Subject: CVS commit: pkgsrc/sysutils/py-kubernetes
From: Adam Ciarcinski
Date: 2023-08-27 05:28:28
Message id: 20230827032828.7DDD2FBDB@cvs.NetBSD.org
Log Message:
py-kubernetes: updated to 27.2.0
v27.2.0
Kubernetes API Version: v1.27.3
Documentation
- Fix request_timeout example and doc. Arg name should be _request_timeout. Single value type should be int or long.
v27.2.0b1
Kubernetes API Version: v1.27.2
v27.2.0a1
Kubernetes API Version: v1.27.2
API Change
- Added error handling for seccomp localhost configurations that do not properly set a localhostProfile
- Fixed an issue where kubelet does not set case-insensitive headers for http probes.
- Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta
- A fix in the `resource.k8s.io/v1alpha1/ResourceClaim` API avoids harmless (?) ".status.reservedFor: element 0: associative list without keys has an element that's a map type" errors in the apiserver. Validation now rejects the incorrect reuse of the same UID in different entries.
- A terminating pod on a node that is not caused by preemption no longer prevents `kube-scheduler` from preempting pods on that node
- Rename `PreemptionByKubeScheduler` to `PreemptionByScheduler`
- API: resource.k8s.io/v1alpha1.PodScheduling was renamed to resource.k8s.io/v1alpha2.PodSchedulingContext.
- Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching the evaluation cost restrictions that already apply to CustomResourceDefinition. If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the admission check that was being performed is aborted; the `failurePolicy` for the ValidatingAdmissionPolicy determines the outcome.
- Added `auditAnnotations` to `ValidatingAdmissionPolicy`, enabling CEL to be used to add audit annotations to request audit events. Added `validationActions` to `ValidatingAdmissionPolicyBinding`, enabling validation failures to be handled by any combination of the warn, audit and deny enforcement actions.
- Added `messageExpression` field to `ValidationRule`.
- Added `messageExpression` to `ValidatingAdmissionPolicy`, to set custom failure message via CEL expression.
- Added a new IPAddress object kind
- Added a new ClusterIP allocator. The new allocator removes previous Service CIDR block size limitations for IPv4, and limits IPv6 size to a /64
- Added a new alpha API: ClusterTrustBundle (`certificates.k8s.io/v1alpha1`). A ClusterTrustBundle may be used to distribute [X.509](https://www.itu.int/rec/T-REC-X.509) trust anchors to workloads within the cluster.
- Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via an `authorizer` variable with expressions. The new variable provides a builder that allows expressions such as `authorizer.group('').resource('pods').check('create').allowed()`.
- Added matchConditions field to ValidatingAdmissionPolicy and enabled support for CEL based custom match criteria.
- Added new option to the `InterPodAffinity` scheduler plugin to ignore existing pods' preferred inter-pod affinities if the incoming pod has no preferred inter-pod affinities. This option can be used as an optimization for higher scheduling throughput (at the cost of an occasional pod being scheduled non-optimally/violating existing pods' preferred inter-pod affinities). To enable this scheduler option, set the `InterPodAffinity` scheduler plugin arg `ignorePreferredTermsOfExistingPods: true`
- Added the `MatchConditions` field to `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration` for the v1beta and v1 apis. The `AdmissionWebhookMatchConditions` featuregate is now in Alpha
- Added validation to ensure that if `service.kubernetes.io/topology-aware-hints` and `service.kubernetes.io/topology-mode` annotations are both set, they are set to the same value. Also added deprecation warning if `service.kubernetes.io/topology-aware-hints` annotation is used.
- Added warnings about workload resources (Pods, ReplicaSets, Deployments, Jobs, CronJobs, or ReplicationControllers) whose names are not valid DNS labels.
- Adds feature gate `NodeLogQuery` which provides cluster administrators with a streaming view of logs using kubectl without them having to implement a client side reader or logging into the node.
- Api: validation of a `PodSpec` now rejects invalid `ResourceClaim` and `ResourceClaimTemplate` names. For a pod, the name generated for the `ResourceClaim` when using a template also must be valid.
- Bump default API QPS limits for Kubelet.
- Enabled the `StatefulSetStartOrdinal` feature gate in beta
- Enabled usage of `kube-proxy`, `kube-scheduler` and `kubelet` HTTP APIs for changing the logging verbosity at runtime for JSON output.
- Encryption of API Server at rest configuration now allows the use of wildcards in the list of resources. For example, `*.*` can be used to encrypt all resources, including all current and future custom resources.
- Extended the kubelet's PodResources API to include resources allocated in `ResourceClaims` via `DynamicResourceAllocation`. Additionally, added a new `Get()` method to query a specific pod for its resources.
- Forbid setting matchLabelKeys when labelSelector is not set in topologySpreadConstraints
- GCE does not support LoadBalancer Services with ports with different protocols (TCP and UDP)
- GRPC probes are now a GA feature. `GRPCContainerProbe` feature gate was locked to default value and will be removed in v1.29. If you were setting this feature gate explicitly, please remove it now.
- Graduated `Kubelet Topology Manager` to GA.
- Graduated `KubeletTracing` to beta, which means that the feature gate is now enabled by default.
- Graduated seccomp profile defaulting to GA. Set the kubelet `--seccomp-default` flag or `seccompDefault` kubelet configuration field to `true` to make pods on that node default to using the `RuntimeDefault` seccomp profile. Enabling seccomp for your workload can have a negative performance impact depending on the kernel and container runtime version in use. Guidance for identifying and mitigating those issues is outlined in the Kubernetes [seccomp tutorial](https://k8s.io/docs/tutorials/security/seccomp).
- Graduated the container resource metrics feature on `HPA` to beta.
- Implemented API streaming for the `watch-cache`. When `sendInitialEvents` `ListOption` is set together with `watch=true`, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events.
- Introduced API for streaming. Added `SendInitialEvents` field to the `ListOptions`. When the new option is set together with `watch=true`, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events.
- Introduced a breaking change to the `resource.k8s.io` API in its `AllocationResult` struct. This change allows a kubelet plugin for the `DynamicResourceAllocation` feature to service allocations from multiple resource driver controllers.
- Introduces new alpha functionality to the reflector, allowing user to enable API streaming. To activate this feature, users can set the `ENABLE_CLIENT_GO_WATCH_LIST_ALPHA` environmental variable. It is important to note that the server must support streaming for this feature to function properly. If streaming is not supported by the server, the reflector will revert to the previous method of obtaining data through LIST/WATCH semantics.
- K8s.io/client-go/tools/record.EventBroadcaster: after Shutdown() is called, the broadcaster now gives up immediately after a failure to write an event to a sink. Previously it tried multiple times for 12 seconds in a goroutine.
- K8s.io/component-base/logs: usage of the pflag values in a normal Go flag set led to panics when printing the help message
- Kubeadm: explicitly set `priority` for static pods with `priorityClassName: system-node-critical`
- Kubelet: a "maxParallelImagePulls" field can now be specified in the kubelet configuration file to control how many image pulls the kubelet can perform in parallel.
- Kubelet: changed `MemoryThrottlingFactor` default value to `0.9` and formulas to calculate `memory.high`
- Kubernetes components that perform leader election now only support using `Leases` for this.
- Migrated the `DaemonSet` controller (within `kube-controller-manager`) to use [contextual logging](https://k8s.io/docs/concepts/cluster-administration/system-logs/#contextual-logging)
- New `service.kubernetes.io/topology-mode` annotation has been introduced as a replacement for the `service.kubernetes.io/topology-aware-hints` annotation.
- `service.kubernetes.io/topology-aware-hints` annotation has been deprecated.
- kube-proxy now accepts any value that is not "disabled" for these annotations, enabling custom implementation-specific and/or future built-in heuristics to be used.
- Pods owned by a Job now use the labels `batch.kubernetes.io/job-name` and `batch.kubernetes.io/controller-uid`. The legacy labels `job-name` and `controller-uid` are still added for compatibility.
- Promoted `CronJobTimeZone` feature to GA
- Promoted `SelfSubjectReview` to Beta
- Relaxed API validation to allow pod node selector to be mutable for gated pods (additions only, no deletions or mutations).
- Remove `kubernetes.io/grpc` standard appProtocol
- Remove deprecated `--enable-taint-manager` and `--pod-eviction-timeout` CLI
- Removed support for the `v1alpha1` kubeletplugin API of `DynamicResourceManagement`. All plugins must be updated to `v1alpha2` in order to function properly.
- The API server now re-uses data encryption keys while the kms v2 plugin key ID is stable. Data encryption keys are still randomly generated on server start but an atomic counter is used to prevent nonce collisions.
- The PodDisruptionBudget `spec.unhealthyPodEvictionPolicy` field has graduated to beta and is enabled by default. On servers with the feature enabled, this field may be set to `AlwaysAllow` to always allow unhealthy pods covered by the PodDisruptionBudget to be evicted.
- The `DownwardAPIHugePages` kubelet feature graduated to stable / GA.
- The following feature gates for volume expansion GA features have now been removed and must no longer be referenced in `--feature-gates` flags: `ExpandCSIVolumes`, `ExpandInUsePersistentVolumes`, `ExpandPersistentVolumes`
- The list-type of the alpha `resourceClaims` field introduced to `Pods` in `1.26.0` was modified from `set` to `map`, resolving an incompatibility with use of this schema in `CustomResourceDefinitions` and with server-side apply.
- Updated API reference for Requests, specifying they must not exceed limits
- Updated `KMSv2` to beta
- Updated: Redefine AppProtocol field description and add new standard values
- `/metrics/slis` is now available for control plane components allowing you to scrape health check metrics.
- `APIServerTracing` feature gate is now enabled by default. Tracing in the API Server is still disabled by default, and requires a config file to enable.
- `NodeResourceFit` and `NodeResourcesBalancedAllocation` implement the `PreScore` extension point for a more performant calculation.
- `PodSchedulingReadiness` is graduated to beta.
- `PodSpec.Container.Resources` became mutable for CPU and memory resource types.
- `PodSpec.Container.ResizePolicy` (new object) gives users control over how their containers are resized.
- `PodStatus.Resize` status describes the state of a requested Pod resize.
- `PodStatus.ResourcesAllocated` describes node resources allocated to Pod.
- `PodStatus.Resources` describes node resources applied to running containers by CRI.
- `UpdateContainerResources` CRI API now supports both Linux and Windows.
- `SELinuxMountReadWriteOncePod` graduated to Beta.
- `StatefulSetAutoDeletePVC` feature gate promoted to beta.
- `StatefulSet` names must be DNS labels, rather than subdomains. Any `StatefulSet` which took advantage of subdomain validation (by having dots in the name) can't possibly have worked, because we eventually set `pod.spec.hostname` from the `StatefulSetName`, and that is validated as a DNS label.
- `ValidatingAdmissionPolicy` now provides a status field that contains results of type checking the validation expression. The type checking is fully informational, and the behavior of the policy is unchanged.
- `cacheSize` field in `EncryptionConfiguration` is not supported for KMSv2 provider
- `k8s.io/component-base/logs` now also supports adding command line flags to a `flag.FlagSet`.
- `kubelet`: migrated `--container-runtime-endpoint` and `--image-service-endpoint` to kubelet config
- `resource.k8s.io/v1alpha1` was replaced with `resource.k8s.io/v1alpha2`. Before upgrading a cluster, all objects in resource.k8s.io/v1alpha1 (ResourceClaim, ResourceClaimTemplate, ResourceClass, PodScheduling) must be deleted. The changes are internal, so YAML files which create pods and resource claims don't need changes except for the newer `apiVersion`.
- `volumes`: `resource.claims` is now cleared for PVC specs during create or update of a pod spec with inline PVC template or of a PVC because it has no effect.
- API: resource.k8s.io/v1alpha1.PodScheduling was renamed to resource.k8s.io/v1alpha2.PodSchedulingContext.
- APIServerTracing feature gate is now enabled by default. Tracing in the API Server is still disabled by default, and requires a config file to enable.
- Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching the evaluation cost restrictions that already apply to CustomResourceDefinition. If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the admission check that was being performed is aborted; the `failurePolicy` for the ValidatingAdmissionPolicy determines the outcome.
- Added `messageExpression` to `ValidatingAdmissionPolicy`, to set custom failure message via CEL expression.
- Added a new IPAddress object kind
- Added a new ClusterIP allocator. The new allocator removes previous Service CIDR block size limitations for IPv4, and limits IPv6 size to a /64
- Added a new alpha API: ClusterTrustBundle (`certificates.k8s.io/v1alpha1`). A ClusterTrustBundle may be used to distribute [X.509](https://www.itu.int/rec/T-REC-X.509) trust anchors to workloads within the cluster.
- Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via an `authorizer` variable with expressions. The new variable provides a builder that allows expressions such as `authorizer.group('').resource('pods').check('create').allowed()`.
- Added matchConditions field to ValidatingAdmissionPolicy, enabled support for CEL based custom match criteria.
- Added messageExpression field to ValidationRule.
- Added the `MatchConditions` field to `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration` for the v1beta and v1 apis. The `AdmissionWebhookMatchConditions` featuregate is now in Alpha
- Added validation to ensure that if `service.kubernetes.io/topology-aware-hints` and `service.kubernetes.io/topology-mode` annotations are both set, they are set to the same value.
- Added deprecation warning if `service.kubernetes.io/topology-aware-hints` annotation is used.
- Adds auditAnnotations to ValidatingAdmissionPolicy, enabling CEL to be used to add audit annotations to request audit events. Adds validationActions to ValidatingAdmissionPolicyBinding, enabling validation failures to be handled by any combination of the warn, audit and deny enforcement actions.
- Adds feature gate `NodeLogQuery` which provides cluster administrators with a streaming view of logs using kubectl without them having to implement a client side reader or logging into the node.
- Api: validation of a PodSpec now rejects invalid ResourceClaim and ResourceClaimTemplate names. For a pod, the name generated for the ResourceClaim when using a template also must be valid.
- Bump default API QPS limits for Kubelet.
- Enable the "StatefulSetStartOrdinal" feature gate in beta
- Extended the kubelet's PodResources API to include resources allocated in `ResourceClaims` via `DynamicResourceAllocation`. Additionally, added a new `Get()` method to query a specific pod for its resources.
- Forbid setting matchLabelKeys when labelSelector isn't set in topologySpreadConstraints
- GCE does not support LoadBalancer Services with ports with different protocols (TCP and UDP)
- GRPC probes are now a GA feature. GRPCContainerProbe feature gate was locked to default value and will be removed in v1.29. If you were setting this feature gate explicitly, please remove it now.
- Graduate Kubelet Topology Manager to GA.
- Graduate `KubeletTracing` to beta, which means that the feature gate is now enabled by default.
- Graduate the container resource metrics feature on HPA to beta.
- Introduced a breaking change to the `resource.k8s.io` API in its `AllocationResult` struct. This change allows a kubelet plugin for the `DynamicResourceAllocation` feature to service allocations from multiple resource driver controllers.
- Introduces new alpha functionality to the reflector, allowing user to enable API streaming. To activate this feature, users can set the `ENABLE_CLIENT_GO_WATCH_LIST_ALPHA` environmental variable. It is important to note that the server must support streaming for this feature to function properly. If streaming is not supported by the server, the reflector will revert to the previous method of obtaining data through LIST/WATCH semantics.
- Kubelet: change MemoryThrottlingFactor default value to 0.9 and formulas to calculate memory.high
- Migrated the DaemonSet controller (within `kube-controller-manager`) to use [contextual logging](https://k8s.io/docs/concepts/cluster-administration/system-logs/#contextual-logging)
- New `service.kubernetes.io/topology-mode` annotation has been introduced as a replacement for the `service.kubernetes.io/topology-aware-hints` annotation.
- `service.kubernetes.io/topology-aware-hints` annotation has been deprecated.
- kube-proxy now accepts any value that is not "disabled" for these annotations, enabling custom implementation-specific and/or future built-in heuristics to be used.
- NodeResourceFit and NodeResourcesBalancedAllocation implement the PreScore extension point for a more performant calculation.
- Pods owned by a Job will now use the labels `batch.kubernetes.io/job-name` and `batch.kubernetes.io/controller-uid`. The legacy labels `job-name` and `controller-uid` are still added for compatibility.
- Promote CronJobTimeZone feature to GA
- Promoted `SelfSubjectReview` to Beta
- Relax API validation to allow pod node selector to be mutable for gated pods (additions only, no deletions or mutations).
- Remove deprecated `--enable-taint-manager` and `--pod-eviction-timeout` CLI flags
- Resource.k8s.io/v1alpha1 was replaced with resource.k8s.io/v1alpha2. Before upgrading a cluster, all objects in resource.k8s.io/v1alpha1 (ResourceClaim, ResourceClaimTemplate, ResourceClass, PodScheduling) must be deleted. The changes will be internal, so YAML files which create pods and resource claims don't need changes except for the newer `apiVersion`.
- SELinuxMountReadWriteOncePod graduated to Beta.
- StatefulSetAutoDeletePVC feature gate promoted to beta.
- The API server now re-uses data encryption keys while the kms v2 plugin's key ID is stable. Data encryption keys are still randomly generated on server start but an atomic counter is used to prevent nonce collisions.
- The API server's encryption at rest configuration now allows the use of wildcards in the list of resources. For example, `*.*` can be used to encrypt all resources, including all current and future custom resources.
- Update KMSv2 to beta
- Updated: Redefine AppProtocol field description and add new standard values
- ValidatingAdmissionPolicy now provides a status field that contains results of type checking the validation expression. The type checking is fully informational, and the behavior of the policy is unchanged.
- We have removed support for the v1alpha1 kubeletplugin API of DynamicResourceManagement. All plugins must update to v1alpha2 in order to function properly going forward.
- Graduated seccomp profile defaulting to GA. Set the kubelet `--seccomp-default` flag or `seccompDefault` kubelet configuration field to `true` to make pods on that node default to using the `RuntimeDefault` seccomp profile. Enabling seccomp for your workload can have a negative performance impact depending on the kernel and container runtime version in use. Guidance for identifying and mitigating those issues is outlined in the Kubernetes [seccomp tutorial](https://k8s.io/docs/tutorials/security/seccomp).
- Implements API for streaming for the watch-cache. When sendInitialEvents ListOption is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events.
- Introduce API for streaming. Add SendInitialEvents field to the ListOptions. When the new option is set together with watch=true, it begins the watch stream with synthetic init events followed by a synthetic "Bookmark" after which the server continues streaming events.
- Kubelet: a "maxParallelImagePulls" field can now be specified in the kubelet configuration file to control how many image pulls the kubelet can perform in parallel.
- PodSchedulingReadiness is graduated to beta.
- In-place resize feature for Kubernetes Pods
  - Changed the Pod API so that the `resources` defined for containers are mutable for `cpu` and `memory` resource types.
  - Added `resizePolicy` for containers in a pod to allow users control over how their containers are resized.
  - Added `allocatedResources` field to container status in pod status that describes the node resources allocated to a pod.
  - Added `resources` field to container status that reports actual resources applied to running containers.
  - Added `resize` field to pod status that describes the state of a requested pod resize.
  For details, see KEPs below.
- The PodDisruptionBudget `spec.unhealthyPodEvictionPolicy` field has graduated to beta and is enabled by default. On servers with the feature enabled, this field may be set to `AlwaysAllow` to always allow unhealthy pods covered by the PodDisruptionBudget to be evicted.
- The `DownwardAPIHugePages` kubelet feature graduated to stable / GA.
- Volumes: `resource.claims` gets cleared for PVC specs during create or update of a pod spec with inline PVC template or of a PVC because it has no effect.
- A fix in the resource.k8s.io/v1alpha1/ResourceClaim API avoids harmless (?) ".status.reservedFor: element 0: associative list without keys has an element that's a map type" errors in the apiserver. Validation now rejects the incorrect reuse of the same UID in different entries.
- CacheSize field in EncryptionConfiguration is not supported for KMSv2 provider
- K8s.io/client-go/tools/record.EventBroadcaster: after Shutdown() is called, the broadcaster now gives up immediately after a failure to write an event to a sink. Previously it tried multiple times for 12 seconds in a goroutine.
- K8s.io/component-base/logs now also supports adding command line flags to a flag.FlagSet.
- Update API reference for Requests, specifying they must not exceed limits
- `/metrics/slis` is made available for control plane components allowing you to scrape health check metrics.
- A terminating pod on a node that is not caused by preemption won't prevent kube-scheduler from preempting pods on that node
- Rename 'PreemptionByKubeScheduler' to 'PreemptionByScheduler'
- Added new option to the InterPodAffinity scheduler plugin to ignore existing pods' preferred inter-pod affinities if the incoming pod has no preferred inter-pod affinities. This option can be used as an optimization for higher scheduling throughput (at the cost of an occasional pod being scheduled non-optimally/violating existing pods' preferred inter-pod affinities). To enable this scheduler option, set the InterPodAffinity scheduler plugin arg "ignorePreferredTermsOfExistingPods: true".
- Added warnings about workload resources (Pods, ReplicaSets, Deployments, Jobs, CronJobs, or ReplicationControllers) whose names are not valid DNS labels.
- K8s.io/component-base/logs: usage of the pflag values in a normal Go flag set led to panics when printing the help message
- Kube-proxy, kube-scheduler and kubelet have HTTP APIs for changing the logging verbosity at runtime. This now also works for JSON output.
- Kubeadm: explicitly set `priority` for static pods with `priorityClassName: system-node-critical`
- Kubelet: migrate "--container-runtime-endpoint" and "--image-service-endpoint" to kubelet config
- Kubernetes components that perform leader election now only support using Leases for this.
- StatefulSet names must be DNS labels, rather than subdomains. Any StatefulSet which took advantage of subdomain validation (by having dots in the name) can't possibly have worked, because we eventually set `pod.spec.hostname` from the StatefulSetName, and that is validated as a DNS label.
- The following feature gates for volume expansion GA features have been removed and must no longer be referenced in `--feature-gates` flags: ExpandCSIVolumes, ExpandInUsePersistentVolumes, ExpandPersistentVolumes
- The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 was modified from "set" to "map", resolving an incompatibility with use of this schema in CustomResourceDefinitions and with server-side apply.
Files: