Releases: kcp-dev/kcp
v0.29.0
Changes by Kind
API Change
- Add per-workspace authentication feature (behind the disabled by default feature gate `WorkspaceAuthentication`), allowing additional authenticators (JWT/OIDC at the moment) to be configured for workspace types in order to admit external users into logical clusters. (#3481, @xrstf)
- Added path to cachedresource so that CachedResourceEndpointSlice can reference a CachedResource in another workspace (#3726, @olamilekan000)
- Allow for custom cleanup logic of LogicalClusters through the terminating virtualworkspace (#3615, @SimonTheLeg)
- Changes in APIExport API: resource schema storage `virtual`, added Virtual resources support (#3620, @gman0)
- Implement the admission framework for virtual workspaces. The `VirtualWorkspace` interface has been extended with two new interfaces (`admission.Mutator` and `admission.Validator`). Virtual workspace builders who are not using the `DynamicVirtualWorkspaces` framework have to modify their implementations to implement these two interfaces. Virtual workspace builders who are using the `DynamicVirtualWorkspaces` framework do not have to do anything if they don't want to use admission in their virtual workspaces (#3494, @xmudrii)
- Implement label selectors (`matchLabels` and `matchExpressions`) for PermissionClaims (#3494, @xmudrii)
- Rebase to Kubernetes v1.33.3. WatchList has been disabled upstream; following this, watchers will no longer receive the state of objects when starting a watch (#3511, @ntnn)
- Stop printing Ready column for `APIExports` as virtual workspace URLs are no longer populated by default (#3493, @embik)
- The kcp CLI has been moved from `github.com/kcp-dev/kcp/cli` to `github.com/kcp-dev/cli`. The source code is maintained in `staging/src/github.com/kcp-dev/cli` in the main kcp repo (i.e. `cli` is a staged repository). This does not affect the existing `cli` releases. The CLI users will be required to change the import paths in their Go code and `go.mod` upon upgrading the CLI. (#3697, @xmudrii)
- The kcp SDK has been moved from `github.com/kcp-dev/kcp/sdk` to `github.com/kcp-dev/sdk`. The source code is maintained in `staging/src/github.com/kcp-dev/sdk` in the main kcp repo (i.e. `sdk` is a staged repository). This does not affect the existing `sdk` releases. The SDK users will be required to change the import paths in their Go code and `go.mod` upon upgrading the SDK. (#3694, @xmudrii)
- Users from other workspaces can be authorized by granting permission to the `system:cluster:<clusterid>` group. Authorization webhooks now get a payload with the target cluster in the `authorization.kcp.io/cluster-name` extra. The `authorization.kubernetes.io/cluster-name` extra is deprecated and will be removed in a future release (#3530, @ntnn)
Feature
- Add --preserve-resources to apigen tool to enable resource preservation. Without this it always overrides resources on generation. (#3646, @mjudeikis)
- Add metrics for logical clusters count (#3496, @cnvergence)
- Add new `kcp_indexed_logicalclusters` metric that contains the number of known logicalclusters per shard (metric has a `shard` label). (#3482, @xrstf)
- Added --i and --interactive flags to the workspace command for exploring and managing workspaces interactively. (#3611, @olamilekan000)
- Added `--create-context` flag to `create-workspace` command to automatically create a kubeconfig context for the new workspace. Use `--create-context=<name>` to create without switching, or combine with `--enter` to create and switch context in one step. (#3550, @vishalanarase)
- Added workspace cluster id as part of information displayed when in interactive mode. (#3728, @olamilekan000)
- Adds resource version and UID to object's annotation before persisting to the cache server (#3648, @olamilekan000)
- Path mappings in the front-proxy are treated as standard Go ServerMux patterns and can make use of the `{cluster}` placeholder to provide a cluster context to the WorkspaceAuthentication for virtual workspaces (e.g. `/services/myservice/clusters/{cluster}`). (#3628, @xrstf)
- The extra `authentication.kubernetes.io/cluster-name` in the user info of Service Accounts has been renamed to `authentication.kcp.io/cluster-name` (#3568, @ntnn)
Documentation
- Production deployment documentation (#3712, @mjudeikis)
- Fix cache replication issue where objects were not updated post first create (#3626, @mjudeikis)
Bug or Regression
- Prevent goroutine leaks when deleting workspaces (#3491, @ntnn)
- Fix CRDs with kind `Cluster` leading to errors. Fix URLs with multiple `/cluster/...` segments being silently ignored (#3537, @ntnn)
- Fix APIBinding admission mishandling v1alpha1 API version. This fixes the bug where it was impossible to apply v1alpha1 APIBindings (#3543, @xmudrii)
- Fix TokenReviews when using WorkspaceAuthentication (#3624, @xrstf)
- Fix `create-workspace` on an existing workspace throwing a panic (#3518, @ntnn)
- Fix `kubectl kcp bind` command after verbs permission claims migration (#3523, @mjudeikis)
- Fix permission claim controller hot loop when claiming events in an `APIExport` (#3501, @mjudeikis)
- Fixed a bug that prevents the deletion of a cachedresource that makes a reference to a resource that doesn't have GVR. (#3730, @olamilekan000)
- Fixed an issue where APIEndpointExportSlices are not recreated by APIExport when deleted (#3645, @olamilekan000)
- Fixed an issue where the kubectl ws command did not correctly handle kubeconfig flag (--kubeconfig ). (#3596, @olamilekan000)
- Fixed reconciliation logic to detect selector changes in APIBinding permission claims. (#3710, @olamilekan000)
- Make SDK `go installable` after monorepo migration. This is a temporary solution. (#3656, @mjudeikis)
- The kcp kubectl plugin now supports kcp <0.28 again. In kcp 0.28+, `kubectl kcp claims get apibinding` now shows the permission claim verbs. (#3539, @xrstf)
- `kubectl kcp` returns error instead of panic when converting CRD with service webhook reference (#3671, @m-szalik)
- Consistently use the user-provided base URL as the default for ShardBaseURL and VirtualWorkspacesURL (#3636, @mjudeikis)
Other (Cleanup or Flake)
- Kcp is built with Go 1.24.8 (#3634, @embik)
- Kcp is built with Go 1.24.9 (#3651, @embik)
- Kubernetes 1.33.5 patch rebase (#3722, @SimonTheLeg)
Dependencies
Added
- github.com/containerd/errdefs/pkg: v0.3.0
- github.com/containerd/typeurl/v2: v2.2.2
- github.com/go-jose/go-jose/v3: v3.0.4
- github.com/golang-jwt/jwt/v5: v5.2.2
- github.com/ntnn/goleak: cbb740d
- github.com/opencontainers/cgroups: v0.0.1
- github.com/opencontainers/image-spec: v1.1.1
- github.com/xrstf/mockoidc: 711cc4e
- gopkg.in/go-jose/go-jose.v2: v2.6.3
- sigs.k8s.io/randfill: v1.0.0
Changed
- github.com/Microsoft/hnslib: v0.0.8 → v0.1.1
- github.com/containerd/containerd/api: v1.7.19 → v1.8.0
- github.com/containerd/errdefs: v0.1.0 → v1.0.0
- github.com/containerd/ttrpc: v1.2.5 → v1.2.6
- github.com/coredns/corefile-migration: v1.0.24 → v1.0.25
- github.com/coreos/go-oidc: v2.2.1+incompatible → v2.3.0+incompatible
- github.com/cyphar/filepath-securejoin: v0.3.4 → v0.4.1
- github.com/go-logfmt/logfmt: v0.5.1 → v0.4.0
- github.com/google/cadvisor: v0.51.0 → v0.52.1
- github.com/google/cel-go: v0.22.1 → v0.23.2
- github.com/google/gofuzz: v1.2.0 → v1.0.0
- github.com/google/pprof: 40e02aa → d1b30fe
- github.com/gorilla/websocket: v1.5.0 → e064f32
- github.com/grpc-ecosystem/grpc-gateway/v2: v2.25.1 → v2.24.0
- github.com/kcp-dev/embeddedetcd: 89d1631 → a4839a8
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/api: ddbe171 → f038ec6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiextensions-apiserver: ddbe171 → f038ec6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apimachinery: ddbe171 → f038ec6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiserver: ddbe171 → f038ec6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cli-runtime: [ddbe171 → f038ec...
v0.28.3
Warning
v0.28.2 failed its release pipeline and is thus not a valid release. Please use v0.28.3 (this release).
Changes by Kind
Security
- GHSA-q6hv-wcjr-wp8h: Execute object validation in virtual workspaces (#3599, @SimonTheLeg)
Bug or Regression
- Fixes unserved schemas via APIExports VirtualWorkspace, when `listType=atomic` is used in resource schema. (#3597, @mjudeikis)
Dependencies
Added
Nothing has changed.
Changed
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/api: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiextensions-apiserver: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apimachinery: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiserver: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cli-runtime: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/client-go: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cloud-provider: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cluster-bootstrap: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/code-generator: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-base: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-helpers: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/controller-manager: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-api: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-client: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/csi-translation-lib: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/dynamic-resource-allocation: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/endpointslice: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/externaljwt: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kms: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-aggregator: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-controller-manager: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-proxy: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-scheduler: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubectl: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubelet: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/metrics: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/mount-utils: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/pod-security-admission: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/sample-apiserver: ddbe171 → bdb5e92
- github.com/kcp-dev/kubernetes: ddbe171 → bdb5e92
Removed
Nothing has changed.
v0.28.1
Changes by Kind
Bug or Regression
- Fix APIBinding admission mishandling v1alpha1 API version. This fixes the bug where it was impossible to apply v1alpha1 APIBindings (#3544, @xmudrii)
- Stop printing Ready column for `APIExports` as virtual workspace URLs are no longer populated by default (#3493, @embik)
- Fix CRDs with kind `Cluster` leading to errors and fix URLs with multiple `/cluster/...` segments being silently ignored (#3548, @ntnn)
- Fix `create-workspace` on an existing workspace throwing a panic (#3524, @ntnn)
- Fix `kubectl kcp bind` command after verbs permission claims migration (#3531, @mjudeikis)
- Fix permission claim controller hot loop when claiming events in an `APIExport` (#3503, @mjudeikis)
- The kcp kubectl plugin now supports kcp <0.28 again. In kcp 0.28+, `kubectl kcp claims get apibinding` now shows the permission claim verbs (#3541, @xrstf)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v0.28.0
Changes by Kind
Security
- Update `github.com/golang-jwt/jwt/v4` to v4.5.2 (addressing CVE-2025-30204) (#3352, @embik) (#3454, @xrstf)
Deprecation
- Deprecate `APIExport` Virtual Workspace URL population. Add feature flag `EnableDeprecatedAPIExportVirtualWorkspacesUrls` to re-enable deprecated `APIExport` Virtual Workspace URLs (#3411, @mjudeikis)
API Change
- Add caching API under `cache.kcp.io` to be able to interact with cache server programmatically (#3382, @mjudeikis)
- Add optional `spec.mount` to `Workspace` objects to stabilize mount API (#3380, @mjudeikis)
- Add `CachedResourcesEndpointSlice` resource (#3442, @gman0)
- Add new version of `APIBinding` to `apis.kcp.io/v1alpha2` (#3384, @xmudrii)
- Add new version of `APIExport` to `apis.kcp.io/v1alpha2` (#3318, @xrstf)
- Implement support for verbs in PermissionClaims (#3402, @xmudrii)
- Make `CachedResource` GVR immutable and unique in the logical cluster (#3476, @gman0)
- Rebase to Kubernetes v1.32.3 (#3383, @gman0)
  - `ValidatingAdmissionPolicy` has been removed from `admissionregistration.k8s.io/v1alpha1` as per Kubernetes v1.32 API lifecycle management
  - `admissionregistration.k8s.io/v1alpha1` is no longer being served by default
- Stop printing Ready column for `APIExports` as virtual workspace URLs are no longer populated by default (#3493, @embik)
- Add `sdk/testing/server.ContextRunInProcessFunc`. Deprecate `sdk/testing/server.RunInProcessFunc` (#3388, @ntnn)
- Serve both `v1alpha1` and `v1alpha2` of `APIBindings` in the `APIExport` Virtual Workspace (#3430, @xmudrii)
  - Fix a panic in the OpenAPI v3 endpoint for Virtual Workspaces happening if there's a resource with two or more versions
Feature
- Add Replication virtual workspace for `CachedResource`. Endpoint for the Replication VW is now displayed in its respective `CachedResourceEndpointSlice` (#3480, @gman0)
- Add a new `--root-identities-file` CLI flag to `kcp` used to bootstrap APIExport identities inside the root workspace (#3400, @gman0)
- Add a controller to automatically keep defaultAPIBindings defined in a `WorkspaceType` up to date in all workspaces that derive from it. This behaviour is enabled by configuring `.spec.defaultAPIBindingLifecycle` (#3381, @MisterMX)
- Enable CLI flag `--encryption-provider-config` in the `kcp` binary (#3470, @adrianrobotka)
- Print flags in sections for `kcp-front-proxy` binary (#3385, @sttts)
- Run the admission chain in the virtual workspace (forwarding) registry with the `create` verb upon creating a new object using server-side apply. As a result, running the server-side apply for a claimed resource in the APIExport Virtual Workspace requires the `create` verb (#3439, @xmudrii)
- The kcp specific CRDs are now bundled into one yaml file that is part of the release (#3466, @mikkeldamsgaard)
Bug or Regression
- Authorization checks on resources from an `APIExport` delegate to the next authorizer if the `APIExport` is not found (#3467, @ntnn)
- Disable the `cd semantic` notice when `--short` is provided (#3423, @ntnn)
- Fix `--bind-address` not being honoured in some generated configuration files (#3418, @ntnn)
- Fix `APIResourceSchema` name for the `WorkspaceTypes` resource to unblock upgrade from previous versions (#3349, @embik)
- Fix URL update when logicalcluster URL changes but workspace URL is not updated (#3474, @mjudeikis)
- Only set `experimental.tenancy.kcp.io/owner` annotation on `LogicalCluster` if `Workspace` has the annotation (#3438, @embik)
- Remove `VOLUME` from Dockerfile so no `/data` volume is mounted anymore (#3434, @embik)
Other (Cleanup or Flake)
- Fix consistency for DynamicRestMapper & workspace cleaner (#3447, @mjudeikis)
- Move to use dynamicRestMapper everywhere to dynamically resolve Kind to resource and vice versa (#3462, @mjudeikis)
- Update to Go 1.23.10 (#3443, @xrstf)
- Update to kcp/code-generator v3 (#3406, @xrstf)
- Stop exposing mini-front-proxy handlers (including `/metrics`) on kcp server unless `--additional-mappings-file` is passed (#3361, @embik)
Dependencies
Added
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.24.2
- github.com/Microsoft/hnslib: v0.0.8
- github.com/containerd/containerd/api: v1.7.19
- github.com/containerd/errdefs: v0.1.0
- github.com/containerd/log: v0.1.0
- github.com/kcp-dev/code-generator/v3: 4094fb8
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/externaljwt: ddbe171
- github.com/klauspost/compress: v1.17.11
- github.com/kylelemons/godebug: v1.1.0
- github.com/moby/sys/userns: v0.1.0
- github.com/planetscale/vtprotobuf: 0393e58
- go.opentelemetry.io/auto/sdk: v1.1.0
- go.opentelemetry.io/contrib/detectors/gcp: v1.31.0
- go.opentelemetry.io/otel/sdk/metric: v1.31.0
Changed
- cel.dev/expr: v0.15.0 → v0.19.1
- cloud.google.com/go/accessapproval: v1.7.1 → v1.7.5
- cloud.google.com/go/accesscontextmanager: v1.8.1 → v1.8.5
- cloud.google.com/go/aiplatform: v1.48.0 → v1.60.0
- cloud.google.com/go/analytics: v0.21.3 → v0.23.0
- cloud.google.com/go/apigateway: v1.6.1 → v1.6.5
- cloud.google.com/go/apigeeconnect: v1.6.1 → v1.6.5
- cloud.google.com/go/apigeeregistry: v0.7.1 → v0.8.3
- cloud.google.com/go/appengine: v1.8.1 → v1.8.5
- cloud.google.com/go/area120: v0.8.1 → v0.8.5
- cloud.google.com/go/artifactregistry: v1.14.1 → v1.14.7
- cloud.google.com/go/asset: v1.14.1 → v1.17.2
- cloud.google.com/go/assuredworkloads: v1.11.1 → v1.11.5
- cloud.google.com/go/automl: v1.13.1 → v1.13.5
- cloud.google.com/go/baremetalsolution: v1.1.1 → v1.2.4
- cloud.google.com/go/batch: v1.3.1 → v1.8.0
- cloud.google.com/go/beyondcorp: v1.0.0 → v1.0.4
- cloud.google.com/go/bigquery: v1.53.0 → v1.59.1
- cloud.google.com/go/billing: v1.16.0 → v1.18.2
- cloud.google.com/go/binaryauthorization: v1.6.1 → v1.8.1
- cloud.google.com/go/certificatemanager: v1.7.1 → v1.7.5
- cloud.google.com/go/channel: v1.16.0 → v1.17.5
- cloud.google.com/go/cloudbuild: v1.13.0 → v1.15.1
- cloud.google.com/go/clouddms: v1.6.1 → v1.7.4
- cloud.google.com/go/cloudtasks: v1.12.1 → v1.12.6
- cloud.google.com/go/compute/metadata: v0.3.0 → v0.5.2
- cloud.google.com/go/compute: v1.23.0 → v1.24.0
- cloud.google.com/go/contactcenterinsights: v1.10.0 → v1.13.0
- cloud.google.com/go/container: v1.24.0 → v1.31.0
- cloud.google.com/go/containeranalysis: v0.10.1 → v0.11.4
- cloud.google.com/go/datacatalog: v1.16.0 → v1.19.3
- cloud.google.com/go/dataflow: v0.9.1 → v0.9.5
- cloud.google.com/go/dataform: v0.8.1 → v0.9.2
- cloud.google.com/go/datafusion: v1.7.1 → v1.7.5
- cloud.google.com/go/datalabeling: v0.8.1 → v0.8.5
- cloud.google.com/go/dataplex: v1.9.0 → v1.14.2
- cloud.google.com/go/dataproc/v2: v2.0.1 → v2.4.0
- cloud.google.com/go/dataqna: v0.8.1 → v0.8.5
- cloud.google.com/go/datastore: v1.13.0 → v1.15.0
- cloud.google.com/go/datastream: v1.10.0 → v1.10.4
- cloud.google.com/go/deploy: v1.13.0 → v1.17.1
- cloud.google.com/go/dialogflow: v1.40.0 → v1.49.0
- cloud.google.com/go/dlp: v1.10.1 → v1.11.2
- cloud.google.com/go/documentai: v1.22.0 → v1.25.0
- cloud.google.com/go/domains: v0.9.1 → v0.9.5
- cloud.google.com/go/edgecontainer: v1.1.1 → v1.1.5
- cloud.google.com/go/essentialcontacts: v1.6.2 → v1.6.6
- cloud.google.com/go/eventarc: v1.13.0 → v1.13.4
- cloud.google.com/go/filestore: v1.7.1 → v1.8.1
- cloud.google.com/go/firestore: v1.12.0 → v1.14.0
- cloud.google.com/go/functions: v1.15.1 → v1.16.0
- cloud.google.com/go/gkebackup: v1.3.0 → v1.3.5
- cloud.google.com/go/gkeconnect: v0.8.1 → v0.8.5
- cloud.google.com/go/gkehub: v0.14.1 → v0.14.5
- cloud.google.com/go/gkemulticloud: v1.0.0 → v1.1.1
- cloud.google.com/go/gsuiteaddons: v1.6.1 → v1.6.5
- cloud.google.com/go/iam: v1.1.1 → v1.1.6
- cloud.google.com/go/iap: v1.8.1 → v1.9.4
- cloud.google.com/go/ids: v1.4.1 → v1.4.5
- cloud.google.com/go/iot: v1.7.1 → v1.7.5
- cloud.google.com/go/kms: v1.15.0 → v1.15.7
- cloud.google.com/go/language: v1.10.1 → v1.12.3
- cloud.google.com/go/lifesciences: v0.9.1 → v0.9.5
- cloud.google.com/go/logging: v1.7.0 → v1.9.0
- cloud.google.com/go/longrunning: v0.5.1 → v0.5.5
- cloud.google.com/go/managedidentities: v1.6.1 → v1.6.5
- cloud.google.com/go/maps: v1.4.0 → v1.6.4
- cloud.google.com/go/mediatranslation: v0.8.1 → v0.8.5
- cloud.google.com/go/memcache: v1.10.1 → v1.10.5
- cloud.google.com/go/metastore: v1.12.0 → v1.13.4
- cloud.google.com/go/monitoring: v1.15.1 → v1.18.0
- cloud.google.com/go/networkconnectivity: v1.12.1 → v1.14.4
- cloud.google.com/go/networkmanagement: v1.8.0 → v1.9.4
- cloud.google.com/go/networksecurity: v0.9.1 → v0.9.5
- cloud.google.com/go/notebooks: v1.9.1 → v1.11.3
- cloud.google.com/go/optimization: v1.4.1 → v1.6.3
- cloud.google.com/go/orchestration: v1.8.1 → v1.8.5
- cloud.google.com/go/orgpolicy: v1.11.1 → v1.12.1
- cloud.google.com/go/osconfig: v1.12.1 → v1.12.5
- cloud.google.com/go/oslogin: v1.10.1 → v1.13.1
- cloud.google.com/go/phishingprotection: v0.8.1 → v0.8.5
- cloud.google.com/go/policytroubleshooter: v1.8.0 → v1.10.3
- cloud.google.com/go/privatecatalog: v0.9.1 → v0.9.5
- cloud.google.com/go/pubsub: v1.33.0 → v1.36.1
- cloud.google.com/go/recaptchaenterprise/v2: v2.7.2 → v2.9.2
- cloud.google.com/go/recommendat...
v0.27.1
Changes by Kind
Security
- Update `github.com/golang-jwt/jwt/v4` to v4.5.2 (addressing CVE-2025-30204) (#3356, @embik)
Bug or Regression
- Fix `APIResourceSchema` name for the `WorkspaceTypes` resource to unblock upgrade from previous versions (#3353, @embik)
Dependencies
Added
Nothing has changed.
Changed
- github.com/golang-jwt/jwt/v4: v4.5.0 → v4.5.2
Removed
Nothing has changed.
v0.27.0
Changes by Kind
Breaking Change
Security
- Fix impersonation for non-system users (GHSA-c7xh-gjv4-4jgv) (#3206, @mjudeikis)
- Add additional authorizer to APIExport Virtual Workspace that queries APIBinding for authorization decisions (GHSA-w2rr-38wv-8rrp / CVE-2025-29922) (#3338, @embik)
API Change
- Expose the kcp e2e test framework through the SDK. (#3327, @sttts)
- Updated dependencies to be in line with Kubernetes v1.31.6 (#3307, @gman0)
Feature
- Pass through original identity of controllers accessing a logical cluster through the APIExport virtual workspace. To get the required permissions, a warrant mechanism is added through user extra fields that attaches secondary user identities purely used for authorization. (#3156, @sttts)
- Make APIExportEndpointSlices consumer aware (#3256, @mjudeikis)
- Add workspace phase reporter reconciler (#3183, @mjudeikis)
- Add the Unavailable phase to the API (#3183, @mjudeikis)
- Implement exclusion of Unavailable workspaces from serving via proxy to avoid serving something which is not supposed to be served. (#3183, @mjudeikis)
- Add OpenAPI v3 schema support to the Virtual Workspace framework (#3246, @xmudrii)
- Add `--accept-permission-claim` and `--reject-permission-claim` flag to `kubectl kcp bind apiexport` (#3334, @mjudeikis)
- Add original user/groups information as extra to the impersonating client used by virtual workspace. (#3155, @turkenh)
- Add support for external webhook authorization. (#3198, @xrstf)
- Add user info support for scopes through the extra key `authentication.kcp.io/scopes: cluster:<name>,...` to contain a user in a certain cluster. Multiple extra values are conjunctive, i.e. their intersection is the allowed scope. (#3235, @sttts)
- Enable structured authentication configuration from a file with `--authentication-config` flag. (#3295, @cnvergence)
- Enhance local development experience for VirtualWorkspaces, adding `--mappings-file` option for local dev (#3199, @mjudeikis)
- Provide `--authorization-order` flag that allows kcp administrator to tune the authorizer behaviour and rearrange the order. (#3281, @cnvergence)
- Provide a feature gate `GlobalServiceAccount` that enables cross-workspace `ServiceAccount` authorization (requires `--service-account-lookup=false` in sharded environments). (#3328, @cnvergence)
- Replicate `APIExportEndpointSlices` to cache server (#3277, @mjudeikis)
Bug or Regression
- Fix critical race condition between APIBindings and CRDs potentially allowing the same resource to be bound by multiple bindings or CRDs, leading to data loss or inconsistent state. (#3251, @sttts)
- Fix external modifications to annotations being reverted by admission webhook (#3229, @ntnn)
- Add additional validation for impersonation to prevent groups and extras privileged impersonations. (#3243, @mjudeikis)
- Fix regression in DeepCopy generator (#3188, @mjudeikis)
- Purposefully crash if leader election was won but controllers failed to install, allowing another instance to take leadership (#3196, @embik)
- Update kcp start options to print to stdout (#3237, @jmcshane)
Other (Cleanup or Flake)
- Add wget to final image (#3240, @mjudeikis)
- Build apigen binary on releases (#3326, @mjudeikis)
- Crd-puller will generate files with 0644 permissions instead of 0777. (#3319, @xrstf)
- Update golangci-lint to 1.26.2, remove dependency on standalone staticcheck binary (#3208, @xrstf)
- kcp is built with Go 1.23.7 (#3331, @embik)
- kcp is built with Go 1.22.10 (#3212, @embik)
- kcp is built with Go 1.22.9 (#3200, @embik)
Dependencies
Added
- github.com/kcp-dev/embeddedetcd: v1.0.2
Changed
- github.com/go-openapi/jsonpointer: v0.19.6 → v0.21.0
- github.com/go-openapi/jsonreference: v0.20.2 → v0.21.0
- github.com/go-openapi/swag: v0.22.4 → v0.23.0
- github.com/google/gnostic-models: v0.6.8 → v0.6.9
- github.com/kcp-dev/apimachinery/v2: a9eb975 → 431177b
- github.com/kcp-dev/client-go: f5949d8 → 3dea338
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/api: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiextensions-apiserver: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apimachinery: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiserver: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cli-runtime: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/client-go: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cloud-provider: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cluster-bootstrap: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/code-generator: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-base: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-helpers: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/controller-manager: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-api: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-client: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/csi-translation-lib: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/dynamic-resource-allocation: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/endpointslice: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kms: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-aggregator: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-controller-manager: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-proxy: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-scheduler: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubectl: ab5c3a6 → 0011b8c
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubelet: ab5c3a6 → 0011b8c
- github.com...
v0.26.3
Note: v0.26.2 has not been released properly due to an issue in our release engineering tools and thus, should be skipped.
Changes by Kind
Security
- Add additional authorizer to APIExport Virtual Workspace that queries APIBinding for authorization decisions (GHSA-w2rr-38wv-8rrp) (#3338, @embik)
v0.27.0-rc.1
Changelog
- 2309e76 Merge pull request #3324 from Soot3/main
- 28f5a2c Merge pull request #3326 from mjudeikis/mjudeikis/add.apigen.build
- 68bef78 Update docs/content/concepts/workspaces/workspace-types.md
- 4a43c68 build apigen on make build
- 4f11204 update upload gh action
- aaa0f4b build apigen on releases
- 84b4e02 Update workspace-types.md
- 265b734 Merge pull request #3319 from xrstf/fix-crd-permissions
- 4194fde Merge pull request #3317 from gman0/verify-go-modules-no-pager
- ee3cfd3 Merge pull request #3322 from sttts/sttts-e2e-more-helpers
- 299da74 test/e2e/framework: move more helpers
- 4195908 Merge pull request #3321 from sttts/sttts-e2e-unused
- 3e3a4f8 test/e2e/framework: split server code apart
- ef21ddb test/e2e: remove empty shard test and unused helpers
- edb6028 do not create executable YAML files from crd-puller
- c7b02b3 hack/verify-go-modules.sh: don't run pager with git diff
- dfcda9f Merge pull request #3314 from embik/reduce-jobs-for-docs
- 943bcf8 Merge pull request #3312 from gman0/compare-deps-versions
- 9ea768b Merge pull request #3315 from gman0/fix-indexctr-updatehandler
- f19f2c9 Fix update handler in pkg/proxy/index controller
- 4d953ae Limit several jobs to not run for doc changes
- 1e741bb Merge pull request #3313 from Skarlso/doc-update-location
- f01aea5 Merge pull request #3311 from mjudeikis/mjudeikis/tmc.nit
- 47a9b9b doc: remove superfluous output from make install command in the docs
- ae51cc9 hack/verify-go-modules.sh: compare dependency versions against k8s.io/kubernetes
- d86e180 nit in TMC investigation
v0.26.1
Changes by Kind
API Change
- Fix impersonation for non-system users (GHSA-c7xh-gjv4-4jgv) (#3206, @mjudeikis)
Uncategorized
- Kcp is built with Go 1.22.10 (#3213, @embik)
- Release artifacts for ppc64le are no longer published (#3211, @embik)
Dependencies
Added
Nothing has changed.
Changed
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/api: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiextensions-apiserver: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apimachinery: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiserver: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cli-runtime: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/client-go: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cloud-provider: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cluster-bootstrap: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/code-generator: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-base: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-helpers: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/controller-manager: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-api: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-client: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/csi-translation-lib: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/dynamic-resource-allocation: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/endpointslice: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kms: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-aggregator: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-controller-manager: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-proxy: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-scheduler: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubectl: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubelet: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/metrics: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/mount-utils: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/pod-security-admission: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/sample-apiserver: ab5c3a6 → 70835f6
- github.com/kcp-dev/kubernetes: ab5c3a6 → 70835f6
Removed
Nothing has changed.
v0.26.0
Changes by Kind
API Change
- Rebase 1.31 (#3160, @mjudeikis)
Feature
- Add support for `internal.kcp.io/inactive` annotation on logical clusters to forbid any access beyond logical clusters. (#3152, @RedbackThomson)
Performance & Optimizations
- Fix performance issue of all watches to terminate after 30s. (#3162, @sttts)
- Fix performance problem in virtual workspace authorization. (#3163, @sttts)
- Make workspace deletion more reliable, trying harder to not leak LogicalClusters. (#3119, @sttts)
- Optimize apibinding reconciler to produce less work for the memory garbage collector. (#3166, @sttts)
- Optimize authorization in virtual workspaces. (#3167, @sttts)
- Reduce memory consumption of the admission webhook plugin. (#3165, @sttts)
- Skip attempt to create root directory if --root-directory="" is set (#3158, @embik)
Dependencies
Added
- cel.dev/expr: v0.15.0
- github.com/antlr4-go/antlr/v4: v4.13.0
- github.com/go-task/slim-sprig/v3: v3.0.0
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-client: ab5c3a6
- github.com/shurcooL/sanitized_anchor_name: v1.0.0
- github.com/urfave/cli: v1.22.1
- gopkg.in/evanphx/json-patch.v4: v4.12.0
Changed
- cloud.google.com/go/compute/metadata: v0.2.3 → v0.3.0
- github.com/Microsoft/hcsshim: v0.8.25 → v0.8.26
- github.com/alecthomas/kingpin/v2: v2.3.2 → v2.4.0
- github.com/cenkalti/backoff/v4: v4.2.1 → v4.3.0
- github.com/cespare/xxhash/v2: v2.2.0 → v2.3.0
- github.com/cncf/udpa/go: c52dc94 → 269d4d4
- github.com/cncf/xds/go: e9ce688 → 555b57e
- github.com/container-storage-interface/spec: v1.8.0 → v1.9.0
- github.com/coredns/corefile-migration: v1.0.21 → v1.0.23
- github.com/cpuguy83/go-md2man/v2: v2.0.2 → v2.0.4
- github.com/davecgh/go-spew: v1.1.1 → d8f796a
- github.com/envoyproxy/go-control-plane: v0.11.1 → v0.12.0
- github.com/envoyproxy/protoc-gen-validate: v1.0.2 → v1.0.4
- github.com/fxamacker/cbor/v2: v2.6.0 → v2.7.0
- github.com/go-logr/logr: v1.4.1 → v1.4.2
- github.com/go-openapi/swag: v0.22.3 → v0.22.4
- github.com/golang/glog: v1.1.2 → v1.2.1
- github.com/golang/mock: v1.6.0 → v1.1.1
- github.com/google/cel-go: v0.17.8 → v0.20.1
- github.com/google/pprof: 4bb14d4 → 4bfdf5a
- github.com/google/uuid: v1.3.1 → v1.6.0
- github.com/grpc-ecosystem/grpc-gateway/v2: v2.16.0 → v2.20.0
- github.com/kcp-dev/apimachinery/v2: v2.0.0 → a9eb975
- github.com/kcp-dev/client-go: bf1c9b8 → f5949d8
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/api: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiextensions-apiserver: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apimachinery: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiserver: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cli-runtime: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/client-go: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cloud-provider: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cluster-bootstrap: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/code-generator: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-base: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-helpers: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/controller-manager: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-api: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/csi-translation-lib: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/dynamic-resource-allocation: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/endpointslice: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kms: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-aggregator: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-controller-manager: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-proxy: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-scheduler: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubectl: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubelet: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/metrics: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/mount-utils: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/staging/src/k8s.io/pod-security-admission: 321bee1 → ab5c3a6
- github.com/kcp-dev/kubernetes/stagi...