Skip to content

Releases: kcp-dev/kcp

v0.31.0

13 Apr 11:55
@github-actions github-actions
v0.31.0
This tag was signed with the committer’s verified signature.
mjudeikis Mangirdas Judeikis
GPG key ID: 43EB0806F2DB6247
Verified
Learn about vigilant mode.
8ac8b61
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.31.0 Latest
Latest

Special mentions

🚀 Rebase to Kubernetes 1.35.1 — #3842 (@xmudrii)
Foundation upgrade to Kubernetes 1.35.1 + Go 1.25.7. XL change touching the entire codebase — API adaptations, test adjustments, separate etcd lifecycle context to prevent shutdown blocking.

🔒 Cross-shard service account lookup — #3973 (@ntnn)
Enables service account validation across shards via a TTL cache. Removes the previous same-shard requirement for SAs. Drops the GlobalServiceAccount feature gate (now always-on).

⚙️ APIResourceSchema Virtual Workspace — #3881 (@mjudeikis)
New virtual workspace enabling providers to access consumer workspace schemas — key for kube-bind.io integration. Requires GlobalServiceAccounts and cross-workspace RBAC.

🔑 defaultSelector for PermissionClaim on APIExport — #3884 (@mjudeikis)
API change: providers can specify default permission claim selectors on APIExport that automatically apply when APIBindings are auto-created via WorkspaceType. Replaces a cache-replication approach (#3859) that had O(workspaces × bindings) scalability concerns.

🛟 Extract Virtual Workspace framework to staging repo — #3959 (@xmudrii)
Moves pkg/virtual/framework and pkg/virtual/options into github.com/kcp-dev/virtual-workspace-framework. External VW developers no longer need to vendor the entire kcp core repo. Also moves OpenAPI defs to SDK and crdpuller to the new repo.

🏋️ Load testing framework & infrastructure — #3796, #3866, #3895 (@SimonTheLeg)
Three-part effort: concept doc, k8s infra setup, and the framework itself. Inspired by clusterloader2, uses Go iterators for tuning sets, supports scenarios like "10,000 empty workspaces" with P99 stats.

🐛 Etcd key poisoning fix — #4011 (@mjudeikis)
Critical data integrity fix: unresolved workspace paths were poisoning etcd keys with malformed cluster names. Adds 404 handling and defense-in-depth filtering.

🔨 CLI permission claims management — #3956 (@rxinui) + #3946 (@ghdrope)
New kcp claims accept / kcp claims reject subcommands plus --accept-all-permission-claims / --reject-all-permission-claims flags on kubectl kcp bind. Significant UX improvement for API consumers.

🎁 SSA (Server-Side Apply) committer — #4002 (@swastik959)
Introduces Server-Side Apply support for controllers, fixing race conditions where JSON Merge Patch would lose concurrent condition updates.

🐞 VW proxy impersonation isolation — #4009 (@officialasishkumar)
Security fix: the shared ReverseProxy in VW was being mutated concurrently, causing impersonation header leakage between requests. Each request now gets an isolated proxy instance.

Honourable mentions

Changes by Kind

Chore

API Change

  • Action: Add defaultSelector field to PermissionClaim on APIExport. When APIBindings are auto-created via WorkspaceType.defaultAPIBindings, the selector is now taken from the APIExport's defaultSelector instead of defaulting to matchAll: true. Existing APIExports without defaultSelector retain the previous matchAll: true behavior. (#3884, @mjudeikis)
  • Update kcp to Kubernetes 1.35.1

Feature

  • Add /readyz now uses NewInformerSyncHealthz
    Add /livez now uses PingHealthz (#3935, @nuromirg)
  • Add apiresourceschema virtual workspace for schema access from provider side. (#3881, @mjudeikis)
  • Added --accept-all-permission-claims and --reject-all-permission-claims flags for BindOptions. (#3946, @ghdrope)
  • Cache-server: added etcd flags
    sharded-test-server: added --cache-kubeconfig flag to use an external cache-server (#3831, @gman0)
  • Enable kcp claims accept and kcp claims reject (#3956, @rxinui)
  • Enable cross-shard service account validation (#3973, @ntnn)
  • Extract pkg/virtual/framework and pkg/virtual/options packages into a dedicated staging repository (github.com/kcp-dev/virtual-workspace-framework
    • Move the OpenAPI definitions (pkg/openapi) to the SDK repository
    • Move pkg/crdpuller package to the newly added virtual-workspace-framework repository (#3959, @xmudrii)
  • The compat CLI now supports -old-version and -new-version flags to select which CRD versions to compare. When omitted, it defaults to the first version as before. (#3943, @nuromirg)

Bug or Regression

  • BREAKING CHANGE:
    Fix {cluster} extract logic for VirtualWorkspaces. Previously, if VirtualWorkspace, used in FrontProxy mapping, had a path cluster/{cluster} - it was not resolved, and so WorkspaceAuthorizationConfiguration was not run if used inside FrontProxy, but forwarded to VirtualWorkspace without checking. As a result, if one has misconfigured VirtualWorkspace, it might receive traffic intended for another recipient. (#3857, @mjudeikis)
  • Fix --shard-virtual-workspace-url, --shard-virtual-workspace-ca-file, --shard-client-key-file, --shard-client-cert-file not being taken into account when disabling the in-process kcp virtual workspaces server on a shard. (#3955, @xrstf)
  • Fix an etcd key-corruption bug where an unresolvable multi-segment workspace path in /clusters/<path>/... on a shard could cause resources to be written to etcd under a key segment containing the raw workspace path instead of the logical cluster name, producing orphaned rows invisible to the normal API read path. The shard now returns 404 for unresolvable workspace paths, and a new defense-in-depth filter rejects any request whose context carries a path-shaped cluster name before it can reach storage. (#4011, @mjudeikis)
  • Fix concurrent map writes panic in apiexport virtual workspace when
    multiple requests share the same user.Info reference. (#3856, @dweidenfeld)
  • Fix external cache bootstrapping issues that sometimes prevented shards from bootstrapping successfully. (#3974, @xrstf)
  • Fix external virtual workspace proxying so concurrent /services/... requests keep impersonation headers request-scoped. (#4009, @officialasishkumar)
  • Fix very rare openapi-related panic during startup. (#3833, @xrstf)
  • Fixed Inherited APIBindings now inherit permission claim selectors from parent workspaces instead of defaulting to matchAll: true. (#3786, @olamilekan000)
  • Fixed TestAPIExportAPIBindingsAccess error when trying to create a ws in a shard setup (#3817, @olamilekan000)
  • Fixed events.k8s.io permission denial through APIExport virtual workspace. (#3894, @cnvergence)
  • Send initial-events-end bookmark for CachedResource virtual storage (#3875, @maxpain)
  • Strip scopes from ServiceAccount tokens in maximal permission policy check (#3867, @mjudeikis)
  • Update build version to v1.24.13 for CVE-2025-68121 (#3864, @ntnn)
  • Workspace plugin: fix a bug where calling the 'tree' command on a parent workspace that has deleting children can result in a 403 error. (#3843, @neolit123)

Other (Cleanup or Flake)

  • All kcp binaries in the container images now have their debugging symbols stripped, saving roughly 25% in total image size. (#3898, @xrstf)
  • Change "ts" in JSON logging format to be ISO 8601 instead of UNIX timestamps.
    • Add --logging-format flag to the cache-server. (#3904, @xrstf)
  • Deprecate --external-hostname, determined based on --shard-base-url or --bind-address instead (#3832, @ntnn)
  • Deprecated the unused flag --shard-external-url for virtual-workspace (#3849, @ntnn)
  • Internal: consolidate identity secret generation and hashing logic into pkg/identity (#3937, @ghdrope)

Dependencies

Added

  • cyphar.com/go-pathrs: v0.2.1
  • github.com/Masterminds/semver/v3: v3.4.0
  • github.com/jellydator/ttlcache/v3: v3.4.0
  • go.uber.org/automaxprocs: v1.6.0
  • gonum.org/v1/gonum: v0.17.0

Changed

  • cel.dev/expr: v0.24.0 → v0.25.1
  • cloud.google.com/go/compute/metadata: v0.6.0 → v0.9.0
  • github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.26.0 → v1.31.0
  • github.com/Microsoft/hnslib: v0.1.1 → v0.1.2
  • github.com/cncf/xds/go: 2f00578 → ee656c7
  • github.com/containerd/containerd/api: v1.8.0 → v1.9.0
  • github.com/containerd/ttrpc: [v1.2.6 → ...
Read more

Contributors

xrstf, neolit123, and 14 other contributors
Assets 30

v0.30.3

02 Apr 05:23
@mjudeikis mjudeikis
v0.30.3
This tag was signed with the committer’s verified signature.
mjudeikis Mangirdas Judeikis
GPG key ID: 43EB0806F2DB6247
Verified
Learn about vigilant mode.
d28209d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.30.3

What's Changed

  • [release-0.30] fix endless retry loop during external cache bootstrap by more than one kcp server replica by @kcp-ci-bot in #3978

Full Changelog: v0.30.2...v0.30.3

Contributors

kcp-ci-bot
Loading

v0.29.3

02 Apr 05:24
@mjudeikis mjudeikis
v0.29.3
This tag was signed with the committer’s verified signature.
mjudeikis Mangirdas Judeikis
GPG key ID: 43EB0806F2DB6247
Verified
Learn about vigilant mode.
42f2e02
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.29.3

What's Changed

  • [release-0.29] fix endless retry loop during external cache bootstrap by more than one kcp server replica by @kcp-ci-bot in #3979
  • [release-0.29] fix configured CA not being used when running an external kcp virtual-workspaces server by @kcp-ci-bot in #3977

Full Changelog: v0.29.2...v0.29.3

Contributors

kcp-ci-bot
Loading

v0.30.2

01 Apr 08:04
@mjudeikis mjudeikis
v0.30.2
This tag was signed with the committer’s verified signature.
mjudeikis Mangirdas Judeikis
GPG key ID: 43EB0806F2DB6247
Verified
Learn about vigilant mode.
5cf8b15
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.30.2

What's Changed

  • [release-0.30] strip debug info in container images by @kcp-ci-bot in #3903
  • [release-0.30] fix configured CA not being used when running an external kcp virtual-workspaces server by @kcp-ci-bot in #3958
  • Inter-shard by @ntnn in #3967

Full Changelog: v0.30.1...v0.30.2

Contributors

ntnn and kcp-ci-bot
Loading

v0.29.2

01 Apr 09:31
@mjudeikis mjudeikis
v0.29.2
This tag was signed with the committer’s verified signature.
mjudeikis Mangirdas Judeikis
GPG key ID: 43EB0806F2DB6247
Verified
Learn about vigilant mode.
db5b668
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.29.2

What's Changed

Full Changelog: v0.29.1...v0.29.2

Contributors

ntnn
Loading

v0.30.1

02 Mar 07:54
@mjudeikis mjudeikis
v0.30.1
This tag was signed with the committer’s verified signature.
mjudeikis Mangirdas Judeikis
GPG key ID: 43EB0806F2DB6247
Verified
Learn about vigilant mode.
5e721a0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.30.1

What's Changed

Full Changelog: v0.30.0...v0.30.1

Contributors

kcp-ci-bot
Loading

v0.29.1

02 Mar 07:56
@mjudeikis mjudeikis
v0.29.1
This tag was signed with the committer’s verified signature.
mjudeikis Mangirdas Judeikis
GPG key ID: 43EB0806F2DB6247
Verified
Learn about vigilant mode.
7b87059
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.29.1

What's Changed

  • [release-0.29] Bump to go v1.24.13 by @ntnn in #3868

Full Changelog: v0.29.0...v0.29.1

Contributors

ntnn
Loading

v0.30.0

02 Feb 12:10
@github-actions github-actions
v0.30.0
This tag was signed with the committer’s verified signature.
mjudeikis Mangirdas Judeikis
GPG key ID: 43EB0806F2DB6247
Verified
Learn about vigilant mode.
b36d1ba
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.30.0

Changes by Kind

Chore

API Change

  • Add kcp.io/path annotation to APIBindings (#3691, @mjudeikis)
  • Add kubernetes lifecycle plugin & add kube-system namespace (#3769, @mjudeikis)
  • Added cross-workspace implementation for ValidatingAdmissionPolicy. (#3743, @olamilekan000)
  • Added to path to cachedresource so that CachedResourceEndpointSlice can reference a CachedResource in another workspace (#3726, @olamilekan000)
  • Adds a type field to the VirtualWorkspace API schema to distinguish between initializing and terminating workspace URLs. (#3707, @olamilekan000)
  • JSON representation of APIExportEndpointSlice.status.endpoints field is now omitted when empty
    • JSON representation of CachedResourceEndpointSlice.status.endpoints field is now omitted when empty (#3766, @gman0)
  • Rebase k/k 1.34.2 (#3742, @mjudeikis)

Feature

Documentation

  • Add documentation for geo-distributed deployment (#3792, @mjudeikis)
  • Added documentation for Event Audit log. (#3756, @olamilekan000)
  • Added sticky warning banner on "main" branch documentation to alert users they're viewing unreleased content. (#3737, @olamilekan000)

Bug or Regression

Dependencies

Added

  • buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go: 63bb56e
  • github.com/bufbuild/protovalidate-go: v0.9.1
  • github.com/envoyproxy/go-control-plane/envoy: v1.32.4
  • github.com/envoyproxy/go-control-plane/ratelimit: v0.1.0
  • github.com/go-jose/go-jose/v4: v4.0.4
  • github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus: v1.0.1
  • github.com/grpc-ecosystem/go-grpc-middleware/v2: v2.3.0
  • github.com/spiffe/go-spiffe/v2: v2.5.0
  • github.com/zeebo/errs: v1.4.0
  • go.etcd.io/raft/v3: v3.6.0
  • go.uber.org/goleak: 2b7fd8a
  • go.yaml.in/yaml/v2: v2.4.2
  • go.yaml.in/yaml/v3: v3.0.4
  • golang.org/x/tools/go/expect: v0.1.1-deprecated
  • golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated
  • sigs.k8s.io/structured-merge-diff/v6: v6.3.0

Changed

Read more

Contributors

xrstf, gman0, and 2 other contributors
Loading

v0.29.0

02 Dec 13:56
@github-actions github-actions
v0.29.0
This tag was signed with the committer’s verified signature.
xmudrii Marko Mudrinić
SSH Key Fingerprint: iAbMxOsFU75aNCTDnrphBxbYFUFBqDOE6rHOStTuLN8
Verified
Learn about vigilant mode.
a6829d3
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.29.0

Changes by Kind

API Change

  • Add per-workspace authentication feature (behind the disabled by default feature gate WorkspaceAuthentication), allowing to configure additional authenticators (JWT/OIDC at the moment) for workspace types in order to admit external users into logical clusters. (#3481, @xrstf)
  • Added path to cachedresource so that CachedResourceEndpointSlice can reference a CachedResource in another workspace (#3726, @olamilekan000)
  • Allow for custom cleanup logic of LogicalClusters through the terminating virtualworkspace (#3615, @SimonTheLeg)
  • Changes in APIExport API: resource schema storage virtual, added Virtual resources support (#3620, @gman0)
  • Implement the admission framework for virtual workspaces. The VirtualWorkspace interface has been extended with two new interfaces (admission.Mutator and admission.Validator). Virtual workspace builders who are not using the DynamicVirtualWorkspaces framework have to modify their implementations to implement these two interfaces. Virtual workspace builders who are using the DynamicVirtualWorkspaces framework do not have to do anything if they don't want to use admission in their virtual workspaces (#3494, @xmudrii)
  • Implement label selectors (matchLabels and matchExpressions) for PermissionClaims (#3494, @xmudrii)
  • Rebase to kubernetes v1.33.3. WatchList has been disabled upstream, following this Watchers will no longer receive the state of objects when starting a watch (#3511, @ntnn)
  • Stop printing Ready column for APIExports as virtual workspace URLs are no longer populated by default (#3493, @embik)
  • The kcp CLI has been moved from github.com/kcp-dev/kcp/cli to github.com/kcp-dev/cli. The source code is maintained in staging/src/github.com/kcp-dev/cli in the main kcp repo (i.e. cli is a staged repository). This does not effect the existing cli releases. The CLI users will be required to change the import paths in their Go code and go.mod upon upgrading the CLI. (#3697, @xmudrii)
  • The kcp SDK has been moved from github.com/kcp-dev/kcp/sdk to github.com/kcp-dev/sdk. The source code is maintained in staging/src/github.com/kcp-dev/sdk in the main kcp repo (i.e. sdk is a staged repository). This does not effect the existing sdk releases. The SDK users will be required to change the import paths in their Go code and go.mod upon upgrading the SDK. (#3694, @xmudrii)
  • Users from other workspaces can be authorized by granting permission to the system:cluster:<clusterid> group. Authorization webhooks now get a payload with the target cluster in the authorization.kcp.io/cluster-name extra. The authorization.kubernetes.io/cluster-name extra is deprecated and will be removed in a future release (#3530, @ntnn)

Feature

  • Add --preserve-resources to apigen tool to enable resource preservation. Without this it always overrides resources on generation. (#3646, @mjudeikis)
  • Add metrics for logical clusters count (#3496, @cnvergence)
  • Add new kcp_indexed_logicalclusters metric that contains the number of known logicalclusters per shard (metric has a shard label). (#3482, @xrstf)
  • Added --i and --interactive flags to the workspace command for exploring and managing workspaces interactively. (#3611, @olamilekan000)
  • Added --create-context flag to create-workspace command to automatically create a kubeconfig context for the new workspace. Use --create-context=<name> to create without switching, or combine with --enter to create and switch context in one step. (#3550, @vishalanarase)
  • Added workspace cluster id as part of information displayed when in interactive mode. (#3728, @olamilekan000)
  • Adds resource version and UID to object's annotation before persisting to the cache server (#3648, @olamilekan000)
  • Path mappings in the front-proxy are treated as standard Go ServerMux patterns and can make use of the {cluster} placeholder to provide a cluster context to the WorkspaceAuthentication for virtual workspaces (e.g. /services/myservice/clusters/{cluster}). (#3628, @xrstf)
  • The extra authentication.kubernetes.io/cluster-name in the user info of Service Accounts has been renamed to authentication.kcp.io/cluster-name (#3568, @ntnn)

Documentation

  • Production deployment documentation (#3712, @mjudeikis)
  • Fix cache replication issue where object were not updated post first create (#3626, @mjudeikis)

Bug or Regression

  • Prevent goroutine leaks when deleting workspaces (#3491, @ntnn)
  • Fix CRDs with kind Cluster leading to errors. Fix URLs with multiple /cluster/... segments being silently ignored (#3537, @ntnn)
  • Fix APIBinding admission mishandling v1alpha1 API version. This fixes the bug where it was impossible to apply v1alpha1 APIBindings (#3543, @xmudrii)
  • Fix TokenReviews when using WorkspaceAuthentication (#3624, @xrstf)
  • Fix create-workspace on an existing workspace throwing a panic (#3518, @ntnn)
  • Fix kubectl kcp bind command after verbs permission claims migration (#3523, @mjudeikis)
  • Fix permission claim controller hot loop when claiming events in an APIExport (#3501, @mjudeikis)
  • Fixed a bug that prevents the deletion of a cachedresource that makes a reference to a resource that doesn't have GVR. (#3730, @olamilekan000)
  • Fixed an issue where APIEndpointExportSlices are not recreated by APIExport when deleted (#3645, @olamilekan000)
  • Fixed an issue where the kubectl ws command did not correctly handle kubeconfig flag (--kubeconfig ). (#3596, @olamilekan000)
  • Fixed reconciliation logic to detect selector changes in APIBinding permission claims. (#3710, @olamilekan000)
  • Make SDK go installable after monorepo migration. This is a temporary solution. (#3656, @mjudeikis)
  • The kcp kubectl plugin now supports kcp <0.28 again. In kcp 0.28+, kubectl kcp claims get apibinding now shows the permission claim verbs. (#3539, @xrstf)
  • kubectl kcp returns error instead of panic when converting CRD with service webhook reference (#3671, @m-szalik)
  • Consistently use the user-provided base URL as the default for ShardBaseURL and VirtualWorkspacesURL (#3636, @mjudeikis)

Other (Cleanup or Flake)

Dependencies

Added

  • github.com/containerd/errdefs/pkg: v0.3.0
  • github.com/containerd/typeurl/v2: v2.2.2
  • github.com/go-jose/go-jose/v3: v3.0.4
  • github.com/golang-jwt/jwt/v5: v5.2.2
  • github.com/ntnn/goleak: cbb740d
  • github.com/opencontainers/cgroups: v0.0.1
  • github.com/opencontainers/image-spec: v1.1.1
  • github.com/xrstf/mockoidc: 711cc4e
  • gopkg.in/go-jose/go-jose.v2: v2.6.3
  • sigs.k8s.io/randfill: v1.0.0

Changed

Read more

Contributors

xrstf, gman0, and 9 other contributors
Loading

v0.28.3

26 Sep 08:18
@github-actions github-actions
v0.28.3
This tag was signed with the committer’s verified signature.
embik Marvin Beckers
GPG key ID: 8D1FDCE97DA8B385
Verified
Learn about vigilant mode.
b4fde00
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.28.3

Warning

v0.28.2 failed its release pipeline and is thus not a valid release. Please use v0.28.3 (this release).

Changes by Kind

Security

Bug or Regression

  • Fixes unserved schemas via APIExports VirutalWorkspace, when listType=atomic is used in resource schema. (#3597, @mjudeikis)

Dependencies

Added

Nothing has changed.

Changed

Removed

Nothing has changed.

Contributors

mjudeikis and SimonTheLeg
Loading