Kubernetes v1.34.0 is live!

94 views
Skip to first unread message

Matteo Bianchi

unread,
Aug 27, 2025, 1:25:01 PMAug 27
to d...@kubernetes.io
Kubernetes Community,

Kubernetes v1.34.0 has been built and pushed using Golang version 1.24.6.

The release notes have been updated in CHANGELOG-1.34.md, with a pointer to them on GitHub:

v1.34.0

Documentation

Downloads for v1.34.0

Source Code

filenamesha512 hash
kubernetes.tar.gz133a1ea99881ac8988b1931908506b8b02e0533c6c6521b67152c00e0ba5c124870a3a5050887827a7d1b1b8cc4b1da9e2b07f76684975585d0947e5d234faa5
kubernetes-src.tar.gz2fa409c71ce0f98dc540baa0e5058f751ee982cf0b9dfe4d3ed5eea1331586e7a464a631909889f9c0758d364643718a336816343136b603ef59bdf43c7a30d7

Client Binaries

filenamesha512 hash
kubernetes-client-darwin-amd64.tar.gz20b6c4f9327f4d0b5873429595e2b7bdfec6269e9a39dee69e28ff9f3fd168611f56f378b867c35edc605dac23227b0d95083fdbc676c04f5d8d1142ceff829c
kubernetes-client-darwin-arm64.tar.gzc48d5efa26f8313f535a173201c38896fa9147fd46a7d3a085c70dcbb16391a894d4c4f09ecb6d1d7ed081a7d3fdd8f71afadd0253a55808addb383680ef89b7
kubernetes-client-linux-386.tar.gzefc91631134a8cdd543d4e9cf429928b0b7abe2f6212f05ea82ad62830caef74aa4b9b090b45d583912de280e13af87b8b20c0d3fc6fbc43b5c99beb5a9ff8db
kubernetes-client-linux-amd64.tar.gzaa5e3a41986e23ad6910eb86e68eb10217db60978dadc88370c669cb9c9e10d1431133cc8f7401b4e9843e0d15120c867f2803121e690ac7c74ee85eabbc13b5
kubernetes-client-linux-arm.tar.gzaeafc3d539a400e2e1a32ed501aca7e265ed817d0d56acf62f306c26c2be0beac6af88b6478a26df865105a2c13f2006cc1e062189f4b6885814133090228e86
kubernetes-client-linux-arm64.tar.gz24158910deed9d09e99e5fb358bd9758de509f344bfb0b1482b2426e26c1e52f7f97657438fa698b51da10c7444699f7addae58ee67b23f38eb175df0e17661a
kubernetes-client-linux-ppc64le.tar.gzb30f3966ab6d2b723956cd400e73a685ea6431230eb1994bbb995af163f6ba7abbda79834dab3f0fc0a6b4a9c9af3582f07689e100841ea012015070cac9cd80
kubernetes-client-linux-s390x.tar.gzb543accac845a9a8d1fccc62e43d44479247f9ed65d7db7e2fcf0004ee02c7eaf9d10ab977040bf77f4f5171974a1d4d8a1852d93668b1f593ad5f957ba84952
kubernetes-client-windows-386.tar.gz2f60547e2e8800df61c57adfb862031e81ba27cba3edeaf483aa8616820561c6ed9b87778b4e81be14545dcaa35bef9d80c817972039357f8e594a6f4edeeb13
kubernetes-client-windows-amd64.tar.gza528fdec4aa426f0b72ff96f39727842e6561f4c49e273e6f007934f42ab2992fd75a8fa43c9ae7d9f3345091228d43bc03e3bdf3696d36a56b4fb49d20a6e9d
kubernetes-client-windows-arm64.tar.gz467dcadaa8b48d45caa0a5aca5669317fd501689e4a90219c701adb5e9f46ce66085dd3800321e2377c775992180d76aae2e2b84a4f7bb50f997198def0dd8e6

Server Binaries

filenamesha512 hash
kubernetes-server-linux-amd64.tar.gza9ec9abe6a803d55d56753e1be8549223cd34ebcbec26536cbdc277c5f17a28c4942329e1df01a2bd067b60a0c1c2901e240d5014e9ce445400239bd488582af
kubernetes-server-linux-arm64.tar.gzd05fd68c31f30b1853aa927200ce99fc1e7e67b39803be7508c5591b57e74f3496bcd8b50b84afeabd293f41bc647ea4bcb0bf85a7be5b49e8d2604214e5ccda
kubernetes-server-linux-ppc64le.tar.gz173d638506736cfd0bd8ffe7719447895068ed3f3c8a20405548f0db6689bcd63a4f226f6b19e35e7696801c338d9071f2f93392c8ec6316617303350cb44cff
kubernetes-server-linux-s390x.tar.gz80fd0c55c3c1cdbdd47faf9bfcf2f89d36c56bb91c0281c126e8ba84ad36c527f1861646f54dc4258ba6fae0fb8ee23674ed41f811a08758da3fe1337f723748

Node Binaries

filenamesha512 hash
kubernetes-node-linux-amd64.tar.gz93ae93af2d39bf00747b66f365781c64880b4ca235031a7ecae7a9d017e04df7ca925f8c005b1da49447cf64cb3f1ecc790db460e60cd1f98f34aae1434ad103
kubernetes-node-linux-arm64.tar.gz33216af73a02919579985be5d5372ecb305b6fb2013297f3ea36b357d3cf4bce2a07a612e188b76c752aabbe23bdc726645f348f5db43b12893fc80ac65711f3
kubernetes-node-linux-ppc64le.tar.gz781df3a7785435ed365949850ef3c4555e3531826907d75e2edf102cdef8950176c17c8dc8ad97077908b12895eb2cf2796e27418252cb790a7876484270d33a
kubernetes-node-linux-s390x.tar.gz133c8c011e3f0c6094262efa2cd053e96facdfdb603f90eb51b9ee085c082ac82bcd53863cc517f7ae9e219265f8e66e94e4fbdc21ee01b79b72c993792dde5c
kubernetes-node-windows-amd64.tar.gze5f6dbd19106b4f4d125d048f1351be2b6a06a79622ece31c24a2a27c03268474a42a1b0b85b1de46423a66c0ee9e1060e9bcee709ae1668c7a650b5575ccc76

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

namearchitectures
registry.k8s.io/conformance:v1.34.0amd64arm64ppc64les390x
registry.k8s.io/kube-apiserver:v1.34.0amd64arm64ppc64les390x
registry.k8s.io/kube-controller-manager:v1.34.0amd64arm64ppc64les390x
registry.k8s.io/kube-proxy:v1.34.0amd64arm64ppc64les390x
registry.k8s.io/kube-scheduler:v1.34.0amd64arm64ppc64les390x
registry.k8s.io/kubectl:v1.34.0amd64arm64ppc64les390x

Changelog since v1.33.0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • For metrics apiserver_cache_list_fetched_objects_totalapiserver_cache_list_returned_objects_totalapiserver_cache_list_total replace resource_prefix label with API group and resource labels. For metrics etcd_request_duration_secondsetcd_requests_total and etcd_request_errors_total replace type label with API resource and group label. For metric apiserver_selfrequest_total add a API group label. For metrics apiserver_watch_events_sizes and apiserver_watch_events_total replace API kind label with resource label. For metrics apiserver_request_body_size_bytesapiserver_storage_events_received_totalapiserver_storage_list_evaluated_objects_totalapiserver_storage_list_fetched_objects_totalapiserver_storage_list_returned_objects_totalapiserver_storage_list_totalapiserver_watch_cache_events_dispatched_totalapiserver_watch_cache_events_received_totalapiserver_watch_cache_initializations_totalapiserver_watch_cache_resource_versionwatch_cache_capacityapiserver_init_events_totalapiserver_terminated_watchers_totalwatch_cache_capacity_increase_totalwatch_cache_capacity_decrease_totalapiserver_watch_cache_read_wait_secondsapiserver_watch_cache_consistent_read_totalapiserver_storage_consistency_checks_totaletcd_bookmark_countsstorage_decode_errors_total extract the API group from resource label and put it in new group label. (#131845@serathius) [SIG API Machinery, Etcd, Instrumentation and Testing]
  • Kubelet: removed the deprecated flag --cloud-config from the command line. (#130161@carlory) [SIG Cloud Provider, Node and Scalability]
  • Static pods that reference API objects were denied admission by the kubelet so that static pods would not be silently running even after the mirror pod creation failed. (#131837@sreeram-venkitesh) [SIG Auth, Node and Testing]
  • The Scheduling Framework exposed NodeInfos to the PreFilter plugins. The PreFilter plugins now accepted the NodeInfo list from the arguments. (#130720@saintube) [SIG Node, Scheduling, Storage and Testing]

Changes by Kind

Deprecation

  • Apimachinery: Deprecated MessageCountMap and CreateAggregateFromMessageCountMap. (#132376@tico88612)
  • DRA kubelet: gRPC API graduated to v1, v1beta1 was deprecated starting in 1.34. Updating DRA drivers to the k8s.io/dynamic-resource-allocation/kubeletplugin helper from 1.34 added support for both API versions. (#132700@pohly) [SIG Node and Testing]
  • Deprecated the preferences field in kubeconfig in favor of kuberc. (#131741@soltysh) [SIG API Machinery, CLI, Cluster Lifecycle and Testing]
  • Kubeadm: Consistently prefixed errors with error: when printing them. (#132080@neolit123)
  • Kubeadm: Exposed only the non-deprecated klog flags (-v and -vmodule), in line with KEP https://features.k8s.io/2845. (#131647@carsontham)
  • [cloud-provider] Respected the exclude-from-external-load-balancers=false label. (#131085@kayrus) [SIG Cloud Provider and Network]

API Change

  • Added omitempty and opt tag to the API v1beta2 AdminAccess type in the DeviceRequestAllocationResult struct. (#132338@PatrickLaabs)

  • Added a runtime.ApplyConfiguration interface implemented by all generated apply configuration types. (#132194@alvaroaleman) [SIG API Machinery and Instrumentation]

  • Added a detailed event for in-place pod vertical scaling completed, improving cluster management and debugging. (#130387@shiya0705) [SIG API Machinery, Apps, Autoscaling, Node, Scheduling and Testing]

  • Added a mechanism for configurable container restarts: container-level restart rules. This was an alpha feature behind the ContainerRestartRules feature gate. (#132642@yuanwang04) [SIG API Machinery, Apps, Node and Testing]

  • Added a new FileKeyRef field to containers, allowing them to load variables from files by setting this field.

    Introduced the EnvFiles feature gate to govern activation of this functionality. (#132626@HirazawaUi) [SIG API Machinery, Apps, Node and Testing]

  • Added driver-owned fields in ResourceSlice to mark whether the device was shareable among multiple resource claims (or requests) and to specify how each capacity could be shared between different requests.

    • Added user-owned fields in ResourceClaim to specify resource requirements against each device capacity.
    • Added scheduler-owned field in ResourceClaim.Status to specify how much device capacity is reserved for a specific request.
    • Added an additional identifier to ResourceClaim.Status for the device supports multiple allocations.
    • Added a new constraint type to enforce uniqueness of specified attributes across all allocated devices. (#132522@sunya-ch) [SIG API Machinery, Apps, Architecture, CLI, Cluster Lifecycle, Network, Node, Release, Scheduling and Testing]

  • Added new optional APIs in ResouceSlice.Basic and ResourceClaim.Status.AllocatedDeviceStatus. (#130160@KobayashiD27) [SIG API Machinery, Apps, Architecture, Node, Release, Scheduling and Testing]

  • Added support for specifying controlplane or cluster egress selectors in JWT authenticators via the issuer.egressSelectorType field in the AuthenticationConfiguration.jwt array. If unset, the previous behavior of using no egress selector is preserved. This functionality requires the StructuredAuthenticationConfigurationEgressSelector beta feature gate (enabled by default). (#132768@enj) [SIG API Machinery, Auth and Testing]

  • Added support in the Kubelet for monitoring the health of devices allocated via Dynamic Resource Allocation (DRA) and report it in the pod.status.containerStatuses.allocatedResourcesStatus field. This required the DRA plugin to implement the new v1alpha1 NodeHealth gRPC service. This feature was controlled by the ResourceHealthStatus feature gate. (#130606@Jpsassine) [SIG Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Network, Node, Release, Scheduling, Storage and Testing]

  • Added support in the kubelet's image pull credential tracking for service account-based verification. When an image was pulled using service account credentials via external credential providers, subsequent Pods using the same service account (UID, name, and namespace) could access the cached image without re-authentication for the lifetime of that service account. (#132771@aramase) [SIG Auth, Node and Testing]

  • Added validation to reject Pods using the PodLevelResources feature on Windows OS due to lack of support. The API server rejected Pods with pod-level resources and a Pod.spec.os.name targeting Windows. Kubelet on nodes running Windows also rejected Pods with pod-level resources at the admission phase. (#133046@toVersus) [SIG Apps and Node]

  • Added warnings when creating headless service with set loadBalancerIP,externalIPs and/or SessionAffinity. (#132214@Peac36)

  • Allowed pvc.spec.VolumeAttributesClassName to change from non-nil to nil. (#132106@AndrewSirenko)

  • Allowed setting the hostnameOverride field in PodSpec to specify any RFC 1123 DNS subdomain as the pod's hostname. The HostnameOverride feature gate was introduced to control enablement of this functionality. (#132558@HirazawaUi) [SIG API Machinery, Apps, Network, Node and Testing]

  • Changed underlying logic for Eviction Manager helper functions. (#132277@KevinTMtz) [SIG Node, Scheduling and Testing]

  • Changed underlying logic to propagate pod-level hugepage cgroup to containers when they did not specify hugepage resources.

    • Added validation to enforce the hugepage aggregated container limits to be smaller than or equal to pod-level limits. This was already enforced with the defaulted requests from the specified limits, however it did not make it clear about both hugepage requests and limits. (#131089@KevinTMtz) [SIG Apps, Node and Testing]

  • Corrected the documentation to clarify that podSelector is optional and described its default behavior. (#131354@tomoish)

  • DRA API: resource.k8s.io/v1alpha3 now only contains DeviceTaintRule. All other types got removed because they became obsolete when introducing the v1beta1 API in 1.32. before updating a cluster where resourceclaims, resourceclaimtemplates, deviceclasses, or resourceslices might have been stored using Kubernetes < 1.32, delete all of those resources before updating and recreate them as needed while running Kubernetes >= 1.32. (#132000@pohly) [SIG Etcd, Node, Scheduling and Testing]

  • DRA: Starting with Kubernetes 1.34, the alpha-level resource.k8s.io/admin-access label has been updated to resource.kubernetes.io/admin-access. Admins using the alpha feature and updating from 1.33 can set both labels, upgrade, then remove resource.k8s.io/admin-access when no downgrade is going to happen anymore. (#131996@ritazh) [SIG Node and Testing]

  • DRA: The scheduler plugin prevented abnormal filter runtimes by timing out after 10 seconds. This was configurable via the plugin configuration's FilterTimeout. Setting it to zero disabled the timeout and restored the behavior of Kubernetes <= 1.33. (#132033@pohly) [SIG Node, Scheduling and Testing]

  • DRA: When the prioritized list feature was used in a request and the resulting number of allocated devices exceeded the number of allowed devices per claim, the scheduler aborted the attempt to allocate devices early. Previously, it tried to many different combinations, which could take a long time. (#130593@mortent) [SIG Apps, Node, Scheduling and Testing]

  • DRA: removed support for the v1alpha4 kubelet gRPC API (added in 1.31, superseded in 1.32). DRA drivers using the helper package from Kubernetes >= 1.32 use the v1beta1 API and continue to be supported. (#132574@pohly)

  • Deprecated StreamingConnectionIdleTimeout field of the kubelet config. (#131992@lalitc375)

  • Dynamic Resource Allocation: Graduated core functionality to general availability (GA). This newly stable feature uses the structured parameters flavor of DRA. (#132706@pohly) [SIG API Machinery, Apps, Auth, Autoscaling, Etcd, Node, Scheduling and Testing]

  • Enabled kube-apiserver support for PodCertificateRequest and PodCertificate projected volumes (behind the PodCertificateRequest feature gate). (#128010@ahmedtd) [SIG API Machinery, Apps, Auth, Cloud Provider, Etcd, Node, Storage and Testing]

  • Extended resources backed by DRA feature allowed cluster operator to specify extendedResourceName in DeviceClass, and application operator to continue using extended resources in pod's requests to request for DRA devices matching the DeviceClass.

    NodeResourcesFit plugin scoring didn't work for extended resources backed by DRA. (#130653@yliaog) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]

  • Extended the NodePorts scheduling plugin to consider hostPorts used by restartable init containers. (#132040@avrittrohwer) [SIG Scheduling and Testing]

  • Fixed a 1.33 regression that causes a nil panic in kube-scheduler when aggregating resource requested across container's spec and status. (#132895@yue9944882) [SIG Node and Scheduling]

  • Fixed prerelease lifecycle for PodCertificateRequest. (#133350@carlory)

  • Introduced OpenAPI format support for k8s-short-name and k8s-long-name in CustomResourceDefinition schemas. (#132504@jpbetz) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]

  • Introduced the admissionregistration.k8s.io/v1beta1/MutatingAdmissionPolicy API type. To enable, enable the MutatingAdmissionPolicy feature gate (which was off by default) and set --runtime-config=admissionregistration.k8s.io/v1beta1=true on the kube-apiserver. Note that the default stored version remained alpha in 1.34, and whoever enabled beta during 1.34 needed to run a storage migration yourself to ensure you don't depend on alpha data in etcd. (#132821@cici37) [SIG API Machinery, Etcd and Testing]

  • Kube-apiserver: Added support for disabling caching of authorization webhook decisions in the --authorization-config file. The new fields cacheAuthorizedRequests and cacheUnauthorizedRequests could be set to false to prevent caching for authorized or unauthorized requests. See the https://kubernetes.io/docs/reference/access-authn-authz/authorization/#using-configuration-file-for-authorization for more details. (#129237@rfranzke) [SIG API Machinery and Auth]

  • Kube-apiserver: Promoted the StructuredAuthenticationConfiguration feature gate to GA. (#131916@aramase) [SIG API Machinery, Auth and Testing]

  • Kube-apiserver: the AuthenticationConfiguration type accepted in --authentication-config files has been promoted to apiserver.config.k8s.io/v1. (#131752@aramase) [SIG API Machinery, Auth and Testing]

  • Kube-log-runner: Added the -log-file-size parameter to rotate log output into a new file once it reached a certain size. Introduced -log-file-age to enable automatic removal of old output files, and -flush-interval to support periodic flushing. (#127667@zylxjtu) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage, Testing and Windows]

  • Kubectl: Graduated kuberc support to beta. A kuberc configuration file provided a mechanism for customizing kubectl behavior (distinct from kubeconfig, which configures cluster access across different clients). (#131818@soltysh) [SIG CLI and Testing]

  • Promoted Job Pod Replacement Policy to general availability. The JobPodReplacementPolicy feature gate was locked to true and will be removed in a future Kubernetes release. (#132173@dejanzele) [SIG Apps and Testing]

  • Promoted MutableCSINodeAllocatableCount to beta. (#132429@torredil)

  • Promoted feature-gate VolumeAttributesClass to GA

    • Promoted API VolumeAttributesClass and VolumeAttributesClassList to storage.k8s.io/v1. (#131549@carlory) [SIG API Machinery, Apps, Auth, CLI, Etcd, Storage and Testing]

  • Promoted the APIServerTracing feature gate to GA. The --tracing-config-file flag accepted TracingConfiguration in version apiserver.config.k8s.io/v1 (with no changes from apiserver.config.k8s.io/v1beta1). (#132340@dashpole) [SIG API Machinery and Testing]

  • Promoted the AuthorizeWithSelectors and AuthorizeNodeWithSelectors feature gates to stable and locked on. (#132656@liggitt) [SIG API Machinery, Auth and Testing]

  • Promoted the KubeletTracing feature gate to GA. (#132341@dashpole) [SIG Instrumentation and Node]

  • Promoted the RelaxedEnvironmentVariableValidation feature gate to GA and locked it in the enabled state by default. (#132054@HirazawaUi) [SIG Apps, Architecture, Node and Testing]

  • Removed an inaccurate statement about requiring ports when the Pod spec hostNetwork field was set. (#130994@BenTheElder) [SIG Network and Node]

  • Removed deprecated gogo protocol definitions from k8s.io/kubelet/pkg/apis/pluginregistration in favor of google.golang.org/protobuf. (#132773@saschagrunert)

  • Removed deprecated gogo protocol definitions from k8s.io/cri-api in favor of google.golang.org/protobuf. (#128653@saschagrunert) [SIG API Machinery, Auth, Instrumentation, Node and Testing]

  • Replaced Boolean-pointer-helper functions with the k8s.io/utils/ptr implementations. (#132794@PatrickLaabs) [SIG API Machinery, Auth, CLI, Node and Testing]

  • Replaced boolPtrFn helper functions with the "k8s.io/utils/ptr" implementation. (#132907@PatrickLaabs)

  • Replaced deprecated package k8s.io/utils/pointer with k8s.io/utils/ptr for the apiextensions-apiserver apiextensions. (#132723@PatrickLaabs)

  • Replaced deprecated package k8s.io/utils/pointer with k8s.io/utils/ptr for the apiserver (1/2). (#132751@PatrickLaabs) [SIG API Machinery and Auth]

  • Replaced deprecated package k8s.io/utils/pointer with k8s.io/utils/ptr for the component-base. (#132754@PatrickLaabs) [SIG API Machinery, Architecture, Instrumentation and Scheduling]

  • Replaced deprecated package k8s.io/utils/pointer with k8s.io/utils/ptr for the kube-aggregator apiregistration. (#132701@PatrickLaabs)

  • Simplied validation error message for invalid fields by removing redundant field name. (#132513@xiaoweim) [SIG API Machinery, Apps, Auth, Node and Scheduling]

  • Simplied validation error message for required fields by removing redundant messages. (#132472@xiaoweim) [SIG API Machinery, Apps, Architecture, Auth, Cloud Provider, Network, Node and Storage]

  • The KubeletServiceAccountTokenForCredentialProviders feature was beta and enabled by default. (#133017@aramase) [SIG Auth and Node]

  • The conditionType is "oneof" approved/denied check of CertificateSigningRequest's .status.conditions field was migrated to declarative validation. If the DeclarativeValidation feature gate was enabled, mismatches with existing validation are reported via metrics. If the DeclarativeValidationTakeover feature gate was enabled, declarative validation was the primary source of errors for migrated fields. (#133013@aaron-prindle) [SIG API Machinery and Auth]

  • The fallback behavior of the Downward API's resourceFieldRef field was updated to account for pod-level resources: if container-level limits were not set, pod-level limits were now used before falling back to node allocatable resources. (#132605@toVersus) [SIG Node, Scheduling and Testing]

  • The validation of replicas field in the ReplicationController /scale subresource has been migrated to declarative validation. If the DeclarativeValidation feature gate is enabled, mismatches with existing validation are reported via metrics. If the DeclarativeValidationTakeover feature gate is enabled, declarative validation is the primary source of errors for migrated fields. (#131664@jpbetz) [SIG API Machinery and Apps]

  • The validation-gen code generator generated validation code that supported validation ratcheting. (#132236@yongruilin) [SIG API Machinery, Apps, Auth and Node]

  • Updated IsDNS1123SubdomainWithUnderscore so that, when it returned an error, it also returned the correct regex information (dns1123SubdomainFmtWithUnderscore). (#132034@ChosenFoam)

  • Updated etcd version to v3.6.0. (#131501@joshjms) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]

  • Updated the v1 credential provider configuration to include the tokenAttributes.cacheType field. This field is required and must be set to either ServiceAccount or Token when configuring a provider that uses a service account to fetch registry credentials. (#132617@aramase) [SIG Auth, Node and Testing]

  • Zero-value metadata.creationTimestamp values are now omitted and no longer serialize an explicit null in JSON, YAML, and CBOR output (#130989@liggitt) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]

  • AppArmor profiles specified in the Pod or container SecurityContext were no longer copied to deprecated AppArmor annotations (prefix container.apparmor.security.beta.kubernetes.io/). Anything that inspected the deprecated annotations must be migrated to use the SecurityContext fields instead. (#131989@tallclair)

  • MultiCIDRServiceAllocator was locked and enabled by default, DisableAllocatorDualWrite was enabled by default. (#131318@aojea) [SIG API Machinery, Apps, Architecture, Auth, Etcd, Network and Testing]

Feature

  • Added 3 new metrics for monitoring async API calls in the scheduler when the SchedulerAsyncAPICalls feature gate was enabled:

    • scheduler_async_api_call_execution_total: tracks executed API calls by call type and result (success/error)
    • scheduler_async_api_call_duration_seconds: histogram of API call execution duration by call type and result
    • scheduler_pending_async_api_calls: gauge showing current number of pending API calls in the queue. (#133120@utam0k) [SIG Release and Scheduling]

  • Added HPA support to pod-level resource specifications. When the pod-level resource feature was enabled, HPAs configured with Resource type metrics calculated the pod resources from pod.Spec.Resources field, if specified. (#132430@laoj2) [SIG Apps, Autoscaling and Testing]

  • Added Traffic Distribution field to kubectl describe service output (#131491@tchap) [SIG CLI]

  • Added SizeBasedListCostEstimate feature gate that allowed apiserver to estimate sizes of objects to calculate cost of LIST requests. (#132355@serathius) [SIG API Machinery and Etcd]

  • Added apiserver_resource_size_estimate_bytes metric to API server. (#132893@serathius) [SIG API Machinery, Etcd and Instrumentation]

  • Added started_user_namespaced_pods_total and started_user_namespaced_pods_errors_total for tracking the successes and failures in creating pods if a user namespace was requested. (#132902@haircommander) [SIG Node and Testing]

  • Added a --show-swap option to kubectl top subcommands (#129458@iholder101) [SIG CLI]

  • Added a container_swap_limit_bytes metric to expose the swap limit assigned to containers under the LimitedSwap swap behavior. (#132348@iholder101) [SIG Node and Testing]

  • Added a delay to node updates after kubelet startup. A random offset, based on the configured nodeStatusReportFrequency, helped distribute traffic and load from node status updates more evenly over time. The initial status update could occur up to 50% earlier or later than the regular schedule. (#130919@mengqiy)

  • Added a flag to kubectl version to detect whether a client/server version mismatch was outside the officially supported range. (#127365@omerap12)

  • Added a new PreBindPreFlight function to the PreBindPlugin interface. All in-tree PreBind plugins have been updated to implement PreBindPreFlight function. (#132391@sanposhiho) [SIG Node, Scheduling, Storage and Testing]

  • Added a warning when alpha metrics are used with emulated versions. (#132276@michaelasp) [SIG API Machinery and Architecture]

  • Added alpha metrics for compatibility versioning (#131842@michaelasp) [SIG API Machinery, Architecture, Instrumentation and Scheduling]

  • Added configurable flags to kube-apiserver for coordinated leader election. (#132433@michaelasp) [SIG API Machinery and Testing]

  • Added machine readable output options (JSON & YAML) to kubectl api-resources. (#132604@dharmit) [SIG Apps, CLI and Network]

  • Added memory tracking to scheduler performance tests to help detect memory leaks and monitored memory usage patterns while running scheduler_perf. (#132910@utam0k) [SIG Scheduling and Testing]

  • Added support for CEL expressions with escaped names in the structured authentication config. Using [...] to access claims or user data was recommended when names contained characters that would otherwise need escaping. CEL optionals with ? could be used where has was not applicable — for example, claims[?"kubernetes.io"] or user.extra[?"domain.io/foo"]. (#131574@enj) [SIG API Machinery and Auth]

  • Added support for --cpu--memory flag to kubectl autoscale, started deprecating --cpu-precent. (#129373@googs1025)

  • Added support for a new kubectl output format, kyaml. KYAML was a strict subset of YAML and should be accepted by any YAML processor. The formatting of KYAML was halfway between JSON and YAML. Because it was more explicit than the default YAML style, it was less error-prone. (#132942@thockin) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Contributor Experience, Instrumentation, Network, Node, Scheduling, Storage and Testing]

  • Added the DetectCacheInconsistency feature gate, allowing the API server to periodically verify consistency between its cache and etcd. Detected inconsistencies reported via the apiserver_storage_consistency_checks_total metric and trigger purging of affected cache snapshots. (#132884@serathius) [SIG API Machinery, Instrumentation and Testing]

  • Added the SizeBasedListCostEstimate feature gate (enabled by default), which changes how APF seats are assigned to LIST requests. With this feature, one seat is assigned per 100KB of data loaded into memory at once during a LIST operation. (#132932@serathius)

  • Added useful endpoints for kube-apiserver. (#132581@itssimrank) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]

  • Built Kubernetes using Go 1.24.3. (#131934@cpanato) [SIG Release and Testing]

  • Built Kubernetes using Go 1.24.4. (#132222@cpanato) [SIG Release and Testing]

  • Bumped DRA API version to v1 in deviceattribute package in k8s.io/dynamic-resource-allocation. (#133164@everpeace)

  • Bumped KubeletCgroupDriverFromCRI to GA and add metric to track out-of-support CRI implementations. (#133157@haircommander) [SIG Node and Testing]

  • CRI API had auth fields in image pulling marked as debug_redact. (#133135@SergeyKanzhelev)

  • Changed handling of CustomResourceDefinitions with unrecognized formats. Writing a schema with an unrecognized format now triggered a warning (the write was still accepted). (#133136@yongruilin)

  • DRA kubelet: Fixed the kubelet to also clean up ResourceSlices in some additional failure scenarios (driver was removed forcibly or crashed and did not restart). (#132058@pohly) [SIG Node and Testing]

  • DRAAdminAccess was enabled by default allowing users to create ResourceClaims and ResourceClaimTemplates in privileged mode to grant access to devices that were in use by other users for admin tasks like monitoring health or status of the device. (#133085@ritazh) [SIG Auth and Node]

  • Demoted KEP-5278 feature gates ClearingNominatedNodeNameAfterBinding and NominatedNodeNameForExpectation to alpha from beta. (#133293@utam0k) [SIG Scheduling and Testing]

  • Deprecated apiserver_storage_objects and replaced it with apiserver_resource_objects metric using labels consistent with other metrics. (#132965@serathius) [SIG API Machinery, Etcd and Instrumentation]

  • Eliminated work when creating Services or understanding port purposes, especially for external resources deployed via Helm charts. (#133018@rushmash91)

  • Enabled compact snapshots in the watch cache based on etcd compaction events. (#132876@serathius) [SIG API Machinery and Etcd]

  • Enabled completion for aliases defined in kubectlrc. (#131586@ardaguclu)

  • Ensured memory resizing for Guaranteed QoS pods on static Memory policy configurations was gated by InPlacePodVerticalScalingExclusiveMemory (defaults: false). (#132473@pravk03) [SIG Node, Scheduling and Testing]

  • Ensured that non-scheduling related errors (e.g., network errors) did not lengthen the Pod scheduling backoff time. (#128748@sanposhiho) [SIG Scheduling and Testing]

  • Executed API calls dispatched during pod scheduling asynchronously if the SchedulerAsyncAPICalls feature gate was enabled. Out-of-tree plugins used APIDispatcher and APICacher from the framework to dispatch their own calls. (#132886@macsko) [SIG Release, Scheduling and Testing]

  • Fixed recording the kubelet_container_resize_requests_total metric to include all resize-related updates. (#133060@natasha41575)

  • Graduated ListFromCacheSnapshot to beta. (#132901@serathius) [SIG API Machinery and Etcd]

  • Graduated PodLevelResources feature to beta and have it on by default. This feature allowed defining CPU and memory resources for an entire pod in pod.spec.resources. (#132999@ndixita)

  • Graduated PodObservedGenerationTracking feature to beta and had it on by default. This feature meant that the top level status.observedGeneration and status.conditions[].observedGeneration fields in Pods were populated to reflect the metadata.generation of the podspec at the time that the status or condition was reported. (#132912@natasha41575) [SIG Apps, Node and Testing]

  • Graduated ResilientWatchCacheInitialization to GA. (#131979@serathius)

  • Graduated StreamingCollectionEncodingToJSON and StreamingCollectionEncodingToProtobuf to GA. (#132648@serathius)

  • Graduated configurable endpoints for anonymous authentication using the authentication configuration file to stable. (#131654@vinayakankugoyal) [SIG API Machinery and Testing]

  • Graduated relaxed DNS search string validation to GA. For the Pod API, .spec.dnsConfig.searches now allows an underscore (_) where a dash (-) would be allowed, and it allows search strings be a single dot .. (#132036@adrianmoisey) [SIG Network and Testing]

  • Graduated scheduler QueueingHint support to GA (general availability) (#131973@sanposhiho) [SIG Scheduling and Testing]

  • Graduated the WinOverlay feature in the kube-proxy to GA. The WinOverlay feature gate was enabled by default. (#133042@rzlink) [SIG Network and Windows]

  • Graduated the ConsistentListFromCache to GA. (#132645@serathius)

  • Graduated the WatchList feature gate to beta for kube-apiserver and enabled WatchListClient for KCM. (#132704@p0lyn0mial) [SIG API Machinery and Testing]

  • Graduated the WinDSR feature in the kube-proxy to GA. The WinDSR feature gate was enabled by default. (#132108@rzlink) [SIG Network and Windows]

  • If PreBindPreFlight returned Skip, the scheduler didn't run the plugin at PreBind. If any PreBindPreFlight returned Success, the scheduler put NominatedNodeName to the pod so that other components (such as the cluster autoscaler) could notice the pod was going to be bound to the node. (#133021@sanposhiho) [SIG Scheduling and Testing]

  • Implemented prioritization of resize requests based on priorityClass and QoS class when node resources are insufficient to accommodate all pending resize operations. (#132342@natasha41575) [SIG Node and Testing]

  • Included the namespace in the output of kubectl delete for better identification of resources. (#126619@totegamma)

  • Increased APF max seats to 100 for LIST requests. (#133034@serathius)

  • Introduced a method GetPCIeRootAttributeByPCIBusID(pciBusID) for third-party DRA drivers to provide common logic for the standardized device attribute resource.kubernetes.io/pcieRoot. (#132296@everpeace)

  • Kube-apiserver reported the last configuration hash as a label in

    • apiserver_authentication_config_controller_last_config_info metric after successfully loading the authentication configuration file.
    • apiserver_authorization_config_controller_last_config_info metric after successfully loading the authorization configuration file.
    • apiserver_encryption_config_controller_last_config_info metric after successfully loading the encryption configuration file. (#132299@aramase) [SIG API Machinery, Auth and Testing]

  • Kube-apiserver: Each unique set of etcd server overrides specified with --etcd-servers-overrides surfaced health checks named etcd-override-<index> and etcd-override-readiness-<index>. These checks were still excluded by the ?exclude=etcd and ?exclude=etcd-readiness directives. (#129438@pacoxu) [SIG API Machinery and Testing]

  • Kube-apiserver: Previously persisted CustomResourceDefinition objects with an invalid whitespace-only caBundle could serve requests that did not require conversion. (#132514@tiffanny29631)

  • Kube-apiserver: Promoted the ExternalServiceAccountTokenSigner feature to beta, which enabled external signing of service account tokens and fetching of public verifying keys. This was accomplished by enabling the beta ExternalServiceAccountTokenSigner feature gate and specifying the --service-account-signing-endpoint flag. The flag value could either be the path to a Unix domain socket on the filesystem, or be prefixed with @ to indicate a Unix domain socket in the abstract namespace. (#131300@HarshalNeelkamal) [SIG API Machinery, Auth and Testing]

  • Kube-proxy: Checked whether IPv6 was available on Linux before using it. (#131265@rikatz)

  • Kubeadm: Added support for ECDSA-P384 as an encryption algorithm type in v1beta4. (#131677@lalitc375)

  • Kubeadm: Fixed an issue where etcd member promotion failed with an error indicating the member was already promoted. (#130782@BernardMC)

  • Kubeadm: graduated the NodeLocalCRISocket feature gate to beta and enabed it by default. When its enabled, kubeadm will:

    1. Generate a /var/lib/kubelet/instance-config.yaml file to customize the containerRuntimeEndpoint field in per-node kubelet configurations.
    2. Remove the kubeadm.alpha.kubernetes.io/cri-socket annotation from nodes during upgrade operations.
    3. Remove the --container-runtime-endpoint flag from the /var/lib/kubelet/kubeadm-flags.env file during upgrades. (#131981@HirazawaUi) [SIG Cluster Lifecycle]

  • Kubeadm: graduated the kubeadm specific feature gate WaitForAllControlPlaneComponents to GA. The feature gate is was locked to always be enabled and on node initialization kubeadm performed a health check for all control plane components and not only the kube-apiserver. (#132594@neolit123)

  • Kubeadm: switched the validation check for Linux kernel version to throw warnings instead of errors. (#131919@neolit123) [SIG Cluster Lifecycle and Node]

  • Kubelet detected terminal CSI volume mount failures due to exceeded attachment limits on the node and marked the Stateful Pod as Failed, allowing its controller to recreate it. This prevented Pods from getting stuck indefinitely in the ContainerCreating state. (#132933@torredil) [SIG Apps, Node, Storage and Testing]

  • Kubelet reported a hash of the credential provider configuration via the kubelet_credential_provider_config_info metric. The hash was exposed in the hash label. (#133016@aramase) [SIG API Machinery and Auth]

  • Kubelet: Extended the --image-credential-provider-config flag to accept a directory path in addition to a single file. When a directory was specified, all .json, .yaml, and .yml files in that directory were loaded and merged in lexicographical order. (#131658@dims) [SIG Auth and Node]

  • LeaseLocks could now have custom labels that different holders would overwrite when they became the holder of the underlying lease. (#131632@DerekFrank)

  • Memory limits could be decreased with a NotRequired resize restart policy. When decreasing memory limits,a best-effort check was performed to prevent limits from decreasing below usage and triggering an OOM-kill. (#133012@tallclair) [SIG Apps, Node and Testing]

  • Migrated validation in CertificateSigningRequest to use declarative validation. When the DeclarativeValidation feature gate is enabled, mismatches with existing validation are reported via metrics. If DeclarativeValidationTakeover is enabled, declarative validation becomes the primary source of errors for migrated fields. (#132361@yongruilin) [SIG API Machinery and Auth]

  • Moved Recover from volume expansion failure to GA. (#132662@gnufied) [SIG Apps, Auth, Node, Storage and Testing]

  • Prevented any type of CPU/Memory alignment or hint generation with the Topology Manager from the CPU or Memory Manager when pod-level resources were used in the Pod spec. (#133279@ffromani) [SIG Node and Testing]

  • Promoted Linux node pressure stall information (PSI) metrics to beta. (#132822@roycaihw) [SIG Node]

  • Promoted Windows graceful shutdown feature from alpha to beta. (#133062@zylxjtu)

  • Promoted the Ordered Namespace Deletion test to Conformance. (#132219@BenTheElder) [SIG API Machinery, Architecture and Testing]

  • Promoted the KubeletPodResourcesDynamicResources and KubeletPodResourcesGet feature gates to beta, which were enabled by default if DRA went to GA. (#132940@guptaNswati)

  • Promoted the feature OrderedNamespaceDeletion to GA. (#131514@cici37) [SIG API Machinery and Testing]

  • Removed "endpoint-controller" and "workload-leader-election" FlowSchemas from the default APF configuration.

    migrate the lock type used in the leader election in your workloads from configmapsleases/endpointsleases to leases. (#131215@tosi3k) [SIG API Machinery, Apps, Network, Scalability and Scheduling]

  • Started recording metrics for in-place Pod resize. (#132903@natasha41575)

  • The Kubernetes API server merged selectors built from matchLabelKeys into the labelSelector of topologySpreadConstraints, aligning Pod Topology Spread behavior with Inter-Pod Affinity. To prevent breaking existing Pods using matchLabelKeys, this scheduler behavior was preserved until v1.34. Upgrades from v1.32 to v1.34 should be done incrementally (v1.32 → v1.33 → v1.34), ensuring Pods created at v1.32 with matchLabelKeys are scheduled before reaching v1.34. Controllers relying on matchLabelKeys no longer need to handle them directly and can use labelSelector instead. The new feature gate MatchLabelKeysInPodTopologySpreadSelectorMerge, enabled by default, controls this behavior. (#129874@mochizuki875) [SIG Apps, Node, Scheduling and Testing]

  • The PreferSameTrafficDistribution feature gate is now enabled by default, enabling the PreferSameNode traffic distribution value for Services. (#132127@danwinship) [SIG Apps and Network]

  • The new dra_resource_claims_in_use kubelet metrics reported active ResourceClaims, overall and by driver. (#131641@pohly) [SIG Architecture, Instrumentation, Node and Testing]

  • The scheduler no longer cleared the nominatedNodeName field for Pods. External components, such as Cluster Autoscaler and Karpenter, were responsible for managing this field when needed. (#133276@macsko) [SIG Scheduling and Testing]

  • The validation in the CertificateSigningRequest /status and /approval subresources was migrated to declarative validation. If the DeclarativeValidation feature gate was enabled, mismatches with existing validation are reported via metrics. If the DeclarativeValidationTakeover feature gate was enabled, declarative validation was the primary source of errors for migrated fields. (#133068@yongruilin) [SIG API Machinery and Auth]

  • Updated kube-controller-manager events to support contextual logging. (#128351@mengjiao-liu)

  • Updated pause version to registry.k8s.io/pause:3.10.1. (#130713@ArkaSaha30) [SIG Cluster Lifecycle, Node, Scheduling and Testing]

  • Updated the Kubernetes build environment to use Go 1.24.5. (#132896@cpanato) [SIG Release and Testing]

  • Updated the built in system:monitoring role with permission to access kubelet metrics endpoints. (#132178@gavinkflam) [SIG Auth]

  • When RelaxedServiceNameValidation feature gate is enabled, the names of new Services names are validation with NameIsDNSLabel(), relaxing the pre-existing validation. (#132339@adrianmoisey) [SIG Apps, Network and Testing]

  • When proxying to an aggregated API server, kube-apiserver used the EndpointSlices of the service indicated by the APIServer, rather than using Endpoints.

    If you were using the aggregated API server feature, and you were writing out the endpoints for it by hand (rather than letting kube-controller-manager generate Endpoints and EndpointSlices for it automatically based on the Service definition), then you should write out an EndpointSlice object rather than (or in addition to) an Endpoints object. (#129837@danwinship) [SIG API Machinery, Network and Testing]

  • Whenever a pod was successfully bound to a node, the kube-apiserver cleared the pod's nominatedNodeName field. This prevented stale information from affecting external scheduling components. (#132443@utam0k) [SIG Apps, Node, Scheduling and Testing]

  • DRAPrioritizedList was turned on by default which made it possible to provide a prioritized list of subrequests in a ResourceClaim. (#132767@mortent) [SIG Node, Scheduling and Testing]

  • PodLifecycleSleepAction was graduated to GA. (#132595@AxeZhan) [SIG Apps, Node and Testing]

  • kube-controller-manager reported the following metrics for ResourceClaims with admin access:

    • resourceclaim_controller_creates_total count metric with labels admin_access (true or false), status (failure or success) to track the total number of ResourceClaims creation requests
    • resourceclaim_controller_resource_claims gauge metric with labels admin_access (true or false), allocated (true or false) to track the current number of ResourceClaims. (#132800@ritazh) [SIG Apps, Auth, Instrumentation and Node]

  • kubeadm: Started using a named port probe-port for all probes in the static pod manifests generated by kubeadm for the kube-apiserverkube-controller-managerkube-scheduler, and related components. If probe port values were previously patched using kubeadm patches, the corresponding named port under the container’s ports field must now also be patched. (#132776@neolit123)

Failing Test

  • DRA driver helper: Fixed handling of apiserver restart when running on a Kubernetes version which did not support the resource.k8s.io version used by the DRA driver. (#133076@pohly) [SIG Node and Testing]
  • Fixed e2e test "[Driver: csi-hostpath] [Testpattern: Dynamic PV (filesystem volmode)] volumeLimits should support volume limits" not to leak Pods and namespaces. (#132674@jsafrane) [SIG Storage and Testing]
  • Kube-apiserver: The --service-account-signing-endpoint flag now only validates the format of abstract socket names (#131509@liggitt) [SIG API Machinery and Auth]

Bug or Regression

  • Added podSpec validation for creating StatefulSet. (#131790@chengjoey) [SIG Apps, Etcd and Testing]
  • Checked for newer resize fields when deciding the recovery feature status in the kubelet. (#131418@gnufied)
  • Clarified help message of --ignore-not-found flag. Supported --ignore-not-found in watch operation. (#132542@gemmahou)
  • DRA drivers: the resource slice controller sometimes didn't react properly when kubelet or someone else deleted a recently created ResourceSlice. It incorrectly assumed that the ResourceSlice still exists and didn't recreate it. (#132683@pohly) [SIG Apps, Node and Testing]
  • DRA: Ensured that ResourceClaims requesting a fixed number of devices with adminAccess were no longer allocated the same device multiple times. (#131299@nojnhuh)
  • Disabled reading of disk geometry before calling expansion for ext and xfs filesystems. (#131568@gnufied)
  • Ensured objects are transformed prior to storage in SharedInformers if a transformer is provided and WatchList is activated. (#131799@valerian-roche)
  • Fixed API response for StorageClassList queries to return a graceful error message, if the provided ResourceVersion is too large. (#132374@PatrickLaabs) [SIG API Machinery and Etcd]
  • Fixed ReplicationController reconciliation when the DeploymentReplicaSetTerminatingReplicas feature gate was enabled. (#131822@atiratree)
  • Fixed a bug in CEL's common.UnstructuredToVal where == evaluates to false for identical objects when a field is present but the value is null. This bug does not impact the Kubernetes API. (#131559@jpbetz) [SIG API Machinery]
  • Fixed a bug in the Job controller that could result in creating unnecessary Pods for Jobs already marked as finished (either successful or failed). (#130333@kmala) [SIG Apps and Testing]
  • Fixed a bug that caused an unexpected delay in creating Pods for newly created Jobs. (#132109@linxiulei) [SIG Apps and Testing]
  • Fixed a bug that caused duplicate validation when updating a ReplicaSet. (#131873@gavinkflam) [SIG Apps]
  • Fixed a bug that fails to create a replica set when a deployment name is too long. (#132560@hdp617) [SIG API Machinery and Apps]
  • Fixed a bug that the async preemption feature keeps preemptor pods unnecessarily in the queue. (#133167@sanposhiho) [SIG Scheduling]
  • Fixed a panic issue related to kubectl revision history kubernetes/kubectl#1724 (#130503@tahacodes) [SIG CLI]
  • Fixed a possible deadlock in the watch client that could happen if the watch was not stopped. (#131266@karlkfi) [SIG API Machinery]
  • Fixed a regression introduced in 1.33 where some paginated LIST calls fell back to etcd instead of being served from cache. (#132244@hakuna-matatah)
  • Fixed an incorrect reference to JoinConfigurationKind in the error message when no ResetConfiguration is found during kubeadm reset with the --config flag. (#132258@J3m3) [SIG Cluster Lifecycle]
  • Fixed an issue that allowed Custom Resources to be created using Server-Side Apply even when their CustomResourceDefinition was terminating. (#132467@sdowell)
  • Fixed an issue where Windows kube-proxy’s ModifyLoadBalancer API updates did not match the HNS state in version 15.4. Support for ModifyLoadBalancer policy began with Kubernetes 1.31+. (#131506@princepereira)
  • Fixed an issue where insufficientResources was logged as a pointer during pod preemption, making logs more readable. (#132183@chrisy-x) [SIG Node]
  • Fixed an issue where the kubelet token cache returned stale tokens when service accounts were recreated with the same name. The cache is now UID-aware. Additionally, the new TokenRequestServiceAccountUIDValidation feature gate (Beta, enabled by default) ensures the TokenRequest UID matches the service account UID when set. (#132803@aramase) [SIG API Machinery, Auth, Node and Testing]
  • Fixed bug that prevented the alpha feature PodTopologyLabelAdmission from working due to checking for the incorrect label key when copying topology labels. This bug delayed the graduation of the feature to beta by an additional release to allow time for meaningful feedback. (#132462@munnerz)
  • Fixed incorrect behavior for AllocationMode: All in ResourceClaim when used in subrequests. (#131660@mortent) [SIG Node]
  • Fixed misleading response codes in admission control metrics. (#132165@gavinkflam) [SIG API Machinery, Architecture and Instrumentation]
  • Fixed runtime cost estimation for x-int-or-string custom resource schemas with maximum lengths. (#132837@JoelSpeed)
  • Fixed the allocatedResourceStatuses field name mismatch in PVC status validation. (#131213@carlory)
  • Fixed the observedGeneration field in pod resize conditions to accurately reflect the associated pod generation when both InPlacePodVerticalScaling and PodObservedGenerationTracking feature gates are enabled. (#131157@natasha41575)
  • Fixed the bug when swap related metrics were not available in /metrics/resource endpoint. (#132065@yuanwang04) [SIG Node and Testing]
  • Fixed the problem of validation error when specifying resource requirements at the container level for a resource not supported at the pod level. It implicitly interpreted the pod-level value as 0. (#132551@chao-liang) [SIG Apps]
  • Fixed validation for Job with suspend=true, and completions=0 to set the Complete condition. (#132614@mimowo) [SIG Apps and Testing]
  • HPA status displayed memory metrics using Ki. (#132351@googs1025) [SIG Apps and Autoscaling]
  • Improved the error message shown when a Pod using user namespaces was created on a runtime that did not support user namespaces. (#131623@rata)
  • Kube-apiserver: Defaulted empty spec.jobTemplate.spec.podFailurePolicy.rules[*].onPodConditions[*].status fields for CronJob objects as documented, avoiding validation failures during write requests. (#131525@carlory)
  • Kube-apiserver: Fixed OIDC discovery document publishing when external service account token signing was enabled. (#131493@hoskeri) [SIG API Machinery, Auth and Testing]
  • Kube-proxy: Removed the iptables CLI wait interval flag. (#131961@cyclinder)
  • Kube-scheduler: in Kubernetes 1.33, the number of devices that can be allocated per ResourceClaim was accidentally reduced to 16. Now the supported number of devices per ResourceClaim is 32 again. (#131662@mortent) [SIG Node]
  • Kubeadm: Fixed a bug where the default args for etcd were not correct when a local etcd image was used and the etcd version was less than 3.6.0. (#133023@carlory)
  • Kubelet: Closed a loophole that allowed static Pods to reference arbitrary ResourceClaims. Even though these Pods failed to run due to a sanity check, such references are now explicitly disallowed. (#131844@pohly) [SIG Apps, Auth and Node]
  • Kubelet: Fixed a bug that caused an unexpected NodeResizeError condition to appear in the PVC status when the CSI driver did not support node volume expansion and the PVC had the ReadWriteMany access mode. (#131495@carlory)
  • Modified the node-local podresources API endpoint to consider only active pods. Since this changes long-standing behavior, the KubeletPodResourcesListUseActivePods feature gate (enabled by default) can be disabled to restore the previous behavior. Users encountering regressions are encouraged to file an issue if they rely on the old behavior. (#132028@ffromani) [SIG Node and Testing]
  • Pods were not allowed to mix the usage of user-namespaces (hostUsers: false) and volumeDevices. Kubernetes returned an error in this case. (#132868@rata)
  • Reduced the 5s delay before tainting node.kubernetes.io/unreachable:NoExecute when a Node became unreachable. (#120816@tnqn) [SIG Apps and Node]
  • Removed defunct make vet target, please use make lint instead (#132509@yongruilin) [SIG Testing]
  • Removed the deprecated flag --wait-interval for the ip6tables-legacy-restore binary. (#132352@PatrickLaabs)
  • ReplicaSets and Deployments should always count .status.availableReplicas at the correct time without a delay. This results in faster reconciliation of Deployment conditions and faster, unblocked Deployment rollouts. (#132121@atiratree) [SIG Apps]
  • Resolved a bug where DaemonSet updates unnecessarily triggered duplicate validation due to overlapping calls to ValidateDaemonSet and ValidateDaemonSetUpdate. This redundancy has been removed to prevent repeated validation runs. (#132548@gavinkflam)
  • Skipped pod backoff entirely when the PodMaxBackoffDuration kube-scheduler option was set to zero and the SchedulerPopFromBackoffQ feature gate was enabled. (#131965@macsko)
  • Stopped expanding PVCs annotated with node-expand-not-required. (#131907@gnufied) [SIG API Machinery, Etcd, Node, Storage and Testing]
  • Stopped expanding the volume on the node if controller-side expansion was already completed. (#131868@gnufied)
  • Stopped logging error events when waiting for expansion on the kubelet. (#131408@gnufied)
  • Stopped removing the CSI JSON file if the volume was already mounted during subsequent errors. (#131311@gnufied)
  • The baseline and restricted pod security admission levels blocked setting the host field on probe and lifecycle handlers. (#125271@tssurya) [SIG Auth, Node and Testing]
  • The garbage collection controller no longer raced with changes to ownerReferences when deleting orphaned objects. (#132632@sdowell) [SIG API Machinery and Apps]
  • The shorthand for --output flag in kubectl explain was accidentally deleted, but has been added back. (#131962@superbrothers) [SIG CLI]
  • Updated Windows kube-proxy to align with Linux behavior by correctly honoring the port specified in EndpointSlice for internal traffic routing. (#132647@princepereira) [SIG Network and Windows]
  • Updated kube-proxy with nftables to reject or drop traffic to services with no endpoints from filter chains at priority 0 (NF_IP_PRI_FILTER). (#132456@aroradaman)
  • Updated kubectl get job to display the SuccessCriteriaMet status for listed jobs. (#132832@Goend) [SIG Apps and CLI]
  • Updated the HPA controller so that it no longer emitted a FailedRescale event if a scale operation initially failed due to a conflict but succeeded after a retry; it now emitted a SuccessfulRescale event in this case. A FailedRescale event was still emitted if all retries were exhausted. (#132007@AumPatel1) [SIG Apps and Autoscaling]
  • Statefulset respected minReadySeconds. (#130909@Edwinhr716)
  • kubectl create|delete|get|replace --raw commands now honored the server root paths specified in the kubeconfig file. (#131165@liggitt)

Other (Cleanup or Flake)

Dependencies

Added

Changed

Removed


Contributors, the CHANGELOG-1.34.md has been bootstrapped with v1.34.0 release notes and you may edit now as needed.



Published by your Kubernetes Release Managers.

Reply all
Reply to author
Forward
0 new messages