2912 Commits

Author SHA1 Message Date
Benjamin Elder
28dd6f2757 hack/update-vendor.sh 2026-04-24 21:41:50 -07:00
Kubernetes Prow Robot
eb51fbf7c6 Merge pull request #138346 from dashpole/update_otel_prop
Update go.opentelemetry.io/otel to v1.41.0
2026-04-14 02:34:37 +05:30
Davanum Srinivas
f6209104d2 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
Kubernetes-commit: 7e9c2c8eef26f99aa2f94d8e09d6d32de86c7769
2026-04-13 13:57:52 -04:00
David Ashpole
feda787db4 update go.opentelemetry.io/otel to v1.41.0 2026-04-13 14:23:49 +00:00
Anish Ramasekar
f5d48853c5 update google.golang.org/grpc to v1.79.3
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
2026-03-19 11:47:06 -05:00
Kubernetes Prow Robot
ec68099e62 Merge pull request #137849 from bryantbiggs/deps/update-kube-openapi
deps: Update `kube-openapi` to drop `ginkgo/gomega` indirect deps
2026-03-18 23:21:37 +05:30
Bryant Biggs
56cd74d879 dependencies: bump kube-openapi to drop ginkgo/gomega indirect deps
Bump k8s.io/kube-openapi to pick up kubernetes/kube-openapi#579 which
moved the last ginkgo/gomega tests to stdlib testing and ran go mod
tidy, removing ginkgo/gomega from kube-openapi's go.mod.

This drops ginkgo/gomega as indirect deps from apimachinery. It also
prunes Masterminds/semver, google/pprof, and golang.org/x/tools from
client-go and other staging modules where they were only needed
through kube-openapi's ginkgo/gomega chain.

Contributes to kubernetes/kubernetes#127888
2026-03-18 09:09:11 -05:00
Paco Xu
a304826799 bump spf13/cobra to v1.10.2 2026-03-18 16:46:23 +08:00
Kubernetes Prow Robot
2bd6c7fe3c Merge pull request #137298 from dims/dsri/cri-streaming-option-a-hardcut
cri streaming option a hardcut - add new staging repositories `streaming` and `cri-streaming`
2026-03-13 17:23:36 +05:30
Kubernetes Prow Robot
a3ac5144e7 Merge pull request #137501 from danwinship/nftables-list-redux
Fix kube-proxy on systems with nft 1.1.3 (take 2)
2026-03-12 19:41:45 +05:30
Davanum Srinivas
57d7c4d812 staging/streaming: replace testify with stdlib in tests
Remove github.com/stretchr/testify from k8s.io/streaming's test
files. testify's assert/yaml subpackage pulls in gopkg.in/yaml.v3,
whose test dependencies (gopkg.in/check.v1 → kr/pretty →
rogpeppe/go-internal) were propagating into k8s.io/apimachinery and
k8s.io/api via the streaming dependency.

Removes stretchr/testify, gopkg.in/yaml.v3, gopkg.in/check.v1,
github.com/kr/pretty, and github.com/rogpeppe/go-internal from
streaming/go.mod.

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-03-12 09:59:56 -04:00
Davanum Srinivas
1ee1ff97fb staging: extract CRI streaming modules with client-go compatibility
Extract streaming code into dedicated staging modules while keeping stable
compatibility APIs for external client-go consumers.

This commit:
- adds `k8s.io/cri-streaming` for CRI exec/attach/portforward server code
- adds `k8s.io/streaming` as the canonical home for shared transport
  primitives (`httpstream`, `spdy`, `wsstream`, runtime helpers)
- switches in-tree transport consumers to `k8s.io/streaming`
- removes in-tree kubelet CRI streaming package
- preserves NO_PROXY/no_proxy CIDR handling in extracted SPDY proxier logic
- adds deprecated `k8s.io/apimachinery/pkg/util/httpstream` compatibility
  wrappers (`httpstream`, `spdy`, `wsstream`) backed by `k8s.io/streaming`
- restores exported client-go SPDY/portforward API signatures to
  apimachinery `httpstream` types for downstream compatibility
- adds streaming-native client-go adapters/constructors so in-tree callers
  can use `k8s.io/streaming` without changing external compatibility APIs
- deduplicates SPDY-over-websocket dial negotiation shared by compat and
  streaming tunneling dialers
- logs dropped unknown stream types in `RemoveStreams` adapter fallbacks to
  improve compatibility-path debuggability
- adds integration coverage for the streaming-upgrader-to-client-go-compat
  adapter path against a real cri-streaming exec endpoint
- clarifies kubectl streaming import aliasing to avoid `httpstream` package
  ambiguity
- updates tests, import restrictions, publishing metadata, and vendor/module
  metadata for the new staging modules

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-03-12 09:59:55 -04:00
Kubernetes Prow Robot
0909c60df9 Merge pull request #137605 from pacoxu/coredns-1.14.2
bump coredns to v1.14.2
2026-03-12 06:09:55 +05:30
Dan Winship
93de6acf5c Update knftables to v0.0.21 2026-03-11 10:50:07 -04:00
Paco Xu
8f41f5014f bump github.com/coredns/corefile-migration to v1.0.32 2026-03-11 07:59:40 +08:00
Patrick Ohly
56e0565c11 dependencies: klog v2.140.0
klog hasn't been updated in Kubernetes for a few releases. Several
enhancements have accumulated that are worth having.
2026-03-06 17:43:11 +01:00
Jordan Liggitt
f291ae40b0 Bump to go 1.26 2026-03-05 16:48:18 -05:00
Davanum Srinivas
c8826e0d23 Update google.golang.org/protobuf to v1.36.12-0.20260120151049-f2248ac996af
Pins google.golang.org/protobuf to HEAD commit f2248ac996afc39b3df0777cdcc269f6ade50b07
(v1.36.12-0.20260120151049-f2248ac996af) which includes fixes for dead code
elimination issues surfaced by Go 1.26's reflect changes.

Xref: https://github.com/golang/protobuf/issues/1704
Xref: https://github.com/kubernetes/kubernetes/issues/137445
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-03-05 10:30:01 -05:00
Jefftree
721eea74e7 update kube-openapi 2026-03-04 15:43:39 -05:00
Humble Devassy Chirammal
600d188f2b dependencies: bump gomega to v1.39.1 and ginkgo to v2.28.1 2026-02-27 18:44:36 +05:30
Humble Devassy Chirammal
c77b52f865 dependencies: bump cadvisor to v0.56.2
Update github.com/google/cadvisor from v0.56.0 to v0.56.2.

v0.56.2 fixes a nil pointer dereference when Docker GraphDriver is nil
(https://github.com/google/cadvisor/pull/3816).

Signed-off-by: Humble Devassy Chirammal <humble.devassy@gmail.com>
2026-02-27 12:52:37 +05:30
joshjms
9c00b4c1f5 etcd: bump etcd sdk to v3.6.8
Signed-off-by: joshjms <joshjms1607@gmail.com>
2026-02-25 00:17:17 +08:00
Dan Winship
219c13ae94 Revert "Update knftables to v0.0.20"
This reverts commit 62c3d8d820.
2026-02-20 08:30:05 -05:00
koba1t
656c0893a8 Update kubectl kustomize to kyaml/v0.21.1, cmd/config/v0.21.1, api/v0.21.1, kustomize/v5.8.1 2026-02-19 22:18:06 +09:00
Kubernetes Prow Robot
5b63a8c68e Merge pull request #136921 from dims/dump-from-utils
Move dump package from apimachinery to k8s.io/utils
2026-02-12 22:28:10 +05:30
Davanum Srinivas
550cc8645b Move dump package from apimachinery to k8s.io/utils
Replace all imports of k8s.io/apimachinery/pkg/util/dump with
k8s.io/utils/dump across the repo. The apimachinery dump package
now contains deprecated wrapper functions that delegate to
k8s.io/utils/dump for backwards compatibility.

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-02-12 07:34:19 -05:00
Alessio Attilio
62c3d8d820 Update knftables to v0.0.20 2026-02-11 00:39:40 +01:00
Kubernetes Prow Robot
65f09e605c Merge pull request #136826 from alvaroaleman/bumpv0.32
Bump structured merge diff to v6.3.2
2026-02-11 00:08:13 +05:30
Alvaro Aleman
f59cfe60ef Bump structured merge diff to v6.3.2
Diff: https://github.com/kubernetes-sigs/structured-merge-diff/compare/v6.3.1...v6.3.2

It's just one change that prevents a NPD when an embedded pointer to a
struct is encountered.
2026-02-07 13:49:48 -05:00
Davanum Srinivas
275adf8b04 Update OpenTelemetry dependencies to latest versions
Bump OpenTelemetry dependencies:
- go.opentelemetry.io/otel v1.39.0 → v1.40.0
- go.opentelemetry.io/otel/metric v1.39.0 → v1.40.0
- go.opentelemetry.io/otel/sdk v1.39.0 → v1.40.0
- go.opentelemetry.io/otel/trace v1.39.0 → v1.40.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 → v1.40.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 → v1.40.0
- go.opentelemetry.io/contrib/.../otelrestful v0.64.0 → v0.65.0
- go.opentelemetry.io/contrib/.../otelhttp v0.64.0 → v0.65.0
- go.opentelemetry.io/contrib/.../otelgrpc v0.63.0 → v0.65.0

Unpin otelgrpc: the nil TracerProvider panic (kubernetes#135865) that
required pinning at v0.63.0 is fixed in v0.65.0. Removed the
pinnedModules entry from unwanted-dependencies.json.

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-02-07 09:21:51 -05:00
Kubernetes Prow Robot
dc1ec1211e Merge pull request #136747 from dims/use-k8s-utils-btree
Use btree from k8s.io/utils instead of github.com/google/btree
2026-02-05 16:02:30 +05:30
Davanum Srinivas
a328ca88ad Use btree from k8s.io/utils instead of github.com/google/btree
The google/btree package is deprecated, so switch to the maintained
fork in k8s.io/utils/third_party/forked/golang/btree.

API differences:
- NewG -> New
- BTreeG[T] -> BTree[T]

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-02-04 16:11:16 -05:00
Davanum Srinivas
aa4159c2d2 Bump prometheus/common to v0.67.5 and prometheus/procfs to v0.19.2
prometheus/common v0.66.1 -> v0.67.5:
- Breaking: TextParser must now use NewTextParser() constructor
- Float/gauge histograms support in expfmt
- Fixed panic in tlsRoundTripper when CA file missing
- https://github.com/prometheus/common/compare/v0.66.1...v0.67.5

prometheus/procfs v0.16.1 -> v0.19.2:
- New: process shared memory, netfilter queue, hung_task metrics
- Enhanced meminfo (zswap, hugetlb fields)
- MD raid component devices exposed
- Fixed ZswappedBytes calculation
- https://github.com/prometheus/procfs/compare/v0.16.1...v0.19.2

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-02-03 21:25:04 -05:00
Kubernetes Prow Robot
4caf96e199 Merge pull request #136598 from dgrisonnet/update-go-systemd
Bump go-systemd to v22.7.0
2026-01-30 03:07:56 +05:30
xin.li
e1cbecc9d2 update vendor
Signed-off-by: xin.li <xin.li@daocloud.io>
2026-01-29 14:43:06 +08:00
Damien Grisonnet
e454bf04bb Bump go-systemd to v22.7.0
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
2026-01-28 20:57:35 +01:00
yongruilin
65b579a036 Bump k8s.io/kube-openapi to latest 2026-01-27 21:39:39 +00:00
Ivan Valdes
63e442e167 Bump etcd 3.6.7 SDK 2026-01-22 08:51:06 -08:00
Davanum Srinivas
c40ea60b9f Update OpenTelemetry dependencies to latest versions
Core packages (opentelemetry-go):
- go.opentelemetry.io/otel: v1.38.0 → v1.39.0
- go.opentelemetry.io/otel/metric: v1.38.0 → v1.39.0
- go.opentelemetry.io/otel/trace: v1.38.0 → v1.39.0
- go.opentelemetry.io/otel/sdk: v1.38.0 → v1.39.0

Exporters:
- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.34.0 → v1.39.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.34.0 → v1.39.0

Contrib instrumentation (opentelemetry-go-contrib):
- go.opentelemetry.io/contrib/.../otelhttp: v0.61.0 → v0.64.0
- go.opentelemetry.io/contrib/.../otelrestful: v0.44.0 → v0.64.0

Protocol definitions (opentelemetry-proto-go):
- go.opentelemetry.io/proto/otlp: v1.5.0 → v1.9.0

Notable changes:
- Go 1.24 is now the minimum required version (Go 1.23 support dropped) for OTEL components
- Performance: ~4x improvement in histogram concurrent operations; xxhash
  replaces fnv for attribute hashing
- Fixed goroutine leak in span processors when context is canceled
- otelrestful migrated semantic conventions from v1.20.0 to v1.34.0
  (e.g., http.method → http.request.method)
- Partial OTLP export errors now surfaced instead of being silently dropped
- otelrestful no longer depends on json-iterator/go, modern-go/concurrent,
  or modern-go/reflect2; unwanted-dependencies.json updated accordingly

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-01-20 18:24:44 -05:00
Kubernetes Prow Robot
8f76dbf79b Merge pull request #136227 from dims/update-grpc-ecosystem-deps-jan2026
Update gRPC ecosystem dependencies
2026-01-20 22:41:26 +05:30
carlory
299ec97e6f run hack/update-vendor.sh
Signed-off-by: carlory <baofa.fan@daocloud.io>
2026-01-19 11:35:30 +08:00
Davanum Srinivas
f727e938dc Update gRPC ecosystem dependencies
Update the gRPC ecosystem to pick up performance improvements,
bug fixes, and maintain compatibility with the latest protobuf
and OpenTelemetry releases.

Notable changes in grpc v1.78.0:
- mem.Reader interface changed to struct
- Legacy pick_first load balancer policy removed (pickfirstleaf)
- Improved connection state management

Updated dependencies:
- grpc-gateway/v2: v2.27.4 (2025-12-26)
- go-grpc-middleware/v2: v2.3.3 (2025-11-04)
- go-grpc-middleware/providers/prometheus: v1.1.0 (2025-06-16)
- google.golang.org/grpc: v1.78.0 (2025-12-23)
- genproto/googleapis/api: v0.0.0-20260112192933-99fd39fd28a9 (2026-01-12)
- genproto/googleapis/rpc: v0.0.0-20260112192933-99fd39fd28a9 (2026-01-12)

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-01-16 07:20:17 -05:00
Davanum Srinivas
5b478645cd Update security and stability dependencies
This PR updates several dependencies addressing security vulnerabilities,
stability fixes, and authentication improvements.

- golang.org/x/crypto: v0.46.0 -> v0.47.0
  - Includes latest X509 root certificate bundle updates
  - Security hardening for cryptographic operations
  - Foundation dependency for TLS and authentication

- github.com/golang-jwt/jwt/v5: v5.2.2 -> v5.3.0
  - IMPORTANT: v5.2.2 patched vulnerability GHSA-mh63-6h87-95cp (token
    validation security issue) - this update ensures we have the fix
  - Adds multiple audience validation support for JWT tokens
  - Go 1.21 minimum requirement (code modernization)
  - Replaced legacy interface{} with modern any keyword

- golang.org/x/net: v0.48.0 -> v0.49.0
  - HTTP/2 priority scheduler improvements (RFC 9218)
  - WebSocket security enhancements
  - Network layer stability fixes

- go.uber.org/zap: v1.27.0 -> v1.27.1
  - Fix: Prevent Object from panicking on nils (PR #1501)
  - Fix: Race condition in WithLazy (PR #1511)
  - Both fixes improve logging stability in concurrent scenarios

- github.com/godbus/dbus/v5: v5.2.0 -> v5.2.2
  - Security: Disabled SHA1 authentication by default on non-Windows
    platforms (v5.2.0 change now inherited)
  - Performance: Multiple optimizations reducing memory allocations
  - Fix: Alignment issues in decoder operations
  - Fix: Allow more than 32 containers/struct fields in a signature

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-01-15 19:57:11 -05:00
Davanum Srinivas
050c786014 Update vendored dependencies: cadvisor, containerd, runtime-spec, selinux
Update the following vendored dependencies:

- github.com/google/cadvisor: v0.55.1 -> v0.56.0
- github.com/containerd/containerd/api: v1.9.0 -> v1.10.0
- github.com/opencontainers/runtime-spec: v1.2.1 -> v1.3.0
- github.com/opencontainers/selinux: v1.13.0 -> v1.13.1

cadvisor v0.56.0 changes:
- Add s390x (IBM Z/mainframe) CPU topology support with NumBooks and
  NumDrawers fields in MachineInfo
- Add new Prometheus metrics: machine_cpu_books and machine_cpu_drawers
- Add standard deviation (Std) field to Percentiles for resource statistics
- Add sysfs constants CPUBookID and CPUDrawerID for s390x topology detection

containerd/api v1.10.0 changes:
- Add ActiveMount message type for tracking mounts with timestamps
- Add ActivationInfo message for mount management and lifecycle tracking

runtime-spec v1.3.0 changes (from ChangeLog):
- Add FreeBSD platform support with new Spec.FreeBSD field
- Add netDevices object for moving network devices to container namespaces
- Add memoryPolicy object for NUMA memory policy configuration
- Add hwConfig object for VM-based containers (vcpus, memory, device-tree)
- Add iomems for hardware I/O memory page access in VMs
- Add intelRdt.schemata and intelRdt.enableMonitoring fields
- Change LinuxPids.Limit to pointer type for optional handling
- Clarify intelRdt configuration and pids cgroup settings

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-01-15 10:26:13 -05:00
Davanum Srinivas
c825d80bbf Update security-critical authentication and protobuf dependencies
This PR updates security-critical dependencies addressing authentication
and data parsing vulnerabilities.

**Authentication Security:**
- github.com/coreos/go-oidc: v2.3.0 -> v2.5.0
  - Security fix: Now verifies token signature BEFORE validating payload
  - Prevents potential processing of tampered tokens before cryptographic
    verification

- github.com/cyphar/filepath-securejoin: v0.6.0 -> v0.6.1
  - Security fix: Fixed seccomp fallback logic - library now properly falls
    back to safer O_PATH resolver when openat2(2) is denied by seccomp-bpf
  - Fixed file descriptor leak in openat2 wrapper during RESOLVE_IN_ROOT

- cyphar.com/go-pathrs: v0.2.1 -> v0.2.2
  - Companion update to filepath-securejoin

**Protobuf Security:**
- google.golang.org/protobuf: v1.36.8 -> v1.36.11
  - Security fix: Added recursion limit check in lazy decoding validation
  - Prevents potential stack exhaustion attacks via maliciously crafted
    protobuf messages
  - Also adds support for URL chars in type URLs in text-format

These updates are critical for:
- OIDC authentication in kube-apiserver
- Container filesystem path resolution (used by container runtimes)
- Protobuf message parsing throughout the codebase

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-01-13 16:56:16 -05:00
Davanum Srinivas
0e67c56a8f Update golang.org/x dependencies to latest versions
updates the golang.org/x package family to newer releases:

- golang.org/x/crypto: v0.45.0 -> v0.46.0
- golang.org/x/net: v0.47.0 -> v0.48.0
- golang.org/x/sys: v0.38.0 -> v0.40.0
- golang.org/x/time: v0.9.0 -> v0.14.0
- golang.org/x/oauth2: v0.30.0 -> v0.34.0
- golang.org/x/text: v0.31.0 -> v0.33.0
- golang.org/x/term: v0.37.0 -> v0.39.0
- golang.org/x/sync: v0.18.0 -> v0.19.0
- golang.org/x/mod: v0.29.0 -> v0.32.0
- golang.org/x/tools: v0.38.0 -> v0.40.0
- golang.org/x/exp: 8a7402abbf56 -> 944ab1f22d93

Security & Stability:
- x/crypto: Updated X509 root certificate bundle
- x/net: HTTP/2 PING optimization to reduce DoS detection triggers,
  data race fix in trace RenderEvents
- x/sys: Fixed out-of-bounds memory access in sockaddrIUCVToAny
- x/time: Fixed rate limiter overflow when using very low rates that
  could cause the limiter to jam open

Performance:
- x/time: ~19% improvement in Sometimes.Do when no interval configured

Maintenance:
- Various vet diagnostic fixes for Go 1.26 compatibility
- Dependency updates across the golang.org/x ecosystem

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-01-11 16:26:07 -05:00
Patrick Ohly
f8a0c80ed8 dependencies: ginkgo v2.27.4, gomega v1.39.0
Latest release of both. The CurrentTreeConstructionNodeReport fix
is needed before being able to use it in the E2E framework.
2026-01-08 17:16:05 +01:00
Kubernetes Prow Robot
6f92c01979 Merge pull request #135391 from jpbetz/smd-6_3_1
Bump structured-merge-diff to pick up flake fix and bug fixes
2025-12-22 16:28:32 -08:00
Walter Fender
c8f8bb83d1 Update KAS apiserver network proxy to v0.34
Update konnectivity network proxy to v0.34.0. Includes bug fixes such as memory-leak in http-connect mode, stale count fix and updates to match/support kubernetes version 1.34
(https://github.com/kubernetes-sigs/apiserver-network-proxy/commits/v0.34.0)
2025-12-22 17:42:53 +00:00
Davanum Srinivas
95cf1f264d Update to github.com/google/cadvisor v0.55.1
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2025-12-21 08:13:06 -05:00