From e08aca77c0bc410d6969555461a49560f2864895 Mon Sep 17 00:00:00 2001
From: ci-robot
Date: Mon, 23 Feb 2026 04:14:19 +0000
Subject: [PATCH 01/11] update last_rebase.sh
---
 scripts/auto-rebase/last_rebase.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh
index adb2014869..b6473efb9a 100755
--- a/scripts/auto-rebase/last_rebase.sh
+++ b/scripts/auto-rebase/last_rebase.sh
@@ -1,2 +1,2 @@
 #!/bin/bash -x
-./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release:4.19.0-0.nightly-2026-02-13-223750" "registry.ci.openshift.org/ocp-arm64/release-arm64:4.19.0-0.nightly-arm64-2026-02-15-195328"
+./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release:4.19.0-0.nightly-2026-02-22-194444" "registry.ci.openshift.org/ocp-arm64/release-arm64:4.19.0-0.nightly-arm64-2026-02-22-231812"
From 52981004e818d7eff11cc11f088224c31c7788d5 Mon Sep 17 00:00:00 2001
From: ci-robot
Date: Mon, 23 Feb 2026 04:14:20 +0000
Subject: [PATCH 02/11] update changelog
---
 scripts/auto-rebase/changelog.txt | 110 +++++++++++++++++++++++------
 scripts/auto-rebase/commits.txt | 10 +--
 2 files changed, 89 insertions(+), 31 deletions(-)
diff --git a/scripts/auto-rebase/changelog.txt b/scripts/auto-rebase/changelog.txt
index d1e8e494ba..4b25c0b4b2 100644
--- a/scripts/auto-rebase/changelog.txt
+++ b/scripts/auto-rebase/changelog.txt
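Review bot: The added `rebase.sh to` line in last_rebase.sh identifies both release payloads by tag only (`…release:4.19.0-0.nightly-2026-02-22-194444` and the arm64 counterpart), and a registry tag can be re-pointed or pruned after this commit is recorded. rebase.sh is not visible here, so if it does not already resolve and log the image digests, consider recording each payload as `<repository>@sha256:<digest>` so the vendored tree in the later patches can be traced back to exactly one payload. As a style point on the unchanged shebang, the `-x` in `#!/bin/bash -x` is lost when the script is run as `bash last_rebase.sh`; a `set -x` line in the body keeps the trace in both cases.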
@@ -1,31 +1,89 @@ -- cluster-kube-apiserver-operator embedded-component 8ce34d695b2ee3a93e748cd039db7c238ffc9f12 to 4bbd3be9dfda4a08dca98648209151de2a869f25 - - 8047018 2025-11-05T16:34:26+00:00 Add priority field to prevent early shutdown +- kubernetes embedded-component 9d45edc58ca6d5240fc84d3d50eb7490aa683c16 to 346896bae752bb9def8cacca75fdc7f7dcae9496 + - 4591c3293 2026-02-17T13:52:33-05:00 UPSTREAM: : hack/update-vendor.sh, make update and update image + - 39350c63d 2026-02-10T12:54:39+00:00 Release commit for Kubernetes v1.32.12 + - 21615dafa 2026-01-30T11:13:36+01:00 Bump dependencies, images and versions used to Go 1.24.12 and distroless iptables + - 1d30ce5a0 2026-01-29T15:03:25-05:00 Apparently some EC2 images we use do not have /proc/net/nf_conntrack + - 168701dda 2026-01-29T15:03:25-05:00 test: cleanup from review + - 4a485a05a 2026-01-29T15:03:24-05:00 test: Fix KubeProxy CLOSE_WAIT test for IPv6 environments + - 78ace1048 2026-01-29T15:03:22-05:00 test: Read /proc/net/nf_conntrack instead of using conntrack binary + - eb7391688 2026-01-27T14:34:56+01:00 DRA scheduler: fix another root cause of double device allocation + - 6179b6db5 2026-01-27T14:34:56+01:00 DRA scheduler: fix one root cause of double device allocation + - a44152180 2026-01-20T16:01:41-08:00 kubeadm: waiting for etcd learner member to be started before promoting during 'kubeadm join' + - 4957b71b2 2026-01-08T13:49:59+01:00 mark QuotaMonitor as not running and invalidate monitors list + - 8a9586e02 2026-01-07T14:26:50+01:00 kubeadm: always retry Patch() Node API calls + - 5df89e6f4 2025-12-19T17:42:39+01:00 kubeadm: do not sort extraArgs alpha-numerically + - 60e446a7b 2025-12-18T18:06:00+09:00 hack/lib/util.sh: support uutils' `date` command + - 5ed8e8aa8 2025-12-16T18:27:43+00:00 Update CHANGELOG/CHANGELOG-1.32.md for v1.32.11 + - 2195eae9e 2025-12-16T17:59:23+00:00 Release commit for Kubernetes v1.32.11 + - cabe97a6e 2025-12-10T11:57:13+01:00 upgrade to cos 121 + - 1fb4fe155 
2025-12-05T11:49:06+01:00 Bump dependencies, images and versions used to Go 1.24.11 and distroless iptables + - fff934eed 2025-12-03T12:20:05-08:00 fix docker IP address detection for rsync + - 8ffde8cfc 2025-11-29T11:19:27+01:00 Bump dependencies, images and versions used to Go 1.24.10 and distroless iptables + - 9af05b650 2025-11-25T18:15:23+00:00 Fallback to live ns lookup on admission if lister cannot find namespace + - 7247ba38f 2025-11-11T20:52:28+00:00 Update CHANGELOG/CHANGELOG-1.32.md for v1.32.10 + - aeeda7b58 2025-11-07T03:06:43+00:00 mark device manager as haelthy before it started for the first time + - 00ab04409 2025-11-03T15:50:07+00:00 Mark API server errors as transient in csi raw block driver -- cluster-kube-scheduler-operator embedded-component 8740a60de76690a17d5081db078eb93dfdb7a066 to b5671f10f0b03ac19e584e08b08267f67dd2d709 - - ca3fba9 2026-01-30T12:59:18-05:00 Update ks_pod_scenario_3.yaml - - b35f237 2026-01-30T12:59:18-05:00 Update ks_pod_scenario_2.yaml - - bb1599c 2026-01-30T12:59:17-05:00 Update ks_pod_scenario_1.yaml - - 95d235b 2026-01-30T12:59:17-05:00 Add priority field to prevent early shutdown +- machine-config-operator embedded-component 25321abfd952d282486d28fe27c4ab6052469ebf to 91ec81a0818330ccdf396f3881f09cb009cfce15 + - 3513ac82 2026-02-19T15:50:14+00:00 fix pull secret log spam make verify error + - 4c423326 2026-02-12T21:56:37+00:00 fixes exposure of sensitive data in log files + - fa437a60 2026-02-08T06:33:31-05:00 hack: add AMI update automation script + - 9de890b0 2026-02-08T06:33:31-05:00 move msbic controller to bootimage/ -- etcd embedded-component 0737eac4bbe3903f725064c06a88af761418e5fd to 3ebce536634cb76794f1b9668072a094c132c16a - - da481c1f 2026-02-06T10:54:08-05:00 UPSTREAM: : Revert "dependency: Bump golang.org/x/crypto from 0.38.0 to 0.45.0" - - 847c0464 2026-02-06T10:45:22-05:00 UPSTREAM: : manually resolve conflicts - - 65251b30 2025-12-18T03:27:13+08:00 version: bump up to 3.5.26 - - 751f1628 
2025-12-15T22:36:25-06:00 dependency: Bump golang.org/x/crypto from 0.38.0 to 0.45.0 - - 47f9b5aa 2025-12-10T09:37:59-05:00 server: cleanup zombie membership information - - 5ff84215 2025-12-10T09:36:18-05:00 tests: setup two testcases to reproduce 20967 issue - - a8ffc2e2 2025-12-06T21:32:18+08:00 Bump go to 1.24.11 - - 80e15b8f 2025-11-18T13:11:14+00:00 Fix a typo of 'etcdctl snapshot restore/status' commands - - 8bdb0edc 2025-11-17T17:56:45+00:00 Print token fingerprint instead of the original tokens in log messages - - e2eff772 2025-11-12T00:00:11-05:00 version: bump up to 3.5.25 - - 26c67519 2025-11-06T21:57:49-08:00 Bump from go1.24.9 to go1.24.10 - - 547d6f42 2025-11-06T19:37:43+00:00 Fix the '--force-new-cluster' can't clean up learners issue - - 2cdacbc4 2025-11-06T19:35:12+00:00 Add an e2e test cases to reproduce the '--force-new-cluster' can't remove learners issue - - 67ddeb51 2025-11-04T09:30:54-05:00 etcdutl: add --wal-dir for check-v2store +- operator-framework-olm embedded-component 8332256a5954ab312b33e91fd1befa847f551a0b to 05a5a754366264a0926abf61e1ae11837a94b393 + - eddd12ad 2026-02-11T14:01:03-05:00 fixup! Remove the collect-profiles job + - 9af6e609 2026-02-11T13:59:52-05:00 fixup! 
Remove the collect-profiles job + - 7eaf98ab 2026-02-11T13:52:34-05:00 Remove the collect-profiles job -- machine-config-operator embedded-component b405535023b88949e231be90778e5cf63e438c40 to 25321abfd952d282486d28fe27c4ab6052469ebf - - 1b30b594 2026-01-28T16:02:00-06:00 Fix MCN conditions not updating during OCL sync +- kubernetes image-amd64 9d45edc58ca6d5240fc84d3d50eb7490aa683c16 to 346896bae752bb9def8cacca75fdc7f7dcae9496 + - 4591c3293 2026-02-17T13:52:33-05:00 UPSTREAM: : hack/update-vendor.sh, make update and update image + - 39350c63d 2026-02-10T12:54:39+00:00 Release commit for Kubernetes v1.32.12 + - 21615dafa 2026-01-30T11:13:36+01:00 Bump dependencies, images and versions used to Go 1.24.12 and distroless iptables + - 1d30ce5a0 2026-01-29T15:03:25-05:00 Apparently some EC2 images we use do not have /proc/net/nf_conntrack + - 168701dda 2026-01-29T15:03:25-05:00 test: cleanup from review + - 4a485a05a 2026-01-29T15:03:24-05:00 test: Fix KubeProxy CLOSE_WAIT test for IPv6 environments + - 78ace1048 2026-01-29T15:03:22-05:00 test: Read /proc/net/nf_conntrack instead of using conntrack binary + - eb7391688 2026-01-27T14:34:56+01:00 DRA scheduler: fix another root cause of double device allocation + - 6179b6db5 2026-01-27T14:34:56+01:00 DRA scheduler: fix one root cause of double device allocation + - a44152180 2026-01-20T16:01:41-08:00 kubeadm: waiting for etcd learner member to be started before promoting during 'kubeadm join' + - 4957b71b2 2026-01-08T13:49:59+01:00 mark QuotaMonitor as not running and invalidate monitors list + - 8a9586e02 2026-01-07T14:26:50+01:00 kubeadm: always retry Patch() Node API calls + - 5df89e6f4 2025-12-19T17:42:39+01:00 kubeadm: do not sort extraArgs alpha-numerically + - 60e446a7b 2025-12-18T18:06:00+09:00 hack/lib/util.sh: support uutils' `date` command + - 5ed8e8aa8 2025-12-16T18:27:43+00:00 Update CHANGELOG/CHANGELOG-1.32.md for v1.32.11 + - 2195eae9e 2025-12-16T17:59:23+00:00 Release commit for Kubernetes v1.32.11 + - 
cabe97a6e 2025-12-10T11:57:13+01:00 upgrade to cos 121 + - 1fb4fe155 2025-12-05T11:49:06+01:00 Bump dependencies, images and versions used to Go 1.24.11 and distroless iptables + - fff934eed 2025-12-03T12:20:05-08:00 fix docker IP address detection for rsync + - 8ffde8cfc 2025-11-29T11:19:27+01:00 Bump dependencies, images and versions used to Go 1.24.10 and distroless iptables + - 9af05b650 2025-11-25T18:15:23+00:00 Fallback to live ns lookup on admission if lister cannot find namespace + - 7247ba38f 2025-11-11T20:52:28+00:00 Update CHANGELOG/CHANGELOG-1.32.md for v1.32.10 + - aeeda7b58 2025-11-07T03:06:43+00:00 mark device manager as haelthy before it started for the first time + - 00ab04409 2025-11-03T15:50:07+00:00 Mark API server errors as transient in csi raw block driver -- ovn-kubernetes image-amd64 16e5e201025c67a8cc2253851ebbbe3dfa7d7910 to 194e289903051ba951e479c227ad3d44f9fc321a - - 1ce92737 2026-01-21T14:02:20+01:00 fix(localnet, ipamless): Prevent LSP deletion on sync +- kubernetes image-arm64 9d45edc58ca6d5240fc84d3d50eb7490aa683c16 to 346896bae752bb9def8cacca75fdc7f7dcae9496 + - 4591c3293 2026-02-17T13:52:33-05:00 UPSTREAM: : hack/update-vendor.sh, make update and update image + - 39350c63d 2026-02-10T12:54:39+00:00 Release commit for Kubernetes v1.32.12 + - 21615dafa 2026-01-30T11:13:36+01:00 Bump dependencies, images and versions used to Go 1.24.12 and distroless iptables + - 1d30ce5a0 2026-01-29T15:03:25-05:00 Apparently some EC2 images we use do not have /proc/net/nf_conntrack + - 168701dda 2026-01-29T15:03:25-05:00 test: cleanup from review + - 4a485a05a 2026-01-29T15:03:24-05:00 test: Fix KubeProxy CLOSE_WAIT test for IPv6 environments + - 78ace1048 2026-01-29T15:03:22-05:00 test: Read /proc/net/nf_conntrack instead of using conntrack binary + - eb7391688 2026-01-27T14:34:56+01:00 DRA scheduler: fix another root cause of double device allocation + - 6179b6db5 2026-01-27T14:34:56+01:00 DRA scheduler: fix one root cause of double device 
allocation + - a44152180 2026-01-20T16:01:41-08:00 kubeadm: waiting for etcd learner member to be started before promoting during 'kubeadm join' + - 4957b71b2 2026-01-08T13:49:59+01:00 mark QuotaMonitor as not running and invalidate monitors list + - 8a9586e02 2026-01-07T14:26:50+01:00 kubeadm: always retry Patch() Node API calls + - 5df89e6f4 2025-12-19T17:42:39+01:00 kubeadm: do not sort extraArgs alpha-numerically + - 60e446a7b 2025-12-18T18:06:00+09:00 hack/lib/util.sh: support uutils' `date` command + - 5ed8e8aa8 2025-12-16T18:27:43+00:00 Update CHANGELOG/CHANGELOG-1.32.md for v1.32.11 + - 2195eae9e 2025-12-16T17:59:23+00:00 Release commit for Kubernetes v1.32.11 + - cabe97a6e 2025-12-10T11:57:13+01:00 upgrade to cos 121 + - 1fb4fe155 2025-12-05T11:49:06+01:00 Bump dependencies, images and versions used to Go 1.24.11 and distroless iptables + - fff934eed 2025-12-03T12:20:05-08:00 fix docker IP address detection for rsync + - 8ffde8cfc 2025-11-29T11:19:27+01:00 Bump dependencies, images and versions used to Go 1.24.10 and distroless iptables + - 9af05b650 2025-11-25T18:15:23+00:00 Fallback to live ns lookup on admission if lister cannot find namespace + - 7247ba38f 2025-11-11T20:52:28+00:00 Update CHANGELOG/CHANGELOG-1.32.md for v1.32.10 + - aeeda7b58 2025-11-07T03:06:43+00:00 mark device manager as haelthy before it started for the first time + - 00ab04409 2025-11-03T15:50:07+00:00 Mark API server errors as transient in csi raw block driver diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt index 962723ab4e..b6c43552da 100644 --- a/scripts/auto-rebase/commits.txt +++ b/scripts/auto-rebase/commits.txt 
@@ -10,11 +10,11 @@ https://github.com/openshift/cluster-openshift-controller-manager-operator embed https://github.com/openshift/cluster-policy-controller embedded-component 748524784686a5f397490563882cbfb88f9acd01 https://github.com/openshift/csi-external-snapshotter embedded-component 580c6960cd665dfdc3d77538bb7744b8754aca26 https://github.com/openshift/etcd embedded-component 3ebce536634cb76794f1b9668072a094c132c16a -https://github.com/openshift/kubernetes embedded-component 9d45edc58ca6d5240fc84d3d50eb7490aa683c16 +https://github.com/openshift/kubernetes embedded-component 346896bae752bb9def8cacca75fdc7f7dcae9496 https://github.com/openshift/kubernetes-kube-storage-version-migrator embedded-component fdef30c84b3d45ede364500984221c3f492b1415 -https://github.com/openshift/machine-config-operator embedded-component 25321abfd952d282486d28fe27c4ab6052469ebf +https://github.com/openshift/machine-config-operator embedded-component 91ec81a0818330ccdf396f3881f09cb009cfce15 https://github.com/openshift/openshift-controller-manager embedded-component 5b3063ff149f290bebca0783fc508dfbf07689a5 -https://github.com/openshift/operator-framework-olm embedded-component 8332256a5954ab312b33e91fd1befa847f551a0b +https://github.com/openshift/operator-framework-olm embedded-component 05a5a754366264a0926abf61e1ae11837a94b393 https://github.com/openshift/route-controller-manager embedded-component bc97534a12a7a6bac096e4ed488b29535c8d4f33 https://github.com/openshift/service-ca-operator embedded-component 4dfa6916f984d0fd7188380edc88b250738f07f7 https://github.com/openshift/oc image-amd64 24755b6e82745a4dfa5a6db4b467564c237f244c 
@@ -23,7 +23,7 @@ https://github.com/openshift/csi-external-snapshotter image-amd64 580c6960cd665d https://github.com/openshift/router image-amd64 5fe8cc069b2f44b3393545ac92c3201e8a87d82b https://github.com/openshift/kube-rbac-proxy image-amd64 591277560f328601273f88f2881e09ccccd90a97 https://github.com/openshift/ovn-kubernetes image-amd64 194e289903051ba951e479c227ad3d44f9fc321a -https://github.com/openshift/kubernetes image-amd64 9d45edc58ca6d5240fc84d3d50eb7490aa683c16 +https://github.com/openshift/kubernetes image-amd64 346896bae752bb9def8cacca75fdc7f7dcae9496 https://github.com/openshift/service-ca-operator image-amd64 4dfa6916f984d0fd7188380edc88b250738f07f7 https://github.com/openshift/oc image-arm64 24755b6e82745a4dfa5a6db4b467564c237f244c https://github.com/openshift/coredns image-arm64 4f64931403bf747b78bccb40ad877b08da534e23 @@ -31,5 +31,5 @@ https://github.com/openshift/csi-external-snapshotter image-arm64 580c6960cd665d https://github.com/openshift/router image-arm64 5fe8cc069b2f44b3393545ac92c3201e8a87d82b https://github.com/openshift/kube-rbac-proxy image-arm64 591277560f328601273f88f2881e09ccccd90a97 https://github.com/openshift/ovn-kubernetes image-arm64 194e289903051ba951e479c227ad3d44f9fc321a -https://github.com/openshift/kubernetes image-arm64 9d45edc58ca6d5240fc84d3d50eb7490aa683c16 +https://github.com/openshift/kubernetes image-arm64 346896bae752bb9def8cacca75fdc7f7dcae9496 https://github.com/openshift/service-ca-operator image-arm64 4dfa6916f984d0fd7188380edc88b250738f07f7 From af702041f3f25bc64f3664be19972d0a3da59b4d Mon Sep 17 00:00:00 2001 From: ci-robot Date: Mon, 23 Feb 2026 04:16:28 +0000 Subject: [PATCH 03/11] update microshift/go.mod --- go.mod | 54 +++++++++++++++++++++++++++--------------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/go.mod b/go.mod index 2875911e63..2a7d8c39f3 100644 --- a/go.mod +++ b/go.mod 
@@ -38,16 +38,16 @@ require (
 github.com/prometheus/common v0.62.0
 github.com/prometheus/prometheus v0.302.1
 gopkg.in/yaml.v2 v2.4.0
- k8s.io/api v1.32.10
- k8s.io/apiextensions-apiserver v1.32.10
- k8s.io/apimachinery v1.32.10
- k8s.io/apiserver v1.32.10
- k8s.io/cli-runtime v1.32.10
- k8s.io/client-go v1.32.10
- k8s.io/cloud-provider v1.32.10
- k8s.io/component-base v1.32.10
- k8s.io/kube-aggregator v1.32.10
- k8s.io/kubectl v1.32.10
+ k8s.io/api v1.32.12
+ k8s.io/apiextensions-apiserver v1.32.12
+ k8s.io/apimachinery v1.32.12
+ k8s.io/apiserver v1.32.12
+ k8s.io/cli-runtime v1.32.12
+ k8s.io/client-go v1.32.12
+ k8s.io/cloud-provider v1.32.12
+ k8s.io/component-base v1.32.12
+ k8s.io/kube-aggregator v1.32.12
+ k8s.io/kubectl v1.32.12
 k8s.io/utils v0.0.0-20241210054802-24370beab758
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96
 sigs.k8s.io/kustomize/api v0.20.1
@@ -147,22 +147,22 @@ require (
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 gopkg.in/square/go-jose.v2 v2.6.0 // indirect
- k8s.io/cluster-bootstrap v1.32.10 // indirect
- k8s.io/component-helpers v1.32.10 // indirect
- k8s.io/controller-manager v1.32.10 // indirect
- k8s.io/cri-api v1.32.10 // indirect
- k8s.io/cri-client v1.32.10 // indirect
- k8s.io/csi-translation-lib v1.32.10 // indirect
- k8s.io/dynamic-resource-allocation v1.32.10 // indirect
- k8s.io/endpointslice v1.32.10 // indirect
- k8s.io/externaljwt v1.32.10 // indirect
- k8s.io/kms v1.32.10 // indirect
- k8s.io/kube-controller-manager v1.32.10 // indirect
- k8s.io/kube-scheduler v1.32.10 // indirect
- k8s.io/kubelet v1.32.10 // indirect
- k8s.io/metrics v1.32.10 // indirect
- k8s.io/mount-utils v1.32.10 // indirect
- k8s.io/pod-security-admission v1.32.10 // indirect
+ k8s.io/cluster-bootstrap v1.32.12 // indirect
+ k8s.io/component-helpers v1.32.12 // indirect
+ k8s.io/controller-manager v1.32.12 // indirect
+ k8s.io/cri-api v1.32.12 // indirect
+ k8s.io/cri-client v1.32.12 // indirect
+ k8s.io/csi-translation-lib v1.32.12 // indirect
+ k8s.io/dynamic-resource-allocation v1.32.12 // indirect
+ k8s.io/endpointslice v1.32.12 // indirect
+ k8s.io/externaljwt v1.32.12 // indirect
+ k8s.io/kms v1.32.12 // indirect
+ k8s.io/kube-controller-manager v1.32.12 // indirect
+ k8s.io/kube-scheduler v1.32.12 // indirect
+ k8s.io/kubelet v1.32.12 // indirect
+ k8s.io/metrics v1.32.12 // indirect
+ k8s.io/mount-utils v1.32.12 // indirect
+ k8s.io/pod-security-admission v1.32.12 // indirect
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 )
@@ -211,7 +211,7 @@ require (
 google.golang.org/protobuf v1.36.4 // indirect
 k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 // indirect
 k8s.io/klog/v2 v2.130.1
- k8s.io/kubernetes v1.32.10
+ k8s.io/kubernetes v1.32.12
 sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect
 )
From 8befc48081d5e457cc0ad3b2e3b7e9c38746d86a Mon Sep 17 00:00:00 2001
From: ci-robot
Date: Mon, 23 Feb 2026 04:16:28 +0000
Subject: [PATCH 04/11] update microshift/deps
---
 .../openshift/kubernetes/.go-version | 2 +-
 .../kubernetes/CHANGELOG/CHANGELOG-1.32.md | 425 ++++++++++++++----
 .../build/build-image/cross/VERSION | 2 +-
 .../openshift/kubernetes/build/common.sh | 6 +-
 .../kubernetes/build/dependencies.yaml | 8 +-
 .../kubernetes/cluster/gce/config-default.sh | 2 +-
 .../kubernetes/cluster/gce/config-test.sh | 2 +-
 .../cmd/kubeadm/app/apis/kubeadm/types.go | 3 +
 .../kubeadm/app/apis/kubeadm/v1beta4/types.go | 3 +
 .../kubeadm/app/util/apiclient/idempotency.go | 5 +-
 .../app/util/apiclient/idempotency_test.go | 48 --
 .../cmd/kubeadm/app/util/arguments.go | 48 +-
 .../cmd/kubeadm/app/util/arguments_test.go | 47 +-
 .../cmd/kubeadm/app/util/etcd/etcd.go | 126 ++++--
 .../cmd/kubeadm/app/util/etcd/etcd_test.go | 75 +++-
 .../openshift/kubernetes/hack/lib/util.sh | 10 +-
 .../openshift/kubernetes/hack/lib/version.sh | 2 +-
 .../images/hyperkube/Dockerfile.rhel | 2 +-
 .../resourcequota/resource_quota_monitor.go | 10 +-
 .../cm/devicemanager/plugin/v1beta1/server.go | 21 +-
 .../dynamicresources/allocateddevices.go | 28 +-
 .../plugins/dynamicresources/dra_manager.go | 31 +-
 .../dynamicresources/dynamicresources.go | 22 +-
 .../util/assumecache/assume_cache.go | 32 +-
 .../kubernetes/pkg/volume/csi/csi_block.go | 15 +-
 .../pkg/volume/csi/csi_block_test.go | 41 ++
 .../kubernetes/staging/publishing/rules.yaml | 2 +-
 .../plugin/policy/generic/policy_matcher.go | 9 +-
 .../plugin/policy/matching/matching.go | 5 +-
 .../plugin/policy/mutating/dispatcher.go | 6 +-
 .../policy/validating/admission_test.go | 2 +-
 .../plugin/policy/validating/dispatcher.go | 2 +-
 .../webhook/predicates/namespace/matcher.go | 9 +-
 .../kubernetes/test/e2e/network/kube_proxy.go | 67 +--
 .../openshift/kubernetes/test/images/Makefile | 2 +-
 .../kubernetes/test/utils/image/manifest.go | 2 +-
 36 files changed, 791 insertions(+), 331 deletions(-)
diff --git a/deps/github.com/openshift/kubernetes/.go-version b/deps/github.com/openshift/kubernetes/.go-version
index eb716f77a7..5c854ab238 100644
--- a/deps/github.com/openshift/kubernetes/.go-version
+++ b/deps/github.com/openshift/kubernetes/.go-version
@@ -1 +1 @@
-1.24.9
+1.24.12
diff --git a/deps/github.com/openshift/kubernetes/CHANGELOG/CHANGELOG-1.32.md b/deps/github.com/openshift/kubernetes/CHANGELOG/CHANGELOG-1.32.md
index fe1ac62a5a..fe497c0c86 100644
--- a/deps/github.com/openshift/kubernetes/CHANGELOG/CHANGELOG-1.32.md
+++ b/deps/github.com/openshift/kubernetes/CHANGELOG/CHANGELOG-1.32.md
@@ -1,294 +1,523 @@ -- [v1.32.9](#v1329) - - [Downloads for v1.32.9](#downloads-for-v1329) +- [v1.32.11](#v13211) + - [Downloads for v1.32.11](#downloads-for-v13211) - [Source Code](#source-code) - [Client Binaries](#client-binaries) - [Server Binaries](#server-binaries) - [Node Binaries](#node-binaries) - [Container Images](#container-images) - - [Changelog since v1.32.8](#changelog-since-v1328) + - [Changelog since v1.32.10](#changelog-since-v13210) - [Changes by Kind](#changes-by-kind) - [Feature](#feature) - [Bug or Regression](#bug-or-regression) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake) - [Dependencies](#dependencies) - [Added](#added) - [Changed](#changed) - [Removed](#removed) -- [v1.32.8](#v1328) - - [Downloads for v1.32.8](#downloads-for-v1328) +- [v1.32.10](#v13210) + - [Downloads for v1.32.10](#downloads-for-v13210) - [Source Code](#source-code-1) - [Client Binaries](#client-binaries-1) - [Server Binaries](#server-binaries-1) - [Node Binaries](#node-binaries-1) - [Container Images](#container-images-1) - - [Changelog since v1.32.7](#changelog-since-v1327) - - [Important Security Information](#important-security-information) - - [CVE-2025-5187: Nodes can delete themselves by adding an OwnerReference](#cve-2025-5187-nodes-can-delete-themselves-by-adding-an-ownerreference) + - [Changelog since v1.32.9](#changelog-since-v1329) - [Changes by Kind](#changes-by-kind-1) - [Feature](#feature-1) - [Bug or Regression](#bug-or-regression-1) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake) - [Dependencies](#dependencies-1) - [Added](#added-1) - [Changed](#changed-1) - [Removed](#removed-1) -- [v1.32.7](#v1327) - - [Downloads for v1.32.7](#downloads-for-v1327) +- [v1.32.9](#v1329) + - [Downloads for v1.32.9](#downloads-for-v1329) - [Source Code](#source-code-2) - [Client Binaries](#client-binaries-2) - [Server Binaries](#server-binaries-2) - [Node Binaries](#node-binaries-2) - [Container Images](#container-images-2) - - [Changelog since 
v1.32.6](#changelog-since-v1326) + - [Changelog since v1.32.8](#changelog-since-v1328) - [Changes by Kind](#changes-by-kind-2) + - [Feature](#feature-2) - [Bug or Regression](#bug-or-regression-2) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1) - [Dependencies](#dependencies-2) - [Added](#added-2) - [Changed](#changed-2) - [Removed](#removed-2) -- [v1.32.6](#v1326) - - [Downloads for v1.32.6](#downloads-for-v1326) +- [v1.32.8](#v1328) + - [Downloads for v1.32.8](#downloads-for-v1328) - [Source Code](#source-code-3) - [Client Binaries](#client-binaries-3) - [Server Binaries](#server-binaries-3) - [Node Binaries](#node-binaries-3) - [Container Images](#container-images-3) - - [Changelog since v1.32.5](#changelog-since-v1325) - - [Important Security Information](#important-security-information-1) - - [CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks](#cve-2025-4563-nodes-can-bypass-dynamic-resource-allocation-authorization-checks) + - [Changelog since v1.32.7](#changelog-since-v1327) + - [Important Security Information](#important-security-information) + - [CVE-2025-5187: Nodes can delete themselves by adding an OwnerReference](#cve-2025-5187-nodes-can-delete-themselves-by-adding-an-ownerreference) - [Changes by Kind](#changes-by-kind-3) - - [Feature](#feature-2) + - [Feature](#feature-3) - [Bug or Regression](#bug-or-regression-3) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1) - [Dependencies](#dependencies-3) - [Added](#added-3) - [Changed](#changed-3) - [Removed](#removed-3) -- [v1.32.5](#v1325) - - [Downloads for v1.32.5](#downloads-for-v1325) +- [v1.32.7](#v1327) + - [Downloads for v1.32.7](#downloads-for-v1327) - [Source Code](#source-code-4) - [Client Binaries](#client-binaries-4) - [Server Binaries](#server-binaries-4) - [Node Binaries](#node-binaries-4) - [Container Images](#container-images-4) - - [Changelog since v1.32.4](#changelog-since-v1324) + - [Changelog since v1.32.6](#changelog-since-v1326) - 
[Changes by Kind](#changes-by-kind-4) - - [Feature](#feature-3) - [Bug or Regression](#bug-or-regression-4) - [Dependencies](#dependencies-4) - [Added](#added-4) - [Changed](#changed-4) - [Removed](#removed-4) -- [v1.32.4](#v1324) - - [Downloads for v1.32.4](#downloads-for-v1324) +- [v1.32.6](#v1326) + - [Downloads for v1.32.6](#downloads-for-v1326) - [Source Code](#source-code-5) - [Client Binaries](#client-binaries-5) - [Server Binaries](#server-binaries-5) - [Node Binaries](#node-binaries-5) - [Container Images](#container-images-5) - - [Changelog since v1.32.3](#changelog-since-v1323) + - [Changelog since v1.32.5](#changelog-since-v1325) + - [Important Security Information](#important-security-information-1) + - [CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks](#cve-2025-4563-nodes-can-bypass-dynamic-resource-allocation-authorization-checks) - [Changes by Kind](#changes-by-kind-5) + - [Feature](#feature-4) - [Bug or Regression](#bug-or-regression-5) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-2) - [Dependencies](#dependencies-5) - [Added](#added-5) - [Changed](#changed-5) - [Removed](#removed-5) -- [v1.32.3](#v1323) - - [Downloads for v1.32.3](#downloads-for-v1323) +- [v1.32.5](#v1325) + - [Downloads for v1.32.5](#downloads-for-v1325) - [Source Code](#source-code-6) - [Client Binaries](#client-binaries-6) - [Server Binaries](#server-binaries-6) - [Node Binaries](#node-binaries-6) - [Container Images](#container-images-6) - - [Changelog since v1.32.2](#changelog-since-v1322) + - [Changelog since v1.32.4](#changelog-since-v1324) - [Changes by Kind](#changes-by-kind-6) - - [API Change](#api-change) + - [Feature](#feature-5) - [Bug or Regression](#bug-or-regression-6) - [Dependencies](#dependencies-6) - [Added](#added-6) - [Changed](#changed-6) - [Removed](#removed-6) -- [v1.32.2](#v1322) - - [Downloads for v1.32.2](#downloads-for-v1322) +- [v1.32.4](#v1324) + - [Downloads for v1.32.4](#downloads-for-v1324) - [Source 
Code](#source-code-7) - [Client Binaries](#client-binaries-7) - [Server Binaries](#server-binaries-7) - [Node Binaries](#node-binaries-7) - [Container Images](#container-images-7) - - [Changelog since v1.32.1](#changelog-since-v1321) - - [Important Security Information](#important-security-information-2) - - [CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API](#cve-2025-0426-node-denial-of-service-via-kubelet-checkpoint-api) + - [Changelog since v1.32.3](#changelog-since-v1323) - [Changes by Kind](#changes-by-kind-7) - - [Feature](#feature-4) - [Bug or Regression](#bug-or-regression-7) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-2) - [Dependencies](#dependencies-7) - [Added](#added-7) - [Changed](#changed-7) - [Removed](#removed-7) -- [v1.32.1](#v1321) - - [Downloads for v1.32.1](#downloads-for-v1321) +- [v1.32.3](#v1323) + - [Downloads for v1.32.3](#downloads-for-v1323) - [Source Code](#source-code-8) - [Client Binaries](#client-binaries-8) - [Server Binaries](#server-binaries-8) - [Node Binaries](#node-binaries-8) - [Container Images](#container-images-8) - - [Changelog since v1.32.0](#changelog-since-v1320) - - [Important Security Information](#important-security-information-3) - - [CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API](#cve-2024-9042-command-injection-affecting-windows-nodes-via-nodeslogsquery-api) + - [Changelog since v1.32.2](#changelog-since-v1322) - [Changes by Kind](#changes-by-kind-8) - - [API Change](#api-change-1) - - [Feature](#feature-5) + - [API Change](#api-change) - [Bug or Regression](#bug-or-regression-8) - [Dependencies](#dependencies-8) - [Added](#added-8) - [Changed](#changed-8) - [Removed](#removed-8) -- [v1.32.0](#v1320) - - [Downloads for v1.32.0](#downloads-for-v1320) +- [v1.32.2](#v1322) + - [Downloads for v1.32.2](#downloads-for-v1322) - [Source Code](#source-code-9) - [Client Binaries](#client-binaries-9) - [Server Binaries](#server-binaries-9) - [Node 
Binaries](#node-binaries-9) - [Container Images](#container-images-9) - - [Changelog since v1.31.0](#changelog-since-v1310) - - [Urgent Upgrade Notes](#urgent-upgrade-notes) + - [Changelog since v1.32.1](#changelog-since-v1321) + - [Important Security Information](#important-security-information-2) + - [CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API](#cve-2025-0426-node-denial-of-service-via-kubelet-checkpoint-api) - [Changes by Kind](#changes-by-kind-9) - - [Deprecation](#deprecation) - - [API Change](#api-change-2) - [Feature](#feature-6) - - [Documentation](#documentation) - - [Failing Test](#failing-test) - [Bug or Regression](#bug-or-regression-9) - [Other (Cleanup or Flake)](#other-cleanup-or-flake-3) - [Dependencies](#dependencies-9) - [Added](#added-9) - [Changed](#changed-9) - [Removed](#removed-9) -- [v1.32.0-rc.2](#v1320-rc2) - - [Downloads for v1.32.0-rc.2](#downloads-for-v1320-rc2) +- [v1.32.1](#v1321) + - [Downloads for v1.32.1](#downloads-for-v1321) - [Source Code](#source-code-10) - [Client Binaries](#client-binaries-10) - [Server Binaries](#server-binaries-10) - [Node Binaries](#node-binaries-10) - [Container Images](#container-images-10) - - [Changelog since v1.32.0-rc.1](#changelog-since-v1320-rc1) + - [Changelog since v1.32.0](#changelog-since-v1320) + - [Important Security Information](#important-security-information-3) + - [CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API](#cve-2024-9042-command-injection-affecting-windows-nodes-via-nodeslogsquery-api) - [Changes by Kind](#changes-by-kind-10) - - [API Change](#api-change-3) + - [API Change](#api-change-1) + - [Feature](#feature-7) - [Bug or Regression](#bug-or-regression-10) - [Dependencies](#dependencies-10) - [Added](#added-10) - [Changed](#changed-10) - [Removed](#removed-10) -- [v1.32.0-rc.1](#v1320-rc1) - - [Downloads for v1.32.0-rc.1](#downloads-for-v1320-rc1) +- [v1.32.0](#v1320) + - [Downloads for v1.32.0](#downloads-for-v1320) - 
[Source Code](#source-code-11) - [Client Binaries](#client-binaries-11) - [Server Binaries](#server-binaries-11) - [Node Binaries](#node-binaries-11) - [Container Images](#container-images-11) - - [Changelog since v1.32.0-rc.0](#changelog-since-v1320-rc0) + - [Changelog since v1.31.0](#changelog-since-v1310) + - [Urgent Upgrade Notes](#urgent-upgrade-notes) + - [Changes by Kind](#changes-by-kind-11) + - [Deprecation](#deprecation) + - [API Change](#api-change-2) + - [Feature](#feature-8) + - [Documentation](#documentation) + - [Failing Test](#failing-test) + - [Bug or Regression](#bug-or-regression-11) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-4) - [Dependencies](#dependencies-11) - [Added](#added-11) - [Changed](#changed-11) - [Removed](#removed-11) -- [v1.32.0-rc.0](#v1320-rc0) - - [Downloads for v1.32.0-rc.0](#downloads-for-v1320-rc0) +- [v1.32.0-rc.2](#v1320-rc2) + - [Downloads for v1.32.0-rc.2](#downloads-for-v1320-rc2) - [Source Code](#source-code-12) - [Client Binaries](#client-binaries-12) - [Server Binaries](#server-binaries-12) - [Node Binaries](#node-binaries-12) - [Container Images](#container-images-12) - - [Changelog since v1.32.0-beta.0](#changelog-since-v1320-beta0) - - [Changes by Kind](#changes-by-kind-11) - - [API Change](#api-change-4) - - [Feature](#feature-7) - - [Bug or Regression](#bug-or-regression-11) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-4) + - [Changelog since v1.32.0-rc.1](#changelog-since-v1320-rc1) + - [Changes by Kind](#changes-by-kind-12) + - [API Change](#api-change-3) + - [Bug or Regression](#bug-or-regression-12) - [Dependencies](#dependencies-12) - [Added](#added-12) - [Changed](#changed-12) - [Removed](#removed-12) -- [v1.32.0-beta.0](#v1320-beta0) - - [Downloads for v1.32.0-beta.0](#downloads-for-v1320-beta0) +- [v1.32.0-rc.1](#v1320-rc1) + - [Downloads for v1.32.0-rc.1](#downloads-for-v1320-rc1) - [Source Code](#source-code-13) - [Client Binaries](#client-binaries-13) - [Server 
Binaries](#server-binaries-13) - [Node Binaries](#node-binaries-13) - [Container Images](#container-images-13) - - [Changelog since v1.32.0-alpha.3](#changelog-since-v1320-alpha3) - - [Urgent Upgrade Notes](#urgent-upgrade-notes-1) - - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade) - - [Changes by Kind](#changes-by-kind-12) - - [Deprecation](#deprecation-1) - - [API Change](#api-change-5) - - [Feature](#feature-8) - - [Bug or Regression](#bug-or-regression-12) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-5) + - [Changelog since v1.32.0-rc.0](#changelog-since-v1320-rc0) - [Dependencies](#dependencies-13) - [Added](#added-13) - [Changed](#changed-13) - [Removed](#removed-13) -- [v1.32.0-alpha.3](#v1320-alpha3) - - [Downloads for v1.32.0-alpha.3](#downloads-for-v1320-alpha3) +- [v1.32.0-rc.0](#v1320-rc0) + - [Downloads for v1.32.0-rc.0](#downloads-for-v1320-rc0) - [Source Code](#source-code-14) - [Client Binaries](#client-binaries-14) - [Server Binaries](#server-binaries-14) - [Node Binaries](#node-binaries-14) - [Container Images](#container-images-14) - - [Changelog since v1.32.0-alpha.2](#changelog-since-v1320-alpha2) + - [Changelog since v1.32.0-beta.0](#changelog-since-v1320-beta0) - [Changes by Kind](#changes-by-kind-13) - - [API Change](#api-change-6) + - [API Change](#api-change-4) - [Feature](#feature-9) - - [Documentation](#documentation-1) - [Bug or Regression](#bug-or-regression-13) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-6) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-5) - [Dependencies](#dependencies-14) - [Added](#added-14) - [Changed](#changed-14) - [Removed](#removed-14) -- [v1.32.0-alpha.2](#v1320-alpha2) - - [Downloads for v1.32.0-alpha.2](#downloads-for-v1320-alpha2) +- [v1.32.0-beta.0](#v1320-beta0) + - [Downloads for v1.32.0-beta.0](#downloads-for-v1320-beta0) - [Source Code](#source-code-15) - [Client Binaries](#client-binaries-15) - [Server 
Binaries](#server-binaries-15) - [Node Binaries](#node-binaries-15) - [Container Images](#container-images-15) - - [Changelog since v1.32.0-alpha.1](#changelog-since-v1320-alpha1) + - [Changelog since v1.32.0-alpha.3](#changelog-since-v1320-alpha3) + - [Urgent Upgrade Notes](#urgent-upgrade-notes-1) + - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade) - [Changes by Kind](#changes-by-kind-14) - - [API Change](#api-change-7) + - [Deprecation](#deprecation-1) + - [API Change](#api-change-5) - [Feature](#feature-10) - - [Documentation](#documentation-2) - [Bug or Regression](#bug-or-regression-14) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-7) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-6) - [Dependencies](#dependencies-15) - [Added](#added-15) - [Changed](#changed-15) - [Removed](#removed-15) -- [v1.32.0-alpha.1](#v1320-alpha1) - - [Downloads for v1.32.0-alpha.1](#downloads-for-v1320-alpha1) +- [v1.32.0-alpha.3](#v1320-alpha3) + - [Downloads for v1.32.0-alpha.3](#downloads-for-v1320-alpha3) - [Source Code](#source-code-16) - [Client Binaries](#client-binaries-16) - [Server Binaries](#server-binaries-16) - [Node Binaries](#node-binaries-16) - [Container Images](#container-images-16) - - [Changelog since v1.31.0](#changelog-since-v1310-1) + - [Changelog since v1.32.0-alpha.2](#changelog-since-v1320-alpha2) - [Changes by Kind](#changes-by-kind-15) - - [Deprecation](#deprecation-2) - - [API Change](#api-change-8) + - [API Change](#api-change-6) - [Feature](#feature-11) - - [Documentation](#documentation-3) - - [Failing Test](#failing-test-1) + - [Documentation](#documentation-1) - [Bug or Regression](#bug-or-regression-15) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-8) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-7) - [Dependencies](#dependencies-16) - [Added](#added-16) - [Changed](#changed-16) - [Removed](#removed-16) +- [v1.32.0-alpha.2](#v1320-alpha2) + - [Downloads for 
v1.32.0-alpha.2](#downloads-for-v1320-alpha2) + - [Source Code](#source-code-17) + - [Client Binaries](#client-binaries-17) + - [Server Binaries](#server-binaries-17) + - [Node Binaries](#node-binaries-17) + - [Container Images](#container-images-17) + - [Changelog since v1.32.0-alpha.1](#changelog-since-v1320-alpha1) + - [Changes by Kind](#changes-by-kind-16) + - [API Change](#api-change-7) + - [Feature](#feature-12) + - [Documentation](#documentation-2) + - [Bug or Regression](#bug-or-regression-16) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-8) + - [Dependencies](#dependencies-17) + - [Added](#added-17) + - [Changed](#changed-17) + - [Removed](#removed-17) +- [v1.32.0-alpha.1](#v1320-alpha1) + - [Downloads for v1.32.0-alpha.1](#downloads-for-v1320-alpha1) + - [Source Code](#source-code-18) + - [Client Binaries](#client-binaries-18) + - [Server Binaries](#server-binaries-18) + - [Node Binaries](#node-binaries-18) + - [Container Images](#container-images-18) + - [Changelog since v1.31.0](#changelog-since-v1310-1) + - [Changes by Kind](#changes-by-kind-17) + - [Deprecation](#deprecation-2) + - [API Change](#api-change-8) + - [Feature](#feature-13) + - [Documentation](#documentation-3) + - [Failing Test](#failing-test-1) + - [Bug or Regression](#bug-or-regression-17) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-9) + - [Dependencies](#dependencies-18) + - [Added](#added-18) + - [Changed](#changed-18) + - [Removed](#removed-18) +# v1.32.11 + + +## Downloads for v1.32.11 + + + +### Source Code + +filename | sha512 hash +-------- | ----------- +[kubernetes.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes.tar.gz) | 4502c78853a2a36240ad66e7d8058c539f259381908371ae0bf0a4cca0796b63cad9e2bdbde80e09b3cd6e3a6150dbd9adcfe6490eb879350302980802115f07 +[kubernetes-src.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-src.tar.gz) | eac1b724837d0696d8453beca3d8c616820c25563cd0616296868fda7fbe94212831c3d0babd52ad2968466bc68a8d2cf0daf5e639f4863b1c1bf67e5c187166 + +### 
Client Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-darwin-amd64.tar.gz) | 30988c325e6a50d282b24c9580fa41002bfcc96760633c1640ee1c5ab22c55bf74e3f5f31ce188a8cdeaa0a1748a652de6358c16c41dcbb45168f7657f211fa8 +[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-darwin-arm64.tar.gz) | ca18716ca9b910598335745d38ff84f88a68ac8160c684a0a3ce7e07c2a427a5812c80f7c4c56a28015c4ed899976ea88c462aefbc31ffbccb05c5772fd9561c +[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-linux-386.tar.gz) | 562b8f95ef5e85f8042403b3afe35a54b390c9c7ed94568ab786e65396cff1793ceebb70e1cd35d2e5eec1c557a92d603abfd45da5d62bcf5190c49a6d01fc29 +[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-linux-amd64.tar.gz) | 3e2e4679e94889245ca61fa50b0c3e46278c523b4b78e6cecfb6d2f73d69b1a4264f58d855ec5d736ad008542d5be00bd67220038137f0cdce83d5a184d2046c +[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-linux-arm.tar.gz) | c023f766fae5323d3f88e26368214f3f9e4f2301c3ace07447cf4dfe79fcdfceb39c13e9ba7364eadf977dd79b35a89091259db3c4ab0f18f76d1975557e10b0 +[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-linux-arm64.tar.gz) | f12d59be4c00fecba8fdb976893397b77f5d90202299d26d6542211a95cac1d55778640ab92ee25cb03fdcda0c765c23f2436ea2cca7b6d3c4e297979d3f3ab4 +[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-linux-ppc64le.tar.gz) | b39a18245dc7e65ce93cd83fb2b0c4018ea3a3728ce0edfeabf998b33f80aac9859cd5831da400d0b40ef57eedea921e4bc5e8e5f113bb556b4ea9695c300077 +[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-linux-s390x.tar.gz) | 846c5cefa5dd6052c096ad838a273c499d4e594991cca26f30cd513233e16f82bdeaf7f3a9c024d06ade82261184fb59058851a984ce99a3b228c9c5d39039da 
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-windows-386.tar.gz) | d6c4b7dedbd11fd0a336e4e3133b0af34475b9e49b208b5176ce01c29d890fee28eb7b60dc7d71aada3743ec23099c640b71083f648594ad0d48fda09f36b228 +[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-windows-amd64.tar.gz) | e572c5c0e5265dfe882ad24d9f54146c8cf1173603ea634ccb73780814534a2b0cf616a7619dc9b7b660803f66ad5c4d9270bdd136328608e3a6094a2828d518 +[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-client-windows-arm64.tar.gz) | b15b9cd8f14231e2f3418e3db697318a9b2ed5f510c6e36073ae65b14b515a7c50a62574edad27b394359a8ce3f4353ffff02bca99c58c76fedf28d4ce86879c + +### Server Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-server-linux-amd64.tar.gz) | 9a463f9383e5425c88c81ed55928bb289cdfe206ecd5dba99d13ab3ecdee675448e1c01ee4f9d073e4b992fd7345390ad936ba216fd7a941ca73b1ace0dea85e +[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-server-linux-arm64.tar.gz) | 2f9a3959790b18e6adaf7a9dca5fea513e1a3fdc01206905320674e0c0e9fc75aea6e606e24dc84ae8459d656ba4e55cbdea09f784f3eba190a1fc20433006a0 +[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-server-linux-ppc64le.tar.gz) | 04707206ae70c25d0c6b79f31c6c21d11da20bb243f3e8b15e0a49bce866077f5e8ca0bea035bf0ee7a1dbc6f293c7dfbb625fd912a29a885d1063d73b8f2cfe +[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-server-linux-s390x.tar.gz) | d0056d6d09265a7cc7596c1439168605f0c51b2f97122ce68247017f5396bfa1869892b0cf636bef197660525832a7b8d9cffd16be6a5b378bac55ac14ea8de6 + +### Node Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-node-linux-amd64.tar.gz) | 
3472194408158f36cbc48d9682359c0b6deb545bc0d35c55ab167665a7bfff01be4784ba38df7ed729c25b6e44d29ad83e4389d4c69dba76e2dac91fa63ee193 +[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-node-linux-arm64.tar.gz) | c173f6c297b7144fa460fdb808a18c14d3218959ace7fcd03e7e00899a06b69382b46a329305d1f53600eefe8b0a31c6541c4857d1f5d0b78ea223ae119311c3 +[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-node-linux-ppc64le.tar.gz) | 9f3aaf6a690cab758fbbbf816b88a2c13cc61430b29c08e40185fb4e180d38511ef2ae7fb4578e1ddd910efa42a97bf56b7453180c502baae7e7608dbc669fbf +[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-node-linux-s390x.tar.gz) | 028dab834fb9f6b7543b116b62df5c838446c1ba281e449ea7eec2921fea19a0fbd234a156557dfc14c831620c177db3abe8d00452889cf6c3e0160a2a36f72b +[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.32.11/kubernetes-node-windows-amd64.tar.gz) | 07777166d8a17a736550a99133e6600769577d3f3e0234532216229740792fe31438a5ad60a8498c48c1cb1f5db11cc29876d19aea471cdda3dc564986249010 + +### Container Images + +All container images are available as manifest lists and support the described +architectures. It is also possible to pull a specific architecture directly by +adding the "-$ARCH" suffix to the container image name. 
+ +name | architectures +---- | ------------- +[registry.k8s.io/conformance:v1.32.11](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x) +[registry.k8s.io/kube-apiserver:v1.32.11](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x) +[registry.k8s.io/kube-controller-manager:v1.32.11](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), 
[s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x) +[registry.k8s.io/kube-proxy:v1.32.11](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x) +[registry.k8s.io/kube-scheduler:v1.32.11](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x) +[registry.k8s.io/kubectl:v1.32.11](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), 
[s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x) + +## Changelog since v1.32.10 + +## Changes by Kind + +### Feature + +- Kubernetes is now built using Go 1.24.10 ([#135508](https://github.com/kubernetes/kubernetes/pull/135508), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing] +- Kubernetes is now built using Go 1.24.11 ([#135614](https://github.com/kubernetes/kubernetes/pull/135614), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing] + +### Bug or Regression + +- Fixes a spurious "namespace not found" error possible in default configurations in 1.30+ when using ValidatingAdmissionPolicy or MutatingAdmissionPolicy to intercept namespaced objects in newly-created namespaces ([#135444](https://github.com/kubernetes/kubernetes/pull/135444), [@lalitc375](https://github.com/lalitc375)) [SIG API Machinery] +- Make / build: fix docker IP address detection ([#135578](https://github.com/kubernetes/kubernetes/pull/135578), [@BenTheElder](https://github.com/BenTheElder)) [SIG Release and Testing] +- The slow initialization of container runtime will not cause System WatchDog to kill kubelet. Device Manager is not considered healthy before it attempted to start listening on the port. 
([#135209](https://github.com/kubernetes/kubernetes/pull/135209), [@SergeyKanzhelev](https://github.com/SergeyKanzhelev)) [SIG Node] + +## Dependencies + +### Added +_Nothing has changed._ + +### Changed +_Nothing has changed._ + +### Removed +_Nothing has changed._ + + + +# v1.32.10 + + +## Downloads for v1.32.10 + + + +### Source Code + +filename | sha512 hash +-------- | ----------- +[kubernetes.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes.tar.gz) | a78839f0496b1fa3d96c8f536cdc0e5ee063af564d94cef2df321a5efd31f58e8ee4e12c6ed97e607bdcb9f5567a06271f447495f65a690acb434ef4998a95b8 +[kubernetes-src.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-src.tar.gz) | 614cd7035384779d5370eb1499250ad33db8bc43aed46f5eb53b6f6fe0524e01209cbc4df3b56ec320daa190c6c9fc11109dc78168a25519bba0b91c69ffa8e7 + +### Client Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-darwin-amd64.tar.gz) | e425a10ba71e22857b80bae74d290dfc3794d08b1f214168bf2a4a76e04ead20cb684f4fa2684eec39108144082cd3cdd7767fef4bc7ca139025522ccb3cfc7e +[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-darwin-arm64.tar.gz) | b234d43a9fcf73f58751165e78d14b7f008fee8191b993517781412a6415ff1f1bf54b913a23df3b298575014b3724ad58b44658d98bbb129e2ed3d9617a090b +[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-linux-386.tar.gz) | 64e35e8bbaf5dda4585008fcb8af745ad1d2ae3b2187db2e5d92fdd933ffa1c8914897aea5b128422f7e7adb5c18d6a022064bca542b19a6534ba12eef02bc92 +[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-linux-amd64.tar.gz) | 6495623903a3dd2f42e65f4a90edbb28c60a6bff351cecec7eca74836af0465e62a253afa48ca6ef939d692ebe1d0d282494496776ae314645cb3cc6858ad666 +[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-linux-arm.tar.gz) | 
7a870f1f8c2f15f4b4ca1e8bd07c24fb5efef03ba69b71b5f3da831167f9007828f6ae2ea4947fba323a282b7f3cd615eac116251557f097a38911e2b756dc06 +[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-linux-arm64.tar.gz) | 49f49ae3715595d7053975d0a1157d640794429882feed44c89df200eef9ea981c18f416df09c924176d5e7c87c6c81c94fddbc01e13d8193c45fcc03f4b8180 +[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-linux-ppc64le.tar.gz) | 78132e0e4e55935ba5f977fb0cc878f14e32d260f16a07f8cc7922d9f00321aa4db88d844ad72d2f94ffb0fffc9f15ba5ddff897fd64116c48b1f1c7b7768f0a +[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-linux-s390x.tar.gz) | 4ea7038bd2aaa1d8fe31f85ab078e3a8c20d8e7f2eb9d096cbbb1693a501a76937981cddb111359453693d0c07b98607322ca05f02a0dd96025ef4771ca14a56 +[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-windows-386.tar.gz) | b3b6c6c7f48ff7265f23502bc15faf0523cdc06215a561e9528e4002e65b815acaec14243092353f511e50d012dd656c21822c1b7f33892846d760451dd9072d +[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-windows-amd64.tar.gz) | 8ebac97032b64f01079f76035e867208d67a3372d1b1c72b94e76fd6eb5c82c7be6365c679cfcd1c07b81ac28572420f850cebe55deda5472eb286b04327c5c6 +[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-client-windows-arm64.tar.gz) | 591fe00592b4ec605b4a3cf0edea748fe68c8b8033f271757c0202242efb6806f3840b8184653716e66c35eb634d347004e63eedf67cc0d4ee783b9ed2a4dc43 + +### Server Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-server-linux-amd64.tar.gz) | eadc51664580896d50ed2241725c262185c1bc96da804ab9ceab73678e7c0038bd08508c93bf4c2d7ed2c285049252244e0c2e83fa613971f71872027870e188 +[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-server-linux-arm64.tar.gz) | 
d72b6952689c126f7db95f41abe9ccd31e69a514db158b1c2b603a3bdb2b854d8d55ff51f5329d6a009d66f07c5eac6eeda06f04e74cbafceffb5aea2d33f306 +[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-server-linux-ppc64le.tar.gz) | af234b76aafe8fe63078f95b01e685a5668c47e3207ce9a0e8d65663f495c604d040250abb97b9527ca4dd654f873293feed4a3dba82e5ea117aa2650bfd50a3 +[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-server-linux-s390x.tar.gz) | 01a7ffe86ac56f9a775137803b80fc51cae30f64f3baa07c4953f6135451b1a321abb9b97a818cb3a4097ec99dbe2fca5a04efd7c0e26b2cae99f10c41c44362 + +### Node Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-node-linux-amd64.tar.gz) | 12cc5f959ab61c63ff2434aa2000e4fa9bd2739cf9e31a521d712af9fb923cd7fa9a88d3eb9afb97ae8e907d6013fdeb122a4d6fe8084aba8f3909869f4a3362 +[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-node-linux-arm64.tar.gz) | f0aef1d3577ac6f41b2140ab3506b6f1693069922ff02ba143e6664346e183f8028b0aa599fccf6f8ac4a5acfa77c4415927f7e01aa93152186cb926bfa479b1 +[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-node-linux-ppc64le.tar.gz) | ab1e17a6ae538fed20a2b18a27324b3423a70c31567ca09c5287c79d02003c0ff4908540602efd13a04bd4bfb52bb9ee7402c8390e5181b12417636085edc3eb +[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-node-linux-s390x.tar.gz) | b5ee16af4c450a0811d04970a3f9ad0a1fae3b2f0f9c20f06d3812db52b5bb85a7399477e3061782acca097e677ab82fdb47319b590aad39aa9323f56861940e +[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.32.10/kubernetes-node-windows-amd64.tar.gz) | 580fc6b2d3d78746123abebe39478795736511c4ba8a1896ad56b882d547eb3e80ba83fb95eeb68c1277fc32a9974ed01be87e1f7d3a91734b0ea399e0491511 + +### Container Images + +All container images are available as manifest lists and support the described +architectures. 
It is also possible to pull a specific architecture directly by +adding the "-$ARCH" suffix to the container image name. + +name | architectures +---- | ------------- +[registry.k8s.io/conformance:v1.32.10](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x) +[registry.k8s.io/kube-apiserver:v1.32.10](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x) +[registry.k8s.io/kube-controller-manager:v1.32.10](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), 
[ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x) +[registry.k8s.io/kube-proxy:v1.32.10](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x) +[registry.k8s.io/kube-scheduler:v1.32.10](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x) +[registry.k8s.io/kubectl:v1.32.10](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), 
[ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x) + +## Changelog since v1.32.9 + +## Changes by Kind + +### Feature + +- Kubernetes is now built using Go 1.24.9 + - update setcap and debian-base to bookworm-v1.0.6 ([#134617](https://github.com/kubernetes/kubernetes/pull/134617), [@cpanato](https://github.com/cpanato)) [SIG Architecture, Auth, Cloud Provider, Etcd, Release, Storage and Testing] + +### Bug or Regression + +- Bump system-validators to v1.9.2: remove version-specific cgroup kernel config checks to avoid false failures on cgroup v2 systems when v1-only configs are missing. ([#134090](https://github.com/kubernetes/kubernetes/pull/134090), [@pacoxu](https://github.com/pacoxu)) [SIG Cluster Lifecycle] +- Fix Windows kube-proxy (winkernel) issue where stale RemoteEndpoints remained + when a Deployment was referenced by multiple Services due to premature clearing + of the terminatedEndpoints map. ([#135172](https://github.com/kubernetes/kubernetes/pull/135172), [@princepereira](https://github.com/princepereira)) [SIG Network and Windows] +- Fix Windows kube-proxy to prevent intermittent deletion of ClusterIP load balancers in HNS when internalTrafficPolicy=Local, ensuring stable service connectivity. ([#134033](https://github.com/kubernetes/kubernetes/pull/134033), [@princepereira](https://github.com/princepereira)) [SIG Network and Windows] +- Fix the bug which could result in Job status updates failing with the error: + status.startTime: Required value: startTime cannot be removed for unsuspended job + The error could be raised after a Job is resumed, if started and suspended previously. 
([#135128](https://github.com/kubernetes/kubernetes/pull/135128), [@dejanzele](https://github.com/dejanzele)) [SIG Apps and Testing] +- Fix: The requests for a config FromClass in the status of a ResourceClaim were not referenced. ([#135109](https://github.com/kubernetes/kubernetes/pull/135109), [@LionelJouin](https://github.com/LionelJouin)) [SIG Node] +- Kubeadm: avoid panicing if the user has malformed the kubeconfig in the cluster-info config map to not include a valid current context. Include proper validation at the appropriate locations and throw errors instead. ([#134725](https://github.com/kubernetes/kubernetes/pull/134725), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle] +- Kubeadm: fixed a bug where the node registration information for a given node was not fetched correctly during "kubeadm upgrade node" and the node name can end up being incorrect in cases where the node name is not the same as the host name. ([#134364](https://github.com/kubernetes/kubernetes/pull/134364), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle] +- Kubeadm: fixes a preflight check that can fail hostname construction in IPV6 setups ([#134591](https://github.com/kubernetes/kubernetes/pull/134591), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth, Cloud Provider, Cluster Lifecycle and Testing] +- Reduce event spam during volume operation errors in Portworx in-tree driver ([#135193](https://github.com/kubernetes/kubernetes/pull/135193), [@gohilankit](https://github.com/gohilankit)) [SIG Storage] + +### Other (Cleanup or Flake) + +- Kubeadm: updated the supported etcd version to v3.5.24 for the skewed control plane version v1.33. 
([#135019](https://github.com/kubernetes/kubernetes/pull/135019), [@hakman](https://github.com/hakman)) [SIG Cloud Provider, Cluster Lifecycle and Etcd] + +## Dependencies + +### Added +_Nothing has changed._ + +### Changed +- k8s.io/system-validators: v1.9.1 → v1.9.2 + +### Removed +_Nothing has changed._ + + + # v1.32.9 diff --git a/deps/github.com/openshift/kubernetes/build/build-image/cross/VERSION b/deps/github.com/openshift/kubernetes/build/build-image/cross/VERSION index 530e204da0..319e848699 100644 --- a/deps/github.com/openshift/kubernetes/build/build-image/cross/VERSION +++ b/deps/github.com/openshift/kubernetes/build/build-image/cross/VERSION @@ -1 +1 @@ -v1.32.0-go1.24.9-bullseye.0 +v1.32.0-go1.24.12-bullseye.0 diff --git a/deps/github.com/openshift/kubernetes/build/common.sh b/deps/github.com/openshift/kubernetes/build/common.sh index fc090b94a6..973ca95b3a 100755 --- a/deps/github.com/openshift/kubernetes/build/common.sh +++ b/deps/github.com/openshift/kubernetes/build/common.sh @@ -97,8 +97,8 @@ readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}" readonly KUBE_CONTAINER_RSYNC_PORT=8730 # These are the default versions (image tags) for their respective base images. -readonly __default_distroless_iptables_version=v0.7.11 -readonly __default_go_runner_version=v2.4.0-go1.24.9-bookworm.0 +readonly __default_distroless_iptables_version=v0.7.14 +readonly __default_go_runner_version=v2.4.0-go1.24.12-bookworm.0 readonly __default_setcap_version=bookworm-v1.0.6 # These are the base images for the Docker-wrapped binaries. 
@@ -621,7 +621,7 @@ function kube::build::start_rsyncd_container() { fi local container_ip - container_ip=$("${DOCKER[@]}" inspect --format '{{ .NetworkSettings.IPAddress }}' "${KUBE_RSYNC_CONTAINER_NAME}") + container_ip=$("${DOCKER[@]}" inspect --format '{{range .NetworkSettings.Networks}}{{.IPAddress}},{{end}}' "${KUBE_RSYNC_CONTAINER_NAME}" | cut -d',' -f1) # Sometimes we can reach rsync through localhost and a NAT'd port. Other # times (when we are running in another docker container on the Jenkins diff --git a/deps/github.com/openshift/kubernetes/build/dependencies.yaml b/deps/github.com/openshift/kubernetes/build/dependencies.yaml index 114ca1ed72..ab884553ff 100644 --- a/deps/github.com/openshift/kubernetes/build/dependencies.yaml +++ b/deps/github.com/openshift/kubernetes/build/dependencies.yaml @@ -112,7 +112,7 @@ dependencies: # Golang - name: "golang: upstream version" - version: 1.24.9 + version: 1.24.12 refPaths: - path: .go-version - path: build/build-image/cross/VERSION @@ -137,7 +137,7 @@ dependencies: match: golang:([0-9]+\.[0-9]+).0-bullseye - name: "registry.k8s.io/kube-cross: dependents" - version: v1.32.0-go1.24.9-bullseye.0 + version: v1.32.0-go1.24.12-bullseye.0 refPaths: - path: build/build-image/cross/VERSION @@ -175,7 +175,7 @@ dependencies: match: registry\.k8s\.io\/build-image\/debian-base:[a-zA-Z]+\-v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?) - name: "registry.k8s.io/distroless-iptables: dependents" - version: v0.7.11 + version: v0.7.14 refPaths: - path: build/common.sh match: __default_distroless_iptables_version= 
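Review bot: The new `container_ip` assignment in `kube::build::start_rsyncd_container` pipes `docker inspect` into `cut -d',' -f1`, so the assignment takes the exit status of `cut`. A failed inspect then leaves `container_ip` empty without any error unless `pipefail` is in effect, which this hunk does not show. The template also joins the address of every attached network and keeps only the first field, so a container on several networks, or one whose first entry has no `IPAddress`, can yield an empty or unintended address. I would add a guard right after the assignment, `[[ -n "${container_ip}" ]] || { echo "rsyncd container has no IP address" >&2; return 1; }`, and a one-line comment saying that the first network's address is taken on purpose. The function body continues outside the hunk, so whether an empty value is already handled further down cannot be seen from here.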
@@ -183,7 +183,7 @@ dependencies: match: configs\[DistrolessIptables\] = Config{list\.BuildImageRegistry, "distroless-iptables", "v([0-9]+)\.([0-9]+)\.([0-9]+)"} - name: "registry.k8s.io/go-runner: dependents" - version: v2.4.0-go1.24.9-bookworm.0 + version: v2.4.0-go1.24.12-bookworm.0 refPaths: - path: build/common.sh match: __default_go_runner_version= diff --git a/deps/github.com/openshift/kubernetes/cluster/gce/config-default.sh b/deps/github.com/openshift/kubernetes/cluster/gce/config-default.sh index 0d4b4d0f10..ae28d5cf64 100755 --- a/deps/github.com/openshift/kubernetes/cluster/gce/config-default.sh +++ b/deps/github.com/openshift/kubernetes/cluster/gce/config-default.sh @@ -88,7 +88,7 @@ fi # By default, the latest image from the image family will be used unless an # explicit image will be set. GCI_VERSION=${KUBE_GCI_VERSION:-} -IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-109-lts} +IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-121-lts} export MASTER_IMAGE=${KUBE_GCE_MASTER_IMAGE:-} export MASTER_IMAGE_FAMILY=${KUBE_GCE_MASTER_IMAGE_FAMILY:-${IMAGE_FAMILY}} export MASTER_IMAGE_PROJECT=${KUBE_GCE_MASTER_PROJECT:-cos-cloud} diff --git a/deps/github.com/openshift/kubernetes/cluster/gce/config-test.sh b/deps/github.com/openshift/kubernetes/cluster/gce/config-test.sh index 98e7b9a1ba..f3fd32002a 100755 --- a/deps/github.com/openshift/kubernetes/cluster/gce/config-test.sh +++ b/deps/github.com/openshift/kubernetes/cluster/gce/config-test.sh @@ -101,7 +101,7 @@ ALLOWED_NOTREADY_NODES=${ALLOWED_NOTREADY_NODES:-$(($(get-num-nodes) / 100))} # By default, the latest image from the image family will be used unless an # explicit image will be set. GCI_VERSION=${KUBE_GCI_VERSION:-} -IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-109-lts} +IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-121-lts} export MASTER_IMAGE=${KUBE_GCE_MASTER_IMAGE:-} export MASTER_IMAGE_FAMILY=${KUBE_GCE_MASTER_IMAGE_FAMILY:-${IMAGE_FAMILY}} export MASTER_IMAGE_PROJECT=${KUBE_GCE_MASTER_PROJECT:-cos-cloud} 
diff --git a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/apis/kubeadm/types.go b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/apis/kubeadm/types.go index 8f2005d278..d3db8aab69 100644 --- a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/apis/kubeadm/types.go +++ b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/apis/kubeadm/types.go @@ -165,6 +165,7 @@ type ControlPlaneComponent struct { // An argument name in this list is the flag name as it appears on the // command line except without leading dash(es). Extra arguments will override existing // default arguments. Duplicate extra arguments are allowed. + // The default arguments are sorted alpha-numerically but the extra arguments are not. ExtraArgs []Arg // ExtraVolumes is an extra set of host volumes, mounted to the control plane component. @@ -247,6 +248,7 @@ type NodeRegistrationOptions struct { // Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. // An argument name in this list is the flag name as it appears on the command line except without leading dash(es). // Extra arguments will override existing default arguments. Duplicate extra arguments are allowed. + // The default arguments are sorted alpha-numerically but the extra arguments are not. KubeletExtraArgs []Arg // IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. @@ -298,6 +300,7 @@ type LocalEtcd struct { // An argument name in this list is the flag name as it appears on the // command line except without leading dash(es). Extra arguments will override existing // default arguments. Duplicate extra arguments are allowed. + // The default arguments are sorted alpha-numerically but the extra arguments are not. ExtraArgs []Arg // ExtraEnvs is an extra set of environment variables to pass to the control plane component. 
diff --git a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta4/types.go b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta4/types.go index 519b6bf09d..d85f85eb8e 100644 --- a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta4/types.go +++ b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta4/types.go @@ -170,6 +170,7 @@ type ControlPlaneComponent struct { // An argument name in this list is the flag name as it appears on the // command line except without leading dash(es). Extra arguments will override existing // default arguments. Duplicate extra arguments are allowed. + // The default arguments are sorted alpha-numerically but the extra arguments are not. // +optional ExtraArgs []Arg `json:"extraArgs,omitempty"` @@ -260,6 +261,7 @@ type NodeRegistrationOptions struct { // Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. // An argument name in this list is the flag name as it appears on the command line except without leading dash(es). // Extra arguments will override existing default arguments. Duplicate extra arguments are allowed. + // The default arguments are sorted alpha-numerically but the extra arguments are not. // +optional KubeletExtraArgs []Arg `json:"kubeletExtraArgs,omitempty"` @@ -321,6 +323,7 @@ type LocalEtcd struct { // An argument name in this list is the flag name as it appears on the // command line except without leading dash(es). Extra arguments will override existing // default arguments. Duplicate extra arguments are allowed. + // The default arguments are sorted alpha-numerically but the extra arguments are not. // +optional ExtraArgs []Arg `json:"extraArgs,omitempty"` diff --git a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency.go b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency.go index bbe9862fa2..895879096e 100644 
--- a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency.go +++ b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency.go @@ -404,10 +404,7 @@ func PatchNodeOnce(client clientset.Interface, nodeName string, patchFn func(*v1 if _, err := client.CoreV1().Nodes().Patch(ctx, n.Name, types.StrategicMergePatchType, patchBytes, metav1.PatchOptions{}); err != nil { *lastError = errors.Wrapf(err, "error patching Node %q", n.Name) - if apierrors.IsTimeout(err) || apierrors.IsConflict(err) || apierrors.IsServerTimeout(err) || apierrors.IsServiceUnavailable(err) { - return false, nil - } - return false, *lastError + return false, nil } return true, nil diff --git a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency_test.go b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency_test.go index 9acea1153a..56beb15fac 100644 --- a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency_test.go +++ b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency_test.go 
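Review bot: The Patch error branch in PatchNodeOnce now returns `false, nil` for every error, so a permanent failure such as a forbidden or invalid request is retried until the caller's poll gives up, and a denied patch looks like a slow one until the timeout. If retrying everything is intended, say so at the return, e.g. `// Retry on any error; the poll timeout bounds the loop and lastError reports the cause.` Otherwise keep a fast exit for errors that cannot succeed on retry, such as `if apierrors.IsForbidden(err) || apierrors.IsInvalid(err) { return false, *lastError }`. The function starts and ends outside the hunk, and whether `apierrors` is still used elsewhere in the file after this removal cannot be seen here.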
@@ -858,54 +858,6 @@ func TestPatchNodeOnce(t *testing.T) { }, success: false, }, - { - name: "patch node when timeout", - lookupName: "testnode", - node: v1.Node{ - ObjectMeta: metav1.ObjectMeta{ - Name: "testnode", - Labels: map[string]string{v1.LabelHostname: ""}, - }, - }, - success: false, - fakeError: apierrors.NewTimeoutError("fake timeout", -1), - }, - { - name: "patch node when conflict", - lookupName: "testnode", - node: v1.Node{ - ObjectMeta: metav1.ObjectMeta{ - Name: "testnode", - Labels: map[string]string{v1.LabelHostname: ""}, - }, - }, - success: false, - fakeError: apierrors.NewConflict(schema.GroupResource{}, "fake conflict", nil), - }, - { - name: "patch node when there is a server timeout", - lookupName: "testnode", - node: v1.Node{ - ObjectMeta: metav1.ObjectMeta{ - Name: "testnode", - Labels: map[string]string{v1.LabelHostname: ""}, - }, - }, - success: false, - fakeError: apierrors.NewServerTimeout(schema.GroupResource{}, "fake server timeout", 1), - }, - { - name: "patch node when the service is unavailable", - lookupName: "testnode", - node: v1.Node{ - ObjectMeta: metav1.ObjectMeta{ - Name: "testnode", - Labels: map[string]string{v1.LabelHostname: ""}, - }, - }, - success: false, - fakeError: apierrors.NewServiceUnavailable("fake service unavailable"), - }, { name: "patch node failed with unknown error", lookupName: "testnode", diff --git a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/arguments.go b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/arguments.go index 342fadca97..942f57a56a 100644 --- a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/arguments.go +++ b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/arguments.go 
@@ -30,37 +30,34 @@ import ( ) // ArgumentsToCommand takes two Arg slices, one with the base arguments and one -// with optional override arguments. In the return list override arguments will precede base -// arguments. If an argument is present in the overrides, it will cause +// with optional override arguments. In the return list, base arguments will precede +// override arguments. If an argument is present in the overrides, it will cause // all instances of the same argument in the base list to be discarded, leaving // only the instances of this argument in the overrides to be applied. -func ArgumentsToCommand(base []kubeadmapi.Arg, overrides []kubeadmapi.Arg) []string { - var command []string - // Copy the overrides arguments into a new slice. - args := make([]kubeadmapi.Arg, len(overrides)) - copy(args, overrides) +func ArgumentsToCommand(base, overrides []kubeadmapi.Arg) []string { + // Sort only the base. + sortArgsSlice(&base) - // overrideArgs is a set of args which will replace the args defined in the base + // Collect all overrides in a set. overrideArgs := sets.New[string]() for _, arg := range overrides { overrideArgs.Insert(arg.Name) } + // Append only the base args that do not have overrides. + args := make([]kubeadmapi.Arg, 0, len(base)+len(overrides)) for _, arg := range base { if !overrideArgs.Has(arg.Name) { args = append(args, arg) } } - sort.Slice(args, func(i, j int) bool { - if args[i].Name == args[j].Name { - return args[i].Value < args[j].Value - } - return args[i].Name < args[j].Name - }) + // Append the overrides. + args = append(args, overrides...) - for _, arg := range args { - command = append(command, fmt.Sprintf("--%s=%s", arg.Name, arg.Value)) + command := make([]string, len(args)) + for i, arg := range args { + command[i] = fmt.Sprintf("--%s=%s", arg.Name, arg.Value) } return command 
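Review bot: `sortArgsSlice(&base)` at the top of ArgumentsToCommand sorts the caller's slice in place, which the previous version never did because it sorted a freshly built slice. A caller that reuses `base` afterwards sees it reordered, and concurrent callers sharing one defaults slice would write to the same backing array. Sort a copy instead: `sorted := append([]kubeadmapi.Arg(nil), base...)` followed by `sortArgsSlice(&sorted)`, then range over `sorted`. The doc comment could also state that overrides keep the caller's order, since the resulting flag order now depends on it.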
@@ -86,12 +83,8 @@ func ArgumentsFromCommand(command []string) []kubeadmapi.Arg { args = append(args, kubeadmapi.Arg{Name: key, Value: val}) } - sort.Slice(args, func(i, j int) bool { - if args[i].Name == args[j].Name { - return args[i].Value < args[j].Value - } - return args[i].Name < args[j].Name - }) + sortArgsSlice(&args) + return args } @@ -118,3 +111,14 @@ func parseArgument(arg string) (string, string, error) { return keyvalSlice[0], keyvalSlice[1], nil } + +// sortArgsSlice sorts a slice of Args alpha-numerically. +func sortArgsSlice(argsPtr *[]kubeadmapi.Arg) { + args := *argsPtr + sort.Slice(args, func(i, j int) bool { + if args[i].Name == args[j].Name { + return args[i].Value < args[j].Value + } + return args[i].Name < args[j].Name + }) +} diff --git a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/arguments_test.go b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/arguments_test.go index a796293fb1..da8b2fc589 100644 --- a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/arguments_test.go +++ b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/arguments_test.go @@ -41,8 +41,8 @@ func TestArgumentsToCommand(t *testing.T) { {Name: "admission-control", Value: "NamespaceLifecycle,LimitRanger"}, }, expected: []string{ - "--admission-control=NamespaceLifecycle,LimitRanger", "--allow-privileged=true", + "--admission-control=NamespaceLifecycle,LimitRanger", }, }, { @@ -56,9 +56,9 @@ func TestArgumentsToCommand(t *testing.T) { {Name: "tls-sni-cert-key", Value: "/some/new/path/subpath"}, }, expected: []string{ + "--token-auth-file=/token", "--tls-sni-cert-key=/some/new/path", "--tls-sni-cert-key=/some/new/path/subpath", - "--token-auth-file=/token", }, }, { @@ -72,8 +72,8 @@ func TestArgumentsToCommand(t *testing.T) { {Name: "tls-sni-cert-key", Value: "/some/new/path"}, }, expected: []string{ - "--tls-sni-cert-key=/some/new/path", "--token-auth-file=/token", + "--tls-sni-cert-key=/some/new/path", }, }, { 
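Review bot: In the hunk that adds sortArgsSlice, the helper takes `*[]kubeadmapi.Arg` although `sort.Slice` already reorders the elements through the slice value, so the pointer adds nothing and forces `&` at each call site. `func sortArgsSlice(args []kubeadmapi.Arg)` with `sortArgsSlice(args)` at the callers is simpler. Its comment should also say that the sort is in place and orders by name, then by value.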
@@ -85,8 +85,8 @@ func TestArgumentsToCommand(t *testing.T) { {Name: "admission-control", Value: "NamespaceLifecycle,LimitRanger"}, }, expected: []string{ - "--admission-control=NamespaceLifecycle,LimitRanger", "--allow-privileged=true", + "--admission-control=NamespaceLifecycle,LimitRanger", }, }, { @@ -99,9 +99,9 @@ func TestArgumentsToCommand(t *testing.T) { {Name: "admission-control", Value: "NamespaceLifecycle,LimitRanger"}, }, expected: []string{ - "--admission-control=NamespaceLifecycle,LimitRanger", "--allow-privileged=true", "--something-that-allows-empty-string=", + "--admission-control=NamespaceLifecycle,LimitRanger", }, }, { @@ -115,11 +115,31 @@ func TestArgumentsToCommand(t *testing.T) { {Name: "something-that-allows-empty-string", Value: ""}, }, expected: []string{ - "--admission-control=NamespaceLifecycle,LimitRanger", "--allow-privileged=true", + "--admission-control=NamespaceLifecycle,LimitRanger", "--something-that-allows-empty-string=", }, }, + { + name: "base are sorted and overrides are not", + base: []kubeadmapi.Arg{ + {Name: "b", Value: "true"}, + {Name: "c", Value: "true"}, + {Name: "a", Value: "true"}, + }, + overrides: []kubeadmapi.Arg{ + {Name: "e", Value: "true"}, + {Name: "b", Value: "true"}, + {Name: "d", Value: "true"}, + }, + expected: []string{ + "--a=true", + "--c=true", + "--e=true", + "--b=true", + "--d=true", + }, + }, } for _, rt := range tests { @@ -189,6 +209,21 @@ func TestArgumentsFromCommand(t *testing.T) { {Name: "tls-sni-cert-key", Value: "/some/path/subpath"}, }, }, + { + name: "args are sorted", + args: []string{ + "--c=foo", + "--a=foo", + "--b=foo", + "--b=bar", + }, + expected: []kubeadmapi.Arg{ + {Name: "a", Value: "foo"}, + {Name: "b", Value: "bar"}, + {Name: "b", Value: "foo"}, + {Name: "c", Value: "foo"}, + }, + }, } for _, rt := range tests { 
diff --git a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd.go b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd.go index 8dba40b85d..a8724c16fc 100644 --- a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd.go +++ b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd.go @@ -284,31 +284,42 @@ type Member struct { PeerURL string } +func (c *Client) listMembersOnce() (*clientv3.MemberListResponse, error) { + cli, err := c.newEtcdClient(c.Endpoints) + if err != nil { + return nil, err + } + defer func() { _ = cli.Close() }() + + ctx, cancel := context.WithTimeout(context.Background(), etcdTimeout) + resp, err := cli.MemberList(ctx) + cancel() + if err == nil { + return resp, nil + } + klog.V(5).Infof("Failed to get etcd member list: %v", err) + return nil, err +} + func (c *Client) listMembers(timeout time.Duration) (*clientv3.MemberListResponse, error) { // Gets the member list - var lastError error - var resp *clientv3.MemberListResponse + var ( + err error + lastError error + resp *clientv3.MemberListResponse + ) + if timeout == 0 { timeout = kubeadmapi.GetActiveTimeouts().EtcdAPICall.Duration } - err := wait.PollUntilContextTimeout(context.Background(), constants.EtcdAPICallRetryInterval, timeout, + err = wait.PollUntilContextTimeout(context.Background(), constants.EtcdAPICallRetryInterval, timeout, true, func(_ context.Context) (bool, error) { - cli, err := c.newEtcdClient(c.Endpoints) + resp, err = c.listMembersOnce() if err != nil { lastError = err - return false, nil - } - defer func() { _ = cli.Close() }() - - ctx, cancel := context.WithTimeout(context.Background(), etcdTimeout) - resp, err = cli.MemberList(ctx) - cancel() - if err == nil { - return true, nil + return false, err } - klog.V(5).Infof("Failed to get etcd member list: %v", err) - lastError = err - return false, nil + return true, nil }) if err != nil { return nil, lastError 
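Review bot: In listMembers the poll condition now ends with `return false, err` when listMembersOnce fails, and a non-nil error from the condition stops `wait.PollUntilContextTimeout` at once, so the first failed attempt is final and the retry interval and timeout no longer apply. The removed code returned `false, nil` to keep polling; do the same after recording `lastError = err`. The closure also assigns the outer `err` that receives the poll's own result, which a local `r, listErr := c.listMembersOnce()` would avoid. listMembersOnce has no doc comment; one line saying that it makes a single attempt bounded by `etcdTimeout` and closes its client would help.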
@@ -528,38 +539,74 @@ func (c *Client) addMember(name string, peerAddrs string, isLearner bool) ([]Mem return ret, nil } -// isLearner returns true if the given member ID is a learner. -func (c *Client) isLearner(memberID uint64) (bool, error) { - resp, err := c.listMembersFunc(0) +// getMemberStatus returns the status of the given member ID. +// It returns whether the member is a learner and whether it is started. +func (c *Client) getMemberStatus(memberID uint64) (isLearner bool, started bool, err error) { + resp, err := c.listMembersOnce() if err != nil { - return false, err + return false, false, err } + var m *etcdserverpb.Member for _, member := range resp.Members { - if member.ID == memberID && member.IsLearner { - return true, nil + if member.ID == memberID { + m = member + break } } - return false, nil + if m == nil { + return false, false, fmt.Errorf("member %s not found", strconv.FormatUint(memberID, 16)) + } + + started = true + // There is no field for "started". + // If the member is not started, the Name and ClientURLs fields are set to their respective zero values. + if len(m.Name) == 0 { + started = false + } + + return m.IsLearner, started, nil } // MemberPromote promotes a member as a voting member. If the given member ID is already a voting member this method -// will return early and do nothing. +// will return early and do nothing. It waits for the member to be started before attempting to promote. 
func (c *Client) MemberPromote(learnerID uint64) error { - isLearner, err := c.isLearner(learnerID) + var ( + lastError error + learnerIDUint = strconv.FormatUint(learnerID, 16) + ) + + klog.V(1).Infof("[etcd] Waiting for a learner to start: %s", learnerIDUint) + + err := wait.PollUntilContextTimeout(context.Background(), constants.EtcdAPICallRetryInterval, kubeadmapi.GetActiveTimeouts().EtcdAPICall.Duration, + true, func(_ context.Context) (bool, error) { + isLearner, started, err := c.getMemberStatus(learnerID) + if err != nil { + lastError = errors.WithMessagef(err, "failed to get member %s status", learnerIDUint) + return false, nil + } + if !isLearner { + klog.V(1).Infof("[etcd] Member %s was already promoted.", learnerIDUint) + return true, nil + } + if !started { + klog.V(1).Infof("[etcd] Member %s is not started yet. Waiting for it to be started.", learnerIDUint) + lastError = errors.Errorf("the etcd member %s is not started", learnerIDUint) + return false, nil + } + return true, nil + }) if err != nil { - return err - } - if !isLearner { - klog.V(1).Infof("[etcd] Member %s already promoted.", strconv.FormatUint(learnerID, 16)) - return nil + return lastError } - klog.V(1).Infof("[etcd] Promoting a learner as a voting member: %s", strconv.FormatUint(learnerID, 16)) + klog.V(1).Infof("[etcd] Promoting a learner as a voting member: %s", learnerIDUint) + cli, err := c.newEtcdClient(c.Endpoints) if err != nil { return err } + defer func() { _ = cli.Close() }() // TODO: warning logs from etcd client should be removed. 
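Review bot: A member that is already a voting member no longer returns early from MemberPromote: the `!isLearner` branch of the new wait loop returns `true, nil`, which only ends the wait, and execution continues to `cli.MemberPromote`, although the updated doc comment still promises to return early and do nothing. The following hunk removes the same check from the promote loop, so nothing stops the call; etcd presumably rejects promoting a non-learner, and that error would be retried until the timeout. Record the outcome outside the closure, for example `promoted = true` in that branch and `if promoted { return nil }` after the wait. `learnerIDUint` holds the hexadecimal string from `strconv.FormatUint(learnerID, 16)`, so a name like `learnerIDHex` would read better. The function body continues outside the hunk.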
@@ -568,29 +615,16 @@ func (c *Client) MemberPromote(learnerID uint64) error { // 2. context deadline exceeded // 3. peer URLs already exists // Once the client provides a way to check if the etcd learner is ready to promote, the retry logic can be revisited. - var ( - lastError error - ) err = wait.PollUntilContextTimeout(context.Background(), constants.EtcdAPICallRetryInterval, kubeadmapi.GetActiveTimeouts().EtcdAPICall.Duration, true, func(_ context.Context) (bool, error) { ctx, cancel := context.WithTimeout(context.Background(), etcdTimeout) defer cancel() - - isLearner, err := c.isLearner(learnerID) - if err != nil { - return false, err - } - if !isLearner { - klog.V(1).Infof("[etcd] Member %s was already promoted.", strconv.FormatUint(learnerID, 16)) - return true, nil - } - _, err = cli.MemberPromote(ctx, learnerID) if err == nil { - klog.V(1).Infof("[etcd] The learner was promoted as a voting member: %s", strconv.FormatUint(learnerID, 16)) + klog.V(1).Infof("[etcd] The learner was promoted as a voting member: %s", learnerIDUint) return true, nil } - klog.V(5).Infof("[etcd] Promoting the learner %s failed: %v", strconv.FormatUint(learnerID, 16), err) + klog.V(5).Infof("[etcd] Promoting the learner %s failed: %v", learnerIDUint, err) lastError = err return false, nil }) diff --git a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd_test.go b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd_test.go index cbdba0f295..d88968f6f9 100644 --- a/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd_test.go +++ b/deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd_test.go 
@@ -637,18 +637,19 @@ func TestListMembers(t *testing.T) { } } -func TestIsLearner(t *testing.T) { +func TestGetMemberStatus(t *testing.T) { type fields struct { Endpoints []string newEtcdClient func(endpoints []string) (etcdClient, error) listMembersFunc func(timeout time.Duration) (*clientv3.MemberListResponse, error) } tests := []struct { - name string - fields fields - memberID uint64 - want bool - wantError bool + name string + fields fields + memberID uint64 + wantLearner bool + wantStarted bool + wantError bool }{ { name: "The specified member is not a learner", @@ -670,8 +671,9 @@ func TestIsLearner(t *testing.T) { return f, nil }, }, - memberID: 1, - want: false, + memberID: 1, + wantLearner: false, + wantStarted: true, }, { name: "The specified member is a learner", @@ -700,8 +702,9 @@ func TestIsLearner(t *testing.T) { return f, nil }, }, - memberID: 1, - want: true, + memberID: 1, + wantLearner: true, + wantStarted: true, }, { name: "The specified member does not exist", @@ -714,8 +717,10 @@ func TestIsLearner(t *testing.T) { return f, nil }, }, - memberID: 3, - want: false, + memberID: 3, + wantLearner: false, + wantStarted: false, + wantError: true, }, { name: "Learner ID is empty", @@ -736,7 +741,32 @@ func TestIsLearner(t *testing.T) { return f, nil }, }, - want: true, + wantLearner: true, + wantStarted: true, + }, + { + name: "Learner member is not started (no name)", + fields: fields{ + Endpoints: []string{}, + newEtcdClient: func(endpoints []string) (etcdClient, error) { + f := &fakeEtcdClient{ + members: []*pb.Member{ + { + ID: 1, + Name: "", + PeerURLs: []string{ + "https://member2:2380", + }, + IsLearner: true, + }, + }, + } + return f, nil + }, + }, + memberID: 1, + wantLearner: true, + wantStarted: false, }, { name: "ListMembers returns an error", 
@@ -760,8 +790,10 @@ func TestIsLearner(t *testing.T) { return nil, errNotImplemented }, }, - want: false, - wantError: true, + memberID: 1, + wantLearner: false, + wantStarted: false, + wantError: true, }, } for _, tt := range tests { @@ -778,12 +810,15 @@ func TestIsLearner(t *testing.T) { return resp, nil } } - got, err := c.isLearner(tt.memberID) - if got != tt.want { - t.Errorf("isLearner() = %v, want %v", got, tt.want) + gotLearner, gotStarted, err := c.getMemberStatus(tt.memberID) + if gotLearner != tt.wantLearner { + t.Errorf("getMemberStatus() isLearner = %v, want %v", gotLearner, tt.wantLearner) } - if (err != nil) != (tt.wantError) { - t.Errorf("isLearner() error = %v, wantError %v", err, tt.wantError) + if gotStarted != tt.wantStarted { + t.Errorf("getMemberStatus() started = %v, want %v", gotStarted, tt.wantStarted) + } + if (err != nil) != tt.wantError { + t.Errorf("getMemberStatus() error = %v, wantError %v", err, tt.wantError) } }) } diff --git a/deps/github.com/openshift/kubernetes/hack/lib/util.sh b/deps/github.com/openshift/kubernetes/hack/lib/util.sh index cae8a49920..ed067cc7a3 100755 --- a/deps/github.com/openshift/kubernetes/hack/lib/util.sh +++ b/deps/github.com/openshift/kubernetes/hack/lib/util.sh 
@@ -720,22 +720,22 @@ function kube::util::ensure-gnu-sed { kube::util::sourced_variable "${SED}" } -# kube::util::ensure-gnu-date +# kube::util::ensure-gnu-compatible-date # Determines which date binary is gnu-date on linux/darwin # # Sets: # DATE: The name of the gnu-date binary # -function kube::util::ensure-gnu-date { +function kube::util::ensure-gnu-compatible-date { # NOTE: the echo below is a workaround to ensure date is executed before the grep. # see: https://github.com/kubernetes/kubernetes/issues/87251 - date_help="$(LANG=C date --help 2>&1 || true)" - if echo "${date_help}" | grep -q "GNU\|BusyBox"; then + date_version="$(LANG=C date --version 2>&1 || true)" + if echo "${date_version}" | grep -q "GNU\|BusyBox\|uutils"; then DATE="date" elif command -v gdate &>/dev/null; then DATE="gdate" else - kube::log::error "Failed to find GNU date as date or gdate. If you are on Mac: brew install coreutils." >&2 + kube::log::error "Failed to find GNU-compatible date as date or gdate. If you are on Mac: brew install coreutils." >&2 return 1 fi kube::util::sourced_variable "${DATE}" diff --git a/deps/github.com/openshift/kubernetes/hack/lib/version.sh b/deps/github.com/openshift/kubernetes/hack/lib/version.sh index ae3853df38..9b6efaaff4 100644 --- a/deps/github.com/openshift/kubernetes/hack/lib/version.sh +++ b/deps/github.com/openshift/kubernetes/hack/lib/version.sh @@ -163,7 +163,7 @@ kube::version::ldflags() { ) } - kube::util::ensure-gnu-date + kube::util::ensure-gnu-compatible-date add_ldflag "buildDate" "$(${DATE} ${SOURCE_DATE_EPOCH:+"--date=@${SOURCE_DATE_EPOCH}"} -u +'%Y-%m-%dT%H:%M:%SZ')" if [[ -n ${KUBE_GIT_COMMIT-} ]]; then diff --git a/deps/github.com/openshift/kubernetes/openshift-hack/images/hyperkube/Dockerfile.rhel b/deps/github.com/openshift/kubernetes/openshift-hack/images/hyperkube/Dockerfile.rhel index 2ddcec7485..44da709016 100644 --- a/deps/github.com/openshift/kubernetes/openshift-hack/images/hyperkube/Dockerfile.rhel 
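Review bot: The header comment above kube::util::ensure-gnu-compatible-date still says it finds the binary that "is gnu-date" and that `DATE` names "the gnu-date binary", while the check now also accepts BusyBox and uutils. Reword both lines, e.g. `# Determines which date binary accepts GNU date options (GNU, BusyBox or uutils) on linux/darwin`. The rename also removes `kube::util::ensure-gnu-date`; the version.sh caller is updated in this patch, but any caller outside it would now fail, so a grep for the old name is worth doing. The `>&2` after `kube::log::error` is carried over from the old line and is probably redundant if that helper already writes to stderr.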
+++ b/deps/github.com/openshift/kubernetes/openshift-hack/images/hyperkube/Dockerfile.rhel @@ -14,4 +14,4 @@ COPY --from=builder /tmp/build/* /usr/bin/ LABEL io.k8s.display-name="OpenShift Kubernetes Server Commands" \ io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \ io.openshift.tags="openshift,hyperkube" \ - io.openshift.build.versions="kubernetes=1.32.10" \ No newline at end of file + io.openshift.build.versions="kubernetes=1.32.12" diff --git a/deps/github.com/openshift/kubernetes/pkg/controller/resourcequota/resource_quota_monitor.go b/deps/github.com/openshift/kubernetes/pkg/controller/resourcequota/resource_quota_monitor.go index d0d0f30b97..6e894a7941 100644 --- a/deps/github.com/openshift/kubernetes/pkg/controller/resourcequota/resource_quota_monitor.go +++ b/deps/github.com/openshift/kubernetes/pkg/controller/resourcequota/resource_quota_monitor.go @@ -78,8 +78,9 @@ type QuotaMonitor struct { // This channel is also protected by monitorLock. stopCh <-chan struct{} - // running tracks whether Run() has been called. - // it is protected by monitorLock. + // running is set to true when the Run() function has been called. + // It will revert to false when the Run() function receives a cancellation. + // It is protected by monitorLock. running bool // monitors are the producer of the resourceChanges queue @@ -331,6 +332,10 @@ func (qm *QuotaMonitor) Run(ctx context.Context) { // Stop any running monitors. qm.monitorLock.Lock() defer qm.monitorLock.Unlock() + // Mark as not running so that no new monitors can be started. + // Not doing this here could cause goroutine leaks and deadlocks since it would make it possible for startMonitors + // to proceed and start new monitors after stopMonitors has been called. + qm.running = false monitors := qm.monitors stopped := 0 for _, monitor := range monitors { 
@@ -339,6 +344,7 @@ func (qm *QuotaMonitor) Run(ctx context.Context) { close(monitor.stopCh) } } + qm.monitors = nil logger.Info("QuotaMonitor stopped monitors", "stopped", stopped, "total", len(monitors)) } diff --git a/deps/github.com/openshift/kubernetes/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go b/deps/github.com/openshift/kubernetes/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go index 312aa930a0..cee0fecef2 100644 --- a/deps/github.com/openshift/kubernetes/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go +++ b/deps/github.com/openshift/kubernetes/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go @@ -57,8 +57,8 @@ type server struct { chandler ClientHandler clients map[string]Client - // isStarted indicates whether the service has started successfully. - isStarted bool + // lastError records the last runtime error. A server is considered healthy till an actual error occurs. + lastError error } // NewServer returns an initialized device plugin registration server. @@ -117,7 +117,7 @@ func (s *server) Start() error { defer s.wg.Done() s.setHealthy() if err = s.grpc.Serve(ln); err != nil { - s.setUnhealthy() + s.setUnhealthy(err) klog.ErrorS(err, "Error while serving device plugin registration grpc server") } }() 
@@ -207,18 +207,19 @@ func (s *server) Name() string { } func (s *server) Check(_ *http.Request) error { - if s.isStarted { - return nil - } - return fmt.Errorf("device plugin registration gRPC server failed and no device plugins can register") + return s.lastError } // setHealthy sets the health status of the gRPC server. func (s *server) setHealthy() { - s.isStarted = true + s.lastError = nil } // setUnhealthy sets the health status of the gRPC server to unhealthy. -func (s *server) setUnhealthy() { - s.isStarted = false +func (s *server) setUnhealthy(err error) { + if err == nil { + s.lastError = fmt.Errorf("device registration error: device plugin registration gRPC server failed and no device plugins can register") + return + } + s.lastError = fmt.Errorf("device registration error: device plugin registration gRPC server failed and no device plugins can register: %w", err) } diff --git a/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go b/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go index 9c8d2305b2..e26b72398a 100644 --- a/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go +++ b/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go 
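Review bot: `lastError` is written by `setHealthy`/`setUnhealthy`, which the Start hunk calls around `s.grpc.Serve(ln)` in what appears to be a separate goroutine, and is read by `Check` with no synchronization. The health check can therefore race with the write, and an interface value is not updated atomically. Guard the field with a mutex, e.g. a `mu sync.RWMutex` next to `lastError`, locked in both setters and read-locked in `Check`. `Check` now also returns the wrapped Serve error, so whoever can read the health endpoint sees that text; confirm that is acceptable. No lock is visible in these hunks, though the struct is only partly shown.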
@@ -62,12 +62,19 @@ func foreachAllocatedDevice(claim *resourceapi.ResourceClaim, cb func(deviceID s // This is cheaper than repeatedly calling List, making strings unique, and building the set // each time PreFilter is called. // +// To simplify detecting concurrent changes, each modification bumps a revision counter, +// similar to ResourceVersion in the apiserver. Get and Capacities include the +// current value in their result. A caller than can compare againt the current value +// to determine whether some prior results are still up-to-date, without having to get +// and compare them. +// // All methods are thread-safe. Get returns a cloned set. type allocatedDevices struct { logger klog.Logger - mutex sync.RWMutex - ids sets.Set[structured.DeviceID] + mutex sync.RWMutex + revision int64 + ids sets.Set[structured.DeviceID] } func newAllocatedDevices(logger klog.Logger) *allocatedDevices { @@ -77,11 +84,18 @@ func newAllocatedDevices(logger klog.Logger) *allocatedDevices { } } -func (a *allocatedDevices) Get() sets.Set[structured.DeviceID] { +func (a *allocatedDevices) Get() (sets.Set[structured.DeviceID], int64) { a.mutex.RLock() defer a.mutex.RUnlock() - return a.ids.Clone() + return a.ids.Clone(), a.revision +} + +func (a *allocatedDevices) Revision() int64 { + a.mutex.RLock() + defer a.mutex.RUnlock() + + return a.revision } func (a *allocatedDevices) handlers() cache.ResourceEventHandler { @@ -147,8 +161,13 @@ func (a *allocatedDevices) addDevices(claim *resourceapi.ResourceClaim) { deviceIDs = append(deviceIDs, deviceID) }) + if len(deviceIDs) == 0 { + return + } + a.mutex.Lock() defer a.mutex.Unlock() + a.revision++ for _, deviceID := range deviceIDs { a.ids.Insert(deviceID) } @@ -169,6 +188,7 @@ func (a *allocatedDevices) removeDevices(claim *resourceapi.ResourceClaim) { a.mutex.Lock() defer a.mutex.Unlock() + a.revision++ for _, deviceID := range deviceIDs { a.ids.Delete(deviceID) } 
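Review bot: The new type comment on `allocatedDevices` has two typos that make the sentence hard to parse: `A caller than can compare againt the current value` should read `A caller can then compare against the current value`. It also names `Capacities`, which none of the hunks shown here define; that may be a leftover from a newer branch. Separately, `addDevices` now returns early without touching `revision` when `deviceIDs` is empty, while the `removeDevices` hunk bumps `revision` unconditionally after taking the lock. If `removeDevices` has no equivalent guard outside the hunk, an empty removal forces a needless retry in callers that compare revisions, and a matching `if len(deviceIDs) == 0 { return }` before `a.mutex.Lock()` would keep the two paths symmetric. Both function bodies start outside the hunks.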
diff --git a/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go b/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go index db10e126ac..eeca7c6711 100644 --- a/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go +++ b/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go @@ -18,6 +18,7 @@ package dynamicresources import ( "context" + "errors" "fmt" "sync" 
@@ -199,10 +200,29 @@ func (c *claimTracker) List() ([]*resourceapi.ResourceClaim, error) { return result, nil } +// errClaimTrackerConcurrentModification gets returned if ListAllAllocatedDevices +// or GatherAllocatedState need to be retried. +// +// There is a rare race when a claim is initially in-flight: +// - allocated is created from cache (claim not there) +// - someone removes from the in-flight claims and adds to the cache +// - we start checking in-flight claims (claim not there anymore) +// => claim ignored +// +// A proper fix would be to rewrite the assume cache, allocatedDevices, +// and the in-flight map so that they are under a single lock. But that's +// a pretty big change and prevents reusing the assume cache. So instead +// we check for changes in the set of allocated devices and keep trying +// until we get an attempt with no concurrent changes. +// +// A claim being first in the cache, then only in-flight cannot happen, +// so we don't need to re-check the in-flight claims. +var errClaimTrackerConcurrentModification = errors.New("conflicting concurrent modification") + func (c *claimTracker) ListAllAllocatedDevices() (sets.Set[structured.DeviceID], error) { // Start with a fresh set that matches the current known state of the // world according to the informers. - allocated := c.allocatedDevices.Get() + allocated, revision := c.allocatedDevices.Get() // Whatever is in flight also has to be checked. c.inFlightAllocations.Range(func(key, value any) bool { 
@@ -213,8 +233,13 @@ func (c *claimTracker) ListAllAllocatedDevices() (sets.Set[structured.DeviceID], }) return true }) - // There's no reason to return an error in this implementation, but the error might be helpful for other implementations. - return allocated, nil + + if revision == c.allocatedDevices.Revision() { + // Our current result is valid, nothing changed in the meantime. + return allocated, nil + } + + return nil, errClaimTrackerConcurrentModification } func (c *claimTracker) AssumeClaimAfterAPICall(claim *resourceapi.ResourceClaim) error { diff --git a/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go b/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go index 886a9b9c84..7fd297f2f0 100644 --- a/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go +++ b/deps/github.com/openshift/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go @@ -22,6 +22,7 @@ import ( "fmt" "slices" "sync" + "time" "github.com/google/go-cmp/cmp" @@ -33,6 +34,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/kubernetes" "k8s.io/client-go/util/retry" "k8s.io/component-helpers/scheduling/corev1/nodeaffinity" 
@@ -471,9 +473,25 @@ func (pl *DynamicResources) PreFilter(ctx context.Context, state *framework.Cycl // Claims (and thus their devices) are treated as "allocated" if they are in the assume cache // or currently their allocation is in-flight. This does not change // during filtering, so we can determine that once. - allAllocatedDevices, err := pl.draManager.ResourceClaims().ListAllAllocatedDevices() + // + // This might have to be retried in the unlikely case that some concurrent modification made + // the result invalid. + var allAllocatedDevices sets.Set[structured.DeviceID] + err = wait.PollUntilContextTimeout(ctx, time.Microsecond, 5*time.Second, true /* immediate */, func(context.Context) (bool, error) { + ad, err := pl.draManager.ResourceClaims().ListAllAllocatedDevices() + if err != nil { + if errors.Is(err, errClaimTrackerConcurrentModification) { + logger.V(6).Info("Conflicting modification during ListAllAllocatedDevices, trying again") + return false, nil + } + return false, err + } + // Done. + allAllocatedDevices = ad + return true, nil + }) if err != nil { - return nil, statusError(logger, err) + return nil, statusError(logger, fmt.Errorf("gather allocation state: %w", err)) } slices, err := pl.draManager.ResourceSlices().List() if err != nil { diff --git a/deps/github.com/openshift/kubernetes/pkg/scheduler/util/assumecache/assume_cache.go b/deps/github.com/openshift/kubernetes/pkg/scheduler/util/assumecache/assume_cache.go index c7392129cb..034ca18c86 100644 --- a/deps/github.com/openshift/kubernetes/pkg/scheduler/util/assumecache/assume_cache.go +++ b/deps/github.com/openshift/kubernetes/pkg/scheduler/util/assumecache/assume_cache.go @@ -124,6 +124,9 @@ type AssumeCache struct { // Synchronizes updates to all fields below. rwMutex sync.RWMutex + // cond is used by emitEvents. + cond *sync.Cond + // All registered event handlers. eventHandlers []cache.ResourceEventHandler handlerRegistration cache.ResourceEventHandlerRegistration 
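Review bot: The retry added to `PreFilter` polls with an interval of `time.Microsecond` for up to `5*time.Second`, so under sustained claim churn one scheduling cycle re-runs `ListAllAllocatedDevices` back to back for the whole window. Each attempt clones the full allocated set through `allocatedDevices.Get()`. When the window expires, the error wrapped by `gather allocation state: %w` is the poll's timeout, so the status no longer says that concurrent modification was the cause. Consider a coarser interval such as `time.Millisecond` or a bounded attempt count, and a comment next to the call stating the worst-case cost. The `err` declared inside the closure also shadows the outer `err`, so a name like `listErr` would read more clearly. `PreFilter` starts and ends outside the hunk.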
@@ -149,6 +152,9 @@ type AssumeCache struct { // of events would no longer be guaranteed. eventQueue queue.FIFO[func()] + // emittingEvents is true while one emitEvents call is actively emitting events. + emittingEvents bool + // describes the object stored description string @@ -195,6 +201,7 @@ func NewAssumeCache(logger klog.Logger, informer Informer, description, indexNam indexFunc: indexFunc, indexName: indexName, } + c.cond = sync.NewCond(&c.rwMutex) indexers := cache.Indexers{} if indexName != "" && indexFunc != nil { indexers[indexName] = c.objInfoIndexFunc @@ -507,8 +514,31 @@ func (c *AssumeCache) AddEventHandler(handler cache.ResourceEventHandler) cache. } // emitEvents delivers all pending events that are in the queue, in the order -// in which they were stored there (FIFO). +// in which they were stored there (FIFO). Only one goroutine at a time is +// delivering events, to ensure correct order. func (c *AssumeCache) emitEvents() { + c.rwMutex.Lock() + for c.emittingEvents { + // Wait for the active caller of emitEvents to finish. + // When it is done, it may or may not have drained + // the events pushed by our caller. + // We'll check below ourselves. + c.cond.Wait() + } + c.emittingEvents = true + c.rwMutex.Unlock() + + defer func() { + c.rwMutex.Lock() + c.emittingEvents = false + // Hand over the batton to one other goroutine, if there is one. + // We don't need to wake up more than one because only one of + // them would be able to grab the "emittingEvents" responsibility. + c.cond.Signal() + c.rwMutex.Unlock() + }() + + // When we get here, this instance of emitEvents is the active one. for { c.rwMutex.Lock() deliver, ok := c.eventQueue.Pop() diff --git a/deps/github.com/openshift/kubernetes/pkg/volume/csi/csi_block.go b/deps/github.com/openshift/kubernetes/pkg/volume/csi/csi_block.go index 80c6b088dd..3b1d0ac2ca 100644 --- a/deps/github.com/openshift/kubernetes/pkg/volume/csi/csi_block.go 
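Review bot: `emitEvents` now blocks in `c.cond.Wait()` while `emittingEvents` is true, so an event handler that synchronously triggers another `emitEvents` call from inside its callback would wait on itself, because the only `Signal` comes from the outer call's deferred function. Whether any registered handler does this cannot be told from the hunk (the delivery loop continues outside it), so the constraint belongs in the doc comment, for example `// Handlers must not call back into the cache in a way that emits events; a nested emitEvents would block.` The added comment also misspells `baton` as `batton`.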
+++ b/deps/github.com/openshift/kubernetes/pkg/volume/csi/csi_block.go @@ -68,7 +68,6 @@ package csi import ( "context" "errors" - "fmt" "os" "path/filepath" @@ -171,8 +170,8 @@ func (m *csiBlockMapper) stageVolumeForBlock( if csiSource.NodeStageSecretRef != nil { nodeStageSecrets, err = getCredentialsFromSecret(m.k8s, csiSource.NodeStageSecretRef) if err != nil { - return "", fmt.Errorf("failed to get NodeStageSecretRef %s/%s: %v", - csiSource.NodeStageSecretRef.Namespace, csiSource.NodeStageSecretRef.Name, err) + return "", volumetypes.NewTransientOperationFailure(log("failed to get NodeStageSecretRef %s/%s: %v", + csiSource.NodeStageSecretRef.Namespace, csiSource.NodeStageSecretRef.Name, err)) } } @@ -223,11 +222,11 @@ func (m *csiBlockMapper) publishVolumeForBlock( volAttribs := csiSource.VolumeAttributes podInfoEnabled, err := m.plugin.podInfoEnabled(string(m.driverName)) if err != nil { - return "", errors.New(log("blockMapper.publishVolumeForBlock failed to assemble volume attributes: %v", err)) + return "", volumetypes.NewTransientOperationFailure(log("blockMapper.publishVolumeForBlock failed to assemble volume attributes: %v", err)) } volumeLifecycleMode, err := m.plugin.getVolumeLifecycleMode(m.spec) if err != nil { - return "", errors.New(log("blockMapper.publishVolumeForBlock failed to get VolumeLifecycleMode: %v", err)) + return "", volumetypes.NewTransientOperationFailure(log("blockMapper.publishVolumeForBlock failed to get VolumeLifecycleMode: %v", err)) } if podInfoEnabled { volAttribs = mergeMap(volAttribs, getPodInfoAttrs(m.pod, volumeLifecycleMode)) 
@@ -237,7 +236,7 @@ func (m *csiBlockMapper) publishVolumeForBlock( if csiSource.NodePublishSecretRef != nil { nodePublishSecrets, err = getCredentialsFromSecret(m.k8s, csiSource.NodePublishSecretRef) if err != nil { - return "", errors.New(log("blockMapper.publishVolumeForBlock failed to get NodePublishSecretRef %s/%s: %v", + return "", volumetypes.NewTransientOperationFailure(log("blockMapper.publishVolumeForBlock failed to get NodePublishSecretRef %s/%s: %v", csiSource.NodePublishSecretRef.Namespace, csiSource.NodePublishSecretRef.Name, err)) } } @@ -304,7 +303,7 @@ func (m *csiBlockMapper) SetUpDevice() (string, error) { attachID := getAttachmentName(csiSource.VolumeHandle, csiSource.Driver, nodeName) attachment, err = m.k8s.StorageV1().VolumeAttachments().Get(context.TODO(), attachID, meta.GetOptions{}) if err != nil { - return "", errors.New(log("blockMapper.SetupDevice failed to get volume attachment [id=%v]: %v", attachID, err)) + return "", volumetypes.NewTransientOperationFailure(log("blockMapper.SetupDevice failed to get volume attachment [id=%v]: %v", attachID, err)) } } @@ -366,7 +365,7 @@ func (m *csiBlockMapper) MapPodDevice() (string, error) { attachID := getAttachmentName(csiSource.VolumeHandle, csiSource.Driver, nodeName) attachment, err = m.k8s.StorageV1().VolumeAttachments().Get(context.TODO(), attachID, meta.GetOptions{}) if err != nil { - return "", errors.New(log("blockMapper.MapPodDevice failed to get volume attachment [id=%v]: %v", attachID, err)) + return "", volumetypes.NewTransientOperationFailure(log("blockMapper.MapPodDevice failed to get volume attachment [id=%v]: %v", attachID, err)) } } diff --git a/deps/github.com/openshift/kubernetes/pkg/volume/csi/csi_block_test.go b/deps/github.com/openshift/kubernetes/pkg/volume/csi/csi_block_test.go index 3b06ff1c7c..deffc6b39f 100644 --- a/deps/github.com/openshift/kubernetes/pkg/volume/csi/csi_block_test.go +++ b/deps/github.com/openshift/kubernetes/pkg/volume/csi/csi_block_test.go 
@@ -18,6 +18,7 @@ package csi import ( "context" + "errors" "fmt" "os" "path/filepath" @@ -491,6 +492,46 @@ func TestBlockMapperMapPodDeviceNoClientError(t *testing.T) { } } +func TestBlockMapperMapPodDeviceGetStageSecretsError(t *testing.T) { + transientError := volumetypes.NewTransientOperationFailure("") + plug, tmpDir := newTestPlugin(t, nil) + defer func() { + if err := os.RemoveAll(tmpDir); err != nil { + t.Error(err) + } + }() + + csiMapper, _, pv, err := prepareBlockMapperTest(plug, "test-pv", t) + if err != nil { + t.Fatalf("Failed to make a new Mapper: %v", err) + } + + // set a stage secret for the pv + pv.Spec.PersistentVolumeSource.CSI.NodePublishSecretRef = &api.SecretReference{ + Name: "foo", + Namespace: "default", + } + pvName := pv.GetName() + nodeName := string(plug.host.GetNodeName()) + + csiMapper.csiClient = setupClient(t, true) + + attachID := getAttachmentName(csiMapper.volumeID, string(csiMapper.driverName), nodeName) + attachment := makeTestAttachment(attachID, nodeName, pvName) + attachment.Status.Attached = true + if _, err = csiMapper.k8s.StorageV1().VolumeAttachments().Create(context.Background(), attachment, metav1.CreateOptions{}); err != nil { + t.Fatalf("failed to setup VolumeAttachment: %v", err) + } + t.Log("created attachment ", attachID) + + _, err = csiMapper.MapPodDevice() + if err == nil { + t.Errorf("test should fail, but no error occurred") + } else if !errors.As(err, &transientError) { + t.Errorf("expected a transient error but got %v", err) + } +} + func TestBlockMapperTearDownDevice(t *testing.T) { plug, tmpDir := newTestPlugin(t, nil) defer os.RemoveAll(tmpDir) diff --git a/deps/github.com/openshift/kubernetes/staging/publishing/rules.yaml b/deps/github.com/openshift/kubernetes/staging/publishing/rules.yaml index e7337f14ef..ad4fc61561 100644 --- a/deps/github.com/openshift/kubernetes/staging/publishing/rules.yaml +++ b/deps/github.com/openshift/kubernetes/staging/publishing/rules.yaml 
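Review bot: `TestBlockMapperMapPodDeviceGetStageSecretsError` and its comment `// set a stage secret for the pv` refer to the stage secret, but the test sets `NodePublishSecretRef` and calls `MapPodDevice`, so it covers the publish-secret failure that `publishVolumeForBlock` now wraps as a transient error. The `NodeStageSecretRef` change in `stageVolumeForBlock` is not exercised by any test in this hunk. Renaming to `TestBlockMapperMapPodDeviceGetPublishSecretsError` and changing the comment to `// set a publish secret for the pv` would match what is tested. A sibling test that sets `NodeStageSecretRef` and goes through `SetUpDevice` would presumably cover the stage path.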
@@ -2900,4 +2900,4 @@ rules: - staging/src/k8s.io/externaljwt recursive-delete-patterns: - '*/.gitattributes' -default-go-version: 1.24.9 +default-go-version: 1.24.12 diff --git a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go index d243b0710b..08ddcbf0a0 100644 --- a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go +++ b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go @@ -17,6 +17,7 @@ limitations under the License. package generic import ( + "context" "fmt" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" @@ -41,8 +42,8 @@ type PolicyMatcher interface { BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding BindingAccessor) (bool, error) // GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case - // GetNamespace must return nil, nil - GetNamespace(name string) (*corev1.Namespace, error) + // GetNamespace must return nil, NotFound + GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) } type matcher struct { @@ -82,8 +83,8 @@ func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInter return isMatch, err } -func (c *matcher) GetNamespace(name string) (*corev1.Namespace, error) { - return c.Matcher.GetNamespace(name) +func (c *matcher) GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) { + return c.Matcher.GetNamespace(ctx, name) } var _ matching.MatchCriteria = &matchCriteria{} 
diff --git a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go index eebe769434..30a6cbebe9 100644 --- a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go +++ b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go @@ -17,6 +17,7 @@ limitations under the License. package matching import ( + "context" "fmt" v1 "k8s.io/api/admissionregistration/v1" @@ -44,8 +45,8 @@ type Matcher struct { objectMatcher *object.Matcher } -func (m *Matcher) GetNamespace(name string) (*corev1.Namespace, error) { - return m.namespaceMatcher.GetNamespace(name) +func (m *Matcher) GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) { + return m.namespaceMatcher.GetNamespace(ctx, name) } // NewMatcher initialize the matcher with dependencies requires diff --git a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go index 918a07d0f7..61dfda11da 100644 --- a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go +++ b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go 
@@ -120,8 +120,12 @@ func (d *dispatcher) dispatchInvocations( // if it is cluster scoped, namespaceName will be empty // Otherwise, get the Namespace resource. if namespaceName != "" { - namespace, err = d.matcher.GetNamespace(namespaceName) + namespace, err = d.matcher.GetNamespace(ctx, namespaceName) if err != nil { + var statusError *k8serrors.StatusError + if errors.As(err, &statusError) { + return nil, statusError + } return nil, k8serrors.NewNotFound(schema.GroupResource{Group: "", Resource: "namespaces"}, namespaceName) } } diff --git a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/admission_test.go b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/admission_test.go index 14f33b1759..03ddc31d8b 100644 --- a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/admission_test.go +++ b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/admission_test.go @@ -268,7 +268,7 @@ func (f *fakeMatcher) ValidateInitialization() error { return nil } -func (f *fakeMatcher) GetNamespace(name string) (*v1.Namespace, error) { +func (f *fakeMatcher) GetNamespace(ctx context.Context, name string) (*v1.Namespace, error) { return nil, nil } diff --git a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go index 8f3e22f64d..0b5474b756 100644 --- a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go +++ b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go 
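Review bot: In `dispatchInvocations`, a `GetNamespace` error that is not a `*k8serrors.StatusError` is still rewritten to `NewNotFound`. Now that `GetNamespace` takes `ctx` and the namespace matcher in this patch can fall back to a live API call, context cancellation and transport failures become possible inputs to that branch. The request is rejected either way, so admission stays fail-closed, but the caller and the audit trail are told the namespace does not exist when the lookup actually failed. Returning `k8serrors.NewInternalError(err)` for the non-status case would keep the two situations apart; the validating dispatcher already returns `err` unchanged. The function body starts outside the hunk.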
@@ -189,7 +189,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm // if it is cluster scoped, namespaceName will be empty // Otherwise, get the Namespace resource. if namespaceName != "" { - namespace, err = c.matcher.GetNamespace(namespaceName) + namespace, err = c.matcher.GetNamespace(ctx, namespaceName) if err != nil { return err } diff --git a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go index 6427bc6748..01d706bd41 100644 --- a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go +++ b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go @@ -44,8 +44,13 @@ type Matcher struct { Client clientset.Interface } -func (m *Matcher) GetNamespace(name string) (*v1.Namespace, error) { - return m.NamespaceLister.Get(name) +func (m *Matcher) GetNamespace(ctx context.Context, name string) (*v1.Namespace, error) { + ns, err := m.NamespaceLister.Get(name) + if apierrors.IsNotFound(err) && len(name) > 0 { + // in case of latency in our caches, make a call direct to storage to verify that it truly exists or not + ns, err = m.Client.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) + } + return ns, err } // Validate checks if the Matcher has a NamespaceLister and Client. diff --git a/deps/github.com/openshift/kubernetes/test/e2e/network/kube_proxy.go b/deps/github.com/openshift/kubernetes/test/e2e/network/kube_proxy.go index 3e6573f167..04471002d3 100644 --- a/deps/github.com/openshift/kubernetes/test/e2e/network/kube_proxy.go +++ b/deps/github.com/openshift/kubernetes/test/e2e/network/kube_proxy.go 
@@ -46,6 +46,18 @@ import ( netutils "k8s.io/utils/net" ) +// expandIPv6ForConntrack expands an IPv6 address to the format used in /proc/net/nf_conntrack. +// e.g., "fc00:f853:ccd:e793::3" -> "fc00:f853:0ccd:e793:0000:0000:0000:0003" +func expandIPv6ForConntrack(ipStr string) string { + ip := netutils.ParseIPSloppy(ipStr) + if !netutils.IsIPv6(ip) { + return ipStr + } + return fmt.Sprintf("%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x", + ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7], + ip[8], ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15]) +} + var kubeProxyE2eImage = imageutils.GetE2EImage(imageutils.Agnhost) var _ = common.SIGDescribe("KubeProxy", func() { 
@@ -205,51 +217,56 @@ var _ = common.SIGDescribe("KubeProxy", func() { e2epod.NewPodClient(fr).CreateSync(ctx, clientPodSpec) ginkgo.By("Checking conntrack entries for the timeout") - // These must be synchronized from the default values set in - // pkg/apis/../defaults.go ConntrackTCPCloseWaitTimeout. The - // current defaults are hidden in the initialization code. const epsilonSeconds = 60 const expectedTimeoutSeconds = 60 * 60 - // the conntrack file uses the IPv6 expanded format + + // Detect conntrack method and build command ip := serverNodeInfo.nodeIP ipFamily := "ipv4" if netutils.IsIPv6String(ip) { ipFamily = "ipv6" } - // Obtain the corresponding conntrack entry on the host checking - // the nf_conntrack file from the pod e2e-net-exec. - // It retries in a loop if the entry is not found. - cmd := fmt.Sprintf("conntrack -L -f %s -d %v "+ - "| grep -m 1 'CLOSE_WAIT.*dport=%v' ", - ipFamily, ip, testDaemonTCPPort) + + var cmd, dumpCmd string + var timeoutIdx int + if _, err := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", "test -f /proc/net/nf_conntrack"); err == nil { + procIP := ip + if ipFamily == "ipv6" { + procIP = expandIPv6ForConntrack(ip) + } + cmd = fmt.Sprintf("cat /proc/net/nf_conntrack | grep -m 1 -E 'CLOSE_WAIT.*dst=%s.*dport=%d'", procIP, testDaemonTCPPort) + dumpCmd = "cat /proc/net/nf_conntrack" + timeoutIdx = 4 // ipv4 2 tcp 6 CLOSE_WAIT ... + } else if _, err := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", "which conntrack"); err == nil { + cmd = fmt.Sprintf("conntrack -L -f %s -d %s 2>/dev/null | grep -m 1 'CLOSE_WAIT.*dport=%d'", ipFamily, ip, testDaemonTCPPort) + dumpCmd = "conntrack -L 2>/dev/null" + timeoutIdx = 2 // tcp 6 CLOSE_WAIT ... 
+ } else { + e2eskipper.Skipf("Neither /proc/net/nf_conntrack nor conntrack binary available") + } + if err := wait.PollImmediate(2*time.Second, epsilonSeconds*time.Second, func() (bool, error) { result, err := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", cmd) - // retry if we can't obtain the conntrack entry if err != nil { - framework.Logf("failed to obtain conntrack entry: %v %v", result, err) + framework.Logf("failed to obtain conntrack entry: %v", err) return false, nil } - framework.Logf("conntrack entry for node %v and port %v: %v", serverNodeInfo.nodeIP, testDaemonTCPPort, result) - // Timeout in seconds is available as the third column of the matched entry - line := strings.Fields(result) - if len(line) < 3 { - return false, fmt.Errorf("conntrack entry does not have a timeout field: %v", line) + fields := strings.Fields(result) + if len(fields) <= timeoutIdx { + return false, nil } - timeoutSeconds, err := strconv.Atoi(line[2]) + timeoutSeconds, err := strconv.Atoi(fields[timeoutIdx]) if err != nil { - return false, fmt.Errorf("failed to convert matched timeout %s to integer: %w", line[2], err) + return false, nil } + framework.Logf("conntrack timeout for %v:%v = %v", serverNodeInfo.nodeIP, testDaemonTCPPort, timeoutSeconds) if math.Abs(float64(timeoutSeconds-expectedTimeoutSeconds)) < epsilonSeconds { return true, nil } return false, fmt.Errorf("wrong TCP CLOSE_WAIT timeout: %v expected: %v", timeoutSeconds, expectedTimeoutSeconds) }); err != nil { - // Dump all conntrack entries for debugging - result, err2 := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", "conntrack -L") - if err2 != nil { - framework.Logf("failed to obtain conntrack entry: %v %v", result, err2) - } - framework.Logf("conntrack entries for node %v: %v", serverNodeInfo.nodeIP, result) + result, _ := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", dumpCmd) + framework.Logf("conntrack entries: %v", result) framework.Failf("no valid conntrack entry for 
port %d on node %s: %v", testDaemonTCPPort, serverNodeInfo.nodeIP, err) } }) diff --git a/deps/github.com/openshift/kubernetes/test/images/Makefile b/deps/github.com/openshift/kubernetes/test/images/Makefile index 4cda4a67fc..7018d8d00a 100644 --- a/deps/github.com/openshift/kubernetes/test/images/Makefile +++ b/deps/github.com/openshift/kubernetes/test/images/Makefile @@ -16,7 +16,7 @@ REGISTRY ?= registry.k8s.io/e2e-test-images GOARM ?= 7 DOCKER_CERT_BASE_PATH ?= QEMUVERSION=v5.1.0-2 -GOLANG_VERSION=1.24.9 +GOLANG_VERSION=1.24.12 export ifndef WHAT diff --git a/deps/github.com/openshift/kubernetes/test/utils/image/manifest.go b/deps/github.com/openshift/kubernetes/test/utils/image/manifest.go index cd25d986d9..ca2602c622 100644 --- a/deps/github.com/openshift/kubernetes/test/utils/image/manifest.go +++ b/deps/github.com/openshift/kubernetes/test/utils/image/manifest.go @@ -223,7 +223,7 @@ func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.29.2"} configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"} configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.36.1-1"} - configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.7.11"} + configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.7.14"} configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.5.16-0"} configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"} configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"} From 5499bc6f8f72d34d2b78298e3bf5fd661f0b563a Mon Sep 17 00:00:00 2001 
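Review bot: Inside the poll, a short field list or a failed `strconv.Atoi` now returns `false, nil` without logging, so unparsable conntrack output retries silently for the whole `epsilonSeconds` window and the final `Failf` shows only the timeout. Logging before the retry, e.g. `framework.Logf("unparsable conntrack entry %q", result)`, keeps the cause visible. The `/proc/net/nf_conntrack` pattern is passed to `grep -E` with the IPv4 dots in `dst=%s` unescaped and `dport=%d` unanchored, so it can match a longer address or port that merely starts with the expected digits. Adding a trailing space after each value, `'CLOSE_WAIT.*dst=%s .*dport=%d '`, would tighten it, assuming the fields are space-separated as the `timeoutIdx` comments suggest. The error from the `dumpCmd` call is also discarded with `result, _ :=`.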
From: ci-robot Date: Mon, 23 Feb 2026 04:16:57 +0000 Subject: [PATCH 05/11] update microshift/vendor --- .../plugin/policy/generic/policy_matcher.go | 9 ++-- .../plugin/policy/matching/matching.go | 5 +- .../plugin/policy/mutating/dispatcher.go | 6 ++- .../plugin/policy/validating/dispatcher.go | 2 +- .../webhook/predicates/namespace/matcher.go | 9 +++- .../resourcequota/resource_quota_monitor.go | 10 +++- .../cm/devicemanager/plugin/v1beta1/server.go | 21 ++++---- .../dynamicresources/allocateddevices.go | 28 ++++++++-- .../plugins/dynamicresources/dra_manager.go | 31 +++++++++-- .../dynamicresources/dynamicresources.go | 22 +++++++- .../util/assumecache/assume_cache.go | 32 ++++++++++- .../kubernetes/pkg/volume/csi/csi_block.go | 15 +++--- vendor/modules.txt | 54 +++++++++---------- 13 files changed, 177 insertions(+), 67 deletions(-) diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go index d243b0710b..08ddcbf0a0 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go @@ -17,6 +17,7 @@ limitations under the License. package generic import ( + "context" "fmt" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" @@ -41,8 +42,8 @@ type PolicyMatcher interface { BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding BindingAccessor) (bool, error) // GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case - // GetNamespace must return nil, nil - GetNamespace(name string) (*corev1.Namespace, error) + // GetNamespace must return nil, NotFound + GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) } type matcher struct { 
@@ -82,8 +83,8 @@ func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInter return isMatch, err } -func (c *matcher) GetNamespace(name string) (*corev1.Namespace, error) { - return c.Matcher.GetNamespace(name) +func (c *matcher) GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) { + return c.Matcher.GetNamespace(ctx, name) } var _ matching.MatchCriteria = &matchCriteria{} diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go index eebe769434..30a6cbebe9 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go @@ -17,6 +17,7 @@ limitations under the License. package matching import ( + "context" "fmt" v1 "k8s.io/api/admissionregistration/v1" @@ -44,8 +45,8 @@ type Matcher struct { objectMatcher *object.Matcher } -func (m *Matcher) GetNamespace(name string) (*corev1.Namespace, error) { - return m.namespaceMatcher.GetNamespace(name) +func (m *Matcher) GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) { + return m.namespaceMatcher.GetNamespace(ctx, name) } // NewMatcher initialize the matcher with dependencies requires diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go index 918a07d0f7..61dfda11da 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go 
@@ -120,8 +120,12 @@ func (d *dispatcher) dispatchInvocations( // if it is cluster scoped, namespaceName will be empty // Otherwise, get the Namespace resource. if namespaceName != "" { - namespace, err = d.matcher.GetNamespace(namespaceName) + namespace, err = d.matcher.GetNamespace(ctx, namespaceName) if err != nil { + var statusError *k8serrors.StatusError + if errors.As(err, &statusError) { + return nil, statusError + } return nil, k8serrors.NewNotFound(schema.GroupResource{Group: "", Resource: "namespaces"}, namespaceName) } } diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go index 8f3e22f64d..0b5474b756 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go @@ -189,7 +189,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm // if it is cluster scoped, namespaceName will be empty // Otherwise, get the Namespace resource. if namespaceName != "" { - namespace, err = c.matcher.GetNamespace(namespaceName) + namespace, err = c.matcher.GetNamespace(ctx, namespaceName) if err != nil { return err } diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go index 6427bc6748..01d706bd41 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go 
@@ -44,8 +44,13 @@ type Matcher struct {
 Client clientset.Interface
 }
-func (m *Matcher) GetNamespace(name string) (*v1.Namespace, error) {
- return m.NamespaceLister.Get(name)
+func (m *Matcher) GetNamespace(ctx context.Context, name string) (*v1.Namespace, error) {
+ ns, err := m.NamespaceLister.Get(name)
+ if apierrors.IsNotFound(err) && len(name) > 0 {
+ // in case of latency in our caches, make a call direct to storage to verify that it truly exists or not
+ ns, err = m.Client.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
+ }
+ return ns, err
 }
 // Validate checks if the Matcher has a NamespaceLister and Client.
diff --git a/vendor/k8s.io/kubernetes/pkg/controller/resourcequota/resource_quota_monitor.go b/vendor/k8s.io/kubernetes/pkg/controller/resourcequota/resource_quota_monitor.go
index d0d0f30b97..6e894a7941 100644
--- a/vendor/k8s.io/kubernetes/pkg/controller/resourcequota/resource_quota_monitor.go
+++ b/vendor/k8s.io/kubernetes/pkg/controller/resourcequota/resource_quota_monitor.go
@@ -78,8 +78,9 @@ type QuotaMonitor struct {
 // This channel is also protected by monitorLock.
 stopCh <-chan struct{}
- // running tracks whether Run() has been called.
- // it is protected by monitorLock.
+ // running is set to true when the Run() function has been called.
+ // It will revert to false when the Run() function receives a cancellation.
+ // It is protected by monitorLock.
 running bool
 // monitors are the producer of the resourceChanges queue
@@ -331,6 +332,10 @@ func (qm *QuotaMonitor) Run(ctx context.Context) {
 // Stop any running monitors.
 qm.monitorLock.Lock()
 defer qm.monitorLock.Unlock()
+ // Mark as not running so that no new monitors can be started.
+ // Not doing this here could cause goroutine leaks and deadlocks since it would make it possible for startMonitors
+ // to proceed and start new monitors after stopMonitors has been called.
+ qm.running = false
 monitors := qm.monitors
 stopped := 0
 for _, monitor := range monitors {
@@ -339,6 +344,7 @@ func (qm *QuotaMonitor) Run(ctx context.Context) {
 close(monitor.stopCh)
 }
 }
+ qm.monitors = nil
 logger.Info("QuotaMonitor stopped monitors", "stopped", stopped, "total", len(monitors))
 }
diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go b/vendor/k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go
index 312aa930a0..cee0fecef2 100644
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go
@@ -57,8 +57,8 @@ type server struct {
 chandler ClientHandler
 clients map[string]Client
- // isStarted indicates whether the service has started successfully.
- isStarted bool
+ // lastError records the last runtime error. A server is considered healthy till an actual error occurs.
+ lastError error
 }
 // NewServer returns an initialized device plugin registration server.
@@ -117,7 +117,7 @@ func (s *server) Start() error {
 defer s.wg.Done()
 s.setHealthy()
 if err = s.grpc.Serve(ln); err != nil {
- s.setUnhealthy()
+ s.setUnhealthy(err)
 klog.ErrorS(err, "Error while serving device plugin registration grpc server")
 }
 }()
@@ -207,18 +207,19 @@ func (s *server) Name() string {
 }
 func (s *server) Check(_ *http.Request) error {
- if s.isStarted {
- return nil
- }
- return fmt.Errorf("device plugin registration gRPC server failed and no device plugins can register")
+ return s.lastError
 }
 // setHealthy sets the health status of the gRPC server.
 func (s *server) setHealthy() {
- s.isStarted = true
+ s.lastError = nil
 }
 // setUnhealthy sets the health status of the gRPC server to unhealthy.
-func (s *server) setUnhealthy() {
- s.isStarted = false
+func (s *server) setUnhealthy(err error) {
+ if err == nil {
+ s.lastError = fmt.Errorf("device registration error: device plugin registration gRPC server failed and no device plugins can register")
+ return
+ }
+ s.lastError = fmt.Errorf("device registration error: device plugin registration gRPC server failed and no device plugins can register: %w", err)
 }
diff --git a/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go b/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go
index 9c8d2305b2..e26b72398a 100644
--- a/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go
+++ b/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go
@@ -62,12 +62,19 @@ func foreachAllocatedDevice(claim *resourceapi.ResourceClaim, cb func(deviceID s
 // This is cheaper than repeatedly calling List, making strings unique, and building the set
 // each time PreFilter is called.
 //
+// To simplify detecting concurrent changes, each modification bumps a revision counter,
+// similar to ResourceVersion in the apiserver. Get and Capacities include the
+// current value in their result. A caller than can compare againt the current value
+// to determine whether some prior results are still up-to-date, without having to get
+// and compare them.
+//
 // All methods are thread-safe. Get returns a cloned set.
 type allocatedDevices struct {
 logger klog.Logger
- mutex sync.RWMutex
- ids sets.Set[structured.DeviceID]
+ mutex sync.RWMutex
+ revision int64
+ ids sets.Set[structured.DeviceID]
 }
 func newAllocatedDevices(logger klog.Logger) *allocatedDevices {
@@ -77,11 +84,18 @@ func newAllocatedDevices(logger klog.Logger) *allocatedDevices {
 }
 }
-func (a *allocatedDevices) Get() sets.Set[structured.DeviceID] {
+func (a *allocatedDevices) Get() (sets.Set[structured.DeviceID], int64) {
 a.mutex.RLock()
 defer a.mutex.RUnlock()
- return a.ids.Clone()
+ return a.ids.Clone(), a.revision
+}
+
+func (a *allocatedDevices) Revision() int64 {
+ a.mutex.RLock()
+ defer a.mutex.RUnlock()
+
+ return a.revision
 }
 func (a *allocatedDevices) handlers() cache.ResourceEventHandler {
@@ -147,8 +161,13 @@ func (a *allocatedDevices) addDevices(claim *resourceapi.ResourceClaim) {
 deviceIDs = append(deviceIDs, deviceID)
 })
+ if len(deviceIDs) == 0 {
+ return
+ }
+
 a.mutex.Lock()
 defer a.mutex.Unlock()
+ a.revision++
 for _, deviceID := range deviceIDs {
 a.ids.Insert(deviceID)
 }
@@ -169,6 +188,7 @@ func (a *allocatedDevices) removeDevices(claim *resourceapi.ResourceClaim) {
 a.mutex.Lock()
 defer a.mutex.Unlock()
+ a.revision++
 for _, deviceID := range deviceIDs {
 a.ids.Delete(deviceID)
 }
diff --git a/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go b/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go
index db10e126ac..eeca7c6711 100644
--- a/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go
+++ b/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go
@@ -18,6 +18,7 @@ package dynamicresources
 import (
 "context"
+ "errors"
 "fmt"
 "sync"
@@ -199,10 +200,29 @@ func (c *claimTracker) List() ([]*resourceapi.ResourceClaim, error) {
 return result, nil
 }
+// errClaimTrackerConcurrentModification gets returned if ListAllAllocatedDevices
+// or GatherAllocatedState need to be retried.
+//
+// There is a rare race when a claim is initially in-flight:
+// - allocated is created from cache (claim not there)
+// - someone removes from the in-flight claims and adds to the cache
+// - we start checking in-flight claims (claim not there anymore)
+// => claim ignored
+//
+// A proper fix would be to rewrite the assume cache, allocatedDevices,
+// and the in-flight map so that they are under a single lock. But that's
+// a pretty big change and prevents reusing the assume cache. So instead
+// we check for changes in the set of allocated devices and keep trying
+// until we get an attempt with no concurrent changes.
+//
+// A claim being first in the cache, then only in-flight cannot happen,
+// so we don't need to re-check the in-flight claims.
+var errClaimTrackerConcurrentModification = errors.New("conflicting concurrent modification")
+
 func (c *claimTracker) ListAllAllocatedDevices() (sets.Set[structured.DeviceID], error) {
 // Start with a fresh set that matches the current known state of the
 // world according to the informers.
- allocated := c.allocatedDevices.Get()
+ allocated, revision := c.allocatedDevices.Get()
 // Whatever is in flight also has to be checked.
 c.inFlightAllocations.Range(func(key, value any) bool {
@@ -213,8 +233,13 @@ func (c *claimTracker) ListAllAllocatedDevices() (sets.Set[structured.DeviceID],
 })
 return true
 })
- // There's no reason to return an error in this implementation, but the error might be helpful for other implementations.
- return allocated, nil
+
+ if revision == c.allocatedDevices.Revision() {
+ // Our current result is valid, nothing changed in the meantime.
+ return allocated, nil
+ }
+
+ return nil, errClaimTrackerConcurrentModification
 }
 func (c *claimTracker) AssumeClaimAfterAPICall(claim *resourceapi.ResourceClaim) error {
diff --git a/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go b/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go
index 886a9b9c84..7fd297f2f0 100644
--- a/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go
+++ b/vendor/k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go
@@ -22,6 +22,7 @@ import (
 "fmt"
 "slices"
 "sync"
+ "time"
 "github.com/google/go-cmp/cmp"
@@ -33,6 +34,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/util/retry"
 "k8s.io/component-helpers/scheduling/corev1/nodeaffinity"
@@ -471,9 +473,25 @@ func (pl *DynamicResources) PreFilter(ctx context.Context, state *framework.Cycl
 // Claims (and thus their devices) are treated as "allocated" if they are in the assume cache
 // or currently their allocation is in-flight. This does not change
 // during filtering, so we can determine that once.
- allAllocatedDevices, err := pl.draManager.ResourceClaims().ListAllAllocatedDevices()
+ //
+ // This might have to be retried in the unlikely case that some concurrent modification made
+ // the result invalid.
+ var allAllocatedDevices sets.Set[structured.DeviceID]
+ err = wait.PollUntilContextTimeout(ctx, time.Microsecond, 5*time.Second, true /* immediate */, func(context.Context) (bool, error) {
+ ad, err := pl.draManager.ResourceClaims().ListAllAllocatedDevices()
+ if err != nil {
+ if errors.Is(err, errClaimTrackerConcurrentModification) {
+ logger.V(6).Info("Conflicting modification during ListAllAllocatedDevices, trying again")
+ return false, nil
+ }
+ return false, err
+ }
+ // Done.
+ allAllocatedDevices = ad
+ return true, nil
+ })
 if err != nil {
- return nil, statusError(logger, err)
+ return nil, statusError(logger, fmt.Errorf("gather allocation state: %w", err))
 }
 slices, err := pl.draManager.ResourceSlices().List()
 if err != nil {
diff --git a/vendor/k8s.io/kubernetes/pkg/scheduler/util/assumecache/assume_cache.go b/vendor/k8s.io/kubernetes/pkg/scheduler/util/assumecache/assume_cache.go
index c7392129cb..034ca18c86 100644
--- a/vendor/k8s.io/kubernetes/pkg/scheduler/util/assumecache/assume_cache.go
+++ b/vendor/k8s.io/kubernetes/pkg/scheduler/util/assumecache/assume_cache.go
@@ -124,6 +124,9 @@ type AssumeCache struct {
 // Synchronizes updates to all fields below.
 rwMutex sync.RWMutex
+ // cond is used by emitEvents.
+ cond *sync.Cond
+
 // All registered event handlers.
 eventHandlers []cache.ResourceEventHandler
 handlerRegistration cache.ResourceEventHandlerRegistration
@@ -149,6 +152,9 @@ type AssumeCache struct {
 // of events would no longer be guaranteed.
 eventQueue queue.FIFO[func()]
+ // emittingEvents is true while one emitEvents call is actively emitting events.
+ emittingEvents bool
+
 // describes the object stored
 description string
@@ -195,6 +201,7 @@ func NewAssumeCache(logger klog.Logger, informer Informer, description, indexNam
 indexFunc: indexFunc,
 indexName: indexName,
 }
+ c.cond = sync.NewCond(&c.rwMutex)
 indexers := cache.Indexers{}
 if indexName != "" && indexFunc != nil {
 indexers[indexName] = c.objInfoIndexFunc
@@ -507,8 +514,31 @@ func (c *AssumeCache) AddEventHandler(handler cache.ResourceEventHandler) cache.
 }
 // emitEvents delivers all pending events that are in the queue, in the order
-// in which they were stored there (FIFO).
+// in which they were stored there (FIFO). Only one goroutine at a time is
+// delivering events, to ensure correct order.
 func (c *AssumeCache) emitEvents() {
+ c.rwMutex.Lock()
+ for c.emittingEvents {
+ // Wait for the active caller of emitEvents to finish.
+ // When it is done, it may or may not have drained
+ // the events pushed by our caller.
+ // We'll check below ourselves.
+ c.cond.Wait()
+ }
+ c.emittingEvents = true
+ c.rwMutex.Unlock()
+
+ defer func() {
+ c.rwMutex.Lock()
+ c.emittingEvents = false
+ // Hand over the batton to one other goroutine, if there is one.
+ // We don't need to wake up more than one because only one of
+ // them would be able to grab the "emittingEvents" responsibility.
+ c.cond.Signal()
+ c.rwMutex.Unlock()
+ }()
+
+ // When we get here, this instance of emitEvents is the active one.
 for {
 c.rwMutex.Lock()
 deliver, ok := c.eventQueue.Pop()
diff --git a/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_block.go b/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_block.go
index 80c6b088dd..3b1d0ac2ca 100644
--- a/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_block.go
+++ b/vendor/k8s.io/kubernetes/pkg/volume/csi/csi_block.go
@@ -68,7 +68,6 @@ package csi
 import (
 "context"
 "errors"
- "fmt"
 "os"
 "path/filepath"
@@ -171,8 +170,8 @@ func (m *csiBlockMapper) stageVolumeForBlock(
 if csiSource.NodeStageSecretRef != nil {
 nodeStageSecrets, err = getCredentialsFromSecret(m.k8s, csiSource.NodeStageSecretRef)
 if err != nil {
- return "", fmt.Errorf("failed to get NodeStageSecretRef %s/%s: %v",
- csiSource.NodeStageSecretRef.Namespace, csiSource.NodeStageSecretRef.Name, err)
+ return "", volumetypes.NewTransientOperationFailure(log("failed to get NodeStageSecretRef %s/%s: %v",
+ csiSource.NodeStageSecretRef.Namespace, csiSource.NodeStageSecretRef.Name, err))
 }
 }
@@ -223,11 +222,11 @@ func (m *csiBlockMapper) publishVolumeForBlock(
 volAttribs := csiSource.VolumeAttributes
 podInfoEnabled, err := m.plugin.podInfoEnabled(string(m.driverName))
 if err != nil {
- return "", errors.New(log("blockMapper.publishVolumeForBlock failed to assemble volume attributes: %v", err))
+ return "", volumetypes.NewTransientOperationFailure(log("blockMapper.publishVolumeForBlock failed to assemble volume attributes: %v", err))
 }
 volumeLifecycleMode, err := m.plugin.getVolumeLifecycleMode(m.spec)
 if err != nil {
- return "", errors.New(log("blockMapper.publishVolumeForBlock failed to get VolumeLifecycleMode: %v", err))
+ return "", volumetypes.NewTransientOperationFailure(log("blockMapper.publishVolumeForBlock failed to get VolumeLifecycleMode: %v", err))
 }
 if podInfoEnabled {
 volAttribs = mergeMap(volAttribs, getPodInfoAttrs(m.pod, volumeLifecycleMode))
@@ -237,7 +236,7 @@ func (m *csiBlockMapper) publishVolumeForBlock(
 if csiSource.NodePublishSecretRef != nil {
 nodePublishSecrets, err = getCredentialsFromSecret(m.k8s, csiSource.NodePublishSecretRef)
 if err != nil {
- return "", errors.New(log("blockMapper.publishVolumeForBlock failed to get NodePublishSecretRef %s/%s: %v",
+ return "", volumetypes.NewTransientOperationFailure(log("blockMapper.publishVolumeForBlock failed to get NodePublishSecretRef %s/%s: %v",
 csiSource.NodePublishSecretRef.Namespace, csiSource.NodePublishSecretRef.Name, err))
 }
 }
@@ -304,7 +303,7 @@ func (m *csiBlockMapper) SetUpDevice() (string, error) {
 attachID := getAttachmentName(csiSource.VolumeHandle, csiSource.Driver, nodeName)
 attachment, err = m.k8s.StorageV1().VolumeAttachments().Get(context.TODO(), attachID, meta.GetOptions{})
 if err != nil {
- return "", errors.New(log("blockMapper.SetupDevice failed to get volume attachment [id=%v]: %v", attachID, err))
+ return "", volumetypes.NewTransientOperationFailure(log("blockMapper.SetupDevice failed to get volume attachment [id=%v]: %v", attachID, err))
 }
 }
@@ -366,7 +365,7 @@ func (m *csiBlockMapper) MapPodDevice() (string, error) {
 attachID := getAttachmentName(csiSource.VolumeHandle, csiSource.Driver, nodeName)
 attachment, err = m.k8s.StorageV1().VolumeAttachments().Get(context.TODO(), attachID, meta.GetOptions{})
 if err != nil {
- return "", errors.New(log("blockMapper.MapPodDevice failed to get volume attachment [id=%v]: %v", attachID, err))
+ return "", volumetypes.NewTransientOperationFailure(log("blockMapper.MapPodDevice failed to get volume attachment [id=%v]: %v", attachID, err))
 }
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 1f65d48cf2..6b10210f5c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1166,7 +1166,7 @@ gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/api +# k8s.io/api v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/api ## explicit; go 1.23.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -1227,7 +1227,7 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apiextensions-apiserver v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiextensions-apiserver +# k8s.io/apiextensions-apiserver v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiextensions-apiserver ## explicit; go 1.23.0 k8s.io/apiextensions-apiserver/pkg/apihelpers k8s.io/apiextensions-apiserver/pkg/apis/apiextensions @@ -1274,7 +1274,7 @@ k8s.io/apiextensions-apiserver/pkg/generated/openapi k8s.io/apiextensions-apiserver/pkg/registry/customresource k8s.io/apiextensions-apiserver/pkg/registry/customresource/tableconvertor k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition -# k8s.io/apimachinery v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apimachinery +# k8s.io/apimachinery v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apimachinery ## explicit; go 1.23.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -1346,7 +1346,7 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver +# k8s.io/apiserver v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver ## explicit; go 1.23.0 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/configuration 
@@ -1527,13 +1527,13 @@ k8s.io/apiserver/plugin/pkg/authenticator/token/oidc k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics -# k8s.io/cli-runtime v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cli-runtime +# k8s.io/cli-runtime v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cli-runtime ## explicit; go 1.23.0 k8s.io/cli-runtime/pkg/genericclioptions k8s.io/cli-runtime/pkg/genericiooptions k8s.io/cli-runtime/pkg/printers k8s.io/cli-runtime/pkg/resource -# k8s.io/client-go v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go +# k8s.io/client-go v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go ## explicit; go 1.23.0 k8s.io/client-go/applyconfigurations k8s.io/client-go/applyconfigurations/admissionregistration/v1 @@ -1897,7 +1897,7 @@ k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/watchlist k8s.io/client-go/util/workqueue -# k8s.io/cloud-provider v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cloud-provider +# k8s.io/cloud-provider v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cloud-provider ## explicit; go 1.23.0 k8s.io/cloud-provider k8s.io/cloud-provider/api 
@@ -1916,14 +1916,14 @@ k8s.io/cloud-provider/service/helpers k8s.io/cloud-provider/volume k8s.io/cloud-provider/volume/errors k8s.io/cloud-provider/volume/helpers -# k8s.io/cluster-bootstrap v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cluster-bootstrap +# k8s.io/cluster-bootstrap v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cluster-bootstrap ## explicit; go 1.23.0 k8s.io/cluster-bootstrap/token/api k8s.io/cluster-bootstrap/token/jws k8s.io/cluster-bootstrap/token/util k8s.io/cluster-bootstrap/util/secrets k8s.io/cluster-bootstrap/util/tokens -# k8s.io/component-base v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-base +# k8s.io/component-base v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-base ## explicit; go 1.23.0 k8s.io/component-base/cli k8s.io/component-base/cli/flag @@ -1960,7 +1960,7 @@ k8s.io/component-base/version/verflag k8s.io/component-base/zpages/features k8s.io/component-base/zpages/flagz k8s.io/component-base/zpages/statusz -# k8s.io/component-helpers v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-helpers +# k8s.io/component-helpers v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-helpers ## explicit; go 1.23.0 k8s.io/component-helpers/apimachinery/lease k8s.io/component-helpers/apps/poddisruptionbudget @@ -1974,7 +1974,7 @@ k8s.io/component-helpers/scheduling/corev1 k8s.io/component-helpers/scheduling/corev1/nodeaffinity k8s.io/component-helpers/storage/ephemeral k8s.io/component-helpers/storage/volume -# k8s.io/controller-manager v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/controller-manager +# k8s.io/controller-manager v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/controller-manager ## explicit; go 1.23.0 k8s.io/controller-manager/app k8s.io/controller-manager/config 
@@ -1991,35 +1991,35 @@ k8s.io/controller-manager/pkg/informerfactory k8s.io/controller-manager/pkg/leadermigration k8s.io/controller-manager/pkg/leadermigration/config k8s.io/controller-manager/pkg/leadermigration/options -# k8s.io/cri-api v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cri-api +# k8s.io/cri-api v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cri-api ## explicit; go 1.23.0 k8s.io/cri-api/pkg/apis k8s.io/cri-api/pkg/apis/runtime/v1 k8s.io/cri-api/pkg/errors -# k8s.io/cri-client v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cri-client +# k8s.io/cri-client v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/cri-client ## explicit; go 1.23.0 k8s.io/cri-client/pkg k8s.io/cri-client/pkg/internal k8s.io/cri-client/pkg/logs k8s.io/cri-client/pkg/util -# k8s.io/csi-translation-lib v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/csi-translation-lib +# k8s.io/csi-translation-lib v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/csi-translation-lib ## explicit; go 1.23.0 k8s.io/csi-translation-lib k8s.io/csi-translation-lib/plugins -# k8s.io/dynamic-resource-allocation v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/dynamic-resource-allocation +# k8s.io/dynamic-resource-allocation v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/dynamic-resource-allocation ## explicit; go 1.23.0 k8s.io/dynamic-resource-allocation/api k8s.io/dynamic-resource-allocation/cel k8s.io/dynamic-resource-allocation/resourceclaim k8s.io/dynamic-resource-allocation/structured -# k8s.io/endpointslice v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/endpointslice +# k8s.io/endpointslice v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/endpointslice ## explicit; go 1.23.0 k8s.io/endpointslice k8s.io/endpointslice/metrics k8s.io/endpointslice/topologycache 
k8s.io/endpointslice/trafficdist k8s.io/endpointslice/util -# k8s.io/externaljwt v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/externaljwt +# k8s.io/externaljwt v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/externaljwt ## explicit; go 1.23.0 k8s.io/externaljwt/apis/v1alpha1 # k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 @@ -2040,13 +2040,13 @@ k8s.io/klog/v2/internal/severity k8s.io/klog/v2/internal/sloghandler k8s.io/klog/v2/internal/verbosity k8s.io/klog/v2/textlogger -# k8s.io/kms v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kms +# k8s.io/kms v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kms ## explicit; go 1.23.0 k8s.io/kms/apis/v1beta1 k8s.io/kms/apis/v2 k8s.io/kms/pkg/service k8s.io/kms/pkg/util -# k8s.io/kube-aggregator v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-aggregator +# k8s.io/kube-aggregator v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-aggregator ## explicit; go 1.23.0 k8s.io/kube-aggregator/pkg/apis/apiregistration k8s.io/kube-aggregator/pkg/apis/apiregistration/install @@ -2079,7 +2079,7 @@ k8s.io/kube-aggregator/pkg/controllers/status/remote k8s.io/kube-aggregator/pkg/registry/apiservice k8s.io/kube-aggregator/pkg/registry/apiservice/etcd k8s.io/kube-aggregator/pkg/registry/apiservice/rest -# k8s.io/kube-controller-manager v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-controller-manager +# k8s.io/kube-controller-manager v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-controller-manager ## explicit; go 1.23.0 k8s.io/kube-controller-manager/config/v1alpha1 # k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 
@@ -2113,11 +2113,11 @@ k8s.io/kube-openapi/pkg/validation/spec k8s.io/kube-openapi/pkg/validation/strfmt k8s.io/kube-openapi/pkg/validation/strfmt/bson k8s.io/kube-openapi/pkg/validation/validate -# k8s.io/kube-scheduler v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-scheduler +# k8s.io/kube-scheduler v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-scheduler ## explicit; go 1.23.0 k8s.io/kube-scheduler/config/v1 k8s.io/kube-scheduler/extender/v1 -# k8s.io/kubectl v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubectl +# k8s.io/kubectl v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubectl ## explicit; go 1.23.0 k8s.io/kubectl/pkg/apps k8s.io/kubectl/pkg/cmd/apiresources @@ -2152,7 +2152,7 @@ k8s.io/kubectl/pkg/util/storage k8s.io/kubectl/pkg/util/templates k8s.io/kubectl/pkg/util/term k8s.io/kubectl/pkg/validation -# k8s.io/kubelet v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubelet +# k8s.io/kubelet v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubelet ## explicit; go 1.23.0 k8s.io/kubelet/config/v1 k8s.io/kubelet/config/v1alpha1 @@ -2174,7 +2174,7 @@ k8s.io/kubelet/pkg/cri/streaming k8s.io/kubelet/pkg/cri/streaming/portforward k8s.io/kubelet/pkg/cri/streaming/remotecommand k8s.io/kubelet/pkg/types -# k8s.io/kubernetes v1.32.10 => ./deps/github.com/openshift/kubernetes +# k8s.io/kubernetes v1.32.12 => ./deps/github.com/openshift/kubernetes ## explicit; go 1.23.0 k8s.io/kubernetes/cmd/kube-apiserver/app k8s.io/kubernetes/cmd/kube-apiserver/app/options 
@@ -2994,7 +2994,7 @@ k8s.io/kubernetes/third_party/forked/gonum/graph/simple k8s.io/kubernetes/third_party/forked/gonum/graph/traverse k8s.io/kubernetes/third_party/forked/libcontainer/apparmor k8s.io/kubernetes/third_party/forked/libcontainer/utils -# k8s.io/metrics v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/metrics +# k8s.io/metrics v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/metrics ## explicit; go 1.23.0 k8s.io/metrics/pkg/apis/custom_metrics k8s.io/metrics/pkg/apis/custom_metrics/v1beta1 @@ -3009,10 +3009,10 @@ k8s.io/metrics/pkg/client/clientset/versioned/typed/metrics/v1beta1 k8s.io/metrics/pkg/client/custom_metrics k8s.io/metrics/pkg/client/custom_metrics/scheme k8s.io/metrics/pkg/client/external_metrics -# k8s.io/mount-utils v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/mount-utils +# k8s.io/mount-utils v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/mount-utils ## explicit; go 1.23.0 k8s.io/mount-utils -# k8s.io/pod-security-admission v1.32.10 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission +# k8s.io/pod-security-admission v1.32.12 => ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission ## explicit; go 1.23.0 k8s.io/pod-security-admission/admission k8s.io/pod-security-admission/admission/api From a584d51605e46b32694b47262b81975e7b0dcc24 Mon Sep 17 00:00:00 2001 From: ci-robot Date: Mon, 23 Feb 2026 04:16:57 +0000 Subject: [PATCH 06/11] update etcd/go.mod --- etcd/go.mod | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/etcd/go.mod b/etcd/go.mod index 3305834ba7..9469a7847e 100644 --- a/etcd/go.mod +++ b/etcd/go.mod 
@@ -15,11 +15,11 @@ require ( github.com/openshift/build-machinery-go v0.0.0-20250602125535-1b6d00b8c37c github.com/spf13/cobra v1.8.1 go.etcd.io/etcd/server/v3 v3.5.16 - k8s.io/apimachinery v1.32.10 - k8s.io/cli-runtime v1.32.10 - k8s.io/component-base v1.32.10 + k8s.io/apimachinery v1.32.12 + k8s.io/cli-runtime v1.32.12 + k8s.io/component-base v1.32.12 k8s.io/klog/v2 v2.130.1 - k8s.io/kubectl v1.32.10 + k8s.io/kubectl v1.32.12 sigs.k8s.io/yaml v1.5.0 ) @@ -45,7 +45,7 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect - k8s.io/apiserver v1.32.10 // indirect + k8s.io/apiserver v1.32.12 // indirect ) require ( @@ -133,8 +133,8 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v1.32.10 // indirect - k8s.io/client-go v1.32.10 // indirect + k8s.io/api v1.32.12 // indirect + k8s.io/client-go v1.32.12 // indirect k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect From d22cc8f274e1f9b4d90a68129dbcdd96acfc88e1 Mon Sep 17 00:00:00 2001 From: ci-robot Date: Mon, 23 Feb 2026 04:17:04 +0000 Subject: [PATCH 07/11] update etcd/vendor --- etcd/vendor/modules.txt | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/etcd/vendor/modules.txt b/etcd/vendor/modules.txt index d55abc92f9..6f8422e6d3 100644 --- a/etcd/vendor/modules.txt +++ b/etcd/vendor/modules.txt 
@@ -636,7 +636,7 @@ gopkg.in/natefinch/lumberjack.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v1.32.10 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/api +# k8s.io/api v1.32.12 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/api ## explicit; go 1.23.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -697,7 +697,7 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apimachinery v1.32.10 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apimachinery +# k8s.io/apimachinery v1.32.12 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apimachinery ## explicit; go 1.23.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors 
@@ -759,18 +759,18 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v1.32.10 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver +# k8s.io/apiserver v1.32.12 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver ## explicit; go 1.23.0 k8s.io/apiserver/pkg/apis/audit k8s.io/apiserver/pkg/apis/audit/v1 k8s.io/apiserver/pkg/authentication/user -# k8s.io/cli-runtime v1.32.10 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/cli-runtime +# k8s.io/cli-runtime v1.32.12 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/cli-runtime ## explicit; go 1.23.0 k8s.io/cli-runtime/pkg/genericclioptions k8s.io/cli-runtime/pkg/genericiooptions k8s.io/cli-runtime/pkg/printers k8s.io/cli-runtime/pkg/resource -# k8s.io/client-go v1.32.10 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go +# k8s.io/client-go v1.32.12 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go ## explicit; go 1.23.0 k8s.io/client-go/applyconfigurations/admissionregistration/v1 k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1 @@ -929,7 +929,7 @@ k8s.io/client-go/util/jsonpath k8s.io/client-go/util/keyutil k8s.io/client-go/util/watchlist k8s.io/client-go/util/workqueue -# k8s.io/component-base v1.32.10 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-base +# k8s.io/component-base v1.32.12 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/component-base ## explicit; go 1.23.0 k8s.io/component-base/cli k8s.io/component-base/cli/flag 
@@ -966,7 +966,7 @@ k8s.io/kube-openapi/pkg/spec3 k8s.io/kube-openapi/pkg/util/proto k8s.io/kube-openapi/pkg/util/proto/validation k8s.io/kube-openapi/pkg/validation/spec -# k8s.io/kubectl v1.32.10 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubectl +# k8s.io/kubectl v1.32.12 => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/kubectl ## explicit; go 1.23.0 k8s.io/kubectl/pkg/cmd/util k8s.io/kubectl/pkg/scheme From cc8cc26b0177e02724574d9912a17cf8aef118de Mon Sep 17 00:00:00 2001 From: ci-robot Date: Mon, 23 Feb 2026 04:17:05 +0000 Subject: [PATCH 08/11] update component images --- packaging/crio.conf.d/10-microshift_amd64.conf | 2 +- packaging/crio.conf.d/10-microshift_arm64.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packaging/crio.conf.d/10-microshift_amd64.conf b/packaging/crio.conf.d/10-microshift_amd64.conf index 61225075e7..b43ff5bbf0 100644 --- a/packaging/crio.conf.d/10-microshift_amd64.conf +++ b/packaging/crio.conf.d/10-microshift_amd64.conf @@ -24,6 +24,6 @@ plugin_dirs = [ # for community builds on top of OKD, this setting has no effect [crio.image] global_auth_file="/etc/crio/openshift-pull-secret" -pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:60cb9f970bb2807e7cfe9a4daae64563ca21cbf559e53ac8d51204c520b88e3a" +pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:85f3538d5387e83d0bacca8a578d5eddfdd82f5913dfd440bf855e04510f986b" pause_image_auth_file = "/etc/crio/openshift-pull-secret" pause_command = "/usr/bin/pod" diff --git a/packaging/crio.conf.d/10-microshift_arm64.conf b/packaging/crio.conf.d/10-microshift_arm64.conf index 4f0d0a1c30..fe7d9340e9 100644 --- a/packaging/crio.conf.d/10-microshift_arm64.conf +++ b/packaging/crio.conf.d/10-microshift_arm64.conf 
@@ -24,6 +24,6 @@ plugin_dirs = [ # for community builds on top of OKD, this setting has no effect [crio.image] global_auth_file="/etc/crio/openshift-pull-secret" -pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:879e1327ea5450d6c6462a1a22f0179c66e61a41706b76a506f33893c03848b5" +pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4183704bd9c20f448be64d6d9455f4602b4adef06170438878b0f97875d46ca7" pause_image_auth_file = "/etc/crio/openshift-pull-secret" pause_command = "/usr/bin/pod" From 2cb620a92b6fd8624b54004ddc0eff505f93d02f Mon Sep 17 00:00:00 2001 From: ci-robot Date: Mon, 23 Feb 2026 04:17:06 +0000 Subject: [PATCH 09/11] update manifests --- assets/components/multus/release-multus-aarch64.json | 2 +- assets/components/multus/release-multus-x86_64.json | 2 +- .../0000_50_olm_07-olm-operator.deployment.yaml | 8 -------- .../0000_50_olm_08-catalog-operator.deployment.yaml | 8 -------- .../operator-lifecycle-manager/kustomization.x86_64.yaml | 8 ++++---- .../operator-lifecycle-manager/release-olm-aarch64.json | 2 +- .../operator-lifecycle-manager/release-olm-x86_64.json | 6 +++--- assets/release/release-aarch64.json | 6 +++--- assets/release/release-x86_64.json | 6 +++--- 9 files changed, 16 insertions(+), 32 deletions(-) diff --git a/assets/components/multus/release-multus-aarch64.json b/assets/components/multus/release-multus-aarch64.json index 9cf751644f..7ba723518b 100644 --- a/assets/components/multus/release-multus-aarch64.json +++ b/assets/components/multus/release-multus-aarch64.json @@ -1,6 +1,6 @@ { "release": { - "base": "4.19.0-0.nightly-arm64-2026-02-15-195328" + "base": "4.19.0-0.nightly-arm64-2026-02-22-231812" }, "images": { "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:42d5b23827d0b78ede1ae83e1de18ef08845c94e263217dcbf6289e130538ee5", 
diff --git a/assets/components/multus/release-multus-x86_64.json b/assets/components/multus/release-multus-x86_64.json index 24490fec7c..a2e44e1e19 100644 --- a/assets/components/multus/release-multus-x86_64.json +++ b/assets/components/multus/release-multus-x86_64.json @@ -1,6 +1,6 @@ { "release": { - "base": "4.19.0-0.nightly-2026-02-13-223750" + "base": "4.19.0-0.nightly-2026-02-22-194444" }, "images": { "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c849bb8f387e6c9cb706231be5436377912b6413aaae895cfb3c6a4c10d3610e", diff --git a/assets/optional/operator-lifecycle-manager/0000_50_olm_07-olm-operator.deployment.yaml b/assets/optional/operator-lifecycle-manager/0000_50_olm_07-olm-operator.deployment.yaml index ebec29236f..fe8908540d 100644 --- a/assets/optional/operator-lifecycle-manager/0000_50_olm_07-olm-operator.deployment.yaml +++ b/assets/optional/operator-lifecycle-manager/0000_50_olm_07-olm-operator.deployment.yaml @@ -32,9 +32,6 @@ spec: - name: srv-cert secret: secretName: olm-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: olm-operator securityContext: @@ -45,9 +42,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/olm args: @@ -57,8 +51,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --protectedCopiedCSVNamespaces - openshift image: quay.io/operator-framework/olm diff --git a/assets/optional/operator-lifecycle-manager/0000_50_olm_08-catalog-operator.deployment.yaml b/assets/optional/operator-lifecycle-manager/0000_50_olm_08-catalog-operator.deployment.yaml index 9b5370c81e..d493387f78 100644 --- a/assets/optional/operator-lifecycle-manager/0000_50_olm_08-catalog-operator.deployment.yaml 
+++ b/assets/optional/operator-lifecycle-manager/0000_50_olm_08-catalog-operator.deployment.yaml @@ -32,9 +32,6 @@ spec: - name: srv-cert secret: secretName: catalog-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: catalog-operator securityContext: @@ -45,9 +42,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/catalog args: @@ -63,8 +57,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --set-workload-user-id=false image: quay.io/operator-framework/olm imagePullPolicy: IfNotPresent diff --git a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml index 0dbbfbf26e..59ae54d3d5 100644 --- a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml +++ b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml @@ -2,10 +2,10 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev - digest: sha256:a224b3683ffc3daea34f936d9b1d1b006365ae4c58f7ab7645637bf93f7ccd97 + digest: sha256:8ca47b7d0a0325b7d528eb78e448cfd93e88283ee4f0e2dde6e68cf1700f9973 - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev - digest: sha256:d2716e85a1cf7d80f6bd6c9749ef67a48045a6932493060726440373d187790a + digest: sha256:4767e66b27f3777d39629553e70a4827d35f07d25c29389d467805ba8651fcc8 - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v4.0-art-dev digest: sha256:e36719cf555cefc4d6215f01ad68474c797e972eae8f27f6f0e8c5f0a3aaa46d 
@@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d2716e85a1cf7d80f6bd6c9749ef67a48045a6932493060726440373d187790a + value: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4767e66b27f3777d39629553e70a4827d35f07d25c29389d467805ba8651fcc8 - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a224b3683ffc3daea34f936d9b1d1b006365ae4c58f7ab7645637bf93f7ccd97 + value: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8ca47b7d0a0325b7d528eb78e448cfd93e88283ee4f0e2dde6e68cf1700f9973 target: kind: Deployment labelSelector: app=catalog-operator diff --git a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json index 1dc60fc02c..1b0575b67f 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json @@ -1,6 +1,6 @@ { "release": { - "base": "4.19.0-0.nightly-arm64-2026-02-15-195328" + "base": "4.19.0-0.nightly-arm64-2026-02-22-231812" }, "images": { "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bc31f73c5ebec7303d5b22fa256261cd097deca3e2b01b2520b2f086ce8e5435", diff --git a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json index b32b4dd4ce..62b8d61313 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json 
@@ -1,10 +1,10 @@ { "release": { - "base": "4.19.0-0.nightly-2026-02-13-223750" + "base": "4.19.0-0.nightly-2026-02-22-194444" }, "images": { - "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a224b3683ffc3daea34f936d9b1d1b006365ae4c58f7ab7645637bf93f7ccd97", - "operator-registry": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d2716e85a1cf7d80f6bd6c9749ef67a48045a6932493060726440373d187790a", + "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8ca47b7d0a0325b7d528eb78e448cfd93e88283ee4f0e2dde6e68cf1700f9973", + "operator-registry": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4767e66b27f3777d39629553e70a4827d35f07d25c29389d467805ba8651fcc8", "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e36719cf555cefc4d6215f01ad68474c797e972eae8f27f6f0e8c5f0a3aaa46d" } } diff --git a/assets/release/release-aarch64.json b/assets/release/release-aarch64.json index f367ca34f5..226bd3f567 100644 --- a/assets/release/release-aarch64.json +++ b/assets/release/release-aarch64.json 
@@ -1,14 +1,14 @@ { "release": { - "base": "4.19.0-0.nightly-arm64-2026-02-15-195328" + "base": "4.19.0-0.nightly-arm64-2026-02-22-231812" }, "images": { "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:67c13bb92505bb1eae64cce8a772729a36dff434623219a18dcc9545ad0e92e3", "coredns": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b34e78b06e25217a27fd759c9f80ad8db46af9a12796169befeefa97123b2f31", "haproxy-router": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4640c517d6b0ab4dbc854178761cad7357b4fc922d53aafa3d07c8e6fcd573fc", "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4659510efeade3741edd0d727ee90127bb045526dc1987ce1f9307039218e717", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d2810a52aadaec785ed1d4e3cb7e4768134ccc925d91565c734b58c177369662", - "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:879e1327ea5450d6c6462a1a22f0179c66e61a41706b76a506f33893c03848b5", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8a2c4813c93c74676fc088bcd02a272881c13b6e5c0d00832d56359526a7d7be", + "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4183704bd9c20f448be64d6d9455f4602b4adef06170438878b0f97875d46ca7", "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:983edf0cddaf85df75fb46cfce33754d27c62f9942cd4ad6ff6c08cbb13e460e", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:03771d66c0ed8a422c012ffaf6f390d8c3191e02330ef9b9dee00af518928d6e", "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:255c209dde1418dac18e10cf3ed9b5c0e15aef5078f132e963a6c24d90b122c7" diff --git a/assets/release/release-x86_64.json b/assets/release/release-x86_64.json index 55cd290921..1f49648b5d 100644 --- a/assets/release/release-x86_64.json +++ b/assets/release/release-x86_64.json 
@@ -1,14 +1,14 @@ { "release": { - "base": "4.19.0-0.nightly-2026-02-13-223750" + "base": "4.19.0-0.nightly-2026-02-22-194444" }, "images": { "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e327e7fc9185167218a51663bb810a1ceee15b743fec880da4ce03bb997c5007", "coredns": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b69cb75b26bb8ae08c2df25c952611d105f09c39f4ac9485cbcf109cf440ef40", "haproxy-router": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:53343097c20b60865a9b8eb16ef260085ec5ac7e1ecc76d526f78be6e62fde45", "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e36719cf555cefc4d6215f01ad68474c797e972eae8f27f6f0e8c5f0a3aaa46d", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4e5b72696e84c2899a73838f332cb9d0093d6531ddb437bc880a3fb223b90261", - "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:60cb9f970bb2807e7cfe9a4daae64563ca21cbf559e53ac8d51204c520b88e3a", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1e37abfcddc92b0fff558d7057ba12801a90ffbca22851bb4163655ce668a709", + "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:85f3538d5387e83d0bacca8a578d5eddfdd82f5913dfd440bf855e04510f986b", "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2508eab4798a3aef1f85208c043f16f353843bab1b3ed310ec78ae77563eead0", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:c5f0ad26372afdd4d3e6a37fdb5cdf0c91304c0e994ec885e2db89e851081504", "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f74086262b94057f465da47f82ee9b0bde52d44d3d2dc77dca5fdca2a816d42b" From 2a564cee46f802ffc07146b1b2c9130c73f94b7b Mon Sep 17 00:00:00 2001 
From: ci-robot Date: Mon, 23 Feb 2026 04:17:14 +0000 Subject: [PATCH 10/11] update buildfiles --- Makefile.kube_git.var | 4 ++-- Makefile.version.aarch64.var | 2 +- Makefile.version.x86_64.var | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile.kube_git.var b/Makefile.kube_git.var index c61d21f44f..2c9622d61f 100644 --- a/Makefile.kube_git.var +++ b/Makefile.kube_git.var @@ -1,5 +1,5 @@ KUBE_GIT_MAJOR=1 KUBE_GIT_MINOR=32 -KUBE_GIT_VERSION=v1.32.10 -KUBE_GIT_COMMIT=9d45edc58ca6d5240fc84d3d50eb7490aa683c16 +KUBE_GIT_VERSION=v1.32.12 +KUBE_GIT_COMMIT=346896bae752bb9def8cacca75fdc7f7dcae9496 KUBE_GIT_TREE_STATE=clean diff --git a/Makefile.version.aarch64.var b/Makefile.version.aarch64.var index 3196d497c0..f21dbb4e92 100644 --- a/Makefile.version.aarch64.var +++ b/Makefile.version.aarch64.var @@ -1 +1 @@ -OCP_VERSION := 4.19.0-0.nightly-arm64-2026-02-15-195328 +OCP_VERSION := 4.19.0-0.nightly-arm64-2026-02-22-231812 diff --git a/Makefile.version.x86_64.var b/Makefile.version.x86_64.var index 9a84b0efce..855a25d448 100644 --- a/Makefile.version.x86_64.var +++ b/Makefile.version.x86_64.var @@ -1 +1 @@ -OCP_VERSION := 4.19.0-0.nightly-2026-02-13-223750 +OCP_VERSION := 4.19.0-0.nightly-2026-02-22-194444 From 7ab7968c324c7d998e5f2b896b8e089b79082855 Mon Sep 17 00:00:00 2001 From: ci-robot Date: Mon, 23 Feb 2026 04:17:14 +0000 Subject: [PATCH 11/11] update kubernetes version in CNCF scripts --- scripts/multinode/configure-sec.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/multinode/configure-sec.sh b/scripts/multinode/configure-sec.sh index 0396ce57cc..b6ff021536 100755 --- a/scripts/multinode/configure-sec.sh +++ b/scripts/multinode/configure-sec.sh 
@@ -77,10 +77,10 @@ function configure_kubelet() { # Checksums can be obtained from https://www.downloadkubernetes.com/ # or by downloading a "${url}.sha256" file (see below for ${url}). For example: - # version=v1.32.10; for kube_arch in amd64 arm64; do echo "${kube_arch}: $(curl -L https://dl.k8s.io/release/${version}/bin/linux/${kube_arch}/kubelet.sha256 2>/dev/null)"; done - local -r version="v1.32.10" - local -r kube_hash_amd64="bfff8f244992162c0491f8f42d807165ed5c685aecfb3e8000412535ad18a873" - local -r kube_hash_arm64="21cc3d98550d3a23052d649e77956f2557e7f6119ff1e27dc82b852d006136cd" + # version=v1.32.12; for kube_arch in amd64 arm64; do echo "${kube_arch}: $(curl -L https://dl.k8s.io/release/${version}/bin/linux/${kube_arch}/kubelet.sha256 2>/dev/null)"; done + local -r version="v1.32.12" + local -r kube_hash_amd64="a4573f91d6a2cf4cc7345db223051a754f60e550ab6fee078007e2be1b6b7178" + local -r kube_hash_arm64="6f0031185222f9e9c998aa1cc67985dd843a5c292647438eab765302b94f0ccf" local kube_arch="" local kube_hash=""
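Review bot: The checksum one-liner in the updated comment (`# version=v1.32.12; for kube_arch in amd64 arm64; do ...`) runs `curl -L ... 2>/dev/null` without `-f`, so on an HTTP error the response body is echoed as if it were the hash, and curl's own diagnostics are discarded. I would document it as `curl -fsSL https://dl.k8s.io/release/${version}/bin/linux/${kube_arch}/kubelet.sha256`, which exits non-zero on an HTTP error instead of printing an error page. Because `kube_hash_amd64` and `kube_hash_arm64` are the integrity pins for the downloaded kubelet, a comment above them such as `# Pins must match the published kubelet.sha256 for ${version}; update version and both hashes together` would make the coupling explicit. configure_kubelet starts before this hunk and continues past it, so the code that compares these hashes against the download is not visible here.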