Kubernetes v1.25.0 has been built and pushed using Golang version 1.19.
The release notes have been updated in CHANGELOG-1.25.md, with a pointer to them on GitHub:
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
PodSecurityPolicy was initially deprecated in v1.21, and with the release of v1.25, it has been removed. The updates required to improve its usability would have introduced breaking changes, so it became necessary to remove it in favor of a more friendly replacement. That replacement is Pod Security Admission, which graduates to Stable with this release. If you are currently relying on PodSecurityPolicy, please follow the instructions for migration to Pod Security Admission.
Ephemeral Containers are containers that exist for only a limited time within an existing pod. This is particularly useful for troubleshooting when you need to examine another container but cannot use kubectl exec because that container has crashed or its image lacks debugging utilities. Ephemeral containers graduated to Beta in Kubernetes v1.23, and with this release, the feature graduates to Stable.
It has been more than two years since the Linux kernel cgroups v2 API was declared stable. With some distributions now defaulting to this API, Kubernetes must support it to continue operating on those distributions. cgroups v2 offers several improvements over cgroups v1; for more information, see the cgroups v2 documentation. While cgroups v1 will continue to be supported, this enhancement prepares Kubernetes for its eventual deprecation and replacement by v2.
The move of the container registry from k8s.gcr.io to registry.k8s.io has been merged. For more details, see the wiki page; an announcement was sent to the Kubernetes development mailing list.
SeccompDefault was promoted to beta; see the tutorial Restrict a Container's Syscalls with seccomp for more details.
Promoted endPort in Network Policy to GA. Network Policy providers that support the endPort field can now use it to specify a range of ports to apply a Network Policy. Previously, each Network Policy could only target a single port.
Please be aware that the endPort field MUST BE SUPPORTED by the Network Policy provider. If your provider does not support endPort, and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port).
The Local Ephemeral Storage Capacity Isolation feature moved to GA. This was introduced as alpha in 1.8, moved to beta in 1.10, and it is now a stable feature. It provides support for capacity isolation of local ephemeral storage between pods, such as EmptyDir, so that a pod can be hard limited in its consumption of shared resources by evicting Pods if its consumption of local ephemeral storage exceeds that limit.
CSI Migration is an ongoing effort that SIG Storage has been working on for a few releases. The goal is to move in-tree volume plugins to out-of-tree CSI drivers and eventually remove the in-tree volume plugins. The core CSI Migration feature moved to GA. CSI Migration for GCE PD and AWS EBS also moved to GA. CSI Migration for vSphere remains in beta (but is on by default). CSI Migration for Portworx moved to Beta (but is off-by-default).
The CSI Ephemeral Volume feature allows CSI volumes to be specified directly in the pod specification for ephemeral use cases. They can be used to inject arbitrary states, such as configuration, secrets, identity, variables or similar information, directly inside pods using a mounted volume. This was initially introduced in 1.15 as an alpha feature, and it moved to GA. This feature is used by some CSI drivers such as the secret-store CSI driver.
CRD Validation Expression Language is promoted to beta, which makes it possible to declare how custom resources are validated using the Common Expression Language (CEL). Please see the validation rules guide.
Promoted the ServerSideFieldValidation feature gate to beta (on by default). This allows optionally triggering schema validation on the API server that errors when unknown fields are detected. This allows the removal of client-side validation from kubectl while maintaining the same core functionality of erroring out on requests that contain unknown or invalid fields.
Introduce KMS v2alpha1 API to add performance, rotation, and observability improvements. Encrypt data at rest (i.e. Kubernetes Secrets) with DEK using AES-GCM instead of AES-CBC for kms data encryption. No user action is required. Reads with AES-GCM and AES-CBC will continue to be allowed. See the guide Using a KMS provider for data encryption for more information.
When running test/e2e via the Ginkgo CLI, the v2 CLI must be used and -timeout=24h (or some other, suitable value) must be passed because the default timeout was reduced from 24h to 1h. When running it via go test, the corresponding -args parameter is -ginkgo.timeout=24h. To build the CLI in the Kubernetes repo, use make all WHAT=github.com/onsi/ginkgo/v2/ginkgo.
Ginkgo V2 doesn't accept go test's -parallel flags to parallelize Ginkgo specs; please switch to use ginkgo -p or ginkgo -procs=N instead. (#109111, @chendave) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage, Testing and Windows]
registry.k8s.io) that can be used to pull Kubernetes images. The old registry (k8s.gcr.io) will continue to be supported for the foreseeable future, but the new name should perform better because it frontends equivalent mirrors in other clouds. Please point your clusters to the new registry going forward.
Admission/Policy integrations that have an allowlist of registries need to include registry.k8s.io alongside k8s.gcr.io.
Air-gapped environments and image garbage-collection configurations will need to update to pre-pull and preserve required images under registry.k8s.io as well as k8s.gcr.io. (#109938, @dims)
--service-account-api-audiences flag was removed. Use --api-audiences instead. (#108624, @ialidzhikov)
deleting-pods-qps, deleting-pods-burst, and register-retry-count. (#109612, @pandaamanda)
ClusterConfiguration.imageRepository stored in the "kubeadm-config" ConfigMap contains the legacy "k8s.gcr.io" repository, modify it to the new default "registry.k8s.io". Reflect the change in the in-cluster ConfigMap only during "upgrade apply". (#110343, @neolit123)
UnversionedKubeletConfigMap to GA and locked it to true by default. The kubelet related ConfigMap and RBAC rules are now locked to have a simplified naming *kubelet-config instead of the legacy naming *kubelet-config-x.yy, where x.yy was the version of the control plane. If you have previously used the old naming format with UnversionedKubeletConfigMap=false, you must manually copy the config map from kube-system/kubelet-config-x.yy to kube-system/kubelet-config before upgrading to v1.25. (#110327, @neolit123)
node-role.kubernetes.io/master:NoSchedule taint to control plane nodes for new clusters. Remove the taint from existing control plane nodes during "kubeadm upgrade apply" (#110095, @neolit123)
seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io, deprecated since v1.19, was partially removed. Kubelets no longer support the annotations, use of the annotations in static pods is no longer supported, and the seccomp annotations are no longer auto-populated when pods with seccomp fields are created. Auto-population of the seccomp fields from the annotations is planned to be removed in 1.27. Pods should use the corresponding pod or container securityContext.seccompProfile field instead. (#109819, @saschagrunert)
gcp and azure auth plugins have been removed from client-go and kubectl. See https://github.com/Azure/kubelogin and https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke (#110013, @enj)
PodSecurityPolicy admission plugin, deprecated since 1.21, is removed. Follow the instructions at https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ to migrate to the built-in PodSecurity admission plugin (or to another third-party policy webhook) prior to upgrading to v1.25. (#109798, @liggitt)
Add NodeInclusionPolicy to TopologySpreadConstraints in PodSpec. (#108492, @kerthcet)
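For the seccomp annotation removal noted above, the following added example (not part of the release notes or of Kubernetes itself) rewrites a pod manifest, loaded as a dict, from the deprecated annotations to securityContext.seccompProfile and reports anything that needs review. The function names, the sample manifest and the annotation-value mapping (runtime/default and docker/default to RuntimeDefault, unconfined to Unconfined, localhost/<path> to Localhost) are assumptions of the example; the page itself does not list the values.

```python
import copy
import json

# Annotation keys named in the release note. The per-container key is used
# with a "/<container name>" suffix (assumption: the note shows only the prefix).
POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def annotation_to_profile(value):
    """Translate a legacy annotation value into a seccompProfile object.

    Assumed mapping: runtime/default and docker/default -> RuntimeDefault,
    unconfined -> Unconfined, localhost/<path> -> Localhost + localhostProfile.
    """
    if value in ("runtime/default", "docker/default"):
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    prefix = "localhost/"
    if value.startswith(prefix) and len(value) > len(prefix):
        return {"type": "Localhost", "localhostProfile": value[len(prefix):]}
    raise ValueError(f"unrecognised seccomp annotation value: {value!r}")


def migrate_pod(pod):
    """Return (migrated copy of pod, findings); the input dict is not modified."""
    pod = copy.deepcopy(pod)
    annotations = pod.get("metadata", {}).get("annotations") or {}
    spec = pod.setdefault("spec", {})
    findings = []

    def apply(target, where, key):
        wanted = annotation_to_profile(annotations[key])
        ctx = target.setdefault("securityContext", {})
        current = ctx.get("seccompProfile")
        if current is None:
            ctx["seccompProfile"] = wanted
            findings.append(f"{where}: seccompProfile set from annotation")
        elif current != wanted:
            # Never overwrite an explicit field; report the disagreement instead.
            findings.append(f"{where}: annotation disagrees with field, field kept")

    if POD_KEY in annotations:
        apply(spec, "pod", POD_KEY)

    containers = {}
    for group in ("initContainers", "containers"):
        for c in spec.get(group) or []:
            containers[c["name"]] = c
    for key in [k for k in annotations if k.startswith(CONTAINER_PREFIX)]:
        name = key[len(CONTAINER_PREFIX):]
        if name in containers:
            apply(containers[name], f"container {name}", key)
        else:
            findings.append(f"container {name}: annotation names no container, dropped")

    # The v1.25 kubelet no longer reads these annotations, so drop them once converted.
    for key in [k for k in annotations if k == POD_KEY or k.startswith(CONTAINER_PREFIX)]:
        del annotations[key]
    if "annotations" in pod.get("metadata", {}) and not annotations:
        del pod["metadata"]["annotations"]
    return pod, findings


# Constructed sample manifest (not taken from the release notes).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "legacy-seccomp",
        "annotations": {
            POD_KEY: "docker/default",
            CONTAINER_PREFIX + "app": "localhost/profiles/app.json",
            CONTAINER_PREFIX + "sidecar": "unconfined",
            CONTAINER_PREFIX + "removed": "runtime/default",
            "example.com/owner": "team-a",
        },
    },
    "spec": {
        "containers": [
            {"name": "app", "image": "registry.example/app:1.0"},
            {"name": "sidecar", "image": "registry.example/proxy:1.0",
             "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
        ]
    },
}

if __name__ == "__main__":
    migrated, notes = migrate_pod(SAMPLE_POD)
    print(json.dumps(migrated, indent=2))
    print("\n".join(notes))
```

The "annotation disagrees with field" finding is the case to review by hand: here the sidecar's annotation asked for unconfined while its field already says RuntimeDefault, and the example keeps the field.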
Added a deprecated warning for node beta label usage in PV/SC/RC and CSI Storage Capacity. (#108554, @pacoxu)
Added a new feature gate CheckpointRestore to enable support to checkpoint containers. If enabled it is possible to checkpoint a container using the new kubelet API (/checkpoint/{podNamespace}/{podName}/{containerName}). (#104907, @adrianreber) [SIG Node and Testing]
Added alpha support for user namespaces in pods phase 1 (KEP 127, feature gate: UserNamespacesStatelessPodsSupport) (#111090, @rata)
As of v1.25, the PodSecurity restricted level no longer requires pods that set .spec.os.name="windows" to also set Linux-specific securityContext fields. If a 1.25+ cluster has unsupported out-of-skew nodes prior to v1.23 and wants to ensure namespaces enforcing the restricted policy continue to require Linux-specific securityContext fields on all pods, ensure a version of the restricted policy prior to v1.25 is selected by labeling the namespace (for example, pod-security.kubernetes.io/enforce-version: v1.24) (#105919, @ravisantoshgudimetla)
Changed ownership semantics of PersistentVolume's spec.claimRef from atomic to granular. (#110495, @alexzielenski)
Extended ContainerStatus CRI API to allow runtime response with container resource requests and limits that are in effect.
For v1.25, Kubernetes will be using Golang 1.19. In this PR the version is updated to 1.19rc2 as GA is not yet available. (#111254, @dims)
Introduced NodeIPAM support for multiple ClusterCIDRs (#2593) as an alpha feature.
The feature gate MultiCIDRRangeAllocator=true determines whether the MultiCIDRRangeAllocator controller can be used, while the kube-controller-manager flag below will pick the active controller.
Enabled the MultiCIDRRangeAllocator by setting the --cidr-allocator-type=MultiCIDRRangeAllocator flag in kube-controller-manager. (#109090, @sarveshr7)
Introduced PodHasNetwork condition for pods. (#111358, @ddebroy)
Introduced support for handling pod failures with respect to the configured pod failure policy rules. (#111113, @mimowo)
Introduction of the DisruptionTarget pod condition type. Its reason field indicates the reason for pod termination:
Kube-Scheduler ComponentConfig is graduated to GA, kubescheduler.config.k8s.io/v1 is available now.
Plugin SelectorSpread is removed in v1. (#110534, @kerthcet)
Local Storage Capacity Isolation feature is GA in 1.25 release. For systems (rootless) that cannot check root file system, please use kubelet config --local-storage-capacity-isolation=false to disable this feature. Once disabled, a pod cannot set a local ephemeral storage request/limit, or an emptyDir sizeLimit either. (#111513, @jingxu97)
Make PodSpec.Ports' description clearer on how this information is only informational and how it can be incorrect. (#110564, @j4m3s-s) [SIG API Machinery, Network and Node]
On compatible systems, a mounter's Unmount implementation is changed to not return an error when the specified target can be detected as not a mount point. On Linux, the behavior of detecting a mount point depends on umount command is validated when the mounter is created. Additionally, mount point checks will be skipped in CleanupMountPoint/CleanupMountWithForce if the mounter's Unmount has the changed behavior of not returning an error when the target is not a mount point. (#109676, @cartermckinnon) [SIG Storage]
PersistentVolumeClaim objects are no longer left with storage class set to nil forever, but will be updated retroactively once any StorageClass is set or created as default. (#111467, @RomanBednar)
Promote StatefulSet minReadySeconds to GA. This means --feature-gates=StatefulSetMinReadySeconds=true are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation (#110896, @ravisantoshgudimetla) [SIG API Machinery, Apps and Testing]
Promoted CronJob's TimeZone support to beta. (#111435, @soltysh)
Promoted DaemonSet MaxSurge to GA. This means --feature-gates=DaemonSetUpdateSurge=true are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation . (#111194, @ravisantoshgudimetla)
Scheduler: included supported ScoringStrategyType list in error message for NodeResourcesFit plugin (#111206, @SataQiu)
The Go API for logging configuration in k8s.io/component-base was moved to k8s.io/component-base/logs/api/v1. The configuration file format and command line flags are the same as before. (#105797, @pohly)
The Pod spec.podOS field is promoted to GA. The IdentifyPodOS feature gate is unconditionally enabled, and will no longer be accepted as a --feature-gates parameter in 1.27. (#111229, @ravisantoshgudimetla)
The PodTopologySpread is respected after rolling upgrades. (#111441, @denkensk)
The CSIInlineVolume feature has moved from beta to GA. (#111258, @dobsonj)
The PodSecurity admission plugin has graduated to GA and is enabled by default. The admission configuration version has been promoted to pod-security.admission.config.k8s.io/v1. (#110459, @wangyysde)
The endPort field in Network Policy is now promoted to GA.
Network Policy providers that support the endPort field can now use it to specify a range of ports to apply a Network Policy.
Previously, each Network Policy could only target a single port.
Please be aware that the endPort field MUST BE SUPPORTED by the Network Policy provider. In case your provider does not support endPort and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port). (#110868, @rikatz)
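The single-port fallback described above can be audited before relying on endPort. This added example (not part of the release notes or of Kubernetes) walks NetworkPolicy objects loaded as dicts and reports, for each port entry that uses endPort, the intended range, the range a provider without endPort support would apply, and how many ports fall outside it. The function names and sample policies are constructed; the two validation checks reflect the API's rules that endPort needs a numeric port and must not be lower than it.

```python
def endport_exposure(policy):
    """List every ports[] entry in a NetworkPolicy that depends on endPort."""
    findings = []
    spec = policy.get("spec") or {}
    for direction in ("ingress", "egress"):
        for rule_no, rule in enumerate(spec.get(direction) or []):
            for entry in rule.get("ports") or []:
                if entry.get("endPort") is None:
                    continue
                port, end = entry.get("port"), entry["endPort"]
                # endPort is only valid with a numeric port (not a named port).
                if isinstance(port, bool) or not isinstance(port, int):
                    raise ValueError(f"endPort set without a numeric port: {entry!r}")
                if end < port:
                    raise ValueError(f"endPort {end} is lower than port {port}")
                findings.append({
                    "direction": direction,
                    "rule": rule_no,
                    "protocol": entry.get("protocol", "TCP"),
                    "intended": (port, end),
                    # What a provider without endPort support applies: the port field only.
                    "fallback": (port, port),
                    "ports_dropped": end - port,
                })
    return findings


def policies_needing_provider_check(policies):
    """Return namespace/name of each policy whose meaning changes without endPort."""
    flagged = []
    for policy in policies:
        if any(f["ports_dropped"] > 0 for f in endport_exposure(policy)):
            meta = policy.get("metadata", {})
            flagged.append(f'{meta.get("namespace", "default")}/{meta.get("name")}')
    return flagged


# Constructed sample policies (not taken from the release notes).
SAMPLE_POLICIES = [
    {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-port-range", "namespace": "web"},
        "spec": {
            "podSelector": {},
            "ingress": [{"ports": [
                {"protocol": "TCP", "port": 32000, "endPort": 32768},
                {"protocol": "TCP", "port": 443},
            ]}],
            "egress": [{"ports": [{"protocol": "UDP", "port": 53}]}],
        },
    },
    {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "single-port", "namespace": "web"},
        "spec": {
            "podSelector": {},
            "ingress": [{"ports": [{"protocol": "TCP", "port": 8080, "endPort": 8080}]}],
        },
    },
]

if __name__ == "__main__":
    for name in policies_needing_provider_check(SAMPLE_POLICIES):
        print("verify endPort support before relying on:", name)
```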
The metadata.clusterName field is completely removed. This should not have any user-visible impact. (#109602, @lavalamp)
The minDomains field in Pod Topology Spread is graduated to beta (#110388, @sanposhiho) [SIG API Machinery and Apps]
The command line flag enable-taint-manager for kube-controller-manager is deprecated and will be removed in 1.26. The feature that it supports, taint based eviction, is enabled by default and will continue to be implicitly enabled when the flag is removed. (#111411, @alculquicondor)
This release added support for NodeExpandSecret for CSI driver client which enables the CSI drivers to make use of this secret while performing node expansion operation based on the user request. Previously there was no secret provided as part of the nodeexpansion call, thus CSI drivers did not make use of the same while expanding the volume at the node side. (#105963, @zhucan)
Ephemeral Containers are now generally available (GA). The EphemeralContainers feature gate is always enabled and should be removed from --feature-gates flag on the kube-apiserver and the kubelet command lines. The EphemeralContainers feature gate is deprecated and scheduled for removal in a future release. (#111402, @verb)
Added Service Account field in the output of kubectl describe pod command. (#111192, @aufarg)
Added a new align-by-socket policy option to cpu manager static policy. When enabled, CPUs are aligned at socket boundary rather than NUMA boundary. (#111278, @arpitsardhana)
Added container probe duration metrics. (#104484, @jackfrancis)
Added new flags into alpha events such as --output, --types, --no-headers. (#110007, @ardaguclu)
Added sum feature to kubectl top pod (#105100, @lauchokyip)
Added the Apply and ApplyStatus methods to the dynamic ResourceInterface (#109443, @kevindelgado)
Feature gate CSIMigration was locked to enabled. CSIMigration is GA now. The feature gate will be removed in v1.27. (#110410, @Jiawei0227)
Feature gate ProbeTerminationGracePeriod is enabled by default. (#108541, @kerthcet)
Ginkgo: when e2e tests are invoked through ginkgo-e2e.sh, the default now is to use color escape sequences only when connected to a terminal. GINKGO_NO_COLOR=y/n can be used to override that default. (#111633, @pohly)
Graduated SeccompDefault to beta. The Kubelet feature gate is now enabled by default and the configuration/CLI flag still defaults to false. (#110805, @saschagrunert) [SIG Node and Testing]
Graduated ServerSideFieldValidation to beta. Schema validation is performed server-side and requests will receive warnings for any invalid/unknown fields by default. (#110178, @kevindelgado) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Storage and Testing]
Graduated CustomResourceValidationExpressions to beta. The CustomResourceValidationExpressions feature gate is now enabled by default. (#111524, @cici37)
Graduated ServiceIPStaticSubrange feature to Beta (disabled by default). (#110419, @aojea)
If a Pod has a DisruptionTarget condition with status=True for more than 2 minutes without getting a DeletionTimestamp, the control plane resets it to status=False. (#111475, @alculquicondor)
In "large" clusters, kube-proxy in iptables mode will now sometimes leave unused rules in iptables for a while (up to --iptables-sync-period) before deleting them. This improves performance by not requiring it to check for stale rules on every sync. (In smaller clusters, it will still remove unused rules immediately once they are no longer used.)
(The threshold for "large" used here is currently "1000 endpoints" but this is subject to change.) (#110334, @danwinship)
Kube-up now includes CoreDNS version v1.9.3. (#110488, @mzaian)
Kubeadm: Added support for additional authentication strategies in kubeadm join with discovery/kubeconfig file: client-go authentication plugins (exec), tokenFile, and authProvider. (#110553, @tallaxes)
Kubeadm: added support for the flag --print-manifest to the addon phases kube-proxy and coredns of kubeadm init phase addon. If this flag is used, kubeadm will not apply a given addon and instead print to the terminal the API objects that will be applied. (#109995, @wangyysde)
Kubeadm: enhanced the "patches" functionality to be able to patch kubelet config files containing v1beta1.KubeletConfiguration. The new patch target is called kubeletconfiguration (e.g. patch file kubeletconfiguration+json.json). This makes it possible to apply node specific KubeletConfiguration options during init, join and upgrade, while the main KubeletConfiguration that is passed to init as part of the --config file can still act as the global stored in the cluster KubeletConfiguration. (#110405, @neolit123)
Kubeadm: make sure the etcd static pod startup probe uses /health?serializable=false while the liveness probe uses /health?serializable=true&exclude=NOSPACE. The NOSPACE exclusion would allow administrators to address space issues one member at a time. (#110744, @neolit123) [SIG Cluster Lifecycle]
Kubeadm: modified the etcd static Pod liveness and readiness probes to use a new etcd v3.5.3+ HTTP(s) health check endpoint /health?serializable=true that allows to track the health of individual etcd members and not fail all members if a single member is not healthy in the etcd cluster. (#110072, @neolit123)
Kubeadm: support experimental JSON/YAML output for kubeadm upgrade plan with the --output flag. (#108447, @pacoxu)
Kubeadm: the preferred pod anti-affinity for CoreDNS is now enabled by default. (#110593, @SataQiu)
Kubectl: support multiple resources for kubectl rollout status. (#108777, @pjo256)
Kubernetes is now built with Golang 1.18.2. (#110043, @cpanato)
Kubernetes is now built with Golang 1.18.3 (#110421, @cpanato) [SIG Release and Testing]
Kubernetes is now built with Golang 1.19.0. (#111679, @puerco)
Lock CSIMigrationAzureDisk feature gate to default. (#110491, @andyzhangx)
Metric running_managed_controllers is enabled for Cloud Node Lifecycle controller. (#111033, @jprzychodzen)
Metric running_managed_controllers is enabled for Node IPAM controller in KCM. (#111466, @jprzychodzen)
Metric running_managed_controllers is enabled for Route, Service and Cloud Node controllers in KCM and CCM. (#111462, @jprzychodzen)
New KUBECACHEDIR environment variable was introduced to override default discovery cache directory which is $HOME/.kube/cache. (#109479, @ardaguclu)
Pod SecurityContext and PodSecurityPolicy supports slash as sysctl separator. (#106834, @mengjiao-liu) [SIG Apps, Architecture, Auth, Node, Security and Testing]
Promoted LocalStorageCapacityIsolationFSQuotaMonitoring to beta. (#107329, @pacoxu)
Promoted the CSIMigrationPortworx feature gate to Beta. (#110411, @trierra)
Return a warning when applying a pod-security.kubernetes.io label to a PodSecurity-exempted namespace.
Stop including the pod-security.kubernetes.io/exempt=namespace audit annotation on namespace requests. (#109680, @tallclair)
The new flag etcd-ready-timeout has been added. It configures a timeout of an additional etcd check performed as part of readyz check. (#111399, @Argh4k)
The TopologySpreadConstraints will be shown in describe command for pods, deployments, daemonsets, etc. (#109563, @ardaguclu)
The kubectl diff changed to ignore managed fields by default, and a new --show-managed-fields flag has been added to allow you to include managed fields in the diff. (#111319, @brianpursley)
The beta feature ServiceIPStaticSubrange is now enabled by default. (#110703, @aojea)
Updated base image for Windows pause container images to one built on Windows machines to address limitations of building Windows container images on Linux machines. (#110379, @marosset)
Updated cAdvisor to v0.45.0. (#111647, @bobbypage)
Updated debian-base, debian-iptables, and setcap images:
When using the OpenStack legacy cloud provider, kubelet and KCM will ignore unknown configuration directives rather than failing to start. (#109709, @mdbooth)
JobTrackingWithFinalizers enabled by default. This feature allows to keep track of the Job progress without relying on Pods staying in the apiserver. (#110948, @alculquicondor)
CSIMigrationAWS upgraded to GA and locked to true. (#111479, @wongma7)
CSIMigrationGCE upgraded to GA and locked to true. (#111301, @mattcary)
CSIMigrationvSphere feature is now enabled by default. (#103523, @divyenpatel)
MaxUnavailable for StatefulSets allows faster RollingUpdate by taking down more than 1 pod at a time. The number of pods you want to take down during a RollingUpdate is configurable using maxUnavailable parameter. (#109251, @krmayankk)
The gcp and azure auth plugins have been restored to client-go and kubectl until https://issue.k8s.io/111911 is resolved in supported kubectl minor versions. (#111918, @liggitt)
service.Spec.PublishNotReadyAddresses is set, all the Pods are published without retrying. Fixed EndpointSlices metrics to reflect correctly the number of desired EndpointSlices when no endpoints are present. (#110639, @aojea)
agnhost:2.38 which hangs instead of exiting if a SIGTERM signal is received and the shutdown-delay option is 0. (#110214, @aojea)
ENABLE_STORAGE_GCE_PD_DRIVER to yes if you need to run these tests. (#109541, @dims)
False does not result in duplicate conditions. (#110292, @mimowo)
destination-ranges in the ingress firewall-rules. It restricts access to the backend IPs by allowing traffic through ILB or NetLB only. This change does NOT change the existing ILB or NetLB behavior. (#109510, @sugangli)
pods/eviction. (#110425, @LY-today)
JobTrackingWithFinalizers that:
JobTrackingWithFinalizers is still disabled by default. (#109486, @alculquicondor)
NeedResize build failure on Windows. (#109721, @andyzhangx)
kubectl that caused the wrong result length when using --chunk-size and --selector together. (#110652, @Abirdcfly)
LoadBalancer with multiple IPs and a LoadBalancerSourceRanges that overlaps the node IP. (#109826, @danwinship)
HostProcess containers may not be created as expected. (#110140, @marosset)
IMDS is unavailable in kubelet startup. (#110523, @andyzhangx)
JobTrackingWithFinalizers. (#111721, @alculquicondor)
@every X schedules. (#109250, @d-honeybadger)
metadata fields as unknown fields. (#109268, @liggitt)
ServiceIPStaticSubrange enabled cluster assigns duplicate IP addresses when the dynamic block is exhausted. (#109928, @tksm)
--audit-log-path argument does not exist, Kubernetes now creates it. (#110813, @vpnachev) [SIG Auth]
unix:// prefix in node annotation. (#110656, @pacoxu)
KubernetesVersion was not being respected during kubeadm join. (#110791, @SataQiu)
OS environment variables when executing crictl during image pulls. This fixed a bug where *PROXY environment variables did not affect crictl internet connectivity. (#110134, @mk46)
readiness during termination. (#110191, @rphillips)
kube-proxy when using kernelspace mode. (#109124, @daschott)
Ready / NotReady (only for ETP=Local Services). The LBs used for these services will solely rely on the health check probe defined by the healthCheckNodePort to determine if a particular node is to be used for traffic load balancing. (#109706, @alexanderConstantinescu)
kubectl run command. (#110668, @brianpursley)
priority_level_request_utilization metric histogram is adjusted so that for the cases where phase=waiting the denominator is the cumulative capacity of all of the priority level's queues.
The read_vs_write_current_requests metric histogram is adjusted, in the case of using API Priority and Fairness instead of max-in-flight, to divide by the relevant limit: sum of queue capacities for waiting requests, sum of seat limits for executing requests. (#110164, @MikeSpreitzer)
kubeadm certs renew and kubeadm certs check-expiration now honor the cert-dir flag on a running Kubernetes cluster. (#110709, @chendave)
sync_proxy_rules_no_endpoints_total metric now only counts local-traffic-policy services which have remote endpoints but not local endpoints. (#109782, @danwinship)
--cloud-provider=external. Now, it is set on kubelet startup if the --cloud-provider flag is set at all, including the deprecated in-tree providers. (#109794, @mdbooth) [SIG Network and Node]
Unready or Succeeded, can not regress and will have all container stopped. Hence, terminal Pods will never be reachable and should not publish their IP addresses on the Endpoints or EndpointSlices, independently of the Service TolerateUnready option. (#110255, @robscott)
kubectl kustomize as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.5.7. (#111606, @natasha41575)
node.status.conditions["Ready"]!= true). (#110721, @jsafrane)
pod.Spec.RuntimeClassName field is now available in kubectl describe command. (#110914, @yeahdongcn)
apimachinery/clock package. Please use k8s.io/utils/clock package instead. (#109752, @MadhavJivrajani)
kube-proxy uses a new “distroless” container image, instead of an image based on Debian. (#111060, @aojea)
-v=3 whether it is using watch caching. (#109175, @MikeSpreitzer) [SIG API Machinery]
kubernetes.io/glusterfs) has been deprecated in this release. (#111485, @humblec)
kubectl run and kubectl debug error messages upon attaching failures. (#110764, @soltysh)
--experimental-kernel-memcg-notification flag is now removed. Use --kernel-memcg-notification instead. (#109388, @ialidzhikov)
module mode instead of GOPATH mode. (#109464, @liggitt)
release-1.20 from prom bot due to EOL. (#110748, @cpanato)
apiserver_watch_cache_watch_cache_initializations_total to apiserver_watch_cache_initializations_total (#109579, @logicalhan)
priority_level_seat_count_samples is replaced with priority_level_seat_utilization, which samples every nanosecond rather than every millisecond; the old metric conveyed utilization despite its name.
priority_level_seat_count_watermarks is removed.
priority_level_request_count_samples is replaced with priority_level_request_utilization, which samples every nanosecond rather than every millisecond; the old metric conveyed utilization despite its name.
priority_level_request_count_watermarks is removed.
read_vs_write_request_count_samples is replaced with read_vs_write_current_requests, which samples every nanosecond rather than every second; the new metric, like the old one, measures utilization when the max-in-flight filter is used and number of requests when the API Priority and Fairness filter is used.
read_vs_write_request_count_watermarks is removed. (#110104, @MikeSpreitzer) [SIG API Machinery, Instrumentation and Testing]
--experimental-cluster-signing-duration flag is now removed. Adapt your machinery to use the --cluster-signing-duration flag that is available since v1.19. (#108476, @ialidzhikov)
DisableAcceleratorUsageMetrics is now GA and cannot be disabled. (#110940, @pacoxu)
apiserver_dropped_requests is dropped from this release since apiserver_request_total can now be used to track dropped requests. etcd_object_counts is also removed in favor of apiserver_storage_objects. apiserver_registered_watchers is also removed in favor of apiserver_longrunning_requests. (#110337, @logicalhan)
apiserver_longrunning_gauge was removed from the codebase. Please use apiserver_longrunning_requests instead. (#110310, @logicalhan)
Contributors, the CHANGELOG-1.25.md has been bootstrapped with v1.25.0 release notes and you may edit now as needed.
Published by your Kubernetes Release Managers.