diff --git a/Makefile.kube_git.var b/Makefile.kube_git.var
index c2b22f1c52..8a83df5018 100644
--- a/Makefile.kube_git.var
+++ b/Makefile.kube_git.var
@@ -1,5 +1,5 @@
KUBE_GIT_MAJOR=1
KUBE_GIT_MINOR=32
-KUBE_GIT_VERSION=v1.32.7
-KUBE_GIT_COMMIT=97b7f2e2ecbbf844812a7158086030bfff2bd324
+KUBE_GIT_VERSION=v1.32.8
+KUBE_GIT_COMMIT=2f14046818a7ff3ae3e9da76376991698d7188f1
KUBE_GIT_TREE_STATE=clean
diff --git a/Makefile.version.aarch64.var b/Makefile.version.aarch64.var
index bc87872d98..bb451bdf1b 100644
--- a/Makefile.version.aarch64.var
+++ b/Makefile.version.aarch64.var
@@ -1 +1 @@
-OCP_VERSION := 4.19.0-0.nightly-arm64-2025-08-27-171348
+OCP_VERSION := 4.19.0-0.nightly-arm64-2025-08-30-002356
diff --git a/Makefile.version.x86_64.var b/Makefile.version.x86_64.var
index 99660ca54e..60c5afa013 100644
--- a/Makefile.version.x86_64.var
+++ b/Makefile.version.x86_64.var
@@ -1 +1 @@
-OCP_VERSION := 4.19.0-0.nightly-2025-08-25-155239
+OCP_VERSION := 4.19.0-0.nightly-2025-08-28-080135
diff --git a/assets/components/multus/kustomization.x86_64.yaml b/assets/components/multus/kustomization.x86_64.yaml
index b1a38bcaf0..20b6af6d54 100644
--- a/assets/components/multus/kustomization.x86_64.yaml
+++ b/assets/components/multus/kustomization.x86_64.yaml
@@ -2,7 +2,7 @@ images: - name: multus-cni-microshift newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev - digest: sha256:6d429691cd93f74dca610b6ba596c5b8f76cf4891702ccc737c4c86e1f48503e + digest: sha256:aaa95e54149c167e1574a49b94940b7dd8a2d842dcaf799a544eb7a4fff81206 - name: containernetworking-plugins-microshift newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev - digest: sha256:da1d19f119e3dfa6f510ee88e458ca60a6efe39389ffd850f347e979045d9d66 + digest: sha256:45f9a9bcf08c7c85a9ded243b9f3d66f4d81915a2723e266a3e7afe7164a42fa
diff --git a/assets/components/multus/release-multus-aarch64.json b/assets/components/multus/release-multus-aarch64.json
index 3f6a227f9e..1ab065d9b4 100644
--- a/assets/components/multus/release-multus-aarch64.json
+++ b/assets/components/multus/release-multus-aarch64.json
@@ -1,6 +1,6 @@
{
"release": {
- "base": "4.19.0-0.nightly-arm64-2025-08-27-171348"
+ "base": "4.19.0-0.nightly-arm64-2025-08-30-002356"
},
"images": {
"multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d6352263861dfe58dfecd01c006647942ceadd221ae218011c4210f18d6fae1",
diff --git a/assets/components/multus/release-multus-x86_64.json b/assets/components/multus/release-multus-x86_64.json
index 6c5e64873f..5e91693da8 100644
--- a/assets/components/multus/release-multus-x86_64.json
+++ b/assets/components/multus/release-multus-x86_64.json
@@ -1,9 +1,9 @@
{
"release": {
- "base": "4.19.0-0.nightly-2025-08-25-155239"
+ "base": "4.19.0-0.nightly-2025-08-28-080135"
},
"images": {
- "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6d429691cd93f74dca610b6ba596c5b8f76cf4891702ccc737c4c86e1f48503e",
- "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:da1d19f119e3dfa6f510ee88e458ca60a6efe39389ffd850f347e979045d9d66"
+ "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:aaa95e54149c167e1574a49b94940b7dd8a2d842dcaf799a544eb7a4fff81206",
+ "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:45f9a9bcf08c7c85a9ded243b9f3d66f4d81915a2723e266a3e7afe7164a42fa"
}
}
diff --git a/assets/optional/kube-proxy/kustomization.x86_64.yaml b/assets/optional/kube-proxy/kustomization.x86_64.yaml
index 4feac1a47c..84b12e46c0 100644
--- a/assets/optional/kube-proxy/kustomization.x86_64.yaml
+++ b/assets/optional/kube-proxy/kustomization.x86_64.yaml
@@ -2,4 +2,4 @@ images: - name: kube-proxy newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev - digest: sha256:f642607b50a7a84888b3df1cc94552ea35a5fb6d3106e3b9c29c72e53c103300 + digest: sha256:c9b5bb82e6d64c4e0859c72cc129c646997dae0bd54ebc157da7505fbac72b7d
diff --git a/assets/optional/kube-proxy/release-kube-proxy-aarch64.json b/assets/optional/kube-proxy/release-kube-proxy-aarch64.json
index ab2eff2c10..0f1c86e8d2 100644
--- a/assets/optional/kube-proxy/release-kube-proxy-aarch64.json
+++ b/assets/optional/kube-proxy/release-kube-proxy-aarch64.json
@@ -1,6 +1,6 @@
{
"release": {
- "base": "4.19.0-0.nightly-arm64-2025-08-27-171348"
+ "base": "4.19.0-0.nightly-arm64-2025-08-30-002356"
},
"images": {
"kube-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b04da659b92cff560f06d7e43d9a79256203e2079cbc67d869d4c14c9c4afaf8"
diff --git a/assets/optional/kube-proxy/release-kube-proxy-x86_64.json b/assets/optional/kube-proxy/release-kube-proxy-x86_64.json
index b3ef0e949c..8ce41e5f68 100644
--- a/assets/optional/kube-proxy/release-kube-proxy-x86_64.json
+++ b/assets/optional/kube-proxy/release-kube-proxy-x86_64.json
@@ -1,8 +1,8 @@
{
"release": {
- "base": "4.19.0-0.nightly-2025-08-25-155239"
+ "base": "4.19.0-0.nightly-2025-08-28-080135"
},
"images": {
- "kube-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f642607b50a7a84888b3df1cc94552ea35a5fb6d3106e3b9c29c72e53c103300"
+ "kube-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c9b5bb82e6d64c4e0859c72cc129c646997dae0bd54ebc157da7505fbac72b7d"
}
}
diff --git a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml
index 7e16dbcf80..90e157ee33 100644
--- a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml
+++ b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml
@@ -2,13 +2,13 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev - digest: sha256:5fefa40a3586bc274f4a2a23f9a17ba64e1c1cfa154aac2e73eb59061fac503e + digest: sha256:6a9b23dbc7a79bd28b48503d14b8cb264d53317ad1a7562c702680b8dc33cbc4 - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev - digest: sha256:7c00bf6f1ff40cea8f05277562ada0ce37140f9341ddb65aa5a33885fa67f33e + digest: sha256:12202291615293e44645091592528665858d3c5664ebd50345082cf2d83681e6 - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev - digest: sha256:853d04063892683305fe2ca31a9083bbdeacce4ff85e009c69fa852203025546 + digest: sha256:e2eaed4c4c062fd66ef3d814ca134159ff260315abf5714bc986a858b7cc9860 patches: - patch: |-
@@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7c00bf6f1ff40cea8f05277562ada0ce37140f9341ddb65aa5a33885fa67f33e + value: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:12202291615293e44645091592528665858d3c5664ebd50345082cf2d83681e6 - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5fefa40a3586bc274f4a2a23f9a17ba64e1c1cfa154aac2e73eb59061fac503e + value: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6a9b23dbc7a79bd28b48503d14b8cb264d53317ad1a7562c702680b8dc33cbc4 target: kind: Deployment labelSelector: app=catalog-operator
diff --git a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json
index 1db25a626b..9c76144322 100644
--- a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json
+++ b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json
@@ -1,6 +1,6 @@
{
"release": {
- "base": "4.19.0-0.nightly-arm64-2025-08-27-171348"
+ "base": "4.19.0-0.nightly-arm64-2025-08-30-002356"
},
"images": {
"operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:27d0f8fe2a77f86abc103a1d40e3b22d9f0dd73c2527ecd974d07dd00cee2292",
diff --git a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json
index c1f644f18f..bca858ebc5 100644
--- a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json
+++ b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json
@@ -1,10 +1,10 @@
{
"release": {
- "base": "4.19.0-0.nightly-2025-08-25-155239"
+ "base": "4.19.0-0.nightly-2025-08-28-080135"
},
"images": {
- "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5fefa40a3586bc274f4a2a23f9a17ba64e1c1cfa154aac2e73eb59061fac503e",
- "operator-registry": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7c00bf6f1ff40cea8f05277562ada0ce37140f9341ddb65aa5a33885fa67f33e",
- "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:853d04063892683305fe2ca31a9083bbdeacce4ff85e009c69fa852203025546"
+ "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6a9b23dbc7a79bd28b48503d14b8cb264d53317ad1a7562c702680b8dc33cbc4",
+ "operator-registry": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:12202291615293e44645091592528665858d3c5664ebd50345082cf2d83681e6",
+ "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e2eaed4c4c062fd66ef3d814ca134159ff260315abf5714bc986a858b7cc9860"
}
}
diff --git a/assets/release/release-aarch64.json b/assets/release/release-aarch64.json
index 3358817600..cda2be9560 100644
--- a/assets/release/release-aarch64.json
+++ b/assets/release/release-aarch64.json
@@ -1,13 +1,13 @@
{
"release": {
- "base": "4.19.0-0.nightly-arm64-2025-08-27-171348"
+ "base": "4.19.0-0.nightly-arm64-2025-08-30-002356"
},
"images": {
"cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:01d166f019e899fce2d3a18f03fb6b47d4e2d1ff4902eeb51ab5191576332117",
"coredns": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:647d3c6ab38660682b38f71d6d84a2f5098e6b47529015460857006e4a59fc9e",
"haproxy-router": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:05e93dfa937e14d66fcf9fc495dcf8c1267543090a0dd2fda1ccdefe2999167c",
"kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ca02215c8768dbcf45d3dbd1307498bec58e8bdf511eb5213f6c42273fdb7bf6",
- "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4b5be449376c4d1db497d5f5ddf40f9cacb832b86618dcca3f100b7d6c2216bd",
+ "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c8c48fbed7990a460c2d2e4026b0ceca53e2a30063ebfc234e60e6722955f0b1",
"pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2cc9810b1b08720ef659c0e2fc931c3e9211993cf5011ba133e83eca724afc64",
"service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5eb8b82960b4edfc81270aec479407bc8d2777929e13f636bcbf9ae814e58c5f",
"lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:03771d66c0ed8a422c012ffaf6f390d8c3191e02330ef9b9dee00af518928d6e",
diff --git a/assets/release/release-x86_64.json b/assets/release/release-x86_64.json
index 439eb3fef1..741cc72f37 100644
--- a/assets/release/release-x86_64.json
+++ b/assets/release/release-x86_64.json
@@ -1,16 +1,16 @@
{
"release": {
- "base": "4.19.0-0.nightly-2025-08-25-155239"
+ "base": "4.19.0-0.nightly-2025-08-28-080135"
},
"images": {
- "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:01d6df4b9198697924138aac1f2829efc01cd4fc5df1d021e6836752d4eaea52",
- "coredns": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:39f941e0e9993d4ce0718a6125a36c4eae08a8db848930d94332af857a5d51bf",
- "haproxy-router": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ab4c0e79387cc202e61eee5cf3adac1e4164f7b8abc6d93936b7c71c32498530",
- "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:853d04063892683305fe2ca31a9083bbdeacce4ff85e009c69fa852203025546",
- "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d373a4ff00a2dc12f1af29ebec8a656695280240a7f89e045c5d8b1cd41b6ca0",
- "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2bcd811bc8d32af1df2ac7b3daf96a94b75f18da3acf9a43bf15fe6b32259dbf",
- "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c360d302a6db03e049229c3fdffc43b45de5d4cf354f9ab4c3d76b77391d2c6b",
+ "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d64c69218f60db8c4131996130e7f2af21e508dcffe26c61b468af045be51058",
+ "coredns": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f9c07bac72b6146912af9eb6308ef09d0506f125114740144b18a533aa0ab8a1",
+ "haproxy-router": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a4e9a9878842ea97a73fe0754c2e87ac49ebbaae2bcb8f98453dfc6a2c54faa2",
+ "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e2eaed4c4c062fd66ef3d814ca134159ff260315abf5714bc986a858b7cc9860",
+ "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:698883c5e441f88f0dcf7faffb9d5cb7e781ebd4f85ed7835ea0ab1555c8d750",
+ "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:696bcf0b046c5d2fa8e9a92055366f7fde226a9b782ceeb6bc8994d410cc534e",
+ "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e4d2ae274e48c925325db8ceaed8d49f9e820d1a1d9eee8d1db1b131a89b9efa",
"lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:c5f0ad26372afdd4d3e6a37fdb5cdf0c91304c0e994ec885e2db89e851081504",
- "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:07f65ed1c3b20c6bb9039957aa1435bdef174dba5fd98519f0cfedecd701b643"
+ "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:06da7d2653d7992bae6c74ec662f14a6019769450dc60c4307ed158ebcc50004"
}
}
diff --git a/deps/github.com/openshift/kubernetes/.go-version b/deps/github.com/openshift/kubernetes/.go-version
index b6773170a5..aafdde18c8 100644
--- a/deps/github.com/openshift/kubernetes/.go-version
+++ b/deps/github.com/openshift/kubernetes/.go-version
@@ -1 +1 @@
-1.23.10
+1.23.11
diff --git a/deps/github.com/openshift/kubernetes/CHANGELOG/CHANGELOG-1.32.md b/deps/github.com/openshift/kubernetes/CHANGELOG/CHANGELOG-1.32.md
index 92c26fde8c..36142c53b8 100644
--- a/deps/github.com/openshift/kubernetes/CHANGELOG/CHANGELOG-1.32.md
+++ b/deps/github.com/openshift/kubernetes/CHANGELOG/CHANGELOG-1.32.md
@@ -1,247 +1,348 @@ -- [v1.32.6](#v1326) - - [Downloads for v1.32.6](#downloads-for-v1326) +- [v1.32.7](#v1327) + - [Downloads for v1.32.7](#downloads-for-v1327) - [Source Code](#source-code) - [Client Binaries](#client-binaries) - [Server Binaries](#server-binaries) - [Node Binaries](#node-binaries) - [Container Images](#container-images) - - [Changelog since v1.32.5](#changelog-since-v1325) - - [Important Security Information](#important-security-information) - - [CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks](#cve-2025-4563-nodes-can-bypass-dynamic-resource-allocation-authorization-checks) + - [Changelog since v1.32.6](#changelog-since-v1326) - [Changes by Kind](#changes-by-kind) - - [Feature](#feature) - [Bug or Regression](#bug-or-regression) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake) - [Dependencies](#dependencies) - [Added](#added) - [Changed](#changed) - [Removed](#removed) -- [v1.32.5](#v1325) - - [Downloads for v1.32.5](#downloads-for-v1325) +- [v1.32.6](#v1326) + - [Downloads for v1.32.6](#downloads-for-v1326) - [Source Code](#source-code-1) - [Client Binaries](#client-binaries-1) - [Server Binaries](#server-binaries-1) - [Node Binaries](#node-binaries-1) - [Container Images](#container-images-1) - - [Changelog since v1.32.4](#changelog-since-v1324) + - [Changelog since v1.32.5](#changelog-since-v1325) + - [Important Security Information](#important-security-information) + - [CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks](#cve-2025-4563-nodes-can-bypass-dynamic-resource-allocation-authorization-checks) - [Changes by Kind](#changes-by-kind-1) - - [Feature](#feature-1) + - [Feature](#feature) - [Bug or Regression](#bug-or-regression-1) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake) - [Dependencies](#dependencies-1) - [Added](#added-1) - [Changed](#changed-1) - [Removed](#removed-1) -- [v1.32.4](#v1324) - - [Downloads for v1.32.4](#downloads-for-v1324) +- 
[v1.32.5](#v1325) + - [Downloads for v1.32.5](#downloads-for-v1325) - [Source Code](#source-code-2) - [Client Binaries](#client-binaries-2) - [Server Binaries](#server-binaries-2) - [Node Binaries](#node-binaries-2) - [Container Images](#container-images-2) - - [Changelog since v1.32.3](#changelog-since-v1323) + - [Changelog since v1.32.4](#changelog-since-v1324) - [Changes by Kind](#changes-by-kind-2) + - [Feature](#feature-1) - [Bug or Regression](#bug-or-regression-2) - [Dependencies](#dependencies-2) - [Added](#added-2) - [Changed](#changed-2) - [Removed](#removed-2) -- [v1.32.3](#v1323) - - [Downloads for v1.32.3](#downloads-for-v1323) +- [v1.32.4](#v1324) + - [Downloads for v1.32.4](#downloads-for-v1324) - [Source Code](#source-code-3) - [Client Binaries](#client-binaries-3) - [Server Binaries](#server-binaries-3) - [Node Binaries](#node-binaries-3) - [Container Images](#container-images-3) - - [Changelog since v1.32.2](#changelog-since-v1322) + - [Changelog since v1.32.3](#changelog-since-v1323) - [Changes by Kind](#changes-by-kind-3) - - [API Change](#api-change) - [Bug or Regression](#bug-or-regression-3) - [Dependencies](#dependencies-3) - [Added](#added-3) - [Changed](#changed-3) - [Removed](#removed-3) -- [v1.32.2](#v1322) - - [Downloads for v1.32.2](#downloads-for-v1322) +- [v1.32.3](#v1323) + - [Downloads for v1.32.3](#downloads-for-v1323) - [Source Code](#source-code-4) - [Client Binaries](#client-binaries-4) - [Server Binaries](#server-binaries-4) - [Node Binaries](#node-binaries-4) - [Container Images](#container-images-4) - - [Changelog since v1.32.1](#changelog-since-v1321) - - [Important Security Information](#important-security-information-1) - - [CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API](#cve-2025-0426-node-denial-of-service-via-kubelet-checkpoint-api) + - [Changelog since v1.32.2](#changelog-since-v1322) - [Changes by Kind](#changes-by-kind-4) - - [Feature](#feature-2) + - [API Change](#api-change) - [Bug or 
Regression](#bug-or-regression-4) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1) - [Dependencies](#dependencies-4) - [Added](#added-4) - [Changed](#changed-4) - [Removed](#removed-4) -- [v1.32.1](#v1321) - - [Downloads for v1.32.1](#downloads-for-v1321) +- [v1.32.2](#v1322) + - [Downloads for v1.32.2](#downloads-for-v1322) - [Source Code](#source-code-5) - [Client Binaries](#client-binaries-5) - [Server Binaries](#server-binaries-5) - [Node Binaries](#node-binaries-5) - [Container Images](#container-images-5) - - [Changelog since v1.32.0](#changelog-since-v1320) - - [Important Security Information](#important-security-information-2) - - [CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API](#cve-2024-9042-command-injection-affecting-windows-nodes-via-nodeslogsquery-api) + - [Changelog since v1.32.1](#changelog-since-v1321) + - [Important Security Information](#important-security-information-1) + - [CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API](#cve-2025-0426-node-denial-of-service-via-kubelet-checkpoint-api) - [Changes by Kind](#changes-by-kind-5) - - [API Change](#api-change-1) - - [Feature](#feature-3) + - [Feature](#feature-2) - [Bug or Regression](#bug-or-regression-5) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1) - [Dependencies](#dependencies-5) - [Added](#added-5) - [Changed](#changed-5) - [Removed](#removed-5) -- [v1.32.0](#v1320) - - [Downloads for v1.32.0](#downloads-for-v1320) +- [v1.32.1](#v1321) + - [Downloads for v1.32.1](#downloads-for-v1321) - [Source Code](#source-code-6) - [Client Binaries](#client-binaries-6) - [Server Binaries](#server-binaries-6) - [Node Binaries](#node-binaries-6) - [Container Images](#container-images-6) - - [Changelog since v1.31.0](#changelog-since-v1310) - - [Urgent Upgrade Notes](#urgent-upgrade-notes) + - [Changelog since v1.32.0](#changelog-since-v1320) + - [Important Security Information](#important-security-information-2) + - [CVE-2024-9042: 
Command Injection affecting Windows nodes via nodes/*/logs/query API](#cve-2024-9042-command-injection-affecting-windows-nodes-via-nodeslogsquery-api) - [Changes by Kind](#changes-by-kind-6) - - [Deprecation](#deprecation) - - [API Change](#api-change-2) - - [Feature](#feature-4) - - [Documentation](#documentation) - - [Failing Test](#failing-test) + - [API Change](#api-change-1) + - [Feature](#feature-3) - [Bug or Regression](#bug-or-regression-6) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-2) - [Dependencies](#dependencies-6) - [Added](#added-6) - [Changed](#changed-6) - [Removed](#removed-6) -- [v1.32.0-rc.2](#v1320-rc2) - - [Downloads for v1.32.0-rc.2](#downloads-for-v1320-rc2) +- [v1.32.0](#v1320) + - [Downloads for v1.32.0](#downloads-for-v1320) - [Source Code](#source-code-7) - [Client Binaries](#client-binaries-7) - [Server Binaries](#server-binaries-7) - [Node Binaries](#node-binaries-7) - [Container Images](#container-images-7) - - [Changelog since v1.32.0-rc.1](#changelog-since-v1320-rc1) + - [Changelog since v1.31.0](#changelog-since-v1310) + - [Urgent Upgrade Notes](#urgent-upgrade-notes) - [Changes by Kind](#changes-by-kind-7) - - [API Change](#api-change-3) + - [Deprecation](#deprecation) + - [API Change](#api-change-2) + - [Feature](#feature-4) + - [Documentation](#documentation) + - [Failing Test](#failing-test) - [Bug or Regression](#bug-or-regression-7) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-2) - [Dependencies](#dependencies-7) - [Added](#added-7) - [Changed](#changed-7) - [Removed](#removed-7) -- [v1.32.0-rc.1](#v1320-rc1) - - [Downloads for v1.32.0-rc.1](#downloads-for-v1320-rc1) +- [v1.32.0-rc.2](#v1320-rc2) + - [Downloads for v1.32.0-rc.2](#downloads-for-v1320-rc2) - [Source Code](#source-code-8) - [Client Binaries](#client-binaries-8) - [Server Binaries](#server-binaries-8) - [Node Binaries](#node-binaries-8) - [Container Images](#container-images-8) - - [Changelog since v1.32.0-rc.0](#changelog-since-v1320-rc0) + 
- [Changelog since v1.32.0-rc.1](#changelog-since-v1320-rc1) + - [Changes by Kind](#changes-by-kind-8) + - [API Change](#api-change-3) + - [Bug or Regression](#bug-or-regression-8) - [Dependencies](#dependencies-8) - [Added](#added-8) - [Changed](#changed-8) - [Removed](#removed-8) -- [v1.32.0-rc.0](#v1320-rc0) - - [Downloads for v1.32.0-rc.0](#downloads-for-v1320-rc0) +- [v1.32.0-rc.1](#v1320-rc1) + - [Downloads for v1.32.0-rc.1](#downloads-for-v1320-rc1) - [Source Code](#source-code-9) - [Client Binaries](#client-binaries-9) - [Server Binaries](#server-binaries-9) - [Node Binaries](#node-binaries-9) - [Container Images](#container-images-9) - - [Changelog since v1.32.0-beta.0](#changelog-since-v1320-beta0) - - [Changes by Kind](#changes-by-kind-8) - - [API Change](#api-change-4) - - [Feature](#feature-5) - - [Bug or Regression](#bug-or-regression-8) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-3) + - [Changelog since v1.32.0-rc.0](#changelog-since-v1320-rc0) - [Dependencies](#dependencies-9) - [Added](#added-9) - [Changed](#changed-9) - [Removed](#removed-9) -- [v1.32.0-beta.0](#v1320-beta0) - - [Downloads for v1.32.0-beta.0](#downloads-for-v1320-beta0) +- [v1.32.0-rc.0](#v1320-rc0) + - [Downloads for v1.32.0-rc.0](#downloads-for-v1320-rc0) - [Source Code](#source-code-10) - [Client Binaries](#client-binaries-10) - [Server Binaries](#server-binaries-10) - [Node Binaries](#node-binaries-10) - [Container Images](#container-images-10) - - [Changelog since v1.32.0-alpha.3](#changelog-since-v1320-alpha3) - - [Urgent Upgrade Notes](#urgent-upgrade-notes-1) - - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade) + - [Changelog since v1.32.0-beta.0](#changelog-since-v1320-beta0) - [Changes by Kind](#changes-by-kind-9) - - [Deprecation](#deprecation-1) - - [API Change](#api-change-5) - - [Feature](#feature-6) + - [API Change](#api-change-4) + - [Feature](#feature-5) - [Bug or Regression](#bug-or-regression-9) - 
- [Other (Cleanup or Flake)](#other-cleanup-or-flake-4) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-3) - [Dependencies](#dependencies-10) - [Added](#added-10) - [Changed](#changed-10) - [Removed](#removed-10) -- [v1.32.0-alpha.3](#v1320-alpha3) - - [Downloads for v1.32.0-alpha.3](#downloads-for-v1320-alpha3) +- [v1.32.0-beta.0](#v1320-beta0) + - [Downloads for v1.32.0-beta.0](#downloads-for-v1320-beta0) - [Source Code](#source-code-11) - [Client Binaries](#client-binaries-11) - [Server Binaries](#server-binaries-11) - [Node Binaries](#node-binaries-11) - [Container Images](#container-images-11) - - [Changelog since v1.32.0-alpha.2](#changelog-since-v1320-alpha2) + - [Changelog since v1.32.0-alpha.3](#changelog-since-v1320-alpha3) + - [Urgent Upgrade Notes](#urgent-upgrade-notes-1) + - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade) - [Changes by Kind](#changes-by-kind-10) - - [API Change](#api-change-6) - - [Feature](#feature-7) - - [Documentation](#documentation-1) + - [Deprecation](#deprecation-1) + - [API Change](#api-change-5) + - [Feature](#feature-6) - [Bug or Regression](#bug-or-regression-10) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-5) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-4) - [Dependencies](#dependencies-11) - [Added](#added-11) - [Changed](#changed-11) - [Removed](#removed-11) -- [v1.32.0-alpha.2](#v1320-alpha2) - - [Downloads for v1.32.0-alpha.2](#downloads-for-v1320-alpha2) +- [v1.32.0-alpha.3](#v1320-alpha3) + - [Downloads for v1.32.0-alpha.3](#downloads-for-v1320-alpha3) - [Source Code](#source-code-12) - [Client Binaries](#client-binaries-12) - [Server Binaries](#server-binaries-12) - [Node Binaries](#node-binaries-12) - [Container Images](#container-images-12) - - [Changelog since v1.32.0-alpha.1](#changelog-since-v1320-alpha1) + - [Changelog since v1.32.0-alpha.2](#changelog-since-v1320-alpha2) - [Changes by Kind](#changes-by-kind-11) - - [API 
Change](#api-change-7) - - [Feature](#feature-8) - - [Documentation](#documentation-2) + - [API Change](#api-change-6) + - [Feature](#feature-7) + - [Documentation](#documentation-1) - [Bug or Regression](#bug-or-regression-11) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-6) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-5) - [Dependencies](#dependencies-12) - [Added](#added-12) - [Changed](#changed-12) - [Removed](#removed-12) -- [v1.32.0-alpha.1](#v1320-alpha1) - - [Downloads for v1.32.0-alpha.1](#downloads-for-v1320-alpha1) +- [v1.32.0-alpha.2](#v1320-alpha2) + - [Downloads for v1.32.0-alpha.2](#downloads-for-v1320-alpha2) - [Source Code](#source-code-13) - [Client Binaries](#client-binaries-13) - [Server Binaries](#server-binaries-13) - [Node Binaries](#node-binaries-13) - [Container Images](#container-images-13) - - [Changelog since v1.31.0](#changelog-since-v1310-1) + - [Changelog since v1.32.0-alpha.1](#changelog-since-v1320-alpha1) - [Changes by Kind](#changes-by-kind-12) + - [API Change](#api-change-7) + - [Feature](#feature-8) + - [Documentation](#documentation-2) + - [Bug or Regression](#bug-or-regression-12) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-6) + - [Dependencies](#dependencies-13) + - [Added](#added-13) + - [Changed](#changed-13) + - [Removed](#removed-13) +- [v1.32.0-alpha.1](#v1320-alpha1) + - [Downloads for v1.32.0-alpha.1](#downloads-for-v1320-alpha1) + - [Source Code](#source-code-14) + - [Client Binaries](#client-binaries-14) + - [Server Binaries](#server-binaries-14) + - [Node Binaries](#node-binaries-14) + - [Container Images](#container-images-14) + - [Changelog since v1.31.0](#changelog-since-v1310-1) + - [Changes by Kind](#changes-by-kind-13) - [Deprecation](#deprecation-2) - [API Change](#api-change-8) - [Feature](#feature-9) - [Documentation](#documentation-3) - [Failing Test](#failing-test-1) - - [Bug or Regression](#bug-or-regression-12) + - [Bug or Regression](#bug-or-regression-13) - [Other 
(Cleanup or Flake)](#other-cleanup-or-flake-7) - - [Dependencies](#dependencies-13) - - [Added](#added-13) - - [Changed](#changed-13) - - [Removed](#removed-13) + - [Dependencies](#dependencies-14) + - [Added](#added-14) + - [Changed](#changed-14) + - [Removed](#removed-14) +# v1.32.7 + + +## Downloads for v1.32.7 + + + +### Source Code + +filename | sha512 hash +-------- | ----------- +[kubernetes.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes.tar.gz) | 00d360a2c858f6254b93fdb7369cddb163d04667da330a02205cbcd50bf7c9720f363e445546ecdb3baf96afafd499215163c79a713526fb1685061b4b306af9 +[kubernetes-src.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-src.tar.gz) | 03b0306b28c9973ecbb4de4058dafa16a153e4b30036bb9fd9f0fc6c8bbf9f50a535e663e464ff8ec75c1d3b193d1e84c31ddbe5cdc0f6328a9f342b3f5943c0 + +### Client Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-darwin-amd64.tar.gz) | d11144e36472fb00b4faca4e2f48cef65fe9351e3ed5ca7e2914be85187bd524c29db1bd6eb4b424086a5bc9b23ed06203af2463fa421ac0b08c28090ce6ed7f +[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-darwin-arm64.tar.gz) | f4470d333130926a0de81298c19a9018b35cc58d675751c94c4933598927d416a719b39b6ff9ff65ebd4547f49ff6c7b1cb813b33ad34bcc72689a600f2138ee +[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-linux-386.tar.gz) | 52464b81ee9205b4439e499723f81a24d4284908f8c8a14f407c6415386a74320ed23cacc7b198a5160dc7dd308d83edf7de20e7dacf6391dbfff8f1d39c5623 +[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-linux-amd64.tar.gz) | fb31a1727c8a50ae1a2b0a74434569d32e847fd5248a35b2345c063d588e435e676fffea6db861e8abf6621fc41ace92a48e5b2c34df2272db955fe951d37cfe +[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-linux-arm.tar.gz) | 
3a598034d6339340386e82abddf85b7dcfed17b59bd933ccff0fd8f88c09ef6a4dc697fc245b9045cd73c0fa8d637987fafd49d4d1b31d111070ad66f4a93933 +[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-linux-arm64.tar.gz) | 9106c73bb66996211468ed78e0fac7bd8481a9037f9d121ca2b05dc9187cefb502c6c459a23f2732e1235958f20521c17061cf5f741b8bc542ee698937ccd942 +[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-linux-ppc64le.tar.gz) | 82331d4c35644a90cfe99af1468050c18ca550b1ca5f29712075f731641daa3e4f96c2f0401d30f445cbd2fd6892dfc605e802fc9d7beb805c25aa0a3525b806 +[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-linux-s390x.tar.gz) | d13e41f644e7a4ece99d980d645b761d4981927af29c472bc15a88acfaef47d074ddfed27e1adaa185ac748f11c0eae58ed705d8784dfaf7216d8685047b3b01 +[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-windows-386.tar.gz) | 4ae3690372063a134b30364f48329e8795ce7aa03d03053d2687807fbfcd50f2c5d0e0c9388c0dd12dedda4d31483d217399e0707c5770bedea960af71d46fd0 +[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-windows-amd64.tar.gz) | e9c62241b4ce59c00dca577992e2f6a065e817673b357d70498b1a4bf204736957815b611f9fecaa53ac7a1eb4000fd69b1458d4ab9c3105d8dc3f8cd8d4bdf3 +[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-client-windows-arm64.tar.gz) | 33ffcbc77480c71a80122e037d6fbf372b0ad109fa22fd73de8e373d380ed014aab7852d11cc5983e3afc43c9d07e869b4e401c192dc04601879d9b08933e3b0 + +### Server Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-server-linux-amd64.tar.gz) | ff7e724f8527553f61b005371bf2688c889d525d21966a7799ffa4a997d6faddbeb7577ad8df5cb7fd6e08037d41634259fa85a158b857b20eb4672fe8d4baa5 +[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-server-linux-arm64.tar.gz) | 
2e42207d09f49348546db0209109aa1c1bebf96e3818ccad22553ee3f65c13a6e36cb812b2ae7262941b655868fa16b9d8e681bb0b8555271ab03f4fd33798b1 +[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-server-linux-ppc64le.tar.gz) | f031afcfc656c573ebcc45de0f28656fbd6bb45c458f30c3372114940d04b12a05bfa33c0454834d927566b07a39ea78225702676adb2a2bd0fb4eebbd41ad99 +[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-server-linux-s390x.tar.gz) | aebaf89debfaf6d8543528eb2c334290452db6ef00520818d90022088a195811f6a4219a8156aeee37c841c4197d89020e17e15cda3eb80c729e041ce1626193 + +### Node Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-node-linux-amd64.tar.gz) | b6f44877cc57914cf86ae1ba1df136f4cbb1ba40d9dd39a0c455d8bc13df54af61e53c470c89c2d8ff3d47be5de360e23bb764a83038f30d1afdf54fd5f5ba6d +[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-node-linux-arm64.tar.gz) | 2934d28b5cf6856444ee1a4b4a224be19d89447b4596014507f2c0f5cc33bbbf52ed884d1366c6bc9a39e088f2dbe0e1ef389f8973c2bf3cadba80d388a9d6cb +[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-node-linux-ppc64le.tar.gz) | 20fee6ba042870d930ea3e4c650f5ba8b7b7755c85ffc0f61a93dbf92c3f1239633aee9b0e2b0e4462dba056148d9e63eb5554f8af4fd97046d7750fae96bcb4 +[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-node-linux-s390x.tar.gz) | 63ac2e7861eb709b331365c71198adb4de1e3533d76e63d7f08fd7e9cf6eb457ffc5388c22967f0eb4fc6b3cb1061d345e4e52e76fbdda444ad21d3830a0d03a +[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.32.7/kubernetes-node-windows-amd64.tar.gz) | acd5cfc416407353c010621ba93829dd263b21981814ec8a1c10434eeb4cea37a92f1b9343cecca97a4680a7b6443048583d1688a915d14bffe9a72398f75faa + +### Container Images + +All container images are available as manifest lists and support the described +architectures. 
It is also possible to pull a specific architecture directly by +adding the "-$ARCH" suffix to the container image name. + +name | architectures +---- | ------------- +[registry.k8s.io/conformance:v1.32.7](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x) +[registry.k8s.io/kube-apiserver:v1.32.7](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x) +[registry.k8s.io/kube-controller-manager:v1.32.7](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), 
[ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x) +[registry.k8s.io/kube-proxy:v1.32.7](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x) +[registry.k8s.io/kube-scheduler:v1.32.7](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x) +[registry.k8s.io/kubectl:v1.32.7](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), 
[ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x) + +## Changelog since v1.32.6 + +## Changes by Kind + +### Bug or Regression + +- Fix a bug causing unexpected delay of creating pods for newly created jobs ([#132159](https://github.com/kubernetes/kubernetes/pull/132159), [@linxiulei](https://github.com/linxiulei)) [SIG Apps and Testing] +- Fix validation for Job with suspend=true, and completions=0 to set the Complete condition. ([#132727](https://github.com/kubernetes/kubernetes/pull/132727), [@mimowo](https://github.com/mimowo)) [SIG Apps and Testing] +- Kubeadm: fixed issue where etcd member promotion fails with an error saying the member was already promoted ([#132281](https://github.com/kubernetes/kubernetes/pull/132281), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle] + +## Dependencies + +### Added +_Nothing has changed._ + +### Changed +_Nothing has changed._ + +### Removed +_Nothing has changed._ + + + # v1.32.6 diff --git a/deps/github.com/openshift/kubernetes/build/build-image/cross/VERSION b/deps/github.com/openshift/kubernetes/build/build-image/cross/VERSION index 0d4ae66aa1..121f717023 100644 --- a/deps/github.com/openshift/kubernetes/build/build-image/cross/VERSION +++ b/deps/github.com/openshift/kubernetes/build/build-image/cross/VERSION @@ -1 +1 @@ -v1.32.0-go1.23.10-bullseye.0 +v1.32.0-go1.23.11-bullseye.0 diff --git a/deps/github.com/openshift/kubernetes/build/common.sh b/deps/github.com/openshift/kubernetes/build/common.sh index e79b172ae8..730288da7c 100755 --- a/deps/github.com/openshift/kubernetes/build/common.sh +++ b/deps/github.com/openshift/kubernetes/build/common.sh 
@@ -97,8 +97,8 @@ readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}" readonly KUBE_CONTAINER_RSYNC_PORT=8730 # These are the default versions (image tags) for their respective base images. -readonly __default_distroless_iptables_version=v0.6.11 -readonly __default_go_runner_version=v2.4.0-go1.23.10-bookworm.0 +readonly __default_distroless_iptables_version=v0.6.12 +readonly __default_go_runner_version=v2.4.0-go1.23.11-bookworm.0 readonly __default_setcap_version=bookworm-v1.0.4 # These are the base images for the Docker-wrapped binaries. diff --git a/deps/github.com/openshift/kubernetes/build/dependencies.yaml b/deps/github.com/openshift/kubernetes/build/dependencies.yaml index 4d4bc159e3..f7fe33dd33 100644 --- a/deps/github.com/openshift/kubernetes/build/dependencies.yaml +++ b/deps/github.com/openshift/kubernetes/build/dependencies.yaml @@ -116,7 +116,7 @@ dependencies: # Golang - name: "golang: upstream version" - version: 1.23.10 + version: 1.23.11 refPaths: - path: .go-version - path: build/build-image/cross/VERSION @@ -140,7 +140,7 @@ dependencies: match: golang:([0-9]+\.[0-9]+).0-bullseye - name: "registry.k8s.io/kube-cross: dependents" - version: v1.32.0-go1.23.10-bullseye.0 + version: v1.32.0-go1.23.11-bullseye.0 refPaths: - path: build/build-image/cross/VERSION @@ -178,7 +178,7 @@ dependencies: match: registry\.k8s\.io\/build-image\/debian-base:[a-zA-Z]+\-v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?) - name: "registry.k8s.io/distroless-iptables: dependents" - version: v0.6.11 + version: v0.6.12 refPaths: - path: build/common.sh match: __default_distroless_iptables_version= 
@@ -186,7 +186,7 @@ dependencies: match: configs\[DistrolessIptables\] = Config{list\.BuildImageRegistry, "distroless-iptables", "v([0-9]+)\.([0-9]+)\.([0-9]+)"} - name: "registry.k8s.io/go-runner: dependents" - version: v2.4.0-go1.23.10-bookworm.0 + version: v2.4.0-go1.23.11-bookworm.0 refPaths: - path: build/common.sh match: __default_go_runner_version= diff --git a/deps/github.com/openshift/kubernetes/openshift-hack/e2e/annotate/generated/zz_generated.annotations.go b/deps/github.com/openshift/kubernetes/openshift-hack/e2e/annotate/generated/zz_generated.annotations.go index 8b92a331ea..99bca0c091 100644 --- a/deps/github.com/openshift/kubernetes/openshift-hack/e2e/annotate/generated/zz_generated.annotations.go +++ b/deps/github.com/openshift/kubernetes/openshift-hack/e2e/annotate/generated/zz_generated.annotations.go @@ -1481,8 +1481,6 @@ var Annotations = map[string]string{ "[sig-node] Container Runtime blackbox test on terminated container should report termination message if TerminationMessagePath is set as non-root user and at a non-default path [NodeConformance] [Conformance]": " [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]", - "[sig-node] Container Runtime blackbox test when running a container with a new image should be able to pull from private registry with secret [NodeConformance]": " [Disabled:Broken] [Suite:k8s]", - "[sig-node] Container Runtime blackbox test when running a container with a new image should be able to pull image [NodeConformance]": " [Suite:openshift/conformance/parallel] [Suite:k8s]", "[sig-node] Container Runtime blackbox test when running a container with a new image should not be able to pull from private registry without secret [NodeConformance]": " [Suite:openshift/conformance/parallel] [Suite:k8s]", 
diff --git a/deps/github.com/openshift/kubernetes/openshift-hack/images/hyperkube/Dockerfile.rhel b/deps/github.com/openshift/kubernetes/openshift-hack/images/hyperkube/Dockerfile.rhel index 9770d554ca..8ff19b1745 100644 --- a/deps/github.com/openshift/kubernetes/openshift-hack/images/hyperkube/Dockerfile.rhel +++ b/deps/github.com/openshift/kubernetes/openshift-hack/images/hyperkube/Dockerfile.rhel @@ -14,4 +14,4 @@ COPY --from=builder /tmp/build/* /usr/bin/ LABEL io.k8s.display-name="OpenShift Kubernetes Server Commands" \ io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \ io.openshift.tags="openshift,hyperkube" \ - io.openshift.build.versions="kubernetes=1.32.7" \ No newline at end of file + io.openshift.build.versions="kubernetes=1.32.8" \ No newline at end of file diff --git a/deps/github.com/openshift/kubernetes/plugin/pkg/admission/noderestriction/admission.go b/deps/github.com/openshift/kubernetes/plugin/pkg/admission/noderestriction/admission.go index 419de31a99..1163f6bc20 100644 --- a/deps/github.com/openshift/kubernetes/plugin/pkg/admission/noderestriction/admission.go +++ b/deps/github.com/openshift/kubernetes/plugin/pkg/admission/noderestriction/admission.go @@ -518,6 +518,11 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error { return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify taints", nodeName)) } + // Don't allow a node to update its own ownerReferences. + if !apiequality.Semantic.DeepEqual(node.OwnerReferences, oldNode.OwnerReferences) { + return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify ownerReferences", nodeName)) + } + // Don't allow a node to update labels outside the allowed set. // This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself. modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels) 
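Review bot: The new guard in admitNode compares `node.OwnerReferences` with `oldNode.OwnerReferences`, so it only covers updates. Whether a node can register its own Node object with ownerReferences already set depends on the create branch, which is outside this hunk and should be checked. The comment above the guard also states the rule without the reason, unlike the label comment that follows it. I would extend it to `// Don't allow a node to update its own ownerReferences: owner references drive garbage collection, so a node that can set them can influence deletion of its own Node object.` admitNode starts and ends outside the hunk.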
diff --git a/deps/github.com/openshift/kubernetes/plugin/pkg/admission/noderestriction/admission_test.go b/deps/github.com/openshift/kubernetes/plugin/pkg/admission/noderestriction/admission_test.go index 86a2666ef8..b8325dbff3 100644 --- a/deps/github.com/openshift/kubernetes/plugin/pkg/admission/noderestriction/admission_test.go +++ b/deps/github.com/openshift/kubernetes/plugin/pkg/admission/noderestriction/admission_test.go @@ -254,10 +254,14 @@ func (a *admitTestCase) run(t *testing.T) { func Test_nodePlugin_Admit(t *testing.T) { var ( - mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}} - bob = &user.DefaultInfo{Name: "bob"} + trueRef = true + mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}} + bob = &user.DefaultInfo{Name: "bob"} + + mynodeObjMeta = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"} + mynodeObjMetaOwnerRefA = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerA", Controller: &trueRef}}} + mynodeObjMetaOwnerRefB = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerB", Controller: &trueRef}}} - mynodeObjMeta = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"} mynodeObj = &api.Node{ObjectMeta: mynodeObjMeta} mynodeObjConfigA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{ConfigSource: &api.NodeConfigSource{ ConfigMap: &api.ConfigMapNodeConfigSource{ 
@@ -274,9 +278,11 @@ func Test_nodePlugin_Admit(t *testing.T) { KubeletConfigKey: "kubelet", }}}} - mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}} - mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}} - othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}} + mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}} + mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}} + mynodeObjOwnerRefA = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefA} + mynodeObjOwnerRefB = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefB} + othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}} coremymirrorpod, v1mymirrorpod = makeTestPod("ns", "mymirrorpod", "mynode", true) coreothermirrorpod, v1othermirrorpod = makeTestPod("ns", "othermirrorpod", "othernode", true) 
@@ -1167,6 +1173,24 @@ func Test_nodePlugin_Admit(t *testing.T) { attributes: admission.NewAttributesRecord(setForbiddenUpdateLabels(mynodeObj, "new"), setForbiddenUpdateLabels(mynodeObj, "old"), nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode), err: `is not allowed to modify labels: foo.node-restriction.kubernetes.io/foo, node-restriction.kubernetes.io/foo, other.k8s.io/foo, other.kubernetes.io/foo`, }, + { + name: "forbid update of my node: add owner reference", + podsGetter: existingPods, + attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode), + err: "node \"mynode\" is not allowed to modify ownerReferences", + }, + { + name: "forbid update of my node: remove owner reference", + podsGetter: existingPods, + attributes: admission.NewAttributesRecord(mynodeObj, mynodeObjOwnerRefA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode), + err: "node \"mynode\" is not allowed to modify ownerReferences", + }, + { + name: "forbid update of my node: change owner reference", + podsGetter: existingPods, + attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObjOwnerRefB, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode), + err: "node \"mynode\" is not allowed to modify ownerReferences", + }, // Other node object { diff --git a/deps/github.com/openshift/kubernetes/staging/publishing/rules.yaml b/deps/github.com/openshift/kubernetes/staging/publishing/rules.yaml index e3db4a7fc3..fc316e1d27 100644 --- a/deps/github.com/openshift/kubernetes/staging/publishing/rules.yaml +++ b/deps/github.com/openshift/kubernetes/staging/publishing/rules.yaml 
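Review bot: The three cases added after the forbidden-labels case all expect a rejection, so nothing pins that an update leaving ownerReferences untouched is still admitted when the Node already carries an owner reference. A regression that rejected every update of an owned Node would still pass these tests. I would add an allow case that passes `mynodeObjOwnerRefA` as both new and old object and expects no error, assuming an empty `err` means "admitted" as the string field suggests. If the create path is meant to be covered, a case using `admission.Create` with an owner reference set would pin that too. Test_nodePlugin_Admit starts and ends outside the hunk.

```go
// … unchanged: the three "forbid update of my node: … owner reference" cases …
{
	name:       "allow update of my node: unchanged owner reference",
	podsGetter: existingPods,
	attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObjOwnerRefA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
	err:        "",
},
```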
@@ -2900,4 +2900,4 @@ rules: - staging/src/k8s.io/externaljwt recursive-delete-patterns: - '*/.gitattributes' -default-go-version: 1.23.10 +default-go-version: 1.23.11 diff --git a/deps/github.com/openshift/kubernetes/test/e2e/common/node/runtime.go b/deps/github.com/openshift/kubernetes/test/e2e/common/node/runtime.go index fedf1241c2..8caf4cf4c4 100644 --- a/deps/github.com/openshift/kubernetes/test/e2e/common/node/runtime.go +++ b/deps/github.com/openshift/kubernetes/test/e2e/common/node/runtime.go @@ -19,13 +19,10 @@ package node import ( "context" "fmt" - "os" "path" "time" v1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/pkg/kubelet/images" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" @@ -262,7 +259,7 @@ while true; do sleep 1; done // Images used for ConformanceContainer are not added into NodePrePullImageList, because this test is // testing image pulling, these images don't need to be prepulled. The ImagePullPolicy // is v1.PullAlways, so it won't be blocked by framework image pre-pull list check. - imagePullTest := func(ctx context.Context, image string, hasSecret bool, expectedPhase v1.PodPhase, expectedPullStatus bool, windowsImage bool) { + imagePullTest := func(ctx context.Context, image string, expectedPhase v1.PodPhase, expectedPullStatus bool, windowsImage bool) { command := []string{"/bin/sh", "-c", "while true; do sleep 1; done"} if windowsImage { // -t: Ping the specified host until stopped. 
@@ -278,34 +275,7 @@ while true; do sleep 1; done }, RestartPolicy: v1.RestartPolicyNever, } - if hasSecret { - // The service account only has pull permission - auth := ` -{ - "auths": { - "https://gcr.io": { - "auth": "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", - "email": "image-pulling@authenticated-image-pulling.iam.gserviceaccount.com" - } - } -}` - // we might be told to use a different docker config JSON. - if framework.TestContext.DockerConfigFile != "" { - contents, err := os.ReadFile(framework.TestContext.DockerConfigFile) - framework.ExpectNoError(err) - auth = string(contents) - } - secret := &v1.Secret{ - Data: map[string][]byte{v1.DockerConfigJsonKey: []byte(auth)}, - Type: v1.SecretTypeDockerConfigJson, - } - secret.Name = "image-pull-secret-" + string(uuid.NewUUID()) - ginkgo.By("create image pull secret") - _, err := f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, secret, metav1.CreateOptions{}) - framework.ExpectNoError(err) - ginkgo.DeferCleanup(f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Delete, secret.Name, metav1.DeleteOptions{}) - container.ImagePullSecrets = []string{secret.Name} - } + // checkContainerStatus checks whether the container status matches expectation. checkContainerStatus := func(ctx context.Context) error { status, err := container.GetStatus(ctx) 
@@ -370,29 +340,24 @@ while true; do sleep 1; done f.It("should not be able to pull image from invalid registry", f.WithNodeConformance(), func(ctx context.Context) { image := imageutils.GetE2EImage(imageutils.InvalidRegistryImage) - imagePullTest(ctx, image, false, v1.PodPending, true, false) + imagePullTest(ctx, image, v1.PodPending, true, false) }) f.It("should be able to pull image", f.WithNodeConformance(), func(ctx context.Context) { // NOTE(claudiub): The agnhost image is supposed to work on both Linux and Windows. image := imageutils.GetE2EImage(imageutils.Agnhost) - imagePullTest(ctx, image, false, v1.PodRunning, false, false) + imagePullTest(ctx, image, v1.PodRunning, false, false) }) + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Switch this to use a locally hosted private image and not depend on this host f.It("should not be able to pull from private registry without secret", f.WithNodeConformance(), func(ctx context.Context) { image := imageutils.GetE2EImage(imageutils.AuthenticatedAlpine) - imagePullTest(ctx, image, false, v1.PodPending, true, false) + imagePullTest(ctx, image, v1.PodPending, true, false) }) - f.It("should be able to pull from private registry with secret", f.WithNodeConformance(), func(ctx context.Context) { - image := imageutils.GetE2EImage(imageutils.AuthenticatedAlpine) - isWindows := false - if framework.NodeOSDistroIs("windows") { - image = imageutils.GetE2EImage(imageutils.AuthenticatedWindowsNanoServer) - isWindows = true - } - imagePullTest(ctx, image, true, v1.PodRunning, false, isWindows) - }) + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Add a sustainable test for pulling with a private registry secret }) }) }) diff --git a/deps/github.com/openshift/kubernetes/test/e2e_node/runtime_conformance_test.go b/deps/github.com/openshift/kubernetes/test/e2e_node/runtime_conformance_test.go deleted file mode 100644 index 0aa256d400..0000000000 
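Review bot: Every call to `imagePullTest` left in this hunk passes `false` for `windowsImage`, because the only caller that set it was the removed private-registry-with-secret test, so the parameter and the Windows command branch behind it look dead. Dropping it would leave `imagePullTest := func(ctx context.Context, image string, expectedPhase v1.PodPhase, expectedPullStatus bool)`, which also removes one of two adjacent positional bools at the call sites. The closure body and any further callers are outside this hunk, so confirm no other call passes `true`. Separately, the registry auth blob deleted in the preceding hunk remains in repository history; deleting it from the tree does not retire the credential, and whether it has been revoked is not visible here.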
--- a/deps/github.com/openshift/kubernetes/test/e2e_node/runtime_conformance_test.go +++ /dev/null 
@@ -1,156 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package e2enode - -import ( - "context" - "fmt" - "os" - "path/filepath" - "time" - - v1 "k8s.io/api/core/v1" - "k8s.io/kubernetes/pkg/kubelet/images" - "k8s.io/kubernetes/test/e2e/common/node" - "k8s.io/kubernetes/test/e2e/framework" - e2epod "k8s.io/kubernetes/test/e2e/framework/pod" - "k8s.io/kubernetes/test/e2e_node/services" - admissionapi "k8s.io/pod-security-admission/api" - - "github.com/onsi/ginkgo/v2" -) - -var _ = SIGDescribe("Container Runtime Conformance Test", func() { - f := framework.NewDefaultFramework("runtime-conformance") - f.NamespacePodSecurityLevel = admissionapi.LevelBaseline - - ginkgo.Describe("container runtime conformance blackbox test", func() { - - ginkgo.Context("when running a container with a new image", func() { - // The service account only has pull permission - auth := ` -{ - "auths": { - "https://gcr.io": { - "auth": "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", - "email": "image-pulling@authenticated-image-pulling.iam.gserviceaccount.com" - } - } -}` - // The following images are not added into NodePrePullImageList, because this test is - // testing image pulling, these images don't need to be prepulled. The ImagePullPolicy - // is v1.PullAlways, so it won't be blocked by framework image pre-pull list check. 
- for _, testCase := range []struct { - description string - image string - phase v1.PodPhase - waiting bool - }{ - { - description: "should be able to pull from private registry with credential provider", - image: "gcr.io/authenticated-image-pulling/alpine:3.7", - phase: v1.PodRunning, - waiting: false, - }, - } { - testCase := testCase - f.It(testCase.description+"", f.WithNodeConformance(), func(ctx context.Context) { - name := "image-pull-test" - command := []string{"/bin/sh", "-c", "while true; do sleep 1; done"} - container := node.ConformanceContainer{ - PodClient: e2epod.NewPodClient(f), - Container: v1.Container{ - Name: name, - Image: testCase.image, - Command: command, - // PullAlways makes sure that the image will always be pulled even if it is present before the test. - ImagePullPolicy: v1.PullAlways, - }, - RestartPolicy: v1.RestartPolicyNever, - } - - configFile := filepath.Join(services.KubeletRootDirectory, "config.json") - err := os.WriteFile(configFile, []byte(auth), 0644) - framework.ExpectNoError(err) - defer os.Remove(configFile) - - // checkContainerStatus checks whether the container status matches expectation. - checkContainerStatus := func(ctx context.Context) error { - status, err := container.GetStatus(ctx) - if err != nil { - return fmt.Errorf("failed to get container status: %w", err) - } - // We need to check container state first. The default pod status is pending, If we check - // pod phase first, and the expected pod phase is Pending, the container status may not - // even show up when we check it. 
- // Check container state - if !testCase.waiting { - if status.State.Running == nil { - return fmt.Errorf("expected container state: Running, got: %q", - node.GetContainerState(status.State)) - } - } - if testCase.waiting { - if status.State.Waiting == nil { - return fmt.Errorf("expected container state: Waiting, got: %q", - node.GetContainerState(status.State)) - } - reason := status.State.Waiting.Reason - if reason != images.ErrImagePull.Error() && - reason != images.ErrImagePullBackOff.Error() { - return fmt.Errorf("unexpected waiting reason: %q", reason) - } - } - // Check pod phase - phase, err := container.GetPhase(ctx) - if err != nil { - return fmt.Errorf("failed to get pod phase: %w", err) - } - if phase != testCase.phase { - return fmt.Errorf("expected pod phase: %q, got: %q", testCase.phase, phase) - } - return nil - } - // The image registry is not stable, which sometimes causes the test to fail. Add retry mechanism to make this - // less flaky. - const flakeRetry = 3 - for i := 1; i <= flakeRetry; i++ { - var err error - ginkgo.By("create the container") - container.Create(ctx) - ginkgo.By("check the container status") - for start := time.Now(); time.Since(start) < node.ContainerStatusRetryTimeout; time.Sleep(node.ContainerStatusPollInterval) { - if err = checkContainerStatus(ctx); err == nil { - break - } - } - ginkgo.By("delete the container") - _ = container.Delete(ctx) - if err == nil { - break - } - if i < flakeRetry { - framework.Logf("No.%d attempt failed: %v, retrying...", i, err) - } else { - framework.Failf("All %d attempts failed: %v", flakeRetry, err) - } - } - }) - } - }) - }) -}) diff --git a/deps/github.com/openshift/kubernetes/test/images/.permitted-images b/deps/github.com/openshift/kubernetes/test/images/.permitted-images index ec7dac61ab..042af1417c 100644 --- a/deps/github.com/openshift/kubernetes/test/images/.permitted-images +++ b/deps/github.com/openshift/kubernetes/test/images/.permitted-images 
@@ -4,7 +4,6 @@ # The sources for which are in test/images/agnhost. # If agnhost is missing functionality for your tests, please reach out to SIG Testing. gcr.io/authenticated-image-pulling/alpine -gcr.io/authenticated-image-pulling/windows-nanoserver gcr.io/k8s-authenticated-test/agnhost invalid.registry.k8s.io/invalid/alpine registry.k8s.io/build-image/distroless-iptables diff --git a/deps/github.com/openshift/kubernetes/test/images/Makefile b/deps/github.com/openshift/kubernetes/test/images/Makefile index a96a629816..7048c9fa86 100644 --- a/deps/github.com/openshift/kubernetes/test/images/Makefile +++ b/deps/github.com/openshift/kubernetes/test/images/Makefile @@ -16,7 +16,7 @@ REGISTRY ?= registry.k8s.io/e2e-test-images GOARM ?= 7 DOCKER_CERT_BASE_PATH ?= QEMUVERSION=v5.1.0-2 -GOLANG_VERSION=1.23.10 +GOLANG_VERSION=1.23.11 export ifndef WHAT diff --git a/deps/github.com/openshift/kubernetes/test/utils/image/manifest.go b/deps/github.com/openshift/kubernetes/test/utils/image/manifest.go index 135e121def..15ef54ffbe 100644 --- a/deps/github.com/openshift/kubernetes/test/utils/image/manifest.go +++ b/deps/github.com/openshift/kubernetes/test/utils/image/manifest.go 
@@ -129,13 +129,17 @@ func readFromURL(url string, writer io.Writer) error { var ( initRegistry = RegistryList{ - GcAuthenticatedRegistry: "gcr.io/authenticated-image-pulling", - PromoterE2eRegistry: "registry.k8s.io/e2e-test-images", - BuildImageRegistry: "registry.k8s.io/build-image", - InvalidRegistry: "invalid.registry.k8s.io/invalid", - GcEtcdRegistry: "registry.k8s.io", - GcRegistry: "registry.k8s.io", - SigStorageRegistry: "registry.k8s.io/sig-storage", + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate GcAuthenticatedRegistry. + GcAuthenticatedRegistry: "gcr.io/authenticated-image-pulling", + PromoterE2eRegistry: "registry.k8s.io/e2e-test-images", + BuildImageRegistry: "registry.k8s.io/build-image", + InvalidRegistry: "invalid.registry.k8s.io/invalid", + GcEtcdRegistry: "registry.k8s.io", + GcRegistry: "registry.k8s.io", + SigStorageRegistry: "registry.k8s.io/sig-storage", + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate PrivateRegistry. PrivateRegistry: "gcr.io/k8s-authenticated-test", DockerLibraryRegistry: "docker.io/library", CloudProviderGcpRegistry: "registry.k8s.io/cloud-provider-gcp", @@ -152,15 +156,17 @@ const ( // Agnhost image Agnhost // AgnhostPrivate image + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate this. AgnhostPrivate // APIServer image APIServer // AppArmorLoader image AppArmorLoader // AuthenticatedAlpine image + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate this. AuthenticatedAlpine - // AuthenticatedWindowsNanoServer image - AuthenticatedWindowsNanoServer // BusyBox image BusyBox // DistrolessIptables Image 
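Review bot: Removing `AuthenticatedWindowsNanoServer` from the middle of the ImageID const block breaks any code outside this tree that imports the package and names that identifier. If the block is iota-based (its first entry is outside the hunk), every ID declared after it also shifts by one. The shift is harmless for in-process map keys but matters if numeric ImageID values are ever logged, stored or compared across versions. If compatibility matters, keeping the name with a comment such as `// Deprecated: no longer backed by an image; will be removed.` avoids both effects. The const block starts and ends outside the hunk.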
@@ -219,11 +225,10 @@ func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config configs[Agnhost] = Config{list.PromoterE2eRegistry, "agnhost", "2.53"} configs[AgnhostPrivate] = Config{list.PrivateRegistry, "agnhost", "2.6"} configs[AuthenticatedAlpine] = Config{list.GcAuthenticatedRegistry, "alpine", "3.7"} - configs[AuthenticatedWindowsNanoServer] = Config{list.GcAuthenticatedRegistry, "windows-nanoserver", "v1"} configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.29.2"} configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"} configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.36.1-1"} - configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.6.11"} + configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.6.12"} configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.5.16-0"} configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"} configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"} @@ -270,7 +275,7 @@ func GetMappedImageConfigs(originalImageConfigs map[ImageID]Config, repo string) for i, config := range originalImageConfigs { switch i { case InvalidRegistryImage, AuthenticatedAlpine, - AuthenticatedWindowsNanoServer, AgnhostPrivate: + AgnhostPrivate: // These images are special and can't be run out of the cloud - some because they // are authenticated, and others because they are not real images. Tests that depend // on these images can't be run without access to the public internet. diff --git a/etcd/go.mod b/etcd/go.mod index 91689cde42..811ca776bf 100644 --- a/etcd/go.mod +++ b/etcd/go.mod 
@@ -15,11 +15,11 @@ require ( github.com/openshift/build-machinery-go v0.0.0-20250602125535-1b6d00b8c37c github.com/spf13/cobra v1.8.1 go.etcd.io/etcd/server/v3 v3.5.16 - k8s.io/apimachinery v1.32.7 - k8s.io/cli-runtime v1.32.7 - k8s.io/component-base v1.32.7 + k8s.io/apimachinery v1.32.8 + k8s.io/cli-runtime v1.32.8 + k8s.io/component-base v1.32.8 k8s.io/klog/v2 v2.130.1 - k8s.io/kubectl v1.32.7 + k8s.io/kubectl v1.32.8 sigs.k8s.io/yaml v1.4.0 ) @@ -43,7 +43,7 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect - k8s.io/apiserver v1.32.7 // indirect + k8s.io/apiserver v1.32.8 // indirect ) require ( @@ -132,8 +132,8 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v1.32.7 // indirect - k8s.io/client-go v1.32.7 // indirect + k8s.io/api v1.32.8 // indirect + k8s.io/client-go v1.32.8 // indirect k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect diff --git a/etcd/vendor/modules.txt b/etcd/vendor/modules.txt index ade22af168..0d46fa4536 100644 --- a/etcd/vendor/modules.txt +++ b/etcd/vendor/modules.txt @@ -631,7 +631,7 @@ gopkg.in/natefinch/lumberjack.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v1.32.7 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/api +# k8s.io/api v1.32.8 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/api ## explicit; go 1.23.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 
@@ -692,7 +692,7 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apimachinery v1.32.7 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apimachinery +# k8s.io/apimachinery v1.32.8 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apimachinery ## explicit; go 1.23.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -754,18 +754,18 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v1.32.7 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver +# k8s.io/apiserver v1.32.8 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver ## explicit; go 1.23.0 k8s.io/apiserver/pkg/apis/audit k8s.io/apiserver/pkg/apis/audit/v1 k8s.io/apiserver/pkg/authentication/user -# k8s.io/cli-runtime v1.32.7 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/cli-runtime +# k8s.io/cli-runtime v1.32.8 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/cli-runtime ## explicit; go 1.23.0 k8s.io/cli-runtime/pkg/genericclioptions k8s.io/cli-runtime/pkg/genericiooptions k8s.io/cli-runtime/pkg/printers k8s.io/cli-runtime/pkg/resource -# k8s.io/client-go v1.32.7 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go +# k8s.io/client-go v1.32.8 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go ## explicit; go 1.23.0 k8s.io/client-go/applyconfigurations/admissionregistration/v1 k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1 
@@ -924,7 +924,7 @@ k8s.io/client-go/util/jsonpath k8s.io/client-go/util/keyutil k8s.io/client-go/util/watchlist k8s.io/client-go/util/workqueue -# k8s.io/component-base v1.32.7 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-base +# k8s.io/component-base v1.32.8 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-base ## explicit; go 1.23.0 k8s.io/component-base/cli k8s.io/component-base/cli/flag @@ -961,7 +961,7 @@ k8s.io/kube-openapi/pkg/spec3 k8s.io/kube-openapi/pkg/util/proto k8s.io/kube-openapi/pkg/util/proto/validation k8s.io/kube-openapi/pkg/validation/spec -# k8s.io/kubectl v1.32.7 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubectl +# k8s.io/kubectl v1.32.8 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubectl ## explicit; go 1.23.0 k8s.io/kubectl/pkg/cmd/util k8s.io/kubectl/pkg/scheme diff --git a/go.mod b/go.mod index 410eedfef2..149af75cbc 100644 --- a/go.mod +++ b/go.mod @@ -38,16 +38,16 @@ require ( github.com/prometheus/common v0.62.0 github.com/prometheus/prometheus v0.302.1 gopkg.in/yaml.v2 v2.4.0 - k8s.io/api v1.32.7 - k8s.io/apiextensions-apiserver v1.32.7 - k8s.io/apimachinery v1.32.7 - k8s.io/apiserver v1.32.7 - k8s.io/cli-runtime v1.32.7 - k8s.io/client-go v1.32.7 - k8s.io/cloud-provider v1.32.7 - k8s.io/component-base v1.32.7 - k8s.io/kube-aggregator v1.32.7 - k8s.io/kubectl v1.32.7 + k8s.io/api v1.32.8 + k8s.io/apiextensions-apiserver v1.32.8 + k8s.io/apimachinery v1.32.8 + k8s.io/apiserver v1.32.8 + k8s.io/cli-runtime v1.32.8 + k8s.io/client-go v1.32.8 + k8s.io/cloud-provider v1.32.8 + k8s.io/component-base v1.32.8 + k8s.io/kube-aggregator v1.32.8 + k8s.io/kubectl v1.32.8 k8s.io/utils v0.0.0-20241210054802-24370beab758 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 sigs.k8s.io/kustomize/api v0.18.0 
@@ -146,22 +146,22 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect - k8s.io/cluster-bootstrap v1.32.7 // indirect - k8s.io/component-helpers v1.32.7 // indirect - k8s.io/controller-manager v1.32.7 // indirect - k8s.io/cri-api v1.32.7 // indirect - k8s.io/cri-client v1.32.7 // indirect - k8s.io/csi-translation-lib v1.32.7 // indirect - k8s.io/dynamic-resource-allocation v1.32.7 // indirect - k8s.io/endpointslice v1.32.7 // indirect - k8s.io/externaljwt v1.32.7 // indirect - k8s.io/kms v1.32.7 // indirect - k8s.io/kube-controller-manager v1.32.7 // indirect - k8s.io/kube-scheduler v1.32.7 // indirect - k8s.io/kubelet v1.32.7 // indirect - k8s.io/metrics v1.32.7 // indirect - k8s.io/mount-utils v1.32.7 // indirect - k8s.io/pod-security-admission v1.32.7 // indirect + k8s.io/cluster-bootstrap v1.32.8 // indirect + k8s.io/component-helpers v1.32.8 // indirect + k8s.io/controller-manager v1.32.8 // indirect + k8s.io/cri-api v1.32.8 // indirect + k8s.io/cri-client v1.32.8 // indirect + k8s.io/csi-translation-lib v1.32.8 // indirect + k8s.io/dynamic-resource-allocation v1.32.8 // indirect + k8s.io/endpointslice v1.32.8 // indirect + k8s.io/externaljwt v1.32.8 // indirect + k8s.io/kms v1.32.8 // indirect + k8s.io/kube-controller-manager v1.32.8 // indirect + k8s.io/kube-scheduler v1.32.8 // indirect + k8s.io/kubelet v1.32.8 // indirect + k8s.io/metrics v1.32.8 // indirect + k8s.io/mount-utils v1.32.8 // indirect + k8s.io/pod-security-admission v1.32.8 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect ) @@ -210,7 +210,7 @@ require ( google.golang.org/protobuf v1.36.4 // indirect k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 // indirect k8s.io/klog/v2 v2.130.1 - k8s.io/kubernetes v1.32.7 + k8s.io/kubernetes v1.32.8 sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect ) 
diff --git a/packaging/crio.conf.d/10-microshift_amd64.conf b/packaging/crio.conf.d/10-microshift_amd64.conf
index e524cc104d..46236bd026 100644
--- a/packaging/crio.conf.d/10-microshift_amd64.conf
+++ b/packaging/crio.conf.d/10-microshift_amd64.conf
@@ -24,6 +24,6 @@ plugin_dirs = [
 # for community builds on top of OKD, this setting has no effect
 [crio.image]
 global_auth_file="/etc/crio/openshift-pull-secret"
-pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2bcd811bc8d32af1df2ac7b3daf96a94b75f18da3acf9a43bf15fe6b32259dbf"
+pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:696bcf0b046c5d2fa8e9a92055366f7fde226a9b782ceeb6bc8994d410cc534e"
 pause_image_auth_file = "/etc/crio/openshift-pull-secret"
 pause_command = "/usr/bin/pod"
diff --git a/scripts/auto-rebase/changelog.txt b/scripts/auto-rebase/changelog.txt
index 58a9eeab66..e48c599a56 100644
--- a/scripts/auto-rebase/changelog.txt
+++ b/scripts/auto-rebase/changelog.txt
@@ -1,130 +1,20 @@ -- api embedded-component 97812373b6b447ff6b55d3e2625b4f62aff1a16f to 1c614f54419fa23266ae2f6660b9034893749079 - - bcdc61a8 2025-08-19T11:17:14-04:00 MachineOSConfig name should match MachineConfigPool - - 108cd61b 2025-08-12T14:07:14Z Update crd-schema.json to release 1.33 branch +- cluster-kube-apiserver-operator embedded-component e2ad6c193a3a0ee71a2bd128d5a4692ad8a6776a to f9683e5669a03f0b93cf555d2942a04f3a2c5912 + - 47fb4aa 2025-08-20T09:34:13+00:00 certrotation: ensure that all rotated secrets/configmaps have RefreshOnlyWhenExpired set + - 7f8eb29 2025-08-14T05:28:52+00:00 certrotationcontroller: extend node-system-admin-signer lifetime -- cluster-network-operator embedded-component f17bb7a589e7a9516c35aa0a3bd1bbc55f071ebd to bc62016ccc39a66406caf5110ac7140f285fb264 - - e2ba945 2025-08-21T11:19:06Z Allow overriding OVN-Kubernetes configuration - - fd0e7e9 2025-08-14T20:44:23Z Fix multus webhook match condition for spec changes - -- operator-framework-olm embedded-component 8bcf1556a550efa7bb380ec315c077cf29438695 to 5c83a8adfd3fb0a5b3f2f8a26d3d05eefd5ba9d0 - - cd2a2af8 2025-08-18T14:39:30-04:00 Upstream: : regenerate manifests - - 1b5a100e 2025-08-15T15:45:46-04:00 Upstream: 3580: add NetworkPolicy as a supported kind - - 1aa6bb51 2025-08-14T13:53:32-04:00 Upstream: : Add allow-all networkpolicy for openshift-operators namespace - - 36252801 2025-08-14T10:50:59-04:00 Upstream: 1675: Add NetworkPolicy as a supported kind - -- ovn-kubernetes image-amd64 e24389403dd961a14b6512e40cda7e3e5d0a4b20 to 1e27e7a22ddb5a30fe5ae7ccb8e1d3967bc645ec - - 2784783b 2025-08-18T14:02:52-07:00 add back the removed OCP hack from d/s merge - - b90abc54 2025-07-23T13:24:08+02:00 fix: skip gw IP check for DPU and improve gateway initialization readability - - 6c4bc78b 2025-07-23T08:56:24Z e2e: label RouteAdvertisement test cases & skip extended ones - - 45bf0b39 2025-07-23T10:53:18+02:00 Revert "e2e: Use ovnk allocator and reserve IPs" - - 5b5bc069 
2025-07-22T19:06:40+02:00 gateway: Refactor gateway initialization and DPU host handling - - d127877f 2025-07-22T15:53:32+01:00 build, vendor: consume ipamclaims v0.5.0-alpha - - 34b5a46c 2025-07-22T13:52:53Z e2e: test against L2 networks in VRF-Lite test cases - - e72e62b3 2025-07-22T13:12:33Z Remove unused portbinding code - - dfc14b4e 2025-07-22T10:22:05Z e2e: refactor podIPOfFamilyOnPrimaryNetwork into more reusable code - - 5ece8463 2025-07-22T10:22:05Z e2e: add VRF-Lite test cases - - edb05ca1 2025-07-22T10:22:05Z kind.sh: Use FRRConfiguration label when advertising default network - - 926ba1ad 2025-07-22T10:22:05Z e2e: use index in kind infra inspect templates to allow special characters - - acef39f4 2025-07-22T10:22:05Z e2e: make ExtPort not required in container infra provider API - - 3dea4f52 2025-07-22T10:22:05Z e2e: add RuntimeArgs to container infra provider API - - 90e56b92 2025-07-22T10:22:05Z e2e: rename testdata package to testscenario - - dc437b63 2025-07-22T10:22:05Z RouteAdvertisements: appropriately update status even if no updates - - b4eabd9c 2025-07-21T19:04:23Z Bump the go_modules group across 2 directories with 1 update - - fa12bb26 2025-07-21T12:09:59-04:00 Bump fedora from 41 -> 42 - - d565fd86 2025-07-21T14:41:46+05:30 Add e2e tests for ex gw pods in terminating or not ready state - - d942a7d8 2025-07-21T14:41:46+05:30 Add unit tests for ex gw pods in terminating or not ready state - - 3d32558b 2025-07-21T14:41:44+05:30 Remove routes of ex gw pods in terminating or not ready state - - ec378a7b 2025-07-18T17:56:44Z Bump golang.org/x/oauth2 - - 293f6dda 2025-07-18T16:57:43Z ci: run tests only if files other than docs are changed - - 527c19fc 2025-07-18T18:08:55+02:00 Add support for --disable-requestedchassis flag in ovnkube controller - - 290eb038 2025-07-18T09:42:17-04:00 Add metrics for UDN - - 33e20b83 2025-07-18T11:16:38+02:00 [bridgeconfig] AI suggested fixes. 
- - f531e3d3 2025-07-18T11:16:38+02:00 [node/gateway] make PatchedNetConfigs internal, remove locking - - fd5e7915 2025-07-18T11:16:38+02:00 [node/gateway] nodePortWatcher should use its own bridgeConfiguration. - - a0c90f26 2025-07-18T11:16:38+02:00 [bridgeconfig] make mutex internal. - - fa6076bc 2025-07-18T11:16:38+02:00 [bridgeconfig] move nextHops to the gateway where it is used. - - 4ad1727c 2025-07-18T11:16:38+02:00 [bridgeconfig] make most members internal, ensure correct locking. - - 5a5e3b6d 2025-07-18T11:16:38+02:00 [bridgeconfig] move flow generation locking into methods. - - 28f9c1ec 2025-07-18T11:16:38+02:00 [bridgeconfig] move bridge flows generation functions to the pkg. - - b607e93d 2025-07-18T11:16:38+02:00 [bridgeconfig] add some getters/setters with lock to the pkg. - - 836e0f64 2025-07-18T11:16:38+02:00 [bridgeconfig] move setBridgeOfPorts to the package. - - cf93ef30 2025-07-18T11:16:38+02:00 [bridgeconfig] start moving methods that use internal mutex to the pkg - - a4d421a3 2025-07-18T11:16:37+02:00 [bridgeconfig] simply move functions around, no change - - 3b073327 2025-07-18T11:16:37+02:00 [bridgeconfig] only create BridgeConfigurations inside the package. - - 420d9f1c 2025-07-18T11:16:37+02:00 [bridgeconfig] make mutex a public field to turn it into internal later - - b65a01ef 2025-07-18T11:16:37+02:00 [node/bridgeconfig] move [udn]bridgeconfig to ite own package. - - f1a4b4b0 2025-07-18T11:16:24+02:00 [node/egressipgw] Move egressIP functionality to its own package. 
- - 956981a0 2025-07-18T10:24:09+02:00 kv, e2e: Use PrimaryNetwork() - - 115b25a3 2025-07-18T10:24:09+02:00 e2e: Move http servers to external container - - ae5b6387 2025-07-18T10:24:09+02:00 e2e: Move underlay setup to providers - - 1870116b 2025-07-18T10:24:09+02:00 e2e, kv: Use bgpnet for external container network - - 9fed90c7 2025-07-18T10:24:09+02:00 e2e: Use ovnk allocator and reserve IPs - - f1c76a61 2025-07-18T10:24:09+02:00 e2e, kv: Increase network status timeout - - 7c1de13e 2025-07-18T10:24:09+02:00 e2e: Remove harcoded breth0 - - 318782be 2025-07-18T10:24:09+02:00 kv, e2e: Use the ExternalContainer struct instead of name - - b60dbcd9 2025-07-18T10:24:09+02:00 kv, e2e: ensure there is no dots at podtest name - - a0101b56 2025-07-18T10:24:07+02:00 kv, e2e: Download virtctl at tests - - 098a3aa7 2025-06-27T14:15:27+02:00 Fix UDN nftables mark chain cleanup - -- ovn-kubernetes image-arm64 e24389403dd961a14b6512e40cda7e3e5d0a4b20 to 1e27e7a22ddb5a30fe5ae7ccb8e1d3967bc645ec - - 2784783b 2025-08-18T14:02:52-07:00 add back the removed OCP hack from d/s merge - - b90abc54 2025-07-23T13:24:08+02:00 fix: skip gw IP check for DPU and improve gateway initialization readability - - 6c4bc78b 2025-07-23T08:56:24Z e2e: label RouteAdvertisement test cases & skip extended ones - - 45bf0b39 2025-07-23T10:53:18+02:00 Revert "e2e: Use ovnk allocator and reserve IPs" - - 5b5bc069 2025-07-22T19:06:40+02:00 gateway: Refactor gateway initialization and DPU host handling - - d127877f 2025-07-22T15:53:32+01:00 build, vendor: consume ipamclaims v0.5.0-alpha - - 34b5a46c 2025-07-22T13:52:53Z e2e: test against L2 networks in VRF-Lite test cases - - e72e62b3 2025-07-22T13:12:33Z Remove unused portbinding code - - dfc14b4e 2025-07-22T10:22:05Z e2e: refactor podIPOfFamilyOnPrimaryNetwork into more reusable code - - 5ece8463 2025-07-22T10:22:05Z e2e: add VRF-Lite test cases - - edb05ca1 2025-07-22T10:22:05Z kind.sh: Use FRRConfiguration label when advertising default network - - 
926ba1ad 2025-07-22T10:22:05Z e2e: use index in kind infra inspect templates to allow special characters - - acef39f4 2025-07-22T10:22:05Z e2e: make ExtPort not required in container infra provider API - - 3dea4f52 2025-07-22T10:22:05Z e2e: add RuntimeArgs to container infra provider API - - 90e56b92 2025-07-22T10:22:05Z e2e: rename testdata package to testscenario - - dc437b63 2025-07-22T10:22:05Z RouteAdvertisements: appropriately update status even if no updates - - b4eabd9c 2025-07-21T19:04:23Z Bump the go_modules group across 2 directories with 1 update - - fa12bb26 2025-07-21T12:09:59-04:00 Bump fedora from 41 -> 42 - - d565fd86 2025-07-21T14:41:46+05:30 Add e2e tests for ex gw pods in terminating or not ready state - - d942a7d8 2025-07-21T14:41:46+05:30 Add unit tests for ex gw pods in terminating or not ready state - - 3d32558b 2025-07-21T14:41:44+05:30 Remove routes of ex gw pods in terminating or not ready state - - ec378a7b 2025-07-18T17:56:44Z Bump golang.org/x/oauth2 - - 293f6dda 2025-07-18T16:57:43Z ci: run tests only if files other than docs are changed - - 527c19fc 2025-07-18T18:08:55+02:00 Add support for --disable-requestedchassis flag in ovnkube controller - - 290eb038 2025-07-18T09:42:17-04:00 Add metrics for UDN - - 33e20b83 2025-07-18T11:16:38+02:00 [bridgeconfig] AI suggested fixes. - - f531e3d3 2025-07-18T11:16:38+02:00 [node/gateway] make PatchedNetConfigs internal, remove locking - - fd5e7915 2025-07-18T11:16:38+02:00 [node/gateway] nodePortWatcher should use its own bridgeConfiguration. - - a0c90f26 2025-07-18T11:16:38+02:00 [bridgeconfig] make mutex internal. - - fa6076bc 2025-07-18T11:16:38+02:00 [bridgeconfig] move nextHops to the gateway where it is used. - - 4ad1727c 2025-07-18T11:16:38+02:00 [bridgeconfig] make most members internal, ensure correct locking. - - 5a5e3b6d 2025-07-18T11:16:38+02:00 [bridgeconfig] move flow generation locking into methods. 
- - 28f9c1ec 2025-07-18T11:16:38+02:00 [bridgeconfig] move bridge flows generation functions to the pkg. - - b607e93d 2025-07-18T11:16:38+02:00 [bridgeconfig] add some getters/setters with lock to the pkg. - - 836e0f64 2025-07-18T11:16:38+02:00 [bridgeconfig] move setBridgeOfPorts to the package. - - cf93ef30 2025-07-18T11:16:38+02:00 [bridgeconfig] start moving methods that use internal mutex to the pkg - - a4d421a3 2025-07-18T11:16:37+02:00 [bridgeconfig] simply move functions around, no change - - 3b073327 2025-07-18T11:16:37+02:00 [bridgeconfig] only create BridgeConfigurations inside the package. - - 420d9f1c 2025-07-18T11:16:37+02:00 [bridgeconfig] make mutex a public field to turn it into internal later - - b65a01ef 2025-07-18T11:16:37+02:00 [node/bridgeconfig] move [udn]bridgeconfig to ite own package. - - f1a4b4b0 2025-07-18T11:16:24+02:00 [node/egressipgw] Move egressIP functionality to its own package. - - 956981a0 2025-07-18T10:24:09+02:00 kv, e2e: Use PrimaryNetwork() - - 115b25a3 2025-07-18T10:24:09+02:00 e2e: Move http servers to external container - - ae5b6387 2025-07-18T10:24:09+02:00 e2e: Move underlay setup to providers - - 1870116b 2025-07-18T10:24:09+02:00 e2e, kv: Use bgpnet for external container network - - 9fed90c7 2025-07-18T10:24:09+02:00 e2e: Use ovnk allocator and reserve IPs - - f1c76a61 2025-07-18T10:24:09+02:00 e2e, kv: Increase network status timeout - - 7c1de13e 2025-07-18T10:24:09+02:00 e2e: Remove harcoded breth0 - - 318782be 2025-07-18T10:24:09+02:00 kv, e2e: Use the ExternalContainer struct instead of name - - b60dbcd9 2025-07-18T10:24:09+02:00 kv, e2e: ensure there is no dots at podtest name - - a0101b56 2025-07-18T10:24:07+02:00 kv, e2e: Download virtctl at tests - - 098a3aa7 2025-06-27T14:15:27+02:00 Fix UDN nftables mark chain cleanup +- kubernetes embedded-component 97b7f2e2ecbbf844812a7158086030bfff2bd324 to 2f14046818a7ff3ae3e9da76376991698d7188f1 + - 558b4826c 2025-08-25T09:51:25-04:00 UPSTREAM: : hack/update-vendor.sh, 
make update and update image + - 2e83bc4bf 2025-08-13T14:21:20+00:00 Release commit for Kubernetes v1.32.8 + - 21b02fabc 2025-08-10T15:09:08-07:00 do not allow the node to update it's owner reference + - e497bc6fe 2025-07-28T16:35:24-07:00 remove failing test that depends on expired credential, remove credential, add TODOs + - a1bc55e31 2025-07-15T18:23:11+00:00 Update CHANGELOG/CHANGELOG-1.32.md for v1.32.7 + - cb4682131 2025-07-11T20:39:18+02:00 Bump images, dependencies and versions to go 1.23.11 and distroless iptables -- kubernetes image-arm64 97b7f2e2ecbbf844812a7158086030bfff2bd324 to 2f14046818a7ff3ae3e9da76376991698d7188f1 +- kubernetes image-amd64 97b7f2e2ecbbf844812a7158086030bfff2bd324 to 2f14046818a7ff3ae3e9da76376991698d7188f1 - 558b4826c 2025-08-25T09:51:25-04:00 UPSTREAM: : hack/update-vendor.sh, make update and update image - - 2e83bc4bf 2025-08-13T14:21:20Z Release commit for Kubernetes v1.32.8 + - 2e83bc4bf 2025-08-13T14:21:20+00:00 Release commit for Kubernetes v1.32.8 - 21b02fabc 2025-08-10T15:09:08-07:00 do not allow the node to update it's owner reference - e497bc6fe 2025-07-28T16:35:24-07:00 remove failing test that depends on expired credential, remove credential, add TODOs - - a1bc55e31 2025-07-15T18:23:11Z Update CHANGELOG/CHANGELOG-1.32.md for v1.32.7 + - a1bc55e31 2025-07-15T18:23:11+00:00 Update CHANGELOG/CHANGELOG-1.32.md for v1.32.7 - cb4682131 2025-07-11T20:39:18+02:00 Bump images, dependencies and versions to go 1.23.11 and distroless iptables diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt index 32c2144a01..e3fd4b1678 100644 --- a/scripts/auto-rebase/commits.txt +++ b/scripts/auto-rebase/commits.txt 
@@ -2,7 +2,7 @@ https://github.com/openshift/api embedded-component 1c614f54419fa23266ae2f6660b9 https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component cf99de974354133f853928cff9e19ad19c5347d9 https://github.com/openshift/cluster-dns-operator embedded-component 659813065170f4e52f80b7a29bbab64bfa9aa172 https://github.com/openshift/cluster-ingress-operator embedded-component ddd78734833eb45f2cd5fba677fe50e4ae9f063b -https://github.com/openshift/cluster-kube-apiserver-operator embedded-component e2ad6c193a3a0ee71a2bd128d5a4692ad8a6776a +https://github.com/openshift/cluster-kube-apiserver-operator embedded-component f9683e5669a03f0b93cf555d2942a04f3a2c5912 https://github.com/openshift/cluster-kube-controller-manager-operator embedded-component 3dfbb67635ce056fd55c360937be9868a3cf8ad5 https://github.com/openshift/cluster-kube-scheduler-operator embedded-component 8740a60de76690a17d5081db078eb93dfdb7a066 https://github.com/openshift/cluster-network-operator embedded-component bc62016ccc39a66406caf5110ac7140f285fb264 
@@ -10,7 +10,7 @@ https://github.com/openshift/cluster-openshift-controller-manager-operator embed https://github.com/openshift/cluster-policy-controller embedded-component 748524784686a5f397490563882cbfb88f9acd01 https://github.com/openshift/csi-external-snapshotter embedded-component ac82cafc95b301f67f46ee0db93720d55177a19b https://github.com/openshift/etcd embedded-component a5421dfe551a2e9c911a75062a4cdeb7473f5c26 -https://github.com/openshift/kubernetes embedded-component 97b7f2e2ecbbf844812a7158086030bfff2bd324 +https://github.com/openshift/kubernetes embedded-component 2f14046818a7ff3ae3e9da76376991698d7188f1 https://github.com/openshift/kubernetes-kube-storage-version-migrator embedded-component fdef30c84b3d45ede364500984221c3f492b1415 https://github.com/openshift/machine-config-operator embedded-component 366ecc0d61006b46a8e05cddb8dfffd5e347a09b https://github.com/openshift/openshift-controller-manager embedded-component a672407574befa9faf6a56078d6852229701f8c6 @@ -23,7 +23,7 @@ https://github.com/openshift/csi-external-snapshotter image-amd64 ac82cafc95b301 https://github.com/openshift/router image-amd64 b41f9d05467fb7b3f6c2dafa6ac4b5e25164c0b6 https://github.com/openshift/kube-rbac-proxy image-amd64 591277560f328601273f88f2881e09ccccd90a97 https://github.com/openshift/ovn-kubernetes image-amd64 1e27e7a22ddb5a30fe5ae7ccb8e1d3967bc645ec -https://github.com/openshift/kubernetes image-amd64 97b7f2e2ecbbf844812a7158086030bfff2bd324 +https://github.com/openshift/kubernetes image-amd64 2f14046818a7ff3ae3e9da76376991698d7188f1 https://github.com/openshift/service-ca-operator image-amd64 4dfa6916f984d0fd7188380edc88b250738f07f7 https://github.com/openshift/oc image-arm64 298429ba9831d1d72b89edd9beb82a6ee665c3b7 https://github.com/openshift/coredns image-arm64 4f64931403bf747b78bccb40ad877b08da534e23 diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh index e2e0b3fba7..2687e6bec3 100755 --- a/scripts/auto-rebase/last_rebase.sh 
+++ b/scripts/auto-rebase/last_rebase.sh @@ -1,2 +1,2 @@ #!/bin/bash -x -./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release:4.19.0-0.nightly-2025-08-25-155239" "registry.ci.openshift.org/ocp-arm64/release-arm64:4.19.0-0.nightly-arm64-2025-08-27-171348" +./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release:4.19.0-0.nightly-2025-08-28-080135" "registry.ci.openshift.org/ocp-arm64/release-arm64:4.19.0-0.nightly-arm64-2025-08-30-002356" diff --git a/scripts/multinode/configure-sec.sh b/scripts/multinode/configure-sec.sh index 871f0b8360..8ad1728a13 100755 --- a/scripts/multinode/configure-sec.sh +++ b/scripts/multinode/configure-sec.sh @@ -77,10 +77,10 @@ function configure_kubelet() { # Checksums can be obtained from https://www.downloadkubernetes.com/ # or by downloading a "${url}.sha256" file (see below for ${url}). For example: - # version=v1.32.7; for kube_arch in amd64 arm64; do echo "${kube_arch}: $(curl -L https://dl.k8s.io/release/${version}/bin/linux/${kube_arch}/kubelet.sha256 2>/dev/null)"; done - local -r version="v1.32.7" - local -r kube_hash_amd64="7ab96898436475640cbd416b2446f33aba1c2cb62dae876302ff7775d850041c" - local -r kube_hash_arm64="b862a8d550875924c8abed6c15ba22564f7e232c239aa6a2e88caf069a0ab548" + # version=v1.32.8; for kube_arch in amd64 arm64; do echo "${kube_arch}: $(curl -L https://dl.k8s.io/release/${version}/bin/linux/${kube_arch}/kubelet.sha256 2>/dev/null)"; done + local -r version="v1.32.8" + local -r kube_hash_amd64="7dfca4da9cdf592c0f70800e09fb42553765bc0951cade3d6e0c571daf3f23ee" + local -r kube_hash_arm64="d5527714fac08eac4c1ddcbd8a3c6db35f3acd335d43360219d733273b672cce" local kube_arch="" local kube_hash="" diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/podresources/server_v1.go b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/podresources/server_v1.go index 7d10449ad1..30caf3352f 100644 --- a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/podresources/server_v1.go 
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/podresources/server_v1.go @@ -22,6 +22,7 @@ import ( v1 "k8s.io/api/core/v1" utilfeature "k8s.io/apiserver/pkg/util/feature" + "k8s.io/klog/v2" podutil "k8s.io/kubernetes/pkg/api/v1/pod" kubefeatures "k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/kubelet/metrics" @@ -36,17 +37,21 @@ type v1PodResourcesServer struct { cpusProvider CPUsProvider memoryProvider MemoryProvider dynamicResourcesProvider DynamicResourcesProvider + useActivePods bool } // NewV1PodResourcesServer returns a PodResourcesListerServer which lists pods provided by the PodsProvider // with device information provided by the DevicesProvider func NewV1PodResourcesServer(providers PodResourcesProviders) podresourcesv1.PodResourcesListerServer { + useActivePods := true + klog.InfoS("podresources", "method", "list", "useActivePods", useActivePods) return &v1PodResourcesServer{ podsProvider: providers.Pods, devicesProvider: providers.Devices, cpusProvider: providers.Cpus, memoryProvider: providers.Memory, dynamicResourcesProvider: providers.DynamicResources, + useActivePods: useActivePods, } } @@ -55,7 +60,13 @@ func (p *v1PodResourcesServer) List(ctx context.Context, req *podresourcesv1.Lis metrics.PodResourcesEndpointRequestsTotalCount.WithLabelValues("v1").Inc() metrics.PodResourcesEndpointRequestsListCount.WithLabelValues("v1").Inc() - pods := p.podsProvider.GetPods() + var pods []*v1.Pod + if p.useActivePods { + pods = p.podsProvider.GetActivePods() + } else { + pods = p.podsProvider.GetPods() + } + podResources := make([]*podresourcesv1.PodResources, len(pods)) p.devicesProvider.UpdateAllocatedDevices() diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/podresources/types.go b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/podresources/types.go index ee1269d969..66d7c6cfda 100644 --- a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/podresources/types.go +++ b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/podresources/types.go 
@@ -34,6 +34,7 @@ type DevicesProvider interface { // PodsProvider knows how to provide the pods admitted by the node type PodsProvider interface { + GetActivePods() []*v1.Pod GetPods() []*v1.Pod GetPodByName(namespace, name string) (*v1.Pod, bool) } diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/kubelet.go b/vendor/k8s.io/kubernetes/pkg/kubelet/kubelet.go index f20ad4759f..46fa9d8779 100644 --- a/vendor/k8s.io/kubernetes/pkg/kubelet/kubelet.go +++ b/vendor/k8s.io/kubernetes/pkg/kubelet/kubelet.go @@ -3058,6 +3058,22 @@ func (kl *Kubelet) ListenAndServeReadOnly(address net.IP, port uint, tp trace.Tr server.ListenAndServeKubeletReadOnlyServer(kl, kl.resourceAnalyzer, kl.containerManager.GetHealthCheckers(), address, port, tp) } +type kubeletPodsProvider struct { + kl *Kubelet +} + +func (pp *kubeletPodsProvider) GetActivePods() []*v1.Pod { + return pp.kl.GetActivePods() +} + +func (pp *kubeletPodsProvider) GetPods() []*v1.Pod { + return pp.kl.podManager.GetPods() +} + +func (pp *kubeletPodsProvider) GetPodByName(namespace, name string) (*v1.Pod, bool) { + return pp.kl.podManager.GetPodByName(namespace, name) +} + // ListenAndServePodResources runs the kubelet podresources grpc service func (kl *Kubelet) ListenAndServePodResources() { endpoint, err := util.LocalEndpoint(kl.getPodResourcesDir(), podresources.Socket) @@ -3067,7 +3083,7 @@ func (kl *Kubelet) ListenAndServePodResources() { } providers := podresources.PodResourcesProviders{ - Pods: kl.podManager, + Pods: &kubeletPodsProvider{kl: kl}, Devices: kl.containerManager, Cpus: kl.containerManager, Memory: kl.containerManager, diff --git a/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/admission.go b/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/admission.go index 419de31a99..1163f6bc20 100644 --- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/admission.go +++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/admission.go 
@@ -518,6 +518,11 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error { return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify taints", nodeName)) } + // Don't allow a node to update its own ownerReferences. + if !apiequality.Semantic.DeepEqual(node.OwnerReferences, oldNode.OwnerReferences) { + return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify ownerReferences", nodeName)) + } + // Don't allow a node to update labels outside the allowed set. // This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself. modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels) diff --git a/vendor/modules.txt b/vendor/modules.txt index b54dc3b3d0..8c8416d9d8 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1163,7 +1163,7 @@ gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/api +# k8s.io/api v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/api ## explicit; go 1.23.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -1224,7 +1224,7 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apiextensions-apiserver v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiextensions-apiserver +# k8s.io/apiextensions-apiserver v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiextensions-apiserver ## explicit; go 1.23.0 k8s.io/apiextensions-apiserver/pkg/apihelpers k8s.io/apiextensions-apiserver/pkg/apis/apiextensions 
@@ -1271,7 +1271,7 @@ k8s.io/apiextensions-apiserver/pkg/generated/openapi k8s.io/apiextensions-apiserver/pkg/registry/customresource k8s.io/apiextensions-apiserver/pkg/registry/customresource/tableconvertor k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition -# k8s.io/apimachinery v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apimachinery +# k8s.io/apimachinery v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apimachinery ## explicit; go 1.23.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -1343,7 +1343,7 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver +# k8s.io/apiserver v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver ## explicit; go 1.23.0 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/configuration 
@@ -1524,13 +1524,13 @@ k8s.io/apiserver/plugin/pkg/authenticator/token/oidc k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics -# k8s.io/cli-runtime v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cli-runtime +# k8s.io/cli-runtime v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cli-runtime ## explicit; go 1.23.0 k8s.io/cli-runtime/pkg/genericclioptions k8s.io/cli-runtime/pkg/genericiooptions k8s.io/cli-runtime/pkg/printers k8s.io/cli-runtime/pkg/resource -# k8s.io/client-go v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go +# k8s.io/client-go v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go ## explicit; go 1.23.0 k8s.io/client-go/applyconfigurations k8s.io/client-go/applyconfigurations/admissionregistration/v1 @@ -1894,7 +1894,7 @@ k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/watchlist k8s.io/client-go/util/workqueue -# k8s.io/cloud-provider v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cloud-provider +# k8s.io/cloud-provider v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cloud-provider ## explicit; go 1.23.0 k8s.io/cloud-provider k8s.io/cloud-provider/api 
@@ -1913,14 +1913,14 @@ k8s.io/cloud-provider/service/helpers k8s.io/cloud-provider/volume k8s.io/cloud-provider/volume/errors k8s.io/cloud-provider/volume/helpers -# k8s.io/cluster-bootstrap v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cluster-bootstrap +# k8s.io/cluster-bootstrap v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cluster-bootstrap ## explicit; go 1.23.0 k8s.io/cluster-bootstrap/token/api k8s.io/cluster-bootstrap/token/jws k8s.io/cluster-bootstrap/token/util k8s.io/cluster-bootstrap/util/secrets k8s.io/cluster-bootstrap/util/tokens -# k8s.io/component-base v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-base +# k8s.io/component-base v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-base ## explicit; go 1.23.0 k8s.io/component-base/cli k8s.io/component-base/cli/flag @@ -1957,7 +1957,7 @@ k8s.io/component-base/version/verflag k8s.io/component-base/zpages/features k8s.io/component-base/zpages/flagz k8s.io/component-base/zpages/statusz -# k8s.io/component-helpers v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-helpers +# k8s.io/component-helpers v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-helpers ## explicit; go 1.23.0 k8s.io/component-helpers/apimachinery/lease k8s.io/component-helpers/apps/poddisruptionbudget @@ -1971,7 +1971,7 @@ k8s.io/component-helpers/scheduling/corev1 k8s.io/component-helpers/scheduling/corev1/nodeaffinity k8s.io/component-helpers/storage/ephemeral k8s.io/component-helpers/storage/volume -# k8s.io/controller-manager v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/controller-manager +# k8s.io/controller-manager v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/controller-manager ## explicit; go 1.23.0 k8s.io/controller-manager/app k8s.io/controller-manager/config 
@@ -1988,35 +1988,35 @@ k8s.io/controller-manager/pkg/informerfactory k8s.io/controller-manager/pkg/leadermigration k8s.io/controller-manager/pkg/leadermigration/config k8s.io/controller-manager/pkg/leadermigration/options -# k8s.io/cri-api v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cri-api +# k8s.io/cri-api v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cri-api ## explicit; go 1.23.0 k8s.io/cri-api/pkg/apis k8s.io/cri-api/pkg/apis/runtime/v1 k8s.io/cri-api/pkg/errors -# k8s.io/cri-client v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cri-client +# k8s.io/cri-client v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cri-client ## explicit; go 1.23.0 k8s.io/cri-client/pkg k8s.io/cri-client/pkg/internal k8s.io/cri-client/pkg/logs k8s.io/cri-client/pkg/util -# k8s.io/csi-translation-lib v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/csi-translation-lib +# k8s.io/csi-translation-lib v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/csi-translation-lib ## explicit; go 1.23.0 k8s.io/csi-translation-lib k8s.io/csi-translation-lib/plugins -# k8s.io/dynamic-resource-allocation v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/dynamic-resource-allocation +# k8s.io/dynamic-resource-allocation v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/dynamic-resource-allocation ## explicit; go 1.23.0 k8s.io/dynamic-resource-allocation/api k8s.io/dynamic-resource-allocation/cel k8s.io/dynamic-resource-allocation/resourceclaim k8s.io/dynamic-resource-allocation/structured -# k8s.io/endpointslice v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/endpointslice +# k8s.io/endpointslice v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/endpointslice ## explicit; go 1.23.0 k8s.io/endpointslice k8s.io/endpointslice/metrics k8s.io/endpointslice/topologycache k8s.io/endpointslice/trafficdist 
k8s.io/endpointslice/util -# k8s.io/externaljwt v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/externaljwt +# k8s.io/externaljwt v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/externaljwt ## explicit; go 1.23.0 k8s.io/externaljwt/apis/v1alpha1 # k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 @@ -2037,13 +2037,13 @@ k8s.io/klog/v2/internal/severity k8s.io/klog/v2/internal/sloghandler k8s.io/klog/v2/internal/verbosity k8s.io/klog/v2/textlogger -# k8s.io/kms v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kms +# k8s.io/kms v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kms ## explicit; go 1.23.0 k8s.io/kms/apis/v1beta1 k8s.io/kms/apis/v2 k8s.io/kms/pkg/service k8s.io/kms/pkg/util -# k8s.io/kube-aggregator v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-aggregator +# k8s.io/kube-aggregator v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-aggregator ## explicit; go 1.23.0 k8s.io/kube-aggregator/pkg/apis/apiregistration k8s.io/kube-aggregator/pkg/apis/apiregistration/install @@ -2076,7 +2076,7 @@ k8s.io/kube-aggregator/pkg/controllers/status/remote k8s.io/kube-aggregator/pkg/registry/apiservice k8s.io/kube-aggregator/pkg/registry/apiservice/etcd k8s.io/kube-aggregator/pkg/registry/apiservice/rest -# k8s.io/kube-controller-manager v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-controller-manager +# k8s.io/kube-controller-manager v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-controller-manager ## explicit; go 1.23.0 k8s.io/kube-controller-manager/config/v1alpha1 # k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f 
@@ -2109,11 +2109,11 @@ k8s.io/kube-openapi/pkg/validation/spec k8s.io/kube-openapi/pkg/validation/strfmt k8s.io/kube-openapi/pkg/validation/strfmt/bson k8s.io/kube-openapi/pkg/validation/validate -# k8s.io/kube-scheduler v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-scheduler +# k8s.io/kube-scheduler v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-scheduler ## explicit; go 1.23.0 k8s.io/kube-scheduler/config/v1 k8s.io/kube-scheduler/extender/v1 -# k8s.io/kubectl v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubectl +# k8s.io/kubectl v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubectl ## explicit; go 1.23.0 k8s.io/kubectl/pkg/apps k8s.io/kubectl/pkg/cmd/apiresources @@ -2148,7 +2148,7 @@ k8s.io/kubectl/pkg/util/storage k8s.io/kubectl/pkg/util/templates k8s.io/kubectl/pkg/util/term k8s.io/kubectl/pkg/validation -# k8s.io/kubelet v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubelet +# k8s.io/kubelet v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubelet ## explicit; go 1.23.0 k8s.io/kubelet/config/v1 k8s.io/kubelet/config/v1alpha1 @@ -2170,7 +2170,7 @@ k8s.io/kubelet/pkg/cri/streaming k8s.io/kubelet/pkg/cri/streaming/portforward k8s.io/kubelet/pkg/cri/streaming/remotecommand k8s.io/kubelet/pkg/types -# k8s.io/kubernetes v1.32.7 => ./deps/github.com/openshift/kubernetes +# k8s.io/kubernetes v1.32.8 => ./deps/github.com/openshift/kubernetes ## explicit; go 1.23.0 k8s.io/kubernetes/cmd/kube-apiserver/app k8s.io/kubernetes/cmd/kube-apiserver/app/options 
@@ -2990,7 +2990,7 @@ k8s.io/kubernetes/third_party/forked/gonum/graph/simple k8s.io/kubernetes/third_party/forked/gonum/graph/traverse k8s.io/kubernetes/third_party/forked/libcontainer/apparmor k8s.io/kubernetes/third_party/forked/libcontainer/utils -# k8s.io/metrics v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/metrics +# k8s.io/metrics v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/metrics ## explicit; go 1.23.0 k8s.io/metrics/pkg/apis/custom_metrics k8s.io/metrics/pkg/apis/custom_metrics/v1beta1 @@ -3005,10 +3005,10 @@ k8s.io/metrics/pkg/client/clientset/versioned/typed/metrics/v1beta1 k8s.io/metrics/pkg/client/custom_metrics k8s.io/metrics/pkg/client/custom_metrics/scheme k8s.io/metrics/pkg/client/external_metrics -# k8s.io/mount-utils v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/mount-utils +# k8s.io/mount-utils v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/mount-utils ## explicit; go 1.23.0 k8s.io/mount-utils -# k8s.io/pod-security-admission v1.32.7 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission +# k8s.io/pod-security-admission v1.32.8 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission ## explicit; go 1.23.0 k8s.io/pod-security-admission/admission k8s.io/pod-security-admission/admission/api