Kubernetes v1.30.0-beta.0 is live!

Meha Bhalodiya

Mar 13, 2024, 2:29:20 AM
to dev
Kubernetes Community,

Kubernetes v1.30.0-beta.0 has been built and pushed using Golang version 1.22.1.

The release notes have been updated in CHANGELOG-1.30.md, with a pointer to them on GitHub:


v1.30.0-beta.0

Downloads for v1.30.0-beta.0

Source Code

Client Binaries

Server Binaries

Node Binaries

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name                                                     architectures
registry.k8s.io/conformance:v1.30.0-beta.0               amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.30.0-beta.0            amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.30.0-beta.0   amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.30.0-beta.0                amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.30.0-beta.0            amd64, arm64, ppc64le, s390x
registry.k8s.io/kubectl:v1.30.0-beta.0                   amd64, arm64, ppc64le, s390x

Changelog since v1.30.0-alpha.3

Changes by Kind

API Change

  • A new (alpha) field, trafficDistribution, has been added to the Service spec. This field provides a way to express preferences for how traffic is distributed to the endpoints for a Service. It can be enabled through the ServiceTrafficDistribution feature gate. (#123487@gauravkghildiyal) [SIG API Machinery, Apps and Network]

  • Add alpha-level support for the SuccessPolicy in Jobs (#123412@tenzen-y) [SIG API Machinery, Apps and Testing]

  • Added (alpha) support for the managedBy field on Jobs. Jobs with a custom value of this field - any value other than kubernetes.io/job-controller - are skipped by the job controller, and their reconciliation is delegated to an external controller, indicated by the value of the field. Jobs that don't have this field at all, or where the field value is the reserved string kubernetes.io/job-controller, are reconciled by the built-in job controller. (#123273@mimowo) [SIG API Machinery, Apps and Testing]

  • Added an alpha feature, behind the RelaxedEnvironmentVariableValidation feature gate. When that gate is enabled, Kubernetes allows almost all printable ASCII characters to be used in the names of environment variables for containers in Pods. (#123385@HirazawaUi) [SIG Apps, Node and Testing]

  • Added alpha support for field selectors on custom resources. Provided that the CustomResourceFieldSelectors feature gate is enabled, the CustomResourceDefinition API now lets you specify selectableFields. Listing a field there allows filtering custom resources for that CustomResourceDefinition in list or watch requests. (#122717@jpbetz) [SIG API Machinery]

  • Added support for configuring multiple JWT authenticators in Structured Authentication Configuration. The maximum allowed JWT authenticators in the authentication configuration is 64. (#123431@aramase) [SIG Auth and Testing]

  • Aggregated discovery supports both v2beta1 and v2 types, and the feature is promoted to GA (#122882@Jefftree) [SIG API Machinery and Testing]

  • Allowing container runtimes to fix an image garbage collection bug by adding an image_id field to the CRI Container message. (#123508@saschagrunert) [SIG Node]

  • AppArmor profiles can now be configured through fields on the PodSecurityContext and container SecurityContext.

    • The beta AppArmor annotations are deprecated.
    • AppArmor status is no longer included in the node ready condition (#123435@tallclair) [SIG API Machinery, Apps, Auth, Node and Testing]

  • Conflicting issuers between JWT authenticators and service account config are now detected and fail on API server startup. Previously such a config would run but would be inconsistently effective depending on the credential. (#123561@enj) [SIG API Machinery and Auth]

  • Dynamic Resource Allocation: DRA drivers may now use "structured parameters" to let the scheduler handle claim allocation. (#123516@pohly) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Instrumentation, Node, Release, Scheduling, Storage and Testing]

  • Graduated pod scheduling gates to general availability. The PodSchedulingReadiness feature gate no longer has any effect, and the .spec.schedulingGates field is always available within the Pod and PodTemplate APIs. (#123575@Huang-Wei) [SIG API Machinery, Apps, Node, Scheduling and Testing]

  • Graduated support for minDomains in pod topology spread constraints, to general availability. The MinDomainsInPodTopologySpread feature gate no longer has any effect, and the field is always available within the Pod and PodTemplate APIs. (#123481@sanposhiho) [SIG API Machinery, Apps, Scheduling and Testing]

  • JWT authenticator config set via the --authentication-config flag is now dynamically reloaded as the file changes on disk. (#123525@enj) [SIG API Machinery, Auth and Testing]

  • Kube-apiserver: the AuthenticationConfiguration type accepted in --authentication-config files has been promoted to apiserver.config.k8s.io/v1beta1. (#123696@aramase) [SIG API Machinery, Auth and Testing]

  • Kube-apiserver: the AuthorizationConfiguration type accepted in --authorization-config files has been promoted to apiserver.config.k8s.io/v1beta1. (#123640@liggitt) [SIG Auth and Testing]

  • Kubelet should fail if NodeSwap is used with LimitedSwap and cgroupv1 node. (#123738@kannon92) [SIG API Machinery, Node and Testing]

  • Kubelet: a custom root directory for pod logs (instead of default /var/log/pods) can be specified using the podLogsDir key in kubelet configuration. (#112957@mxpv) [SIG API Machinery, Node, Scalability and Testing]

  • Kubelet: the .memorySwap.swapBehavior field in kubelet configuration accepts a new value NoSwap and makes this the default if unspecified; the previously accepted UnlimitedSwap value has been dropped. (#122745@kannon92) [SIG API Machinery, Node and Testing]

  • OIDC authentication will now fail if the username asserted based on a CEL expression config is the empty string. Previously the request would be authenticated with the username set to the empty string. (#123568@enj) [SIG API Machinery, Auth and Testing]

  • PodSpec API: remove note that hostAliases are not supported on hostNetwork Pods. The feature has been supported since v1.8. (#122422@neolit123) [SIG API Machinery and Apps]

  • Promote AdmissionWebhookMatchConditions to GA. The feature is now stable and the feature gate is now locked to default. (#123560@ivelichkovich) [SIG API Machinery and Testing]

  • Structured Authentication Configuration now supports discoveryURL. discoveryURL, if specified, overrides the URL used to fetch discovery information. This is for scenarios where the well-known and jwks endpoints are hosted at a different location than the issuer (such as locally in the cluster). (#123527@aramase) [SIG API Machinery, Auth and Testing]

  • Support Recursive Read-only (RRO) mounts (KEP-3857) (#123180@AkihiroSuda) [SIG API Machinery, Apps, Node and Testing]

  • The StructuredAuthenticationConfiguration feature is now beta and enabled by default. (#123719@enj) [SIG API Machinery and Auth]

  • The StorageVersionMigration API, which was previously available as a Custom Resource Definition (CRD), is now a built-in API in Kubernetes. (#123344@nilekhc) [SIG API Machinery, Apps, Auth, CLI and Testing]

  • The kubernetes repo now uses Go workspaces. This should not impact end users at all, but does have impact for developers of downstream projects. Switching to workspaces caused some breaking changes in the flags to the various k8s.io/code-generator tools. Downstream consumers should look at staging/src/k8s.io/code-generator/kube_codegen.sh to see the changes. (#123529@thockin) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Storage and Testing]

  • ValidatingAdmissionPolicy is promoted to GA and will be enabled by default. (#123405@cici37) [SIG API Machinery, Apps, Auth and Testing]

  • When configuring a JWT authenticator:

    If username.expression uses 'claims.email', then 'claims.email_verified' must be used in username.expression or extra[].valueExpression or claimValidationRules[].expression. An example claim validation rule expression that matches the validation automatically applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'. (#123737@enj) [SIG API Machinery and Auth]
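
The email_verified rule above, shown as two alternative --authentication-config files side by side (an added example, not taken from the release notes or the Kubernetes repository). The issuer URL, audience and message text are constructed placeholders.

```yaml
# Constructed example. The two YAML documents below are alternatives,
# not one file: an --authentication-config file holds a single
# AuthenticationConfiguration.

# Does NOT satisfy the rule: the username is derived from claims.email,
# but claims.email_verified is not referenced in username.expression,
# extra[].valueExpression or claimValidationRules[].expression.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
    url: https://issuer.example.com        # placeholder issuer
    audiences:
    - example-audience                     # placeholder audience
  claimMappings:
    username:
      expression: 'claims.email'
---
# Satisfies the rule: a claim validation rule references
# claims.email_verified. The expression is the one quoted in the release
# note; orValue(true) means a token that omits email_verified is still
# accepted, while a token carrying email_verified=false is rejected.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
    url: https://issuer.example.com        # placeholder issuer
    audiences:
    - example-audience                     # placeholder audience
  claimValidationRules:
  - expression: 'claims.?email_verified.orValue(true)'
    message: 'email_verified, when present, must be true'
  claimMappings:
    username:
      expression: 'claims.email'
```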

Feature

  • Added access_mode label to volume_manager_selinux_* metrics. (#123667@jsafrane) [SIG Node, Storage and Testing]

  • Added client-go support for upgrading subresource fields from client-side to server-side management (#123484@erikgb) [SIG API Machinery]

  • Added apiserver_watch_cache_read_wait metric to measure watch cache impact on request latency. (#123190@padlar) [SIG API Machinery and Instrumentation]

  • Adds new flag, namely custom, in kubectl debug to let users customize pre-defined profiles. (#120346@ardaguclu) [SIG CLI]

  • Bump cAdvisor to v0.49.0 (#123599@bobbypage) [SIG Node]

  • Embed Node information into Pod-bound service account tokens as additional metadata

  • Feature gates for RemoteCommand (kubectl exec, cp, and attach) over WebSockets are now enabled by default (Beta).

    • Server-side feature gate: TranslateStreamCloseWebsocketRequests
    • Client-side (kubectl) feature gate: KUBECTL_REMOTE_COMMAND_WEBSOCKETS
    • To turn off RemoteCommand over WebSockets for kubectl, the environment variable feature gate must be explicitly set - KUBECTL_REMOTE_COMMAND_WEBSOCKETS=false (#123281@seans3) [SIG API Machinery, CLI and Testing]

  • Graduated HorizontalPodAutoscaler support for per-container metrics to stable. (#123482@sanposhiho) [SIG API Machinery, Apps and Autoscaling]

  • Graduated forensic container checkpointing KEP #2008 from Alpha to Beta. (#123215@adrianreber) [SIG Node and Testing]

  • In the Pod API, setting the alpha procMount field to Unmasked in a container now requires setting spec.hostUsers=false as well. (#123520@haircommander) [SIG Apps, Auth and Testing]

  • InitContainer's image location will be considered in scheduling when prioritizing nodes. (#123366@kerthcet) [SIG Scheduling]

  • It is possible to configure the IDs that the Kubelet uses to create user namespaces.

    User namespaces support is a Beta feature now. (#123593@giuseppe) [SIG Node]

  • Kube-apiserver now reports latency metric for JWT authenticator authenticate token decisions in the apiserver_authentication_jwt_authenticator_latency_seconds metric, labeled by jwtIssuer hash and result. (#123225@aramase) [SIG API Machinery and Auth]

  • Kube-apiserver now reports the following metrics for authorization webhook match conditions:

    • apiserver_authorization_match_condition_evaluation_errors_total counter metric labeled by authorizer type and name
    • apiserver_authorization_match_condition_exclusions_total counter metric labeled by authorizer type and name
    • apiserver_authorization_match_condition_evaluation_seconds histogram metric labeled by authorizer type and name (#123611@ritazh) [SIG API Machinery, Auth and Testing]

  • Kube-apiserver: Authorization webhooks now report the following metrics:

    • apiserver_authorization_webhook_evaluations_total
    • apiserver_authorization_webhook_duration_seconds
    • apiserver_authorization_webhook_evaluations_fail_open_total (#123639@liggitt) [SIG API Machinery, Auth and Testing]

  • Kube-apiserver: JWT authenticator now reports the following metrics:

    • apiserver_authentication_config_controller_automatic_reloads_total
    • apiserver_authentication_config_controller_automatic_reload_last_timestamp_seconds (#123793@aramase) [SIG API Machinery, Auth and Testing]

  • Kube-apiserver: the StructuredAuthorizationConfiguration feature gate is promoted to beta and allows using the --authorization-configuration flag (#123641@liggitt) [SIG API Machinery and Auth]

  • Kube-controller-manager: increase the global level for broadcaster's logging to 3 so that users can ignore event messages by lowering the logging level. It reduces information noise. (#122293@mengjiao-liu) [SIG API Machinery, Apps, Autoscaling, Network, Node, Scheduling, Storage and Testing]

  • Kubeadm: add the WaitForAllControlPlaneComponents feature gate. It can be used to tell kubeadm to wait for all control plane components to be ready when running "kubeadm init" or "kubeadm join --control-plane". Currently kubeadm only waits for the kube-apiserver. The "kubeadm join" workflow now includes a new experimental phase called "wait-control-plane". This phase will be marked as non-experimental when WaitForAllControlPlaneComponents becomes GA. Accordingly a "kubeadm init" phase "wait-control-plane" will also be available once WaitForAllControlPlaneComponents becomes GA. These phases can be skipped if the user prefers to not wait for the control plane components. (#123341@neolit123) [SIG Cluster Lifecycle]

  • Kubeadm: print all the kubelets and nodes that need to be upgraded on "upgrade plan". (#123578@carlory) [SIG Cluster Lifecycle]

  • Kubectl port-forward over websockets (tunneling SPDY) can be enabled using an Alpha feature flag environment variable: KUBECTL_PORT_FORWARD_WEBSOCKETS=true. The API Server being communicated to must also have an Alpha feature flag enabled: PortForwardWebsockets. (#123413@seans3) [SIG API Machinery, CLI, Node and Testing]

  • Kubernetes is now built with go 1.22.1 (#123750@cpanato) [SIG Release and Testing]

  • Node podresources API now includes init containers with containerRestartPolicy of Always when SidecarContainers feature is enabled. (#120718@gjkim42) [SIG Node and Testing]

  • Promote ImageMaximumGCAge feature to beta (#123424@haircommander) [SIG Node and Testing]

  • Promote PodHostIPs condition to GA and lock to default. (#122870@wzshiming) [SIG Apps, Network, Node and Testing]

  • Target drop-in kubelet configuration dir feature to Beta (#122907@sohankunkerkar) [SIG Node and Testing]

  • The Kubelet rejects creating the pod if hostUserns=false and the CRI runtime does not support user namespaces. (#123216@giuseppe) [SIG Node]

  • The watch cache waits until it is at least as fresh as given requestedWatchRV if sendInitialEvents was requested. (#122830@p0lyn0mial) [SIG API Machinery, Network and Testing]

  • ValidatingAdmissionPolicy now excludes TokenReview, SelfSubjectReview, LocalSubjectAccessReview, and SubjectAccessReview from all versions of the authentication.k8s.io and authorization.k8s.io groups. (#123543@jiahuif) [SIG API Machinery and Testing]

  • kubectl get job now displays the status for the listed jobs. (#123226@ivanvc) [SIG Apps and CLI]

Bug or Regression

  • Adds the namespace when using 'kubectl logs ' and the pod is not found. Previously the message returned would be 'Error from server (NotFound): pods "my-pod-name" not found'. This has been updated to reflect the namespace in the message as follows: 'Error from server (NotFound): pods "my-pod-name" not found in namespace "default"' (#120111@newtondev) [SIG CLI]
  • DRA: ResourceClaim and PodSchedulingContext status updates no longer allow changing object metadata. (#123730@pohly) [SIG Node]
  • Fix CEL estimated cost for expressions that perform operations on the result of map() operations (e.g. .map(...).exists(...)) to have the correct estimated cost instead of an unbounded cost. (#123562@jpbetz) [SIG API Machinery, Auth and Cloud Provider]
  • Fix node lifecycle controller panic when conditionType ready has been patched to nil by mistake (#122874@fusida) [SIG Apps, Network and Node]
  • Fix non-recursive list returning "resource version too high" error when consistent list from cache is enabled (#123674@serathius) [SIG API Machinery]
  • Fixed a bug where an init container with containerRestartPolicy of Always could not update its state from terminated to non-terminated for a pod with restartPolicy of Never or OnFailure. (#123323@gjkim42) [SIG Apps and Node]
  • Fixed incorrect syncCronJob error logging. (#122493@mengjiao-liu) [SIG Apps]
  • Fixed the disruption controller's PDB status synchronization to maintain all PDB conditions during an update. (#122056@dhenkel92) [SIG Apps]
  • Fixes bug where providing a fieldpath to a CRD Validation Rule would erroneously affect the reported field path of other unrelated CRD Validation Rules on the same schema (#123475@alexzielenski) [SIG API Machinery]
  • JWTs used in service account and OIDC authentication are now strictly parsed to confirm that they use compact serialization. Other encodings were not previously accepted, but would result in different unspecific errors. (#123540@enj) [SIG API Machinery and Auth]
  • Kubeadm: in the new output API "output.kubeadm.k8s.io/v1alpha3" modify the UpgradePlan structure that is used when calling "kubeadm upgrade plan ... -o yaml|json", to include a list of multiple available upgrades. (#123461@carlory) [SIG Cluster Lifecycle]
  • Kubeadm: avoid uploading a defaulted flag value "--authorization-mode=Node,RBAC" for the kube-apiserver in the ClusterConfiguration stored in the "kube-system/kubeadm-config" ConfigMap. "Node,RBAC" are already the kubeadm defaults for this flag, so this action is redundant. (#123555@neolit123) [SIG Cluster Lifecycle]
  • OpenAPI V2 will no longer publish aggregated apiserver OpenAPI for group-versions not matching the APIService specified group version (#123570@Jefftree) [SIG API Machinery]
  • Prevent watch cache starvation by moving its watch to separate RPC and add a SeparateCacheWatchRPC feature flag to disable this behavior (#123532@serathius) [SIG API Machinery]
  • The initialization of nodes using external cloud-providers now waits for the providerID value to be available before declaring the node ready. This is required because previously, if there were errors of communication with the cloud-provider on the cloud-controller-manager, nodes may have been declared Ready without having this field or the zone labels, and the information was never reconciled. The providerID and the zone labels are required for integrations like loadbalancers to work correctly. Users can still opt out of this new behavior by setting the feature flag OptionalProviderID in the cloud-controller-manager. (#123331@aojea) [SIG API Machinery, Cloud Provider and Testing]
  • The initialization of nodes using external cloud-providers now waits for the providerID value to be available before untainting it. This is required because, if there are communication errors with the cloud-provider on the cloud-controller-manager, nodes may have been declared Ready without having this field or the zone labels, and this information was never reconciled. The providerID and the zone labels are required for integrations like loadbalancers to work correctly. Cloud providers that do not implement the GetInstanceProviderID method will not require the providerID to be set and will not fail to initialize the node, for backward compatibility. (#123713@aojea) [SIG Cloud Provider]
  • Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786 (#123758@liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]
  • [kubeadm][structured authz] avoid setting default --authorization-mode when --authorization-config is provided (#123654@LiorLieberman) [SIG Cluster Lifecycle]

Other (Cleanup or Flake)

  • Accept zero as a default value for kubectl create token duration (#123565@ah8ad3) [SIG CLI]
  • Update kubedns and nodelocaldns to v1.23.0 (#123310@bzsuni) [SIG Cloud Provider]

Dependencies

Added

Changed

Removed



Contributors, the CHANGELOG-1.30.md has been bootstrapped with v1.30.0-beta.0 release notes and you may edit now as needed.



Published by your Kubernetes Release Managers.
