Update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout	action	major	v4 → v6
actions/download-artifact	action	major	v4 → v7
actions/setup-python	action	major	v5 → v6
actions/upload-artifact	action	major	v4 → v6
coverage	dependencies	minor	7.10.2 → 7.13.4
kubernetes	dependencies	major	33.1.0 → 35.0.0
pylint (changelog)	dependencies	major	^3.0.0 → ^4.0.0
sphinxcontrib-apidoc	dependencies	minor	^0.5.0 → ^0.6.0

---

Release Notes

actions/checkout (actions/checkout)

v6

Compare Source

v5

Compare Source

actions/download-artifact (actions/download-artifact)

v7

Compare Source

v6

Compare Source

v5

Compare Source

actions/setup-python (actions/setup-python)

v6

Compare Source

actions/upload-artifact (actions/upload-artifact)

v6

Compare Source

v5

Compare Source

coveragepy/coveragepy (coverage)

v7.13.4

Compare Source

• Fix: the third-party code fix in 7.13.3 required examining the parent
  directories where coverage was run. In the unusual situation that one of the
  parent directories is unreadable, a PermissionError would occur, as
  described in issue 2129_. This is now fixed.

• Fix: in test suites that change sys.path, coverage.py could fail with
  "RuntimeError: Set changed size during iteration" as described and fixed in
  pull 2130_. Thanks, Noah Fatsi.

• We now publish ppc64le wheels, thanks to Pankhudi Jain <pull 2121_>_.

.. _pull 2121: #​2121
.. _issue 2129: #​2129
.. _pull 2130: #​2130

.. _changes_7-13-3:

v7.13.3

Compare Source

• Fix: in some situations, third-party code was measured when it shouldn't have
  been, slowing down test execution. This happened with layered virtual
  environments such as uv sometimes makes. The problem is fixed, closing issue 2082_. Now any directory on sys.path that is inside a virtualenv is
  considered third-party code.

.. _issue 2082: #​2082

.. _changes_7-13-2:

v7.13.2

Compare Source

• Fix: when Python is installed via symlinks, for example with Homebrew, the
  standard library files could be incorrectly included in coverage reports.
  This is now fixed, closing issue 2115_.

• Fix: if a data file is created with no read permissions, the combine step
  would fail completely. Now a warning is issued and the file is skipped.
  Closes issue 2117_.

.. _issue 2115: #​2115
.. _issue 2117: #​2117

.. _changes_7-13-1:

v7.13.1

Compare Source

• Added: the JSON report now includes a "start_line" key for function and
  class regions, indicating the first line of the region in the source. Closes
  issue 2110_.

• Added: The debug data command now takes file names as arguments on the
  command line, so you can inspect specific data files without needing to set
  the COVERAGE_FILE environment variable.

• Fix: the JSON report used to report module docstrings as executed lines,
  which no other report did, as described in issue 2105_. This is now fixed,
  thanks to Jianrong Zhao.

• Fix: coverage.py uses a more disciplined approach to detecting where
  third-party code is installed, and avoids measuring it. This shouldn't change
  any behavior. If you find that it does, please get in touch.

• Performance: data files that will be combined now record their hash as part
  of the file name. This lets us skip duplicate data more quickly, speeding the
  combining step.

• Docs: added a section explaining more about what is considered a missing
  branch and how it is reported: :ref:branch_explain, as requested in issue 1597. Thanks to Ayisha Mohammed <pull 2092_>.

• Tests: the test suite misunderstood what core was being tested if
  COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109_.

.. _issue 1597: #​1597
.. _pull 2092: #​2092
.. _issue 2105: #​2105
.. _issue 2109: #​2109
.. _issue 2110: #​2110

.. _changes_7-13-0:

v7.13.0

Compare Source

• Feature: coverage.py now supports :file:.coveragerc.toml configuration
  files. These files use TOML syntax and take priority over
  :file:pyproject.toml but lower priority than :file:.coveragerc files.
  Closes issue 1643_ thanks to Olena Yefymenko <pull 1952_>_.

• Fix: we now include a permanent .pth file which is installed with the code,
  fixing issue 2084. In 7.12.1b1 this was done incorrectly: it didn't work
  when using the source wheel (py3-none-any). This is now fixed. Thanks,
  Henry Schreiner <pull 2100_>.

• Deprecated: when coverage.py is installed, it creates three command entry
  points: coverage, coverage3, and coverage-3.10 (if installed for
  Python 3.10). The second and third of these are not needed and will
  eventually be removed. They still work for now, but print a message about
  their deprecation.

.. _issue 1643: #​1643
.. _pull 1952: #​1952
.. _pull 2100: #​2100

.. _changes_7-12-1b1:

v7.12.0

Compare Source

• The HTML report now shows separate coverage totals for statements and
  branches, as well as the usual combined coverage percentage. Thanks to Ryuta
  Otsuka for the discussion <issue 2081_>_ and the implementation <pull 2085_>_.

• The JSON report now includes separate coverage totals for statements and
  branches, thanks to Ryuta Otsuka <pull 2090_>_.

• Fix: except* clauses were not handled properly under the "sysmon"
  measurement core, causing KeyError exceptions as described in issue 2086_.
  This is now fixed.

• Fix: we now defend against aggressive mocking of open() that could cause
  errors inside coverage.py. An example of a failure is in issue 2083_.

• Fix: in unusual cases where a test suite intentionally exhausts the system's
  file descriptors to test handling errors in open(), coverage.py would
  fail when trying to open source files, as described in issue 2091_. This
  is now fixed.

• A small tweak to the HTML report: file paths now use thin spaces around
  slashes to make them easier to read.

.. _issue 2081: #​2081
.. _issue 2083: #​2083
.. _pull 2085: #​2085
.. _issue 2086: #​2086
.. _pull 2090: #​2090
.. _issue 2091: #​2091

.. _changes_7-11-3:

v7.11.3

Compare Source

• Fix: the 7.11.1 changes meant that conflicts between a requested measurement
  core and other settings would raise an error. This was a breaking change from
  previous behavior, as reported in issue 2076_ and issue 2078_.

  The previous behavior has been restored: when the requested core conflicts
  with other settings, another core is used instead, and a warning is issued.

• For contributors: the repo has moved from Ned's nedbat GitHub account_ to
  the coveragepy GitHub organization_. The default branch has changed from
  master to main.

.. _issue 2076: #​2076
.. _issue 2078: #​2078
.. _nedbat GitHub account: https://github.com/nedbat
.. _coveragepy GitHub organization: https://github.com/coveragepy

.. _changes_7-11-2:

v7.11.2

Compare Source

• Fix: using the "sysmon" measurement core in 7.11.1, if Python code was
  claimed to come from a non-Python file, a NotPython exception could be
  raised. This could happen for example with Jinja templates compiled to
  Python, as reported in issue 2077_. This is now fixed.

• Doc: corrected the first entry in the 7.11.1 changelog.

.. _issue 2077: #​2077

.. _changes_7-11-1:

v7.11.1

Compare Source

• Fix: some chanages to details of how the measurement core is chosen, and how
  conflicting settings are handled. The "sysmon" core cannot be used with some
  conurrency settings, with dynamic context, and in Python 3.12/3.13, with
  branch measurement.

  • If the core is not specified and defaults to "sysmon" (Python 3.14+), but
    other settings conflict with sysmon, then the "ctrace" core will be used
    instead with no warning. For concurrency conflicts, this used to produce an
    error, as described in issue 2064_.

  • If the "sysmon" core is explicitly requested in your configuration, but
    other settings conflict, an error is now raised. This used to produce a
    warning.

• Fix: some multi-line case clauses or for loops (and probably other
  constructs) could cause incorrect claims of missing branches with the
  sys.monitoring core, as described in issue 2070_. This is now fixed.

• Fix: when running in pytest under coverage, a breakpoint() would stop in
  the wrong frame, one level down from where it should, as described in issue 1420_. This was due to a coverage change in v6.4.1 that seemed to give a
  slight performance improvement, but I couldn't reproduce the performance
  gain, so it's been reverted, fixing the debugger problem.

• A new debug option --debug=core shows which core is in use and why.

• Split sqlite debugging information out of the sys :ref:coverage debug <cmd_debug> and :ref:cmd_run_debug options since it's bulky and not
  very useful.

• Updated the :ref:howitworks page to better describe the three different
  measurement cores.

.. _issue 1420: #​1420
.. _issue 2064: #​2064
.. _issue 2070: #​2070

.. _changes_7-11-0:

v7.11.0

Compare Source

• Dropped support for Python 3.9, declared support for Python 3.15 alpha.

.. _changes_7-10-7:

v7.10.7

Compare Source

• Performance: with branch coverage in large files, generating HTML, JSON, or
  LCOV reports could take far too long due to some quadratic behavior when
  creating the function and class index pages. This is now fixed, closing
  issue 2048_. Thanks to Daniel Diniz for help diagnosing the problem.

• Most warnings and a few errors now have links to a page in the docs
  explaining the specific message. Closes issue 1921_.

.. _issue 1921: #​1921
.. _issue 2048: #​2048

.. _changes_7-10-6:

v7.10.6

Compare Source

• Fix: source directories were not properly communicated to subprocesses
  that ran in different directories, as reported in issue 1499_. This is now
  fixed.

• Performance: Alex Gaynor continues fine-tuning <pull 2038_>_ the speed of
  combination, especially with many contexts.

.. _issue 1499: #​1499
.. _pull 2038: #​2038

.. _changes_7-10-5:

v7.10.5

Compare Source

• Big speed improvements for coverage combine: it's now about twice as
  fast! Huge thanks to Alex Gaynor for pull requests 2032 <pull 2032_>,
  2033 <pull 2033_>, and 2034 <pull 2034_>_.

.. _pull 2032: #​2032
.. _pull 2033: #​2033
.. _pull 2034: #​2034

.. _changes_7-10-4:

v7.10.4

Compare Source

• Added patch = fork for times when the built-in forking support is
  insufficient.

• Fix: patch = execv also inherits the entire coverage configuration now.

.. _changes_7-10-3:

v7.10.3

Compare Source

• Fixes for patch = subprocess:

  • If subprocesses spawned yet more subprocesses simultaneously, some coverage
    could be missed. This is now fixed, closing issue 2024_.

  • If subprocesses were created in other directories, their data files were
    stranded there and not combined into the totals, as described in issue 2025_. This is now fixed.

  • On Windows (or maybe only some Windows?) the patch would fail with a
    ModuleNotFound error trying to import coverage. This is now fixed,
    closing issue 2022_.

  • Originally only options set in the coverage configuration file would apply
    to subprocesses. Options set on the coverage run command line (such as
    --branch) wouldn't be communicated to the subprocesses. This could
    lead to combining failures, as described in issue 2021_. Now the entire
    configuration is used in subprocesses, regardless of its origin.

  • Added debug=patch to help diagnose problems.

• Fix: really close all SQLite databases, even in-memory ones. Closes issue 2017_.

.. _issue 2017: #​2017
.. _issue 2021: #​2021
.. _issue 2022: #​2022
.. _issue 2024: #​2024
.. _issue 2025: #​2025

.. _changes_7-10-2:

kubernetes-client/python (kubernetes)

v35.0.0

Compare Source

Kubernetes API Version: v1.35.0

API Change

• Added ObservedGeneration to CustomResourceDefinition conditions. (kubernetes/kubernetes#134984, @​michaelasp)

• Added WithOrigin within apis/core/validation with adjusted tests. (kubernetes/kubernetes#132825, @​PatrickLaabs)

• Added scoring for the prioritized list feature so nodes that best satisfy the highest-ranked subrequests were chosen. (kubernetes/kubernetes#134711, @​mortent) [SIG Node, Scheduling and Testing]

• Added the --min-compatibility-version flag to kube-apiserver, kube-controller-manager, and kube-scheduler. (kubernetes/kubernetes#133980, @​siyuanfoundation) [SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]

• Added the StorageVersionMigration v1beta1 API and removed the v1alpha1 API.

  ACTION REQUIRED: The v1alpha1 API is no longer supported. Users must remove any v1alpha1 resources before upgrading. (kubernetes/kubernetes#134784, @​michaelasp) [SIG API Machinery, Apps, Auth, Etcd and Testing]

• Added validation to ensure log-flush-frequency is a positive value, returning an error instead of causing a panic. (kubernetes/kubernetes#133540, @​BenTheElder) [SIG Architecture, Instrumentation, Network and Node]

• All containers are restarted when a source container in a restart policy rule exits. This alpha feature is gated behind RestartAllContainersOnContainerExit. (kubernetes/kubernetes#134345, @​yuanwang04) [SIG Apps, Node and Testing]

• CSI drivers can now opt in to receive service account tokens via the secrets field instead of volume context by setting spec.serviceAccountTokenInSecrets: true in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the CSIServiceAccountTokenSecrets feature gate (beta in v1.35). (kubernetes/kubernetes#134826, @​aramase) [SIG API Machinery, Auth, Storage and Testing]

• Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, credPluginPolicy and credPluginAllowlist. This is documented in KEP-3104 and documentation is added to the website by kubernetes/website#52877 (kubernetes/kubernetes#134870, @​pmengelbert) [SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]

• DRA device taints: DeviceTaintRule status provides information about the rule, including whether Pods still need to be evicted (EvictionInProgress condition). The newly added None effect can be used to preview what a DeviceTaintRule would do if it used the NoExecute effect and to taint devices (device health) without immediately affecting scheduling or running Pods. (kubernetes/kubernetes#134152, @​pohly) [SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]

• DRA: The DynamicResourceAllocation feature gate for the core functionality (GA in v1.34) has now been locked to enabled-by-default and cannot be disabled anymore. (kubernetes/kubernetes#134452, @​pohly) [SIG Auth, Node, Scheduling and Testing]

• Enabled kubectl get -o kyaml by default. To disable it, set KUBECTL_KYAML=false. (kubernetes/kubernetes#133327, @​thockin)

• Enabled in-place resizing of pod-level resources.

  • Added Resources in PodStatus to capture resources set in the pod-level cgroup.
  • Added AllocatedResources in PodStatus to capture resources requested in the PodSpec. (kubernetes/kubernetes#132919, @​ndixita) [SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]

• Enabled the NominatedNodeNameForExpectation feature in kube-scheduler by default.

  • Enabled the ClearingNominatedNodeNameAfterBinding feature in kube-apiserver by default. (kubernetes/kubernetes#135103, @​ania-borowiec) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]

• Enhanced discovery responses to merge API groups and resources from all peer apiservers when the UnknownVersionInteroperabilityProxy feature is enabled. (kubernetes/kubernetes#133648, @​richabanker) [SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]

• Extended core/v1 Toleration to support numeric comparison operators (Gt,Lt). (kubernetes/kubernetes#134665, @​helayoty) [SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]

• Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that AllAlpha=true will no longer work without enabling disabled-by-default beta features that are depended on (either with AllBeta=true or explicitly enumerating the disabled dependencies). (kubernetes/kubernetes#133697, @​tallclair) [SIG API Machinery, Architecture, Cluster Lifecycle and Node]

• Generated OpenAPI model packages for API types into zz_generated.model_name.go files, accessible via the OpenAPIModelName() function. This allows API authors to declare desired OpenAPI model packages instead of relying on the Go package path of API types. (kubernetes/kubernetes#131755, @​jpbetz) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]

• Implemented constrained impersonation as described in KEP-5284. (kubernetes/kubernetes#134803, @​enj) [SIG API Machinery, Auth and Testing]

• Introduced a new declarative validation tag +k8s:customUnique to control listmap uniqueness. (kubernetes/kubernetes#134279, @​yongruilin) [SIG API Machinery and Auth]

• Introduced a structured and versioned v1alpha1 response for the statusz endpoint. (kubernetes/kubernetes#134313, @​richabanker) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]

• Introduced a structured and versioned v1alpha1 response format for the flagz endpoint. (kubernetes/kubernetes#134995, @​yongruilin) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]

• Introduced the GangScheduling kube-scheduler plugin to support "all-or-nothing" scheduling using the scheduling.k8s.io/v1alpha1 Workload API. (kubernetes/kubernetes#134722, @​macsko) [SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]

• Introduced the Node Declared Features capability (alpha), which includes:

  • A new Node.Status.DeclaredFeatures field for publishing node-specific features.
  • A component-helpers library for feature registration and inference.
  • A NodeDeclaredFeatures scheduler plugin to match pods with nodes that provide required features.
  • A NodeDeclaredFeatureValidator admission plugin to validate pod updates against a node's declared features. (kubernetes/kubernetes#133389, @​pravk03) [SIG API Machinery, Apps, Node, Release, Scheduling and Testing]

• Introduced the scheduling.k8s.io/v1alpha1 Workload API to express workload-level scheduling requirements and allow the kube-scheduler to act on them. (kubernetes/kubernetes#134564, @​macsko) [SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]

• Introduced the alpha MutableSchedulingDirectivesForSuspendedJobs feature gate (disabled by default), which allows mutating a Job's scheduling directives while the Job is suspended.
  It also updates the Job controller to clears the status.startTime field for suspended Jobs. (kubernetes/kubernetes#135104, @​mimowo) [SIG Apps and Testing]

• Kube-apiserver: Fixed a v1.34 regression in CustomResourceDefinition handling that incorrectly warned about unrecognized formats on number and integer properties. (kubernetes/kubernetes#133896, @​yongruilin) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]

• Kube-apiserver: Fixed a possible panic validating a custom resource whose CustomResourceDefinition indicates a status subresource exists, but which does not define a status property in the openAPIV3Schema. (kubernetes/kubernetes#133721, @​fusida) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]

• Kubernetes API Go types removed runtime use of the github.com/gogo/protobuf library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the google.golang.org/protobuf library, and no longer implement ProtoMessage() by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a kubernetes_protomessage_one_more_release build tag, but will be removed in v1.36. (kubernetes/kubernetes#134256, @​liggitt) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]

• Made node affinity in Persistent Volume mutable. (kubernetes/kubernetes#134339, @​huww98) [SIG API Machinery, Apps and Node]

• Moved the ImagePullIntent and ImagePulledRecord objects used by the kubelet to track image pulls to the v1beta1 API version. (kubernetes/kubernetes#132579, @​stlaz) [SIG Auth and Node]

• Pod resize now only allows CPU and memory resources; other resource types are forbidden. (kubernetes/kubernetes#135084, @​tallclair) [SIG Apps, Node and Testing]

• Prevented Pods from being scheduled onto nodes that lack the required CSI driver. (kubernetes/kubernetes#135012, @​gnufied) [SIG API Machinery, Scheduling, Storage and Testing]

• Promoted HPA configurable tolerance to beta. The HPAConfigurableTolerance feature gate has now been enabled by default. (kubernetes/kubernetes#133128, @​jm-franc) [SIG API Machinery and Autoscaling]

• Promoted ReplicaSet and Deployment .status.terminatingReplicas tracking to beta. The DeploymentReplicaSetTerminatingReplicas feature gate is now enabled by default. (kubernetes/kubernetes#133087, @​atiratree) [SIG API Machinery, Apps and Testing]

• Promoted PodObservedGenerationTracking to GA. (kubernetes/kubernetes#134948, @​natasha41575) [SIG API Machinery, Apps, Node, Scheduling and Testing]

• Promoted the JobManagedBy feature to general availability. The JobManagedBy feature gate was locked to true and will be removed in a future Kubernetes release. (kubernetes/kubernetes#135080, @​dejanzele) [SIG API Machinery, Apps and Testing]

• Promoted the MaxUnavailableStatefulSet feature to beta and enabling it by default. (kubernetes/kubernetes#133153, @​helayoty) [SIG API Machinery and Apps]

• Removed the StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, which were locked since v1.32. (kubernetes/kubernetes#134994, @​liggitt) [SIG API Machinery, Auth, Node and Testing]

• Scheduler: Added the bindingTimeout argument to the DynamicResources plugin configuration, allowing customization of the wait duration in PreBind for device binding conditions.
  Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. (kubernetes/kubernetes#134905, @​fj-naji) [SIG Node and Scheduling]

• The DRA device taints and toleration feature received a separate feature gate, DRADeviceTaintRules, which controlled support for DeviceTaintRules. This allowed disabling it while keeping DRADeviceTaints enabled so that tainting via ResourceSlices continued to work. (kubernetes/kubernetes#135068, @​pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]

• The Pod Certificates feature moved to beta. The PodCertificateRequest feature gate is set disabled by default. To use the feature, users must enable the certificates API groups in v1beta1 and enable the PodCertificateRequest feature gate. The UserAnnotations field was added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations field was added to the PodCertificateRequest API. (kubernetes/kubernetes#134624, @​yt2985) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]

• The KubeletEnsureSecretPulledImages feature was promoted to Beta and enabled by default. (kubernetes/kubernetes#135228, @​aramase) [SIG Auth, Node and Testing]

• The PreferSameZone and PreferSameNode values for the Service
  trafficDistribution field graduated to general availability. The
  PreferClose value is now deprecated in favor of the more explicit
  PreferSameZone. (kubernetes/kubernetes#134457, @​danwinship) [SIG API Machinery, Apps, Network and Testing]

• Updated ResourceQuota to count device class requests within a ResourceClaim as two additional quotas when the DRAExtendedResource feature is enabled:

  • requests.deviceclass.resource.k8s.io/<deviceclass> is charged based on the worst-case number of devices requested.
  • Device classes mapping to an extended resource now consume requests.<extended resource name>. (kubernetes/kubernetes#134210, @​yliaog) [SIG API Machinery, Apps, Node, Scheduling and Testing]

• Updated storage version for MutatingAdmissionPolicy to v1beta1. (kubernetes/kubernetes#133715, @​cici37) [SIG API Machinery, Etcd and Testing]

• Updated the Partitionable Devices feature to support referencing counter sets across ResourceSlices within the same resource pool. Devices from incomplete pools were no longer considered for allocation. This change introduced backwards-incompatible updates to the alpha feature, requiring any ResourceSlices using it to be removed before upgrading or downgrading between v1.34 and v1.35. (kubernetes/kubernetes#134189, @​mortent) [SIG API Machinery, Node, Scheduling and Testing]

• Upgraded the PodObservedGenerationTracking feature to beta in v1.34 and removed the alpha version description from the OpenAPI specification. (kubernetes/kubernetes#133883, @​yangjunmyfm192085)

• Add scoring for the prioritized list feature so that the node that can satisfy the best ranked subrequests are chosen. (kubernetes/kubernetes#134711, @​mortent) [SIG Node, Scheduling and Testing]

• Allows restart all containers when the source container exits with a matching restart policy rule. This is an alpha feature behind feature gate RestartAllContainersOnContainerExit. (kubernetes/kubernetes#134345, @​yuanwang04) [SIG Apps, Node and Testing]

• Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, credPluginPolicy and credPluginAllowlist. This is documented in KEP-3104 and documentation is added to the website by kubernetes/website#52877 (kubernetes/kubernetes#134870, @​pmengelbert) [SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]

• Enhanced discovery response to support merged API groups/resources from all peer apiservers when UnknownVersionInteroperabilityProxy feature is enabled (kubernetes/kubernetes#133648, @​richabanker) [SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]

• Extend core/v1 Toleration to support numeric comparison operators (Gt, Lt). (kubernetes/kubernetes#134665, @​helayoty) [SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]

• Features: NominatedNodeNameForExpectation in kube-scheduler and CleaeringNominatedNodeNameAfterBinding in kube-apiserver are now enabled by default. (kubernetes/kubernetes#135103, @​ania-borowiec) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]

• Implement changes to prevent pod scheduling to a node without CSI driver (kubernetes/kubernetes#135012, @​gnufied) [SIG API Machinery, Scheduling, Storage and Testing]

• Introduce scheduling.k8s.io/v1alpha1 Workload API to allow for expressing workload-level scheduling requirements and let kube-scheduler act on those. (kubernetes/kubernetes#134564, @​macsko) [SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]

• Introduce the alpha MutableSchedulingDirectivesForSuspendedJobs feature gate (disabled by default) which:

  1. allows to mutate Job's scheduling directives for suspended Jobs
  2. makes the Job controller to clear the status.startTime field for suspended Jobs (kubernetes/kubernetes#135104, @​mimowo) [SIG Apps and Testing]

• Introduced GangScheduling kube-scheduler plugin to enable "all-or-nothing" scheduling. Workload API in scheduling.k8s.io/v1alpha1 is used to express the desired policy. (kubernetes/kubernetes#134722, @​macsko) [SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]

• PV node affinity is now mutable. (kubernetes/kubernetes#134339, @​huww98) [SIG API Machinery, Apps and Node]

• ResourceQuota now counts device class requests within a ResourceClaim object as consuming two additional quotas when the DRAExtendedResource feature is enabled:

  • requests.deviceclass.resource.k8s.io/<deviceclass> with a quantity equal to the worst case count of devices requested
  • requests for device classes that map to an extended resource consume requests.<extended resource name> (kubernetes/kubernetes#134210, @​yliaog) [SIG API Machinery, Apps, Node, Scheduling and Testing]

• The DRA device taints and toleration feature now has a separate feature gate, DRADeviceTaintRules, which controls whether support for DeviceTaintRules is enabled. It is possible to disable that and keep DRADeviceTaints enabled, in which case tainting by DRA drivers through ResourceSlices continues to work. (kubernetes/kubernetes#135068, @​pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]

• The ImagePullIntent and ImagePulledRecord objects used by kubelet to store information about image pulls have been moved to the v1beta1 API version. (kubernetes/kubernetes#132579, @​stlaz) [SIG Auth and Node]

• The KubeletEnsureSecretPulledImages feature is now beta and enabled by default. (kubernetes/kubernetes#135228, @​aramase) [SIG Auth, Node and Testing]

• This change adds a new alpha feature Node Declared Features, which includes:

  • A new Node.Status.DeclaredFeatures field for Kubelet to publish node-specific features.
  • A library in component-helpers for feature registration and inference.
  • A scheduler plugin (NodeDeclaredFeatures) scheduler plugin to match pods with nodes that provide their required features.
  • An admission plugin (NodeDeclaredFeatureValidator) to validate pod updates against a node's declared features. (kubernetes/kubernetes#133389, @​pravk03) [SIG API Machinery, Apps, Node, Release, Scheduling and Testing]

• This change allows In Place Resize of Pod Level Resources

  • Add Resources in PodStatus to capture resources set at pod-level cgroup
  • Add AllocatedResources in PodStatus to capture resources requested in the PodSpec (kubernetes/kubernetes#132919, @​ndixita) [SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]

• Updates to the Partitionable Devices feature which allows for referencing counter sets across different ResourceSlices within the same resource pool.

  Devices from incomplete pools are no longer considered for allocation.

  This contains backwards incompatible changes to the Partitionable Devices alpha feature, so any ResourceSlices that uses the feature should be removed prior to upgrading or downgrading between 1.34 and 1.35. (kubernetes/kubernetes#134189, @​mortent) [SIG API Machinery, Node, Scheduling and Testing]

• Add ObservedGeneration to CustomResourceDefinition Conditions. (kubernetes/kubernetes#134984, @​michaelasp) [SIG API Machinery]

• Add StorageVersionMigration v1beta1 api and remove the v1alpha API.

  Any use of the v1alpha1 api is no longer supported and
  users must remove any v1alpha1 resources prior to upgrade. (kubernetes/kubernetes#134784, @​michaelasp) [SIG API Machinery, Apps, Auth, Etcd and Testing]

• CSI drivers can now opt-in to receive service account tokens via the secrets field instead of volume context by setting spec.serviceAccountTokenInSecrets: true in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the CSIServiceAccountTokenSecrets feature gate (Beta in v1.35). (kubernetes/kubernetes#134826, @​aramase) [SIG API Machinery, Auth, Storage and Testing]

• DRA device taints: DeviceTaintRule status provided information about the rule, in particular whether pods still need to be evicted ("EvictionInProgress" condition). The new "None" effect can be used to preview what a DeviceTaintRule would do if it used the "NoExecute" effect and to taint devices ("device health") without immediately affecting scheduling or running pods. (kubernetes/kubernetes#134152, @​pohly) [SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]

• DRA: the DynamicResourceAllocation feature gate for the core functionality (GA in 1.34) is now locked to enabled-by-default and thus cannot be disabled anymore. (kubernetes/kubernetes#134452, @​pohly) [SIG Auth, Node, Scheduling and Testing]

• Forbid adding resources other than CPU & memory on pod resize. (kubernetes/kubernetes#135084, @​tallclair) [SIG Apps, Node and Testing]

• Implement constrained impersonation as described in https://kep.k8s.io/5284 (kubernetes/kubernetes#134803, @​enj) [SIG API Machinery, Auth and Testing]

• Introduces a structured and versioned v1alpha1 response for flagz (kubernetes/kubernetes#134995, @​yongruilin) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]

• Introduces a structured and versioned v1alpha1 response for statusz (kubernetes/kubernetes#134313, @​richabanker) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]

• New --min-compatibility-version flag for apiserver, kcm and kube scheduler (kubernetes/kubernetes#133980, @​siyuanfoundation) [SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]

• Promote PodObservedGenerationTracking to GA. (kubernetes/kubernetes#134948, @​natasha41575) [SIG API Machinery, Apps, Node, Scheduling and Testing]

• Promoted Job Managed By to general availability. The JobManagedBy feature gate is now locked to true, and will be removed in a future release of Kubernetes. (kubernetes/kubernetes#135080, @​dejanzele) [SIG API Machinery, Apps and Testing]

• Promoted ReplicaSet and Deployment .status.terminatingReplicas tracking to beta. The DeploymentReplicaSetTerminatingReplicas feature gate is now enabled by default. (kubernetes/kubernetes#133087, @​atiratree) [SIG API Machinery, Apps and Testing]

• Scheduler: added a new bindingTimeout argument to the DynamicResources plugin configuration.
  This allows customizing the wait duration in PreBind for device binding conditions.
  Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. (kubernetes/kubernetes#134905, @​fj-naji) [SIG Node and Scheduling]

• The Pod Certificates feature is moving to beta. The PodCertificateRequest feature gate is still set false by default. To use the feature, users will need to enable the certificates API groups in v1beta1 and enable the feature gate PodCertificateRequest. A new field UserAnnotations is added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations is added to the PodCertificateRequest API. (kubernetes/kubernetes#134624, @​yt2985) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]

• The StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, locked on since 1.32, have been removed (kubernetes/kubernetes#134994, @​liggitt) [SIG API Machinery, Auth, Node and Testing]

• The PreferSameZone and PreferSameNode values for Service's
  trafficDistribution field are now GA. The old value PreferClose is now
  deprecated in favor of the more-explicit PreferSameZone. (kubernetes/kubernetes#134457, @​danwinship) [SIG API Machinery, Apps, Network and Testing]

• Kube-apiserver: fix a possible panic validating a custom resource whose CustomResourceDefinition indicates a status subresource exists, but which does not define a status property in the openAPIV3Schema (kubernetes/kubernetes#133721, @​fusida) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]

• Kubernetes API Go types removed runtime use of the github.com/gogo/protobuf library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the google.golang.org/protobuf library, and no longer implement ProtoMessage() by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a kubernetes_protomessage_one_more_release build tag, but will be removed in 1.36. (kubernetes/kubernetes#134256, @​liggitt) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]

• Promoted HPA configurable tolerance to beta. The HPAConfigurableTolerance feature gate is now enabled by default. (kubernetes/kubernetes#133128, @​jm-franc) [SIG API Machinery and Autoscaling]

• The MaxUnavailableStatefulSet feature is now beta and enabled by default. (kubernetes/kubernetes#133153, @​helayoty) [SIG API Machinery and Apps

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.