Merge branch 'kubernetes:main' into patch-1

OWNERS_ALIASES

@@ -1,11 +1,13 @@
 aliases:
   sig-docs-blog-owners: # Approvers for blog content
     - mrbobbytables
+    - natalisucks
     - nate-double-u
     - sftim
   sig-docs-blog-reviewers: # Reviewers for blog content
     - Gauravpadam
     - mrbobbytables
+    - natalisucks
     - nate-double-u
     - sftim
   sig-docs-website-owners: # Admins for overall website

content/de/docs/concepts/workloads/pods/_index.md

@@ -364,6 +364,6 @@ oder {{< glossary_tooltip text="Deployments" term_id="deployment" >}} einbindet,
 kannst du Artikel zu früheren Technologien lesen, unter anderem: 
  * [Aurora](https://aurora.apache.org/documentation/latest/reference/configuration/#job-schema)
  * [Borg](https://research.google.com/pubs/pub43438.html)
- * [Marathon](https://mesosphere.github.io/marathon/docs/rest-api.html)
+ * [Marathon](https://github.com/d2iq-archive/marathon)
  * [Omega](https://research.google/pubs/pub41684/)
  * [Tupperware](https://engineering.fb.com/data-center-engineering/tupperware/).

content/en/blog/_posts/2018-05-04-Announcing-Kubeflow-0-1.md

@@ -42,7 +42,7 @@ NAMESPACE=kubeflow
 kubectl create namespace ${NAMESPACE}
 VERSION=v0.1.3
 
-# Initialize a ksonnet app. Set the namespace for it's default environment.
+# Initialize a ksonnet app. Set the namespace for its default environment.
 APP_NAME=my-kubeflow
 ks init ${APP_NAME}
 cd ${APP_NAME}

content/en/blog/_posts/2021-10-18-kpng-specialized-proxiers.md

@@ -41,7 +41,7 @@ spec:
 
 If the `service.kubernetes.io/service-proxy-name` label is defined the
 `kube-proxy` will ignore the service. A custom controller can watch
-services with the label set to it's own name, "kpng-example" in
+services with the label set to its own name, "kpng-example" in
 this example, and setup specialized load-balancing.
 
 The `service.kubernetes.io/service-proxy-name` label is [not

content/en/blog/_posts/2024-12-11-Kubernetes-v1-32-Release/index.md

@@ -1,16 +1,15 @@
 ---
 layout: blog
-title: 'Kubernetes v1.32: {release-name}'
+title: 'Kubernetes v1.32: Penelope'
 date: 2024-12-11
 slug: kubernetes-v1-32-release
 author: >
   [Kubernetes v1.32 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.32/release-team.md)
-draft: true
 ---
 
 **Editors:** Matteo Bianchi, Edith Puclla, William Rizzo, Ryota Sawada, Rashan Smith
 
-Announcing the release of Kubernetes v1.32: {release-name}!
+Announcing the release of Kubernetes v1.32: Penelope!
 
 In line with previous releases, the release of Kubernetes v1.32 introduces new stable, beta, and alpha features.
 The consistent delivery of high-quality releases underscores the strength of our development cycle and the vibrant
@@ -19,14 +18,22 @@ This release consists of 44 enhancements in total.
 Of those enhancements, 13 have graduated to Stable, 12 are entering Beta, and 19 have entered in Alpha.
 
 ## Release theme and logo
-{{< figure src="/images/blog/2024-12-11-kubernetes-1.32-release/k8s-1.32.png" alt="Kubernetes v1.32 logo"
-class="release-logo" >}}
 
-<TODO upload image to static/images/blog/2024-12-11-kubernetes-1.32-release/k8s-1.32.png>
+{{< figure src="k8s-1.32.png" alt="Kubernetes v1.32 logo: Penelope from the Odyssey, a helm and a purple geometric background"
+class="release-logo" >}}
 
-The Kubernetes v1.32 Release Theme is "{release-name}".
+The Kubernetes v1.32 Release Theme is "Penelope".
 
-Kubernetes v1.32's {release-story}
+If Kubernetes is Ancient Greek for "pilot", in this release we start from that origin 
+and reflect on the last 10 years of Kubernetes and our accomplishments: 
+each release cycle is a journey, and just like Penelope, in "The Odyssey",  
+weaved for 10 years -- each night removing parts of what she had done during the day -- 
+so does each release add new features and removes others, albeit here with a much 
+clearer purpose of constantly improving Kubernetes. 
+With v1.32 being the last release in the year Kubernetes marks its first decade anniversary, 
+we wanted to honour all of those that have been part of the global Kubernetes crew 
+that roams the cloud-native seas through perils and challanges: 
+may we continue to weave the future of Kubernetes together.
 
 ## Updates to recent key features
 
@@ -332,13 +339,6 @@ This removal will allow Kubernetes to handle new hardware requirements and resou
 the complexities of back and forth API calls to the kube-apiserver.
 
 See the enhancement issue [#3063](https://github.com/kubernetes/enhancements/issues/3063) to find out more.
-
-#### Deprecation of gitRepo volume types
-
-The [gitRepo](https://kubernetes.io/docs/concepts/storage/volumes/#gitrepo) volume type is deprecated and will be
-removed in a future release, the deprecation has been executed in light of the security advisory encompassing the
-[CVE-2024-10220](https://nvd.nist.gov/vuln/detail/CVE-2024-10220): Arbitrary command execution through gitRepo volume,
-which was reported publicly in [this issue](https://github.com/kubernetes/kubernetes/issues/128885).
 
 #### API removals
 
@@ -478,7 +478,7 @@ Antigua Guatemala, Guatemala
 
 ## Upcoming release webinar
 
-Join members of the Kubernetes v1.32 release team on **Thursday, January 9th 2024 at 5:00 PM (UTC)**, to learn about the
+Join members of the Kubernetes v1.32 release team on **Thursday, January 9th 2025 at 5:00 PM (UTC)**, to learn about the
 release highlights of this release, as well as deprecations and removals to help plan for upgrades.
 For more information and registration, visit the [event
 page](https://community.cncf.io/events/details/cncf-cncf-online-programs-presents-cncf-live-webinar-kubernetes-132-release/)

content/en/blog/_posts/2024-12-12-scheduler-queueinghint/index.md

@@ -3,7 +3,6 @@ layout: blog
 title: "Kubernetes v1.32: QueueingHint Brings a New Possibility to Optimize Pod Scheduling"
 date: 2024-12-12
 slug: scheduler-queueinghint
-draft: true
 Author: >
   [Kensei Nakada](https://github.com/sanposhiho) (Tetrate.io)
 ---
@@ -13,7 +12,7 @@ component that selects the nodes on which new Pods run. The scheduler processes
 these new Pods **one by one**. Therefore, the larger your clusters, the more important
 the throughput of the scheduler becomes.
 
-Over the years, the Kubernetes project (and SIG Scheduling in particular) has improved the throughput
+Over the years, Kubernetes SIG Scheduling has improved the throughput
 of the scheduler in multiple enhancements. This blog post describes a major improvement to the
 scheduler in Kubernetes v1.32: a 
 [scheduling context element](/docs/concepts/scheduling-eviction/scheduling-framework/#extension-points)
@@ -128,4 +127,4 @@ Please join us and share your feedback.
 
 ## How can I learn more?
 
-- [KEP-4247: Per-plugin callback functions for efficient requeueing in the scheduling queue](https://github.com/kubernetes/enhancements/blob/master/keps/sig-scheduling/4247-queueinghint/README.md)
+- [KEP-4247: Per-plugin callback functions for efficient requeueing in the scheduling queue](https://github.com/kubernetes/enhancements/blob/master/keps/sig-scheduling/4247-queueinghint/README.md)

content/en/blog/_posts/2024-11-11-memory-manager-moves-to-ga/index.md → content/en/blog/_posts/2024-12-13-memory-manager-moves-to-ga/index.md

@@ -1,11 +1,10 @@
 ---
 layout: blog
 title: "Kubernetes v1.32: Memory Manager Goes GA"
-date: 2024-11-11
+date: 2024-12-13
 slug: memory-manager-goes-ga
 author: >
   [Talor Itzhak](https://github.com/Tal-or) (Red Hat)
-draft: true
 ---
 
 With Kubernetes 1.32, the memory manager has officially graduated to General Availability (GA),

content/en/blog/_posts/2024-12-11-cpumanager-strict-cpu-reservation.md → content/en/blog/_posts/2024-12-16-cpumanager-strict-cpu-reservation.md

@@ -1,8 +1,7 @@
 ---
 layout: blog
 title: 'Kubernetes v1.32 Adds A New CPU Manager Static Policy Option For Strict CPU Reservation'
-draft: true
-date: 2024-12-11
+date: 2024-12-16
 slug: cpumanager-strict-cpu-reservation
 author: >
   [Jing Zhang](https://github.com/jingczhang) (Nokia)

content/en/blog/_posts/2024-12-11-api-streaming/index.md → content/en/blog/_posts/2024-12-17-api-streaming/index.md

@@ -1,8 +1,7 @@
 ---
 layout: blog
 title: 'Enhancing Kubernetes API Server Efficiency with API Streaming'
-date: 2024-12-11
-draft: true
+date: 2024-12-17
 slug: kube-apiserver-api-streaming
 author: >
  Stefan Schimanski (Upbound),

content/en/blog/_posts/2024-12-11-volume-group-snapshot-beta.md → content/en/blog/_posts/2024-12-18-volume-group-snapshot-beta.md

@@ -1,9 +1,8 @@
 ---
 layout: blog
 title: "Kubernetes 1.32: Moving Volume Group Snapshots to Beta"
-date: 2024-12-11
+date: 2024-12-18
 slug: kubernetes-1-32-volume-group-snapshot-beta
-draft: true
 author: >
    Xing Yang (VMware by Broadcom)
 ---

content/en/docs/concepts/cluster-administration/compatibility-version.md

@@ -0,0 +1,26 @@
+---
+title: Compatibility Version For Kubernetes Control Plane Components
+reviewers:
+- jpbetz
+- siyuanfoundation
+content_type: concept
+weight: 70
+---
+
+<!-- overview -->
+
+Since release v1.32, we introduced configurable version compatibility and emulation options to Kubernetes control plane components to make upgrades safer by providing more control and increasing the granularity of steps available to cluster administrators.
+
+<!-- body -->
+
+## Emulated Version
+
+The emulation option is set by the `--emulated-version` flag of control plane components. It allows the component to emulate the behavior (APIs, features, ...) of an earlier version of Kubernetes.
+
+When used, the capabilities available will match the emulated version: 
+* Any capabilities present in the binary version that were introduced after the emulation version will be unavailable. 
+* Any capabilities removed after the emulation version will be available. 
+
+This enables a binary from a particular Kubernetes release to emulate the behavior of a previous version with sufficient fidelity that interoperability with other system components can be defined in terms of the emulated version.
+
+The `--emulated-version` must be <= `binaryVersion`. See the help message of the `--emulated-version` flag for supported range of emulated versions.

content/en/docs/concepts/cluster-administration/logging.md

@@ -75,6 +75,37 @@ appending a container name to the command, with a `-c` flag, like so:
 kubectl logs counter -c count
 ```
 
+
+### Container log streams
+
+{{< feature-state feature_gate_name="PodLogsQuerySplitStreams" >}}
+
+As an alpha feature, the kubelet can split out the logs from the two standard streams produced
+by a container: [standard output](https://en.wikipedia.org/wiki/Standard_streams#Standard_output_(stdout))
+and [standard error](https://en.wikipedia.org/wiki/Standard_streams#Standard_error_(stderr)).
+To use this behavior, you must enable the `PodLogsQuerySplitStreams`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/).
+With that feature gate enabled, Kubernetes {{< skew currentVersion >}} allows access to these
+log streams directly via the Pod API. You can fetch a specific stream by specifying the stream name (either `Stdout` or `Stderr`),
+using the `stream` query string. You must have access to read the `log` subresource of that Pod.
+
+To demonstrate this feature, you can create a Pod that periodically writes text to both the standard output and error stream.
+
+{{% code_sample file="debug/counter-pod-err.yaml" %}}
+
+To run this pod, use the following command:
+
+```shell
+kubectl apply -f https://k8s.io/examples/debug/counter-pod-err.yaml
+```
+
+To fetch only the stderr log stream, you can run:
+
+```shell
+kubectl get --raw "/api/v1/namespaces/default/pods/counter-err/log?stream=Stderr"
+```
+
+
 See the [`kubectl logs` documentation](/docs/reference/generated/kubectl/kubectl-commands#logs)
 for more details.
 

content/en/docs/concepts/cluster-administration/node-shutdown.md

@@ -217,9 +217,7 @@ these pods will be stuck in terminating status on the shutdown node forever.
 
 To mitigate the above situation, a user can manually add the taint `node.kubernetes.io/out-of-service`
 with either `NoExecute` or `NoSchedule` effect to a Node marking it out-of-service.
-If the `NodeOutOfServiceVolumeDetach`[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-is enabled on {{< glossary_tooltip text="kube-controller-manager" term_id="kube-controller-manager" >}},
-and a Node is marked out-of-service with this taint, the pods on the node will be forcefully deleted
+If a Node is marked out-of-service with this taint, the pods on the node will be forcefully deleted
 if there are no matching tolerations on it and volume detach operations for the pods terminating on
 the node will happen immediately. This allows the Pods on the out-of-service node to recover quickly
 on a different node.
@@ -267,6 +265,28 @@ via the [Non-Graceful Node Shutdown](#non-graceful-node-shutdown) procedure ment
 {{< /note >}}
 
 
+## Windows Graceful node shutdown {#windows-graceful-node-shutdown}
+
+{{< feature-state feature_gate_name="WindowsGracefulNodeShutdown" >}}
+
+The Windows graceful node shutdown feature depends on kubelet running as a Windows service, 
+it will then have a registered [service control handler](https://learn.microsoft.com/en-us/windows/win32/services/service-control-handler-function) 
+to delay the  presshutdown event with a given duration.
+
+Windows graceful node shutdown is controlled with the `WindowsGracefulNodeShutdown` 
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) 
+which is introduced in 1.32 as an alpha feature.
+
+Windows graceful node shutdown can not be cancelled.
+
+If Kubelet is not running as a Windows service, it will not be able to set and monitor 
+the [Preshutdown](https://learn.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-service_preshutdown_info) event,
+the node will have to go through the [Non-Graceful Node Shutdown](#non-graceful-node-shutdown) procedure mentioned above.
+
+In the case where the Windows graceful node shutdown feature is enabled, but the kubelet is not 
+running as a Windows service, the kubelet will continue running instead of failing. However, 
+it will log an error indicating that it needs to be run as a Windows service.
+
 ## {{% heading "whatsnext" %}}
 
 Learn more about the following:

content/en/docs/concepts/configuration/manage-resources-containers.md

@@ -109,6 +109,26 @@ a Pod.
 For a particular resource, a *Pod resource request/limit* is the sum of the
 resource requests/limits of that type for each container in the Pod.
 
+## Pod-level resource specification
+
+{{< feature-state feature_gate_name="PodLevelResources" >}}
+
+Starting in Kubernetes 1.32, you can also specify resource requests and limits at
+the Pod level. the Pod level. At Pod level, Kubernetes {{< skew currentVersion >}}
+only supports resource requests or limits for specific resource types: `cpu` and /
+or `memory`. This feature is currently in alpha and with the feature enabled,
+Kubernetes allows you to declare an overall resource budget for the Pod, which is
+especially helpful when dealing with a large number of containers where it can be
+difficult to accurately gauge individual resource needs. Additionally, it enables
+containers within a Pod to share idle resources with each other, improving resource
+utilization. 
+
+For a Pod, you can specify resource limits and requests for CPU and memory by including the following:
+* `spec.resources.limits.cpu`
+* `spec.resources.limits.memory`
+* `spec.resources.requests.cpu`
+* `spec.resources.requests.memory`
+
 ## Resource units in Kubernetes
 
 ### CPU resource units {#meaning-of-cpu}
@@ -192,6 +212,19 @@ spec:
         cpu: "500m"
 ```
 
+## Pod resources example {#example-2}
+
+{{< feature-state feature_gate_name="PodLevelResources" >}}
+
+The following Pod has an explicit request of 1 CPU and 100 MiB of memory, and an
+explicit limit of 1 CPU and 200 MiB of memory. The `pod-resources-demo-ctr-1`
+container has explicit requests and limits set. However, the
+`pod-resources-demo-ctr-2` container will simply share the resources available
+within the Pod resource boundaries, as it does not have explicit requests and limits
+set.
+
+{{% code_sample file="pods/resource/pod-level-resources.yaml" %}}
+
 ## How Pods with resource requests are scheduled
 
 When you create a Pod, the Kubernetes scheduler selects a node for the Pod to

content/en/docs/concepts/configuration/secret.md

@@ -666,10 +666,7 @@ Therefore, one Pod does not have access to the Secrets of another Pod.
 
 ### Configure least-privilege access to Secrets
 
-To enhance the security measures around Secrets, Kubernetes provides a mechanism: you can
-annotate a ServiceAccount as `kubernetes.io/enforce-mountable-secrets: "true"`.
-
-For more information, you can refer to the [documentation about this annotation](/docs/concepts/security/service-accounts/#enforce-mountable-secrets).
+To enhance the security measures around Secrets, use separate namespaces to isolate access to mounted secrets.
 
 {{< warning >}}
 Any containers that run with `privileged: true` on a node can access all

content/en/docs/concepts/containers/container-lifecycle-hooks.md

@@ -58,6 +58,10 @@ Resources consumed by the command are counted against the Container.
 * Sleep - Pauses the container for a specified duration. 
   This is a beta-level feature default enabled by the `PodLifecycleSleepAction` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/). 
 
+{{< note >}}
+Enable the `PodLifecycleSleepActionAllowZero` feature gate if you want to set a sleep duration of zero seconds (effectively a no-op) for your Sleep lifecycle hooks.
+{{< /note >}}
+
 ### Hook handler execution
 
 When a Container lifecycle management hook is called,

content/en/docs/concepts/containers/images.md

@@ -214,7 +214,7 @@ behalf of the two different Pods, when parallel image pulls is enabled.
 
 ### Maximum parallel image pulls
 
-{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.32" state="beta" >}}
 
 When `serializeImagePulls` is set to false, the kubelet defaults to no limit on the
 maximum number of images being pulled at the same time. If you would like to

content/en/docs/concepts/extend-kubernetes/api-extension/custom-resources.md

@@ -316,9 +316,8 @@ may also be used with field selectors when included in the `spec.versions[*].sel
 {{< feature-state feature_gate_name="CustomResourceFieldSelectors" >}}
 
 The `spec.versions[*].selectableFields` field of a {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}} may be used to
-declare which other fields in a custom resource may be used in field selectors
-with the feature of `CustomResourceFieldSelectors`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) (This feature gate is enabled by default since Kubernetes v1.31).
+declare which other fields in a custom resource may be used in field selectors.
+
 The following example adds the `.spec.color` and `.spec.size` fields as
 selectable fields.
 

content/en/docs/concepts/overview/working-with-objects/field-selectors.md

@@ -46,6 +46,14 @@ Error from server (BadRequest): Unable to find "ingresses" that match label sele
 | Node                      | `spec.unschedulable`                                                                                                                                                                                                                                            |
 | CertificateSigningRequest | `spec.signerName`                                                                                                                                                                                                                                               |
 
+### Custom resources fields
+
+All custom resource types support the `metadata.name` and `metadata.namespace` fields.
+
+Additionally, the `spec.versions[*].selectableFields` field of a {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}}
+declares which other fields in a custom resource may be used in field selectors. See [selectable fields for custom resources](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#crd-selectable-fields)
+for more information about how to use field selectors with CustomResourceDefinitions.
+
 ## Supported operators
 
 You can use the `=`, `==`, and `!=` operators with field selectors (`=` and `==` mean the same thing). This `kubectl` command, for example, selects all Kubernetes Services that aren't in the `default` namespace:
@@ -72,4 +80,4 @@ You can use field selectors across multiple resource types. This `kubectl` comma
 
 ```shell
 kubectl get statefulsets,services --all-namespaces --field-selector metadata.namespace!=default
-```
+```