github/client-go
1
0
Fork 0
mirror of https://github.com/kubernetes/client-go.git synced 2026-01-20 08:53:55 +00:00
Code Issues Projects Releases Wiki Activity
5,220 Commits 35 Branches 1,532 Tags
ff70f47ee286a98dfb5c01c2f8a9a8661b6c7470
Commit Graph

5220 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Kubernetes Publisher
ff70f47ee2 Merge pull request #135322 from carlory/rm-portworx 
[1.36] Remove intree volume plugin portworx

Kubernetes-commit: d047572e817aafc3af859c191d79d954cf1855d9
 2026-01-19 17:43:40 +00:00
carlory
9cbf88a315 run hack/update-vendor.sh 
Signed-off-by: carlory <baofa.fan@daocloud.io>

Kubernetes-commit: 299ec97e6fa2295ccc14d22f501280164377914a
 2025-11-13 10:54:21 +08:00
Kubernetes Publisher
1a68af1383 Merge pull request #136212 from dims/update-security-deps-jan2026-v2 
Update security and stability dependencies

Kubernetes-commit: a94970c0c5de0fa56b0ed82823850db7e0257685
 2026-01-16 13:31:47 +00:00
Davanum Srinivas
95129d1f2f Update security and stability dependencies 
This PR updates several dependencies addressing security vulnerabilities,
stability fixes, and authentication improvements.

- golang.org/x/crypto: v0.46.0 -> v0.47.0
  - Includes latest X509 root certificate bundle updates
  - Security hardening for cryptographic operations
  - Foundation dependency for TLS and authentication

- github.com/golang-jwt/jwt/v5: v5.2.2 -> v5.3.0
  - IMPORTANT: v5.2.2 patched vulnerability GHSA-mh63-6h87-95cp (token
    validation security issue) - this update ensures we have the fix
  - Adds multiple audience validation support for JWT tokens
  - Go 1.21 minimum requirement (code modernization)
  - Replaced legacy interface{} with modern any keyword

- golang.org/x/net: v0.48.0 -> v0.49.0
  - HTTP/2 priority scheduler improvements (RFC 9218)
  - WebSocket security enhancements
  - Network layer stability fixes

- go.uber.org/zap: v1.27.0 -> v1.27.1
  - Fix: Prevent Object from panicking on nils (PR #1501)
  - Fix: Race condition in WithLazy (PR #1511)
  - Both fixes improve logging stability in concurrent scenarios

- github.com/godbus/dbus/v5: v5.2.0 -> v5.2.2
  - Security: Disabled SHA1 authentication by default on non-Windows
    platforms (v5.2.0 change now inherited)
  - Performance: Multiple optimizations reducing memory allocations
  - Fix: Alignment issues in decoder operations
  - Fix: Allow more than 32 containers/struct fields in a signature

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: 5b478645cdb3be5ed92a21d2f7b417b6328cfa6e
 2026-01-13 23:08:03 -05:00
Kubernetes Publisher
518241d079 Merge pull request #136008 from michaelasp/atomicResync 
Add atomic resync operation for real fifo

Kubernetes-commit: b82b03b9240e13b72635a39304b352afdf6a1fde
 2026-01-16 01:32:19 +00:00
Michael Aspinwall
2f59c18c8b Add atomic resync and remove usage of store in FIFO 
Kubernetes-commit: 6fbaebc054fc61f4775bb3a803beba7e924e266b
 2026-01-15 20:22:36 +00:00
Kubernetes Publisher
24e4401379 Merge pull request #136143 from pohly/client-go-fake-list-and-watch-fix 
client-go testing: fix List+Watch support

Kubernetes-commit: 8392659d3c90fea03be805968b53ec7a05dea183
 2026-01-15 17:32:16 +00:00
Kubernetes Publisher
14e71d2850 Merge pull request #135462 from michaelasp/atomicReplace 
Add atomic replace in client-go

Kubernetes-commit: 8322d26d1f0384f98baf6b640af58a471eb66f19
 2026-01-15 01:32:08 +00:00
Michael Aspinwall
aad3a6de89 Add support for ReplacedAll delta handling 
Kubernetes-commit: 3d585f1c500be795dfaf24e2c6a7b024986481c1
 2026-01-14 13:46:37 -05:00
Michael Aspinwall
0a8284b969 Plumb AtomicFIFO options into controller/store construction 
Kubernetes-commit: 022fec7ba8b0e2c71e1f38634a31f296d0090b31
 2026-01-14 13:23:12 -05:00
Michael Aspinwall
06f647297d Add AtomicFIFO feature gate 
Kubernetes-commit: 9e25c19199ece559f91615cc70947da64e740fce
 2026-01-14 12:39:28 -05:00
Michael Aspinwall
2cb222485f Guard against unexpected delta types in batch processing 
Kubernetes-commit: 64f780c1ecd7e9ec0989cb3ebd584cd9249a4c8c
 2026-01-14 12:41:04 -05:00
Michael Aspinwall
14f3889b62 Make PopBatch process a single-item batch identically to Pop 
Kubernetes-commit: b8470beda4e4a17ad38e9a58ce86c96f420bb720
 2026-01-14 13:18:37 -05:00
Michael Aspinwall
759b00eb22 Expand controller unit test coverage 
Kubernetes-commit: 1c29ee7e7b5e039b8df1a5cb75798c0359ca73d9
 2026-01-14 13:08:26 -05:00
Michael Aspinwall
4678a135e1 Plumb keyFunc to informer/controller/delta handling 
Kubernetes-commit: 4171c8cff8e79d3624f7e3bc83513fbec1671a24
 2026-01-14 13:04:31 -05:00
Michael Aspinwall
c38fc0fb1f Refactor RealFIFO#Replace delete/update handling to reconcileReplacement 
Kubernetes-commit: b94e610244ea8e37bcade7eec7e77be0ff61e572
 2026-01-14 12:56:32 -05:00
Michael Aspinwall
f3701130c2 Fix Replaced delta documentation 
Kubernetes-commit: ebd6959b126bad49c305d8088103455ce13241b2
 2026-01-14 12:45:13 -05:00
Michael Aspinwall
548663c679 Refactor delta addition/clearing 
Kubernetes-commit: 2dad39751d993757b3f218fda93a380a450a2257
 2026-01-14 12:44:38 -05:00
Patrick Ohly
bb190d443d client-go testing: start ResourceVersion at 1 for empty set 
List should never return "0", that has a special meaning in queries.

Kubernetes-commit: 3783a720e7278466859fe140d2bfbbfb054f5313
 2026-01-14 12:19:32 +01:00
Patrick Ohly
70ee41c382 client-go testing: include event handler in List+Watch unit test 
The event handler must receive both object (the initial one from List, the
newer one from Watch) and it must be considered synced.

Kubernetes-commit: 359aff0552ed3b60d544158e5edf33d28492f01a
 2026-01-14 11:57:24 +01:00
Kubernetes Publisher
d8ad3ab106 Merge pull request #136162 from dims/update-security-deps-jan2026 
Update security-critical authentication and protobuf dependencies

Kubernetes-commit: c29a5d73a6fd04896033fe615c259f2949c5e94f
 2026-01-14 01:31:55 +00:00
Davanum Srinivas
179e2aab49 Update security-critical authentication and protobuf dependencies 
This PR updates security-critical dependencies addressing authentication
and data parsing vulnerabilities.

**Authentication Security:**
- github.com/coreos/go-oidc: v2.3.0 -> v2.5.0
  - Security fix: Now verifies token signature BEFORE validating payload
  - Prevents potential processing of tampered tokens before cryptographic
    verification

- github.com/cyphar/filepath-securejoin: v0.6.0 -> v0.6.1
  - Security fix: Fixed seccomp fallback logic - library now properly falls
    back to safer O_PATH resolver when openat2(2) is denied by seccomp-bpf
  - Fixed file descriptor leak in openat2 wrapper during RESOLVE_IN_ROOT

- cyphar.com/go-pathrs: v0.2.1 -> v0.2.2
  - Companion update to filepath-securejoin

**Protobuf Security:**
- google.golang.org/protobuf: v1.36.8 -> v1.36.11
  - Security fix: Added recursion limit check in lazy decoding validation
  - Prevents potential stack exhaustion attacks via maliciously crafted
    protobuf messages
  - Also adds support for URL chars in type URLs in text-format

These updates are critical for:
- OIDC authentication in kube-apiserver
- Container filesystem path resolution (used by container runtimes)
- Protobuf message parsing throughout the codebase

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: c825d80bbf2c82666192c329478a686fa3a1d5dc
 2026-01-11 16:50:37 -05:00
Kubernetes Publisher
0b06cf5bf0 Merge pull request #129344 from pohly/log-client-go-apimachinery-network-util 
apimachinery: contextual logging in network util code

Kubernetes-commit: c6be0527684a967c1b0dd14486ae2241832723f0
 2026-01-13 21:32:02 +00:00
Kubernetes Publisher
934ba1dfa5 Merge pull request #136161 from dims/update-golang-x-deps-jan2026 
Update golang.org/x dependencies to latest versions

Kubernetes-commit: 1c894014ebe25e0b042efa91698284f527493d90
 2026-01-13 01:36:55 +00:00
Davanum Srinivas
07c57c562d Update golang.org/x dependencies to latest versions 
updates the golang.org/x package family to newer releases:

- golang.org/x/crypto: v0.45.0 -> v0.46.0
- golang.org/x/net: v0.47.0 -> v0.48.0
- golang.org/x/sys: v0.38.0 -> v0.40.0
- golang.org/x/time: v0.9.0 -> v0.14.0
- golang.org/x/oauth2: v0.30.0 -> v0.34.0
- golang.org/x/text: v0.31.0 -> v0.33.0
- golang.org/x/term: v0.37.0 -> v0.39.0
- golang.org/x/sync: v0.18.0 -> v0.19.0
- golang.org/x/mod: v0.29.0 -> v0.32.0
- golang.org/x/tools: v0.38.0 -> v0.40.0
- golang.org/x/exp: 8a7402abbf56 -> 944ab1f22d93

Security & Stability:
- x/crypto: Updated X509 root certificate bundle
- x/net: HTTP/2 PING optimization to reduce DoS detection triggers,
  data race fix in trace RenderEvents
- x/sys: Fixed out-of-bounds memory access in sockaddrIUCVToAny
- x/time: Fixed rate limiter overflow when using very low rates that
  could cause the limiter to jam open

Performance:
- x/time: ~19% improvement in Sometimes.Do when no interval configured

Maintenance:
- Various vet diagnostic fixes for Go 1.26 compatibility
- Dependency updates across the golang.org/x ecosystem

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: 0e67c56a8f26ace2889fd24e098b78e13f9bbffe
 2026-01-11 16:25:45 -05:00
Patrick Ohly
42c6ae81ab client-go testing: fix List+Watch support 
56448506075c3db1d added support for List+Watch to a fake client-go instance.
However, that support was not quite working yet as seen when analyzing a test
flake:

- List returned early when there were no objects, without adding the
  ResourceVersion. The ResourceVersion should have been "0" instead.
- When encountering "" as ResourceVersion, Watch didn't deliver
  any objects. That was meant to preserve compatibility with clients
  which don't expect objects from a Watch, but the right semantic of
  "" is "Start at most recent", which includes delivering existing
  objects.

Tests which meddle with the List implementation via a reactor (like
clustertrustbundlepublisher) have to be aware that Watch now may
return objects when given an empty ResourceVersion.

Kubernetes-commit: 6bfa727bee264f5d7e4471066c1b48a28d0c1929
 2026-01-09 16:54:10 +01:00
Kubernetes Publisher
811a272277 Merge pull request #136108 from pohly/ginkgo-gomega-update 
dependencies: ginkgo v2.27.4, gomega v1.39.0

Kubernetes-commit: 758ef0ffbce5cbca7a893d839dde892d79c2738f
 2026-01-08 22:43:17 +00:00
Patrick Ohly
2e32132ba0 dependencies: ginkgo v2.27.4, gomega v1.39.0 
Latest release of both. The CurrentTreeConstructionNodeReport fix
is needed before being able to use it in the E2E framework.

Kubernetes-commit: f8a0c80ed81711f6add7a765d22b56d2d41ac522
 2026-01-08 16:53:03 +01:00
Kubernetes Publisher
52d9854c37 Merge pull request #136068 from aojea/leader_race_time 
fix leader election data race reading observedtime

Kubernetes-commit: 0f4705e12e12439b37e81ea6df2318def4b4a2c5
 2026-01-07 18:34:00 +00:00
Kubernetes Publisher
2f784525d5 Merge pull request #135959 from pohly/client-go-testing-list-and-watch-race 
client-go testing: support List+Watch with ResourceVersion

Kubernetes-commit: fe36b79c2ab54cd7cc10733ca50e5642e2304f86
 2026-01-07 14:33:55 +00:00
Kubernetes Publisher
736bd66226 Merge pull request #132145 from inkel/inkel/client-go/improve-bearerauthrt-roundtrip-perf 
fix(client): Concatenate string instead of using `fmt.Sprintf`

Kubernetes-commit: ed17ca808f5db19c9309ffa32694885d2f30ca7a
 2026-01-07 14:33:53 +00:00
Antonio Ojea
7761b3a081 leaderelection RWlock 
We need to lock on observedTime reads to avoid races, before we were
only locking to read the observed record.

Use a RW lock since there are much more reads that writes.

Kubernetes-commit: d5ac0e408a0a1e50197e1b599b9b8b2e505bfe46
 2026-01-07 13:16:25 +00:00
Kubernetes Publisher
65de5216f1 Merge pull request #134798 from aditigupta96/fix-runwithcontext-apimachinery 
apimachinery: Use informer.RunWithContext in various components

Kubernetes-commit: 6af6361e3b6a5eafc8349b05227afff54e0594ed
 2026-01-07 02:39:25 +00:00
Kubernetes Publisher
c9ded7e60b Merge pull request #136053 from tchap/kcm-leader-election-thread-mgmt 
leasecandidate: Improve goroutine management

Kubernetes-commit: 3edae6c1c49958fd10a708d9cc8c4c9e7f5fb6e8
 2026-01-06 20:59:08 +05:30
Ondra Kupka
0728b482e1 leasecandidate: Improve goroutine management 
Make sure all goroutines are terminated when Run returns.

Kubernetes-commit: 498896ec4270b790e971a6fb01a292aa4c8cdfe0
 2026-01-06 10:43:05 +01:00
Patrick Ohly
58e70dff3d client-go testing: support List+Watch with ResourceVersion 
Quite a lot of unit tests set up informers with a fake client, do
informerFactory.WaitForCacheSync, then create or modify objects. Such tests
suffered from a race: because the fake client only delivered objects to the
watch after the watch has been created, creating an object too early caused
that object to not get delivered to the informer.

Usually the timing worked out okay because WaitForCacheSync typically slept a
bit while polling, giving the Watch call time to complete, but this race has
also gone wrong occasionally. Now with WaitForCacheSync returning more promptly
without polling (work in progress), the race goes wrong more often.

Instead of working around this in unit tests it's better to improve the fake
client such that List+Watch works reliably, regardless of the timing. The fake
client has traditionally not touched ResourceVersion in stored objects and
doing so now might break unit tests, so the added support for ResourceVersion
is intentionally limited to List+Watch.

The test simulates "real" usage of informers. It runs in a synctest bubble and
completes quickly:

    go  test -v .
    === RUN   TestListAndWatch
        listandwatch_test.go:67: I0101 01:00:00.000000] Listed configMaps="&ConfigMapList{ListMeta:{ 1  <nil>},Items:[]ConfigMap{ConfigMap{ObjectMeta:{cm1  default    0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},Data:map[string]string{},BinaryData:map[string][]byte{},Immutable:nil,},},}" err=null
        listandwatch_test.go:79: I0101 01:00:00.000000] Delaying Watch...
        listandwatch_test.go:90: I0101 01:00:00.100000] Caches synced
        listandwatch_test.go:107: I0101 01:00:00.100000] Created second ConfigMap
        listandwatch_test.go:81: I0101 01:00:00.100000] Continuing Watch...
    --- PASS: TestListAndWatch (0.00s)
    PASS
    ok  	k8s.io/client-go/testing/internal	0.009s

Some users of the fake client need to be updated to avoid test failures:
- ListMeta comparisons have to be updated.
- Optional: pass ListOptions into tracker.Watch. It's optional because
  the implementation behaves as before when options are missing,
  but the List+Watch race fix only works when options are passed.

Kubernetes-commit: 56448506075c3db1d16b5bbf0c581b833a4646f1
 2025-12-27 21:57:54 +01:00
Kubernetes Publisher
d9d16a9e17 Merge pull request #135391 from jpbetz/smd-6_3_1 
Bump structured-merge-diff to pick up flake fix and bug fixes

Kubernetes-commit: 6f92c01979b7666f6631a556a8626e21b88d1f2a
 2025-12-23 14:30:15 +00:00
Kubernetes Publisher
af9dcc3651 Merge pull request #135867 from dims/pin-versions-of-dbus-and-otelgrpc-to-avoid-breakage 
Pin versions of dbus and otelgrpc to avoid breakage

Kubernetes-commit: dce2e8cef737ebce3a4d13d74654c50bcb244846
 2025-12-21 02:29:37 +00:00
Davanum Srinivas
aa82641b9d updated to last known good dependencies for otelgrpc and dbus 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: 60cce0abd05d31f74ece404e584f53c915a7f3d5
 2025-12-20 15:27:53 -05:00
Kubernetes Publisher
687c6c1315 Merge pull request #135836 from pohly/ginkgo-gomega-update 
dependencies: ginkgo v2.27.3 + gomega v1.38.3

Kubernetes-commit: 268bdbe214ac64b5a31a59cfae6b96f3a1585bd3
 2025-12-19 18:29:40 +00:00
Kubernetes Publisher
1078d9cd6f Merge pull request #135845 from skitt/drop-armon-circbuf 
Replace armon/circbuf with k8s.io/utils/buffer

Kubernetes-commit: 0ea38248603ce745956d779787874cfd91ca29ae
 2025-12-19 18:29:38 +00:00
Stephen Kitt
85ab7843a2 Replace armon/circbuf with k8s.io/utils/buffer 
This uses the new generic fixed ring implementation in k8s.io/utils.

Signed-off-by: Stephen Kitt <skitt@redhat.com>

Kubernetes-commit: 3653ae2b9a7768da89e47ef84d503ae9cf0b910b
 2025-12-19 09:59:41 +01:00
Kubernetes Publisher
f36ae1f45e Merge pull request #135840 from michaelasp/makeDeterministic 
Fix issue with TestReplaceEvents not sending history deterministically

Kubernetes-commit: 09ca6040f7a0d6f80cd74fbbd9691341190b092f
 2025-12-19 06:29:13 +00:00
Michael Aspinwall
e07f72a3ec Fix issue with test not sending history deterministically 
Kubernetes-commit: 2b330f0357cb825de0dc196b426c858b2bba7f2c
 2025-12-19 00:45:43 +00:00
Kubernetes Publisher
66d2ca7fea Merge pull request #135832 from liggitt/test-replace-flake 
Make TestReplaceEvents deterministic for delete event comparison

Kubernetes-commit: e07199dbc63e4aaa448f173045161ab209c71ec8
 2025-12-18 18:29:04 +00:00
Kubernetes Publisher
ba82880ed7 Merge pull request #135539 from dims/move-httpcache-to-third_party/forked 
move httpcache to third_party/forked

Kubernetes-commit: 04d866b37de3aefac063b2b6e12f11b30701c9ff
 2025-12-18 18:29:02 +00:00
Jordan Liggitt
8e36d0d305 Make TestReplaceEvents deterministic for delete event comparison 
Kubernetes-commit: fb288e3ce164e86f590768d8dce92152e9ea0bbe
 2025-12-18 09:54:56 -05:00
Patrick Ohly
a01f268c3e dependencies: ginkgo v2.27.3 + gomega v1.38.3 
This fixes some issues found in Kubernetes (data race in ginkgo CLI, gomega
formatting) and helps with diagnosing OOM killing in CI jobs (exit status of
processes).

The modified gomega formatting shows up in some of the output tests for the E2E
framework. They get updated accordingly.

Kubernetes-commit: db841afdbb193ea7d612472c7cc4c7b3f58eb676
 2025-12-16 14:32:00 +01:00
Davanum Srinivas
f0e0dbdb4b move httpcache to third_party/forked 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: ab1ffaf12e243798df20a5c98192b8d108ba9a9b
 2025-12-01 21:58:55 -05:00
Kubernetes Publisher
8f891d54a2 Merge pull request #135665 from michaelasp/replaceTest 
Add test for replace events in client-go controller

Kubernetes-commit: 9d8404426fc33f6fbb2e5180b2e80f685b16bbd6
 2025-12-18 14:29:09 +00:00