This release provides support for Kubernetes 1.22, has Control Groups v2 enabled by default and includes the Vertical Pod autoscaler.
A number of APIs are no longer serving specific Beta versions in favour of the GA version of those APIs. All existing objects can be interacted with via general availability APIs. This removal includes the beta versions of the `ValidatingWebhookConfiguration`, `MutatingWebhookConfiguration`, `CustomResourceDefinition`, `APIService`, `TokenReview`, `SubjectAccessReview`, `CertificateSigningRequest`, `Lease`, `Ingress`, and `IngressClass` APIs. For the full list, check out the Deprecated API Migration Guide and the blog post "Kubernetes API and Feature Removals In 1.22: Here's What You Need To Know".
We all have to adapt to change in our lives, and especially so in the past year. The Kubernetes release team was also affected by the COVID-19 pandemic and has listened to its user base regarding the number of releases in a calendar year. On April 23, 2021 it was made official that the Kubernetes release cadence is reduced from 4 releases per year to 3.
Related to this topic, the in-tree Azure and GCP authentication plugins have been deprecated in favor of out-of-tree implementations.
Server-side Apply is a new object merge algorithm, as well as tracking of field ownership, running on the Kubernetes API server. Server-side Apply helps users and controllers manage their resources via declarative configurations. It allows them to create and/or modify their objects declaratively, simply by sending their fully specified intent. After being in beta for a couple releases, Server-side Apply is now generally available.
CSI support for Windows nodes moves to GA in the 1.22 release. In Kubernetes v1.22, Windows privileged containers are only an alpha feature. To allow using CSI storage on Windows nodes, CSIProxy enables CSI node plugins to be deployed as unprivileged pods, using the proxy to perform privileged storage operations on the node.
Another feature moving to GA in v1.22 is CSI Service Account Token support. This feature allows CSI drivers to use pods' bound service account tokens instead of a more privileged identity. It also gives drivers control over re-publishing these volumes, so that short-lived tokens can be refreshed.
A new alpha feature allows running the kubeadm control plane components as non-root users. This is a long requested security measure in kubeadm. To try it you must enable the kubeadm-specific `RootlessControlPlane` feature gate. When you deploy a cluster using this alpha feature, your control plane runs with lower privileges.
Kubernetes' default backend storage, etcd, has a new release, 3.5.0, and the community embraced it. The new release comes with improvements to security, performance, monitoring and developer experience. There are numerous bug fixes, including lease objects causing memory leaks and the compact operation causing deadlocks. A couple of new features are also introduced, such as the migration to structured logging and built-in log rotation. The release comes with a detailed future roadmap to implement a solution to traffic overload. A full and detailed list of changes can be read in the 3.5.0 release announcement.
Every system administrator or Kubernetes user has been in the same boat regarding setting up and using Kubernetes: disable swap space. With the release of Kubernetes 1.22, alpha support is available to run nodes with swap memory. This change lets administrators opt in to configuring swap on Linux nodes, treating a portion of block storage as additional virtual memory.
Originally, Kubernetes used the v1 cgroups API. With that design, the QoS class for a pod only applied to CPU resources (such as `cpu_shares`). The Kubernetes cgroup manager uses `memory.limit_in_bytes` in v1 cgroups to limit the memory capacity for a container, and uses `oom_scores` to recommend an order for killing container processes if an out-of-memory event occurs. This implementation has shortcomings: for `Guaranteed` pods, memory cannot be fully reserved, and the page cache is at risk of being recycled. For `Burstable` pods, overcommitting memory (setting `request` less than `limit`) could increase the risk of a container being killed when the Linux kernel detects an out-of-memory condition.
As an alpha feature, Kubernetes v1.22 can use the cgroups v2 API to control memory allocation and isolation. This feature is designed to improve workload and node availability when there is contention for memory resources.
A regression bug was found where guaranteed Pods with multiple containers do not work properly with set allocations for CPU, memory and the device manager. The fix will be available in coming releases.
If the `CSIMigrationvSphere` feature gate is enabled, users should not upgrade to Kubernetes v1.22. The vSphere CSI Driver does not support Kubernetes v1.22 yet because it uses v1beta1 CRD APIs. Support for v1.22 will be added in a later release. Check the following document for the supported Kubernetes releases for a given vSphere CSI Driver version.
A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. This vulnerability was reported by Fabricio Voznika and Mark Wolters of Google.
Added a new score extension for the `NodeResourcesFit` plugin that merges the functionality of the `NodeResourcesLeastAllocated`, `NodeResourcesMostAllocated` and `RequestedToCapacityRatio` plugins, which are marked as deprecated as of v1beta2. In v1beta1, the three plugins can still be used, but not at the same time as the score extension of `NodeResourcesFit`. (#101822, @yuzhiquan)
A value of `Auto` is now valid for the `service.kubernetes.io/topology-aware-hints` annotation. (#100728, @robscott)
Add the `DataSourceRef` alpha field to the PVC spec, which allows contents other than `PVCs` and `VolumeSnapshots` to be data sources. (#103276, @bswartz)
Add `PersistentVolumeClaimDeletePolicy` to the StatefulSet API. (#99378, @mattcary)
Add a new Priority and Fairness rule that exempts all probes (`/readyz`, `/healthz`, `/livez`) to prevent the kubelet from restarting a healthy `kube-apiserver` instance. (#100678, @tkashem)
Add alpha support for HostProcess containers on Windows (#99576, @marosset) [SIG API Machinery, Apps, Node, Testing and Windows]
Add distributed tracing to the `kube-apiserver`. It can be enabled with the feature gate `APIServerTracing`. (#94942, @dashpole)
Add three metrics to the job controller to monitor whether a job is in a healthy condition.
`IndexedJob` has been promoted to Beta. (#101292, @AliceZhang2016)
Added field `.status.uncountedTerminatedPods` to the Job resource. This field is used by the job controller to keep track of finished pods before adding them to the Job status counters. Pods created by the job controller get the finalizer `batch.kubernetes.io/job-tracking`. Jobs that are tracked using this mechanism get the annotation `batch.kubernetes.io/job-tracking`. This is a temporary measure. Two releases after this feature graduates to beta, the annotation won't be added to Jobs anymore. (#98817, @alculquicondor)
Added new kubelet alpha feature `SeccompDefault`. This feature enables falling back to the `RuntimeDefault` (former `runtime/default`) seccomp profile if nothing else is specified in the pod/container `SecurityContext` or at the pod annotation level. To use the feature, enable the feature gate as well as set the kubelet configuration option `SeccompDefault` (`--seccomp-default`) to `true`. (#101943, @saschagrunert) [SIG Node]
Adds the `ReadWriteOncePod` access mode for `PersistentVolumes` and `PersistentVolumeClaims`. Restricts volume access to a single pod on a single node. (#102028, @chrishenzie)
Alpha swap support can now be enabled on Kubernetes nodes with the `NodeSwapEnabled` feature flag. See KEP-2400 for details. (#102823, @ehashman)
Because of the implementation logic of `time.Format` in golang, the displayed time zone is not consistent. (#102366, @cndoit18)
Corrected the documentation for escaping dollar signs in a container’s env, command and args property. (#101916, @MartinKanters) [SIG Apps]
Enable `MaxSurge` for `DaemonSet` by default. (#101742, @ravisantoshgudimetla)
Enforce the `ReadWriteOncePod` PVC access mode during scheduling. (#103082, @chrishenzie)
Ephemeral containers are now allowed to configure a `securityContext` that differs from that of the Pod. Cluster administrators should ensure that security policy controllers support `EphemeralContainers` before enabling this feature in clusters. (#99023, @verb)
Exec plugin authors can override default handling of standard input via the new `interactiveMode` kubeconfig field. (#99310, @ankeesler)
If someone had the `ProbeTerminationGracePeriod` alpha feature enabled in 1.21, they should update/delete any workloads/pods with probe `terminationGracePeriods` < 1 before upgrading. (#103245, @wzshiming)
Improved parsing of label selectors (#102188, @alculquicondor) [SIG API Machinery]
Introduce the `minReadySeconds` API to `StatefulSets`. (#100842, @ravisantoshgudimetla)
Introducing Memory quality of service support with cgroups v2 (Alpha). The `MemoryQoS` feature is now in Alpha. This allows a `kubelet` running with `cgroups v2` to set memory QoS at the container, pod and QoS level to protect and guarantee better memory quality. This feature can be enabled through the `MemoryQoS` feature gate. (#102970, @borgerli)
The Kube API server accepts an `Impersonate-Uid` header to impersonate a user with a specific UID, in the same way that you can currently use `Impersonate-User`, `Impersonate-Group` and `Impersonate-Extra`. (#99961, @margocrawf)
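As an added example for the entry above (written for this page, not apiserver code), the following Python models which RBAC permissions a caller must hold for each `Impersonate-*` header, including the new `Impersonate-Uid`: each header is translated into an (apiGroup, resource, name) attribute on which the caller needs the `impersonate` verb, following the mapping in the Kubernetes impersonation documentation (`users`/`groups`/`serviceaccounts` in the core group, `uids` and `userextras/<key>` in `authentication.k8s.io`). The roles, headers and UID are constructed samples, and namespace scoping of service accounts is not modelled.

```python
"""Added illustration (not apiserver code): the RBAC permissions a caller needs
for each Impersonate-* header, including the Impersonate-Uid header."""
from __future__ import annotations

IMPERSONATE = "impersonate"
AUTHN_GROUP = "authentication.k8s.io"


def impersonation_attributes(headers: dict) -> list[tuple[str, str, str]]:
    """Translate Impersonate-* headers into (apiGroup, resource, name) triples
    on which the caller must hold the 'impersonate' verb. Header names are
    matched case-insensitively; a value may be a string or a list of strings."""
    attrs: list[tuple[str, str, str]] = []
    for header, value in headers.items():
        name = header.lower()
        for v in (value if isinstance(value, list) else [value]):
            if name == "impersonate-user":
                # Assumption for this model: namespace scoping of serviceaccounts is ignored.
                resource = "serviceaccounts" if v.startswith("system:serviceaccount:") else "users"
                attrs.append(("", resource, v))
            elif name == "impersonate-group":
                attrs.append(("", "groups", v))
            elif name == "impersonate-uid":
                attrs.append((AUTHN_GROUP, "uids", v))
            elif name.startswith("impersonate-extra-"):
                key = name[len("impersonate-extra-"):]
                attrs.append((AUTHN_GROUP, f"userextras/{key}", v))
    return attrs


def rule_allows(rule: dict, group: str, resource: str, name: str) -> bool:
    """One RBAC PolicyRule, evaluated for the 'impersonate' verb."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    verbs, names = rule.get("verbs", []), rule.get("resourceNames")
    return ((group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and (IMPERSONATE in verbs or "*" in verbs)
            and (not names or name in names))


def authorize_impersonation(rules: list[dict], headers: dict) -> tuple[bool, list]:
    """Return (allowed, missing): every attribute must be granted by some rule."""
    missing = [a for a in impersonation_attributes(headers)
               if not any(rule_allows(r, *a) for r in rules)]
    return not missing, missing


# Constructed sample roles and request (not taken from any real cluster).
USERS_AND_GROUPS_ROLE = [
    {"apiGroups": [""], "resources": ["users", "groups"], "verbs": [IMPERSONATE]},
]
FULL_IMPERSONATION_ROLE = USERS_AND_GROUPS_ROLE + [
    {"apiGroups": [AUTHN_GROUP], "resources": ["uids", "userextras/scopes"], "verbs": [IMPERSONATE]},
]
SAMPLE_HEADERS = {
    "Impersonate-User": "jane",
    "Impersonate-Group": ["developers", "system:authenticated"],
    "Impersonate-Uid": "11111111-2222-3333-4444-555555555555",  # constructed UID
    "Impersonate-Extra-scopes": "view",
}

if __name__ == "__main__":
    for label, role in (("users+groups", USERS_AND_GROUPS_ROLE), ("full", FULL_IMPERSONATION_ROLE)):
        print(label, authorize_impersonation(role, SAMPLE_HEADERS))
```

The point for a defender: a role that only grants `impersonate` on `users` and `groups` does not let the caller set `Impersonate-Uid`, so adding UID impersonation to a cluster also means reviewing which bindings grant the `uids` resource.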
Kube-apiserver: `--service-account-issuer` can be specified multiple times now, to enable non-disruptive change of issuer. (#101155, @zshihang) [SIG API Machinery, Auth, Node and Testing]
Kube-controller-manager: the `--horizontal-pod-autoscaler-use-rest-clients` flag and Heapster support in the horizontal pod autoscaler, deprecated since 1.12, are removed. (#90368, @serathius)
Kube-scheduler: a plugin enabled in a v1beta2 configuration file takes precedence over the default configuration for that plugin. This simplifies enabling default plugins with custom configuration without needing to explicitly disable those default plugins. (#99582, @chendave)
A new `node-high` priority level has been added to the suggested API Priority and Fairness configuration. (#101151, @mborsz)
The `NodeSwapEnabled` feature flag was renamed to `NodeSwap`. The old flag was only available in the 1.22.0-beta.1 release, and the new flag should be used going forward. (#103553, @ehashman) [SIG Node]
Omit comparison with boolean constant (#101523, @chuntaochen) [SIG CLI and Cloud Provider]
Removed the feature flag for probe-level termination grace period from Kubelet. If a user wants to disable this feature on already created pods, they will have to delete and recreate the pods. (#103168, @raisaat) [SIG Apps and Node]
Revert the addition of `PersistentVolumeClaimDeletePolicy` to the `StatefulSet` API. (#103747, @mattcary)
The scheduler can be configured to consider new resources besides CPU and memory, GPU for example, for the score plugin of `NodeResourcesBalancedAllocation`. (#101946, @chendave) [SIG Scheduling]
Server Side Apply now treats all Selector fields as atomic (meaning the entire selector is managed by a single writer and updated together), since they contain interrelated and inseparable fields that do not merge in intuitive ways. (#97989, @Danil-Grigorev) [SIG API Machinery]
The Suspend Job feature graduated to beta. Added the `action` label to the Job controller sync metrics `job_sync_total` and `job_sync_duration_seconds`. (#102022, @adtac)
The API documentation for the DaemonSet's `spec.updateStrategy.rollingUpdate.maxUnavailable` field was corrected to state that the value is rounded up. (#101296, @Miciah)
The `CSIServiceAccountToken` feature graduates to GA and is unconditionally enabled. (#103001, @zshihang)
The `CertificateSigningRequest.certificates.k8s.io` API supports an optional `expirationSeconds` field to allow the client to request a particular duration for the issued certificate. The default signer implementations provided by the Kubernetes controller manager will honor this field as long as it does not exceed the `--cluster-signing-duration` flag. (#99494, @enj)
The EndpointSlice Mirroring controller no longer mirrors the `last-applied-configuration` annotation created by `kubectl` to update `EndpointSlices`. (#102731, @sharmarajdaksh)
The `NetworkPolicyEndPort` feature is graduated to beta and is enabled by default. (#102834, @rikatz)
The `PodDeletionCost` feature has been promoted to beta, and enabled by default. (#101080, @ahg-g)
Server Side Apply treats certain structs as atomic, meaning the entire selector field is managed by a single writer and updated together. (#100684, @Jefftree)
The `ServiceAppProtocol` feature gate has been removed. It reached GA in Kubernetes. (#103190, @robscott)
The `TerminationGracePeriodSeconds` on pod specs and container probes should not be negative. Negative values of `TerminationGracePeriodSeconds` will be treated as the value `1s` on the delete path. Immutable field validation will be relaxed in order to update negative values. In a future release, negative values will not be permitted. (#98866, @wzshiming)
The `kube-scheduler` component config `v1beta2` API is available. Three scheduler plugins are deprecated (`NodeLabel`, `ServiceAffinity`, `NodePreferAvoidPods`). (#99597, @adtac)
The `pod/eviction` subresource now accepts `policy/v1` eviction requests in addition to `policy/v1beta1` eviction requests. (#100724, @liggitt)
The `podAffinity`, `NamespaceSelector` and the associated `CrossNamespaceAffinity` quota scope features graduate to Beta and are now enabled by default. (#101496, @ahg-g)
The `pods/ephemeralcontainers` API now returns and expects a `Pod` object instead of `EphemeralContainers`. This is incompatible with the previous alpha-level API. (#101034, @verb) [SIG Apps, Auth, CLI and Testing]
The `v1.Node` field `.status.images[].names` is now optional. (#102159, @roycaihw)
The deprecated flag `--algorithm-provider` has been removed from `kube-scheduler`. Use `ComponentConfig` instead to configure the set of enabled plugins. (#102239, @Haleygo)
The options `--ssh-user` and `--ssh-key` are removed. They only functioned on GCE, and only in-tree. Use the apiserver network proxy instead. (#102297, @deads2k)
Track Job completion through status and Pod finalizers, removing dependency on Pod tombstones. (#98238, @alculquicondor) [SIG API Machinery, Apps, Auth and Testing]
Track ownership of scale subresource for all scalable resources i.e. Deployment, ReplicaSet, StatefulSet, ReplicationController, and Custom Resources. (#98377, @nodo) [SIG API Machinery and Testing]
Kube-apiserver: when merging lists, Server Side Apply now prefers the order of the submitted request instead of the existing persisted object (#107568, @jiahuif) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Storage and Testing]
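As an added example covering the Server-Side Apply description in the release overview and the entries above on atomic selectors and list merge order (a toy model written for this page, not apiserver code), the following Python tracks per-field ownership by manager, raises a conflict when one manager changes a field another manager owns, treats `spec.selector` as one atomic field, and merges the keyed `spec.ports` list so that items appear in the order of the submitted request. The atomic and keyed paths, the Service-like sample objects and the manager names are assumptions; the `managedFields` encoding and removal of fields a manager stops applying are not modelled.

```python
"""Added toy model (not apiserver code) of Server-Side Apply field ownership,
conflicts, atomic fields and keyed-list merging."""
from __future__ import annotations
from copy import deepcopy

# Assumptions for this model: which paths are atomic and which lists merge by key.
ATOMIC_FIELDS = {("spec", "selector")}
LIST_KEYS = {("spec", "ports"): "name"}


class Conflict(Exception):
    """Raised when an apply would change fields owned by another manager."""


def _leaf_paths(obj, prefix=()):
    """Yield (path, value) for every field the applied object specifies.
    A keyed-list item gets a ('k', <key value>) path step instead of an index."""
    if prefix in ATOMIC_FIELDS:
        yield prefix, obj                      # the whole selector is one field
    elif isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaf_paths(v, prefix + (k,))
    elif isinstance(obj, list) and prefix in LIST_KEYS:
        key = LIST_KEYS[prefix]
        for item in obj:
            yield from _leaf_paths(item, prefix + (("k", item[key]),))
    else:
        yield prefix, obj


def _find(items, key, value):
    return next((it for it in items if it.get(key) == value), None)


def _get(obj, path):
    cur = obj
    for i, step in enumerate(path):
        if cur is None:
            return None
        cur = _find(cur, LIST_KEYS[path[:i]], step[1]) if isinstance(step, tuple) else cur.get(step)
    return cur


def _set(obj, path, value):
    cur = obj
    for i, step in enumerate(path[:-1]):
        if isinstance(step, tuple):
            key = LIST_KEYS[path[:i]]
            item = _find(cur, key, step[1])
            if item is None:                   # new keyed item is appended
                item = {key: step[1]}
                cur.append(item)
            cur = item
        else:
            cur = cur.setdefault(step, [] if isinstance(path[i + 1], tuple) else {})
    cur[path[-1]] = value


def apply(live: dict, managed: dict, manager: str, applied: dict, force: bool = False):
    """Apply `applied` on behalf of `manager`; `managed` maps field path -> set of owners.
    Returns (new_live, new_managed) or raises Conflict unless force=True."""
    new_live = deepcopy(live)
    new_managed = {p: set(o) for p, o in managed.items()}
    leaves = list(_leaf_paths(applied))
    conflicts = [(p, new_managed[p] - {manager}) for p, v in leaves
                 if new_managed.get(p, set()) - {manager} and _get(new_live, p) != v]
    if conflicts and not force:
        raise Conflict("; ".join(f"{p} owned by {sorted(o)}" for p, o in conflicts))
    for path, value in leaves:
        if _get(new_live, path) == value:
            new_managed.setdefault(path, set()).add(manager)   # same value: shared ownership
        else:
            _set(new_live, path, value)
            new_managed[path] = {manager}                     # changed (or forced): sole owner
    for list_path, key in LIST_KEYS.items():                  # request order first, then the rest
        wanted = _get(applied, list_path)
        if wanted:
            rank = {it[key]: i for i, it in enumerate(wanted)}
            _get(new_live, list_path).sort(key=lambda it: rank.get(it[key], len(rank)))
    return new_live, new_managed


# Constructed sample: two managers applying parts of one Service-like object.
DEPLOY_TOOL_APPLY = {"spec": {"selector": {"app": "web"},
                              "ports": [{"name": "http", "port": 80}]}}
OPS_SELECTOR_APPLY = {"spec": {"selector": {"app": "web", "tier": "frontend"}}}
OPS_PORTS_APPLY = {"spec": {"ports": [{"name": "metrics", "port": 9090},
                                      {"name": "http", "port": 80}]}}


def demo():
    live, managed = apply({}, {}, "deploy-tool", DEPLOY_TOOL_APPLY)
    try:
        apply(live, managed, "ops", OPS_SELECTOR_APPLY)       # selector is owned by deploy-tool
        conflicted = False
    except Conflict:
        conflicted = True
    live, managed = apply(live, managed, "ops", OPS_SELECTOR_APPLY, force=True)
    live, managed = apply(live, managed, "ops", OPS_PORTS_APPLY)
    return conflicted, live, managed


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` shows the three behaviours in sequence: the unforced selector change is rejected, the forced one transfers ownership of the whole selector to `ops`, and the ports apply leaves `http` co-owned while placing `metrics` first because that is the order the request used.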
Kubernetes is now built with Golang 1.16.12 (#106982, @cpanato) [SIG Cloud Provider, Instrumentation, Release and Testing]
Update golang.org/x/net to v0.0.0-20211209124913-491a49abca63 (#106960, @cpanato) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node and Storage]
Kubernetes is now built with Golang 1.16.10 (#106223, @cpanato) [SIG Cloud Provider, Instrumentation, Release and Testing]
Update `debian-base`, `debian-iptables` and `setcap` images to pick up CVE fixes:
- `debian-base` to v1.9.0
- `debian-iptables` to v1.6.7
- `setcap` to v2.0.4 (#106143, @cpanato) [SIG Release and Testing]
A `system-cluster-critical` pod should not get a low OOM score. As of now both `system-node-critical` and `system-cluster-critical` pods have a -997 OOM score, making them among the last processes to be OOMKilled. By definition `system-cluster-critical` pods can be scheduled elsewhere if there is a resource crunch on the node, whereas `system-node-critical` pods cannot be rescheduled. This was the reason for `system-node-critical` to have a higher priority value than `system-cluster-critical`. This change allows only the `system-node-critical` priority class to have a low OOM score.
Action required: if the user wants the pod to be OOMKilled last and the pod has the `system-cluster-critical` priority class, it has to be changed to the `system-node-critical` priority class to preserve the existing behavior. (#99729, @ravisantoshgudimetla)
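As an added example for the OOM score change above and for the earlier description of QoS classes and `oom_scores` under cgroups v1 (written for this page, not kubelet code), the following Python derives a pod's QoS class from its resource requests and limits and then the `oom_score_adj` each container receives: -997 for Guaranteed and node-critical pods, 1000 for BestEffort, and a value scaled by the share of node memory requested for Burstable. The `legacy_cluster_critical` switch reproduces the pre-change behaviour in which `system-cluster-critical` also received -997. The sample pods and the 4 GiB node are constructed; the Burstable clamp bounds follow the kubelet's policy as I understand it and should be treated as an assumption.

```python
"""Added illustration (not kubelet code) of how a pod's QoS class and priority
class map to the oom_score_adj the kubelet gives each container, including the
change that stops system-cluster-critical pods from getting the lowest score."""
from __future__ import annotations

GUARANTEED_OOM_SCORE_ADJ = -997   # killed last
BEST_EFFORT_OOM_SCORE_ADJ = 1000  # killed first

_SUFFIXES = {"Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
             "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_quantity(q: str) -> int:
    """Parse a memory quantity such as '256Mi', '1G' or '1073741824' into bytes."""
    for suffix, mult in _SUFFIXES.items():
        if q.endswith(suffix):
            return int(float(q[: -len(suffix)]) * mult)
    return int(float(q))


def _effective_resources(container: dict) -> tuple[dict, dict]:
    """(requests, limits); a request defaults to the limit when only the limit is set."""
    res = container.get("resources", {})
    limits = dict(res.get("limits", {}))
    requests = dict(res.get("requests", {}))
    for name, value in limits.items():
        requests.setdefault(name, value)
    return requests, limits


def qos_class(pod: dict) -> str:
    """Guaranteed: every container has cpu and memory limits equal to its requests.
    BestEffort: no container sets any request or limit. Otherwise Burstable."""
    any_set, all_guaranteed = False, True
    for c in pod["spec"]["containers"]:
        requests, limits = _effective_resources(c)
        any_set = any_set or bool(requests) or bool(limits)
        for r in ("cpu", "memory"):
            if r not in limits or requests.get(r) != limits[r]:
                all_guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if all_guaranteed else "Burstable"


def is_node_critical(pod: dict, legacy_cluster_critical: bool = False) -> bool:
    """system-node-critical always qualifies; before #99729 system-cluster-critical did too."""
    pc = pod["spec"].get("priorityClassName")
    return pc == "system-node-critical" or (legacy_cluster_critical and pc == "system-cluster-critical")


def container_oom_score_adj(pod: dict, container: dict, node_memory_bytes: int,
                            legacy_cluster_critical: bool = False) -> int:
    """oom_score_adj for one container. Burstable scores scale with the share of node
    memory requested and stay strictly between the Guaranteed and BestEffort values
    (assumption: clamp bounds follow the kubelet's policy as I understand it)."""
    if is_node_critical(pod, legacy_cluster_critical):
        return GUARANTEED_OOM_SCORE_ADJ
    qos = qos_class(pod)
    if qos == "Guaranteed":
        return GUARANTEED_OOM_SCORE_ADJ
    if qos == "BestEffort":
        return BEST_EFFORT_OOM_SCORE_ADJ
    requests, _ = _effective_resources(container)
    mem_request = parse_quantity(requests.get("memory", "0"))
    adj = 1000 - (1000 * mem_request) // node_memory_bytes
    adj = max(adj, 1000 + GUARANTEED_OOM_SCORE_ADJ)  # never below a Guaranteed pod
    if adj == BEST_EFFORT_OOM_SCORE_ADJ:
        adj -= 1                                     # never equal to BestEffort
    return adj


# Constructed sample pods on a 4 GiB node.
NODE_MEMORY = 4 * 1024**3


def _pod(resources: dict, priority_class: str | None = None) -> dict:
    spec = {"containers": [{"name": "app", "resources": resources}]}
    if priority_class:
        spec["priorityClassName"] = priority_class
    return {"spec": spec}


GUARANTEED_POD = _pod({"limits": {"cpu": "1", "memory": "1Gi"}})
BURSTABLE_POD = _pod({"requests": {"memory": "1Gi"}, "limits": {"memory": "2Gi"}})
CPU_ONLY_POD = _pod({"requests": {"cpu": "500m"}})
BEST_EFFORT_POD = _pod({})
CLUSTER_CRITICAL_POD = _pod({"requests": {"memory": "1Gi"}}, "system-cluster-critical")
NODE_CRITICAL_POD = _pod({"requests": {"memory": "1Gi"}}, "system-node-critical")


def score(pod: dict, legacy: bool = False) -> int:
    return container_oom_score_adj(pod, pod["spec"]["containers"][0], NODE_MEMORY, legacy)


if __name__ == "__main__":
    for name, pod in (("guaranteed", GUARANTEED_POD), ("burstable", BURSTABLE_POD),
                      ("cpu-only", CPU_ONLY_POD), ("best-effort", BEST_EFFORT_POD),
                      ("cluster-critical", CLUSTER_CRITICAL_POD), ("node-critical", NODE_CRITICAL_POD)):
        print(f"{name:17} qos={qos_class(pod):10} oom_score_adj={score(pod)} (pre-change: {score(pod, True)})")
```

The `CLUSTER_CRITICAL_POD` row is the one the action-required note is about: after the change it is scored like any Burstable pod (750 here), and only switching it to `system-node-critical` restores -997.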
API Server tracing can now trace re-entrant api requests. (#103218, @dashpole) [SIG API Machinery, CLI, Cloud Provider, Cluster Lifecycle and Instrumentation]
APIServerTracing now collects spans from etcd client calls, and propagates context to etcd. (#103216, @dashpole) [SIG API Machinery, Cloud Provider and Instrumentation]
APIServerTracing now collects spans from outgoing requests to admission webhooks. (#103601, @dashpole) [SIG API Machinery]
Add a namespace label for all `apiserver_admission_*` metrics. Expand the histogram range to 0-10s for all `apiserver_admission_*_duration_seconds` metrics. (#101208, @voutcn)
Add unified map on CRI to support `cgroup v2`. Refer to https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#unified. (#102578, @payall4u)
Added BinaryData description to the `kubectl describe` command. (#100568, @lauchokyip)
Added a new metric `apiserver_flowcontrol_request_concurrency_in_use` that shows the number of seats (concurrency) occupied by the currently executing requests in the API Priority and Fairness system. (#102795, @tkashem)
Added field-selector option for `kubectl top pod`. (#102155, @lauchokyip) [SIG CLI]
Added new metrics about API Priority and Fairness. Each one has a label `priority_level`. The last two also have a label `bound` taking values `min` and `max`.
- `apiserver_flowcontrol_current_r`: R(the time of the last change in state of the queues)
- `apiserver_flowcontrol_dispatch_r`: R(the time of the latest request dispatch)
- `apiserver_flowcontrol_latest_s`: S(the request last dispatched) = R(when that request starts executing in the virtual world)
- `apiserver_flowcontrol_next_s_bounds`: min and max next S among non-empty queues
- `apiserver_flowcontrol_next_discounted_s_bounds`: min and max next S - (sum [over requests executing] width * estimatedDuration) among non-empty queues (#102859, @MikeSpreitzer) [SIG API Machinery and Instrumentation]
Adding `--restart-kubelet` flag on the E2E Node test suite. (#97028, @knabben) [SIG Node and Testing]
Adds feature gate `KubeletInUserNamespace` which enables support for running kubelet in a user namespace. The user namespace has to be created before running kubelet. All the node components such as the CRI need to be running in the same user namespace. When the feature gate is enabled, kubelet ignores errors that happen while setting the following sysctl values: `vm.overcommit_memory`, `vm.panic_on_oom`, `kernel.panic`, `kernel.panic_on_oops`, `kernel.keys.root_maxkeys`, `kernel.keys.root_maxbytes`. (These are sysctl values for the host, not for the containers.) kubelet also ignores an error during opening `/dev/kmsg`. This feature gate also allows kube-proxy to ignore an error during setting `RLIMIT_NOFILE`. This feature gate is especially useful for running Kubernetes inside Rootless Docker/Podman with `kind` or `minikube`. (#92863, @AkihiroSuda) [SIG Network, Node and Testing]
Adds metrics for the delegated authenticator used by extension APIs that delegate authentication logic to the Kube API server. (#99364, @p0lyn0mial)
Adds metrics for the delegated authorizer used by extension APIs that delegate authorization logic to the Kube API server. (#100339, @p0lyn0mial)
Adds two kubemark flags, `--max-pods` and `--extended-resources`. (#100267, @Jeffwan)
An audit log entry will be generated when a `ValidatingAdmissionWebhook` fails to open. (#92739, @cnphil)
Base images: Update to `debian-base:buster-v1.7.1`. (#102594, @mengjiao-liu)
Deprecation warning message for the `ignore-errors` flag. (#102677, @yuzhiquan)
Endpoints that have more than 1000 endpoints will be truncated and the `endpoints.kubernetes.io/over-capacity` annotation on the Endpoints resource will be set to `truncated`. (#103520, @swetharepakula) [SIG Apps and Network]
Expose `/debug/flags/v` to allow dynamically setting the log level for kube-proxy. (#98306, @borgerli) [SIG Network]
Expose container start time as `container_start_time_seconds` in the kubelet `/metrics/resource` endpoint. (#102444, @sanwishe)
Extended resources defined in the `LeastAllocated`, `MostAllocated` and `RequestedToCapacityRatio` plugin arguments are bypassed by the scheduler if the incoming Pod doesn't request them in the pod spec. (#103169, @Huang-Wei)
Feat: change partition style to GPT on Windows. (#101412, @andyzhangx) [SIG Storage and Windows]
Feature gates `EndpointSliceProxying` & `WindowsEndpointSliceProxying` graduate to GA and are unconditionally enabled. Kube-proxy will use EndpointSlices for endpoint information. (#103451, @swetharepakula)
Fluentd: isolate logging resources in the separate namespace `logging`. (#68004, @saravanan30erd)
For `kubeadm`: add the `--validity-period` flag for the `kubeadm kubeconfig user` command. (#100907, @SataQiu)
Implement `minReadySeconds` for `StatefulSets`. (#101316, @ravisantoshgudimetla)
Improve logging of `APIService` availability changes in kube-apiserver. (#101420, @sttts)
Introduce a feature gate `DisableCloudProviders` allowing to disable cloud-provider initialization in KAPI, KCM and kubelet. The `DisableCloudProviders` feature gate is currently in Alpha, which means it is currently disabled by default. Once the feature gate moves to beta, in-tree cloud providers will be disabled by default, and a user won't be able to specify `--cloud-provider=<aws|openstack|azure|gcp|vsphere>` anymore to any of KCM, KAPI or kubelet. Only `--cloud-provider=external` will be allowed. CCM would have to run out-of-tree with CSI. (#100136, @Danil-Grigorev)
The JSON logging format is no longer available by default in non-core Kubernetes components and requires owners to opt in. (#102869, @mengjiao-liu) [SIG API Machinery, Cluster Lifecycle and Instrumentation]
Kube-apiserver: the alpha PodSecurity feature can be enabled by passing `--feature-gates=PodSecurity=true`, and enables controlling allowed pods using namespace labels. See https://git.k8s.io/enhancements/keps/sig-auth/2579-psp-replacement for more details. (#103099, @liggitt) [SIG API Machinery, Auth, Instrumentation, Release, Security and Testing]
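As an added example for the PodSecurity entry above and the `SeccompDefault` kubelet feature described earlier (written for this page, not the admission plugin), the following Python reads the `pod-security.kubernetes.io/enforce`, `audit` and `warn` namespace labels and checks a pod against a subset of the baseline and restricted Pod Security Standards. The selection of checks is my own reduced subset; the matching `-version` labels exist but are ignored here, and the namespace labels and pods are constructed samples.

```python
"""Added illustration (not the PodSecurity admission plugin): read the
pod-security.kubernetes.io/{enforce,audit,warn} namespace labels and check a
pod against a subset of the baseline and restricted Pod Security Standards."""
from __future__ import annotations

LABEL_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
LEVELS = ("privileged", "baseline", "restricted")


def namespace_policy(labels: dict) -> dict:
    """Level per mode; an unset mode defaults to 'privileged' (no restriction).
    The matching '-version' labels exist too but this model ignores them."""
    policy = {}
    for mode in MODES:
        level = labels.get(LABEL_PREFIX + mode, "privileged")
        if level not in LEVELS:
            raise ValueError(f"unknown pod security level {level!r} for {mode}")
        policy[mode] = level
    return policy


def _containers(pod: dict) -> list[dict]:
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def _sc(pod: dict, container: dict, field: str):
    """Container-level securityContext overrides the pod-level one."""
    csc = container.get("securityContext", {})
    return csc[field] if field in csc else pod["spec"].get("securityContext", {}).get(field)


def baseline_violations(pod: dict) -> list[str]:
    """Subset of the baseline profile: no host namespaces, hostPath volumes,
    privileged containers or explicit 'Unconfined' seccomp profile."""
    spec, out = pod["spec"], []
    out += [f"{f} is set" for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    out += [f"volume {v.get('name')} uses hostPath" for v in spec.get("volumes", []) if "hostPath" in v]
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            out.append(f"container {c['name']} is privileged")
        if (_sc(pod, c, "seccompProfile") or {}).get("type") == "Unconfined":
            out.append(f"container {c['name']} uses seccompProfile Unconfined")
    return out


def restricted_violations(pod: dict) -> list[str]:
    """Subset of the restricted profile: everything in baseline, plus explicit
    allowPrivilegeEscalation: false, runAsNonRoot: true, dropping ALL capabilities
    and an explicit RuntimeDefault or Localhost seccomp profile."""
    out = baseline_violations(pod)
    for c in _containers(pod):
        n, csc = c["name"], c.get("securityContext", {})
        if csc.get("allowPrivilegeEscalation") is not False:
            out.append(f"container {n} must set allowPrivilegeEscalation: false")
        if _sc(pod, c, "runAsNonRoot") is not True:
            out.append(f"container {n} must set runAsNonRoot: true")
        if "ALL" not in csc.get("capabilities", {}).get("drop", []):
            out.append(f"container {n} must drop ALL capabilities")
        if (_sc(pod, c, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f"container {n} must set seccompProfile type RuntimeDefault or Localhost")
    return out


CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations, "restricted": restricted_violations}


def evaluate(namespace_labels: dict, pod: dict) -> dict:
    """{mode: violations}. A non-empty 'enforce' list means admission rejects the pod;
    'audit' and 'warn' only annotate the audit log or return API warnings."""
    return {mode: CHECKS[level](pod) for mode, level in namespace_policy(namespace_labels).items()}


# Constructed samples: enforce baseline, warn about anything that would fail restricted.
NS_LABELS = {LABEL_PREFIX + "enforce": "baseline", LABEL_PREFIX + "warn": "restricted"}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
RISKY_POD = {"spec": {
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    print("hardened:", evaluate(NS_LABELS, HARDENED_POD))
    print("risky:", evaluate(NS_LABELS, RISKY_POD))
```

One interaction worth noting: the kubelet's `SeccompDefault` feature applies `RuntimeDefault` at runtime when nothing is specified, but the restricted profile is checked against the pod spec, so a pod still has to set `seccompProfile` explicitly to pass that check.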
Kube-proxy uses V1 `EndpointSlices`. (#103306, @swetharepakula)
Kubeadm: Add the `RootlessControlPlane` kubeadm-specific feature gate (Alpha in 1.22, disabled by default). It can be used to enable an experimental feature that makes the control plane component static Pod containers for `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` and `etcd` run as non-root users. (#102158, @vinayakankugoyal)
Kubeadm: Set the `seccompProfile` to `runtime/default` in the `PodSecurityContext` of the control-plane components that run as static Pods. (#100234, @vinayakankugoyal)
Kubeadm: add a new field `skipPhases` to `v1beta3` `InitConfiguration` and `JoinConfiguration` that can contain a list of phases to skip during "kubeadm init" and "kubeadm join". The flag `--skip-phases` takes precedence over this field. (#101923, @neolit123)
Kubeadm: add the `--dry-run` flag to the `control-plane` phase of "kubeadm init". (#102722, @vinayakankugoyal)
Kubeadm: add the `imagePullPolicy` field in the `nodeRegistration` section of `InitConfiguration` and `JoinConfiguration` in `v1beta3`. This allows the user to specify the image pull policy during "kubeadm init" and "kubeadm join". The value of this field must be one of `Always`, `IfNotPresent` or `Never`. The default behavior continues to be `IfNotPresent`. (#102901, @wangyysde)
Kubeadm: during "kubeadm init/join/upgrade", always default the `cgroupDriver` value in the `KubeletConfiguration` to `systemd`, unless the user was explicit about the value. See configure-cgroup-driver for more details. (#102133, @pacoxu)
Kubeadm: update `CoreDNS` to 1.8.4. Grant `CoreDNS` permissions to "list" and "watch" `EndpointSlice` objects to accommodate dual-stack support. (#102466, @pacoxu)
Kubectl: add a `LAST RESTART` column to `kubectl get pods` output. (#100142, @Ethyling)
Kubemark’s hollow-node will now print flags before starting. (#101181, @mm4tt)
Kubernetes is now built with Golang 1.16.3 (#101206, @justaugustus) [SIG Cloud Provider, Instrumentation, Release and Testing]
Kubernetes is now built with Golang 1.16.4 (#101809, @justaugustus) [SIG Cloud Provider, Instrumentation, Release and Testing]
Kubernetes is now built with Golang 1.16.5. (#102689, @cpanato)
Kubernetes is now built with Golang 1.16.6 (#103669, @cpanato) [SIG Cloud Provider, Instrumentation, Release and Testing]
Leader Migration for controller managers graduated to beta. (#103533, @jiahuif) [SIG API Machinery and Cloud Provider]
Make kubectl command headers default for beta. (#103238, @seans3) [SIG CLI]
Mark `net.ipv4.ip_unprivileged_port_start` as a safe `sysctl`. (#103326, @pacoxu)
Metrics server nanny has now poll period set to 30s (previously 5 minutes) to allow faster scaling of metrics server. (#101869, @olagacek) [SIG Cloud Provider and Instrumentation]
NetworkPolicy validation framework support for windows. (#98077, @jayunit100)
New feature gate `ExpandedDNSConfig` is now available. This feature allows Kubernetes to have expanded DNS configuration. (#100651, @gjkim42)
New metrics: `apiserver_kube_aggregator_x509_missing_san_total` and `apiserver_webhooks_x509_missing_san_total`. These metrics measure the number of connections to webhooks/aggregated API servers that use certificates without Subject Alternative Names. A non-zero value is a warning sign that these connections will stop functioning in the future, since Golang is going to deprecate x509 certificate subject Common Names for server hostname verification. (#95396, @stlaz) [SIG API Machinery, Auth and Instrumentation]
Node Problem Detector is now available for GCE Windows nodes. (#101539, @jeremyje) [SIG Cloud Provider, Node and Windows]
Promote the CronJobs storage version to `batch/v1`. (#102363, @mengjiao-liu)
Promote the `CronJobControllerV2` flag to GA, with removal in 1.23. (#102529, @soltysh)
Promote `EndpointSliceTerminatingCondition` to Beta. This enables the `terminating` and `serving` conditions for EndpointSlice by default. (#103596, @andrewsykim)
Run etcd as non-root on GCE provider (#100635, @cindy52)
The scheduler now provides an option for plugin developers to move `Pods` to activeQ. (#103383, @Huang-Wei)
Secret values are now masked by default in `kubectl diff` output. (#96084, @loozhengyuan)
Services with `externalTrafficPolicy: Local` now support graceful termination when using the iptables or ipvs mode of kube-proxy with `EndpointSlices` enabled. Specifically, if a connection for such a service arrives on a node when there are no "Ready" endpoints for the service, but there is at least one Terminating pod for that service on the node, then kube-proxy will send the traffic to the Terminating pod rather than dropping it. This patches up a race condition between when a pod is killed and when the external load balancer notices that it has been killed. (#97238, @andrewsykim)
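As an added example for the entry above and the `terminating`/`serving` EndpointSlice conditions promoted in this release (written for this page, not kube-proxy code), the following Python selects the endpoints a node would use for a `externalTrafficPolicy: Local` service from an EndpointSlice-shaped object, falling back to terminating endpoints when no ready ones exist on the node. The slice contents are constructed, and the requirement that a terminating endpoint must also be `serving` before it is used is my assumption.

```python
"""Added illustration (not kube-proxy code) of the externalTrafficPolicy: Local
endpoint selection described above, using EndpointSlice-style endpoints with
ready/serving/terminating conditions."""
from __future__ import annotations


def local_targets(slice_: dict, node: str, terminating_fallback: bool = True) -> list[str]:
    """Addresses kube-proxy on `node` would use for a Local-policy service.

    Ready endpoints on this node win. If there are none, fall back to endpoints
    that are terminating but still serving, so that a connection arriving while
    the last local pod drains is answered instead of dropped. Assumption: the
    'serving' condition must be true for a terminating endpoint to be used."""
    local = [e for e in slice_["endpoints"] if e.get("nodeName") == node]
    chosen = [e for e in local if e["conditions"].get("ready")]
    if not chosen and terminating_fallback:
        chosen = [e for e in local
                  if e["conditions"].get("terminating") and e["conditions"].get("serving")]
    return [addr for e in chosen for addr in e["addresses"]]


# Constructed sample slice: one ready pod on node-a, one pod being drained on
# node-b, and one pod on node-c that is terminating and no longer serving.
SAMPLE_SLICE = {
    "kind": "EndpointSlice", "addressType": "IPv4",
    "endpoints": [
        {"addresses": ["10.0.0.1"], "nodeName": "node-a",
         "conditions": {"ready": True, "serving": True, "terminating": False}},
        {"addresses": ["10.0.0.2"], "nodeName": "node-b",
         "conditions": {"ready": False, "serving": True, "terminating": True}},
        {"addresses": ["10.0.0.3"], "nodeName": "node-c",
         "conditions": {"ready": False, "serving": False, "terminating": True}},
    ],
}


def simulate_drain(node: str) -> dict:
    """Compare the old (drop) and new (use terminating pod) behaviour for one node."""
    return {"legacy": local_targets(SAMPLE_SLICE, node, terminating_fallback=False),
            "1.22": local_targets(SAMPLE_SLICE, node)}


if __name__ == "__main__":
    for n in ("node-a", "node-b", "node-c"):
        print(n, simulate_drain(n))
```

`node-b` is the race the entry describes: the load balancer still forwards to that node, its only pod is draining, and without the fallback the connection is dropped; `node-c` shows that a pod that has stopped serving is not used either way.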
Shell completion has been migrated to Cobra's go solution. `kubectl` is now smarter about disabling file completion when it does not apply. Furthermore, completion for the `cp` command does not show all files unless the user has started typing something. (#96087, @marckhouzam) [SIG CLI]
Some of the in-tree storage drivers indicate support for the `MetricsProvider` interface, but fail to configure this for BlockMode volumes. With a recent change, the kubelet will call `GetMetrics()` for BlockMode volumes, and the in-tree drivers that miss the support cause a Go panic. Now the in-tree storage drivers that support BlockMode volumes will return the capacity of the volume in the `GetMetrics()` call. (#101587, @nixpanic)
Support `FakeClientset` match subresource. (#100939, @wzshiming)
"Leader Migration" now supports a wildcard component name and the default value. (#102711, @jiahuif)
If the CSI driver supports the NodeServiceCapability `VOLUME_MOUNT_GROUP` and the `DelegateFSGroupToCSIDriver` feature gate is enabled, kubelet will delegate applying FSGroup to the driver by passing it to `NodeStageVolume` and `NodePublishVolume`, regardless of what other `FSGroup` policies are set. This is an alpha feature. (#103244, @verult)
The Memory Manager feature graduates to Beta and it is enabled by default. (#101947, @cynepco3hahue)
The `BoundServiceAccountTokenVolume` feature graduates to GA and thus will be unconditionally enabled. The feature gate is going to be removed in 1.23. (#101992, @zshihang)
The `EmptyDir` memory backed volumes are sized as the minimum of pod allocatable memory on a host and an optional explicit user provided value. (#101048, @dims)
The `HugePageStorageMediumSize` feature graduates to GA and is unconditionally enabled, allowing unconditional usage of multiple sizes of huge page resources on a container level. (#99144, @bart0sh)
The `IngressClassNamespacedParams` feature gate has graduated to beta and is enabled by default. This means the IngressClass resource will now have two new fields - `spec.parameters.namespace` and `spec.parameters.scope`. (#101711, @hbagdi)
The `LogarithmicScaleDown` feature graduates to Beta and is enabled by default. (#101767, @damemi)
The `NamespaceDefaultLabelName` feature is promoted to GA in this release. All Namespace API objects have a `kubernetes.io/metadata.name` label matching their `metadata.name` field to allow selecting any `namespace` by its name using a label selector. (#101342, @rosenhouse)
The `ServiceInternalTrafficPolicy` feature graduates to Beta and is enabled by default, which enables the `internalTrafficPolicy` field of Service by default. (#103462, @andrewsykim)
The `ServiceLBNodePortControl` feature graduates to Beta and is enabled by default. (#100412, @hanlins)
The `SetHostnameAsFQDN` feature graduates to GA and thus will be unconditionally disabled. (#101294, @javidiaz)
The `WarningHeader` feature is now GA and is unconditionally enabled. The `apiserver_requested_deprecated_apis` metric has graduated to stable status. The `WarningHeader` feature-gate is no longer operative and will be removed in v1.24. (#100754, @liggitt) [SIG API Machinery, Instrumentation and Testing]
`kubectl debug` is able to create ephemeral containers in pre-1.22 clusters with the `EphemeralContainers` feature enabled. Note that versions of kubectl prior to 1.22 are unable to create ephemeral containers in clusters version 1.22 and greater due to an API change. (#103292, @verb)
The client-go credential plugins are now GA and are enabled by default. (#102890, @ankeesler)
The feature gate `SSA` graduated to GA in v1.22 and therefore is unconditionally enabled. (#100139, @Jefftree)
The job controller removes running pods when the number of completions is achieved. (#99963, @alculquicondor)
The kubeconfig is now exposed in the `kube-scheduler` framework handle. Out-of-tree plugins can leverage that to build CRD informers easily. (#100644, @Huang-Wei)
The new flag `--chunk-size=SIZE` for `kubectl drain` has been promoted to beta, and enabled by default. This flag may be used to alter the number of items, or to disable this feature when `0` is passed. (#100148, @KnVerey)
The new flag `--chunk-size=SIZE` has been added to `kubectl describe`. This flag may be used to alter the number of items, or to disable this feature when `0` is passed. (#101171, @KnVerey)
The pod resource API will provide memory manager metrics in the case when the memory manager feature gate is enabled, and the memory manager policy is static. (#101030, @cynepco3hahue)
The prefer nominated node feature graduates to Beta and is enabled by default. (#102201, @chendave)
Update etcd version to 3.5.0-beta.3. (#102062, @serathius)
Update the Debian images to pick up CVE fixes in the base images:
- Update the `debian-base` image to v1.7.0
- Update the `debian-iptables` image to v1.6.1 (#102302, @xmudrii)
Update the setcap image to buster-v2.0.1. (#102377, @xmudrii)
Update the system-validators library to v1.5.0. Includes validation for `seccomp` and fixes a stdout/stderr problem in the Docker validator. (#103390, @ironyman)
Updates the following images to pick up CVE fixes:
- debian to v1.8.0
- debian-iptables to v1.6.5
- setcap to v2.0.3 (#103235, @thejoycekung) [SIG API Machinery, Release and Testing]
Warnings for the use of deprecated and known-bad values in pod specs are now sent. (#101688, @liggitt)
Watch requests are now throttled by the priority and fairness filter in kube-apiserver. (#102171, @wojtek-t)
Added a Builder function for constructing the Field Selector used when listing events. (#101817, @cndoit18) [SIG API Machinery and Scalability]
The scheduler now registers event handlers dynamically. (#101394, @Huang-Wei)
kubectl: enable using protocol buffers to request the Metrics API. (#102039, @serathius)
An inefficient lock in EndpointSlice controller metrics cache has been reworked. Network programming latency may be significantly reduced in certain scenarios, especially in clusters with a large number of Services. (#107168, @robscott) [SIG Apps and Network]
Client-go: fix that paged list calls with ResourceVersionMatch set would fail once paging kicked in. (#107335, @fasaxc) [SIG API Machinery]
Fix a panic when using invalid output format in kubectl create secret command (#107346, @rikatz) [SIG CLI]
Fix: azuredisk parameter lowercase translation issue (#107429, @andyzhangx) [SIG Cloud Provider and Storage]
Fixes a rare race condition handling requests that timeout (#107459, @liggitt) [SIG API Machinery]
Mount-utils: Detect potential stale file handle (#107039, @andyzhangx) [SIG Storage]
Fixed: a pod the kubelet rejected was still counted as accepted for a brief period after rejection, which could cause other pods that would have fit on the node to be rejected. A pod that is still terminating (but whose status indicates it has failed) may also still be consuming resources, so it is now counted as well. (#104918, @ehashman) [SIG Node]
Fix: skip instance not found when decoupling vmss from lb (#105836, @nilo19) [SIG Cloud Provider]
Kubeadm: allow the “certs check-expiration” command to not require the existence of the cluster CA key (ca.key file) when checking the expiration of managed certificates in kubeconfig files. (#106930, @neolit123) [SIG Cluster Lifecycle]
Kubeadm: during execution of the “check expiration” command, treat the etcd CA as external if there is a missing etcd CA key file (etcd/ca.key) and perform the proper validation on certificates signed by the etcd CA. Additionally, make sure that the CA for all entries in the output table is included - for both certificates on disk and in kubeconfig files. (#106925, @neolit123) [SIG Cluster Lifecycle]
Respect grace period when updating static pods. (#106394, @gjkim42) [SIG Node and Testing]
Reverts graceful node shutdown to match 1.21 behavior of setting pods that have not yet successfully completed to “Failed” phase if the GracefulNodeShutdown feature is enabled in kubelet. The GracefulNodeShutdown feature is beta and must be explicitly configured via kubelet config to be enabled in 1.21+. This changes 1.22 and 1.23 behavior on node shutdown to match 1.21. If you do not want pods to be marked terminated on node shutdown in 1.22 and 1.23, disable the GracefulNodeShutdown feature. (#106899, @bobbypage) [SIG Node]
Scheduler’s assumed pods have 2min instead of 30s to receive nodeName pod updates (#106633, @ahg-g) [SIG Scheduling]
EndpointSlice Mirroring controller now cleans up managed EndpointSlices when a Service selector is added (#106132, @robscott) [SIG Apps, Network and Testing]
Fix a bug where --disabled-metrics did not function correctly. (#105793, @Huang-Wei) [SIG API Machinery, Cluster Lifecycle and Instrumentation]
Fix a panic in kubectl when creating secrets with an improper output type (#106356, @lauchokyip) [SIG CLI]
Fix concurrent map access causing panics when logging timed-out API calls. (#106112, @marseel) [SIG API Machinery]
Fix kube-proxy regression on UDP services because the logic to detect stale connections was not considering if the endpoint was ready. (#106239, @aojea) [SIG Network and Testing]
Fix scoring for NodeResourcesBalancedAllocation plugins when nodes have containers with no requests. (#106081, @ahmad-diaa) [SIG Scheduling]
Support more than 100 disk mounts on Windows (#105673, @andyzhangx) [SIG Storage and Windows]
The --leader-elect* CLI args are now honored correctly in the scheduler. (#106130, @Huang-Wei) [SIG Scheduling]
The kube-proxy sync_proxy_rules_iptables_total metric now gives the correct number of rules, rather than being off by one. Fixed multiple iptables proxy regressions introduced in 1.22:
- When using Services with SessionAffinity, client affinity for an endpoint now gets broken when that endpoint becomes non-ready (rather than continuing until the endpoint is fully deleted).
- Traffic to a service IP now starts getting rejected (as opposed to merely dropped) as soon as there are no longer any usable endpoints, rather than waiting until all of the terminating endpoints have terminated even when those terminating endpoints were not being used.
- Chains for endpoints that won’t be used are no longer output to iptables, saving a bit of memory/time/cpu. (#106373, @aojea) [SIG Network]
Watch requests that are delegated to aggregated apiservers no longer reserve concurrency units (seats) in the API Priority and Fairness dispatcher for their entire duration. (#105827, @benluddy) [SIG API Machinery]
Fix Job tracking with finalizers for more than 500 pods, ensuring all finalizers are removed before counting the Pod. (#104876, @alculquicondor) [SIG Apps]
Fix: compare Azure NSG rules case-insensitively.
Fix: ensure InstanceShutdownByProviderID returns false for Azure VMs that are still being created. (#104446, @feiskyer) [SIG Cloud Provider]
Fixed occasional pod cgroup freeze when using cgroup v1 and systemd driver. (#104529, @kolyshkin) [SIG Node]
Fixes a regression that could cause panics in LRU caches in controller-manager, kubelet, kube-apiserver, or client-go EventSourceObjectSpamFilter (#104469, @liggitt) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation and Storage]
When using kubectl replace (or the equivalent API call) on a Service, the caller no longer needs to do a read-modify-write cycle to fetch the allocated values for .spec.clusterIP and .spec.ports[].nodePort. Instead the API server will automatically carry these forward from the original object when the new object does not specify them. (#104672, @thockin) [SIG Network]
Fix kube-apiserver metric reporting for the deprecated watch path of /api//watch/… (#104188, @wojtek-t) [SIG API Machinery and Instrumentation]
Kube-proxy: delete stale conntrack UDP entries for loadbalancer ingress IP. (#104009, @aojea) [SIG Network]
Pass additional flags to subpath mount to avoid flakes in certain conditions (#104346, @mauriciopoppe) [SIG Storage]
Added jitter factor to lease controller that better smears load on kube-apiserver over time. (#101652, @marseel) [SIG API Machinery and Scalability]
Added privileges for EndpointSlice to the default view & edit RBAC roles. (#101203, @mtougeron)
After DBus restarts, make GracefulNodeShutdown work again. (#100369, @wzshiming)
Aggregate errors when putting vmss. (#98350, @nilo19)
Aggregate write permissions on events to users with edit and admin role. (#102858, @tumido)
Aggregated roles no longer include write access to EndpointSlices. This rolls back part of a change that was introduced earlier in the Kubernetes 1.22 cycle. (#103703, @robscott)
Applying fix for not deleting existing public IP when a service is deleted in Azure. (#100694, @nilo19)
Applying fix for not tagging static public IP. (#101752, @nilo19)
Applying fix so that deleting non-existing disk returns success. (#102083, @andyzhangx)
Applying fix: cleanup outdated routes. (#102935, @nilo19)
Avoid caching the Azure VMSS instances whose network profile is nil (#100948, @feiskyer) [SIG Cloud Provider]
Azure: Avoid setting cached Sku when updating VMSS and VMSS instances. (#102005, @feiskyer)
Azurefile: Normalize share name to not include the capital letters (#100731, @kassarl)
Chain the field manager creation calls in newDefaultFieldManager to be explicit about the order of operations. (#101076, @kevindelgado)
Disruption controller shouldn’t error while syncing for unmanaged pods. (#103414, @ravisantoshgudimetla) [SIG Apps and Testing]
Ensure service is deleted when the Azure resource group has been deleted. (#100944, @feiskyer)
Ensures the ExecProbeTimeout=false kubelet feature gate is honoured with dockershim when an exec probe takes longer than its timeoutSeconds configuration. (#100200, @jackfrancis)
Expose the rest_client_rate_limiter_duration_seconds metric in component-base to track client-side rate limiter latency in seconds, broken down by verb and URL. (#100311, @IonutBajescu) [SIG API Machinery, Cluster Lifecycle and Instrumentation]
Fire an event when failing to open a NodePort. (#100599, @masap)
Fix Azure node public IP fetching issues from instance metadata service when the node is part of standard load balancer backend pool. (#100690, @feiskyer) [SIG Cloud Provider]
Fix an EndpointSlice describe panic when an Endpoint doesn’t have a zone. (#101025, @tnqn)
Fix kubectl set env and kubectl set resources not working for init containers. (#101669, @carlory)
Fix kubectl alpha debug node not working on tainted (NoExecute) nodes; the debug pod now tolerates all taints. (#98431, @wawa0210)
Fix a bug in the endpointslicemirroring controller where endpoint NotReadyAddresses were mirrored as Ready to the corresponding EndpointSlice. (#102683, @aojea)
Fix a bug that a preemptor pod may exist as a phantom in the scheduler. (#102498, @Huang-Wei)
Fix a number of race conditions in the kubelet when pods are starting up or shutting down that might cause pods to take a long time to shut down. (#102344, @smarterclayton) [SIG Apps, Node, Storage and Testing]
Fix an issue with kubectl on certain older versions of Windows, or when legacy console mode is enabled on Windows 8, which caused kubectl exec to crash. (#102825, @n4j)
Fix availability set cache in vmss cache (#100110, @CecileRobertMichon) [SIG Cloud Provider]
Fix how nulls are handled in array and objects in json patches. (#102467, @pacoxu)
Fix a panic when kubectl create ingress is given the annotation flag with an empty value. (#101377, @rikatz)
Fix performance regression for update and apply operations on large CRDs. (#103318, @jpbetz) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation and Storage]
Fix raw block mode CSI NodePublishVolume missing pod info at the publish stage. (#99069, @phantooom)
Fix resource enforcement when using systemd cgroup driver (#102147, @kolyshkin)
Fix rounding of volume storage requests. (#100100, @maxlaverse)
Fix runtime container status for PostStart hook errors. (#100608, @pacoxu)
Fix scoring for the NodeResourcesMostAllocated and NodeResourcesBalancedAllocation plugins when nodes have containers with no requests. This was leading to under-utilization of small nodes. (#102925, @alculquicondor)
Fix defaulting leaking between unrelated pod instances in kubectl. (#103284, @kebe7jun) [SIG CLI]
Fix winkernel kube-proxy to only use dual stack when host and networking supports it (#101047, @jsturtevant) [SIG Network and Windows]
Fix: Azure file inline volume namespace issue in CSI migration translation (#101235, @andyzhangx)
Fix: a bug in kube-proxy latency metrics, so that latency is now calculated only for Endpoints created after kube-proxy starts running. This is needed because all Endpoints objects are processed on restart, regardless of when they were created. (#100861, @aojea)
Fix: avoid nil-pointer panic when checking the frontend IP configuration (#101739, @nilo19) [SIG Cloud Provider]
Fix: display of Job completion mode in kubectl describe. (#101160, @alculquicondor)
Fix: return empty VMAS name if using standalone VM (#103470, @nilo19) [SIG Cloud Provider]
Fix: treat “host is down” as a corrupted mount. Previously, when the SMB server was down, a pod using an SMB mount could not be terminated and returned an error. (#101398, @andyzhangx)
Fix: using NVMe AWS EBS volumes partitions. (#100500, @jsafrane)
Fixed ‘kubelet’ runtime panic for timed-out portforward streams. (#102489, @saschagrunert)
Fixed SELinux relabeling of CSI volumes after CSI driver failure. (#103154, @jsafrane) [SIG Node and Storage]
Fixed garbage collection of dangling VolumeAttachments for PersistentVolumes migrated to CSI on startup of kube-controller-manager. (#102176, @timebertt)
Fixed a port-forward memory leak for long-running and heavily used connections. (#99839, @saschagrunert)
Fixed a bug due to which the controller was not populating the lastSuccessfulTime field added to cronjob.status in batch/v1. (#102642, @alaypatel07)
Fixed a bug where kubectl create configmap always returned a zero exit code on failure. (#101780, @nak3) [SIG CLI]
Fixed a bug that scheduler extenders are not called on preemptions. (#103019, @ordovicia)
Fixed a bug where startupProbe stopped working after a container’s first restart. (#101093, @wzshiming)
Fixed an issue that prevented Azure auth from falling back to the device code authentication flow when the refresh token expires. (#102063, @tdihp)
Fixed false-positive uncertain volume attachments, which led to unexpected detachment of CSI migrated volumes (#101737, @Jiawei0227) [SIG Apps and Storage]
Fixed mounting of NFS volumes when IPv6 address is used as a server. (#101067, @Elbehery) [SIG Storage]
Fixed starting new pods after previous pod timed out unmounting its volumes. (#100183, @jsafrane)
Fixed very rare volume corruption when a pod is deleted while kubelet is offline. (#102059, @jsafrane)
Fixes a data race issue in the priority and fairness API server filter. (#100638, @tkashem)
Fixes issue with websocket-based watches of Service objects not closing correctly on timeout. (#102539, @liggitt)
For kubeadm: support custom image tags for etcd images that contain build metadata, when the tags are in the form version_metadata. For instance, if the etcd version is v3.4.13+patch.0, the supported image tag would be v3.4.13_patch.0. (#100350, @jr0d)
For vSphere: fix regression during attach disk if datastore is within a storage folder or datastore cluster. (#102892, @gnufied)
GCE Windows clusters now have their TCP/IP parameters set to GCE’s recommended values. (#103057, @jeremyje) [SIG Cloud Provider and Windows]
GCE Windows will no longer install Docker on containerd nodes. (#101747, @jeremyje) [SIG Cloud Provider and Windows]
Generated OpenAPI now correctly specifies 201 as a possible response code for PATCH operations. (#100141, @brendandburns)
Graceful termination will now be honored when deleting a collection of pods. (#100101, @deads2k)
If the kube-proxy mode is userspace, do not enable EndpointSlices. (#100913, @JornShen)
Kubeadm: allow passing the flag --log-file if --config is passed. If you wish to log to a file you must also pass --logtostderr=false or --alsologtostderr=true. Alternatively you can pipe to a file using “kubeadm … | tee …”. (#101449, @CaoDonghui123)
Kubeadm: enable the --experimental-patches flag for the kubeadm join phase control-plane-join all command. (#101110, @SataQiu)
Kubeadm: fix a bug where kubeadm join for control plane nodes would download certificates and keys from the cluster, but would write the certificates and public keys with mode 0600 instead of the publicly readable mode 0644 used elsewhere (private keys stay 0600). (#103313, @neolit123)
Kubeadm: fix the bug where kubeadm only used the first hash in caCertHashes to verify the root CA. (#101977, @SataQiu)
Kubeadm: remove the “ephemeral_storage” request from the etcd static pod that kubeadm deploys on stacked etcd control plane nodes. This request has caused sporadic failures on some setups due to a problem in the kubelet with cadvisor and the LocalStorageCapacityIsolation feature gate. See this issue for more details: https://github.com/kubernetes/kubernetes/issues/99305 (#102673, @jackfrancis) [SIG Cluster Lifecycle]
Kubeadm: when using a custom image repository for CoreDNS, kubeadm now appends the coredns image name instead of coredns/coredns, thus restoring the behaviour existing before the v1.21 release. Users who rely on a nested folder for the coredns image should set the clusterConfiguration.dns.imageRepository value to include the nested path name (e.g. using registry.company.xyz/coredns will force kubeadm to use the registry.company.xyz/coredns/coredns image). No action is needed if using the default registry (k8s.gcr.io). (#102502, @ykakarap)
Kubelet: improve the performance when waiting for a synchronization of the node list with the kube-apiserver. (#99336, @neolit123)
Kubelet: the value returned for PodIPs is now the same in the Downward API and in the pod.status.podIPs field. (#103307, @aojea)
Limit vSphere volume name to 63 characters long. (#100404, @gnufied)
Logging for GCE Windows clusters will be more accurate and complete when using Fluent bit. (#101271, @jeremyje)
Metrics Server will use Addon Manager 1.8.3 (#103541, @jbartosik) [SIG Cloud Provider and Instrumentation]
Output for kubectl describe podsecuritypolicy is now kind-specific and cleaner. (#101436, @KnVerey)
Parsing of cpuset information now properly detects more invalid input such as 1--3 or 10-6. (#100565, @lack)
Pods that are known to the kubelet to have previously been Running should not revert to Pending state, the kubelet will now infer a termination. (#102821, @ehashman)
Prevent the kubelet getting stuck in DiskPressure when imagefs.minReclaim is set. (#99095, @maxlaverse)
Reduces the Docker runtime initialization delay on non-AWS platforms. (#93260, @nckturner) [SIG Cloud Provider]
Register/Deregister Targets in chunks for AWS TargetGroup (#101592, @M00nF1sh) [SIG Cloud Provider]
Removed the /sbin/apparmor_parser requirement for the AppArmor host validation. This allows using AppArmor on distributions which ship the binary in a different path. (#97968, @saschagrunert) [SIG Node and Testing]
Renames the timeout field of DelegatingAuthenticationOptions to TokenRequestTimeout and applies the timeout only to the token review client. Previously the timeout was also applied to watches, making them reconnect every 10 seconds. (#100959, @p0lyn0mial)
Reorganized iptables rules to reduce the number of rules in KUBE-SERVICES and KUBE-NODEPORTS. (#96959, @tssurya)
Respect annotation size limit for server-side apply updates to the client-side apply annotation. Also, fix opt-out of this behavior by setting the client-side apply annotation to the empty string. (#102105, @julianvmodesto) [SIG API Machinery]
Retry FibreChannel device cleanup after an error to ensure the FibreChannel device is detached before it can be used on another node. (#101862, @jsafrane)
Support correct sorting for cpu, memory, storage, ephemeral-storage, hugepages, and attachable-volumes. (#100435, @lauchokyip)
Switch scheduler to generate the merge patch on pod status instead of the full pod (#103133, @marwanad) [SIG Scheduling]
EndpointSlice IP validation now matches Endpoints IP validation. (#101084, @robscott)
The kube-apiserver now reports the synthetic verb when logging requests, better explaining the user intent and matching what is reported in the metrics. (#102934, @lavalamp)
The kube-controller-manager sets the upper-bound timeout limit for outgoing requests to 70s. Previously (#99358, @p0lyn0mial)
The kube-proxy log now shows the “Skipping topology aware endpoint filtering since no hints were provided for zone” warning only under the right conditions. (#101857, @dervoeti)
kubectl create service now respects the namespace flag. (#101005, @zxh326)
kubectl get now truncates multi-line strings to avoid breaking table printing. (#103514, @soltysh)
The kubectl wait --for=delete command now ignores the not found error correctly. (#96702, @lingsamuel)
The kubelet now distinguishes log messages about certificate rotation for its client certificate from those for its serving certificate, to make debugging problems with either one easier. (#101252, @smarterclayton)
serviceOwnsFrontendIP no longer reports an error when the public IP doesn’t match. (#102516, @nilo19)
The system:aggregate-to-edit role no longer includes write access to the Endpoints API. In newly created Kubernetes 1.22 clusters, the aggregated edit and admin roles will therefore no longer include that access. This has no effect on existing clusters upgrading to Kubernetes 1.22. To retain write access to Endpoints in the aggregated edit and admin roles for newly created 1.22 clusters, refer to https://github.com/kubernetes/website/pull/29025. (#103704, @robscott) [SIG Auth and Network]
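Two details of this change are easy to misread: the removal affects only new clusters (existing edit/admin ClusterRoles are not rewritten on upgrade), and it concerns Endpoints in the core API group, whose group name in RBAC is the empty string, not EndpointSlices in discovery.k8s.io, which the entries above say gained read access and then lost write access again. The Go program below is an added example, not Kubernetes' RBAC implementation: it re-implements the rule matching that RBAC applies (wildcard "*" or exact match on group, resource and verb; resourceNames and nonResourceURLs are left out) and runs it over constructed excerpts of the edit role before and after this change. The rule sets are this example's own approximation of the relevant rules, not copies of the real ClusterRoles, and the "restore" rule models what an operator-supplied ClusterRole labelled rbac.authorization.k8s.io/aggregate-to-edit: "true" would add back.

```go
package main

import "fmt"

// PolicyRule carries the PolicyRule fields that matter for resource rules.
// resourceNames and nonResourceURLs are omitted in this illustration.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// matches implements RBAC list matching: "*" matches anything, otherwise exact match.
// An empty list never matches.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allows reports whether any rule grants verb on resource in the given API group.
// The core group is "" (empty string), so a rule for "endpoints" in "" says nothing
// about "endpointslices" in "discovery.k8s.io", and vice versa.
func Allows(rules []PolicyRule, group, resource, verb string) bool {
	for _, r := range rules {
		if matches(r.APIGroups, group) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// Constructed excerpt of the edit role as it existed before this change:
// read and write on Endpoints, read-only on EndpointSlices (per the entries above).
var editEndpointsPre122 = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"endpoints"},
		Verbs: []string{"get", "list", "watch", "create", "delete", "deletecollection", "patch", "update"}},
	{APIGroups: []string{"discovery.k8s.io"}, Resources: []string{"endpointslices"},
		Verbs: []string{"get", "list", "watch"}},
}

// Constructed excerpt of the edit role in a newly created 1.22 cluster: reads only.
var editEndpointsNew122 = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"endpoints"}, Verbs: []string{"get", "list", "watch"}},
	{APIGroups: []string{"discovery.k8s.io"}, Resources: []string{"endpointslices"}, Verbs: []string{"get", "list", "watch"}},
}

// restoreEndpointsWrite models the rule an operator would put in a ClusterRole labelled
// rbac.authorization.k8s.io/aggregate-to-edit: "true"; aggregation merges it into edit
// (and, because admin aggregates edit, into admin as well).
var restoreEndpointsWrite = PolicyRule{
	APIGroups: []string{""}, Resources: []string{"endpoints"},
	Verbs: []string{"create", "delete", "deletecollection", "patch", "update"},
}

func main() {
	cases := []struct {
		name  string
		rules []PolicyRule
	}{
		{"edit, pre-1.22 cluster", editEndpointsPre122},
		{"edit, new 1.22 cluster", editEndpointsNew122},
		{"edit, new 1.22 + aggregated restore", append(editEndpointsNew122, restoreEndpointsWrite)},
	}
	for _, tc := range cases {
		fmt.Printf("%-38s create endpoints=%-5v get endpointslices=%-5v create endpointslices=%v\n",
			tc.name,
			Allows(tc.rules, "", "endpoints", "create"),
			Allows(tc.rules, "discovery.k8s.io", "endpointslices", "get"),
			Allows(tc.rules, "discovery.k8s.io", "endpointslices", "create"))
	}
}
```

On a live cluster the equivalent check is kubectl auth can-i create endpoints --as=<user bound to edit>; the program shows why the answer flips between a cluster created on 1.21 and one created on 1.22, and why adding write rules on endpoints does not grant anything on endpointslices.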
The following conformance tests were only validating the API objects, not performing any validation of the actual Services implementation:
- Services should serve multiport endpoints from pods
- Services should serve a basic endpoint from pods
Those tests now validate that the Services under test are able to forward traffic to the endpoints. (#101709, @aojea) [SIG Network and Testing]
Behavior change for Services with IPFamilyPolicy set to PreferDualStack. The current behavior when the cluster is upgraded to dual-stack is:
- Services that have been set to IPFamilyPolicy = PreferDualStack are upgraded to dual-stack when the Service object is updated, e.g. when a user changes a label.
This behavior will change to:
- Services that have been set to IPFamilyPolicy = PreferDualStack will not be upgraded when the Service object is updated. Users can still change the policy, type etc. and existing behaviors remain the same. (#102898, @khenidak) [SIG Network and Testing]
The reason and message fields for pod status are no longer reset unless the phase also changes. (#103785, @smarterclayton) [SIG Node]
Treat VSphere “File (vmdk path here) was not found” errors as success during volume deletion (#92372, @breunigs) [SIG Cloud Provider and Storage]
Update the kube-proxy base image debian-iptables to v1.6.2 to pick up the change “debian-iptables: select nft mode if nft lines > legacy lines, matching iptables-wrappers”. (#102590, @BenTheElder)
Update klog v2.9.0. (#102332, @pacoxu)
Updated the Graceful Node Shutdown Pod termination reason and message.
Updated the Graceful Node Shutdown Pod rejection reason and message. (#102840, @Kissy)
Updates the dependency sigs.k8s.io/structured-merge-diff to v4.1.1. (#100784, @kevindelgado)
Updates hostprocess tests to specify user. (#102965, @jsturtevant)
Upgrades the functionality of kubectl kustomize as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.2.0 (#103419, @natasha41575) [SIG CLI]
Upgrades the functionality of kubectl kustomize as described at kustomize/v4.1.2. (#101120, @monopole)
Kubeadm: upgrade etcd to 3.4.13-3. (#100612, @pacoxu)
Use default timeout of 10s for Azure ACR credential provider. (#100686, @hasheddan) [SIG Cloud Provider]
We no longer allow the cluster operator to delete any suggested priority & fairness bootstrap configuration object. If a cluster operator removes a suggested configuration, it will be restored by the apiserver. (#102067, @tkashem)
When DisableAcceleratorUsageMetrics is set, do not collect accelerator metrics using cAdvisor. (#101712, @SergeyKanzhelev) [SIG Instrumentation and Node]
YAML documents separators ("—") can now be followed by whitespace and comments ("# ….") on the same line. This fixes a bug where documents starting with a comment after the separator were ignored. Other types of content on the same line will result in an error. (#103457, @codearky) [SIG API Machinery]
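The edge case in this entry is narrow: a document separator line is "---" on its own or followed by whitespace; after that whitespace only a "# ..." comment is tolerated, anything else is an error, and a line such as "---foo" is ordinary content, not a separator. The Go program below is an added example, not the apimachinery code that was fixed: it implements exactly that splitting rule over a multi-document stream so the accepted and rejected shapes are visible. The sample streams are constructed inputs; the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// classifySeparatorLine reports whether line is a YAML document separator and, if it is,
// whether what follows it on the same line is acceptable. Rules applied:
//   - "---" must be followed by end-of-line, a space or a tab to count as a separator;
//     "---foo" is plain content and is left alone.
//   - After the whitespace only a "# ..." comment may follow; any other content is an error.
func classifySeparatorLine(line string) (isSep bool, err error) {
	if !strings.HasPrefix(line, "---") {
		return false, nil
	}
	rest := line[3:]
	if rest != "" && rest[0] != ' ' && rest[0] != '\t' {
		return false, nil // e.g. "---foo" or "----": not a separator
	}
	trimmed := strings.TrimLeft(rest, " \t")
	if trimmed == "" || strings.HasPrefix(trimmed, "#") {
		return true, nil
	}
	return true, fmt.Errorf("unexpected content after document separator: %q", trimmed)
}

// SplitYAMLDocuments splits a multi-document YAML stream into its raw documents,
// honouring comments after separators and rejecting other trailing content.
// Documents that are empty or whitespace-only (e.g. a leading "---") are dropped.
func SplitYAMLDocuments(stream string) ([]string, error) {
	var docs []string
	var cur strings.Builder
	flush := func() {
		if strings.TrimSpace(cur.String()) != "" {
			docs = append(docs, cur.String())
		}
		cur.Reset()
	}
	sc := bufio.NewScanner(strings.NewReader(stream))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := sc.Text()
		isSep, err := classifySeparatorLine(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		if isSep {
			flush()
			continue
		}
		cur.WriteString(line)
		cur.WriteByte('\n')
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	flush()
	return docs, nil
}

func main() {
	// Constructed stream: a comment on the same line as the second separator was
	// previously enough to make the second document disappear.
	ok := "# constructed sample\napiVersion: v1\nkind: Namespace\n---  # second document\napiVersion: v1\nkind: ConfigMap\n---\n"
	docs, err := SplitYAMLDocuments(ok)
	fmt.Printf("accepted: %d documents, err=%v\n", len(docs), err)

	// Non-comment content after the separator is rejected rather than silently merged.
	_, err = SplitYAMLDocuments("a: 1\n--- b: 2\n")
	fmt.Println("rejected:", err)
}
```

The practical consequence for a manifest pipeline is the silent one: before the fix a document whose separator line carried a trailing comment could be skipped entirely, so an object meant to be applied simply never was.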
kubectl describe quota: the used column now has the same unit format as hard. (#102177, @atiratree) [SIG CLI]
For users of BGP you can now view the status of your BGP routers, including session status, RIB / FIB contents, and agent health via the new CalicoNodeStatus API. See the API documentation for more details.
In addition, you can control BGP advertisement of certain prefixes using the new disableBGPExport option on each IP pool, allowing greater control of your route sharing scheme.
In v3.20, we introduced egress policy rules that can match on Kubernetes services. In v3.21, we improved upon that in two ways. First, you can now use service matches in Calico NetworkPolicy and GlobalNetworkPolicy ingress rules. Second, you can now use service-based network policy rules on Windows nodes.
Calico can now optionally run in non-privileged and non-root mode, with some limitations. See the documentation for more information.
You can use the new IPReservations API to reserve certain IP addresses so that they will not be used by Calico IPAM. This allows for fine-grained control of the IP space in your cluster.
This release contains some changes to mitigate rate limiting on AWS clusters. Please take note of the defaults for the values aws.batchChangeInterval, aws.zonesCacheDuration, externalDNS.interval and externalDNS.minEventSyncInterval.
If you already specify --aws-batch-change-interval or --aws-zones-cache-duration, please migrate to the new values aws.batchChangeInterval and aws.zonesCacheDuration.