Kubernetes v1.26.0 is live!


Jeremy Rickard

Dec 9, 2022, 12:54:57 PM
to kubernetes-announce, dev
Kubernetes Community,

Kubernetes v1.26.0 has been built and pushed using Golang version 1.19.4.

The release notes have been updated in CHANGELOG-1.26.md, with a pointer to them on GitHub:



Downloads for v1.26.0

Source Code

filename
kubernetes.tar.gz
kubernetes-src.tar.gz

Client Binaries

filename
kubernetes-client-darwin-amd64.tar.gz
kubernetes-client-darwin-arm64.tar.gz
kubernetes-client-linux-386.tar.gz
kubernetes-client-linux-amd64.tar.gz
kubernetes-client-linux-arm.tar.gz
kubernetes-client-linux-arm64.tar.gz
kubernetes-client-linux-ppc64le.tar.gz
kubernetes-client-linux-s390x.tar.gz
kubernetes-client-windows-386.tar.gz
kubernetes-client-windows-amd64.tar.gz
kubernetes-client-windows-arm64.tar.gz

Server Binaries

filename
kubernetes-server-linux-amd64.tar.gz
kubernetes-server-linux-arm.tar.gz
kubernetes-server-linux-arm64.tar.gz
kubernetes-server-linux-ppc64le.tar.gz
kubernetes-server-linux-s390x.tar.gz

Node Binaries

filename
kubernetes-node-linux-amd64.tar.gz
kubernetes-node-linux-arm.tar.gz
kubernetes-node-linux-arm64.tar.gz
kubernetes-node-linux-ppc64le.tar.gz
kubernetes-node-linux-s390x.tar.gz
kubernetes-node-windows-amd64.tar.gz

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name architectures
registry.k8s.io/conformance:v1.26.0 amd64, arm, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.26.0 amd64, arm, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.26.0 amd64, arm, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.26.0 amd64, arm, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.26.0 amd64, arm, arm64, ppc64le, s390x

Changelog since v1.25.0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

Changes by Kind

Deprecation

  • CLI flag pod-eviction-timeout is deprecated and will be removed together with enable-taint-manager in v1.27. (#113710, @kerthcet)
  • Kube-apiserver: the unused --master-service-namespace flag was deprecated and will be removed in v1.27. (#112797, @SataQiu)
  • The gcp and azure auth plugins have been removed from client-go and kubectl. See kubelogin and Kubectl Auth Changes in GKE for details about the cloud-specific replacements. (#112341, @enj)

API Change

  • A new preEnqueue extension point was added to scheduler's component config v1beta2/v1beta3/v1. (#113275, @Huang-Wei)
  • Added a ResourceClaim API (in the resource.k8s.io/v1alpha1 API group and behind the DynamicResourceAllocation feature gate). The new API is now more flexible than the existing Device Plugins feature of Kubernetes because it allows Pods to request (claim) special kinds of resources, which can be available at node level, cluster level, or following any other model you implement. (#111023, @pohly)
  • Container preStop and postStart lifecycle handlers using httpGet now honor the specified scheme and headers fields. This enables setting custom headers and changing the scheme to HTTPS, consistent with container startup/readiness/liveness probe capabilities. Lifecycle handlers configured with scheme: HTTPS that encounter errors indicating the endpoint is actually using HTTP fall back to making the request over HTTP for compatibility with previous releases. When this happens, a LifecycleHTTPFallback event is recorded in the namespace of the pod and a kubelet_lifecycle_handler_http_fallbacks_total metric in the kubelet is incremented. Cluster administrators can opt out of the expanded lifecycle handler capabilities by setting --feature-gates=ConsistentHTTPGetHandlers=false in kubelet. (#86139, @jasimmons)
  • Graduated JobTrackingWithFinalizers to stable. Jobs created before the feature was enabled are still tracked without finalizers. Jobs tracked with finalizers have the annotation batch.kubernetes.io/job-tracking. If the annotation is present and the user attempts to remove it, the control plane adds it back. The annotation batch.kubernetes.io/job-tracking is now deprecated. The control plane will ignore it and stop adding it for new Jobs in v1.27. (#113510, @alculquicondor)
  • Kubelet added the following Pod failure conditions:
    • DisruptionTarget (graceful node shutdown, node pressure eviction) (#112360, @mimowo)
  • Priority and Fairness has introduced a new feature called borrowing that allows an API priority level to borrow a number of seats from other priority level(s). As a cluster operator, you can enable borrowing for a certain priority level configuration object via the two newly introduced fields lendablePercent, and borrowingLimitPercent located under the .spec.limited field of the designated priority level. This change added the following metrics:
    • apiserver_flowcontrol_nominal_limit_seats: Nominal number of execution seats configured for each priority level
    • apiserver_flowcontrol_lower_limit_seats: Configured lower bound on number of execution seats available to each priority level
    • apiserver_flowcontrol_upper_limit_seats: Configured upper bound on number of execution seats available to each priority level
    • apiserver_flowcontrol_demand_seats: Observations, at the end of every nanosecond, of (the number of seats each priority level could use) / (nominal number of seats for that level)
    • apiserver_flowcontrol_demand_seats_high_watermark: High watermark, over last adjustment period, of demand_seats
    • apiserver_flowcontrol_demand_seats_average: Time-weighted average, over last adjustment period, of demand_seats
    • apiserver_flowcontrol_demand_seats_stdev: Time-weighted standard deviation, over last adjustment period, of demand_seats
    • apiserver_flowcontrol_demand_seats_smoothed: Smoothed seat demands
    • apiserver_flowcontrol_target_seats: Seat allocation targets
    • apiserver_flowcontrol_seat_fair_frac: Fair fraction of server's concurrency to allocate to each priority level that can use it
    • apiserver_flowcontrol_current_limit_seats: current derived number of execution seats available to each priority level
    The possibility of borrowing means that the old metric apiserver_flowcontrol_request_concurrency_limit can no longer mean both the configured concurrency limit and the enforced concurrency limit. Henceforth it means the configured concurrency limit. (#113485, @MikeSpreitzer)
  • NodeInclusionPolicy in podTopologySpread plugin is now enabled by default. (#113500, @kerthcet)
  • PodDisruptionBudget now adds an alpha spec.unhealthyPodEvictionPolicy field. When the PDBUnhealthyPodEvictionPolicy feature-gate is enabled in kube-apiserver, setting this field to "AlwaysAllow" allows pods to be evicted if they do not have a ready condition, regardless of whether the PodDisruptionBudget is currently healthy. (#113375, @atiratree)
  • metav1.LabelSelectors specified in API objects are now validated to ensure they do not contain invalid label values that will error at time of use. Existing invalid objects can be updated, but new objects are required to contain valid label selectors. (#113699, @liggitt)
  • Add percentageOfNodesToScore as a scheduler profile level parameter to API version v1. When a profile percentageOfNodesToScore is set, it will override global percentageOfNodesToScore. (#112521, @yuanchen8911)
  • Add auth API to get self subject attributes (new selfsubjectreviews API is added). The corresponding command for kubectl is provided - kubectl auth whoami. (#111333, @nabokihms) [SIG API Machinery, Auth, CLI and Testing]
  • Added kubernetes_feature_enabled metric series to track whether each active feature gate is enabled. (#112690, @logicalhan)
  • Added a --topology-manager-policy-options flag to the kubelet to support fine tuning the topology manager policies. The first policy option, prefer-closest-numa-nodes, allows these policies to favor sets of NUMA nodes with shorter distance between nodes when making admission decisions. (#112914, @PiotrProkop)
  • Added a feature that allows a StatefulSet to start numbering replicas from an arbitrary non-negative ordinal, using the .spec.ordinals.start field. (#112744, @pwschuurman)
  • Added a kube-proxy flag (--iptables-localhost-nodeports, default true) to allow disabling NodePort services on loopback addresses. Note: this only applies to iptables mode and ipv4. (#108250, @cyclinder)
  • Added a new namespace alpha field to DataSourceRef field in PersistentVolumeClaim API. (#113186, @ttakahashi21)
  • Aggregated discovery will be alpha and can be toggled with the AggregatedDiscoveryEndpoint feature flag. (#113171, @Jefftree)
  • Clarified the CFS quota as 100ms in the code comments and set the minimum cpuCFSQuotaPeriod to 1ms to match Linux kernel expectations. (#112123, @paskal)
  • Component-base: make the validation logic about LeaderElectionConfiguration consistent between component-base and client-go (#111758, @SataQiu) [SIG API Machinery and Scheduling]
  • Deprecated the apiserver_request_slo_duration_seconds metric for v1.27 in favor of apiserver_request_sli_duration_seconds for naming consistency purposes with other SLI-specific metrics and to avoid any confusion between SLOs and SLIs. (#112679, @dgrisonnet)
  • Enable the "Retriable and non-retriable pod failures for jobs" feature into beta. (#113360, @mimowo)
  • Enabled kube-controller-manager to support '--concurrent-horizontal-pod-autoscaler-syncs' flag to set the number of horizontal pod autoscaler controller workers. (#108501, @zroubalik)
  • Fixed spurious field is immutable errors validating updates to Event API objects via the events.k8s.io/v1 API. (#112183, @liggitt)
  • Graduated ServiceInternalTrafficPolicy feature to GA. (#113496, @avoltz)
  • In kube-proxy: The "userspace" proxy mode (deprecated for over a year) is no longer supported on either Linux or Windows. Users should use "iptables" or "ipvs" on Linux, or "kernelspace" on Windows. (#112133, @knabben)
  • Introduce v1beta3 for Priority and Fairness with the following changes to the API spec:
    • rename 'assuredConcurrencyShares' (located under 'spec.limited') to 'nominalConcurrencyShares'.
    • apply strategic merge patch annotations to 'Conditions' of flowschemas and prioritylevelconfigurations. (#112306, @tkashem)
  • Introduced v1alpha1 API for validating admission policies, enabling extensible admission control via CEL expressions (KEP 3488: CEL for Admission Control). To use, enable the ValidatingAdmissionPolicy feature gate and the admissionregistration.k8s.io/v1alpha1 API via --runtime-config. (#113314, @cici37)
  • KMS: added validation for duplicate kms config name when auto reload is enabled. If you enabled automatic reload of encryption configuration with API server flag --encryption-provider-config-automatic-reload, ensure all the KMS provider names (v1 and v2) in the encryption configuration are unique. (#113697, @aramase)
  • Kubelet external Credential Provider feature is moved to GA. Credential Provider Plugin and Credential Provider Config APIs updated from v1beta1 to v1 with no API changes. (#111616, @ndixita)
  • Legacy klog flags are no longer available. Only -v and -vmodule are still supported. (#112120, @pohly) [SIG Architecture, CLI, Instrumentation, Node and Testing]
  • Moved MixedProtocolLBService from beta to GA. (#112895, @janosi)
  • New Pod API field .spec.schedulingGates is introduced to enable users to control when to mark a Pod as scheduling ready. (#113274, @Huang-Wei)
  • Protobuf serialization of metav1.MicroTime timestamps (used in Lease and Event API objects) has been corrected to truncate to microsecond precision, to match the documented behavior and JSON/YAML serialization. Any existing persisted data is truncated to microsecond when read from etcd. (#111936, @haoruan)
  • Removed feature gates ServiceLoadBalancerClass and ServiceLBNodePortControl. These feature gates were enabled (and locked) since v1.24. (#112577, @andrewsykim)
  • Reverted a regression that prevented client-go latency metrics from being reported with a template URL to avoid label cardinality. (#111752, @aanm)
  • The EndpointSliceTerminatingCondition feature gate was graduated to GA. The gate is now locked and will be removed in v1.28. (#113351, @andrewsykim)
  • DynamicKubeletConfig feature gate has been removed from the API server. Dynamic kubelet reconfiguration now can't be used even when older nodes are still attempting to rely on it. This is aligned with the Kubernetes version skew policy. (#112643, @SergeyKanzhelev)
  • kubectl wait command with jsonpath flag will wait for target path until timeout. (#109525, @jonyhy96)

Feature

  • Added selector validation to HorizontalPodAutoscaler: when multiple HPAs select the same set of Pods, scaling now will be disabled for those HPAs with the reason AmbiguousSelector. This change also covers a case when multiple HPAs point to the same deployment. (#112011, @pbeschetnov)
  • Pod Security admission: the pod-security warn level will now default to the enforce level. (#113491, @tallclair)
  • Promoted the APIServerIdentity feature to Beta. By default, each kube-apiserver will now create a Lease in the kube-system namespace. These lease objects can be used to identify the number of active API servers in the cluster, and may also be used for future features such as the Storage Version API. (#113629, @andrewsykim)
  • The iptables kube-proxy backend now processes service/endpoint changes more efficiently in very large clusters. (#110268, @danwinship)
  • CSIMigrationvSphere was upgraded to GA and locked to true. Do not upgrade to K8s 1.26 if you need Windows, or XFS, or raw block support until vSphere CSI Driver adds support for them in a version post v2.7.x. (#113336, @divyenpatel)
  • DelegateFSGroupToCSIDriver feature is GA. (#113225, @bertinatto)
  • NodeOutOfServiceVolumeDetach is now beta. (#113511, @xing-yang)
  • RetroactiveDefaultStorageClass feature is now beta. (#113329, @RomanBednar)
  • registered_metric_total will now report the number of metrics broken down by stability level and deprecated version. (#112907, @logicalhan)
  • A new DisableCompression field (default = false) has been added to kubeconfig under cluster info. When set to true, clients using the kubeconfig opt out of response compression for all requests to the apiserver. This can help improve list call latencies significantly when client-server network bandwidth is ample (>30MB/s) or if the server is CPU-constrained. (#112309, @shyamjvs)
  • A new pod_status_sync_duration_seconds histogram is reported at alpha metrics stability that estimates how long the Kubelet takes to write a pod status change once it is detected. (#107896, @smarterclayton) [SIG Apps, Architecture, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
  • API Server Tracing now includes a variety of new spans and span events. (#113172, @dashpole) [SIG API Machinery, Architecture, Auth, Instrumentation, Network, Node and Scheduling]
  • API Server tracing now includes the latency of authorization, priorityandfairness, impersonation, audit, and authentication filters. (#113217, @dashpole)
  • API Server tracing root span name for opentelemetry is changed from KubernetesAPI to HTTP GET. (#112545, @dims)
  • Added --disable-compression flag to kubectl (default = false). When true, it opts out of response compression for all requests to the apiserver. This can help improve list call latencies significantly when client-server network bandwidth is ample (>30MB/s) or if the server is CPU-constrained. (#112580, @shyamjvs)
  • Added a method StreamWithContext to remotecommand.Executor to support cancelable SPDY executor stream. (#103177, @arkbriar)
  • Added a new feature gate CelValidatingAdmissionExtensibility to enable expression validation for Admission Control. (#112792, @cici37) [SIG API Machinery]
  • Added alpha support for WindowsHostNetworking feature. (#112961, @marosset)
  • Added alpha support for returning container and pod metrics from CRI, instead of cAdvisor. (#113609, @haircommander)
  • Added categories column to the kubectl api-resources command's wide output (-o wide). Added --categories flag to the kubectl api-resources command, which can be used to filter the output to show only resources belonging to one or more categories. (#111096, @brianpursley) [SIG CLI]
  • Added kubelet metrics to track the cpumanager cpu allocation and pinning (#112855, @fromanirh)
  • Added new Golang runtime-related metrics to Kubernetes components:
    • go_gc_cycles_automatic_gc_cycles_total
    • go_gc_cycles_forced_gc_cycles_total
    • go_gc_cycles_total_gc_cycles_total
    • go_gc_heap_allocs_by_size_bytes
    • go_gc_heap_allocs_bytes_total
    • go_gc_heap_allocs_objects_total
    • go_gc_heap_frees_by_size_bytes
    • go_gc_heap_frees_bytes_total
    • go_gc_heap_frees_objects_total
    • go_gc_heap_goal_bytes
    • go_gc_heap_objects_objects
    • go_gc_heap_tiny_allocs_objects_total
    • go_gc_pauses_seconds
    • go_memory_classes_heap_free_bytes
    • go_memory_classes_heap_objects_bytes
    • go_memory_classes_heap_released_bytes
    • go_memory_classes_heap_stacks_bytes
    • go_memory_classes_heap_unused_bytes
    • go_memory_classes_metadata_mcache_free_bytes
    • go_memory_classes_metadata_mcache_inuse_bytes
    • go_memory_classes_metadata_mspan_free_bytes
    • go_memory_classes_metadata_mspan_inuse_bytes
    • go_memory_classes_metadata_other_bytes
    • go_memory_classes_os_stacks_bytes
    • go_memory_classes_other_bytes
    • go_memory_classes_profiling_buckets_bytes
    • go_memory_classes_total_bytes
    • go_sched_goroutines_goroutines
    • go_sched_latencies_seconds (#111910, @tosi3k)
  • Added new metric job_controller_terminated_pods_tracking_finalizer which can be used to monitor whether the job controller is removing Pod finalizers from terminated Pods after accounting them in Job status. (#113176, @alculquicondor)
  • Added publishing events when enabling/disabling TopologyAwareHints. (#113544, @LiorLieberman)
  • Added reconstruction of SELinux mount context after kubelet restart. Feature SELinuxMountReadWriteOncePod is now fully implemented and kubelet does not lose its cache of SELinux contexts after kubelet process restart. (#113596, @jsafrane)
  • Added support for Evented PLEG feature gate. (#111384, @harche)
  • Added the metric pod_start_sli_duration_seconds to kubelet. (#111930, @azylinski)
  • Added validation for the --container-runtime-endpoint flag of kubelet to be non-empty. (#112542, @astraw99)
  • Adds alpha --output plaintext protected by environment variable KUBECTL_EXPLAIN_OPENAPIV3 (#113146, @alexzielenski) [SIG CLI]
  • Adds metrics force_delete_pods_total and force_delete_pod_errors_total in the Pod GC Controller. (#113519, @xing-yang) [SIG Apps]
  • Azure File CSI migration is now GA. (#113160, @andyzhangx)
  • Changed preemption_victims metric bucket from LinearBuckets to ExponentialBuckets. (#112939, @lengrongfu)
  • Exposed health check SLI metrics on metrics/slis for apiserver. (#112741, @logicalhan)
  • Extend the job job_finished_total metric with a new reason label and introduce a new job metric to count pod failures handled by pod failure policy with respect to the action applied. (#113324, @mimowo) [SIG Apps and Testing]
  • Graduate ServiceIPStaticSubrange feature to GA. (#112163, @aojea)
  • Graduated Kubelet CPU Manager to GA. (#113018, @fromanirh)
  • Graduated Kubelet Device Manager to GA. (#112980, @swatisehgal)
  • If ComponentSLIs feature gate is enabled, then /metrics/slis becomes available on kubelet, allowing you to scrape health check metrics. (#113030, @Richabanker) [SIG Node]
  • If ComponentSLIs feature gate is enabled, then /metrics/slis now becomes available on cloud-controller-manager allowing you to scrape health check metrics. (#113340, @Richabanker)
  • If more than one StorageClass is designated as default (via the "storageclass.kubernetes.io/is-default-class" annotation), choose the newest one instead of throwing an error. (#110559, @danishprakash)
  • In client-go, SharedInformerFactory will now support waiting for goroutines during shutdown. (#112200, @pohly)
  • In kubeadm, command kubeadm join phase control-plane-prepare certs now supports running in dry-run mode on its own. (#113005, @chendave)
  • Kube-apiserver: gzip compression switched from level 4 to level 1 to improve large list call latencies in exchange for higher network bandwidth usage (10-50% higher). This increases the headroom before very large unpaged list calls exceed request timeout limits. (#112299, @shyamjvs)
  • Kubeadm: added show-join-command as a new separate phase at the end of kubeadm init. You can skip printing the join information by using kubeadm init --skip-phases=show-join-command. Executing only this phase on demand will throw an error because the phase needs dependencies such as bootstrap tokens to be pre-populated. (#111512, @SataQiu)
  • Kubeadm: added the "--cleanup-tmp-dir" flag for kubeadm reset. It will cleanup the contents of /etc/kubernetes/tmp. The flag is off by default. (#112172, @chendave)
  • Kubeadm: now supports image repository format validation. (#112732, @SataQiu)
  • Kubeadm: sub-phases are now able to support the dry-run mode, e.g. kubeadm reset phase cleanup-node --dry-run (#112945, @chendave) [SIG Cluster Lifecycle]
  • Kubeadm: tried to load CA cert from external CertificateAuthority file when CertificateAuthorityData is empty for existing kubeconfig. (#111783, @SataQiu)
  • Kubectl shell completions for the bash shell now include descriptions. (#113636, @marckhouzam)
  • Kubernetes is now built with Go 1.19.1 (#112287, @palnabarun) [SIG Release and Testing]
  • Kubernetes is now built with Go 1.19.2 (#112900, @xmudrii) [SIG Release and Testing]
  • Kubernetes is now built with Go 1.19.3. (#113550, @xmudrii)
  • Logs of requests that were timed out by a timeout handler no longer contain a statusStack and logging error output fields. (#112374, @Argh4k)
  • Metrics for RetroactiveDefaultStorageClass feature are now available. To see an attempt count for updating PVC retroactively with a default StorageClass see retroactive_storageclass_total metric and for total number of errors see retroactive_storageclass_errors_total. (#113323, @RomanBednar)
  • Promoted kubectl alpha events to kubectl events. (#113819, @soltysh)
  • Promoting WindowsHostProcessContainers to stable. (#113476, @marosset)
  • Scheduler now retries updating a pod's status on ServiceUnavailable and InternalError errors, in addition to net.ConnectionRefused error. (#111809, @Huang-Wei)
  • Shell completion now shows plugin names when appropriate. Furthermore, shell completion will work for plugins that provide such support. (#105867, @marckhouzam)
  • Switched kubectl to use github.com/russross/blackfriday/v2 (#112731, @pacoxu)
  • The ExpandedDNSConfig feature has graduated to beta and is enabled by default. Note that this feature requires container runtime support. (#112824, @gjkim42) [SIG Network and Testing]
  • The LegacyServiceAccountTokenNoAutoGeneration feature gate was promoted to GA. (#112838, @zshihang)
  • The ProxyTerminatingEndpoints feature is now Beta and enabled by default. When enabled, kube-proxy will attempt to route traffic to terminating pods when the traffic policy is Local and there are only terminating pods remaining on a node. (#113363, @andrewsykim)
  • The goroutines metric is newly added in the scheduler. It replaces scheduler_goroutines metric and it counts the number of goroutines in more places than scheduler_goroutines does. (#112003, @sanposhiho) [SIG Instrumentation and Scheduling]
  • Updated cAdvisor to v0.46.0. (#113769, @bobbypage)
  • Updated the Lease identity naming format for the APIServerIdentity feature to use a persistent name. (#113307, @andrewsykim)
  • When ComponentSLIs feature gate is enabled, /metrics/slis becomes available on kube-scheduler, allowing you to scrape health check metrics. (#113026, @Richabanker)
  • When ComponentSLIs feature gate is enabled, then /metrics/slis becomes available on kube-proxy allowing you to scrape health check metrics. (#113057, @Richabanker)
  • When ComponentSLIs feature gate is enabled, then /metrics/slis becomes available on kube-controller-manager, allowing you to scrape health check metrics. (#112978, @logicalhan)
  • When the alpha LegacyServiceAccountTokenTracking feature gate is enabled, secret-based service account tokens will have a kubernetes.io/legacy-token-last-used applied to them containing the date they were last used. (#108858, @zshihang) [SIG API Machinery, Auth and Testing]
  • CSRDuration feature gate that graduated to GA in 1.24 and is unconditionally enabled is now removed in v1.26. (#112386, @Shubham82)
  • kubectl config view now automatically redacts any secret fields marked with a datapolicy tag. (#109189, @mpuckett159)

Documentation

  • Clarified the default CFS quota period as being 100µs and not 100ms. (#111554, @paskal) [SIG Node]

Bug or Regression

  • Added back unused flags on kubectl run command, which did not go through the required deprecation period before being removed. (#112243, @brianpursley)
  • Added support for RSA and ECDSA format keys in preflight check on kubeadm. (#112508, @SataQiu)
  • Allowed Label section in vSphere e2e cloud provider configuration. (#112427, @gnufied)
  • Apiserver /healthz/etcd endpoint rate limits the number of forwarded health check requests to the etcd backends, answering with the last known state if the rate limit is exceeded. The rate limit is based on 1/2 of the timeout configured, with no burst allowed. (#112046, @aojea)
  • Apiserver: used the correct error when logging errors updating managedFields. (#113711, @andrewsykim)
  • Avoided propagating hosts search . into containers in /etc/resolv.conf. (#112157, @dghubble)
  • Bump golang.org/x/net to v0.1.1-0.20221027164007-c63010009c80. (#112693, @aimuz)
  • Bump runc to v1.1.4. (#113719, @pacoxu)
  • Callers using DelegatingAuthenticationOptions can now use DisableAnonymous to disable Anonymous authentication. (#112181, @xueqzhan)
  • Changed error message when resource is not supported by given patch type in kubectl patch. (#112556, @ardaguclu)
  • Correct the calculating error in podTopologySpread plugin to avoid unexpected scheduling results. (#112507, @kerthcet)
  • Etcd: Updated to v3.5.5. (#112489, @dims)
  • Fixed Admission controllers that caused unnecessary significant load on apiserver. (#112696, @aimuz)
  • Fixed DaemonSet to update the status even if it fails to create a pod. (#112127, @gjkim42)
  • Fixed a bug where a change in the appProtocol for a Service did not trigger a load balancer update. (#112785, @MartinForReal) [SIG Cloud Provider and Network]
  • Fixed a bug where the kubelet chose the wrong container by its name when running kubectl exec. (#113041, @saschagrunert)
  • Fixed an ephemeral port exhaustion bug caused by improper connection management that occurred when a large number of objects were handled by kubectl while exec auth was in use. (#112017, @enj)
  • Fixed an issue in winkernel proxier that causes proxy rules to leak anytime service backends are modified. (#112837, @daschott)
  • Fixed bug in kubectl rollout history where only the latest revision was displayed when a specific revision was requested and an output format was specified. (#111093, @brianpursley)
  • Fixed bug where dry run message was not printed when running kubectl label with --dry-run flag. (#111571,