Subject: CVS commit: pkgsrc/sysutils/py-kubernetes
From: Adam Ciarcinski
Date: 2024-05-08 13:55:57
Message id: 20240508115557.A6864FA2C@cvs.NetBSD.org
Log Message:
py-kubernetes: updated to 29.0.0
v29.0.0
Kubernetes API Version: v1.29.0
Bug or Regression
- Fix UTF-8 failures in Watch
- Fix upper version boundary of urllib3, since other dependencies don't support \
urllib3 in version 2
v29.0.0b1
Kubernetes API Version: v1.29.0
Bug or Regression
- Fix UTF-8 failures in Watch
- Fix upper version boundary of urllib3, since other dependencies don't support \
urllib3 in version 2
v29.0.0a1
Kubernetes API Version: v1.29.0
API Change
- `kube-apiserver`: adds `--authentication-config` flag for reading \
`AuthenticationConfiguration`
files. `--authentication-config` flag is mutually exclusive with the existing \
`--oidc-*`
flags.
- `kube-scheduler` component config (`KubeSchedulerConfiguration`) \
`kubescheduler.config.k8s.io/v1beta3`
is removed in `v1.29`. Migrated `kube-scheduler` configuration files to \
`kubescheduler.config.k8s.io/v1`.
- A new sleep action for the `PreStop` lifecycle hook was added, allowing \
containers to pause for a specified duration before termination.
- Added CEL expressions to `v1alpha1 AuthenticationConfiguration`.
- Added Windows support for InPlace Pod Vertical Scaling feature.
- Added `ImageMaximumGCAge` field to Kubelet configuration, which allows a user \
to set the maximum age an image is unused before it's garbage collected.
- Added `UserNamespacesPodSecurityStandards` feature gate to enable user \
namespace support for Pod Security Standards.
Enabling this feature will modify all Pod Security Standard rules to allow \
setting: `spec[.*].securityContext.[runAsNonRoot,runAsUser]`.
This feature gate should only be enabled if all nodes in the cluster support \
the user namespace feature and have it enabled.
The feature gate will not graduate or be enabled by default in future \
Kubernetes releases.
- Added `optionalOldSelf` to `x-kubernetes-validations` to support ratcheting \
CRD schema constraints.
- Added a new `ServiceCIDR` type that allows dynamically configuring the \
cluster range used to allocate `Service ClusterIPs` addresses.
- Added a new `ipMode` field to the `.status` of Services where `type` is set to \
`LoadBalancer`.
The new field is behind the `LoadBalancerIPMode` feature gate.
- Added options for configuring `nf_conntrack_udp_timeout`, and \
`nf_conntrack_udp_timeout_stream` variables of netfilter conntrack subsystem.
- Added support for CEL expressions to `v1alpha1 AuthorizationConfiguration` \
webhook `matchConditions`.
- Added support for projecting `certificates.k8s.io/v1alpha1` ClusterTrustBundle \
objects into pods.
- Added the `DisableNodeKubeProxyVersion` feature gate. If \
`DisableNodeKubeProxyVersion` is enabled, the `kubeProxyVersion` field is not \
set.
- Fixed a bug where CEL expressions in CRD validation rules would incorrectly \
compute a high estimated cost for functions that return strings, lists or maps.
The incorrect cost was evident when the result of a function was used in \
subsequent operations.
- Fixed the API comments for the Job `Ready` field in status.
- Fixed the API comments for the `FailIndex` Job pod failure policy action.
- Go API: the `ResourceRequirements` struct was replaced with \
`VolumeResourceRequirements` for use with volumes.
- Graduated `Job BackoffLimitPerIndex` feature to `beta`.
- Marked the `onPodConditions` field as optional in `Job`'s pod failure policy.
- Promoted `PodReadyToStartContainers` condition to `beta`.
- The `flowcontrol.apiserver.k8s.io/v1beta3` `FlowSchema` and \
`PriorityLevelConfiguration` APIs have been promoted to \
`flowcontrol.apiserver.k8s.io/v1`, with the following changes:
- `PriorityLevelConfiguration`: the `.spec.limited.nominalConcurrencyShares` \
field defaults to `30` only if the field is omitted (v1beta3 also defaulted an \
explicit `0` value to `30`). Specifying an explicit `0` value is not allowed in \
the `v1` version in v1.29 to ensure compatibility with `v1.28` API servers. In \
`v1.30`, explicit `0` values will be allowed in this field in the `v1` API.
The `flowcontrol.apiserver.k8s.io/v1beta3` APIs are deprecated and will no \
longer be served in v1.32. All existing objects are available via the `v1` APIs. \
Transition clients and manifests to use the `v1` APIs before upgrading to \
`v1.32`.
- The `kube-proxy` command-line documentation was updated to clarify that
`--bind-address` does not actually have anything to do with binding to an
address, and you probably don't actually want to be using it.
- The `kube-scheduler` `selectorSpread` plugin has been removed, please use the \
`podTopologySpread` plugin instead.
- The `matchLabelKeys/mismatchLabelKeys` feature is introduced to the hard/soft \
`PodAffinity/PodAntiAffinity`.
- When updating a CRD, per-expression cost limit checks are now skipped for \
`x-kubernetes-validations` rules of versions that are not mutated.
- `CSINodeExpandSecret` feature has been promoted to `GA` in this release and is \
enabled
by default. The CSI drivers can make use of the `secretRef` values passed in \
`NodeExpansion`
request optionally sent by the CSI Client from this release onwards.
- `NodeStageVolume` calls will now be retried if the CSI node driver is not running.
- `PersistentVolumeLastPhaseTransitionTime` is now beta and enabled by default.
- `ValidatingAdmissionPolicy` type checking now supports CRDs and API extensions \
types.
- `kube-apiserver`: added `--authorization-config` flag for reading a \
configuration file containing an `apiserver.config.k8s.io/v1alpha1 \
AuthorizationConfiguration` object. The `--authorization-config` flag is \
mutually exclusive with `--authorization-modes` and `--authorization-webhook-*` \
flags. The `alpha` `StructuredAuthorizationConfiguration` feature flag must be \
enabled for `--authorization-config` to be specified.
- `kube-proxy` now has a new nftables-based mode, available by running
`kube-proxy --feature-gates NFTablesProxyMode=true --proxy-mode nftables`
This is currently an alpha-level feature and while it probably will not
eat your data, it may nibble at it a bit. (It passes e2e testing but has
not yet seen real-world use.)
At this point it should be functionally mostly identical to the iptables
mode, except that it does not (and will not) support Service NodePorts on
127.0.0.1. (Also note that there are currently no command-line arguments
for the nftables-specific config; you will need to use a config file if
you want to set the equivalent of any of the `--iptables-xxx` options.)
As this code is still very new, it has not been heavily optimized yet;
while it is expected to _eventually_ have better performance than the
iptables backend, very little performance testing has been done so far.
- `kube-proxy`: Added an option/flag for configuring the \
`nf_conntrack_tcp_be_liberal` sysctl (in the kernel's netfilter conntrack \
subsystem). When enabled, `kube-proxy` will not install the `DROP` rule for \
invalid conntrack states, which currently breaks users of asymmetric routing.
- Added support for projecting certificates.k8s.io/v1alpha1 ClusterTrustBundle \
objects into pods.
- Adds `optionalOldSelf` to `x-kubernetes-validations` to support ratcheting CRD \
schema constraints
- Fix API comment for the Job Ready field in status
- Fix API comments for the FailIndex Job pod failure policy action.
- A new sleep action for the PreStop lifecycle hook is added, allowing \
containers to pause for a specified duration before termination.
- Add ImageMaximumGCAge field to Kubelet configuration, which allows a user to \
set the maximum age an image is unused before it's garbage collected.
- Add a new ServiceCIDR type that allows dynamically configuring the cluster \
range used to allocate Service ClusterIPs addresses
- Add the DisableNodeKubeProxyVersion feature gate. If \
DisableNodeKubeProxyVersion is enabled, the kubeProxyVersion field is not set.
- Added Windows support for InPlace Pod Vertical Scaling feature.
- Added `UserNamespacesPodSecurityStandards` feature gate to enable user \
namespace support for Pod Security Standards.
Enabling this feature will modify all Pod Security Standard rules to allow \
setting: `spec[.*].securityContext.[runAsNonRoot,runAsUser]`.
This feature gate should only be enabled if all nodes in the cluster support \
the user namespace feature and have it enabled.
The feature gate will not graduate or be enabled by default in future \
Kubernetes releases.
- Added options for configuring nf_conntrack_udp_timeout, and \
nf_conntrack_udp_timeout_stream variables of netfilter conntrack subsystem.
- Adds CEL expressions to v1alpha1 AuthenticationConfiguration.
- Adds support for CEL expressions to v1alpha1 AuthorizationConfiguration \
webhook matchConditions.
- CSINodeExpandSecret feature has been promoted to GA in this release and \
enabled by default. The CSI drivers can make use of the `secretRef` values \
passed in NodeExpansion request optionally sent by the CSI Client from this \
release onwards.
- Graduate Job BackoffLimitPerIndex feature to Beta
- Kube-apiserver: adds --authorization-config flag for reading a configuration \
file containing an apiserver.config.k8s.io/v1alpha1 AuthorizationConfiguration \
object. --authorization-config flag is mutually exclusive with \
--authorization-modes and --authorization-webhook-* flags. The alpha \
StructuredAuthorizationConfiguration feature flag must be enabled for \
--authorization-config to be specified.
- Kube-proxy now has a new nftables-based mode, available by running
kube-proxy --feature-gates NFTablesProxyMode=true --proxy-mode nftables
This is currently an alpha-level feature and while it probably will not
eat your data, it may nibble at it a bit. (It passes e2e testing but has
not yet seen real-world use.)
At this point it should be functionally mostly identical to the iptables
mode, except that it does not (and will not) support Service NodePorts on
127.0.0.1. (Also note that there are currently no command-line arguments
for the nftables-specific config; you will need to use a config file if
you want to set the equivalent of any of the `--iptables-xxx` options.)
As this code is still very new, it has not been heavily optimized yet;
while it is expected to _eventually_ have better performance than the
iptables backend, very little performance testing has been done so far.
- Kube-proxy: Added an option/flag for configuring the \
`nf_conntrack_tcp_be_liberal` sysctl (in the kernel's netfilter conntrack \
subsystem). When enabled, kube-proxy will not install the DROP rule for invalid \
conntrack states, which currently breaks users of asymmetric routing.
- PersistentVolumeLastPhaseTransitionTime is now beta, enabled by default.
- Promote PodReadyToStartContainers condition to beta.
- The flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema and \
PriorityLevelConfiguration APIs have been promoted to \
flowcontrol.apiserver.k8s.io/v1, with the following changes:
- PriorityLevelConfiguration: the `.spec.limited.nominalConcurrencyShares` \
field defaults to `30` only if the field is omitted (v1beta3 also defaulted an \
explicit `0` value to `30`). Specifying an explicit `0` value is not allowed in \
the `v1` version in v1.29 to ensure compatibility with 1.28 API servers. In \
v1.30, explicit `0` values will be allowed in this field in the `v1` API.
The flowcontrol.apiserver.k8s.io/v1beta3 APIs are deprecated and will no longer \
be served in v1.32. All existing objects are available via the `v1` APIs. \
Transition clients and manifests to use the `v1` APIs before upgrading to v1.32.
- The kube-proxy command-line documentation was updated to clarify that
`--bind-address` does not actually have anything to do with binding to an
address, and you probably don't actually want to be using it.
- The matchLabelKeys/mismatchLabelKeys feature is introduced to the hard/soft \
PodAffinity/PodAntiAffinity.
- ValidatingAdmissionPolicy Type Checking now supports CRDs and API extensions types.
- When updating a CRD, per-expression cost limit check is skipped for \
x-kubernetes-validations rules of versions that are not mutated.
- Added a new `ipMode` field to the `.status` of Services where `type` is set to \
`LoadBalancer`.
The new field is behind the `LoadBalancerIPMode` feature gate.
- Fixed a bug where CEL expressions in CRD validation rules would incorrectly \
compute a high estimated cost for functions that return strings, lists or maps.
The incorrect cost was evident when the result of a function was used in \
subsequent operations.
- Go API: the ResourceRequirements struct needs to be replaced with \
VolumeResourceRequirements for use with volumes.
- Kube-apiserver: adds --authentication-config flag for reading \
AuthenticationConfiguration files. --authentication-config flag is mutually \
exclusive with the existing --oidc-* flags.
- Kube-scheduler component config (KubeSchedulerConfiguration) \
kubescheduler.config.k8s.io/v1beta3 is removed in v1.29. Migrate kube-scheduler \
configuration files to kubescheduler.config.k8s.io/v1.
- Mark the onPodConditions field as optional in Job's pod failure policy.
- Retry NodeStageVolume calls if CSI node driver is not running
- The kube-scheduler `selectorSpread` plugin has been removed, please use the \
`podTopologySpread` plugin instead.
Files: