---
- branch: MAIN
  date: Wed May 8 11:55:57 UTC 2024
  files:
  - new: '1.5'
    old: '1.4'
    path: pkgsrc/sysutils/py-kubernetes/Makefile
    pathrev: pkgsrc/sysutils/py-kubernetes/Makefile@1.5
    type: modified
  - new: '1.4'
    old: '1.3'
    path: pkgsrc/sysutils/py-kubernetes/PLIST
    pathrev: pkgsrc/sysutils/py-kubernetes/PLIST@1.4
    type: modified
  - new: '1.4'
    old: '1.3'
    path: pkgsrc/sysutils/py-kubernetes/distinfo
    pathrev: pkgsrc/sysutils/py-kubernetes/distinfo@1.4
    type: modified
  id: 20240508T115557Z.4ed9ec13528bed2f911c89bf5c58e1f433df246f
  log: |
    py-kubernetes: updated to 29.0.0

    v29.0.0
    Kubernetes API Version: v1.29.0
    Bug or Regression
    - Fix UTF-8 failures in Watch
    - Fix upper version boundary of urllib3, since other dependencies don't support urllib3 in version 2

    v29.0.0b1
    Kubernetes API Version: v1.29.0
    Bug or Regression
    - Fix UTF-8 failures in Watch
    - Fix upper version boundary of urllib3, since other dependencies don't support urllib3 in version 2

    v29.0.0a1
    Kubernetes API Version: v1.29.0
    API Change
    - '`kube-apiserver`: adds `--authentication-config` flag for reading `AuthenticationConfiguration` files. `--authentication-config` flag is mutually exclusive with the existing `--oidc-*` flags.'
    - '`kube-scheduler` component config (`KubeSchedulerConfiguration`) `kubescheduler.config.k8s.io/v1beta3` is removed in `v1.29`. Migrated `kube-scheduler` configuration files to `kubescheduler.config.k8s.io/v1`.'
    - A new sleep action for the `PreStop` lifecycle hook was added, allowing containers to pause for a specified duration before termination.
    - Added CEL expressions to `v1alpha1 AuthenticationConfiguration`.
    - Added Windows support for InPlace Pod Vertical Scaling feature.
    - Added `ImageMaximumGCAge` field to Kubelet configuration, which allows a user to set the maximum age an image is unused before it's garbage collected.
    - Added `UserNamespacesPodSecurityStandards` feature gate to enable user namespace support for Pod Security Standards.
      Enabling this feature will modify all Pod Security Standard rules to allow setting: `spec[.*].securityContext.[runAsNonRoot,runAsUser]`.
      This feature gate should only be enabled if all nodes in the cluster support the user namespace feature and have it enabled.
      The feature gate will not graduate or be enabled by default in future Kubernetes releases.
    - Added `optionalOldSelf` to `x-kubernetes-validations` to support ratcheting CRD schema constraints.
    - Added a new `ServiceCIDR` type that allows to dynamically configure the cluster range used to allocate `Service ClusterIPs` addresses.
    - Added a new `ipMode` field to the `.status` of Services where `type` is set to `LoadBalancer`. The new field is behind the `LoadBalancerIPMode` feature gate.
    - Added options for configuring `nf_conntrack_udp_timeout`, and `nf_conntrack_udp_timeout_stream` variables of netfilter conntrack subsystem.
    - Added support for CEL expressions to `v1alpha1 AuthorizationConfiguration` webhook `matchConditions`.
    - Added support for projecting `certificates.k8s.io/v1alpha1` ClusterTrustBundle objects into pods.
    - Added the `DisableNodeKubeProxyVersion` feature gate. If `DisableNodeKubeProxyVersion` is enabled, the `kubeProxyVersion` field is not set.
    - Fixed a bug where CEL expressions in CRD validation rules would incorrectly compute a high estimated cost for functions that return strings, lists or maps. The incorrect cost was evident when the result of a function was used in subsequent operations.
    - Fixed the API comments for the Job `Ready` field in status.
    - Fixed the API comments for the `FailIndex` Job pod failure policy action.
    - Go API: the `ResourceRequirements` struct was replaced with `VolumeResourceRequirements` for use with volumes.
    - Graduated `Job BackoffLimitPerIndex` feature to `beta`.
    - Marked the `onPodConditions` field as optional in `Job`'s pod failure policy.
    - Promoted `PodReadyToStartContainers` condition to `beta`.
    - The `flowcontrol.apiserver.k8s.io/v1beta3` `FlowSchema` and `PriorityLevelConfiguration` APIs have been promoted to `flowcontrol.apiserver.k8s.io/v1`, with the following changes:
      - `PriorityLevelConfiguration`: the `.spec.limited.nominalConcurrencyShares` field defaults to `30` only if the field is omitted (v1beta3 also defaulted an explicit `0` value to `30`). Specifying an explicit `0` value is not allowed in the `v1` version in v1.29 to ensure compatibility with `v1.28` API servers. In `v1.30`, explicit `0` values will be allowed in this field in the `v1` API.
      The `flowcontrol.apiserver.k8s.io/v1beta3` APIs are deprecated and will no longer be served in v1.32. All existing objects are available via the `v1` APIs. Transition clients and manifests to use the `v1` APIs before upgrading to `v1.32`.
    - The `kube-proxy` command-line documentation was updated to clarify that `--bind-address` does not actually have anything to do with binding to an address, and you probably don't actually want to be using it.
    - The `kube-scheduler` `selectorSpread` plugin has been removed, please use the `podTopologySpread` plugin instead.
    - The `matchLabelKeys/mismatchLabelKeys` feature is introduced to the hard/soft `PodAffinity/PodAntiAffinity`.
    - When updating a CRD, per-expression cost limit checks are now skipped for `x-kubernetes-validations` rules of versions that are not mutated.
    - `CSINodeExpandSecret` feature has been promoted to `GA` in this release and is enabled by default. The CSI drivers can make use of the `secretRef` values passed in `NodeExpansion` request optionally sent by the CSI Client from this release onwards.
    - `NodeStageVolume` calls will now be retried if the CSI node driver is not running.
    - `PersistentVolumeLastPhaseTransitionTime` is now beta and enabled by default.
    - `ValidatingAdmissionPolicy` type checking now supports CRDs and API extensions types.
    - `kube-apiserver`: added `--authorization-config` flag for reading a configuration file containing an `apiserver.config.k8s.io/v1alpha1 AuthorizationConfiguration` object. The `--authorization-config` flag is mutually exclusive with `--authorization-modes` and `--authorization-webhook-*` flags. The `alpha` `StructuredAuthorizationConfiguration` feature flag must be enabled for `--authorization-config` to be specified.
    - `kube-proxy` now has a new nftables-based mode, available by running
      `kube-proxy --feature-gates NFTablesProxyMode=true --proxy-mode nftables`
      This is currently an alpha-level feature and while it probably will not eat your data, it may nibble at it a bit. (It passes e2e testing but has not yet seen real-world use.)
      At this point it should be functionally mostly identical to the iptables mode, except that it does not (and will not) support Service NodePorts on 127.0.0.1. (Also note that there are currently no command-line arguments for the nftables-specific config; you will need to use a config file if you want to set the equivalent of any of the `--iptables-xxx` options.)
      As this code is still very new, it has not been heavily optimized yet; while it is expected to _eventually_ have better performance than the iptables backend, very little performance testing has been done so far.
    - `kube-proxy`: Added an option/flag for configuring the `nf_conntrack_tcp_be_liberal` sysctl (in the kernel's netfilter conntrack subsystem). When enabled, `kube-proxy` will not install the `DROP` rule for invalid conntrack states, which currently breaks users of asymmetric routing.
    - Added support for projecting certificates.k8s.io/v1alpha1 ClusterTrustBundle objects into pods.
    - Adds `optionalOldSelf` to `x-kubernetes-validations` to support ratcheting CRD schema constraints
    - Fix API comment for the Job Ready field in status
    - Fix API comments for the FailIndex Job pod failure policy action.
    - A new sleep action for the PreStop lifecycle hook is added, allowing containers to pause for a specified duration before termination.
    - Add ImageMaximumGCAge field to Kubelet configuration, which allows a user to set the maximum age an image is unused before it's garbage collected.
    - Add a new ServiceCIDR type that allows to dynamically configure the cluster range used to allocate Service ClusterIPs addresses
    - Add the DisableNodeKubeProxyVersion feature gate. If DisableNodeKubeProxyVersion is enabled, the kubeProxyVersion field is not set.
    - Added Windows support for InPlace Pod Vertical Scaling feature.
    - Added `UserNamespacesPodSecurityStandards` feature gate to enable user namespace support for Pod Security Standards.
      Enabling this feature will modify all Pod Security Standard rules to allow setting: `spec[.*].securityContext.[runAsNonRoot,runAsUser]`.
      This feature gate should only be enabled if all nodes in the cluster support the user namespace feature and have it enabled.
      The feature gate will not graduate or be enabled by default in future Kubernetes releases.
    - Added options for configuring nf_conntrack_udp_timeout, and nf_conntrack_udp_timeout_stream variables of netfilter conntrack subsystem.
    - Adds CEL expressions to v1alpha1 AuthenticationConfiguration.
    - Adds support for CEL expressions to v1alpha1 AuthorizationConfiguration webhook matchConditions.
    - CSINodeExpandSecret feature has been promoted to GA in this release and enabled by default. The CSI drivers can make use of the `secretRef` values passed in NodeExpansion request optionally sent by the CSI Client from this release onwards.
    - Graduate Job BackoffLimitPerIndex feature to Beta
    - Kube-apiserver: adds --authorization-config flag for reading a configuration file containing an apiserver.config.k8s.io/v1alpha1 AuthorizationConfiguration object. --authorization-config flag is mutually exclusive with --authorization-modes and --authorization-webhook-* flags. The alpha StructuredAuthorizationConfiguration feature flag must be enabled for --authorization-config to be specified.
    - Kube-proxy now has a new nftables-based mode, available by running
      kube-proxy --feature-gates NFTablesProxyMode=true --proxy-mode nftables
      This is currently an alpha-level feature and while it probably will not eat your data, it may nibble at it a bit. (It passes e2e testing but has not yet seen real-world use.)
      At this point it should be functionally mostly identical to the iptables mode, except that it does not (and will not) support Service NodePorts on 127.0.0.1. (Also note that there are currently no command-line arguments for the nftables-specific config; you will need to use a config file if you want to set the equivalent of any of the `--iptables-xxx` options.)
      As this code is still very new, it has not been heavily optimized yet; while it is expected to _eventually_ have better performance than the iptables backend, very little performance testing has been done so far.
    - Kube-proxy: Added an option/flag for configuring the `nf_conntrack_tcp_be_liberal` sysctl (in the kernel's netfilter conntrack subsystem). When enabled, kube-proxy will not install the DROP rule for invalid conntrack states, which currently breaks users of asymmetric routing.
    - PersistentVolumeLastPhaseTransitionTime is now beta, enabled by default.
    - Promote PodReadyToStartContainers condition to beta.
    - The flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema and PriorityLevelConfiguration APIs have been promoted to flowcontrol.apiserver.k8s.io/v1, with the following changes:
      - PriorityLevelConfiguration: the `.spec.limited.nominalConcurrencyShares` field defaults to `30` only if the field is omitted (v1beta3 also defaulted an explicit `0` value to `30`). Specifying an explicit `0` value is not allowed in the `v1` version in v1.29 to ensure compatibility with 1.28 API servers. In v1.30, explicit `0` values will be allowed in this field in the `v1` API.
      The flowcontrol.apiserver.k8s.io/v1beta3 APIs are deprecated and will no longer be served in v1.32. All existing objects are available via the `v1` APIs. Transition clients and manifests to use the `v1` APIs before upgrading to v1.32.
    - The kube-proxy command-line documentation was updated to clarify that `--bind-address` does not actually have anything to do with binding to an address, and you probably don't actually want to be using it.
    - The matchLabelKeys/mismatchLabelKeys feature is introduced to the hard/soft PodAffinity/PodAntiAffinity.
    - ValidatingAdmissionPolicy Type Checking now supports CRDs and API extensions types.
    - When updating a CRD, per-expression cost limit check is skipped for x-kubernetes-validations rules of versions that are not mutated.
    - Added a new `ipMode` field to the `.status` of Services where `type` is set to `LoadBalancer`. The new field is behind the `LoadBalancerIPMode` feature gate.
    - Fixed a bug where CEL expressions in CRD validation rules would incorrectly compute a high estimated cost for functions that return strings, lists or maps. The incorrect cost was evident when the result of a function was used in subsequent operations.
    - Go API: the ResourceRequirements struct needs to be replaced with VolumeResourceRequirements for use with volumes.
    - Kube-apiserver: adds --authentication-config flag for reading AuthenticationConfiguration files. --authentication-config flag is mutually exclusive with the existing --oidc-* flags.
    - Kube-scheduler component config (KubeSchedulerConfiguration) kubescheduler.config.k8s.io/v1beta3 is removed in v1.29. Migrate kube-scheduler configuration files to kubescheduler.config.k8s.io/v1.
    - Mark the onPodConditions field as optional in Job's pod failure policy.
    - Retry NodeStageVolume calls if CSI node driver is not running
    - The kube-scheduler `selectorSpread` plugin has been removed, please use the `podTopologySpread` plugin instead.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/sysutils/py-kubernetes'
  unixtime: '1715169357'
  user: adam