./sysutils/py-kubernetes, Kubernetes Python client



Branch: CURRENT, Version: 30.1.0, Package name: py312-kubernetes-30.1.0, Maintainer: pkgsrc-users

Python client for kubernetes http://kubernetes.io/


Master sites:

Filesize: 867.002 KB



CVS history:


   2024-11-11 08:29:31 by Thomas Klausner | Files touched by this commit (862)
Log message:
py-*: remove unused tool dependency

py-setuptools includes the py-wheel functionality nowadays
   2024-10-14 08:46:10 by Thomas Klausner | Files touched by this commit (325)
Log message:
*: clean-up after python38 removal
   2024-07-19 08:57:50 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-kubernetes: updated to 30.1.0

v30.1.0

Kubernetes API Version: v1.30.1
   2024-05-08 13:55:57 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-kubernetes: updated to 29.0.0

v29.0.0

Kubernetes API Version: v1.29.0

Bug or Regression
- Fix UTF-8 failures in Watch
- Fix upper version boundary of urllib3, since other dependencies don't support urllib3 in version 2

v29.0.0b1

Kubernetes API Version: v1.29.0

Bug or Regression
- Fix UTF-8 failures in Watch
- Fix upper version boundary of urllib3, since other dependencies don't support urllib3 in version 2

v29.0.0a1

Kubernetes API Version: v1.29.0

API Change
- `kube-apiserver`: adds `--authentication-config` flag for reading `AuthenticationConfiguration` files. `--authentication-config` flag is mutually exclusive with the existing `--oidc-*` flags.
- `kube-scheduler` component config (`KubeSchedulerConfiguration`) `kubescheduler.config.k8s.io/v1beta3` is removed in `v1.29`. Migrated `kube-scheduler` configuration files to `kubescheduler.config.k8s.io/v1`.
- A new sleep action for the `PreStop` lifecycle hook was added, allowing \ 
containers to pause for a specified duration before termination.
- Added CEL expressions to `v1alpha1 AuthenticationConfiguration`.
- Added Windows support for InPlace Pod Vertical Scaling feature.
- Added `ImageMaximumGCAge` field to Kubelet configuration, which allows a user \ 
to set the maximum age an image is unused before it's garbage collected.
- Added `UserNamespacesPodSecurityStandards` feature gate to enable user \ 
namespace support for Pod Security Standards.
 Enabling this feature will modify all Pod Security Standard rules to allow \ 
setting: `spec[.*].securityContext.[runAsNonRoot,runAsUser]`.
 This feature gate should only be enabled if all nodes in the cluster support \ 
the user namespace feature and have it enabled.
 The feature gate will not graduate or be enabled by default in future \ 
Kubernetes releases.
- Added `optionalOldSelf` to `x-kubernetes-validations` to support ratcheting \ 
CRD schema constraints.
- Added a new `ServiceCIDR` type that allows to dynamically configure the \ 
cluster range used to allocate `Service ClusterIPs` addresses.
- Added a new `ipMode` field to the `.status` of Services where `type` is set to \ 
`LoadBalancer`.
 The new field is behind the `LoadBalancerIPMode` feature gate.
- Added options for configuring `nf_conntrack_udp_timeout`, and \ 
`nf_conntrack_udp_timeout_stream` variables of netfilter conntrack subsystem.
- Added support for CEL expressions to `v1alpha1 AuthorizationConfiguration` \ 
webhook `matchConditions`.
- Added support for projecting `certificates.k8s.io/v1alpha1` ClusterTrustBundle \ 
objects into pods.
- Added the `DisableNodeKubeProxyVersion` feature gate. If \ 
`DisableNodeKubeProxyVersion` is enabled, the `kubeProxyVersion` field is not \ 
set.
- Fixed a bug where CEL expressions in CRD validation rules would incorrectly \ 
compute a high estimated cost for functions that return strings, lists or maps.
 The incorrect cost was evident when the result of a function was used in \ 
subsequent operations.
- Fixed the API comments for the Job `Ready` field in status.
- Fixed the API comments for the `FailIndex` Job pod failure policy action.
- Go API: the `ResourceRequirements` struct was replaced with \ 
`VolumeResourceRequirements` for use with volumes.
- Graduated `Job BackoffLimitPerIndex` feature to `beta`.
- Marked the `onPodConditions` field as optional in `Job`'s pod failure policy.
- Promoted `PodReadyToStartContainers` condition to `beta`.
- The `flowcontrol.apiserver.k8s.io/v1beta3` `FlowSchema` and `PriorityLevelConfiguration` APIs have been promoted to `flowcontrol.apiserver.k8s.io/v1`, with the following changes:
 - `PriorityLevelConfiguration`: the `.spec.limited.nominalConcurrencyShares` \ 
field defaults to `30` only if the field is omitted (v1beta3 also defaulted an \ 
explicit `0` value to `30`). Specifying an explicit `0` value is not allowed in \ 
the `v1` version in v1.29 to ensure compatibility with `v1.28` API servers. In \ 
`v1.30`, explicit `0` values will be allowed in this field in the `v1` API.
 The `flowcontrol.apiserver.k8s.io/v1beta3` APIs are deprecated and will no \ 
longer be served in v1.32. All existing objects are available via the `v1` APIs. \ 
Transition clients and manifests to use the `v1` APIs before upgrading to \ 
`v1.32`.
- The `kube-proxy` command-line documentation was updated to clarify that
 `--bind-address` does not actually have anything to do with binding to an
 address, and you probably don't actually want to be using it.
- The `kube-scheduler` `selectorSpread` plugin has been removed, please use the \ 
`podTopologySpread` plugin instead.
- The `matchLabelKeys/mismatchLabelKeys` feature is introduced to the hard/soft \ 
`PodAffinity/PodAntiAffinity`.
- When updating a CRD, per-expression cost limit checks are now skipped for `x-kubernetes-validations` rules of versions that are not mutated.
- `CSINodeExpandSecret` feature has been promoted to `GA` in this release and is \ 
enabled
 by default. The CSI drivers can make use of the `secretRef` values passed in \ 
`NodeExpansion`
 request optionally sent by the CSI Client from this release onwards.
- `NodeStageVolume` calls will now be retried if the CSI node driver is not running.
- `PersistentVolumeLastPhaseTransitionTime` is now beta and enabled by default.
- `ValidatingAdmissionPolicy` type checking now supports CRDs and API extensions \ 
types.
- `kube-apiserver`: added `--authorization-config` flag for reading a \ 
configuration file containing an `apiserver.config.k8s.io/v1alpha1 \ 
AuthorizationConfiguration` object. The `--authorization-config` flag is \ 
mutually exclusive with `--authorization-modes` and `--authorization-webhook-*` \ 
flags. The `alpha` `StructuredAuthorizationConfiguration` feature flag must be \ 
enabled for `--authorization-config` to be specified.
- `kube-proxy` now has a new nftables-based mode, available by running

     `kube-proxy --feature-gates NFTablesProxyMode=true --proxy-mode nftables`

 This is currently an alpha-level feature and while it probably will not
 eat your data, it may nibble at it a bit. (It passes e2e testing but has
 not yet seen real-world use.)

 At this point it should be functionally mostly identical to the iptables
 mode, except that it does not (and will not) support Service NodePorts on
 127.0.0.1. (Also note that there are currently no command-line arguments
 for the nftables-specific config; you will need to use a config file if
 you want to set the equivalent of any of the `--iptables-xxx` options.)

 As this code is still very new, it has not been heavily optimized yet;
 while it is expected to _eventually_ have better performance than the
 iptables backend, very little performance testing has been done so far.
- `kube-proxy`: Added an option/flag for configuring the \ 
`nf_conntrack_tcp_be_liberal` sysctl (in the kernel's netfilter conntrack \ 
subsystem).  When enabled, `kube-proxy` will not install the `DROP` rule for \ 
invalid conntrack states, which currently breaks users of asymmetric routing.
- Added support for projecting certificates.k8s.io/v1alpha1 ClusterTrustBundle \ 
objects into pods.
- Adds `optionalOldSelf` to `x-kubernetes-validations` to support ratcheting CRD \ 
schema constraints
- Fix API comment for the Job Ready field in status
- Fix API comments for the FailIndex Job pod failure policy action.
- A new sleep action for the PreStop lifecycle hook is added, allowing \ 
containers to pause for a specified duration before termination.
- Add ImageMaximumGCAge field to Kubelet configuration, which allows a user to \ 
set the maximum age an image is unused before it's garbage collected.
- Add a new ServiceCIDR type that allows to dynamically configure the cluster \ 
range used to allocate Service ClusterIPs addresses
- Add the DisableNodeKubeProxyVersion feature gate. If \ 
DisableNodeKubeProxyVersion is enabled, the kubeProxyVersion field is not set.
- Added Windows support for InPlace Pod Vertical Scaling feature.
- Added `UserNamespacesPodSecurityStandards` feature gate to enable user \ 
namespace support for Pod Security Standards.
 Enabling this feature will modify all Pod Security Standard rules to allow \ 
setting: `spec[.*].securityContext.[runAsNonRoot,runAsUser]`.
 This feature gate should only be enabled if all nodes in the cluster support \ 
the user namespace feature and have it enabled.
 The feature gate will not graduate or be enabled by default in future \ 
Kubernetes releases.
- Added options for configuring nf_conntrack_udp_timeout, and \ 
nf_conntrack_udp_timeout_stream variables of netfilter conntrack subsystem.
- Adds CEL expressions to v1alpha1 AuthenticationConfiguration.
- Adds support for CEL expressions to v1alpha1 AuthorizationConfiguration \ 
webhook matchConditions.
- CSINodeExpandSecret feature has been promoted to GA in this release and \ 
enabled by default. The CSI drivers can make use of the `secretRef` values \ 
passed in NodeExpansion request optionally sent by the CSI Client from this \ 
release onwards.
- Graduate Job BackoffLimitPerIndex feature to Beta
- Kube-apiserver: adds --authorization-config flag for reading a configuration \ 
file containing an apiserver.config.k8s.io/v1alpha1 AuthorizationConfiguration \ 
object. --authorization-config flag is mutually exclusive with \ 
--authorization-modes and --authorization-webhook-* flags. The alpha \ 
StructuredAuthorizationConfiguration feature flag must be enabled for \ 
--authorization-config to be specified.
- Kube-proxy now has a new nftables-based mode, available by running

     kube-proxy --feature-gates NFTablesProxyMode=true --proxy-mode nftables

 This is currently an alpha-level feature and while it probably will not
 eat your data, it may nibble at it a bit. (It passes e2e testing but has
 not yet seen real-world use.)

 At this point it should be functionally mostly identical to the iptables
 mode, except that it does not (and will not) support Service NodePorts on
 127.0.0.1. (Also note that there are currently no command-line arguments
 for the nftables-specific config; you will need to use a config file if
 you want to set the equivalent of any of the `--iptables-xxx` options.)

 As this code is still very new, it has not been heavily optimized yet;
 while it is expected to _eventually_ have better performance than the
 iptables backend, very little performance testing has been done so far.
- Kube-proxy: Added an option/flag for configuring the \ 
`nf_conntrack_tcp_be_liberal` sysctl (in the kernel's netfilter conntrack \ 
subsystem).  When enabled, kube-proxy will not install the DROP rule for invalid \ 
conntrack states, which currently breaks users of asymmetric routing.
- PersistentVolumeLastPhaseTransitionTime is now beta, enabled by default.
- Promote PodReadyToStartContainers condition to beta.
- The flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema and PriorityLevelConfiguration APIs have been promoted to flowcontrol.apiserver.k8s.io/v1, with the following changes:
 - PriorityLevelConfiguration: the `.spec.limited.nominalConcurrencyShares` \ 
field defaults to `30` only if the field is omitted (v1beta3 also defaulted an \ 
explicit `0` value to `30`). Specifying an explicit `0` value is not allowed in \ 
the `v1` version in v1.29 to ensure compatibility with 1.28 API servers. In \ 
v1.30, explicit `0` values will be allowed in this field in the `v1` API.
 The flowcontrol.apiserver.k8s.io/v1beta3 APIs are deprecated and will no longer \ 
be served in v1.32. All existing objects are available via the `v1` APIs. \ 
Transition clients and manifests to use the `v1` APIs before upgrading to v1.32.
- The kube-proxy command-line documentation was updated to clarify that
 `--bind-address` does not actually have anything to do with binding to an
 address, and you probably don't actually want to be using it.
- The matchLabelKeys/mismatchLabelKeys feature is introduced to the hard/soft \ 
PodAffinity/PodAntiAffinity.
- ValidatingAdmissionPolicy Type Checking now supports CRDs and API extensions types.
- When updating a CRD, per-expression cost limit check is skipped for \ 
x-kubernetes-validations rules of versions that are not mutated.
- Added a new `ipMode` field to the `.status` of Services where `type` is set to \ 
`LoadBalancer`.
 The new field is behind the `LoadBalancerIPMode` feature gate.
- Fixed a bug where CEL expressions in CRD validation rules would incorrectly \ 
compute a high estimated cost for functions that return strings, lists or maps.
 The incorrect cost was evident when the result of a function was used in \ 
subsequent operations.
- Go API: the ResourceRequirements struct needs to be replaced with \ 
VolumeResourceRequirements for use with volumes.
- Kube-apiserver: adds --authentication-config flag for reading \ 
AuthenticationConfiguration files. --authentication-config flag is mutually \ 
exclusive with the existing --oidc-* flags.
- Kube-scheduler component config (KubeSchedulerConfiguration) \ 
kubescheduler.config.k8s.io/v1beta3 is removed in v1.29. Migrate kube-scheduler \ 
configuration files to kubescheduler.config.k8s.io/v1.
- Mark the onPodConditions field as optional in Job's pod failure policy.
- Retry NodeStageVolume calls if CSI node driver is not running
- The kube-scheduler `selectorSpread` plugin has been removed, please use the \ 
`podTopologySpread` plugin instead.
   2023-11-07 23:38:10 by Thomas Klausner | Files touched by this commit (112)
Log message:
*: latest py-sphinx only support Python 3.9+
   2023-08-27 05:28:28 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-kubernetes: updated to 27.2.0

v27.2.0

Kubernetes API Version: v1.27.3

Documentation
- Fix request_timeout example and doc. Arg name should be _request_timeout. \ 
Single value type should be int or long.

v27.2.0b1

Kubernetes API Version: v1.27.2

v27.2.0a1

Kubernetes API Version: v1.27.2

API Change
- Added error handling for seccomp localhost configurations that do not properly \ 
set a localhostProfile
- Fixed an issue where kubelet does not set case-insensitive headers for http probes.
- Revised the comment about the feature-gate level for PodFailurePolicy from \ 
alpha to beta
- A fix in the `resource.k8s.io/v1alpha1/ResourceClaim` API avoids harmless (?) \ 
".status.reservedFor: element 0: associative list without keys has an \ 
element that's a map type" errors in the apiserver. Validation now rejects \ 
the incorrect reuse of the same UID in different entries.
- A terminating pod on a node that is not caused by preemption no longer \ 
prevents `kube-scheduler` from preempting pods on that node
 - Rename `PreemptionByKubeScheduler` to `PreemptionByScheduler`
- API: resource.k8s.io/v1alpha1.PodScheduling was renamed to \ 
resource.k8s.io/v1alpha2.PodSchedulingContext.
- Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching \ 
the evaluation cost
 restrictions that already apply to CustomResourceDefinition.
 If rule evaluation uses more compute than the limit, the API server aborts the \ 
evaluation and the
 admission check that was being performed is aborted; the `failurePolicy` for \ 
the ValidatingAdmissionPolicy
 determines the outcome.
- Added `auditAnnotations` to `ValidatingAdmissionPolicy`, enabling CEL to be \ 
used to add audit annotations to request audit events.
 Added `validationActions` to `ValidatingAdmissionPolicyBinding`, enabling \ 
validation failures to be handled by any combination of the warn, audit and deny \ 
enforcement actions.
- Added `messageExpression` field to `ValidationRule`.
- Added `messageExpression` to `ValidatingAdmissionPolicy`, to set custom \ 
failure message via CEL expression.
- Added a new IPAddress object kind
 - Added a new ClusterIP allocator. The new allocator removes previous Service \ 
CIDR block size limitations for IPv4, and limits IPv6 size to a /64
- Added a new alpha API: ClusterTrustBundle (`certificates.k8s.io/v1alpha1`).
 A ClusterTrustBundle may be used to distribute \ 
[X.509](https://www.itu.int/rec/T-REC-X.509) trust anchors to workloads within \ 
the cluster.
- Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via an `authorizer`
 variable with expressions. The new variable provides a builder that allows expressions such as `authorizer.group('').resource('pods').check('create').allowed()`.
- Added matchConditions field to ValidatingAdmissionPolicy and enabled support \ 
for CEL based custom match criteria.
- Added new option to the `InterPodAffinity` scheduler plugin to ignore existing
 pods' preferred inter-pod affinities if the incoming pod has no preferred inter-pod
 affinities. This option can be used as an optimization for higher scheduling throughput
 (at the cost of an occasional pod being scheduled non-optimally/violating existing
 pods' preferred inter-pod affinities). To enable this scheduler option, set the
 `InterPodAffinity` scheduler plugin arg `ignorePreferredTermsOfExistingPods: true`
- Added the `MatchConditions` field to `ValidatingWebhookConfiguration` and \ 
`MutatingWebhookConfiguration` for the v1beta and v1 apis.

 The `AdmissionWebhookMatchConditions` featuregate is now in Alpha
- Added validation to ensure that if `service.kubernetes.io/topology-aware-hints` and `service.kubernetes.io/topology-mode` annotations are both set, they are set to the same value. Also added deprecation warning if `service.kubernetes.io/topology-aware-hints` annotation is used.
- Added warnings about workload resources (Pods, ReplicaSets, Deployments, Jobs, \ 
CronJobs, or ReplicationControllers) whose names are not valid DNS labels.
- Adds feature gate `NodeLogQuery` which provides cluster administrators with a \ 
streaming view of logs using kubectl without them having to implement a client \ 
side reader or logging into the node.
- Api: validation of a `PodSpec` now rejects invalid `ResourceClaim` and \ 
`ResourceClaimTemplate` names. For a pod, the name generated for the \ 
`ResourceClaim` when using a template also must be valid.
- Bump default API QPS limits for Kubelet.
- Enabled the `StatefulSetStartOrdinal` feature gate in beta
- Enabled usage of `kube-proxy`, `kube-scheduler` and `kubelet` HTTP APIs for \ 
changing the logging
  verbosity at runtime for JSON output.
- Encryption of API Server at rest configuration now allows the use of wildcards \ 
in the list of resources.  For example, *.* can be used to encrypt all \ 
resources, including all current and future custom resources.
- Extended the kubelet's PodResources API to include resources allocated in \ 
`ResourceClaims` via `DynamicResourceAllocation`. Additionally, added a new \ 
`Get()` method to query a specific pod for its resources.
- Forbid to set matchLabelKeys when labelSelector is not set in \ 
topologySpreadConstraints
- GCE does not support LoadBalancer Services with ports with different protocols \ 
(TCP and UDP)
- GRPC probes are now a GA feature. `GRPCContainerProbe` feature gate was locked \ 
to default value and will be removed in v1.29. If you were setting this feature \ 
gate explicitly, please remove it now.
- Graduated `Kubelet Topology Manager` to GA.
- Graduated `KubeletTracing` to beta, which means that the feature gate is now \ 
enabled by default.
- Graduated seccomp profile defaulting to GA.

 Set the kubelet `--seccomp-default` flag or `seccompDefault` kubelet \ 
configuration field to `true` to make pods on that node default to using the \ 
`RuntimeDefault` seccomp profile.

 Enabling seccomp for your workload can have a negative performance impact \ 
depending on the kernel and container runtime version in use.

 Guidance for identifying and mitigating those issues is outlined in the \ 
Kubernetes [seccomp tutorial](https://k8s.io/docs/tutorials/security/seccomp).
- Graduated the container resource metrics feature on `HPA` to beta.
- Implemented API streaming for the `watch-cache`

 When `sendInitialEvents` `ListOption` is set together with `watch=true`, it \ 
begins the watch stream with synthetic init events followed by a synthetic \ 
"Bookmark" after which the server continues streaming events.
- Introduced API for streaming.

 Added `SendInitialEvents` field to the `ListOptions`. When the new option is \ 
set together with `watch=true`, it begins the watch stream with synthetic init \ 
events followed by a synthetic "Bookmark" after which the server \ 
continues streaming events.
- Introduced a breaking change to the `resource.k8s.io` API in its \ 
`AllocationResult` struct. This change allows a kubelet plugin for the \ 
`DynamicResourceAllocation` feature to service allocations from multiple \ 
resource driver controllers.
- Introduces new alpha functionality to the reflector, allowing user to enable \ 
API streaming.

 To activate this feature, users can set the `ENABLE_CLIENT_GO_WATCH_LIST_ALPHA` \ 
environmental variable.
 It is important to note that the server must support streaming for this feature \ 
to function properly.
 If streaming is not supported by the server, the reflector will revert to the \ 
previous method
 of obtaining data through LIST/WATCH semantics.
- K8s.io/client-go/tools/record.EventBroadcaster: after Shutdown() is called, \ 
the broadcaster now gives up immediately after a failure to write an event to a \ 
sink. Previously it tried multiple times for 12 seconds in a goroutine.
- K8s.io/component-base/logs: usage of the pflag values in a normal Go flag set \ 
led to panics when printing the help message
- Kubeadm: explicitly set `priority` for static pods with `priorityClassName: \ 
system-node-critical`
- Kubelet: a "maxParallelImagePulls" field can now be specified in the \ 
kubelet configuration file to control how many image pulls the kubelet can \ 
perform in parallel.
- Kubelet: changed `MemoryThrottlingFactor` default value to `0.9` and formulas \ 
to calculate `memory.high`
- Kubernetes components that perform leader election now only support using \ 
`Leases` for this.
- Migrated the `DaemonSet` controller (within `kube-controller-manager`) to use [contextual logging](https://k8s.io/docs/concepts/cluster-administration/system-logs/#contextual-logging)
- New `service.kubernetes.io/topology-mode` annotation has been introduced as a \ 
replacement for the `service.kubernetes.io/topology-aware-hints` annotation.
 - `service.kubernetes.io/topology-aware-hints` annotation has been deprecated.
 - kube-proxy now accepts any value that is not "disabled" for these \ 
annotations, enabling custom implementation-specific and/or future built-in \ 
heuristics to be used.
- Pods owned by a Job now use the labels `batch.kubernetes.io/job-name` and `batch.kubernetes.io/controller-uid`.
 The legacy labels `job-name` and `controller-uid` are still added for compatibility.
- Promoted `CronJobTimeZone` feature to GA
- Promoted `SelfSubjectReview` to Beta
- Relaxed API validation to allow pod node selector to be mutable for gated pods \ 
(additions only, no deletions or mutations).
- Remove `kubernetes.io/grpc` standard appProtocol
- Remove deprecated `--enable-taint-manager` and `--pod-eviction-timeout` CLI
- Removed support for the `v1alpha1` kubeletplugin API of \ 
`DynamicResourceManagement`. All plugins must be updated to `v1alpha2` in order \ 
to function properly.
- The API server now re-uses data encryption keys while the kms v2 plugin key ID \ 
is stable.  Data encryption keys are still randomly generated on server start \ 
but an atomic counter is used to prevent nonce collisions.
- The PodDisruptionBudget `spec.unhealthyPodEvictionPolicy` field has graduated \ 
to beta and is enabled by default. On servers with the feature enabled, this \ 
field may be set to `AlwaysAllow` to always allow unhealthy pods covered by the \ 
PodDisruptionBudget to be evicted.
- The `DownwardAPIHugePages` kubelet feature graduated to stable / GA.
- The following feature gates for volume expansion GA features have now been \ 
removed and must no longer be referenced in `--feature-gates` flags: \ 
`ExpandCSIVolumes`, `ExpandInUsePersistentVolumes`, `ExpandPersistentVolumes`
- The list-type of the alpha `resourceClaims` field introduced to `Pods` in \ 
`1.26.0` was modified from `set` to `map`, resolving an incompatibility with use \ 
of this schema in `CustomResourceDefinitions` and with server-side apply.
- Updated API reference for Requests, specifying they must not exceed limits
- Updated `KMSv2` to beta
- Updated: Redefine AppProtocol field description and add new standard values
- `/metrics/slis` is now available for control plane components allowing you to \ 
scrape health check metrics.
- `APIServerTracing` feature gate is now enabled by default. Tracing in the API
 Server is still disabled by default, and requires a config file to enable.
- `NodeResourceFit` and `NodeResourcesBalancedAllocation` implement the `PreScore`
 extension point for a more performant calculation.
- `PodSchedulingReadiness` is graduated to beta.
- `PodSpec.Container.Resources` became mutable for CPU and memory resource types.
 - `PodSpec.Container.ResizePolicy` (new object) gives users control over how \ 
their containers are resized.
 - `PodStatus.Resize` status describes the state of a requested Pod resize.
 - `PodStatus.ResourcesAllocated` describes node resources allocated to Pod.
 - `PodStatus.Resources` describes node resources applied to running containers \ 
by CRI.
 - `UpdateContainerResources` CRI API now supports both Linux and Windows.
- `SELinuxMountReadWriteOncePod` graduated to Beta.
- `StatefulSetAutoDeletePVC` feature gate promoted to beta.
- `StatefulSet` names must be DNS labels, rather than subdomains. Any `StatefulSet`
 which took advantage of subdomain validation (by having dots in the name) can't
 possibly have worked, because we eventually set `pod.spec.hostname` from the \ 
`StatefulSetName`,
 and that is validated as a DNS label.
- `ValidatingAdmissionPolicy` now provides a status field that contains results \ 
of type checking the validation expression.
 The type checking is fully informational, and the behavior of the policy is \ 
unchanged.
- `cacheSize` field in `EncryptionConfiguration` is not supported for KMSv2 provider
- `k8s.io/component-base/logs` now also supports adding command line flags to a \ 
`flag.FlagSet`.
- `kubelet`: migrated `--container-runtime-endpoint` and `--image-service-endpoint`
 to kubelet config
- `resource.k8s.io/v1alpha1` was replaced with `resource.k8s.io/v1alpha2`. Before
 upgrading a cluster, all objects in resource.k8s.io/v1alpha1 (ResourceClaim, \ 
ResourceClaimTemplate,
 ResourceClass, PodScheduling) must be deleted. The changes are internal, so
 YAML files which create pods and resource claims don't need changes except for
 the newer `apiVersion`.
- `volumes`: `resource.claims` is now cleared for PVC specs during create or \ 
update of a pod spec with inline PVC template or of a PVC because it has no \ 
effect.
- Added a new alpha API: ClusterTrustBundle (`certificates.k8s.io/v1alpha1`).
 A ClusterTrustBundle may be used to distribute \ 
[X.509](https://www.itu.int/rec/T-REC-X.509) trust anchors to workloads within \ 
the cluster.
- Remove `kubernetes.io/grpc` standard appProtocol
- API: resource.k8s.io/v1alpha1.PodScheduling was renamed to \ 
resource.k8s.io/v1alpha2.PodSchedulingContext.
- APIServerTracing feature gate is now enabled by default. Tracing in the API \ 
Server is still disabled by default, and requires a config file to enable.
- Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching \ 
the evaluation cost
 restrictions that already apply to CustomResourceDefinition.
 If rule evaluation uses more compute than the limit, the API server aborts the \ 
evaluation and the
 admission check that was being performed is aborted; the `failurePolicy` for \ 
the ValidatingAdmissionPolicy
 determines the outcome.
- Added `messageExpression` to `ValidatingAdmissionPolicy`, to set custom \ 
failure message via CEL expression.
- Added a new IPAddress object kind
 - Added a new ClusterIP allocator. The new allocator removes previous Service \ 
CIDR block size limitations for IPv4, and limits IPv6 size to a /64
- Added a new alpha API: ClusterTrustBundle (`certificates.k8s.io/v1alpha1`).
 A ClusterTrustBundle may be used to distribute \ 
[X.509](https://www.itu.int/rec/T-REC-X.509) trust anchors to workloads within \ 
the cluster.
- Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via an `authorizer`
 variable with expressions. The new variable provides a builder that allows expressions such as `authorizer.group('').resource('pods').check('create').allowed()`.
- Added matchConditions field to ValidatingAdmissionPolicy, enabled support for \ 
CEL based custom match criteria.
- Added messageExpression field to ValidationRule.
- Added the `MatchConditions` field to `ValidatingWebhookConfiguration` and \ 
`MutatingWebhookConfiguration` for the v1beta and v1 apis.

 The `AdmissionWebhookMatchConditions` featuregate is now in Alpha
- Added validation to ensure that if \ 
`service.kubernetes.io/topology-aware-hints` and \ 
`service.kubernetes.io/topology-mode` annotations are both set, they are set to \ 
the same value.
 - Added deprecation warning if `service.kubernetes.io/topology-aware-hints` \ 
annotation is used.
- Adds auditAnnotations to ValidatingAdmissionPolicy, enabling CEL to be used to \ 
add audit annotations to request audit events.
 Adds validationActions to ValidatingAdmissionPolicyBinding, enabling validation \ 
failures to be handled by any combination of the warn, audit and deny \ 
enforcement actions.
- Adds feature gate `NodeLogQuery` which provides cluster administrators with a \ 
streaming view of logs using kubectl without them having to implement a client \ 
side reader or logging into the node.
- Api: validation of a PodSpec now rejects invalid ResourceClaim and \ 
ResourceClaimTemplate names. For a pod, the name generated for the ResourceClaim \ 
when using a template also must be valid.
- Bump default API QPS limits for Kubelet.
- Enable the "StatefulSetStartOrdinal" feature gate in beta
- Extended the kubelet's PodResources API to include resources allocated in \ 
`ResourceClaims` via `DynamicResourceAllocation`. Additionally, added a new \ 
`Get()` method to query a specific pod for its resources.
- Forbid to set matchLabelKeys when labelSelector isn’t set in \ 
topologySpreadConstraints
- GCE does not support LoadBalancer Services with ports with different protocols \ 
(TCP and UDP)
- GRPC probes are now a GA feature. GRPCContainerProbe feature gate was locked \ 
to default value and will be removed in v1.29. If you were setting this feature \ 
gate explicitly, please remove it now.
- Graduate Kubelet Topology Manager to GA.
- Graduate `KubeletTracing` to beta, which means that the feature gate is now \ 
enabled by default.
- Graduate the container resource metrics feature on HPA to beta.
- Introduced a breaking change to the `resource.k8s.io` API in its \ 
`AllocationResult` struct. This change allows a kubelet plugin for the \ 
`DynamicResourceAllocation` feature to service allocations from multiple \ 
resource driver controllers.
- Introduces new alpha functionality to the reflector, allowing users to enable \ 
API streaming.

 To activate this feature, users can set the `ENABLE_CLIENT_GO_WATCH_LIST_ALPHA` \ 
environmental variable.
 It is important to note that the server must support streaming for this feature \ 
to function properly.
 If streaming is not supported by the server, the reflector will revert to the \ 
previous method
 of obtaining data through LIST/WATCH semantics.
- Kubelet: change MemoryThrottlingFactor default value to 0.9 and formulas to \ 
calculate memory.high
- Migrated the DaemonSet controller (within `kube-controller-manager`) to use \ 
[contextual logging](https://k8s.io/docs/concepts/cluster-administration/system-logs/#contextual-logging)
- New `service.kubernetes.io/topology-mode` annotation has been introduced as a \ 
replacement for the `service.kubernetes.io/topology-aware-hints` annotation.
 - `service.kubernetes.io/topology-aware-hints` annotation has been deprecated.
 - kube-proxy now accepts any value that is not "disabled" for these \ 
annotations, enabling custom implementation-specific and/or future built-in \ 
heuristics to be used.
- NodeResourceFit and NodeResourcesBalancedAllocation implement the PreScore \ 
extension point for a more performant calculation.
- Pods owned by a Job will now use the labels `batch.kubernetes.io/job-name` and \ 
`batch.kubernetes.io/controller-uid`.
 The legacy labels `job-name` and `controller-uid` are still added for compatibility.
- Promote CronJobTimeZone feature to GA
- Promoted `SelfSubjectReview` to Beta
- Relax API validation to allow pod node selector to be mutable for gated pods \ 
(additions only, no deletions or mutations).
- Remove deprecated `--enable-taint-manager` and `--pod-eviction-timeout` CLI flags
- Resource.k8s.io/v1alpha1 was replaced with resource.k8s.io/v1alpha2. Before \ 
upgrading a cluster, all objects in resource.k8s.io/v1alpha1 (ResourceClaim, \ 
ResourceClaimTemplate, ResourceClass, PodScheduling) must be deleted. The \ 
changes will be internal, so YAML files which create pods and resource claims \ 
don't need changes except for the newer `apiVersion`.
- SELinuxMountReadWriteOncePod graduated to Beta.
- StatefulSetAutoDeletePVC feature gate promoted to beta.
- The API server now re-uses data encryption keys while the kms v2 plugin's key \ 
ID is stable.  Data encryption keys are still randomly generated on server start \ 
but an atomic counter is used to prevent nonce collisions.
- The API server's encryption at rest configuration now allows the use of \ 
wildcards in the list of resources.  For example, '*.*' can be used to encrypt \ 
all resources, including all current and future custom resources.
- Update KMSv2 to beta
- Updated: Redefine AppProtocol field description and add new standard values
- ValidatingAdmissionPolicy now provides a status field that contains results of \ 
type checking the validation expression.
 The type checking is fully informational, and the behavior of the policy is \ 
unchanged.
- We have removed support for the v1alpha1 kubeletplugin API of \ 
DynamicResourceManagement. All plugins must update to v1alpha2 in order to \ 
function properly going forward.
- Graduated seccomp profile defaulting to GA.

 Set the kubelet `--seccomp-default` flag or `seccompDefault` kubelet \ 
configuration field to `true` to make pods on that node default to using the \ 
`RuntimeDefault` seccomp profile.

 Enabling seccomp for your workload can have a negative performance impact \ 
depending on the kernel and container runtime version in use.

 Guidance for identifying and mitigating those issues is outlined in the \ 
Kubernetes [seccomp tutorial](https://k8s.io/docs/tutorials/security/seccomp).
- Implements API for streaming for the watch-cache

 When sendInitialEvents ListOption is set together with watch=true, it begins \ 
the watch stream with synthetic init events followed by a synthetic \ 
"Bookmark" after which the server continues streaming events.
- Introduce API for streaming.

 Add SendInitialEvents field to the ListOptions. When the new option is set \ 
together with watch=true, it begins the watch stream with synthetic init events \ 
followed by a synthetic "Bookmark" after which the server continues \ 
streaming events.
- Kubelet: a "maxParallelImagePulls" field can now be specified in the \ 
kubelet configuration file to control how many image pulls the kubelet can \ 
perform in parallel.
- PodSchedulingReadiness is graduated to beta.
- In-place resize feature for Kubernetes Pods
 - Changed the Pod API so that the `resources` defined for containers are \ 
mutable for `cpu` and `memory` resource types.
 - Added `resizePolicy` for containers in a pod to allow users control over how \ 
their containers are resized.
 - Added `allocatedResources` field to container status in pod status that \ 
describes the node resources allocated to a pod.
 - Added `resources` field to container status that reports actual resources \ 
applied to running containers.
 - Added `resize` field to pod status that describes the state of a requested \ 
pod resize.
 For details, see KEPs below.
- The PodDisruptionBudget `spec.unhealthyPodEvictionPolicy` field has graduated \ 
to beta and is enabled by default. On servers with the feature enabled, this \ 
field may be set to `AlwaysAllow` to always allow unhealthy pods covered by the \ 
PodDisruptionBudget to be evicted.
- The `DownwardAPIHugePages` kubelet feature graduated to stable / GA.
- Volumes: `resource.claims` gets cleared for PVC specs during create or update \ 
of a pod spec with inline PVC template or of a PVC because it has no effect.
- A fix in the resource.k8s.io/v1alpha1/ResourceClaim API avoids harmless (?) \ 
".status.reservedFor: element 0: associative list without keys has an \ 
element that's a map type" errors in the apiserver. Validation now rejects \ 
the incorrect reuse of the same UID in different entries.
- CacheSize field in EncryptionConfiguration is not supported for KMSv2 provider
- K8s.io/client-go/tools/record.EventBroadcaster: after Shutdown() is called, \ 
the broadcaster now gives up immediately after a failure to write an event to a \ 
sink. Previously it tried multiple times for 12 seconds in a goroutine.
- K8s.io/component-base/logs now also supports adding command line flags to a \ 
flag.FlagSet.
- Update API reference for Requests, specifying they must not exceed limits
- `/metrics/slis` is made available for control plane components allowing you to \ 
scrape health check metrics.
- A terminating pod on a node that is not caused by preemption won't prevent \ 
kube-scheduler from preempting pods on that node
- Rename 'PreemptionByKubeScheduler' to 'PreemptionByScheduler'
- Added new option to the InterPodAffinity scheduler plugin to ignore existing \ 
pods' preferred inter-pod affinities if the incoming pod has no preferred \ 
inter-pod affinities. This option can be used as an optimization for higher \ 
scheduling throughput (at the cost of an occasional pod being scheduled \ 
non-optimally/violating existing pods' preferred inter-pod affinities). To \ 
enable this scheduler option, set the InterPodAffinity scheduler plugin arg \ 
"ignorePreferredTermsOfExistingPods: true".
- Added warnings about workload resources (Pods, ReplicaSets, Deployments, Jobs, \ 
CronJobs, or ReplicationControllers) whose names are not valid DNS labels.
- K8s.io/component-base/logs: usage of the pflag values in a normal Go flag set \ 
led to panics when printing the help message
- Kube-proxy, kube-scheduler and kubelet have HTTP APIs for changing the logging \ 
verbosity at runtime. This now also works for JSON output.
- Kubeadm: explicitly set `priority` for static pods with `priorityClassName: \ 
system-node-critical`
- Kubelet: migrate "--container-runtime-endpoint" and \ 
"--image-service-endpoint" to kubelet config
- Kubernetes components that perform leader election now only support using \ 
Leases for this.
- StatefulSet names must be DNS labels, rather than subdomains.  Any StatefulSet \ 
which took advantage of subdomain validation (by having dots in the name) can't \ 
possibly have worked, because we eventually set `pod.spec.hostname` from the \ 
StatefulSetName, and that is validated as a DNS label.
- The following feature gates for volume expansion GA features have been removed \ 
and must no longer be referenced in `--feature-gates` flags: ExpandCSIVolumes, \ 
ExpandInUsePersistentVolumes, ExpandPersistentVolumes
- The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 \ 
was modified from "set" to "map", resolving an \ 
incompatibility with use of this schema in CustomResourceDefinitions and with \ 
server-side apply.
   2023-05-19 12:43:04 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-kubernetes: updated to 26.1.0

v26.1.0

Kubernetes API Version: v1.26.1

Bug or Regression
- The timeout unit of the WSClient update method is now always seconds for both \ 
poll and select functions.

Feature
- Adds support for loading CA certificates from a file using the \ 
`idp-certificate-authority` key for the oidc plugin.
   2023-01-25 10:17:36 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
py-kubernetes: added version 25.3.0

Python client for kubernetes http://kubernetes.io/