v0.28.0

Changes by Kind

Security

• Update github.com/golang-jwt/jwt/v4 to v4.5.2 (addressing CVE-2025-30204) (#3352, @embik) (#3454, @xrstf)

Deprecation

• Deprecate APIExport Virtual Workspace URL population. Add feature flag EnableDeprecatedAPIExportVirtualWorkspacesUrls to re-enable deprecated APIExport Virtual Workspace URLs (#3411, @mjudeikis)

API Change

• Add caching API under cache.kcp.io to be able to interact with cache server programmatically (#3382, @mjudeikis)
• Add optional spec.mount to Workspace objects to stabilize mount API (#3380, @mjudeikis)
• Add CachedResourcesEndpointSlice resource (#3442, @gman0)
• Add new version of APIBinding to apis.kcp.io/v1alpha2 (#3384, @xmudrii)
• Add new version of APIExport to apis.kcp.io/v1alpha2 (#3318, @xrstf)
• Implement support for verbs in PermissionClaims (#3402, @xmudrii)
• Make CachedResource GVR immutable and unique in the logical cluster (#3476, @gman0)
• Rebase to Kubernetes v1.32.3 (#3383, @gman0)
  • ValidatingAdmissionPolicy has been removed from admissionregistration.k8s.io/v1alpha1 as per Kubernetes v1.32 API lifecycle management
  • admissionregistration.k8s.io/v1alpha1 is no longer being served by default
• Stop printing Ready column for APIExports as virtual workspace URLs are no longer populated by default (#3493, @embik)
• Add sdk/testing/server.ContextRunInProcessFunc. Deprecate sdk/testing/server.RunInProcessFunc (#3388, @ntnn)
• Serve both v1alpha1 and v1alpha2 of APIBindings in the APIExport Virtual Workspace (#3430, @xmudrii)
  • Fix a panic in the OpenAPI v3 endpoint for Virtual Workspaces happening if there's a resource with two or more versions

Feature

• Add Replication virtual workspace for CachedResource. Endpoint for the Replication VW is now displayed in its respective CachedResourceEndpointSlice (#3480, @gman0)
• Add a new --root-identities-file CLI flag to kcp used to bootstrap APIExport identities inside the root workspace (#3400, @gman0)
• Add a controller to automatically keep defaultAPIBindings defined in a WorkspaceType up to date in all workspaces that derive from it. This behaviour is enabled by configuring .spec.defaultAPIBindingLifecycle (#3381, @MisterMX)
• Enable CLI flag --encryption-provider-config in the kcp binary (#3470, @adrianrobotka)
• Print flags in sections for kcp-front-proxy binary (#3385, @sttts)
• Run the admission chain in the virtual workspace (forwarding) registry with the create verb upon creating a new object using server-side apply. As a result, running the server-side apply for a claimed resource in the APIExport Virtual Workspace requires the create verb (#3439, @xmudrii)
• The kcp specific CRDs are now bundled into one yaml file that is part of the release (#3466, @mikkeldamsgaard)

Bug or Regression

• Authorization checks on resources from an APIExport delegate to the next authorizer if the APIExport is not found (#3467, @ntnn)
• Disable the cd semantic notice when --short is provided (#3423, @ntnn)
• Fix --bind-address not being honoured in some generated configuration files (#3418, @ntnn)
• Fix APIResourceSchema name for the WorkspaceTypes resource to unblock upgrade from previous versions (#3349, @embik)
• Fix URL update when logicalcluster URL changes but workspace URL is not updated (#3474, @mjudeikis)
• Only set experimental.tenancy.kcp.io/owner annotation on LogicalCluster if Workspace has the annotation (#3438, @embik)
• Remove VOLUME from Dockerfile so no /data volume is mounted anymore (#3434, @embik)

Other (Cleanup or Flake)

• Fix consistency for DynamicRestMapper & workspace cleaner (#3447, @mjudeikis)
• Move to use dynamicRestMapper everywhere to dynamically resolve Kind to resource and vice versa (#3462, @mjudeikis)
• Update to Go 1.23.10 (#3443, @xrstf)
• Update to kcp/code-generator v3 (#3406, @xrstf)
• Stop exposing mini-front-proxy handlers (including /metrics) on kcp server unless --additional-mappings-file is passed (#3361, @embik)

Dependencies

Added

• github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.24.2
• github.com/Microsoft/hnslib: v0.0.8
• github.com/containerd/containerd/api: v1.7.19
• github.com/containerd/errdefs: v0.1.0
• github.com/containerd/log: v0.1.0
• github.com/kcp-dev/code-generator/v3: 4094fb8
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/externaljwt: ddbe171
• github.com/klauspost/compress: v1.17.11
• github.com/kylelemons/godebug: v1.1.0
• github.com/moby/sys/userns: v0.1.0
• github.com/planetscale/vtprotobuf: 0393e58
• go.opentelemetry.io/auto/sdk: v1.1.0
• go.opentelemetry.io/contrib/detectors/gcp: v1.31.0
• go.opentelemetry.io/otel/sdk/metric: v1.31.0

Changed

• cel.dev/expr: v0.15.0 → v0.19.1
• cloud.google.com/go/accessapproval: v1.7.1 → v1.7.5
• cloud.google.com/go/accesscontextmanager: v1.8.1 → v1.8.5
• cloud.google.com/go/aiplatform: v1.48.0 → v1.60.0
• cloud.google.com/go/analytics: v0.21.3 → v0.23.0
• cloud.google.com/go/apigateway: v1.6.1 → v1.6.5
• cloud.google.com/go/apigeeconnect: v1.6.1 → v1.6.5
• cloud.google.com/go/apigeeregistry: v0.7.1 → v0.8.3
• cloud.google.com/go/appengine: v1.8.1 → v1.8.5
• cloud.google.com/go/area120: v0.8.1 → v0.8.5
• cloud.google.com/go/artifactregistry: v1.14.1 → v1.14.7
• cloud.google.com/go/asset: v1.14.1 → v1.17.2
• cloud.google.com/go/assuredworkloads: v1.11.1 → v1.11.5
• cloud.google.com/go/automl: v1.13.1 → v1.13.5
• cloud.google.com/go/baremetalsolution: v1.1.1 → v1.2.4
• cloud.google.com/go/batch: v1.3.1 → v1.8.0
• cloud.google.com/go/beyondcorp: v1.0.0 → v1.0.4
• cloud.google.com/go/bigquery: v1.53.0 → v1.59.1
• cloud.google.com/go/billing: v1.16.0 → v1.18.2
• cloud.google.com/go/binaryauthorization: v1.6.1 → v1.8.1
• cloud.google.com/go/certificatemanager: v1.7.1 → v1.7.5
• cloud.google.com/go/channel: v1.16.0 → v1.17.5
• cloud.google.com/go/cloudbuild: v1.13.0 → v1.15.1
• cloud.google.com/go/clouddms: v1.6.1 → v1.7.4
• cloud.google.com/go/cloudtasks: v1.12.1 → v1.12.6
• cloud.google.com/go/compute/metadata: v0.3.0 → v0.5.2
• cloud.google.com/go/compute: v1.23.0 → v1.24.0
• cloud.google.com/go/contactcenterinsights: v1.10.0 → v1.13.0
• cloud.google.com/go/container: v1.24.0 → v1.31.0
• cloud.google.com/go/containeranalysis: v0.10.1 → v0.11.4
• cloud.google.com/go/datacatalog: v1.16.0 → v1.19.3
• cloud.google.com/go/dataflow: v0.9.1 → v0.9.5
• cloud.google.com/go/dataform: v0.8.1 → v0.9.2
• cloud.google.com/go/datafusion: v1.7.1 → v1.7.5
• cloud.google.com/go/datalabeling: v0.8.1 → v0.8.5
• cloud.google.com/go/dataplex: v1.9.0 → v1.14.2
• cloud.google.com/go/dataproc/v2: v2.0.1 → v2.4.0
• cloud.google.com/go/dataqna: v0.8.1 → v0.8.5
• cloud.google.com/go/datastore: v1.13.0 → v1.15.0
• cloud.google.com/go/datastream: v1.10.0 → v1.10.4
• cloud.google.com/go/deploy: v1.13.0 → v1.17.1
• cloud.google.com/go/dialogflow: v1.40.0 → v1.49.0
• cloud.google.com/go/dlp: v1.10.1 → v1.11.2
• cloud.google.com/go/documentai: v1.22.0 → v1.25.0
• cloud.google.com/go/domains: v0.9.1 → v0.9.5
• cloud.google.com/go/edgecontainer: v1.1.1 → v1.1.5
• cloud.google.com/go/essentialcontacts: v1.6.2 → v1.6.6
• cloud.google.com/go/eventarc: v1.13.0 → v1.13.4
• cloud.google.com/go/filestore: v1.7.1 → v1.8.1
• cloud.google.com/go/firestore: v1.12.0 → v1.14.0
• cloud.google.com/go/functions: v1.15.1 → v1.16.0
• cloud.google.com/go/gkebackup: v1.3.0 → v1.3.5
• cloud.google.com/go/gkeconnect: v0.8.1 → v0.8.5
• cloud.google.com/go/gkehub: v0.14.1 → v0.14.5
• cloud.google.com/go/gkemulticloud: v1.0.0 → v1.1.1
• cloud.google.com/go/gsuiteaddons: v1.6.1 → v1.6.5
• cloud.google.com/go/iam: v1.1.1 → v1.1.6
• cloud.google.com/go/iap: v1.8.1 → v1.9.4
• cloud.google.com/go/ids: v1.4.1 → v1.4.5
• cloud.google.com/go/iot: v1.7.1 → v1.7.5
• cloud.google.com/go/kms: v1.15.0 → v1.15.7
• cloud.google.com/go/language: v1.10.1 → v1.12.3
• cloud.google.com/go/lifesciences: v0.9.1 → v0.9.5
• cloud.google.com/go/logging: v1.7.0 → v1.9.0
• cloud.google.com/go/longrunning: v0.5.1 → v0.5.5
• cloud.google.com/go/managedidentities: v1.6.1 → v1.6.5
• cloud.google.com/go/maps: v1.4.0 → v1.6.4
• cloud.google.com/go/mediatranslation: v0.8.1 → v0.8.5
• cloud.google.com/go/memcache: v1.10.1 → v1.10.5
• cloud.google.com/go/metastore: v1.12.0 → v1.13.4
• cloud.google.com/go/monitoring: v1.15.1 → v1.18.0
• cloud.google.com/go/networkconnectivity: v1.12.1 → v1.14.4
• cloud.google.com/go/networkmanagement: v1.8.0 → v1.9.4
• cloud.google.com/go/networksecurity: v0.9.1 → v0.9.5
• cloud.google.com/go/notebooks: v1.9.1 → v1.11.3
• cloud.google.com/go/optimization: v1.4.1 → v1.6.3
• cloud.google.com/go/orchestration: v1.8.1 → v1.8.5
• cloud.google.com/go/orgpolicy: v1.11.1 → v1.12.1
• cloud.google.com/go/osconfig: v1.12.1 → v1.12.5
• cloud.google.com/go/oslogin: v1.10.1 → v1.13.1
• cloud.google.com/go/phishingprotection: v0.8.1 → v0.8.5
• cloud.google.com/go/policytroubleshooter: v1.8.0 → v1.10.3
• cloud.google.com/go/privatecatalog: v0.9.1 → v0.9.5
• cloud.google.com/go/pubsub: v1.33.0 → v1.36.1
• cloud.google.com/go/recaptchaenterprise/v2: v2.7.2 → v2.9.2
• cloud.google.com/go/recommendat...

v0.27.1

Changes by Kind

Security

• Update github.com/golang-jwt/jwt/v4 to v4.5.2 (addressing CVE-2025-30204) (#3356, @embik)

Bug or Regression

• Fix APIResourceSchema name for the WorkspaceTypes resource to unblock upgrade from previous versions (#3353, @embik)

Dependencies

Added

Nothing has changed.

Changed

• github.com/golang-jwt/jwt/v4: v4.5.0 → v4.5.2

Removed

Nothing has changed.

v0.27.0

Changes by Kind

Breaking Change

• Release artifacts for ppc64le are no longer published (#3211, @embik)

Security

• Fix impersonation for non-system users (GHSA-c7xh-gjv4-4jgv) (#3206, @mjudeikis)
• Add additional authorizer to APIExport Virtual Workspace that queries APIBinding for authorization decisions (GHSA-w2rr-38wv-8rrp / CVE-2025-29922) (#3338, @embik)

API Change

• Expose the kcp e2e test framework through the SDK. (#3327, @sttts)
• Updated dependencies to be in line with Kubernetes v1.31.6 (#3307, @gman0)

Feature

• Pass through original identity of controllers accessing a logical cluster through the APIExport virtual workspace. To get the required permissions, a warrant mechanism is added through user extra fields that attaches secondary user identities purely used for authorization. (#3156, @sttts)
• Make APIExportEndpointSlices consumer aware (#3256, @mjudeikis)
• Add workspace phase reporter reconciler (#3183, @mjudeikis)
• Add the Unavailable phase to the API (#3183, @mjudeikis)
• Implement exclusion of Unavailable workspaces from serving via proxy to avoid serving something which is not supposed to be served. (#3183, @mjudeikis)
• Add OpenAPI v3 schema support to the Virtual Workspace framework (#3246, @xmudrii)
• Add --accept-permission-claim and --reject-permission-claim flag to kubectl kcp bind apiexport (#3334, @mjudeikis)
• Add original user/groups information as extra to the impersonating client used by virtual workspace. (#3155, @turkenh)
• Add support for external webhook authorization. (#3198, @xrstf)
• Add user info support for scopes through the extra key authentication.kcp.io/scopes: cluster:<name>,... to contain a user in a certain cluster. Multiple extra values are conjunctive, i.e. their intersection is the allowed scope. (#3235, @sttts)
• Enable structured authentication configuration from a file with —authentication-config flag. (#3295, @cnvergence)
• Enhance local development experience for VirtualWorkspaces, adding --mappings-file option for local dev (#3199, @mjudeikis)
• Provide --authorization-order flag that allows kcp administrator to tune the authorizer behaviour and rearrange the order. (#3281, @cnvergence)
• Provide a feature gate GlobalServiceAccount that enables cross-workspace ServiceAccount authorization (requires --service-account-lookup=false in sharded environments). (#3328, @cnvergence)
• Replicate APIExportEndpointSlices to cache server (#3277, @mjudeikis)

Bug or Regression

• Fix critical race condition between APIBindings and CRDs potentially allowing the same resource to be bound by multiple bindings or CRDs, leading to data loss or inconsistent state. (#3251, @sttts)
• Fix external modifications to annotations being reverted by admission webhook (#3229, @ntnn)
• Add additional validation for impersonation to prevent groups and extras privileged impersonations. (#3243, @mjudeikis)
• Fix regression in DeepCopy generator (#3188, @mjudeikis)
• Purposefully crash if leader election was won but controllers failed to install, allowing another instance to take leadership (#3196, @embik)
• Update kcp start options to print to stdout (#3237, @jmcshane)

Other (Cleanup or Flake)

• Add wget to final image (#3240, @mjudeikis)
• Build apigen binary on releases (#3326, @mjudeikis)
• Crd-puller will generate files with 0644 permissions instead of 0777. (#3319, @xrstf)
• Update golangci-lint to 1.26.2, remove dependency on standalone staticcheck binary (#3208, @xrstf)
• kcp is built with Go 1.23.7 (#3331, @embik)
• kcp is built with Go 1.22.10 (#3212, @embik)
• kcp is built with Go 1.22.9 (#3200, @embik)

Dependencies

Added

• github.com/kcp-dev/embeddedetcd: v1.0.2

Changed

• github.com/go-openapi/jsonpointer: v0.19.6 → v0.21.0
• github.com/go-openapi/jsonreference: v0.20.2 → v0.21.0
• github.com/go-openapi/swag: v0.22.4 → v0.23.0
• github.com/google/gnostic-models: v0.6.8 → v0.6.9
• github.com/kcp-dev/apimachinery/v2: a9eb975 → 431177b
• github.com/kcp-dev/client-go: f5949d8 → 3dea338
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/api: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiextensions-apiserver: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apimachinery: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiserver: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cli-runtime: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/client-go: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cloud-provider: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cluster-bootstrap: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/code-generator: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-base: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-helpers: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/controller-manager: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-api: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-client: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/csi-translation-lib: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/dynamic-resource-allocation: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/endpointslice: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kms: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-aggregator: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-controller-manager: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-proxy: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-scheduler: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubectl: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubelet: ab5c3a6 → 0011b8c
• github.com...

v0.26.3

Note: v0.26.2 has not been released properly due to an issue in our release engineering tools and thus, should be skipped.

Changes by Kind

Security

• Add additional authorizer to APIExport Virtual Workspace that queries APIBinding for authorization decisions (GHSA-w2rr-38wv-8rrp) (#3338, @embik)

v0.27.0-rc.1

Changelog

• 2309e76 Merge pull request #3324 from Soot3/main
• 28f5a2c Merge pull request #3326 from mjudeikis/mjudeikis/add.apigen.build
• 68bef78 Update docs/content/concepts/workspaces/workspace-types.md
• 4a43c68 build apigen on make build
• 4f11204 update upload gh action
• aaa0f4b build apigen on releases
• 84b4e02 Update workspace-types.md
• 265b734 Merge pull request #3319 from xrstf/fix-crd-permissions
• 4194fde Merge pull request #3317 from gman0/verify-go-modules-no-pager
• ee3cfd3 Merge pull request #3322 from sttts/sttts-e2e-more-helpers
• 299da74 test/e2e/framework: move more helpers
• 4195908 Merge pull request #3321 from sttts/sttts-e2e-unused
• 3e3a4f8 test/e2e/framework: split server code apart
• ef21ddb test/e2e: remove empty shard test and unused helpers
• edb6028 do not create executable YAML files from crd-puller
• c7b02b3 hack/verify-go-modules.sh: don't run pager with git diff
• dfcda9f Merge pull request #3314 from embik/reduce-jobs-for-docs
• 943bcf8 Merge pull request #3312 from gman0/compare-deps-versions
• 9ea768b Merge pull request #3315 from gman0/fix-indexctr-updatehandler
• f19f2c9 Fix update handler in pkg/proxy/index controller
• 4d953ae Limit several jobs to not run for doc changes
• 1e741bb Merge pull request #3313 from Skarlso/doc-update-location
• f01aea5 Merge pull request #3311 from mjudeikis/mjudeikis/tmc.nit
• 47a9b9b doc: remove superflous output from make install command in the docs
• ae51cc9 hack/verify-go-modules.sh: compare dependency versions against k8s.io/kubernetes
• d86e180 nit in TMC investigation

v0.26.1

Changes by Kind

API Change

• Fix impersonation for non-system users (GHSA-c7xh-gjv4-4jgv) (#3206, @mjudeikis)

Uncategorized

• Kcp is built with Go 1.22.10 (#3213, @embik)
• Release artifacts for ppc64le are no longer published (#3211, @embik)

Dependencies

Added

Nothing has changed.

Changed

• github.com/kcp-dev/kubernetes/staging/src/k8s.io/api: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiextensions-apiserver: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apimachinery: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiserver: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cli-runtime: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/client-go: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cloud-provider: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cluster-bootstrap: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/code-generator: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-base: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-helpers: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/controller-manager: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-api: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-client: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/csi-translation-lib: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/dynamic-resource-allocation: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/endpointslice: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kms: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-aggregator: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-controller-manager: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-proxy: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-scheduler: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubectl: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubelet: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/metrics: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/mount-utils: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/pod-security-admission: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/sample-apiserver: ab5c3a6 → 70835f6
• github.com/kcp-dev/kubernetes: ab5c3a6 → 70835f6

Removed

Nothing has changed.

v0.26.0

Changes by Kind

API Change

• Rebase 1.31 (#3160, @mjudeikis)

Feature

• Add support for internal.kcp.io/inactive annotation on logical clusters to forbid any access beyond logical clusters. (#3152, @RedbackThomson)

Performance & Optimizations

• Fix performance issue of all watches to termindate after 30s. (#3162, @sttts)
• Fix performance problem in virtual workspace authorization. (#3163, @sttts)
• Make workspace deletion more reliable, trying harder to not leak LogicalClusters. (#3119, @sttts)
• Optimize apibinding reconciler to produce less work for the memory garbage collector. (#3166, @sttts)
• Optimize authorization in virtual workspaces. (#3167, @sttts)
• Reduce memory consumption of the admission webhook plugin. (#3165, @sttts)
• Skip attempt to create root directory if --root-directory="" is set (#3158, @embik)

Dependencies

Added

• cel.dev/expr: v0.15.0
• github.com/antlr4-go/antlr/v4: v4.13.0
• github.com/go-task/slim-sprig/v3: v3.0.0
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-client: ab5c3a6
• github.com/shurcooL/sanitized_anchor_name: v1.0.0
• github.com/urfave/cli: v1.22.1
• gopkg.in/evanphx/json-patch.v4: v4.12.0

Changed

• cloud.google.com/go/compute/metadata: v0.2.3 → v0.3.0
• github.com/Microsoft/hcsshim: v0.8.25 → v0.8.26
• github.com/alecthomas/kingpin/v2: v2.3.2 → v2.4.0
• github.com/cenkalti/backoff/v4: v4.2.1 → v4.3.0
• github.com/cespare/xxhash/v2: v2.2.0 → v2.3.0
• github.com/cncf/udpa/go: c52dc94 → 269d4d4
• github.com/cncf/xds/go: e9ce688 → 555b57e
• github.com/container-storage-interface/spec: v1.8.0 → v1.9.0
• github.com/coredns/corefile-migration: v1.0.21 → v1.0.23
• github.com/cpuguy83/go-md2man/v2: v2.0.2 → v2.0.4
• github.com/davecgh/go-spew: v1.1.1 → d8f796a
• github.com/envoyproxy/go-control-plane: v0.11.1 → v0.12.0
• github.com/envoyproxy/protoc-gen-validate: v1.0.2 → v1.0.4
• github.com/fxamacker/cbor/v2: v2.6.0 → v2.7.0
• github.com/go-logr/logr: v1.4.1 → v1.4.2
• github.com/go-openapi/swag: v0.22.3 → v0.22.4
• github.com/golang/glog: v1.1.2 → v1.2.1
• github.com/golang/mock: v1.6.0 → v1.1.1
• github.com/google/cel-go: v0.17.8 → v0.20.1
• github.com/google/pprof: 4bb14d4 → 4bfdf5a
• github.com/google/uuid: v1.3.1 → v1.6.0
• github.com/grpc-ecosystem/grpc-gateway/v2: v2.16.0 → v2.20.0
• github.com/kcp-dev/apimachinery/v2: v2.0.0 → a9eb975
• github.com/kcp-dev/client-go: bf1c9b8 → f5949d8
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/api: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiextensions-apiserver: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apimachinery: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiserver: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cli-runtime: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/client-go: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cloud-provider: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cluster-bootstrap: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/code-generator: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-base: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-helpers: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/controller-manager: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-api: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/csi-translation-lib: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/dynamic-resource-allocation: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/endpointslice: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kms: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-aggregator: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-controller-manager: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-proxy: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-scheduler: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubectl: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubelet: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/metrics: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/mount-utils: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/pod-security-admission: 321bee1 → ab5c3a6
• github.com/kcp-dev/kubernetes/stagi...

v0.25.0

Changes by Kind

Dependency Change

• Kcp is built with Go 1.22.5 now (#3145, @embik)
• Update dependencies to address CVE-2023-45288 and CVE-2024-24786 (#3136, @embik)

API Change

• Allow claiming SubjectAccessReview and LocalSubjectAccessReview in apiexports. (#3129, @sttts)
• Fix apply configuration client for APIExport. (#3153, @sttts)
• Remove ClusterWorkspaces resource as it has been replaced by Workspaces in previous releases (#3123, @embik)
• Remove the need to put a replace directive in place for github.com/kcp-dev/kcp/cli when importing github.com/kcp-dev/kcp (#3146, @embik)
• Set the kcp.io/cluster annotation on objects passed to an admission webhook on create. (#3124, @sttts)
• Update to Kubernetes 1.30 (#3140, @embik)
• Update to Kubernetes 1.30.3 (#3150, @embik)

Feature

• Add --version flag to kubectl-workspace (#3135, @embik)
• Add kubectl create workspace plugin. (#3154, @sttts)
• Add support for internal.kcp.io/inactive annotation on logical clusters to forbid any access beyond logical clusters. (#3152, @RedbackThomson)

Bug or Regression

• Calls intialize indexer only once before the informer starts (#3139, @ramramu3433)
• Fix postStartHook being present two times on log lines (#3134, @embik)
• Fix sequencing of controllers/informers start and leader election (#3132, @ramramu3433)

Other (Cleanup or Flake)

• Remove kcp-core binary (kcp remains unchanged) (#3148, @embik)
• Write diagnostics (deprecation notices and warnings) in kubectl-workspace to stderr instead of stdout (#3133, @embik)

v0.24.0

User Facing Changes

• Add experimental workspace mount reconciler (#3058, @mjudeikis)
• Kcp ws use support for relative and absolute multi-step navigation (#3088, @mjudeikis)
• ✨ Add Webhook URL based CRD conversions (#3090, @palnabarun)
• Add support for /openapi/v3 endpoints for workspaces with awareness of static resources, CRDs and APIBindings. (#3118, @sttts)
• Fix workspaces hot reload for index controller (#3095, @mjudeikis)
• Implement SelfSubjectRulesReview API, enabling usage of e.g. kubectl auth can-i --list (#3097, @embik)
• Re-enable Kubernetes Webhook Token Authentication (#3096, @ajwdev)
• Update etcd version to 3.5.13 (#3114, @embik)

Dependencies

• github.com/golang/protobuf: v1.5.3 → v1.5.4
• github.com/kcp-dev/logicalcluster/v3: v3.0.4 → v3.0.5
• github.com/sirupsen/logrus: v1.9.0 → v1.9.3
• go.etcd.io/bbolt: v1.3.7 → v1.3.9
• go.etcd.io/etcd/api/v3: v3.5.9 → v3.5.13
• go.etcd.io/etcd/client/pkg/v3: v3.5.9 → v3.5.13
• go.etcd.io/etcd/client/v2: v2.305.9 → v2.305.13
• go.etcd.io/etcd/client/v3: v3.5.9 → v3.5.13
• go.etcd.io/etcd/pkg/v3: v3.5.9 → v3.5.13
• go.etcd.io/etcd/raft/v3: v3.5.9 → v3.5.13
• go.etcd.io/etcd/server/v3: v3.5.9 → v3.5.13
• golang.org/x/sync: v0.4.0 → v0.5.0
• google.golang.org/protobuf: v1.31.0 → v1.33.0

PRs

• ✨ Index mounting ordering & few debug nits by @mjudeikis in #3085
• ✨ Add workspace mount battery & controller by @mjudeikis in #3058
• 🌱 add mount test into index by @mjudeikis in #3089
• 🐛 fix mount workspace reload by @mjudeikis in #3095
• ✨ add krew index build by @mjudeikis in #3094
• ✨ Feature: Re-enable webhook token authentication by @ajwdev in #3096
• 📖 Document how storage keys are computed for workspaces by @p0lyn0mial in #1905
• 📖 Update documentation with CNCF community group by @embik in #3101
• 📖 Deploy most recent release documentation as 'latest' alias by @embik in #3102
• ✨ kubectl support ../../ & ..:..: by @mjudeikis in #3088
• ✨ cli/use: simplify tests and add tests for relative paths by @sttts in #3103
• 🌱 Publish RC candidates by @mjudeikis in #3105
• ✨ Add Tilt setup to contrib by @mjudeikis in #3037
• ✨ Webhook URL based CRD conversions by @palnabarun in #3090
• 📖 Update documentation dependencies and add dark mode by @embik in #3109
• 📖 Organize generated CRD documentation by API group by @embik in #3110
• ✨ Implement RulesFor for GlobalAuthorizer and LocalAuthorizer to enable SelfSubjectRulesReview by @embik in #3097
• 📖 Add architecture brain-dump. by @sttts in #3108
• 📖 Refactor documentation sections and mention Helm chart by @embik in #3113
• 🌱 Bump etcd dependencies to 3.5.13 by @embik in #3114
• 🌱 Set controller rest config timeout to 30secs by @sankar17 in #3112
• ✨ Implement cluster-aware OpenAPI v3 by @sttts in #3118
• 🐛 Implement RoundTripperWrapper everywhere to allow cancellation by @sttts in #3120

New Contributors

• @ajwdev made their first contribution in #3096
• @palnabarun made their first contribution in #3090
• @sankar17 made their first contribution in #3112

Full Changelog: v0.23.0...v0.24.0

v0.23.0

Changes by Kind

API Change

• Add optional nameValidation field to ApiResourceSchemaSpec. This field is used to add an internal annotation to the bound API and the name validation strategy is decided based on the value. (#3082, @praveenrewar)

Uncategorized

• The kubectl plugins have been moved into their own github.com/kcp-dev/kcp/cli module for easier vendoring. (#3084, @sttts)
• Use correct verb in metrics-viewer ClusterRole to give access to /metrics (#3081, @embik)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.