenner))

API Change

- DRA: CEL expressions using attribute strings exceeded the cost limit because their cost estimation was incomplete. Cost estimation was unnecessarily also computed in the scheduler. ([129690](https://github.com/kubernetes/kubernetes/pull/129690), [pohly](https://github.com/pohly)) [SIG Node]

- DRA API: the maximum number of pods which can use the same ResourceClaim is now 256 instead of 32. Beware that downgrading a cluster where this relaxed limit is in use to Kubernetes 1.32.0 is not supported because 1.32.0 would refuse to update ResourceClaims with more than 32 entries in the status.reservedFor field. ([129544](https://github.com/kubernetes/kubernetes/pull/129544), [pohly](https://github.com/pohly)) [SIG API Machinery, Node and Testing]

32.0.0

Breaking changes:

* fix rest api aiohttp timeout ([337](https://github.com/tomplus/kubernetes_asyncio/pull/337), [soamicharan](https://github.com/soamicharan))

This fix may affect you if you don't configure timeout for watch/stream. Previously it was treated as 5 min, now it's forever.

API Change

- **ACTION REQUIRED** for custom scheduler plugin developers:
`PodEligibleToPreemptOthers` in the `preemption` interface now includes `ctx` in the parameters.
Please update your plugins' implementation accordingly. ([126465](https://github.com/kubernetes/kubernetes/pull/126465), [googs1025](https://github.com/googs1025)) [SIG Scheduling]
- Changed NodeToStatusMap from a map to a struct and exposed methods to access the entries. Added absentNodesStatus, which informs the status of nodes that are absent in the map. For developers of out-of-tree PostFilter plugins, ensure to update the usage of NodeToStatusMap. Additionally, NodeToStatusMap should eventually be renamed to NodeToStatusReader. ([126022](https://github.com/kubernetes/kubernetes/pull/126022), [macsko](https://github.com/macsko)) [SIG Node, Scheduling, and Testing]

- A new /resize subresource was added to request pod resource resizing. Update your k8s client code to utilize the /resize subresource for Pod resizing operations. ([128266](https://github.com/kubernetes/kubernetes/pull/128266), [AnishShah](https://github.com/AnishShah)) [SIG API Machinery, Apps, Node and Testing]
- A new feature that allows unsafe deletion of corrupt resources has been added. It is disabled by default
and can be enabled by setting the option `--feature-gates=AllowUnsafeMalformedObjectDeletion=true`.
It comes with an API change: a new delete option, `ignoreStoreReadErrorWithClusterBreakingPotential`, has
been introduced. It is not set by default, which maintains backward compatibility.
In order to perform an unsafe deletion of a corrupt resource, the user must enable the option for the delete
request. A resource is considered corrupt if it can not be successfully retrieved from the storage due to
a) transformation error e.g. decryption failure, or b) the object failed to decode. Normal deletion flow is
attempted first, and if it fails with a corrupt resource error then it triggers unsafe delete.
In addition, when this feature is enabled, the 'details' field of 'Status' from the LIST response
includes information that identifies the corrupt object(s).
NOTE: unsafe deletion ignores finalizer constraints, and skips precondition checks.
WARNING: this may break the workload associated with the resource being unsafe-deleted, if it relies on
the normal deletion flow, so cluster breaking consequences apply. ([127513](https://github.com/kubernetes/kubernetes/pull/127513), [tkashem](https://github.com/tkashem)) [SIG API Machinery, Etcd, Node and Testing]
- Added `singleProcessOOMKill` flag to the kubelet configuration. Setting that to true enables single process OOM killing in cgroups v2. In this mode, if a single process is OOM killed within a container, the remaining processes will not be OOM killed. ([126096](https://github.com/kubernetes/kubernetes/pull/126096), [utam0k](https://github.com/utam0k)) [SIG API Machinery, Node, Testing and Windows]
- Added a `/flagz` endpoint for kube-apiserver. ([127581](https://github.com/kubernetes/kubernetes/pull/127581), [richabanker](https://github.com/richabanker)) [SIG API Machinery, Architecture, Auth and Instrumentation]
- Added a `Stream` field to `PodLogOptions`, which allows clients to request certain log stream (stdout or stderr) of the container.
Please also note that the combination of a specific `Stream` and `TailLines` is not supported. ([127360](https://github.com/kubernetes/kubernetes/pull/127360), [knight42](https://github.com/knight42)) [SIG API Machinery, Apps, Architecture, Node, Release and Testing]
- Added alpha support for asynchronous Pod preemption.
When the `SchedulerAsyncPreemption` feature gate is enabled, the scheduler now runs API calls to trigger preemptions asynchronously for better performance. ([128170](https://github.com/kubernetes/kubernetes/pull/128170), [sanposhiho](https://github.com/sanposhiho)) [SIG Scheduling and Testing]
- Added driver-owned fields in `ResourceClaim.Status` to report device status data for each allocated device. ([128240](https://github.com/kubernetes/kubernetes/pull/128240), [LionelJouin](https://github.com/LionelJouin)) [SIG API Machinery, Network, Node and Testing]
- Added enforcement of an upper cost bound for DRA evaluations of CEL. The API server and scheduler now enforce an upper bound on the cost and runtime steps required for evaluating a CEL expression. ([128101](https://github.com/kubernetes/kubernetes/pull/128101), [pohly](https://github.com/pohly)) [SIG API Machinery and Node]
- Added the ability to change the maximum backoff delay accrued between container restarts for a node for containers in `CrashLoopBackOff`. To set this for a node, turn on the feature gate `KubeletCrashLoopBackoffMax` and set the `CrashLoopBackOff.MaxContainerRestartPeriod` field between `"1s"` and `"300s"` in your [kubelet config file](https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/). ([#128374](https://github.com/kubernetes/kubernetes/pull/128374), [lauralorenz](https://github.com/lauralorenz)) [SIG API Machinery and Node]
- Allow for Pod search domains to be a single dot `.` or contain an underscore `_` ([127167](https://github.com/kubernetes/kubernetes/pull/127167), [adrianmoisey](https://github.com/adrianmoisey)) [SIG Apps, Network and Testing]
- Annotation `batch.kubernetes.io/cronjob-scheduled-timestamp` added to Job objects scheduled from CronJobs is promoted to stable. ([128336](https://github.com/kubernetes/kubernetes/pull/128336), [soltysh](https://github.com/soltysh))
- Apply fsGroup policy for ReadWriteOncePod volumes. ([128244](https://github.com/kubernetes/kubernetes/pull/128244), [gnufied](https://github.com/gnufied)) [SIG Storage and Testing]
- Changed the Pod API to support `resources` at `spec` level for pod-level resources. ([128407](https://github.com/kubernetes/kubernetes/pull/128407), [ndixita](https://github.com/ndixita)) [SIG API Machinery, Apps, CLI, Cluster Lifecycle, Node, Release, Scheduling and Testing]
- ContainerStatus.AllocatedResources is now guarded by a separate feature gate, InPlacePodVerticalScalingAllocatedStatus ([128377](https://github.com/kubernetes/kubernetes/pull/128377), [tallclair](https://github.com/tallclair)) [SIG API Machinery, CLI, Node, Scheduling and Testing]
- Coordination.v1alpha1 API is dropped and replaced with coordination.v1alpha2. Old coordination.v1alpha1 types must be deleted before upgrade ([127857](https://github.com/kubernetes/kubernetes/pull/127857), [Jefftree](https://github.com/Jefftree)) [SIG API Machinery, Etcd, Scheduling and Testing]
- DRA: Restricted the length of opaque device configuration parameters. At admission time, Kubernetes enforces a 10KiB size limit. ([128601](https://github.com/kubernetes/kubernetes/pull/128601), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
- DRA: scheduling pods is up to 16x faster, depending on the scenario. Scheduling throughput depends a lot on cluster utilization. It is higher for lightly loaded clusters with free resources and gets lower when the cluster utilization increases. ([127277](https://github.com/kubernetes/kubernetes/pull/127277), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Architecture, Auth, Etcd, Instrumentation, Node, Scheduling and Testing]
- DRA: the `DeviceRequestAllocationResult` struct now has an "AdminAccess" field which should be used instead of the corresponding field in the `DeviceRequest` field when dealing with an allocation. If a device is only allocated for admin access, allocating it again for normal usage is now supported, as originally intended. To allow admin access, starting with 1.32 the `DRAAdminAccess` feature gate must be enabled. ([127266](https://github.com/kubernetes/kubernetes/pull/127266), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Etcd, Network, Node, Scheduling and Testing]
- Disallow `k8s.io` and `kubernetes.io` namespaced extra key in structured authentication configuration. ([126553](https://github.com/kubernetes/kubernetes/pull/126553), [aramase](https://github.com/aramase)) [SIG Auth]
- Fixed a bug in the `NestedNumberAsFloat64` Unstructured field accessor that could have caused it to return rounded float64 values instead of errors when accessing very large int64 values. ([128099](https://github.com/kubernetes/kubernetes/pull/128099), [benluddy](https://github.com/benluddy))
- Fixed the bug where `spec.terminationGracePeriodSeconds` of the pod will always be overwritten by the MaxPodGracePeriodSeconds of the soft eviction. You can enable the `AllowOverwriteTerminationGracePeriodSeconds` feature gate, which will restore the previous behavior. If you do need to set this, please file an issue with the Kubernetes project to help contributors understand why you needed it. ([122890](https://github.com/kubernetes/kubernetes/pull/122890), [HirazawaUi](https://github.com/HirazawaUi)) [SIG API Machinery, Architecture, Node and Testing]
- Graduated Job's `ManagedBy` field to beta. ([127402](https://github.com/kubernetes/kubernetes/pull/127402), [mimowo](https://github.com/mimowo)) [SIG API Machinery, Apps and Testing]
- Implemented a new, alpha `seLinuxChangePolicy` field within a Pod-level `securityContext`, under SELinuxChangePolicy feature gate. This field allows for opting out from mounting Pod volumes with SELinux label when SELinuxMount feature is enabled (it is alpha and disabled by default now).
Please see [the KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling#story-3-cluster-upgrade) how we expect to warn users before any SELinux behavior changes and how they can opt-out before. Note that this field and feature gate is useful only with clusters that run with SELinux enabled. No action is required on clusters without SELinux. ([127981](https://github.com/kubernetes/kubernetes/pull/127981), [jsafrane](https://github.com/jsafrane)) [SIG API Machinery, Apps, Architecture, Node, Storage and Testing]
- Introduced `v1alpha1` API for mutating admission policies, enabling extensible admission control via CEL expressions (KEP 3962: Mutating Admission Policies). To use, enable the `MutatingAdmissionPolicy` feature gate and the `admissionregistration.k8s.io/v1alpha1` API via `--runtime-config`. ([127134](https://github.com/kubernetes/kubernetes/pull/127134), [jpbetz](https://github.com/jpbetz)) [SIG API Machinery, Auth, Etcd and Testing]
- Introduced compressible resource setting on system reserved and kube reserved slices. ([125982](https://github.com/kubernetes/kubernetes/pull/125982), [harche](https://github.com/harche))
- kube-apiserver: Promoted the `StructuredAuthorizationConfiguration` feature gate to GA. The `--authorization-config` flag now accepts `AuthorizationConfiguration` in version `apiserver.config.k8s.io/v1` (with no changes from `apiserver.config.k8s.io/v1beta1`). ([128172](https://github.com/kubernetes/kubernetes/pull/128172), [liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth and Testing]
- kube-proxy now reconciles Service/Endpoint changes with conntrack table and cleans up only stale UDP flow entries ([127318](https://github.com/kubernetes/kubernetes/pull/127318), [aroradaman](https://github.com/aroradaman)) [SIG Network and Windows]
- kube-scheduler removed the `AzureDiskLimits`, `CinderLimits`, `EBSLimits` and `GCEPDLimits` plugins. Given the corresponding CSI driver reports how many volumes a node can handle in NodeGetInfoResponse, the kubelet stores this limit in CSINode and the scheduler then knows the limit of the driver on the node. Remove the plugins AzureDiskLimits, CinderLimits, EBSLimits and GCEPDLimits if you explicitly enabled them in the scheduler config. ([124003](https://github.com/kubernetes/kubernetes/pull/124003), [carlory](https://github.com/carlory)) [SIG Scheduling, Storage and Testing]
- kubelet: the `--image-credential-provider-config` file was loaded with strict deserialization, which failed if the config file contained duplicate or unknown fields. This protected against accidentally running with malformed config files, unindented files, or typos in field names, and it prevented unexpected behavior. ([128062](https://github.com/kubernetes/kubernetes/pull/128062), [aramase](https://github.com/aramase)) [SIG Auth and Node]
- NodeRestriction admission now validates the audience value that kubelet is requesting a service account token for is part of the pod spec volume. This change is introduced with a new kube-apiserver featuregate `ServiceAccountNodeAudienceRestriction` that's enabled by default. ([128077](https://github.com/kubernetes/kubernetes/pull/128077), [aramase](https://github.com/aramase)) [SIG Auth, Storage and Testing]
- Promoted `CustomResourceFieldSelectors` to stable; the feature was enabled by default. The `--feature-gates=CustomResourceFieldSelectors=true` flag was no longer needed on kube-apiserver binaries and would be removed in a future release. ([127673](https://github.com/kubernetes/kubernetes/pull/127673), [jpbetz](https://github.com/jpbetz)) [SIG API Machinery and Testing]
- Promoted feature gate `StatefulSetAutoDeletePVC` from beta to stable. ([128247](https://github.com/kubernetes/kubernetes/pull/128247), [mattcary](https://github.com/mattcary)) [SIG API Machinery, Apps, Auth and Testing]
- Removed all support for _classic_ dynamic resource allocation (DRA). The `DRAControlPlaneController` feature gate, formerly alpha, is no longer available. Kubernetes now only uses the _structured parameters_ model (also alpha) for allocating dynamic resources to Pods.

If and only if classic DRA was enabled in a cluster, remove all workloads (pods, app deployments, etc.) which depend on classic DRA and make sure that all PodSchedulingContext resources are gone before upgrading. PodSchedulingContext resources cannot be removed through the apiserver after an upgrade and workloads would not work properly. ([128003](https://github.com/kubernetes/kubernetes/pull/128003), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
- Removed generally available feature gate `HPAContainerMetrics` ([126862](https://github.com/kubernetes/kubernetes/pull/126862), [carlory](https://github.com/carlory)) [SIG API Machinery, Apps and Autoscaling]
- Removed restrictions on subresource flag in kubectl commands ([128296](https://github.com/kubernetes/kubernetes/pull/128296), [AnishShah](https://github.com/AnishShah)) [SIG CLI]
- Revised the kubelet API Authorization with new subresources, that allow finer-grained authorization checks and access control for kubelet endpoints.
Provided you enable the `KubeletFineGrainedAuthz` feature gate, you can access kubelet's `/healthz` endpoint by granting the caller `nodes/healthz` permission in RBAC.
Similarly you can also access kubelet's `/pods` endpoint to fetch a list of Pods bound to that node by granting the caller `nodes/pods` permission in RBAC.
Similarly you can also access kubelet's `/configz` endpoint to fetch kubelet's configuration by granting the caller `nodes/configz` permission in RBAC.
You can still access kubelet's `/healthz`, `/pods` and `/configz` by granting the caller `nodes/proxy` permission in RBAC but that also grants the caller permissions to exec, run and attach to containers on the nodes and doing so does not follow the least privilege principle. Granting callers more permissions than they need can give attackers an opportunity to escalate privileges. ([126347](https://github.com/kubernetes/kubernetes/pull/126347), [vinayakankugoyal](https://github.com/vinayakankugoyal)) [SIG API Machinery, Auth, Cluster Lifecycle and Node]
- The core functionality of Dynamic Resource Allocation (DRA) got promoted to beta. No action is required when *upgrading*, the previous v1alpha3 API is still supported, so existing deployments and DRA drivers based on v1alpha3 continue to work. *Downgrading* from 1.32 to 1.31 with DRA resources in the cluster (resourceclaims, resourceclaimtemplates, deviceclasses, resourceslices) is *not* supported because the new v1beta1 is used as storage version and not readable by 1.31. ([127511](https://github.com/kubernetes/kubernetes/pull/127511), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
- The default value for node-monitor-grace-period has been increased to 50s (earlier 40s) (Ref - https://github.com/kubernetes/kubernetes/issues/121793) ([#126287](https://github.com/kubernetes/kubernetes/pull/126287), [devppratik](https://github.com/devppratik)) [SIG API Machinery, Apps and Node]
- The resource/v1alpha3.ResourceSliceList field which should have been named "metadata" but was instead named "listMeta" is now properly "metadata". ([126749](https://github.com/kubernetes/kubernetes/pull/126749), [thockin](https://github.com/thockin)) [SIG API Machinery]
- The synthetic "Bookmark" event for the watch stream requests will now include a new annotation: `kubernetes.io/initial-events-list-blueprint`. The annotation contains an empty, versioned list that is encoded in the requested format (such as protobuf, JSON, or CBOR), then base64-encoded and stored as a string. ([127587](https://github.com/kubernetes/kubernetes/pull/127587), [p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery]
- To enhance usability and developer experience, CRD validation rules now support direct use of (CEL) reserved keywords as field names in object validation expressions.
Name format CEL library is supported in new expressions. ([126977](https://github.com/kubernetes/kubernetes/pull/126977), [aaron-prindle](https://github.com/aaron-prindle)) [SIG API Machinery, Architecture, Auth, Etcd, Instrumentation, Release, Scheduling and Testing]
- Updated incorrect description of persistentVolumeClaimRetentionPolicy ([126545](https://github.com/kubernetes/kubernetes/pull/126545), [yangjunmyfm192085](https://github.com/yangjunmyfm192085)) [SIG API Machinery, Apps and CLI]
- X.509 client certificate authentication to the kube-apiserver now produces credential IDs (derived from the certificate's signature), for use in audit logging. ([125634](https://github.com/kubernetes/kubernetes/pull/125634), [ahmedtd](https://github.com/ahmedtd)) [SIG API Machinery, Auth and Testing]
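
The kubelet authorization entry above contrasts `nodes/proxy` with the per-endpoint subresources. As an added example (not code from kubernetes_asyncio or Kubernetes; the role names and sample rules are constructed, and the helper names are hypothetical), this audit flags ClusterRole rules that grant `nodes/proxy` and builds a scoped replacement role:

```python
"""Audit RBAC rules for broad kubelet access granted through nodes/proxy."""

BROAD = "nodes/proxy"
# Fine-grained kubelet subresources named in the release note above.
FINE_GRAINED = ("nodes/healthz", "nodes/pods", "nodes/configz")


def _group_matches(rule):
    # Nodes live in the core API group, written as "" in RBAC rules.
    groups = rule.get("apiGroups", [])
    return "*" in groups or "" in groups


def _resource_matches(rule, wanted):
    # RBAC resource matching: "*", an exact match, or "*/<subresource>".
    subresource = wanted.split("/", 1)[1]
    return any(
        res in ("*", wanted, "*/" + subresource)
        for res in rule.get("resources", [])
    )


def grants(rule, wanted):
    """True if the rule grants any verb on the wanted node subresource."""
    return bool(rule.get("verbs")) and _group_matches(rule) and _resource_matches(rule, wanted)


def audit(roles):
    """Return one finding per role that grants nodes/proxy."""
    findings = []
    for role in roles:
        rules = role.get("rules") or []
        broad = [i for i, rule in enumerate(rules) if grants(rule, BROAD)]
        if broad:
            findings.append({"role": role["metadata"]["name"], "rule_indexes": broad})
    return findings


def least_privilege_role(name, endpoints):
    """Build a ClusterRole limited to read access on the chosen kubelet endpoints."""
    unknown = sorted(set(endpoints) - set(FINE_GRAINED))
    if unknown:
        raise ValueError(f"not a fine-grained kubelet subresource: {unknown}")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [{"apiGroups": [""], "resources": sorted(endpoints), "verbs": ["get"]}],
    }


# Constructed sample ClusterRoles (not taken from any real cluster).
SAMPLE_ROLES = [
    {"metadata": {"name": "monitoring-legacy"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
    ]},
    {"metadata": {"name": "monitoring-scoped"}, "rules": [
        {"apiGroups": [""], "resources": ["nodes/healthz", "nodes/pods"], "verbs": ["get"]},
    ]},
    {"metadata": {"name": "wildcard-subresource"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*/proxy"], "verbs": ["*"]},
    ]},
    {"metadata": {"name": "apps-only"}, "rules": [
        {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get"]},
    ]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES):
        print(f"{finding['role']}: nodes/proxy granted by rule(s) {finding['rule_indexes']}")
    print(least_privilege_role("kubelet-health-reader", ["nodes/healthz"]))
```

The scoped role only takes effect on clusters where the `KubeletFineGrainedAuthz` feature gate is enabled, as the entry above states.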

31.1.1

Changes:

* Allow resource names >2 parts ([343](https://github.com/tomplus/kubernetes_asyncio/pull/343), [edwinpjacques](https://github.com/edwinpjacques))

31.1.0

Breaking changes:

* Websocket connect method returns an asynchronous context manager instead of a websocket ([328](https://github.com/tomplus/kubernetes_asyncio/pull/328), [olivier-matz-6wind](https://github.com/olivier-matz-6wind))

Example:

```python
websocket = await core_v1_ws.connect_get_namespaced_pod_exec(...)
```

Now a context manager is returned, which can be used in this way:

```python
async with websocket as ws:
    ...
    await ws.send_bytes(...)
```

Changes:

* Added `load_config` function ([331](https://github.com/tomplus/kubernetes_asyncio/pull/331), [james-mchugh](https://github.com/james-mchugh))
* Watch() retries 410 errors ([327](https://github.com/tomplus/kubernetes_asyncio/pull/327), [tomplus](https://github.com/tomplus))
* Pod exec enhancements ([328](https://github.com/tomplus/kubernetes_asyncio/pull/328), [olivier-matz-6wind](https://github.com/olivier-matz-6wind))

* Fix content-type detection for object sending as patch ([334](https://github.com/tomplus/kubernetes_asyncio/pull/334), [tomplus](https://github.com/tomplus))
* Fix stopping Watch for logs and events with timeout ([330](https://github.com/tomplus/kubernetes_asyncio/pull/330), [tomplus](https://github.com/tomplus))

API Change

- The resource/v1alpha3.ResourceSliceList field which should have been named "metadata" but was instead named "listMeta" is now properly "metadata". ([kubernetes/kubernetes126761](https://github.com/kubernetes/kubernetes/pull/126761), [thockin](https://github.com/thockin)) [SIG API Machinery]

- ACTION REQUIRED: The Dynamic Resource Allocation (DRA) driver's DaemonSet must be deployed with a service account that enables writing ResourceSlice and reading ResourceClaim objects. ([kubernetes/kubernetes125163](https://github.com/kubernetes/kubernetes/pull/125163), [pohly](https://github.com/pohly)) [SIG Auth, Node and Testing]
- Add UserNamespaces field to NodeRuntimeHandlerFeatures ([kubernetes/kubernetes126034](https://github.com/kubernetes/kubernetes/pull/126034), [sohankunkerkar](https://github.com/sohankunkerkar)) [SIG API Machinery, Apps and Node]
- Added Coordinated Leader Election as Alpha under the `CoordinatedLeaderElection` feature gate. With the feature enabled, the control plane can use LeaseCandidate objects (coordination.k8s.io/v1alpha1 API group) to participate in a leader election and let the kube-apiserver select the best instance according to some strategy. ([kubernetes/kubernetes124012](https://github.com/kubernetes/kubernetes/pull/124012), [Jefftree](https://github.com/Jefftree)) [SIG API Machinery, Apps, Auth, Cloud Provider, Etcd, Node, Release, Scheduling and Testing]
- Added a `.status.features.supplementalGroupsPolicy` field to Nodes. The field is true when the feature is implemented in the CRI implementation (KEP-3619). ([kubernetes/kubernetes125470](https://github.com/kubernetes/kubernetes/pull/125470), [everpeace](https://github.com/everpeace)) [SIG API Machinery, Apps, Node and Testing]
- Added an `allocatedResourcesStatus` to each container status to indicate the health status of devices exposed by the device plugin. ([kubernetes/kubernetes126243](https://github.com/kubernetes/kubernetes/pull/126243), [SergeyKanzhelev](https://github.com/SergeyKanzhelev)) [SIG API Machinery, Apps, Node and Testing]
- Added support to the kube-proxy nodePortAddresses / --nodeport-addresses option to
accept the value "primary", meaning to only listen for NodePort connections
on the node's primary IPv4 and/or IPv6 address (according to the Node object).
This is strongly recommended, if you were not previously using
--nodeport-addresses, to avoid surprising behavior.
(This behavior is enabled by default with the nftables backend; you would
need to explicitly request `--nodeport-addresses 0.0.0.0/0,::/0` there to get
the traditional "listen on all interfaces" behavior.) ([kubernetes/kubernetes123105](https://github.com/kubernetes/kubernetes/pull/123105), [danwinship](https://github.com/danwinship)) [SIG API Machinery, Network and Windows]
- Added the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` to enforce the strict cost calculation for CEL extended libraries. It is strongly recommended to turn on the feature gates as early as possible. ([kubernetes/kubernetes124675](https://github.com/kubernetes/kubernetes/pull/124675), [cici37](https://github.com/cici37)) [SIG API Machinery, Auth, Node and Testing]
- Changed how the API server handles updates to `.spec.defaultBackend` of Ingress objects.
Server-side apply now considers `.spec.defaultBackend` to be an atomic struct. This means that any field-owner who sets values in that struct (they are mutually exclusive) owns the whole struct. For almost all users this change has no impact; for controllers that want to change the default backend port from number to name (or vice-versa), this makes it easier. ([kubernetes/kubernetes126207](https://github.com/kubernetes/kubernetes/pull/126207), [thockin](https://github.com/thockin)) [SIG API Machinery]
- Component-base/logs: when compiled with Go >= 1.21, component-base will automatically configure the slog default logger together with initializing klog. ([kubernetes/kubernetes120696](https://github.com/kubernetes/kubernetes/pull/120696), [pohly](https://github.com/pohly)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Storage and Testing]
- CustomResourceDefinition objects created with non-empty `caBundle` fields which are invalid or do not contain any certificates will not appear in discovery or serve endpoints until a valid `caBundle` is provided. Updates to CustomResourceDefinition are no longer allowed to transition a valid `caBundle` field to an invalid `caBundle` field, because this breaks serving of the existing CustomResourceDefinition. ([kubernetes/kubernetes124061](https://github.com/kubernetes/kubernetes/pull/124061), [Jefftree](https://github.com/Jefftree)) [SIG API Machinery]
- Dynamic Resource Allocation (DRA): Added a feature so the number of ResourceClaim objects can be limited per namespace and by the number of devices requested through a specific class via the v1.ResourceQuota mechanism. ([kubernetes/kubernetes120611](https://github.com/kubernetes/kubernetes/pull/120611), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, CLI, Etcd, Node, Release, Scheduling and Testing]
- Dynamic Resource Allocation (DRA): client-side validation of a ResourceHandle would have accepted a missing DriverName, whereas server-side validation then would have raised an error. ([kubernetes/kubernetes124075](https://github.com/kubernetes/kubernetes/pull/124075), [pohly](https://github.com/pohly))
- Dynamic Resource Allocation (DRA): in the `pod.spec.resourceClaims` array, the `source` indirection is no longer necessary. Instead of e.g. `source: resourceClaimTemplateName: my-template`, one can write `resourceClaimTemplateName: my-template`. ([kubernetes/kubernetes125116](https://github.com/kubernetes/kubernetes/pull/125116), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- Enhanced the Dynamic Resource Allocation (DRA) with an updated version of the resource.k8s.io API group. The primary user-facing type remains the ResourceClaim, however significant changes have been made, resulting in the new version, v1alpha3, which is not compatible with the previous version. ([kubernetes/kubernetes125488](https://github.com/kubernetes/kubernetes/pull/125488), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Etcd, Node, Release, Scheduling, Storage and Testing]
- Fixed a 1.30.0 regression in OpenAPI descriptions of the `imagePullSecrets` and
`hostAliases` fields to mark the fields used as keys in those lists as either defaulted
or required. ([kubernetes/kubernetes124553](https://github.com/kubernetes/kubernetes/pull/124553), [pmalek](https://github.com/pmalek))
- Fixed a 1.30.0 regression in openapi descriptions of `PodIP.IP` and `HostIP.IP` fields to mark the fields used as keys in those lists as required. ([kubernetes/kubernetes126057](https://github.com/kubernetes/kubernetes/pull/126057), [thockin](https://github.com/thockin))
- Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. ([kubernetes/kubernetes124568](https://github.com/kubernetes/kubernetes/pull/124568), [xyz-li](https://github.com/xyz-li)) [SIG API Machinery]
- Fixed a deep copy issue when retrieving the controller reference. ([kubernetes/kubernetes124116](https://github.com/kubernetes/kubernetes/pull/124116), [HiranmoyChowdhury](https://github.com/HiranmoyChowdhury)) [SIG API Machinery and Release]
- Fixed code-generator client-gen to work with `api/v1`-like package structure. ([kubernetes/kubernetes125162](https://github.com/kubernetes/kubernetes/pull/125162), [sttts](https://github.com/sttts)) [SIG API Machinery and Apps]
- Fixed incorrect "v1 Binding is deprecated in v1.6+" warning in kube-scheduler log. ([kubernetes/kubernetes125540](https://github.com/kubernetes/kubernetes/pull/125540), [pohly](https://github.com/pohly)) [SIG API Machinery]
- Fixed the comment for the Job's managedBy field. ([kubernetes/kubernetes124793](https://github.com/kubernetes/kubernetes/pull/124793), [mimowo](https://github.com/mimowo)) [SIG API Machinery and Apps]
- Fixed the documentation for the default value of the `procMount` entry in `securityContext` within a Pod.
The documentation was previously using the name of the internal variable `DefaultProcMount`, rather than the actual value, "Default". ([kubernetes/kubernetes125782](https://github.com/kubernetes/kubernetes/pull/125782), [aborrero](https://github.com/aborrero)) [SIG Apps and Node]
- Graduate PodDisruptionConditions to GA and lock ([kubernetes/kubernetes125461](https://github.com/kubernetes/kubernetes/pull/125461), [mimowo](https://github.com/mimowo)) [SIG Apps, Node, Scheduling and Testing]
- Graduated MatchLabelKeys/MismatchLabelKeys feature in PodAffinity/PodAntiAffinity to Beta. ([kubernetes/kubernetes123638](https://github.com/kubernetes/kubernetes/pull/123638), [sanposhiho](https://github.com/sanposhiho)) [SIG API Machinery, Apps, Scheduling and Testing]
- Graduated `JobPodFailurePolicy` to GA and locked it to its default. ([kubernetes/kubernetes125442](https://github.com/kubernetes/kubernetes/pull/125442), [mimowo](https://github.com/mimowo)) [SIG API Machinery, Apps, Scheduling and Testing]
- Graduated the Job `successPolicy` field to beta.

The new reason label, "SuccessPolicy" and "CompletionsReached" are added to the "jobs_finished_total" metric.
Additionally, if you enable the `JobSuccessPolicy` feature gate, the Job gets "CompletionsReached" reason for the "SuccessCriteriaMet" and "Complete" condition type
when the number of succeeded Job Pods (`.status.succeeded`) reached the desired completions (`.spec.completions`). ([kubernetes/kubernetes126067](https://github.com/kubernetes/kubernetes/pull/126067), [tenzen-y](https://github.com/tenzen-y)) [SIG API Machinery, Apps and Testing]
- Graduated the `DisableNodeKubeProxyVersion` feature gate to beta. By default, the kubelet no longer attempts to set the `.status.kubeProxyVersion` field for its associated Node. ([kubernetes/kubernetes123845](https://github.com/kubernetes/kubernetes/pull/123845), [HirazawaUi](https://github.com/HirazawaUi)) [SIG API Machinery, Cloud Provider, Network, Node and Testing]
- Improved scheduling performance when there are many nodes and prefilter returns 1-2 nodes (e.g. daemonset).

For developers of out-of-tree PostFilter plugins, note that the semantics of NodeToStatusMap are changing: A node with an absent value in the NodeToStatusMap should be interpreted as having an UnschedulableAndUnresolvable status. ([kubernetes/kubernetes125197](https://github.com/kubernetes/kubernetes/pull/125197), [gabesaba](https://github.com/gabesaba))
- Introduced a new boolean kubelet flag `--fail-cgroupv1`. ([kubernetes/kubernetes126031](https://github.com/kubernetes/kubernetes/pull/126031), [harche](https://github.com/harche)) [SIG API Machinery and Node]
- K8s.io/apimachinery/pkg/util/runtime: Added support for new calls to handle panics and errors in the context where they occur. `PanicHandlers` and `ErrorHandlers` now must accept a context parameter for that. Log output is structured instead of unstructured. ([kubernetes/kubernetes121970](https://github.com/kubernetes/kubernetes/pull/121970), [pohly](https://github.com/pohly)) [SIG API Machinery and Instrumentation]
- KEP-1880: Users of the new feature to add multiple service CIDR will use by default a dual-write strategy on the new ClusterIP allocators to avoid the problem of possible duplicate IPs allocated to Services when running skewed kube-apiservers using different allocators. They can opt out of this behavior by enabling the feature gate DisableAllocatorDualWrite. ([kubernetes/kubernetes122047](https://github.com/kubernetes/kubernetes/pull/122047), [aojea](https://github.com/aojea)) [SIG API Machinery, Apps, Instrumentation and Testing]
- Kube-apiserver: Added Alpha features to allow API server authz to check the context of requests:
- The `AuthorizeWithSelectors` feature gate enables including field and label selector information from requests in webhook authorization calls.
- The `AuthorizeNodeWithSelectors` feature gate changes node authorizer behavior to limit requests from node API clients, so that each Node can only get / list / watch its own Node API object, and can also only get / list / watch Pod API objects bound to that node. Clients using kubelet credentials to read other nodes or unrelated pods must change their authentication credentials (recommended), adjust their usage, or obtain broader read access independent of the node authorizer. ([kubernetes/kubernetes125571](https://github.com/kubernetes/kubernetes/pull/125571), [liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth, Node, Scheduling and Testing]
- Kube-apiserver: ControllerRevision objects are now verified to contain valid JSON data in the `data` field. ([kubernetes/kubernetes125549](https://github.com/kubernetes/kubernetes/pull/125549), [liggitt](https://github.com/liggitt)) [SIG API Machinery and Apps]
- Kube-apiserver: the `--encryption-provider-config` file is now loaded with strict deserialization, which fails if the config file contains duplicate or unknown fields. This protects against accidentally running with config files that are malformed, mis-indented, or have typos in field names, and getting unexpected behavior. When `--encryption-provider-config-automatic-reload` is used, new encryption config files that contain typos after the kube-apiserver is running are treated as invalid and the last valid config is used. ([kubernetes/kubernetes124912](https://github.com/kubernetes/kubernetes/pull/124912), [enj](https://github.com/enj)) [SIG API Machinery and Auth]
- Kube-controller-manager: the `horizontal-pod-autoscaler-upscale-delay` and `horizontal-pod-autoscaler-downscale-delay` flags have been removed (deprecated and non-functional since v1.12). ([kubernetes/kubernetes124948](https://github.com/kubernetes/kubernetes/pull/124948), [SataQiu](https://github.com/SataQiu)) [SIG API Machinery, Apps and Autoscaling]
- Made kube-proxy Windows service control manager integration (`--windows-service`) configurable in v1alpha1 component configuration via `windowsRunAsService` field. ([kubernetes/kubernetes126072](https://github.com/kubernetes/kubernetes/pull/126072), [aroradaman](https://github.com/aroradaman)) [SIG Network and Scalability]
- PersistentVolumeLastPhaseTransitionTime feature is stable and enabled by default. ([kubernetes/kubernetes124969](https://github.com/kubernetes/kubernetes/pull/124969), [RomanBednar](https://github.com/RomanBednar)) [SIG API Machinery, Apps, Storage and Testing]
- Promoted `LocalStorageCapacityIsolation` to beta; the behaviour is enabled by default. Within the kubelet, storage capacity isolation is active if the feature gate is enabled and the specific Pod is using a user namespace. ([kubernetes/kubernetes126014](https://github.com/kubernetes/kubernetes/pull/126014), [PannagaRao](https://github.com/PannagaRao)) [SIG Apps, Autoscaling, Node, Storage and Testing]
- Promoted `StatefulSetStartOrdinal` to stable. This means `--feature-gates=StatefulSetStartOrdinal=true` are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation. ([kubernetes/kubernetes125374](https://github.com/kubernetes/kubernetes/pull/125374), [pwschuurman](https://github.com/pwschuurman)) [SIG API Machinery, Apps and Testing]
- Promoted feature-gate `VolumeAttributesClass` to beta (disabled by default). Users need to enable the feature gate and the `storage.k8s.io/v1beta1` API group to use this feature.
Promoted the VolumeAttributesClass API to beta. ([kubernetes/kubernetes126145](https://github.com/kubernetes/kubernetes/pull/126145), [carlory](https://github.com/carlory)) [SIG API Machinery, Apps, CLI, Etcd, Storage and Testing]
- Removed deprecated command flags --volume-host-cidr-denylist
and --volume-host-allow-local-loopback from kube-controller-manager.
([kubernetes/kubernetes124017](https://github.com/kubernetes/kubernetes/pull/124017), [carlory](https://github.com/carlory)) [SIG API Machinery, Apps, Cloud Provider and Storage]
- Removed feature gate `CustomResourceValidationExpressions`. ([kubernetes/kubernetes126136](https://github.com/kubernetes/kubernetes/pull/126136), [cici37](https://github.com/cici37)) [SIG API Machinery, Cloud Provider and Testing]
- Reverted a [change](https://github.com/kubernetes/kubernetes/pull/123513) where `ConsistentListFromCache` was moved to beta and enabled by default. ([kubernetes/kubernetes#126139](https://github.com/kubernetes/kubernetes/pull/126139), [enj](https://github.com/enj))
- Revised the Pod API with Alpha support for volumes derived from OCI artifacts. This feature is behind the `ImageVolume` feature gate. ([kubernetes/kubernetes125660](https://github.com/kubernetes/kubernetes/pull/125660), [saschagrunert](https://github.com/saschagrunert)) [SIG API Machinery, Apps and Node]
- Supported fine-grained supplemental groups policy (KEP-3619), which enabled
fine-grained control for supplementary groups in the first container processes.
This allows you to choose whether to include groups defined in the container image (/etc/groups)
for the container's primary UID or not. ([kubernetes/kubernetes117842](https://github.com/kubernetes/kubernetes/pull/117842), [everpeace](https://github.com/everpeace)) [SIG API Machinery, Apps and Node]
- The (alpha) nftables mode of kube-proxy now requires version 1.0.1 or later
of the nft command-line, and kernel 5.13 or later. (For testing/development
purposes, you can use older kernels, as far back as 5.4, if you set the
`nftables.skipKernelVersionCheck` option in the kube-proxy config, but this is not
recommended in production since it may cause problems with other nftables
users on the system.) ([kubernetes/kubernetes124152](https://github.com/kubernetes/kubernetes/pull/124152), [danwinship](https://github.com/danwinship)) [SIG Network]
- To enhance usability and developer experience, CRD validation rules now support direct use of (CEL) reserved keywords as field names in object validation expressions for existing expressions in storage, will fully support runtime in next release for compatibility concern. ([kubernetes/kubernetes126188](https://github.com/kubernetes/kubernetes/pull/126188), [cici37](https://github.com/cici37)) [SIG API Machinery and Testing]
- Updated the feature MultiCIDRServiceAllocator to beta (disabled by default). Users need to enable the feature gate and the networking v1beta1 group to be able to use this new feature, that allows to dynamically reconfigure Service CIDR ranges. ([kubernetes/kubernetes125021](https://github.com/kubernetes/kubernetes/pull/125021), [aojea](https://github.com/aojea)) [SIG API Machinery, Apps, CLI, Etcd, Instrumentation, Network and Testing]
- Use omitempty for optional Job Pod Failure Policy fields. ([kubernetes/kubernetes126046](https://github.com/kubernetes/kubernetes/pull/126046), [mimowo](https://github.com/mimowo))
- User can choose a different static policy option `SpreadPhysicalCPUsPreferredOption` to spread cpus across physical cpus for some specific applications ([kubernetes/kubernetes123733](https://github.com/kubernetes/kubernetes/pull/123733), [Jeffwan](https://github.com/Jeffwan)) [SIG Node]
- When the feature gate AnonymousAuthConfigurableEndpoints is enabled, users can update the AuthenticationConfig file with endpoints for which anonymous requests are allowed. ([kubernetes/kubernetes124917](https://github.com/kubernetes/kubernetes/pull/124917), [vinayakankugoyal](https://github.com/vinayakankugoyal)) [SIG API Machinery, Auth, Cloud Provider, Node and Testing]
- Move ConsistentListFromCache feature flag to Beta and enable it by default ([kubernetes/kubernetes126469](https://github.com/kubernetes/kubernetes/pull/126469), [serathius](https://github.com/serathius)) [SIG API Machinery]
- Add Coordinated Leader Election as alpha under the CoordinatedLeaderElection feature gate. With the feature enabled, the control plane can use LeaseCandidate objects (coordination.k8s.io/v1alpha1 API group) to participate in a leader election and let the kube-apiserver select the best instance according to some strategy. ([kubernetes/kubernetes124012](https://github.com/kubernetes/kubernetes/pull/124012), [Jefftree](https://github.com/Jefftree)) [SIG API Machinery, Apps, Auth, Cloud Provider, Etcd, Node, Release, Scheduling and Testing]
- Add an AllocatedResourcesStatus to each container status to indicate the health status of devices exposed by the device plugin. ([kubernetes/kubernetes126243](https://github.com/kubernetes/kubernetes/pull/126243), [SergeyKanzhelev](https://github.com/SergeyKanzhelev)) [SIG API Machinery, Apps, Node and Testing]
- Added Node.Status.Features.SupplementalGroupsPolicy field which is set to true when the feature is implemented in the CRI implementation (KEP-3619) ([kubernetes/kubernetes125470](https://github.com/kubernetes/kubernetes/pull/125470), [everpeace](https://github.com/everpeace)) [SIG API Machinery, Apps, Node and Testing]
- CustomResourceDefinition objects created with non-empty `caBundle` fields which are invalid or do not contain any certificates will not appear in discovery or serve endpoints until a valid `caBundle` is provided. Updates to CustomResourceDefinition are no longer allowed to transition a valid `caBundle` field to an invalid `caBundle` field. ([kubernetes/kubernetes124061](https://github.com/kubernetes/kubernetes/pull/124061), [Jefftree](https://github.com/Jefftree)) [SIG API Machinery]
- DRA: The DRA driver's daemonset must be deployed with a service account that enables writing ResourceSlice and reading ResourceClaim objects. ([kubernetes/kubernetes125163](https://github.com/kubernetes/kubernetes/pull/125163), [pohly](https://github.com/pohly)) [SIG Auth, Node and Testing]
- DRA: new API and several new features ([kubernetes/kubernetes125488](https://github.com/kubernetes/kubernetes/pull/125488), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Etcd, Node, Release, Scheduling, Storage and Testing]
- DRA: the number of ResourceClaim objects can be limited per namespace and by the number of devices requested through a specific class via the v1.ResourceQuota mechanism. ([kubernetes/kubernetes120611](https://github.com/kubernetes/kubernetes/pull/120611), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, CLI, Etcd, Node, Release, Scheduling and Testing]
- Fix the documentation for the default value of the procMount entry in the pod securityContext.
The documentation was previously using the name of the internal variable 'DefaultProcMount' rather than the actual value 'Default'. ([kubernetes/kubernetes125782](https://github.com/kubernetes/kubernetes/pull/125782), [aborrero](https://github.com/aborrero)) [SIG Apps and Node]
- Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. ([kubernetes/kubernetes124568](https://github.com/kubernetes/kubernetes/pull/124568), [xyz-li](https://github.com/xyz-li)) [SIG API Machinery]
- Graduate the Job SuccessPolicy to Beta.

The new reason labels, "SuccessPolicy" and "CompletionsReached", are added to the "jobs_finished_total" metric.
Additionally, if we enable the "JobSuccessPolicy" feature gate, the Job gets "CompletionsReached" reason for the "SuccessCriteriaMet" and "Complete" condition type
when the number of succeeded Job Pods (".status.succeeded") reached the desired completions (".spec.completions"). ([kubernetes/kubernetes126067](https://github.com/kubernetes/kubernetes/pull/126067), [tenzen-y](https://github.com/tenzen-y)) [SIG API Machinery, Apps and Testing]
- Introduce a new boolean kubelet flag --fail-cgroupv1 ([kubernetes/kubernetes126031](https://github.com/kubernetes/kubernetes/pull/126031), [harche](https://github.com/harche)) [SIG API Machinery and Node]
- Kube-apiserver: adds an alpha AuthorizeWithSelectors feature that includes field and label selector information from requests in webhook authorization calls; adds an alpha AuthorizeNodeWithSelectors feature that makes the node authorizer limit requests from node API clients to get / list / watch its own Node API object, and to get / list / watch its own Pod API objects. Clients using kubelet credentials to read other nodes or unrelated pods must change their authentication credentials (recommended), adjust their usage, or grant broader read access independent of the node authorizer. ([kubernetes/kubernetes125571](https://github.com/kubernetes/kubernetes/pull/125571), [liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth, Node, Scheduling and Testing]
- Kube-proxy Windows service control manager integration (`--windows-service`) is now configurable in v1alpha1 component configuration via `WindowsRunAsService` field ([kubernetes/kubernetes126072](https://github.com/kubernetes/kubernetes/pull/126072), [aroradaman](https://github.com/aroradaman)) [SIG Network and Scalability]
- Promote LocalStorageCapacityIsolation to beta and enable if user namespace is enabled for the pod ([kubernetes/kubernetes126014](https://github.com/kubernetes/kubernetes/pull/126014), [PannagaRao](https://github.com/PannagaRao)) [SIG Apps, Autoscaling, Node, Storage and Testing]
- Promote StatefulSetStartOrdinal to stable. This means `--feature-gates=StatefulSetStartOrdinal=true` are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation ([kubernetes/kubernetes125374](https://github.com/kubernetes/kubernetes/pull/125374), [pwschuurman](https://github.com/pwschuurman)) [SIG API Machinery, Apps and Testing]
- Promoted feature-gate `VolumeAttributesClass` to beta (disabled by default). Users need to enable the feature gate and the storage v1beta1 group to use this new feature.
- Promoted API `VolumeAttributesClass` and `VolumeAttributesClassList` to `storage.k8s.io/v1beta1`. ([kubernetes/kubernetes126145](https://github.com/kubernetes/kubernetes/pull/126145), [carlory](https://github.com/carlory)) [SIG API Machinery, Apps, CLI, Etcd, Storage and Testing]
- Removed feature gate `CustomResourceValidationExpressions`. ([kubernetes/kubernetes126136](https://github.com/kubernetes/kubernetes/pull/126136), [cici37](https://github.com/cici37)) [SIG API Machinery, Cloud Provider and Testing]
- Revert "Move ConsistentListFromCache feature flag to Beta and enable it by default" ([kubernetes/kubernetes126139](https://github.com/kubernetes/kubernetes/pull/126139), [enj](https://github.com/enj)) [SIG API Machinery]
- Revised the Pod API with alpha support for volumes derived from OCI artefacts.
This feature is behind the `ImageVolume` feature gate. ([kubernetes/kubernetes125660](https://github.com/kubernetes/kubernetes/pull/125660), [saschagrunert](https://github.com/saschagrunert)) [SIG API Machinery, Apps and Node]
- The Ingress.spec.defaultBackend is now considered an atomic struct for the purposes of server-side-apply. This means that any field-owner who sets values in that struct (they are mutually exclusive) owns the whole struct. For almost all users this change has no impact. For controllers which want to change port from number to name (or vice-versa), this makes it easier. ([kubernetes/kubernetes126207](https://github.com/kubernetes/kubernetes/pull/126207), [thockin](https://github.com/thockin)) [SIG API Machinery]
- To enhance usability and developer experience, CRD validation rules now support direct use of (CEL) reserved keywords as field names in object validation expressions for existing expressions in storage, will fully support runtime in next release for compatibility concern. ([kubernetes/kubernetes126188](https://github.com/kubernetes/kubernetes/pull/126188), [cici37](https://github.com/cici37)) [SIG API Machinery and Testing]
- Add UserNamespaces field to NodeRuntimeHandlerFeatures ([kubernetes/kubernetes126034](https://github.com/kubernetes/kubernetes/pull/126034), [sohankunkerkar](https://github.com/sohankunkerkar)) [SIG API Machinery, Apps and Node]
- Fixes a 1.30.0 regression in openapi descriptions of PodIP.IP and HostIP.IP fields to mark the fields used as keys in those lists as required. ([kubernetes/kubernetes126057](https://github.com/kubernetes/kubernetes/pull/126057), [thockin](https://github.com/thockin)) [SIG API Machinery]
- Graduate JobPodFailurePolicy to GA and lock ([kubernetes/kubernetes125442](https://github.com/kubernetes/kubernetes/pull/125442), [mimowo](https://github.com/mimowo)) [SIG API Machinery, Apps, Scheduling and Testing]
- Graduate PodDisruptionConditions to GA and lock ([kubernetes/kubernetes125461](https://github.com/kubernetes/kubernetes/pull/125461), [mimowo](https://github.com/mimowo)) [SIG Apps, Node, Scheduling and Testing]
- PersistentVolumeLastPhaseTransitionTime feature is stable and enabled by default. ([kubernetes/kubernetes124969](https://github.com/kubernetes/kubernetes/pull/124969), [RomanBednar](https://github.com/RomanBednar)) [SIG API Machinery, Apps, Storage and Testing]
- The (alpha) nftables mode of kube-proxy now requires version 1.0.1 or later
of the nft command-line, and kernel 5.13 or later. (For testing/development
purposes, you can use older kernels, as far back as 5.4, if you set the
`nftables.skipKernelVersionCheck` option in the kube-proxy config, but this is not
recommended in production since it may cause problems with other nftables
users on the system.) ([kubernetes/kubernetes124152](https://github.com/kubernetes/kubernetes/pull/124152), [danwinship](https://github.com/danwinship)) [SIG Network]
- Use omitempty for optional Job Pod Failure Policy fields ([kubernetes/kubernetes126046](https://github.com/kubernetes/kubernetes/pull/126046), [mimowo](https://github.com/mimowo)) [SIG Apps]
- User can choose a different static policy option `SpreadPhysicalCPUsPreferredOption` to spread cpus across physical cpus for some specific applications ([kubernetes/kubernetes123733](https://github.com/kubernetes/kubernetes/pull/123733), [Jeffwan](https://github.com/Jeffwan)) [SIG Node]
- DRA: in the `pod.spec.resourceClaims` array, the `source` indirection is no longer necessary. Instead of e.g. `source: resourceClaimTemplateName: my-template`, one can write `resourceClaimTemplateName: my-template`. ([kubernetes/kubernetes125116](https://github.com/kubernetes/kubernetes/pull/125116), [pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- Fix code-generator client-gen to work with `api/v1`-like package structure. ([kubernetes/kubernetes125162](https://github.com/kubernetes/kubernetes/pull/125162), [sttts](https://github.com/sttts)) [SIG API Machinery and Apps]
- KEP-1880: Users of the new feature to add multiple service CIDR will use by default a dual-write strategy on the new ClusterIP allocators to avoid the problem of possible duplicate IPs allocated to Services when running skewed kube-apiservers using different allocators. They can opt out of this behavior by enabling the feature gate DisableAllocatorDualWrite ([kubernetes/kubernetes122047](https://github.com/kubernetes/kubernetes/pull/122047), [aojea](https://github.com/aojea)) [SIG API Machinery, Apps, Instrumentation and Testing]
- Kube-apiserver: ControllerRevision objects are now verified to contain valid JSON data in the `data` field. ([kubernetes/kubernetes125549](https://github.com/kubernetes/kubernetes/pull/125549), [liggitt](https://github.com/liggitt)) [SIG API Machinery and Apps]
- Update the feature MultiCIDRServiceAllocator to beta (disabled by default). Users need to enable the feature gate and the networking v1beta1 group to be able to use this new feature, that allows to dynamically reconfigure Service CIDR ranges. ([kubernetes/kubernetes125021](https://github.com/kubernetes/kubernetes/pull/125021), [aojea](https://github.com/aojea)) [SIG API Machinery, Apps, CLI, Etcd, Instrumentation, Network and Testing]
- When the feature gate AnonymousAuthConfigurableEndpoints is enabled, users can update the AuthenticationConfig file with endpoints for which anonymous requests are allowed. ([kubernetes/kubernetes124917](https://github.com/kubernetes/kubernetes/pull/124917), [vinayakankugoyal](https://github.com/vinayakankugoyal)) [SIG API Machinery, Auth, Cloud Provider, Node and Testing]
- Fixed incorrect "v1 Binding is deprecated in v1.6+" warning in kube-scheduler log. ([kubernetes/kubernetes125540](https://github.com/kubernetes/kubernetes/pull/125540), [pohly](https://github.com/pohly)) [SIG API Machinery]
- Added the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` to enforce the strict cost calculation for CEL extended libraries. It is strongly recommended to turn on the feature gates as early as possible. ([kubernetes/kubernetes124675](https://github.com/kubernetes/kubernetes/pull/124675), [cici37](https://github.com/cici37)) [SIG API Machinery, Auth, Node and Testing]
- Component-base/logs: when compiled with Go >= 1.21, component-base will automatically configure the slog default logger together with initializing klog. ([kubernetes/kubernetes120696](https://github.com/kubernetes/kubernetes/pull/120696), [pohly](https://github.com/pohly)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Storage and Testing]
- DRA: client-side validation of a ResourceHandle would have accepted a missing DriverName, whereas server-side validation then would have raised an error. ([kubernetes/kubernetes124075](https://github.com/kubernetes/kubernetes/pull/124075), [pohly](https://github.com/pohly)) [SIG Apps]
- Fix Deep Copy issue in getting controller reference ([kubernetes/kubernetes124116](https://github.com/kubernetes/kubernetes/pull/124116), [HiranmoyChowdhury](https://github.com/HiranmoyChowdhury)) [SIG API Machinery and Release]
- Fix the comment for the Job's managedBy field ([kubernetes/kubernetes124793](https://github.com/kubernetes/kubernetes/pull/124793), [mimowo](https://github.com/mimowo)) [SIG API Machinery and Apps]
- Fixes a 1.30.0 regression in openapi descriptions of imagePullSecrets and hostAliases fields to mark the fields used as keys in those lists as either defaulted or required. ([kubernetes/kubernetes124553](https://github.com/kubernetes/kubernetes/pull/124553), [pmalek](https://github.com/pmalek)) [SIG API Machinery]
- Graduate MatchLabelKeys/MismatchLabelKeys feature in PodAffinity/PodAntiAffinity to Beta ([kubernetes/kubernetes123638](https://github.com/kubernetes/kubernetes/pull/123638), [sanposhiho](https://github.com/sanposhiho)) [SIG API Machinery, Apps, Scheduling and Testing]
- Graduated the `DisableNodeKubeProxyVersion` feature gate to beta. By default, the kubelet no longer attempts to set the `.status.kubeProxyVersion` field for its associated Node. ([kubernetes/kubernetes123845](https://github.com/kubernetes/kubernetes/pull/123845), [HirazawaUi](https://github.com/HirazawaUi)) [SIG API Machinery, Cloud Provider, Network, Node and Testing]
- Improved scheduling performance when there are many nodes and prefilter returns 1-2 nodes (e.g. daemonset)

For developers of out-of-tree PostFilter plugins, note that the semantics of NodeToStatusMap are changing: A node with an absent value in the NodeToStatusMap should be interpreted as having an UnschedulableAndUnresolvable status ([kubernetes/kubernetes125197](https://github.com/kubernetes/kubernetes/pull/125197), [gabesaba](https://github.com/gabesaba)) [SIG Scheduling]
- K8s.io/apimachinery/pkg/util/runtime: new calls support handling panics and errors in the context where they occur. `PanicHandlers` and `ErrorHandlers` now must accept a context parameter for that. Log output is structured instead of unstructured. ([kubernetes/kubernetes121970](https://github.com/kubernetes/kubernetes/pull/121970), [pohly](https://github.com/pohly)) [SIG API Machinery and Instrumentation]
- Kube-apiserver: the `--encryption-provider-config` file is now loaded with strict deserialization, which fails if the config file contains duplicate or unknown fields. This protects against accidentally running with config files that are malformed, mis-indented, or have typos in field names, and getting unexpected behavior. When `--encryption-provider-config-automatic-reload` is used, new encryption config files that contain typos after the kube-apiserver is running are treated as invalid and the last valid config is used. ([kubernetes/kubernetes124912](https://github.com/kubernetes/kubernetes/pull/124912), [enj](https://github.com/enj)) [SIG API Machinery and Auth]
- Kube-controller-manager removes deprecated command flags: --volume-host-cidr-denylist and --volume-host-allow-local-loopback ([kubernetes/kubernetes124017](https://github.com/kubernetes/kubernetes/pull/124017), [carlory](https://github.com/carlory)) [SIG API Machinery, Apps, Cloud Provider and Storage]
- Kube-controller-manager: the `horizontal-pod-autoscaler-upscale-delay` and `horizontal-pod-autoscaler-downscale-delay` flags have been removed (deprecated and non-functional since v1.12) ([kubernetes/kubernetes124948](https://github.com/kubernetes/kubernetes/pull/124948), [SataQiu](https://github.com/SataQiu)) [SIG API Machinery, Apps and Autoscaling]
- Support fine-grained supplemental groups policy (KEP-3619), which enables fine-grained control for supplementary groups in the first container processes. You can choose whether to include groups defined in the container image (/etc/groups) for the container's primary uid or not. ([kubernetes/kubernetes117842](https://github.com/kubernetes/kubernetes/pull/117842), [everpeace](https://github.com/everpeace)) [SIG API Machinery, Apps and Node]
- The kube-proxy nodeportAddresses / --nodeport-addresses option now
accepts the value "primary", meaning to only listen for NodePort connections
on the node's primary IPv4 and/or IPv6 address (according to the Node object).
This is strongly recommended, if you were not previously using
--nodeport-addresses, to avoid surprising behavior.

(This behavior is enabled by default with the nftables backend; you would
need to explicitly request `--nodeport-addresses 0.0.0.0/0,::/0` there to get
the traditional "listen on all interfaces" behavior.) ([kubernetes/kubernetes123105](https://github.com/kubernetes/kubernetes/pull/123105), [danwinship](https://github.com/danwinship)) [SIG API Machinery, Network and Windows]

30.3.0

* fix: Timeout related fixes ([320](https://github.com/tomplus/kubernetes_asyncio/pull/320), [olivier-matz-6wind](https://github.com/olivier-matz-6wind))
* fix: Fix reconnecting in watch for custom resources ([321](https://github.com/tomplus/kubernetes_asyncio/pull/321), [tomplus](https://github.com/tomplus))
* fix: fix unittests to work with aiohttp 3.10+ ([326](https://github.com/tomplus/kubernetes_asyncio/pull/326), [tomplus](https://github.com/tomplus))

API Change

- Added the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` to enforce the strict cost calculation for CEL extended libraries. It is strongly recommended to turn on the feature gates as early as possible. ([124676](https://github.com/kubernetes/kubernetes/pull/124676), [cici37](https://github.com/cici37)) [SIG API Machinery, Auth, Node and Testing]
- Improved scheduling performance when there are many nodes and prefilter returns 1-2 nodes (e.g. daemonset)
For developers of out-of-tree PostFilter plugins, note that the semantics of NodeToStatusMap are changing: A node with an absent value in the NodeToStatusMap should be interpreted as having an UnschedulableAndUnresolvable status ([125306](https://github.com/kubernetes/kubernetes/pull/125306), [gabesaba](https://github.com/gabesaba)) [SIG Scheduling]

30.1.1

* feat: remove setuptools from requirements ([318](https://github.com/tomplus/kubernetes_asyncio/pull/318), [tomplus](https://github.com/tomplus))
* fix: restore rest client ability to handle "application/apply-patch+yaml" content type ([317](https://github.com/tomplus/kubernetes_asyncio/pull/317), [Meallia](https://github.com/Meallia))
