chore(deps): update dependency kubernetes-asyncio to v28 #623

Merged
merged 1 commit into from
Dec 4, 2023

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Nov 20, 2023


This PR contains the following updates:

Package Change Age Adoption Passing Confidence
kubernetes-asyncio ==24.2.3 -> ==28.2.1 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

tomplus/kubernetes_asyncio (kubernetes-asyncio)

v28.2.1


v28.2.0


Kubernetes API Version: v1.28.2

API Change
  • Fixed a bug where CEL expressions in CRD validation rules would incorrectly compute a high estimated cost for functions that return strings, lists or maps.
    The incorrect cost was evident when the result of a function was used in subsequent operations. (kubernetes/kubernetes#119807, @​jpbetz) [SIG API Machinery, Auth and Cloud Provider]
  • Mark Job onPodConditions as optional in pod failure policy (kubernetes/kubernetes#120208, @​mimowo) [SIG API Machinery and Apps]
  • A CDIDevice field is included in the Device Plugin's ContainerAllocateResponse. This field maps to the CDIDevice field in the CRI protocol. (kubernetes/kubernetes#118254, @​elezar) [SIG Node and Testing]
  • ACTION_REQUIRED
    When an Indexed Job has a number of completions higher than 10^5 and parallelism higher than 10^4, and a big number of Indexes fail, Kubernetes might not be able to track the termination of the Job. Kubernetes now emits a warning, at Job creation, when the Job manifest exceeds both of these limits. (kubernetes/kubernetes#118420, @​alculquicondor) [SIG Apps]
  • Added ServedVersions field to StorageVersion API. (kubernetes/kubernetes#118386, @​Richabanker)
  • Added IP mode field to loadbalancer status ingress. (kubernetes/kubernetes#118895, @​RyanAoh)
  • Added podReplacementPolicy and terminating field to job api. (kubernetes/kubernetes#119301, @​kannon92)
  • Added a new namespaceParamRef field to admissionregistration.k8s.io/v1alpha1.ValidatingAdmissionPolicy. (kubernetes/kubernetes#119215, @​alexzielenski) [SIG API Machinery and Testing]
  • Added a warning that TLS 1.3 ciphers are not configurable. (kubernetes/kubernetes#115399, @​3u13r) [SIG API Machinery and Node]
  • Added error handling for seccomp localhost configurations that do not properly set a localhostProfile. (kubernetes/kubernetes#117020, @​cji)
  • Added fields reason and fieldPath into CRD validation rules to allow users to specify reason and field path when validation failed. (kubernetes/kubernetes#118041, @​cici37) [SIG API Machinery]
  • Added namespace access support to the CEL expressions of ValidatingAdmissionPolicy via a namespaceObject
    variable with expressions. (kubernetes/kubernetes#118267, @​cici37) [SIG API Machinery and Testing]
  • Added new CRDValidationRatcheting alpha feature. During a PATCH or UPDATE Validation Ratcheting discards errors thrown by unchanged portions of the resource from most OpenAPI schema validations. (kubernetes/kubernetes#118990, @​alexzielenski)
  • Added new annotation batch.kubernetes.io/cronjob-scheduled-timestamp to Job objects scheduled from CronJobs. (kubernetes/kubernetes#118137, @​helayoty)
  • Added new config option delayCacheUntilActive to KubeSchedulerConfiguration that can provide a tradeoff between memory efficiency and scheduling speed when their leadership is updated in kube-scheduler (kubernetes/kubernetes#115754, @​linxiulei) [SIG API Machinery and Scheduling]
  • Changed how KMS v2 encryption at rest can generate data encryption keys.
    When you enable the KMSv2KDF feature gate (off by default), KMS v2 uses a key derivation function to generate single use data encryption keys from a secret seed combined with some random data. This eliminates the need for a counter based nonce while avoiding nonce collision concerns associated with AES-GCM's 12 byte nonce. (kubernetes/kubernetes#118828, @​enj)
  • Exposed rest.DefaultServerUrlFor function. (kubernetes/kubernetes#118055, @​timofurrer)
  • Extended the Job API for alpha version of BackoffLimitPerIndex. (kubernetes/kubernetes#119294, @​mimowo)
  • Graduated AdmissionWebhookMatchCondition feature to beta. (kubernetes/kubernetes#119380, @​a-hilaly)
  • If using cgroups v2, then the cgroup aware OOM killer will be enabled for container cgroups via memory.oom.group . This causes processes within the cgroup to be treated as a unit and killed simultaneously in the event of an OOM kill on any process in the cgroup. (kubernetes/kubernetes#117793, @​tzneal) [SIG Apps, Node and Testing]
  • In the API Priority and Fairness feature, priority levels that are exempt from limitation can now be given a nominal and a lendable concurrency and their dispatching borrows from the concurrency limits of the other priority levels. For details see https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1040-priority-and-fairness#dispatching . (kubernetes/kubernetes#118782, @​MikeSpreitzer) [SIG API Machinery]
  • Indexed Job pods now have the pod completion index set as a pod label. (kubernetes/kubernetes#118883, @​danielvegamyhre) [SIG Apps]
  • Kube-proxy: added --logging-format flag to support structured logging. (kubernetes/kubernetes#117800, @​cyclinder)
  • NodeVolumeLimits implement the PreFilter extension point for skipping the Filter phase if the Pod doesn't use volumes with limits. (kubernetes/kubernetes#115398, @​tangwz) [SIG Scheduling]
  • PersistentVolumes have a new LastPhaseTransitionTime field which holds a timestamp of when the volume last transitioned its phase. (kubernetes/kubernetes#116469, @​RomanBednar)
  • Pods which set hostNetwork: true and declare ports, get the hostPort field set automatically. Previously this would happen in the PodTemplate of a Deployment, DaemonSet or other workload API. Now hostPort will only be set when an actual Pod is being created. If this presents a problem, setting the feature gate "DefaultHostNetworkHostPortsInPodTemplates" to true will revert this behavior. Please file a kubernetes bug if you need to do this. (kubernetes/kubernetes#117696, @​thockin) [SIG Apps]
  • Promoted API groups ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to v1beta1. (kubernetes/kubernetes#118644, @​alexzielenski) [SIG API Machinery, Apps and Testing]
  • Promoted the feature gate ValidatingAdmissionPolicy to beta, and it is turned off by default. (kubernetes/kubernetes#119409, @​alexzielenski)
  • Registered_metric_total, disabled_metric_total, hidden_metric_total & kubernetes_feature_enabled are promoted to BETA stability. (kubernetes/kubernetes#119264, @​logicalhan) [SIG API Machinery, Architecture, Cluster Lifecycle and Instrumentation]
  • Removed resizeStatus enum from pvc.Status and replaced with AllocatedResourceStatus. (kubernetes/kubernetes#116335, @​gnufied) [SIG API Machinery, Apps, Auth, Node, Storage and Testing]
  • Removed WindowsHostProcessContainers feature-gate. (kubernetes/kubernetes#117570, @​marosset) [SIG API Machinery, Apps, Auth, Node and Windows]
  • Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta. (kubernetes/kubernetes#117802, @​kerthcet) [SIG API Machinery and Apps]
  • StatefulSet pods now have the pod index set as a pod label statefulset.kubernetes.io/pod-index. (kubernetes/kubernetes#119232, @​danielvegamyhre) [SIG Apps]
  • Support for proxying a request to a peer kube-apiserver if the local apiserver is not able to serve it due to version skew or in the case the requested api is disabled on the local apiserver (kubernetes/kubernetes#117740, @​Richabanker) [SIG API Machinery, Apps, Auth, Cloud Provider, Network, Node and Testing]
  • Supported BackoffLimitPerIndex in Jobs. (kubernetes/kubernetes#118009, @​mimowo)
  • The IPTablesOwnershipCleanup feature (KEP-3178) is now GA; kubelet no longer
    creates the KUBE-MARK-DROP chain (which has been unused for several releases)
    or the KUBE-MARK-MASQ chain (which is now only created by kube-proxy). (kubernetes/kubernetes#119374, @​danwinship)
  • The SelfSubjectReview API is promoted to authentication.k8s.io/v1 and the kubectl auth whoami command is GA. (kubernetes/kubernetes#117713, @​nabokihms) [SIG API Machinery, Architecture, Auth, CLI and Testing]
  • The names of ResourceClaims generated from ResourceClaimTemplate are now generated. The base name is still <pod>-<claim name>, but a random suffix will avoid name collisions. (kubernetes/kubernetes#117351, @​pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
  • The new feature gate "SidecarContainers" is now available. This feature introduces sidecar containers, a new type of init container that starts before other containers but remains running for the full duration of the pod's lifecycle and will not block pod termination. (kubernetes/kubernetes#116429, @​gjkim42) [SIG API Machinery, Apps, Node, Scheduling and Testing]
  • Updated the comment about the feature-gate level for PodFailurePolicy from alpha to beta (kubernetes/kubernetes#118278, @​mimowo)
  • client-go: Improved memory use of reflector caches when watching large numbers
    of objects which do not change frequently. (kubernetes/kubernetes#113362, @​sxllwx)
  • component-base/logs is now stricter about not applying configurations multiple
    times and will return an error when that is attempted. Can be overridden by binaries
    which need to do that. (kubernetes/kubernetes#117108, @​pohly)
  • kube-controller-manager: The LegacyServiceAccountTokenCleanUp feature gate
    is now available as alpha (off by default). When enabled, the legacy-service-account-token-cleaner
    controller loop removes service account token secrets that have not been used
    in the time specified by --legacy-service-account-token-clean-up-period (defaulting
    to one year), and are referenced from the .secrets list of a ServiceAccount
    object, and are not referenced from pods. (kubernetes/kubernetes#115554, @​yt2985)
  • kube-scheduler component config (KubeSchedulerConfiguration) kubescheduler.config.k8s.io/v1beta2
    is removed in v1.28. Migrate kube-scheduler configuration files to kubescheduler.config.k8s.io/v1. (kubernetes/kubernetes#117649, @​SataQiu)
  • Aggregated discovery now returns responseKind: {} for resources which are missing group/version/kind information, to ensure compatibility with v0.26.0-v0.26.3 clients. (kubernetes/kubernetes#119835, @​liggitt) [SIG API Machinery and Testing]
  • Fix CustomResourceDefinition status.storedVersions validation error messages. (kubernetes/kubernetes#119653, @​sttts) [SIG API Machinery]
  • Kube-proxy in Kubernetes >= 1.28 up until v1.28.0-beta.0 ignored the -v command line flag when combined with --config. (kubernetes/kubernetes#119867, @​pohly) [SIG Network]
  • PersistentVolumes have a new LastPhaseTransitionTime field which holds a timestamp of when the volume last transitioned its phase. (kubernetes/kubernetes#116469, @​RomanBednar) [SIG API Machinery, Apps, Auth, Node, Release, Storage and Testing]
  • Promoted API groups ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to v1beta1. (kubernetes/kubernetes#118644, @​alexzielenski) [SIG API Machinery, Apps and Testing]
  • Promoted the feature gate ValidatingAdmissionPolicy to beta and it is turned off by default. (kubernetes/kubernetes#119409, @​alexzielenski) [SIG API Machinery, Apps, Auth, Instrumentation, Node, Release, Storage and Testing]
  • Changed how KMS v2 encryption at rest can generate data encryption keys. When you enable the KMSv2KDF feature gate (off by default), KMS v2 uses a key derivation function to generate single use data encryption keys from a secret seed combined with some random data. This eliminates the need for a counter based nonce while avoiding nonce collision concerns associated with AES-GCM's 12 byte nonce. (kubernetes/kubernetes#118828, @​enj) [SIG API Machinery, Auth and Testing]
  • A CDIDevice field is included in the Device Plugin's ContainerAllocateResponse. This field maps to the CDIDevice field in the CRI protocol. (kubernetes/kubernetes#118254, @​elezar) [SIG Node and Testing]
  • Add new annotation batch.kubernetes.io/cronjob-scheduled-timestamp to Job objects scheduled from CronJobs. (kubernetes/kubernetes#118137, @​helayoty) [SIG Apps]
  • Add podReplacementPolicy and terminating field to job api (kubernetes/kubernetes#119301, @​kannon92) [SIG API Machinery and Apps]
  • Added fields reason and fieldPath into CRD validation rules to allow users to specify reason and field path when validation failed. (kubernetes/kubernetes#118041, @​cici37) [SIG API Machinery]
  • Added namespace access support to the CEL expressions of ValidatingAdmissionPolicy via a namespaceObject
    variable with expressions. (kubernetes/kubernetes#118267, @​cici37) [SIG API Machinery and Testing]
  • Adds new CRDValidationRatcheting alpha feature. During a PATCH or UPDATE Validation Ratcheting discards errors thrown by unchanged portions of the resource from most OpenAPI schema validations. (kubernetes/kubernetes#118990, @​alexzielenski) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]
  • Adds new namespaceParamRef to admissionregistration.k8s.io/v1alpha1.ValidatingAdmissionPolicy (kubernetes/kubernetes#119215, @​alexzielenski) [SIG API Machinery and Testing]
  • Extend the Job API for alpha version of BackoffLimitPerIndex (kubernetes/kubernetes#119294, @​mimowo) [SIG API Machinery and Apps]
  • Graduate AdmissionWebhookMatchCondition feature to beta (kubernetes/kubernetes#119380, @​a-hilaly) [SIG API Machinery]
  • In the API Priority and Fairness feature, priority levels that are exempt from limitation can now be given a nominal and a lendable concurrency and their dispatching borrows from the concurrency limits of the other priority levels. For details see https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1040-priority-and-fairness#dispatching . (kubernetes/kubernetes#118782, @​MikeSpreitzer) [SIG API Machinery]
  • Indexed Job pods now have the pod completion index set as a pod label. (kubernetes/kubernetes#118883, @​danielvegamyhre) [SIG Apps]
  • Kube-proxy: add '--logging-format' flag to support structured logging (kubernetes/kubernetes#117800, @​cyclinder) [SIG API Machinery, Architecture, Instrumentation and Network]
  • Registered_metric_total, disabled_metric_total, hidden_metric_total & kubernetes_feature_enabled are promoted to BETA stability. (kubernetes/kubernetes#119264, @​logicalhan) [SIG API Machinery, Architecture, Cluster Lifecycle and Instrumentation]
  • Removed resizeStatus enum from pvc.Status and replaced with AllocatedResourceStatus (kubernetes/kubernetes#116335, @​gnufied) [SIG API Machinery, Apps, Auth, Node, Storage and Testing]
  • StatefulSet pods now have the pod index set as a pod label statefulset.kubernetes.io/pod-index. (kubernetes/kubernetes#119232, @​danielvegamyhre) [SIG Apps]
  • Support BackoffLimitPerIndex in Jobs (kubernetes/kubernetes#118009, @​mimowo) [SIG API Machinery, Apps and Testing]
  • Support for proxying a request to a peer kube-apiserver if the local apiserver is not able to serve it due to version skew or in the case the requested api is disabled on the local apiserver (kubernetes/kubernetes#117740, @​Richabanker) [SIG API Machinery, Apps, Auth, Cloud Provider, Network, Node and Testing]
  • The IPTablesOwnershipCleanup feature (KEP-3178) is now GA; kubelet no longer
    creates the KUBE-MARK-DROP chain (which has been unused for several releases)
    or the KUBE-MARK-MASQ chain (which is now only created by kube-proxy). (kubernetes/kubernetes#119374, @​danwinship) [SIG API Machinery, Network and Node]
  • The names of ResourceClaims generated from ResourceClaimTemplate are now generated. The base name is still <pod>-<claim name>, but a random suffix will avoid name collisions. (kubernetes/kubernetes#117351, @​pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
  • The new feature gate "SidecarContainers" is now available. This feature introduces sidecar containers, a new type of init container that starts before other containers but remains running for the full duration of the pod's lifecycle and will not block pod termination. (kubernetes/kubernetes#116429, @​gjkim42) [SIG API Machinery, Apps, Node, Scheduling and Testing]
  • Add ServedVersions field to StorageVersion API (kubernetes/kubernetes#118386, @​Richabanker) [SIG API Machinery and Testing]
  • Component-base/logs is now more strict about not applying configurations multiple times and will return an error when that is attempted. Can be overridden by binaries which need to do that. (kubernetes/kubernetes#117108, @​pohly) [SIG API Machinery, Architecture, Cloud Provider, Instrumentation, Scheduling and Testing]
  • ACTION_REQUIRED
    When an Indexed Job has a number of completions higher than 10^5 and parallelism higher than 10^4, and a big number of Indexes fail, Kubernetes might not be able to track the termination of the Job. Kubernetes now emits a warning, at Job creation, when the Job manifest exceeds both of these limits. (kubernetes/kubernetes#118420, @​alculquicondor) [SIG Apps]
  • Expose rest.DefaultServerUrlFor function (kubernetes/kubernetes#118055, @​timofurrer) [SIG API Machinery]
  • If using cgroups v2, then the cgroup aware OOM killer will be enabled for container cgroups via memory.oom.group . This causes processes within the cgroup to be treated as a unit and killed simultaneously in the event of an OOM kill on any process in the cgroup. (kubernetes/kubernetes#117793, @​tzneal) [SIG Apps, Node and Testing]
  • Update the comment about the feature-gate level for PodFailurePolicy from alpha to beta (kubernetes/kubernetes#118278, @​mimowo) [SIG Apps]
  • Added a warning that TLS 1.3 ciphers are not configurable. (kubernetes/kubernetes#115399, @​3u13r) [SIG API Machinery and Node]
  • Added error handling for seccomp localhost configurations that do not properly set a localhostProfile (kubernetes/kubernetes#117020, @​cji) [SIG API Machinery and Node]
  • Added new config option delayCacheUntilActive to KubeSchedulerConfiguration that can provide a tradeoff between memory efficiency and scheduling speed when their leadership is updated in kube-scheduler (kubernetes/kubernetes#115754, @​linxiulei) [SIG API Machinery and Scheduling]
  • Client-go: Improved memory use of reflector caches when watching large numbers of objects which do not change frequently (kubernetes/kubernetes#113362, @​sxllwx) [SIG API Machinery]
  • Kube-controller-manager: The LegacyServiceAccountTokenCleanUp feature gate is now available as alpha (off by default). When enabled, the legacy-service-account-token-cleaner controller loop removes service account token secrets that have not been used in the time specified by --legacy-service-account-token-clean-up-period (defaulting to one year), and are referenced from the .secrets list of a ServiceAccount object, and are not referenced from pods. (kubernetes/kubernetes#115554, @​yt2985) [SIG API Machinery, Apps, Auth, Release and Testing]
  • Kube-scheduler component config (KubeSchedulerConfiguration) kubescheduler.config.k8s.io/v1beta2 is removed in v1.28. Migrate kube-scheduler configuration files to kubescheduler.config.k8s.io/v1. (kubernetes/kubernetes#117649, @​SataQiu) [SIG API Machinery, Scheduling and Testing]
  • NodeVolumeLimits implement the PreFilter extension point for skipping the Filter phase if the Pod doesn't use volumes with limits. (kubernetes/kubernetes#115398, @​tangwz) [SIG Scheduling]
  • Pods which set hostNetwork: true and declare ports get the hostPort field set automatically. Previously this would happen in the PodTemplate of a Deployment, DaemonSet or other workload API. Now hostPort will only be set when an actual Pod is being created. If this presents a problem, setting the feature gate "DefaultHostNetworkHostPortsInPodTemplates" to true will revert this behavior. Please file a kubernetes bug if you need to do this. (kubernetes/kubernetes#117696, @​thockin) [SIG Apps]
  • Removing WindowsHostProcessContainers feature-gate (kubernetes/kubernetes#117570, @​marosset) [SIG API Machinery, Apps, Auth, Node and Windows]
  • Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta (kubernetes/kubernetes#117802, @​kerthcet) [SIG API Machinery and Apps]
  • The SelfSubjectReview API is promoted to authentication.k8s.io/v1 and the kubectl auth whoami command is GA. (kubernetes/kubernetes#117713, @​nabokihms) [SIG API Machinery, Architecture, Auth, CLI and Testing]

v27.6.0


Kubernetes API Version: v1.27.6

API Change
  • Added error handling for seccomp localhost configurations that do not properly set a localhostProfile (kubernetes/kubernetes#117020, @​cji) [SIG API Machinery and Node]

  • Fixed an issue where kubelet does not set case-insensitive headers for http probes. (#​117182, @​dddddai) (kubernetes/kubernetes#117324, @​dddddai) [SIG API Machinery, Apps and Node]

  • Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta (kubernetes/kubernetes#117815, @​kerthcet) [SIG Apps]

  • A fix in the resource.k8s.io/v1alpha1/ResourceClaim API avoids harmless (?) ".status.reservedFor: element 0: associative list without keys has an element that's a map type" errors in the apiserver. Validation now rejects the incorrect reuse of the same UID in different entries. (kubernetes/kubernetes#115354, @​pohly)

  • A terminating pod on a node that is not caused by preemption no longer prevents kube-scheduler from preempting pods on that node

  • API: resource.k8s.io/v1alpha1.PodScheduling was renamed to resource.k8s.io/v1alpha2.PodSchedulingContext. (kubernetes/kubernetes#116556, @​pohly) [SIG API Machinery, Apps, Auth, CLI, Node, Scheduling and Testing]

  • Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching the evaluation cost
    restrictions that already apply to CustomResourceDefinition.
    If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the
    admission check that was being performed is aborted; the failurePolicy for the ValidatingAdmissionPolicy
    determines the outcome. (kubernetes/kubernetes#115747, @​cici37)

  • Added auditAnnotations to ValidatingAdmissionPolicy, enabling CEL to be used to add audit annotations to request audit events.
    Added validationActions to ValidatingAdmissionPolicyBinding, enabling validation failures to be handled by any combination of the warn, audit and deny enforcement actions. (kubernetes/kubernetes#115973, @​jpbetz)

  • Added messageExpression field to ValidationRule. (kubernetes/kubernetes#115969, @​DangerOnTheRanger)

  • Added messageExpression to ValidatingAdmissionPolicy, to set custom failure message via CEL expression. (kubernetes/kubernetes#116397, @​jiahuif) [SIG API Machinery]

  • Added a new IPAddress object kind

    • Added a new ClusterIP allocator. The new allocator removes previous Service CIDR block size limitations for IPv4, and limits IPv6 size to a /64 (kubernetes/kubernetes#115075, @​aojea) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Network and Testing]
  • Added a new alpha API: ClusterTrustBundle (certificates.k8s.io/v1alpha1).
    A ClusterTrustBundle may be used to distribute X.509 trust anchors to workloads within the cluster. (kubernetes/kubernetes#113218, @​ahmedtd) [SIG API Machinery, Auth and Testing]

  • Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via an authorizer
    variable with expressions. The new variable provides a builder that allows expressions such as authorizer.group('').resource('pods').check('create').allowed(). (kubernetes/kubernetes#116054, @​jpbetz) [SIG API Machinery and Testing]

  • Added matchConditions field to ValidatingAdmissionPolicy and enabled support for CEL based custom match criteria. (kubernetes/kubernetes#116350, @​maxsmythe)

  • Added new option to the InterPodAffinity scheduler plugin to ignore existing
    pods' preferred inter-pod affinities if the incoming pod has no preferred inter-pod affinities. This option can be used as an optimization for higher scheduling throughput (at the cost of an occasional pod being scheduled non-optimally/violating existing pods' preferred inter-pod affinities). To enable this scheduler option, set the InterPodAffinity scheduler plugin arg ignorePreferredTermsOfExistingPods: true (kubernetes/kubernetes#114393, @​danielvegamyhre)

  • Added the MatchConditions field to ValidatingWebhookConfiguration and MutatingWebhookConfiguration for the v1beta and v1 apis.

    The AdmissionWebhookMatchConditions featuregate is now in Alpha (kubernetes/kubernetes#116261, @​ivelichkovich) [SIG API Machinery and Testing]

  • Added validation to ensure that if service.kubernetes.io/topology-aware-hints and service.kubernetes.io/topology-mode annotations are both set, they are set to the same value. Also added deprecation warning if service.kubernetes.io/topology-aware-hints annotation is used. (kubernetes/kubernetes#116612, @​robscott)

  • Added warnings about workload resources (Pods, ReplicaSets, Deployments, Jobs, CronJobs, or ReplicationControllers) whose names are not valid DNS labels. (kubernetes/kubernetes#114412, @​thockin)

  • Adds feature gate NodeLogQuery which provides cluster administrators with a streaming view of logs using kubectl without them having to implement a client side reader or logging into the node. (kubernetes/kubernetes#96120, @​LorbusChris)

  • Api: validation of a PodSpec now rejects invalid ResourceClaim and ResourceClaimTemplate names. For a pod, the name generated for the ResourceClaim when using a template also must be valid. (kubernetes/kubernetes#116576, @​pohly)

  • Bump default API QPS limits for Kubelet. (kubernetes/kubernetes#116121, @​wojtek-t)

  • Enabled the StatefulSetStartOrdinal feature gate in beta (kubernetes/kubernetes#115260, @​pwschuurman)

  • Enabled usage of kube-proxy, kube-scheduler and kubelet HTTP APIs for changing the logging
    verbosity at runtime for JSON output. (kubernetes/kubernetes#114609, @​pohly)

  • Encryption of API Server at rest configuration now allows the use of wildcards in the list of resources. For example, '*.*' can be used to encrypt all resources, including all current and future custom resources. (kubernetes/kubernetes#115149, @​nilekhc)

  • Extended the kubelet's PodResources API to include resources allocated in ResourceClaims via DynamicResourceAllocation. Additionally, added a new Get() method to query a specific pod for its resources. (kubernetes/kubernetes#115847, @​moshe010) [SIG Node]

  • Forbid to set matchLabelKeys when labelSelector is not set in topologySpreadConstraints (kubernetes/kubernetes#116535, @​denkensk)

  • GCE does not support LoadBalancer Services with ports with different protocols (TCP and UDP) (kubernetes/kubernetes#115966, @​aojea) [SIG Apps and Cloud Provider]

  • GRPC probes are now a GA feature. GRPCContainerProbe feature gate was locked to default value and will be removed in v1.29. If you were setting this feature gate explicitly, please remove it now. (kubernetes/kubernetes#116233, @​SergeyKanzhelev)

  • Graduated Kubelet Topology Manager to GA. (kubernetes/kubernetes#116093, @​swatisehgal)

  • Graduated KubeletTracing to beta, which means that the feature gate is now enabled by default. (kubernetes/kubernetes#115750, @​saschagrunert)

  • Graduated seccomp profile defaulting to GA.

    Set the kubelet --seccomp-default flag or seccompDefault kubelet configuration field to true to make pods on that node default to using the RuntimeDefault seccomp profile.

    Enabling seccomp for your workload can have a negative performance impact depending on the kernel and container runtime version in use.

    Guidance for identifying and mitigating those issues is outlined in the Kubernetes seccomp tutorial. (kubernetes/kubernetes#115719, @​saschagrunert) [SIG API Machinery, Node, Storage and Testing]

  • Graduated the container resource metrics feature on HPA to beta. (kubernetes/kubernetes#116046, @​sanposhiho)

  • Implemented API streaming for the watch-cache

    When sendInitialEvents ListOption is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events. (kubernetes/kubernetes#110960, @​p0lyn0mial)

  • Introduced API for streaming.

    Added SendInitialEvents field to the ListOptions. When the new option is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events. (kubernetes/kubernetes#115402, @​p0lyn0mial)

  • Introduced a breaking change to the resource.k8s.io API in its AllocationResult struct. This change allows a kubelet plugin for the DynamicResourceAllocation feature to service allocations from multiple resource driver controllers. (kubernetes/kubernetes#116332, @​klueska)

  • Introduces new alpha functionality to the reflector, allowing user to enable API streaming.

    To activate this feature, users can set the ENABLE_CLIENT_GO_WATCH_LIST_ALPHA environmental variable.
    It is important to note that the server must support streaming for this feature to function properly.
    If streaming is not supported by the server, the reflector will revert to the previous method
    of obtaining data through LIST/WATCH semantics. (kubernetes/kubernetes#110772, @​p0lyn0mial) [SIG API Machinery]

  • K8s.io/client-go/tools/record.EventBroadcaster: after Shutdown() is called, the broadcaster now gives up immediately after a failure to write an event to a sink. Previously it tried multiple times for 12 seconds in a goroutine. (kubernetes/kubernetes#115514, @​pohly) [SIG API Machinery]

  • K8s.io/component-base/logs: usage of the pflag values in a normal Go flag set led to panics when printing the help message (kubernetes/kubernetes#114680, @​pohly) [SIG Instrumentation]

  • Kubeadm: explicitly set priority for static pods with priorityClassName: system-node-critical (kubernetes/kubernetes#114338, @​champtar) [SIG Cluster Lifecycle]

  • Kubelet: a "maxParallelImagePulls" field can now be specified in the kubelet configuration file to control how many image pulls the kubelet can perform in parallel. (kubernetes/kubernetes#115220, @​ruiwen-zhao) [SIG API Machinery, Node and Scalability]

  • Kubelet: changed MemoryThrottlingFactor default value to 0.9 and formulas to calculate memory.high (kubernetes/kubernetes#115371, @​pacoxu)

  • Kubernetes components that perform leader election now only support using Leases for this. (kubernetes/kubernetes#114055, @​aimuz)

  • Migrated the DaemonSet controller (within kube-controller-manager) to use contextual logging (kubernetes/kubernetes#113622, @​249043822)

  • New service.kubernetes.io/topology-mode annotation has been introduced as a replacement for the service.kubernetes.io/topology-aware-hints annotation.

    • service.kubernetes.io/topology-aware-hints annotation has been deprecated.
    • kube-proxy now accepts any value that is not "disabled" for these annotations, enabling custom implementation-specific and/or future built-in heuristics to be used. (kubernetes/kubernetes#116522, @​robscott) [SIG Apps, Network and Testing]
  • Pods owned by a Job now use the labels batch.kubernetes.io/job-name and batch.kubernetes.io/controller-uid.
    The legacy labels job-name and controller-uid are still added for compatibility. (kubernetes/kubernetes#114930, @​kannon92)

  • Promoted CronJobTimeZone feature to GA (kubernetes/kubernetes#115904, @​soltysh)

  • Promoted SelfSubjectReview to Beta (kubernetes/kubernetes#116274, @​nabokihms) [SIG API Machinery, Auth, CLI and Testing]

  • Relaxed API validation to allow pod node selector to be mutable for gated pods (additions only, no deletions or mutations). (kubernetes/kubernetes#116161, @​danielvegamyhre)

  • Remove kubernetes.io/grpc standard appProtocol (kubernetes/kubernetes#116866, @​LiorLieberman) [SIG API Machinery and Apps]

  • Remove deprecated --enable-taint-manager and --pod-eviction-timeout CLI (kubernetes/kubernetes#115840, @​atosatto)

  • Removed support for the v1alpha1 kubeletplugin API of DynamicResourceManagement. All plugins must be updated to v1alpha2 in order to function properly. (kubernetes/kubernetes#116558, @​klueska)

  • The API server now re-uses data encryption keys while the kms v2 plugin key ID is stable. Data encryption keys are still randomly generated on server start but an atomic counter is used to prevent nonce collisions. (kubernetes/kubernetes#116155, @​enj)

  • The PodDisruptionBudget spec.unhealthyPodEvictionPolicy field has graduated to beta and is enabled by default. On servers with the feature enabled, this field may be set to AlwaysAllow to always allow unhealthy pods covered by the PodDisruptionBudget to be evicted. (kubernetes/kubernetes#115363, @​ravisantoshgudimetla) [SIG Apps, Auth and Node]

  • The DownwardAPIHugePages kubelet feature graduated to stable / GA. (kubernetes/kubernetes#115721, @​saschagrunert) [SIG Apps and Node]

  • The following feature gates for volume expansion GA features have now been removed and must no longer be referenced in --feature-gates flags: ExpandCSIVolumes, ExpandInUsePersistentVolumes, ExpandPersistentVolumes (kubernetes/kubernetes#113942, @​mengjiao-liu)

  • The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 was modified from set to map, resolving an incompatibility with use of this schema in CustomResourceDefinitions and with server-side apply. (kubernetes/kubernetes#114585, @​JoelSpeed)

  • Updated API reference for Requests, specifying they must not exceed limits (kubernetes/kubernetes#115434, @​ehashman)

  • Updated KMSv2 to beta (kubernetes/kubernetes#115123, @​aramase)

  • Updated: Redefine AppProtocol field description and add new standard values (kubernetes/kubernetes#115433, @​LiorLieberman) [SIG API Machinery, Apps and Network]

  • /metrics/slis is now available for control plane components allowing you to scrape health check metrics. (kubernetes/kubernetes#114997, @​Richabanker)

  • APIServerTracing feature gate is now enabled by default. Tracing in the API
    Server is still disabled by default, and requires a config file to enable. (kubernetes/kubernetes#116144, @​dashpole)

  • NodeResourceFit and NodeResourcesBalancedAllocation implement the PreScore
    extension point for a more performant calculation. (kubernetes/kubernetes#115655, @​tangwz)

  • PodSchedulingReadiness is graduated to beta. (kubernetes/kubernetes#115815, @​Huang-Wei)

  • PodSpec.Container.Resources became mutable for CPU and memory resource types.

    • PodSpec.Container.ResizePolicy (new object) gives users control over how their containers are resized.
    • PodStatus.Resize status describes the state of a requested Pod resize.
    • PodStatus.ResourcesAllocated describes node resources allocated to Pod.
    • PodStatus.Resources describes node resources applied to running containers by CRI.
    • UpdateContainerResources CRI API now supports both Linux and Windows. (kubernetes/kubernetes#102884, @​vinaykul)
  • SELinuxMountReadWriteOncePod graduated to Beta. (kubernetes/kubernetes#116425, @​jsafrane)

  • StatefulSetAutoDeletePVC feature gate promoted to beta. (kubernetes/kubernetes#116501, @​mattcary)

  • StatefulSet names must be DNS labels, rather than subdomains. Any StatefulSet
    which took advantage of subdomain validation (by having dots in the name) can't
    possibly have worked, because we eventually set pod.spec.hostname from the StatefulSetName,
    and that is validated as a DNS label. (kubernetes/kubernetes#114172, @​thockin)

  • ValidatingAdmissionPolicy now provides a status field that contains results of type checking the validation expression.
    The type checking is fully informational, and the behavior of the policy is unchanged. (kubernetes/kubernetes#115668, @​jiahuif)

  • cacheSize field in EncryptionConfiguration is not supported for KMSv2 provider (kubernetes/kubernetes#113121, @​aramase)

  • k8s.io/component-base/logs now also supports adding command line flags to a flag.FlagSet. (kubernetes/kubernetes#114731, @​pohly)

  • kubelet: migrated --container-runtime-endpoint and --image-service-endpoint
    to kubelet config (kubernetes/kubernetes#112136, @​pacoxu)

  • resource.k8s.io/v1alpha1 was replaced with resource.k8s.io/v1alpha2. Before
    upgrading a cluster, all objects in resource.k8s.io/v1alpha1 (ResourceClaim, ResourceClaimTemplate,
    ResourceClass, PodScheduling) must be deleted. The changes are internal, so
    YAML files which create pods and resource claims don't need changes except for
    the newer apiVersion. (kubernetes/kubernetes#116299, @​pohly)

  • volumes: resource.claims is now cleared for PVC specs during create or update of a pod spec with inline PVC template or of a PVC because it has no effect. (kubernetes/kubernetes#115928, @​pohly)

  • Added a new alpha API: ClusterTrustBundle (certificates.k8s.io/v1alpha1).
    A ClusterTrustBundle may be used to distribute X.509 trust anchors to workloads within the cluster. (kubernetes/kubernetes#113218, @​ahmedtd) [SIG API Machinery, Auth and Testing]

  • API: resource.k8s.io/v1alpha1.PodScheduling was renamed to resource.k8s.io/v1alpha2.PodSchedulingContext. (kubernetes/kubernetes#116556, @​pohly) [SIG API Machinery, Apps, Auth, CLI, Node, Scheduling and Testing]

  • APIServerTracing feature gate is now enabled by default. Tracing in the API Server is still disabled by default, and requires a config file to enable. (kubernetes/kubernetes#116144, @​dashpole) [SIG API Machinery and Testing]

  • Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching the evaluation cost
    restrictions that already apply to CustomResourceDefinition.
    If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the
    admission check that was being performed is aborted; the failurePolicy for the ValidatingAdmissionPolicy
    determines the outcome. (kubernetes/kubernetes#115747, @​cici37) [SIG API Machinery]

  • Added messageExpression to ValidatingAdmissionPolicy, to set custom failure message via CEL expression. (kubernetes/kubernetes#116397, @​jiahuif) [SIG API Machinery]

  • Added a new IPAddress object kind

    • Added a new ClusterIP allocator. The new allocator removes previous Service CIDR block size limitations for IPv4, and limits IPv6 size to a /64 (kubernetes/kubernetes#115075, @​aojea) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Network and Testing]

  • Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via an authorizer
    variable with expressions. The new variable provides a builder that allows expressions such as authorizer.group('').resource('pods').check('create').allowed(). (kubernetes/kubernetes#116054, @jpbetz) [SIG API Machinery and Testing]

  • Added matchConditions field to ValidatingAdmissionPolicy, enabled support for CEL based custom match criteria. (kubernetes/kubernetes#116350, @​maxsmythe) [SIG API Machinery and Testing]

  • Added messageExpression field to ValidationRule. (#​115969, @​DangerOnTheRanger) ([Add messageExpression field for CRD validation kubernetes/kubernetes#115969](https://togithub.com/kubernetes/kube


Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title Update dependency kubernetes-asyncio to v28 chore(deps): update dependency kubernetes-asyncio to v28 Nov 22, 2023
@renovate renovate bot force-pushed the renovate/kubernetes-asyncio-28.x branch from 3ebd47a to 9f8c574 Compare November 28, 2023 12:20
@renovate renovate bot force-pushed the renovate/kubernetes-asyncio-28.x branch from 9f8c574 to bb14b2e Compare December 4, 2023 17:45

@pabrahamsson pabrahamsson left a comment

LGTM

@pabrahamsson pabrahamsson merged commit 297b284 into master Dec 4, 2023
3 checks passed
@pabrahamsson pabrahamsson deleted the renovate/kubernetes-asyncio-28.x branch December 4, 2023 17:50