Kubernetes v1.25.0 is live!

[Jeremy Rickard]

Kubernetes Community,

Kubernetes v1.25.0 has been built and pushed using Golang version 1.19.

The release notes have been updated in CHANGELOG-1.25.md, with a pointer to them on GitHub:

---

v1.25.0

Documentation

Downloads for v1.25.0

Source Code

filename	sha512 hash
kubernetes.tar.gz	2bff2da02f6197fbde3e3a378dd8a95415edcef2e5f95a9e1399ec8369a592dac461dbb7402cded1ba93ace22c87ee050ea02a7c1c2cabaa97609352302d5d0c
kubernetes-src.tar.gz	20810dbbc1ee7ec06348b09b1d0dcef456eab600b3c6fe594d426a9c7b6fbab69712594d6f97c63db371a41a509f17bb7c4675b8e28a25dd84abb9bea35fc8ad

Client Binaries

filename	sha512 hash
kubernetes-client-darwin-amd64.tar.gz	4960a153e5cda0b30e7e437895fc8c08f80978d9f3189f6408e04446fa9777dafacb3cddbac5b09c8de0a19459893150a691b28f95cfa9f5c87b2926fe442df5
kubernetes-client-darwin-arm64.tar.gz	17972e1f0ad64113b9adf5f8e9c6231463048c0f04fde35fb614f59281127630ae475a7ec91e31cb03ebe444828e47e6d32ed05f000b6514bad646d6b9f5469c
kubernetes-client-linux-386.tar.gz	8d5a35a0a8e71ec59be0b720ff6fd80c172bcacae5f9a5f58bfc1ac66b4e877640d8626f23852ba2459dc1ec783347ae3300017e0919d59b16ae1011ac50c5d1
kubernetes-client-linux-amd64.tar.gz	34a7e9a496fff31a3afa6f5f7245212d051de3c2966e42a662040bde8a733c1cf55ce2e50227813fd29c6db758687a453a7df66b6c32f7f2c93959280c4e130a
kubernetes-client-linux-arm.tar.gz	f5defcd92f99562c455f44bf62b478d88d00ed3cce662bdd8bed8b880bae31e6e534fb044844b4664c543bed713332fd1734415e6da320f752984157e3fa32c9
kubernetes-client-linux-arm64.tar.gz	a01731aa3e7e8e560c92cf0b3d7ed9ce9964bfed88fcd055c881a0513c10be33e11b2c0539d4f52c17bfd605d540be5c6824a2f9f182d97a7a255a9a25b64607
kubernetes-client-linux-ppc64le.tar.gz	b022a28c25b0fefb1abbcaaa71d12f9edd14cf76d291ef3f8d13a8fc5cdec2edef3aee96c851e0dde7b8c7c1f5f38c3cc631e0bce15ccbc6f30bac45895ac7f4
kubernetes-client-linux-s390x.tar.gz	b4781d09fd1360097104fb6cd33e3f4de9ce571a13e329f26ce55505e9ddbbd2ca20794bb80a58eaa23ae63860376ae51187de76c99db9cbce984773ddf03c34
kubernetes-client-windows-386.tar.gz	5f6f71b7cb88dc18930d1864df21061f5b73a6969425701e945239323a0d7e5eb182c1607d3ddc26cbaf4dab0dc4bc59c7fbffe8bd66f5fd1edae075220d1c15
kubernetes-client-windows-amd64.tar.gz	cfcbdc13cfd17e8b38baa29d7638ae086b97d5784352d0e8bc92c6f6f34ce2e885ef1371d255d4b48c9a73cfdea8168d1d6cc7ac0b1b3bdc18a09970066d59ca
kubernetes-client-windows-arm64.tar.gz	55cc2d36764d8f496ca973d82fd1c60e93d227a8107fd0649c228f479b70dc05cbe23708fd8e4b820fd3b191786bbe054446d31f7d1b9fecff173d0f554d5a69

Server Binaries

filename	sha512 hash
kubernetes-server-linux-amd64.tar.gz	21614040cd3cc5a8ee0668bd91383427427e7796ee3de0f9fe6b4b5d9becb830141bb1ed3ba5376815385baa2675595e97765209f14bf68653bcf6fdfb070f3d
kubernetes-server-linux-arm.tar.gz	44ada6a0a6ba77aebdad52680c973f98bed495bdf7ac7cc6abbcb7e5b3fd5476961e0db6b8384b128c81ffd0b70d3a020f248062acfcd8b8b85fa295b1f8cf69
kubernetes-server-linux-arm64.tar.gz	c76ca3dc152a51c08d147a9ad9594a70071e548638d5065bf1aaaad63c3553c8af8d8dcb885e6e4ed724d944a5283fd000315d2622b7ef7a2df4b0b783ab0256
kubernetes-server-linux-ppc64le.tar.gz	491084954f951a3f3f61642e9006195f5dac84b4ccc29e407f85a3bb7aba8ea79c2b4deda69507bd516c1feff47ba9887309c26d6e6c4d2270cf5e0a8f0d5cac
kubernetes-server-linux-s390x.tar.gz	0e89499c004e5faaf69deb917c1df2eb3c2da36024ff3dcd10e5c3f7e7ef7c2393c109bb8ee8bd30756bc4024cacc05ea5f0131a5bc630a3513aada182a69949

Node Binaries

filename	sha512 hash
kubernetes-node-linux-amd64.tar.gz	46b4fd437824b1178dd570bc3a1a12aa5549482793f329d194b72a45daaa0bb8b990d7ee98f2a3d9a643ae113973f1f303cdcb6fdf8c56f439bf13acc7460728
kubernetes-node-linux-arm.tar.gz	f4338883d811369be6d7a2b658e3b46c06ddef0b584293c3e44bb5f961805d6659d2a73e62c470b80029938f8793f1b11c093e4b99431e419bd61b0e9ed5c133
kubernetes-node-linux-arm64.tar.gz	c2b174bb22485c0efb6a812ed78d84afa161d635f365d913ea08b3db8daae50ae15087a6d5fefce95c5363d90414079d8c5ff476bbfab9547c87befdf23bbcce
kubernetes-node-linux-ppc64le.tar.gz	7985f22fb43d3af183e94581dd7547b8817ad27b2c8b6304de60d28ce165341ab5dcd576f6c61b999c73ebf6a35d5cd5e328253160959f5112b94e4d17f41364
kubernetes-node-linux-s390x.tar.gz	7d6622e3128c3ad46ab286bdbb445f158b697f7624ff03f1905d4b62a91601d0f33880b4b0cfa93b435a9c786070f20ef86da877690c100bfa7460a8e8ca3cd5
kubernetes-node-windows-amd64.tar.gz	213954569d1e0b682805342964597a03d3b16a98756c9123d18dd8ceda9d4cddeeac500d5bdcf8cb27c136b2bfa5947fb5c75fdec7533a153199a855162d742e

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name	architectures
k8s.gcr.io/conformance:v1.25.0	amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-apiserver:v1.25.0	amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-controller-manager:v1.25.0	amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-proxy:v1.25.0	amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-scheduler:v1.25.0	amd64, arm, arm64, ppc64le, s390x

Changelog since v1.24.0

What's New (Major Themes)

PodSecurityPolicy is Removed, Pod Security Admission graduates to Stable

PodSecurityPolicy was initially deprecated in v1.21, and with the release of v1.25, it has been removed. The updates required to improve its usability would have introduced breaking changes, so it became necessary to remove it in favor of a more friendly replacement. That replacement is Pod Security Admission, which graduates to Stable with this release. If you are currently relying on PodSecurityPolicy, please follow the instructions for migration to Pod Security Admission.

Ephemeral Containers Graduate to Stable

Ephemeral Containers are containers that exist for only a limited time within an existing pod. This is particularly useful for troubleshooting when you need to examine another container but cannot use kubectl exec because that container has crashed or its image lacks debugging utilities. Ephemeral containers graduated to Beta in Kubernetes v1.23, and with this release, the feature graduates to Stable.

Support for cgroups v2 Graduates to Stable

It has been more than two years since the Linux kernel cgroups v2 API was declared stable. With some distributions now defaulting to this API, Kubernetes must support it to continue operating on those distributions. cgroups v2 offers several improvements over cgroups v1, for more information see the cgroups v2 documentation. While cgroups v1 will continue to be supported, this enhancement puts Kubernetes to be ready for eventual deprecation and replacement in favor of v2.

Windows support improved

• Performance dashboards added support for Windows
• Unit tests added support for Windows
• Conformance tests added support for Windows
• New repository created for Windows Operational Readiness

Moved container registry service from k8s.gcr.io to registry.k8s.io

Moving container registry from k8s.gcr.io to registry.k8s.io got merged. For more details, see the wiki page, announcement was sent to the kubernetes development mailing list.

Promoted SeccompDefault to Beta

SeccompDefault promoted to beta, see the tutorial Restrict a Container's Syscalls with seccomp for more details.

Promoted endPort in Network Policy to Stable

Promoted endPort in Network Policy to GA. Network Policy providers that support endPort field now can use it to specify a range of ports to apply a Network Policy. Previously, each Network Policy could only target a single port.

Please be aware that endPort field MUST BE SUPPORTED by the Network Policy provider. If your provider does not support endPort, and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port).

Promoted Local Ephemeral Storage Capacity Isolation to Stable

The Local Ephemeral Storage Capacity Isolation feature moved to GA. This was introduced as alpha in 1.8, moved to beta in 1.10, and it is now a stable feature. It provides support for capacity isolation of local ephemeral storage between pods, such as EmptyDir, so that a pod can be hard limited in its consumption of shared resources by evicting Pods if its consumption of local ephemeral storage exceeds that limit.

Promoted core CSI Migration to Stable

CSI Migration is an ongoing effort that SIG Storage has been working on for a few releases. The goal is to move in-tree volume plugins to out-of-tree CSI drivers and eventually remove the in-tree volume plugins. The core CSI Migration feature moved to GA. CSI Migration for GCE PD and AWS EBS also moved to GA. CSI Migration for vSphere remains in beta (but is on by default). CSI Migration for Portworx moved to Beta (but is off-by-default).

Promoted CSI Ephemeral Volume to Stable

The CSI Ephemeral Volume feature allows CSI volumes to be specified directly in the pod specification for ephemeral use cases. They can be used to inject arbitrary states, such as configuration, secrets, identity, variables or similar information, directly inside pods using a mounted volume. This was initially introduced in 1.15 as an alpha feature, and it moved to GA. This feature is used by some CSI drivers such as the secret-store CSI driver.

Promoted CRD Validation Expression Language to Beta

CRD Validation Expression Language is promoted to beta, which makes it possible to declare how custom resources are validated using the Common Expression Language (CEL). Please see the validation rules guide.

Promoted Server Side Unknown Field Validation to Beta

Promoted the ServerSideFieldValidation feature gate to beta (on by default). This allows optionally triggering schema validation on the API server that errors when unknown fields are detected. This allows the removal of client-side validation from kubectl while maintaining the same core functionality of erroring out on requests that contain unknown or invalid fields.

Introduced KMS v2

Introduce KMS v2alpha1 API to add performance, rotation, and observability improvements. Encrypt data at rest (ie Kubernetes Secrets) with DEK using AES-GCM instead of AES-CBC for kms data encryption. No user action is required. Reads with AES-GCM and AES-CBC will continue to be allowed. See the guide Using a KMS provider for data encryption for more information.

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Deprecated beta APIs scheduled for removal in 1.25 are no longer served. See https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-25 for more information. (#108797, @deads2k) [SIG API Machinery, Instrumentation and Testing]
• Encrypted data with DEK using AES-GCM instead of AES-CBC for kms data encryption. No user action required. Reads with AES-GCM and AES-CBC will continue to be allowed. (#111119, @aramase)
• End-to-end testing has been migrated from Ginkgo v1 to v2.

When running test/e2e via the Ginkgo CLI, the v2 CLI must be used and -timeout=24h (or some other, suitable value) must be passed because the default timeout was reduced from 24h to 1h. When running it via go test, the corresponding -args parameter is -ginkgo.timeout=24h. To build the CLI in the Kubernetes repo, use make all WHAT=github.com/onsi/ginkgo/v2/ginkgo. Ginkgo V2 doesn't accept go test's -parallel flags to parallelize Ginkgo specs, please switch to use ginkgo -p or ginkgo -procs=N instead. (#109111, @chendave) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage, Testing and Windows]

• No action required; No API/CLI changed; Add new Windows Image Support (#110333, @liurupeng) [SIG Cloud Provider and Windows]
• The intree volume plugin flocker support was completely removed from Kubernetes. (#111618, @Jiawei0227)
• The intree volume plugin quobyte support has been completely removed from Kubernetes. (#111619, @Jiawei0227)
• The intree volume plugin storageos support has been completely removed from Kubernetes. (#111620, @Jiawei0227)
• There is a new OCI image registry (registry.k8s.io) that can be used to pull Kubernetes images. The old registry (k8s.gcr.io) will continue to be supported for the foreseeable future, but the new name should perform better because it frontends equivalent mirrors in other clouds. Please point your clusters to the new registry going forward. \n\nAdmission/Policy integrations that have an allowlist of registries need to include registry.k8s.io alongside k8s.gcr.io.\nAir-gapped environments and image garbage-collection configurations will need to update to pre-pull and preserve required images under registry.k8s.io as well as k8s.gcr.io. (#109938, @dims)

Changes by Kind

Deprecation

• API server's deprecated --service-account-api-audiences flag was removed. Use --api-audiences instead. (#108624, @ialidzhikov)
• Ginkgo.Measure has been deprecated in Ginkgo V2, switch to use gomega/gmeasure instead (#111065, @chendave) [SIG Autoscaling and Testing]
• Kube-controller-manager: Removed flags deleting-pods-qps, deleting-pods-burst, and register-retry-count. (#109612, @pandaamanda)
• Kubeadm: during "upgrade apply/diff/node", in case the ClusterConfiguration.imageRepository stored in the "kubeadm-config" ConfigMap contains the legacy "k8s.gcr.io" repository, modify it to the new default "registry.k8s.io". Reflect the change in the in-cluster ConfigMap only during "upgrade apply". (#110343, @neolit123)
• Kubeadm: graduated the kubeadm specific feature gate UnversionedKubeletConfigMap to GA and locked it to true by default. The kubelet related ConfigMap and RBAC rules are now locked to have a simplified naming *kubelet-config instead of the legacy naming *kubelet-config-x.yy, where x.yy was the version of the control plane. If you have previously used the old naming format with UnversionedKubeletConfigMap=false, you must manually copy the config map from kube-system/kubelet-config-x.yy to kube-system/kubelet-config before upgrading to v1.25. (#110327, @neolit123)
• Kubeadm: stop applying the node-role.kubernetes.io/master:NoSchedule taint to control plane nodes for new clusters. Remove the taint from existing control plane nodes during "kubeadm upgrade apply" (#110095, @neolit123)
• Support for the alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io, deprecated since v1.19, was partially removed. Kubelets no longer support the annotations, use of the annotations in static pods is no longer supported, and the seccomp annotations are no longer auto-populated when pods with seccomp fields are created. Auto-population of the seccomp fields from the annotations is planned to be removed in 1.27. Pods should use the corresponding pod or container securityContext.seccompProfile field instead. (#109819, @saschagrunert)
• The gcp and azure auth plugins have been removed from client-go and kubectl. See https://github.com/Azure/kubelogin and https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke (#110013, @enj)
• The beta PodSecurityPolicy admission plugin, deprecated since 1.21, is removed. Follow the instructions at https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ to migrate to the built-in PodSecurity admission plugin (or to another third-party policy webhook) prior to upgrading to v1.25. (#109798, @liggitt)
• VSphere releases less than 7.0u2 are not supported for in-tree vSphere volume as of Kubernetes v1.25. Please consider upgrading vSphere (both ESXi and vCenter) to 7.0u2 or above. (#111255, @divyenpatel)
• Windows winkernel kube-proxy no longer supports Windows HNS v1 APIs. (#110957, @papagalu)

API Change

• Add NodeInclusionPolicy to TopologySpreadConstraints in PodSpec. (#108492, @kerthcet)

• Added KMS v2alpha1 support. (#111126, @aramase)

• Added a deprecated warning for node beta label usage in PV/SC/RC and CSI Storage Capacity. (#108554, @pacoxu)

• Added a new feature gate CheckpointRestore to enable support to checkpoint containers. If enabled it is possible to checkpoint a container using the newly kubelet API (/checkpoint/{podNamespace}/{podName}/{containerName}). (#104907, @adrianreber) [SIG Node and Testing]

• Added alpha support for user namespaces in pods phase 1 (KEP 127, feature gate: UserNamespacesStatelessPodsSupport) (#111090, @rata)

• As of v1.25, the PodSecurity restricted level no longer requires pods that set .spec.os.name="windows" to also set Linux-specific securityContext fields. If a 1.25+ cluster has unsupported out-of-skew nodes prior to v1.23 and wants to ensure namespaces enforcing the restricted policy continue to require Linux-specific securityContext fields on all pods, ensure a version of the restricted prior to v1.25 is selected by labeling the namespace (for example, pod-security.kubernetes.io/enforce-version: v1.24) (#105919, @ravisantoshgudimetla)

• Changed ownership semantics of PersistentVolume's spec.claimRef from atomic to granular. (#110495, @alexzielenski)

• Extended ContainerStatus CRI API to allow runtime response with container resource requests and limits that are in effect.

  • UpdateContainerResources CRI API now supports both Linux and Windows. (#111645, @vinaykul)

• For v1.25, Kubernetes will be using Golang 1.19, In this PR the version is updated to 1.19rc2 as GA is not yet available. (#111254, @dims)

• Introduced NodeIPAM support for multiple ClusterCIDRs (#2593) as an alpha feature. Set feature gate MultiCIDRRangeAllocator=true, determines whether the MultiCIDRRangeAllocator controller can be used, while the kube-controller-manager flag below will pick the active controller. Enabled the MultiCIDRRangeAllocator by setting --cidr-allocator-type=MultiCIDRRangeAllocator flag in kube-controller-manager. (#109090, @sarveshr7)

• Introduced PodHasNetwork condition for pods. (#111358, @ddebroy)

• Introduced support for handling pod failures with respect to the configured pod failure policy rules. (#111113, @mimowo)

• Introduction of the DisruptionTarget pod condition type. Its reason field indicates the reason for pod termination:

  • PreemptionByKubeScheduler (Pod preempted by kube-scheduler)
  • DeletionByTaintManager (Pod deleted by taint manager due to NoExecute taint)
  • EvictionByEvictionAPI (Pod evicted by Eviction API)
  • DeletionByPodGC (an orphaned Pod deleted by PodGC) (#110959, @mimowo)

• Kube-Scheduler ComponentConfig is graduated to GA, kubescheduler.config.k8s.io/v1 is available now. Plugin SelectorSpread is removed in v1. (#110534, @kerthcet)

• Local Storage Capacity Isolation feature is GA in 1.25 release. For systems (rootless) that cannot check root file system, please use kubelet config --local-storage-capacity-isolation=false to disable this feature. Once disabled, pod cannot set local ephemeral storage request/limit, and emptyDir sizeLimit niether. (#111513, @jingxu97)

• Make PodSpec.Ports' description clearer on how this information is only informational and how it can be incorrect. (#110564, @j4m3s-s) [SIG API Machinery, Network and Node]

• On compatible systems, a mounter's Unmount implementation is changed to not return an error when the specified target can be detected as not a mount point. On Linux, the behavior of detecting a mount point depends on umount command is validated when the mounter is created. Additionally, mount point checks will be skipped in CleanupMountPoint/CleanupMountWithForce if the mounter's Unmount having the changed behavior of not returning error when target is not a mount point. (#109676, @cartermckinnon) [SIG Storage]

• PersistentVolumeClaim objects are no longer left with storage class set to nil forever, but will be updated retroactively once any StorageClass is set or created as default. (#111467, @RomanBednar)

• Promote StatefulSet minReadySeconds to GA. This means --feature-gates=StatefulSetMinReadySeconds=true are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation (#110896, @ravisantoshgudimetla) [SIG API Machinery, Apps and Testing]

• Promoted CronJob's TimeZone support to beta. (#111435, @soltysh)

• Promoted DaemonSet MaxSurge to GA. This means --feature-gates=DaemonSetUpdateSurge=true are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation . (#111194, @ravisantoshgudimetla)

• Scheduler: included supported ScoringStrategyType list in error message for NodeResourcesFit plugin (#111206, @SataQiu)

• The Go API for logging configuration in k8s.io/component-base was moved to k8s.io/component-base/logs/api/v1. The configuration file format and command line flags are the same as before. (#105797, @pohly)

• The Pod spec.podOS field is promoted to GA. The IdentifyPodOS feature gate unconditionally enabled, and will no longer be accepted as a --feature-gates parameter in 1.27. (#111229, @ravisantoshgudimetla)

• The PodTopologySpread is respected after rolling upgrades. (#111441, @denkensk)

• The CSIInlineVolume feature has moved from beta to GA. (#111258, @dobsonj)

• The PodSecurity admission plugin has graduated to GA and is enabled by default. The admission configuration version has been promoted to pod-security.admission.config.k8s.io/v1. (#110459, @wangyysde)

• The endPort field in Network Policy is now promoted to GA

  Network Policy providers that support endPort field now can use it to specify a range of ports to apply a Network Policy.

  Previously, each Network Policy could only target a single port.

  Please be aware that endPort field MUST BE SUPPORTED by the Network Policy provider. In case your provider does not support endPort and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port). (#110868, @rikatz)

• The metadata.clusterName field is completely removed. This should not have any user-visible impact. (#109602, @lavalamp)

• The minDomains field in Pod Topology Spread is graduated to beta (#110388, @sanposhiho) [SIG API Machinery and Apps]

• The command line flag enable-taint-manager for kube-controller-manager is deprecated and will be removed in 1.26. The feature that it supports, taint based eviction, is enabled by default and will continue to be implicitly enabled when the flag is removed. (#111411, @alculquicondor)

• This release added support for NodeExpandSecret for CSI driver client which enables the CSI drivers to make use of this secret while performing node expansion operation based on the user request. Previously there was no secret provided as part of the nodeexpansion call, thus CSI drivers did not make use of the same while expanding the volume at the node side. (#105963, @zhucan)

• Ephemeral Containers are now generally available (GA). The EphemeralContainers feature gate is always enabled and should be removed from --feature-gates flag on the kube-apiserver and the kubelet command lines. The EphemeralContainers feature gate is deprecated and scheduled for removal in a future release. (#111402, @verb)

Feature

• Added KMS v2alpha1 API. (#110201, @aramase)

• Added Service Account field in the output of kubectl describe pod command. (#111192, @aufarg)

• Added a new align-by-socket policy option to cpu manager static policy. When enabled CPU's to be aligned at socket boundary rather than NUMA boundary. (#111278, @arpitsardhana)

• Added container probe duration metrics. (#104484, @jackfrancis)

• Added new flags into alpha events such as --output, --types, --no-headers. (#110007, @ardaguclu)

• Added sum feature to kubectl top pod (#105100, @lauchokyip)

• Added the Apply and ApplyStatus methods to the dynamic ResourceInterface (#109443, @kevindelgado)

• Feature gate CSIMigration was locked to enabled. CSIMigration is GA now. The feature gate will be removed in v1.27. (#110410, @Jiawei0227)

• Feature gate ProbeTerminationGracePeriod is enabled by default. (#108541, @kerthcet)

• Ginkgo: when e2e tests are invoked through ginkgo-e2e.sh, the default now is to use color escape sequences only when connected to a terminal. GINKGO_NO_COLOR=y/n can be used to override that default. (#111633, @pohly)

• Graduated SeccompDefault to beta. The Kubelet feature gate is now enabled by default and the configuration/CLI flag still defaults to false. (#110805, @saschagrunert) [SIG Node and Testing]

• Graduated ServerSideFieldValidation to beta. Schema validation is performed server-side and requests will receive warnings for any invalid/unknown fields by default. (#110178, @kevindelgado) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Storage and Testing]

• Graduated CustomResourceValidationExpressions to beta. The CustomResourceValidationExpressions feature gate is now enabled by default. (#111524, @cici37)

• Graduated ServiceIPStaticSubrange feature to Beta (disabled by default). (#110419, @aojea)

• If a Pod has a DisruptionTarget condition with status=True for more than 2 minutes without getting a DeletionTimestamp, the control plane resets it to status=False. (#111475, @alculquicondor)

• In "large" clusters, kube-proxy in iptables mode will now sometimes leave unused rules in iptables for a while (up to --iptables-sync-period) before deleting them. This improves performance by not requiring it to check for stale rules on every sync. (In smaller clusters, it will still remove unused rules immediately once they are no longer used.)

  (The threshold for "large" used here is currently "1000 endpoints" but this is subject to change.) (#110334, @danwinship)

• Kube-up now includes CoreDNS version v1.9.3. (#110488, @mzaian)

• Kubeadm: Added support for additional authentication strategies in kubeadm join with discovery/kubeconfig file: client-go authentication plugins (exec), tokenFile, and authProvider. (#110553, @tallaxes)

• Kubeadm: Update CoreDNS to v1.9.3. (#110489, @pacoxu)

• Kubeadm: added support for the flag --print-manifest to the addon phases kube-proxy and coredns of kubeadm init phase addon. If this flag is usedkubeadm will not apply a given addon and instead print to the terminal the API objects that will be applied. (#109995, @wangyysde)

• Kubeadm: enhanced the "patches" functionality to be able to patch kubelet config files containing v1beta1.KubeletConfiguration. The new patch target is called kubeletconfiguration (e.g. patch file kubeletconfiguration+json.json).This makes it possible to apply node specific KubeletConfiguration options during init, join and upgrade, while the main KubeletConfiguration that is passed to init as part of the --config file can still act as the global stored in the cluster KubeletConfiguration. (#110405, @neolit123)

• Kubeadm: make sure the etcd static pod startup probe uses /health?serializable=false while the liveness probe uses /health?serializable=true&exclude=NOSPACE. The NOSPACE exclusion would allow administrators to address space issues one member at a time. (#110744, @neolit123) [SIG Cluster Lifecycle]

• Kubeadm: modified the etcd static Pod liveness and readiness probes to use a new etcd v3.5.3+ HTTP(s) health check endpoint /health?serializable=true that allows to track the health of individual etcd members and not fail all members if a single member is not healthy in the etcd cluster. (#110072, @neolit123)

• Kubeadm: support experimental JSON/YAML output for kubeadm upgrade plan with the --output flag. (#108447, @pacoxu)

• Kubeadm: the preferred pod anti-affinity for CoreDNS is now enabled by default. (#110593, @SataQiu)

• Kubectl: support multiple resources for kubectl rollout status. (#108777, @pjo256)

• Kubernetes is now built with Golang 1.18.2. (#110043, @cpanato)

• Kubernetes is now built with Golang 1.18.3 (#110421, @cpanato) [SIG Release and Testing]

• Kubernetes is now built with Golang 1.19.0. (#111679, @puerco)

• Lock CSIMigrationAzureDisk feature gate to default. (#110491, @andyzhangx)

• Metric running_managed_controllers is enabled for Cloud Node Lifecycle controller. (#111033, @jprzychodzen)

• Metric running_managed_controllers is enabled for Node IPAM controller in KCM. (#111466, @jprzychodzen)

• Metric running_managed_controllers is enabled for Route,Service and Cloud Node controllers in KCM and CCM. (#111462, @jprzychodzen)

• New KUBECACHEDIR environment variable was introduced to override default discovery cache directory which is $HOME/.kube/cache. (#109479, @ardaguclu)

• Pod SecurityContext and PodSecurityPolicy supports slash as sysctl separator. (#106834, @mengjiao-liu) [SIG Apps, Architecture, Auth, Node, Security and Testing]

• Promoted LocalStorageCapacityIsolationFSQuotaMonitoring to beta. (#107329, @pacoxu)

• Promoted the CSIMigrationPortworx feature gate to Beta. (#110411, @trierra)

• Return a warning when applying a pod-security.kubernetes.io label to a PodSecurity-exempted namespace. Stop including the pod-security.kubernetes.io/exempt=namespace audit annotation on namespace requests. (#109680, @tallclair)

• The new flag etcd-ready-timeout has been added. It configures a timeout of an additional etcd check performed as part of readyz check. (#111399, @Argh4k)

• The TopologySpreadConstraints will be shown in describe command for pods, deployments, daemonsets, etc. (#109563, @ardaguclu)

• The kubectl diff changed to ignore managed fields by default, and a new --show-managed-fields flag has been added to allow you to include managed fields in the diff. (#111319, @brianpursley)

• The beta feature ServiceIPStaticSubrange is now enabled by default. (#110703, @aojea)

• Updated base image for Windows pause container images to one built on Windows machines to address limitations of building Windows container images on Linux machines. (#110379, @marosset)

• Updated cAdvisor to v0.45.0. (#111647, @bobbypage)

• Updated debian-base, debian-iptables, and setcap images:

  • debian-base:bullseye-v1.3.0
  • debian-iptables:bullseye-v1.4.0
  • setcap:bullseye-v1.3.0 (#110558, @wespanther)

• When using the OpenStack legacy cloud provider, kubelet and KCM will ignore unknown configuration directives rather than failing to start. (#109709, @mdbooth)

• JobTrackingWithFinalizers enabled by default. This feature allows to keep track of the Job progress without relying on Pods staying in the apiserver. (#110948, @alculquicondor)

• CSIMigrationAWS upgraded to GA and locked to true. (#111479, @wongma7)

• CSIMigrationGCE upgraded to GA and locked to true. (#111301, @mattcary)

• CSIMigrationvSphere feature is now enabled by default. (#103523, @divyenpatel)

• MaxUnavailable for StatefulSets, allows faster RollingUpdate by taking down more than 1 pod at a time. The number of pods you want to take down during a RollingUpdate is configurable using maxUnavailable parameter. (#109251, @krmayankk)

• The gcp and azure auth plugins have been restored to client-go and kubectl until https://issue.k8s.io/111911 is resolved in supported kubectl minor versions. (#111918, @liggitt)

Documentation

• EndpointSlices with Pod referencing Nodes that don't exist couldn't be created or updated. The behavior on the EndpointSlice controller has been modified to update the EndpointSlice without the Pods that reference non-existing Nodes and keep retrying until all Pods reference existing Nodes. However, if service.Spec.PublishNotReadyAddresses is set, all the Pods are published without retrying. Fixed EndpointSlices metrics to reflect correctly the number of desired EndpointSlices when no endpoints are present. (#110639, @aojea)
• Optimization of kubectl Chinese translation (#110538, @hwdef) [SIG CLI]

Failing Test

• E2e tests: fixed bug in the e2e image agnhost:2.38 which hangs instead of exiting if a SIGTERM signal is received and the shutdown-delay option is 0. (#110214, @aojea)
• In-tree GCE PD test cases no longer run in Kubernetes testing harness anymore (side effect of switching on CSI migration in 1.22). Please switch on the environment variable ENABLE_STORAGE_GCE_PD_DRIVER to yes if you need to run these tests. (#109541, @dims)

Bug or Regression

• A bug was fixed where a job sync was not retried in case of a transient ResourceQuota conflict. (#111026, @alculquicondor)
• A change of a failed job condition status to False does not result in duplicate conditions. (#110292, @mimowo)
• Added error message "dry-run can not be used when --force is set" when dry-run and force flags are set in replace command. (#110326, @ardaguclu)
• Added the latest GCE pinhole firewall feature, which introduces destination-ranges in the ingress firewall-rules. It restricts access to the backend IPs by allowing traffic through ILB or NetLB only. This change does NOT change the existing ILB or NetLB behavior. (#109510, @sugangli)
• Allow expansion of ephemeral volumes (#109987, @gnufied) [SIG Node and Storage]
• Apiserver: fixed audit of loading more than one webhooks. (#110145, @sxllwx)
• Bug fix in test/e2e/framework Framework.RecordFlakeIfError (#111048, @alingse) [SIG Testing]
• Client-go: fixed an error in the fake client when creating API requests are submitted to subresources like pods/eviction. (#110425, @LY-today)
• Do not raise an error when setting a label with the same value, ignore it. (#105936, @zigarn)
• Do not report terminated container metrics (#110950, @yangjunmyfm192085) [SIG Node]
• EndpointSlices marked for deletion are now ignored during reconciliation. (#109624, @aryan9600)
• Etcd: Update to v3.5.4 (#110033, @mk46) [SIG API Machinery, Cloud Provider, Cluster Lifecycle and Testing]
• Faster mount detection for linux kernel 5.10+ using openat2 speeding up pod churn rates. On Kernel versions less 5.10, it will fallback to using the original way of detecting mount points i.e by parsing /proc/mounts. (#109217, @manugupt1)
• FibreChannel volume plugin may match the wrong device and wrong associated devicemapper parent. This may cause a disater that pods attach wrong disks. (#110719, @xakdwch)
• Fix a bug where CRI implementations that use cAdvisor stats provider (CRI-O) don't evict pods when their logs exceed ephemeral storage limit. (#108115, @haircommander) [SIG Node]
• Fix a bug where metrics are not recorded during Preemption(PostFilter). (#108727, @sanposhiho) [SIG Scheduling]
• Fix a data race in authentication between AuthenticatedGroupAdder and cached token authenticator. (#109969, @sttts) [SIG API Machinery and Auth]
• Fix bug that prevented the job controller from enforcing activeDeadlineSeconds when set. (#110294, @harshanarayana)
• Fix for volume reconstruction of CSI ephemeral volumes (#108997, @dobsonj) [SIG Node, Storage and Testing]
• Fix incorrectly report scope for request_duration_seconds and request_slo_duration_seconds metrics for POST custom resources API calls. (#110009, @azylinski) [SIG Instrumentation]
• Fix printing resources with int64 fields (#110408, @tkashem) [SIG API Machinery]
• Fix spurious kube-apiserver log warnings related to openapi v3 merging when creating or modifying CustomResourceDefinition objects (#109880, @Jefftree) [SIG API Machinery and Testing]
• Fix the bug that reported incorrect metrics for the cluster IP allocator. (#110027, @tksm)
• Fixed JobTrackingWithFinalizers when a pod succeeds after the job is considered failed, which led to API conflicts that blocked finishing the job. (#111646, @alculquicondor)
• Fixed JobTrackingWithFinalizers that:
  • was declaring a job finished before counting all the created pods in the status
  • was leaving pods with finalizers, blocking pod and job deletions JobTrackingWithFinalizers is still disabled by default. (#109486, @alculquicondor)
• Fixed NeedResize build failure on Windows. (#109721, @andyzhangx)
• Fixed a bug in kubectl that caused the wrong result length when using --chunk-size and --selector together. (#110652, @Abirdcfly)
• Fixed a bug involving Services of type LoadBalancer with multiple IPs and a LoadBalancerSourceRanges that overlaps the node IP. (#109826, @danwinship)
• Fixed a bug which could have allowed an improperly annotated LoadBalancer service to become active. (#109601, @mdbooth)
• Fixed a kubelet issue that could result in invalid pod status updates to be sent to the api-server where pods would be reported in a terminal phase but also report a ready condition of true in some cases. (#110256, @bobbypage)
• Fixed an issue on Windows nodes where HostProcess containers may not be created as expected. (#110140, @marosset)
• Fixed bug where CSI migration doesn't count inline volumes for attach limit. (#107787, @Jiawei0227)
• Fixed error "dbus: connection closed by user" after dbus daemon restarts. (#110496, @kolyshkin)
• Fixed image pull failure when IMDS is unavailable in kubelet startup. (#110523, @andyzhangx)
• Fixed memory leak in the job controller related to JobTrackingWithFinalizers. (#111721, @alculquicondor)
• Fixed mounting of iSCSI volumes over IPv6 networks. (#110688, @jsafrane)
• Fixed performance issue when creating large objects using SSA with fully unspecified schemas ( preserveUnknownFields ). (#111557, @alexzielenski)
• Fixed s.RuntimeCgroups error condition and Fixed possible wrong log print. (#110648, @yangjunmyfm192085)
• Fixed scheduling of CronJob with @every X schedules. (#109250, @d-honeybadger)
• Fixed strict server-side field validation treating metadata fields as unknown fields. (#109268, @liggitt)
• Fixed the GCE firewall update when the destination IPs are changing so that firewalls reflect the IP updates of the LBs. (#111186, @sugangli)
• Fixed the bug that a ServiceIPStaticSubrange enabled cluster assigns duplicate IP addresses when the dynamic block is exhausted. (#109928, @tksm)
• For scheduler plugin developers: the scheduler framework's shared PodInformer is now initialized with empty indexers. This enables scheduler plugins to add their extra indexers. Note that only non-conflict indexers are allowed to be added. (#110663, @fromanirh) [SIG Scheduling]
• If the parent directory of the file specified in the --audit-log-path argument does not exist, Kubernetes now creates it. (#110813, @vpnachev) [SIG Auth]
• Informer/reflector callers can now catch and unwrap specific API errors by type. (#110076, @karlkfi)
• Kube-apiserver: Get, GetList and Watch requests that should be served by the apiserver cacher during shutdown will be rejected to avoid a deadlock situation leaving requests hanging. (#108414, @aojea)
• Kubeadm: Fixed duplicate unix:// prefix in node annotation. (#110656, @pacoxu)
• Kubeadm: a bug was fixed due to which configurable KubernetesVersion was not being respected during kubeadm join. (#110791, @SataQiu)
• Kubeadm: enabled the --experimental-watch-progress-notify-interval flag for etcd and set it to 5s. The flag specifies an interval at which etcd sends watch data to the kube-apiserver. (#111383, @p0lyn0mial)
• Kubeadm: now sets the host OS environment variables when executing crictl during image pulls. This fixed a bug where *PROXY environment variables did not affect crictl internet connectivity. (#110134, @mk46)
• Kubeadm: only taint control plane nodes when the legacy "master" taint is present. This avoids the bug where "kubeadm upgrade" will re-taint a control plane node with the new "control plane" taint even if the user explicitly untainted the node. (#109840, @neolit123)
• Kubeadm: respect user specified image repository when using Kubernetes ci version (#111017, @SataQiu) [SIG Cluster Lifecycle]
• Kubeadm: support retry mechanism for removing container in reset phase (#110837, @SataQiu) [SIG Cluster Lifecycle]
• Kubelet: added log for volume metric collection taking too long (#107490, @pacoxu)
• Kubelet: added retry of checking Unix domain sockets on Windows nodes for the plugin registration mechanism. (#110075, @luckerby)
• Kubelet: added validation for labels provided with --node-labels. Malformed labels will result in errors. (#109263, @FeLvi-zzz)
• Kubelet: wait for node allocatable ephemeral-storage data. (#101882, @jackfrancis)
• Kubernetes now correctly handles "search ." in the host's resolv.conf file by preserving the "." entry in the "resolv.conf" that the kubelet writes to pods. (#109441, @Miciah) [SIG Network and Node]
• Made usage of key encipherment optional in API validation. (#111061, @pacoxu)
• ManagedFields time is correctly updated when the value of a managed field is modified. (#110058, @glebiller)
• OpenAPI will no longer duplicate these schemas:
  • io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions_v2
  • io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta_v2
  • io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference_v2
  • io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails_v2
  • io.k8s.apimachinery.pkg.apis.meta.v1.Status_v2 (#110179, @Jefftree)
• Panics while calling validating admission webhook are caught and honor the fail open or fail closed setting. (#108746, @deads2k) [SIG API Machinery]
• Pods now post their readiness during termination. (#110191, @rphillips)
• Reduced duration to sync proxy rules on Windows kube-proxy when using kernelspace mode. (#109124, @daschott)
• Reduced the number of cloud API calls and service downtime caused by excessive re-configurations of cluster LBs with externalTrafficPolicy=Local when node readiness changes (https://github.com/kubernetes/kubernetes/issues/111539). The service controller (in cloud-controller-manager) will avoid resyncing nodes which are transitioning between Ready / NotReady (only for for ETP=Local Services). The LBs used for these services will solely rely on the health check probe defined by the healthCheckNodePort to determine if a particular node is to be used for traffic load balancing. (#109706, @alexanderConstantinescu)
• Removed the recently re-introduced schedulability predicate (#109706) as to not have unschedulable nodes removed from load balancers back-end pools. (#111691, @alexanderConstantinescu)
• Removed unused flags from kubectl run command. (#110668, @brianpursley)
• Run kubelet, when there is an error exit, print the error log. (#110691, @yangjunmyfm192085)
• The priority_level_request_utilization metric histogram is adjusted so that for the cases where phase=waiting the denominator is the cumulative capacity of all of the priority level's queues. The read_vs_write_current_requests metric histogram is adjusted, in the case of using API Priority and Fairness instead of max-in-flight, to divide by the relevant limit: sum of queue capacities for waiting requests, sum of seat limits for executing requests. (#110164, @MikeSpreitzer)
• The commands kubeadm certs renew and kubeadm certs check-expiration now honor the cert-dir flag on a running Kubernetes cluster. (#110709, @chendave)
• The kube-proxy sync_proxy_rules_no_endpoints_total metric now only counts local-traffic-policy services which have remote endpoints but not local endpoints. (#109782, @danwinship)
• The namespace editors and admins can now create leases.coordination.k8s.io and should use this type for leaderelection instead of configmaps. (#111472, @deads2k)
• The node annotation alpha.kubernetes.io/provided-node-ip is no longer set ONLY when --cloud-provider=external. Now, it is set on kubelet startup if the --cloud-provider flag is set at all, including the deprecated in-tree providers. (#109794, @mdbooth) [SIG Network and Node]
• The pod phase lifecycle guarantees that terminal Pods, those whose states are Unready or Succeeded, can not regress and will have all container stopped. Hence, terminal Pods will never be reachable and should not publish their IP addresses on the Endpoints or EndpointSlices, independently of the Service TolerateUnready option. (#110255, @robscott)
• Unmounted volumes correctly for reconstructed volumes even if mount operation fails after kubelet restart. (#110670, @gnufied)
• Updated max azure data disk count map with new VM types. (#111406, @bennerv)
• Updated to cAdvisor v0.44.1 to fix an issue where metrics generated by kubelet for pod network stats were empty in some cases. (#109658, @bobbypage)
• Upgraded Azure/go-autorest/autorest to v0.11.27. (#110371, @andyzhangx)
• Upgraded functionality of kubectl kustomize as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.5.7. (#111606, @natasha41575)
• Use checksums instead of fsyncs to ensure discovery cache integrity (#110851, @negz) [SIG API Machinery]
• UserName check for 'ContainerAdministrator' is now case-insensitive if runAsNonRoot is set to true on Windows. (#111009, @marosset)
• Volumes are no longer detached from healthy nodes after 6 minutes timeout. 6 minute force-detach timeout is used only for unhealthy nodes (node.status.conditions["Ready"]!= true). (#110721, @jsafrane)
• When metrics are counted, discard the wrong container StartTime metrics (#110880, @yangjunmyfm192085) [SIG Instrumentation and Node]
• Windows kubelet plugin Watcher now working as intended. (#111439, @claudiubelu)
• [aws] Fixed a bug which reduces the number of unnecessary calls to STS in the event of assume role failures in the legacy cloud provider (#110706, @prateekgogia) [SIG Cloud Provider]
• pod.Spec.RuntimeClassName field is now available in kubectl describe command. (#110914, @yeahdongcn)

Other (Cleanup or Flake)

• Add missing powershell option to kubectl completion command short description. (#109773, @danielhelfand)
• Added e2e test flag to specify which volume drivers should be installed. This deprecated the ENABLE_STORAGE_GCE_PD_DRIVER environment variable. (#111481, @mattcary)
• Changed PV framework delete timeout to 5 minutes as documented. (#109764, @saikat-royc)
• Default burst limit for the discovery client set to 300. (#109141, @ulucinar)
• Deleted the apimachinery/clock package. Please use k8s.io/utils/clock package instead. (#109752, @MadhavJivrajani)
• Feature gates that graduated to GA in 1.23 or earlier and were unconditionally enabled have been removed: CSIServiceAccountToken, ConfigurableFSGroupPolicy, EndpointSlice, EndpointSliceNodeName, EndpointSliceProxying, GenericEphemeralVolume, IPv6DualStack, IngressClassNamespacedParams, StorageObjectInUseProtection, TTLAfterFinished, VolumeSubpath, WindowsEndpointSliceProxying. (#109435, @pohly)
• For Linux, kube-proxy uses a new “distroless” container image, instead of an image based on Debian. (#111060, @aojea)
• For resources built into an apiserver, the server now logs at -v=3 whether it is using watch caching. (#109175, @MikeSpreitzer) [SIG API Machinery]
• GlusterFS provisioner (kubernetes.io/glusterfs) has been deprecated in this release. (#111485, @humblec)
• Improved kubectl run and kubectl debug error messages upon attaching failures. (#110764, @soltysh)
• In the event that more than one IngressClass is designated "default", the DefaultIngressClass admission controller will choose one rather than fail. (#110974, @kidddddddddddddddddddddd) [SIG Network]
• Kube-proxy: The "userspace" proxy-mode is deprecated on Linux and Windows, despite being the default on Windows. As of v1.26, the default mode for Windows will change to 'kernelspace'. (#110762, @pandaamanda) [SIG Network]
• Kubeadm: perform additional dockershim cleanup. Treat all container runtimes as remote by using the flag "--container-runtime=remote", given dockershim was removed in 1.24 and given kubeadm 1.25 supports a kubelet version of 1.24 and 1.25. The flag "--network-plugin" will no longer be used for new clusters. Stop cleaning up the following dockershim related directories on "kubeadm reset": "/var/lib/dockershim", "/var/runkubernetes", "/var/lib/cni" (#110022, @neolit123) [SIG Cluster Lifecycle]
• Kubelet's deprecated --experimental-kernel-memcg-notification flag is now removed. Use --kernel-memcg-notification instead. (#109388, @ialidzhikov)
• Kubelet: Silenced flag output on errors. (#110728, @howardjohn)
• Kubernetes binaries are now built-in module mode instead of GOPATH mode. (#109464, @liggitt)
• Removed branch release-1.20 from prom bot due to EOL. (#110748, @cpanato)
• Removed deprecated kubectl.kubernetes.io/default-logs-container support (#109254, @pacoxu)
• Renamed apiserver_watch_cache_watch_cache_initializations_total to apiserver_watch_cache_initializations_total (#109579, @logicalhan)
• Shell completion is now provided for the "--subresource" flag. (#109070, @marckhouzam)
• Some apiserver metrics were changed, as follows.
  • priority_level_seat_count_samples is replaced with priority_level_seat_utilization, which samples every nanosecond rather than every millisecond; the old metric conveyed utilization despite its name.
  • priority_level_seat_count_watermarks is removed.
  • priority_level_request_count_samples is replaced with priority_level_request_utilization, which samples every nanosecond rather than every millisecond; the old metric conveyed utilization despite its name.
  • priority_level_request_count_watermarks is removed.
  • read_vs_write_request_count_samples is replaced with read_vs_write_current_requests, which samples every nanosecond rather than every second; the new metric, like the old one, measures utilization when the max-in-flight filter is used and number of requests when the API Priority and Fairness filter is used.
  • read_vs_write_request_count_watermarks is removed. (#110104, @MikeSpreitzer) [SIG API Machinery, Instrumentation and Testing]
• The kube-controller-manager's deprecated --experimental-cluster-signing-duration flag is now removed. Adapt your machinery to use the --cluster-signing-duration flag that is available since v1.19. (#108476, @ialidzhikov)
• The kube-scheduler ComponentConfig v1beta2 is deprecated in v1.25. (#111547, @kerthcet)
• The kubelet no longer supports collecting accelerator metrics through cAdvisor. The feature gate DisableAcceleratorUsageMetrics is now GA and cannot be disabled. (#110940, @pacoxu)
• Updated cri-tools to [v1.24.2(https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.24.2). (#109813, @saschagrunert)
• apiserver_dropped_requests is dropped from this release since apiserver_request_total can now be used to track dropped requests. etcd_object_counts is also removed in favor of apiserver_storage_objects. apiserver_registered_watchers is also removed in favor of apiserver_longrunning_requests. (#110337, @logicalhan)
• apiserver_longrunning_gauge was removed from the codebase. Please use apiserver_longrunning_requests instead. (#110310, @logicalhan)

Dependencies

Added

• github.com/emicklei/go-restful/v3: v3.8.0
• github.com/go-task/slim-sprig: 348f09d
• github.com/gogo/googleapis: v1.4.1
• github.com/golang-jwt/jwt/v4: v4.2.0
• github.com/golang/snappy: v0.0.3
• github.com/golangplus/bytes: v1.0.0
• github.com/golangplus/fmt: v1.0.0
• github.com/onsi/ginkgo/v2: v2.1.4
• go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful: v0.20.0
• go.opentelemetry.io/contrib/propagators: v0.20.0
• google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.1.0

Changed

• bitbucket.org/bertimus9/systemstat: 0eeff89 → v0.5.0
• cloud.google.com/go: v0.81.0 → v0.97.0
• github.com/Azure/go-autorest/autorest/adal: v0.9.13 → v0.9.20
• github.com/Azure/go-autorest/autorest/mocks: v0.4.1 → v0.4.2
• github.com/Azure/go-autorest/autorest: v0.11.18 → v0.11.27
• github.com/GoogleCloudPlatform/k8s-cloud-provider: ea6160c → f118173
• github.com/MakeNowJust/heredoc: bb23615 → v1.0.0
• github.com/antlr/antlr4/runtime/Go/antlr: b48c857 → f25a4f6
• github.com/chai2010/gettext-go: c6fed77 → v1.0.2
• github.com/cncf/udpa/go: 5459f2c → 04548b0
• github.com/cncf/xds/go: fbca930 → cb28da3
• github.com/container-storage-interface/spec: v1.5.0 → v1.6.0
• github.com/containerd/containerd: v1.4.12 → v1.4.9
• github.com/coredns/corefile-migration: v1.0.14 → v1.0.17
• github.com/daviddengcn/go-colortext: 511bcaf → v1.0.0
• github.com/docker/docker: v20.10.12+incompatible → v20.10.17+incompatible
• github.com/envoyproxy/go-control-plane: 63b5d3c → 49ff273
• github.com/go-logr/logr: v1.2.0 → v1.2.3
• github.com/go-logr/zapr: v1.2.0 → v1.2.3
• github.com/golangplus/testing: af21d9c → v1.0.0
• github.com/google/cadvisor: v0.44.1 → v0.45.0
• github.com/google/cel-go: v0.10.1 → v0.12.4
• github.com/google/go-cmp: v0.5.5 → v0.5.6
• github.com/google/martian/v3: v3.1.0 → v3.2.1
• github.com/google/pprof: cbba55b → 94a9f03
• github.com/googleapis/gax-go/v2: v2.0.5 → v2.1.1
• github.com/imdario/mergo: v0.3.5 → v0.3.6
• github.com/matttproud/golang_protobuf_extensions: c182aff → v1.0.1
• github.com/onsi/gomega: v1.10.1 → v1.19.0
• github.com/opencontainers/runc: v1.1.1 → v1.1.3
• github.com/pquerna/cachecontrol: 0dec1b3 → v0.1.0
• github.com/seccomp/libseccomp-golang: 3879420 → f33da4d
• github.com/xlab/treeprint: a009c39 → v1.1.0
• github.com/yuin/goldmark: v1.4.1 → v1.4.13
• go.etcd.io/etcd/api/v3: v3.5.1 → v3.5.4
• go.etcd.io/etcd/client/pkg/v3: v3.5.1 → v3.5.4
• go.etcd.io/etcd/client/v2: v2.305.0 → v2.305.4
• go.etcd.io/etcd/client/v3: v3.5.1 → v3.5.4
• go.etcd.io/etcd/pkg/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/raft/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/server/v3: v3.5.0 → v3.5.4
• golang.org/x/crypto: 8634188 → 3147a52
• golang.org/x/mod: 9b9b3d8 → 86c51ed
• golang.org/x/net: cd36cc0 → a158d28
• golang.org/x/sync: 036812b → 886fb93
• golang.org/x/sys: 3681064 → 8c9f86f
• golang.org/x/tools: 897bd77 → v0.1.12
• google.golang.org/api: v0.46.0 → v0.60.0
• google.golang.org/genproto: 42d7afd → c8bf987
• google.golang.org/grpc: v1.40.0 → v1.47.0
• google.golang.org/protobuf: v1.27.1 → v1.28.0
• gopkg.in/yaml.v3: 496545a → v3.0.1
• k8s.io/klog/v2: v2.60.1 → v2.70.1
• k8s.io/kube-openapi: 3ee0da9 → 67bda5d
• k8s.io/utils: 3a6ce19 → ee6ede2
• sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.30 → v0.0.32
• sigs.k8s.io/json: 9f7c6b3 → f223a00
• sigs.k8s.io/kustomize/api: v0.11.4 → v0.12.1
• sigs.k8s.io/kustomize/cmd/config: v0.10.6 → v0.10.9
• sigs.k8s.io/kustomize/kustomize/v4: v4.5.4 → v4.5.7
• sigs.k8s.io/kustomize/kyaml: v0.13.6 → v0.13.9
• sigs.k8s.io/structured-merge-diff/v4: v4.2.1 → v4.2.3

Removed

• github.com/OneOfOne/xxhash: v1.2.2
• github.com/cespare/xxhash: v1.1.0
• github.com/clusterhq/flocker-go: 2b8b725
• github.com/emicklei/go-restful: v2.9.5+incompatible
• github.com/google/cel-spec: v0.6.0
• github.com/jstemmer/go-junit-report: v0.9.1
• github.com/nxadm/tail: v1.4.4
• github.com/onsi/ginkgo: v1.14.0
• github.com/quobyte/api: v0.1.8
• github.com/spaolacci/murmur3: f09979e
• github.com/storageos/go-api: v2.2.0+incompatible
• gopkg.in/tomb.v1: dd63297

---

Contributors, the CHANGELOG-1.25.md has been bootstrapped with v1.25.0 release notes and you may edit now as needed.

Published by your Kubernetes Release Managers.