@saschagrunert
Last active November 6, 2019 15:02
New Features

  • Profiling is enabled by default in the scheduler (#84835, @denkensk), SIG Scheduling

  • Adding initial EndpointSlice metrics. (#83257, @robscott), SIG Apps, and SIG Network

  • Add Azure disk encryption (SSE+CMK) support (#84605, @andyzhangx), SIG Cloud Provider, and SIG Storage

  • Reduce default NodeStatusReportFrequency to 5 minutes. With this change, periodic node status updates will be sent every 5m if node status doesn't change (otherwise they are still sent every 10s).

    Bump NodeProblemDetector version to v0.8.0 to reduce forced NodeStatus updates frequency to 5 minutes. (#84007, @wojtek-t), SIG Cluster Lifecycle, SIG Node, SIG Scalability, and SIG Testing

  • CSI Topology feature is GA. The CSINodeInfo feature gate is deprecated and will be removed in a future release. The storage.k8s.io/v1beta1 CSINode object is deprecated and will be removed in a future release. (#83474, @msau42), SIG API Machinery, SIG Apps, SIG Auth, SIG CLI, SIG Storage, and SIG Testing

  • Added kubelet serving certificate metric server_rotation_seconds which is a histogram reporting the age of a just rotated serving certificate in seconds. (#84534, @sambdavidson), SIG API Machinery, SIG Auth, SIG Instrumentation, and SIG Node

  • local: support local filesystem volume with block resource reconstruction (#84218, @cofyc), SIG Node, SIG Storage, and SIG Testing

  • kubelet: a configuration file specified via --config is now loaded with strict deserialization, which fails if the config file contains duplicate or unknown fields. This protects against accidentally running with config files that are malformed, mis-indented, or have typos in field names, and getting unexpected behavior. (#83204, @obitech), SIG Cluster Lifecycle, and SIG Node

  • kubeadm now propagates proxy environment variables to kube-proxy (#84559, @yastij), SIG Cluster Lifecycle

  • Reload apiserver SNI certificates from disk every minute (#84303, @jackkleeman), SIG API Machinery, and SIG Testing

  • Update Azure SDK versions to v35.0.0 (#84543, @andyzhangx), SIG Cloud Provider

  • Scheduler now reports metrics on cache size including nodes, pods, and assumed pods (#83508, @damemi), SIG Instrumentation, and SIG Scheduling

  • update the latest validated version of Docker to 19.03 (#84476, @neolit123), SIG Cluster Lifecycle

  • User can now use component config to configure NodeLabel plugin for the scheduler framework. (#84297, @liu-cong), SIG Scheduling

  • Pod labels can no longer be updated through the pod/status updates by nodes. (#84260, @tallclair), SIG Auth, and SIG Node

  • Reload apiserver serving certificate from disk every minute (#84200, @jackkleeman), SIG API Machinery, SIG Auth, SIG Node, and SIG Testing

  • Adds FQDN addressType support for EndpointSlice. (#84091, @robscott), SIG API Machinery, and SIG Network

  • Add permit_wait_duration_seconds metric for scheduler. (#84011, @liu-cong), SIG Scheduling

  • Optimize inter-pod affinity preferredDuringSchedulingIgnoredDuringExecution type, up to 4x in some cases. (#84264, @ahg-g), SIG Scheduling

  • filter plugin for cloud provider storage predicate (#84148, @gongguan), SIG Scheduling, and SIG Testing

  • Fixed binding of block PersistentVolumes / PersistentVolumeClaims when BlockVolume feature is off. (#84049, @jsafrane), SIG Apps, and SIG Storage

  • Refactor scheduler's framework permit API. (#83756, @hex108), SIG Scheduling, and SIG Testing

  • The kubectl's api-resource command now has a --sort-by flag to sort resources by name or kind. (#81971, @laddng), SIG CLI

  • Update to Ingress-GCE v1.6.1 (#84018, @rramkumar1), SIG Cluster Lifecycle

  • When scaling down a ReplicaSet, delete doubled up replicas first, where a "doubled up replica" is defined as one that is on the same node as an active replica belonging to a related ReplicaSet. ReplicaSets are considered "related" if they have a common controller (typically a Deployment). (#80004, @Miciah), SIG Apps, SIG Autoscaling, SIG Scalability, and SIG Testing

  • kubeadm: enhance certs check-expiration to show the expiration info of related CAs (#83932, @SataQiu), SIG Cluster Lifecycle

  • Add incoming pods metrics to scheduler queue. (#83577, @liu-cong), SIG Scheduling

  • Allow dynamically set glog logging level of kube-scheduler (#83910, @mrkm4ntr), SIG Scheduling

  • Add latency and request count metrics for scheduler framework. (#83569, @liu-cong), SIG Scheduling

  • ETCD version monitor metrics are now marked as with the ALPHA stability level. (#83283, @RainbowMango), SIG Cluster Lifecycle

  • A new --prefix flag added into kubectl logs which prepends each log line with information about its source (pod name and container name) (#76471, @m1kola), SIG CLI

  • Change pod_preemption_victims metric from Gauge to Histogram. (#83603, @Tabrizian), SIG Scheduling

  • Expose SharedInformerFactory in the framework handle (#83663, @draveness), SIG Apps, SIG Scheduling, and SIG Testing

  • The topology manager aligns resources for pods of all QoS classes with respect to NUMA locality, not just Guaranteed QoS pods. (#83492, @ConnorDoyle), SIG Node

  • Add per-pod scheduling metrics across 1 or more schedule attempts. (#83674, @liu-cong), SIG Scheduling

  • The mutating and validating admission webhook plugins now read configuration from the admissionregistration.k8s.io/v1 API. (#80883, @liggitt), SIG API Machinery

  • kubeadm: implemented structured output of 'kubeadm token list' in JSON, YAML, Go template and JsonPath formats (#78764, @bart0sh), SIG Cluster Lifecycle

  • kube-proxy: a configuration file specified via --config is now loaded with strict deserialization, which fails if the config file contains duplicate or unknown fields. This protects against accidentally running with config files that are malformed, mis-indented, or have typos in field names, and getting unexpected behavior. (#82927, @obitech), SIG API Machinery, SIG Cluster Lifecycle, and SIG Network

  • Add "podInitialBackoffDurationSeconds" and "podMaxBackoffDurationSeconds" to the scheduler config API (#81263, @draveness), SIG Apps, and SIG Scheduling

  • Expose kubernetes client in the scheduling framework handle. (#82432, @draveness), SIG Scheduling

  • Kubeadm: add support for 127.0.0.1 as advertise address. kubeadm will automatically replace this value with matching global unicast IP address on the loopback interface. (#83475, @fabriziopandini), SIG API Machinery, and SIG Cluster Lifecycle

  • kube-scheduler: a configuration file specified via --config is now loaded with strict deserialization, which fails if the config file contains duplicate or unknown fields. This protects against accidentally running with config files that are malformed, mis-indented, or have typos in field names, and getting unexpected behavior. (#83030, @obitech), SIG API Machinery, SIG Cluster Lifecycle, and SIG Scheduling

  • Bump version of event-exporter to 0.3.1, to switch it to protobuf. (#83396, @loburm), SIG Instrumentation, and SIG Scalability

  • kubeadm: use the --service-cluster-ip-range flag to init or use the ServiceSubnet field in the kubeadm config to pass a comma separated list of Service CIDRs. (#82473, @Arvinderpal), SIG Cluster Lifecycle

  • Remove MaxPriority in the scheduler API, please use MaxNodeScore or MaxExtenderPriority instead. (#83386, @draveness), SIG Scheduling, and SIG Testing

  • Update crictl to v1.16.1. (#82856, @Random-Liu), SIG Cluster Lifecycle, and SIG Node

  • Reduces the number of calls made to the Azure API when requesting the instance view of a virtual machine scale set node. (#82496, @hasheddan), SIG Cloud Provider

  • Consolidate ScoreWithNormalizePlugin into the ScorePlugin interface (#83042, @draveness), SIG Scheduling, and SIG Testing

  • New APIs to allow adding/removing pods from pre-calculated prefilter state in the scheduling framework (#82912, @ahg-g), SIG Scheduling, and SIG Testing

  • Added metrics 'authentication_latency_seconds' that can be used to understand the latency of authentication. (#82409, @RainbowMango), SIG API Machinery, SIG Auth, and SIG Instrumentation

  • Added Clone method to the scheduling framework's PluginContext and ContextData. (#82951, @ahg-g), SIG Scheduling

  • Modified the scheduling framework's Filter API. (#82842, @ahg-g), SIG Scheduling, and SIG Testing

  • Added cloud operation count metrics to azure cloud controller manager. (#82574, @kkmsft), SIG Cloud Provider

  • When registering with a 1.17+ API server, MutatingWebhookConfiguration and ValidatingWebhookConfiguration objects can now request that only v1 AdmissionReview requests be sent to them. Previously, webhooks were required to support receiving v1beta1 AdmissionReview requests as well for compatibility with API servers <= 1.15.

    • When registering with a 1.17+ API server, a CustomResourceDefinition conversion webhook can now request that only v1 ConversionReview requests be sent to them. Previously, conversion webhooks were required to support receiving v1beta1 ConversionReview requests as well for compatibility with API servers <= 1.15. (#82707, @liggitt), SIG API Machinery
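The three strict deserialization entries above (kubelet, kube-proxy, kube-scheduler) describe one check: a --config file that contains unknown or duplicate fields is rejected instead of silently misconfiguring the component. The Go program below is an added illustration, not Kubernetes code, contrasting lenient and strict loading of a constructed stand-in config with the standard encoding/json package; Config, Defaults and the three sample documents are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

// Config is a constructed stand-in for a component config type (assumed fields).
type Config struct {
	Port         int `json:"port"`
	ReadOnlyPort int `json:"readOnlyPort"` // 0 disables the read-only port
}

// Defaults stands in for a component's built-in defaults, which the --config file overlays.
var Defaults = Config{Port: 10250, ReadOnlyPort: 10255}
// Constructed sample files: correct, misspelled field name, repeated key.
var GoodConfig = []byte(`{"readOnlyPort": 0}`)
var TypoConfig = []byte(`{"readOnlyPrt": 0}`)
var DuplicateConfig = []byte(`{"port": 10250, "port": 10255}`)

// LoadLenient is the pre-change behaviour: unknown keys are dropped and the
// last duplicate wins, so the typo silently leaves the read-only port open.
func LoadLenient(data []byte) (Config, error) {
	cfg := Defaults
	err := json.Unmarshal(data, &cfg)
	return cfg, err
}

// LoadStrict fails on unknown fields and on duplicate keys (which encoding/json itself allows).
func LoadStrict(data []byte) (Config, error) {
	if key, err := FindDuplicateKey(data); err != nil {
		return Config{}, err
	} else if key != "" {
		return Config{}, fmt.Errorf("strict decoding: duplicate field %q", key)
	}
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	cfg := Defaults
	if err := dec.Decode(&cfg); err != nil {
		return Config{}, fmt.Errorf("strict decoding: %w", err)
	}
	return cfg, nil
}

// FindDuplicateKey returns the first key repeated within one JSON object, or "" if none.
// A stack of frames (seen == nil marks an array) tracks whether the next token is a key or a value.
func FindDuplicateKey(data []byte) (string, error) {
	type frame struct{ seen map[string]bool; expectKey bool }
	var stack []*frame
	valueDone := func() { // a value inside the enclosing object has ended
		if n := len(stack); n > 0 && stack[n-1].seen != nil {
			stack[n-1].expectKey = true
		}
	}
	dec := json.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return "", nil
		} else if err != nil {
			return "", err
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{':
				stack = append(stack, &frame{seen: map[string]bool{}, expectKey: true})
			case '[':
				stack = append(stack, &frame{})
			default: // '}' or ']'
				stack = stack[:len(stack)-1]
				valueDone()
			}
		} else if n := len(stack); n > 0 && stack[n-1].seen != nil && stack[n-1].expectKey {
			key := tok.(string) // object keys are always strings
			if stack[n-1].seen[key] {
				return key, nil
			}
			stack[n-1].seen[key], stack[n-1].expectKey = true, false
		} else {
			valueDone()
		}
	}
}
```

Note that encoding/json matches field names case-insensitively, so DisallowUnknownFields alone still accepts "readonlyport" for readOnlyPort; the real components use the Kubernetes API machinery's strict decoders rather than this stand-in.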

Changes by kind

api-change

  • All resources within the rbac.authorization.k8s.io/v1alpha1 and rbac.authorization.k8s.io/v1beta1 API groups are deprecated in favor of rbac.authorization.k8s.io/v1, and will no longer be served in v1.20. (#84758, @liggitt)
  • Scheduler ComponentConfig fields are now pointers (#83619, @damemi)
  • Scheduler Policy API has a new recommended apiVersion "apiVersion: kubescheduler.config.k8s.io/v1" which is consistent with the scheduler API group "kubescheduler.config.k8s.io". It holds the same API as the old apiVersion "apiVersion: v1". (#83578, @Huang-Wei)
  • Fixed EndpointSlice port name validation to match Endpoint port name validation (allowing port names longer than 15 characters) (#84481, @robscott)
  • Introduce x-kubernetes-map-type annotation as a CRD API extension. Enables this particular validation for server-side apply. (#84113, @enxebre)
  • Migrate controller-manager and scheduler to EndpointsLeases leader election. (#84084, @wojtek-t)
  • Update etcd client side to v3.4.3. Deprecated prometheus request meta-metrics have been removed (http_request_duration_microseconds, http_request_duration_microseconds_sum, http_request_duration_microseconds_count, http_request_size_bytes, http_request_size_bytes_sum, http_request_size_bytes_count, http_requests_total, http_response_size_bytes, http_response_size_bytes_sum, http_response_size_bytes_count) due to removal from the prometheus client library. Prometheus http request meta-metrics are now generated from promhttp.InstrumentMetricHandler instead. (#83987, @wenjiaswe)
  • Promote WatchBookmark feature to GA. With WatchBookmark feature, clients are able to request watch events with BOOKMARK type. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. (#83195, @wojtek-t)
  • An end-user may choose to request logs without confirming the identity of the backing kubelet. This feature can be disabled by setting the AllowInsecureBackendProxy feature-gate to false. (#83419, @deads2k)
  • external facing APIs in pluginregistration and deviceplugin packages are now available under k8s.io/kubelet/pkg/apis/ (#83551, @dims)
  • The VolumeSubpathEnvExpansion feature is graduating to GA. The VolumeSubpathEnvExpansion feature gate is unconditionally enabled, and will be removed in v1.19. (#82578, @kevtaylor)
  • Fix typos in certificates.k8s.io/v1beta1 KeyUsage constant names: UsageContentCommittment becomes UsageContentCommitment and UsageNetscapSGC becomes UsageNetscapeSGC. (#82511, @abursavich)

bug

  • CSI Migration: GCE PD access mode now reflects read only status of inline volumes - this allows multi-attach for read only many PDs (#84809, @davidz627)

  • kube-scheduler: emits a warning when a malformed component config file is used with v1alpha1. (#84129, @obitech)

  • The certificate signer no longer accepts ca.key passwords via the CFSSL_CA_PK_PASSWORD environment variable. This capability was not prompted by user request, never advertised, and recommended against in the security audit. (#84677, @mikedanese)

  • Only validate duplication of the RequestedToCapacityRatio custom priority and allow other custom predicates/priorities (#84646, @liu-cong)

  • Ensure the KUBE-MARK-DROP chain in kube-proxy mode=iptables. The chain is ensured for both ipv4 and ipv6 in dual-stack operation. (#84422, @aojea)

  • Fixed a bug in the single-numa-policy of the TopologyManager. Previously, best-effort pods would result in a terminated state with a TopologyAffinity error. Now they will run as expected. (#83777, @lmdaly)

  • Fix the bug that EndpointSlice for masters wasn't created after enabling EndpointSlice feature on a pre-existing cluster. (#84421, @tnqn)

  • sourcesReady provides the readiness of kubelet configuration sources such as apiserver update readiness. (#81344, @zouyee)

  • Fixed EndpointSlice port name validation to match Endpoint port name validation (allowing port names longer than 15 characters) (#84481, @robscott)

  • kube-proxy: emits a warning when a malformed component config file is used with v1alpha1. (#84143, @phenixblue)

  • Scheduler policy configs can no longer be declared multiple times (#83963, @damemi)

  • kubeadm: always mount the kube-controller-manager hostPath volume that is given by the --flex-volume-plugin-dir flag. (#84468, @neolit123)

  • kube-scheduler now falls back to emitting events using core/v1 Events when events.k8s.io/v1beta1 is disabled. (#83692, @yastij)

  • local: support local volume block mode reconstruction (#84173, @cofyc)

  • Fixed kubectl endpointslice output for get requests (#82603, @robscott)

  • set config.BindAddress to IPv4 address "127.0.0.1" if not specified (#83822, @zouyee)

  • CSI detach timeout increased from 10 seconds to 2 minutes (#84321, @cduchesne)

  • client-ca bundles for the all generic-apiserver based servers will dynamically reload from disk on content changes (#83579, @deads2k)

  • Fix kubelet metrics gathering on non-English Windows hosts (#84156, @wawa0210)

  • A new kubelet_preemptions metric is reported from Kubelets to track the number of preemptions occurring over time, and which resource is triggering those preemptions. (#84120, @smarterclayton)

  • Add data cache flushing during unmount device for GCE-PD driver in Windows Server. (#83591, @jingxu97)

  • Adds a metric apiserver_request_error_total to kube-apiserver. This metric tallies the number of request_errors encountered by verb, group, version, resource, subresource, scope, component, and code. (#83427, @logicalhan)

  • None. (#84138, @nilo19)

  • Update to use go1.12.12 (#84064, @cblecker)

  • Update Cluster Autoscaler version to 1.16.2 (CA release docs: https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.16.2) (#84038, @losipiuk)

  • kubeadm no longer removes /etc/cni/net.d as it does not install it. Users should remove files from it manually or rely on the component that created them (#83950, @yastij)

  • Switched intstr.Type to sized integer to follow API guidelines and improve compatibility with proto libraries (#83956, @liggitt)

  • Fix handling tombstones in pod-disruption-budget controller. (#83951, @zouyee)

  • client-go: improved allocation behavior of the delaying workqueue when handling objects with far-future ready times. (#83945, @barkbay)

  • Fixed an issue with informers missing an Added event if a recently deleted object was immediately recreated at the same time the informer dropped a watch and relisted. (#83911, @matte21)

  • Bumps metrics-server version to v0.3.6 with following bugfix:

    • Don't break metric storage when duplicate pod metrics encountered causing hpa to fail (#83907, @olagacek)
  • Gives the right error message when using kubectl delete a wrong resource. (#83825, @zhouya0)

  • The userspace mode of kube-proxy no longer confusingly logs messages about deleting endpoints that it is actually adding. (#83644, @danwinship)

  • Ceph RBD volume plugin now does not use any keyring (/etc/ceph/ceph.client.lvs01cinder.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin) for authentication. Ceph user credentials must be provided in PersistentVolume objects and referred Secrets. (#75588, @smileusd)

  • Fixed attachment of AWS volumes that have just been detached. (#83567, @jsafrane)

  • Upgrade to etcd client 3.3.17 to fix bug where etcd client does not parse IPv6 addresses correctly when members are joining, and to fix bug where failover on multi-member etcd cluster fails certificate check on DNS mismatch (#83801, @jpbetz)

  • Fixed panic when accessing CustomResources of a CRD with x-kubernetes-int-or-string. (#83787, @sttts)

  • Fix unsafe JSON construction in a number of locations in the codebase (#81158, @zouyee)

  • Fixed a bug in the single-numa-node policy of the TopologyManager. Previously, pods that only requested CPU resources and did not request any third-party devices would fail to launch with a TopologyAffinity error. Now they will launch successfully. (#83697, @klueska)

  • Fix validation message to mention bytes, not characters. (#80880, @DirectXMan12)

  • Fix error where metrics related to dynamic kubelet config aren't registered (#83184, @odinuge)

  • Openstack: Do not delete managed LB in case of security group reconciliation errors (#82264, @multi-io)

  • Authentication token cache size is increased (from 4k to 32k) to support clusters with many nodes or many namespaces with active service accounts. (#83643, @lavalamp)

  • kube-proxy iptables probabilities are now more granular and will result in better distribution beyond 319 endpoints. (#83599, @robscott)

  • Fixed the bug that deleted services were processed by EndpointSliceController repeatedly even though their cleanup was successful. (#82996, @tnqn)

  • If a container fails because of ContainerCannotRun, do not utilize the FallbackToLogsOnError TerminationMessagePolicy, as it masks more useful logs. (#81280, @yqwang-ms)

  • Fixed cleanup of raw block devices after kubelet restart. (#83451, @jsafrane)

  • Commands like kubectl apply now return errors if schema-invalid annotations are specified, rather than silently dropping the entire annotations section. (#83552, @liggitt)

  • kubeadm: fix wrong default value for the "upgrade node --certificate-renewal" flag. (#83528, @neolit123)

  • The --certificate-authority flag now correctly overrides existing skip TLS or CA data settings in the kubeconfig file (#83547, @liggitt)

  • Fixes a flaw (CVE-2019-11253) in json/yaml decoding where large or malformed documents could consume excessive server resources. Request bodies for normal API requests (create/delete/update/patch operations of regular resources) are now limited to 3MB. (#83261, @liggitt)

  • Fixes a goroutine leak in kube-apiserver when a request times out. (#83333, @lavalamp)

  • Fix aggressive VM calls for Azure VMSS (#83102, @feiskyer)

  • Update Azure load balancer to prevent orphaned public IP addresses (#82890, @chewong)

  • Fixes a bug in informer-gen where it produced incorrect code if a type has the nonNamespaced tag set. (#80458, @tatsuhiro-t)

  • Update to go 1.12.10 (#83139, @cblecker)

  • On AWS nodes with multiple network interfaces, kubelet should now more reliably report the same primary node IP. (#80747, @danwinship)

  • Fixes kube-proxy bug accessing self nodeip:port on windows (#83027, @liggitt)

  • Resolves bottleneck in internal API server communication that can cause increased goroutines and degrade API Server performance (#80465, @answer1991)

  • # kubectl rollout history sts/test-sts statefulset.apps/test-sts REVISION 0 0 0 1 2 3 (#82643, @ZP-AlwaysWin)

  • Resolves regression generating informers for packages whose names contain . characters (#82410, @nikhita)

  • k8s dockerconfigjson secrets are now compatible with docker config desktop authentication credentials files (#82148, @bbourbie)

  • Use ipv4 in wincat port forward. (#83036, @liyanhui1228)

  • Bump metrics-server to v0.3.5 (#83015, @olagacek)

  • dashboard: disable the dashboard Deployment on non-Linux nodes. This step is required to support Windows worker nodes. (#82975, @wawa0210)

  • Fix possible fd leak and closing of dirs when using openstack (#82873, @odinuge)

  • PersistentVolumeLabel admission plugin, responsible for labeling PersistentVolumes with topology labels, now does not overwrite existing labels on PVs that were dynamically provisioned. It trusts the dynamic provisioning that it provided the correct labels to the PersistentVolume, saving one potentially expensive cloud API call. PersistentVolumes created manually by users are labelled by the admission plugin in the same way as before. (#82830, @jsafrane)

  • The docker container runtime now enforces a 220 second timeout on container network operations. (#71653, @liucimin)

  • Fixes a panic in kube-controller-manager cleaning up bootstrap tokens (#82887, @tedyu)

  • Fixed a scheduler panic when using PodAffinity. (#82841, @Huang-Wei)

  • Fix panic in kubelet when running IPv4/IPv6 dual-stack mode with a CNI plugin (#82508, @aanm)

  • Report non-confusing error for negative storage size in PVC spec. (#82759, @sttts)

  • Resolves issue with /readyz and /livez not including etcd and kms health checks (#82713, @logicalhan)

  • fix: azure disk detach failure if node does not exist (#82640, @andyzhangx)

cleanup

  • All resources within the rbac.authorization.k8s.io/v1alpha1 and rbac.authorization.k8s.io/v1beta1 API groups are deprecated in favor of rbac.authorization.k8s.io/v1, and will no longer be served in v1.20. (#84758, @liggitt)

  • Removed Alpha feature MountContainers (#84365, @codenrhoden)

  • People can see the right log and note. (#84637, @zhipengzuo)

  • deprecate cleanup-ipvs flag (#83832, @gongguan)

  • Scheduler Policy API has a new recommended apiVersion "apiVersion: kubescheduler.config.k8s.io/v1" which is consistent with the scheduler API group "kubescheduler.config.k8s.io". It holds the same API as the old apiVersion "apiVersion: v1". (#83578, @Huang-Wei)

  • Update default etcd server version to 3.4.3 (#84329, @jingyih)

  • This PR sets the --cluster-dns flag value to kube-dns service IP whether or not NodeLocal DNSCache is enabled. NodeLocal DNSCache will listen on both the link-local as well as the service IP. (#84383, @prameshj)

  • Remove prometheus cluster monitoring addon from kube-up (#83442, @serathius)

  • set config.BindAddress to IPv4 address "127.0.0.1" if not specified (#83822, @zouyee)

  • The built-in system:csi-external-provisioner and system:csi-external-attacher cluster roles are removed as of 1.17 release (#84282, @tedyu)

  • Add a metric to track number of scheduler binding and prioritizing goroutines (#83535, @wgliang)

  • TaintNodesByCondition was graduated to GA. CheckNodeMemoryPressure, CheckNodePIDPressure, CheckNodeDiskPressure and CheckNodeCondition were accidentally removed since 1.12; the replacement is to use CheckNodeUnschedulablePred (#84152, @draveness)

  • Added the crictl Windows binaries as well as the Linux 32bit binary to the release archives (#83944, @saschagrunert)

  • clean duplicate GetPodServiceMemberships function (#83902, @gongguan)

  • Significant kube-proxy performance improvements when using Endpoint Slices at scale. (#83206, @robscott)

  • Upgrade default etcd server version to 3.3.17 (#83804, @jpbetz)

  • [migration phase 1] PodFitsHostPorts as filter plugin (#83659, @wgliang)

  • [migration phase 1] PodFitsResources as framework plugin (#83650, @wgliang)

  • [migration phase 1] PodMatchNodeSelector/NodeAffinity as filter plugin (#83660, @wgliang)

  • Add more tracing steps in generic_scheduler (#83539, @wgliang)

  • [migration phase 1] PodFitsHost as filter plugin (#83662, @wgliang)

  • Bumps the minimum version of Go required for building Kubernetes to 1.12.4. (#83596, @jktomer)

  • If a bad flag is supplied to a kubectl command, only a tip to run --help is printed, instead of the usage menu. Usage menu is printed upon running kubectl command --help. (#82423, @sallyom)

  • hyperkube will now be available in a new github repository and will not be included in the kubernetes release from 1.17 onwards (#83454, @dims)

  • more complete and accurate logging of stack backtraces in E2E failures (#82176, @pohly)

  • Rename PluginContext to CycleState in the scheduling framework (#83430, @draveness)

  • Significant kube-proxy performance improvements for non UDP ports. (#83208, @robscott)

  • The resource version option, when passed to a list call, is now consistently interpreted as the minimum allowed resource version. Previously when listing resources that had the watch cache disabled clients could retrieve a snapshot at that exact resource version. If the client requests a resource version newer than the current state, a TimeoutError is returned suggesting the client retry in a few seconds. This behavior is now consistent for both single item retrieval and list calls, and for when the watch cache is enabled or disabled. (#72170, @jpbetz)

  • Some scheduler extender API fields are moved from pkg/scheduler/api to pkg/scheduler/apis/extender/v1. (#83262, @Huang-Wei)

  • Fix typos in certificates.k8s.io/v1beta1 KeyUsage constant names: UsageContentCommittment becomes UsageContentCommitment and UsageNetscapSGC becomes UsageNetscapeSGC. (#82511, @abursavich)

  • The deprecated mondo kubernetes-test tarball is no longer built. Users running Kubernetes e2e tests should use the kubernetes-test-portable and kubernetes-test-{OS}-{ARCH} tarballs instead. (#83093, @ixdy)

  • Improved performance of kube-proxy with EndpointSlice enabled with more efficient sorting. (#83035, @robscott)

  • Conformance tests may now include disruptive tests. If you are running tests against a live cluster, consider skipping those tests tagged as Disruptive to avoid non-test workloads being impacted. Be aware, skipping any conformance tests (even disruptive ones) will make the results ineligible for consideration for the CNCF Certified Kubernetes program. (#82664, @johnSchnake)

  • kube-dns add-on:

    • All containers are now being executed under more restrictive privileges.
    • Most of the containers now run as a non-root user and have the root filesystem set as read-only.
    • The remaining container running as root only has the minimum Linux capabilities it requires to run.
    • Privilege escalation has been disabled for all containers. (#82347, @pjbgf)
  • dashboard: disable the dashboard Deployment on non-Linux nodes. This step is required to support Windows worker nodes. (#82975, @wawa0210)

  • Kubernetes no longer monitors firewalld. On systems using firewalld for firewall maintenance, kube-proxy will take slightly longer to recover from disruptive firewalld operations that delete kube-proxy's iptables rules.

    As a side effect of these changes, kube-proxy's sync_proxy_rules_last_timestamp_seconds metric no longer behaves the way it used to; now it will only change when services or endpoints actually change, rather than reliably updating every 60 seconds (or whatever). If you are trying to monitor for whether iptables updates are failing, the sync_proxy_rules_iptables_restore_failures_total metric may be more useful. (#81517, @danwinship)

documentation

  • Updated kube-proxy ipvs README with correct grep argument to list loaded ipvs modules (#83677, @pete911)

failing-test

  • CSI Migration: GCE PD access mode now reflects read only status of inline volumes - this allows multi-attach for read only many PDs (#84809, @davidz627)

flake

  • Reduced frequency of DescribeVolumes calls of AWS API when attaching/detaching a volume. (#84181, @jsafrane)
  • IP validates if a string is a valid IP address (#83104, @zouyee)
  • Use online nodes instead of possible nodes when discovering available NUMA nodes (#83196, @zouyee)