upgrade to latest dependencies (#413)

bumping knative.dev/client/pkg 6f59afe...a23801d:
  > a23801d upgrade to latest dependencies (# 2072)
bumping knative.dev/serving 85563f5...62b04a0:
  > 62b04a0 Change SecurePodDefaults default from Disabled to Enabled (# 16042)
  > b2f3ee3 Update net-contour nightly (# 16133)
  > c4b10ef Update net-gateway-api nightly (# 16134)
  > d5d241f [main] Upgrade to latest dependencies (# 16131)
  > c26592a Update net-kourier nightly (# 16135)
bumping knative.dev/eventing 9fe13ee...3f59df1:
  > 3f59df1 feat: Supporting using pod default credentials for Integration Source and Sink (# 8731)

Signed-off-by: Knative Automation <[email protected]>

Author: knative-automation

go.mod

@@ -12,7 +12,7 @@ require (
 	k8s.io/api v0.33.5
 	k8s.io/apimachinery v0.33.5
 	k8s.io/client-go v0.33.5
-	knative.dev/client/pkg v0.0.0-20251008140714-6f59afe28d11
+	knative.dev/client/pkg v0.0.0-20251009022514-a23801d4bdc2
 	knative.dev/eventing-kafka-broker v0.46.1-0.20251008145913-06d47e7a1fb6
 	knative.dev/hack v0.0.0-20250902153942-1499de21e119
 	knative.dev/pkg v0.0.0-20251007184713-a624c759bede
@@ -106,9 +106,9 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
-	knative.dev/eventing v0.46.1-0.20251008070512-9fe13ee820cf // indirect
+	knative.dev/eventing v0.46.1-0.20251008160113-3f59df18d8d5 // indirect
 	knative.dev/networking v0.0.0-20251008015313-0e1a0aa62ad1 // indirect
-	knative.dev/serving v0.46.1-0.20251008121813-85563f5d21ca // indirect
+	knative.dev/serving v0.46.1-0.20251008225413-62b04a0c5d5e // indirect
 	sigs.k8s.io/gateway-api v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect

go.sum

@@ -747,10 +747,10 @@ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUy
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/client/pkg v0.0.0-20251008140714-6f59afe28d11 h1:2n36RjePcJqhZfTliakmA5wFf1VpZwKOSZUtmKlkU14=
-knative.dev/client/pkg v0.0.0-20251008140714-6f59afe28d11/go.mod h1:A9dCnjXXg9OwsxdVMfv4wkRol+rphfriVO4KY+BO++A=
-knative.dev/eventing v0.46.1-0.20251008070512-9fe13ee820cf h1:WB5f7+QLLYEBUzpNJroPq5q5Gn3yXjBPKnMSmY2DYTQ=
-knative.dev/eventing v0.46.1-0.20251008070512-9fe13ee820cf/go.mod h1:ME0N0ZEonRDClEWKCeKo7EeqWGLmalWfZ5B0VX8zdmA=
+knative.dev/client/pkg v0.0.0-20251009022514-a23801d4bdc2 h1:3WCIrPyLloKe62C+XpED5V2Qw4oKqTJFsyn9uyXnZ68=
+knative.dev/client/pkg v0.0.0-20251009022514-a23801d4bdc2/go.mod h1:YQ1JZudQayawjJZ5BVK+VSDVFXZMf/cOkvIlTCbhAE0=
+knative.dev/eventing v0.46.1-0.20251008160113-3f59df18d8d5 h1:+cAKlWQMKrY5jQYGLALeO4AsHIdQNVXBCDmDJWzx+y4=
+knative.dev/eventing v0.46.1-0.20251008160113-3f59df18d8d5/go.mod h1:ME0N0ZEonRDClEWKCeKo7EeqWGLmalWfZ5B0VX8zdmA=
 knative.dev/eventing-kafka-broker v0.46.1-0.20251008145913-06d47e7a1fb6 h1:lac46QLb6JrfBK6jJbDNK52HRXEV1M13UtgKOBQrR2U=
 knative.dev/eventing-kafka-broker v0.46.1-0.20251008145913-06d47e7a1fb6/go.mod h1:4nUBomNMoFOqtjPsUurPqbTADN1r6mZiE5VVB4GNq8Y=
 knative.dev/hack v0.0.0-20250902153942-1499de21e119 h1:NbQvjnFK1tL489LN0qAybWy0E17Jpziwcv/XIHwfp6M=
@@ -759,8 +759,8 @@ knative.dev/networking v0.0.0-20251008015313-0e1a0aa62ad1 h1:mmUlK6ogxaY1EEFHUY1
 knative.dev/networking v0.0.0-20251008015313-0e1a0aa62ad1/go.mod h1:VoeeRbQKTTnHZ5eNQ0hAMPBs/O12v++DPNmbPfKkErE=
 knative.dev/pkg v0.0.0-20251007184713-a624c759bede h1:ADQEXMQlfbjBjicJdou8R5WjPHm0/5FyyV58RQ9eYPU=
 knative.dev/pkg v0.0.0-20251007184713-a624c759bede/go.mod h1:pNETfvzYq5MmPTi+XGGIjjgvQSYvu4pxxLF1muKunhs=
-knative.dev/serving v0.46.1-0.20251008121813-85563f5d21ca h1:JvydL+ArWTsnU+6PJWSjyLiL46QVH1xNMZ+SrJqO1uM=
-knative.dev/serving v0.46.1-0.20251008121813-85563f5d21ca/go.mod h1:He+gUCV8wQCm2JY1+hVPoATFVbrdub7mNTTFmUJG920=
+knative.dev/serving v0.46.1-0.20251008225413-62b04a0c5d5e h1:RnOUSWtgmpxMpHdxOcEHMUE50XhSi+EcJWE8xhdu4kk=
+knative.dev/serving v0.46.1-0.20251008225413-62b04a0c5d5e/go.mod h1:DIHl/Cdn7bisvFjTAdVXcZ4zMtuzmqvX+jBVxHIsqoY=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/knative.dev/eventing/pkg/apis/common/integration/v1alpha1/auth.go

@@ -25,11 +25,13 @@ type Auth struct {
 
 	// SecretKey is the AWS secret access key.
 	SecretKey string `json:"secretKey,omitempty"`
+
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 func (a *Auth) HasAuth() bool {
-	return a != nil && a.Secret != nil &&
-		a.Secret.Ref != nil && a.Secret.Ref.Name != ""
+	return a != nil && ((a.Secret != nil &&
+		a.Secret.Ref != nil && a.Secret.Ref.Name != "") || a.ServiceAccountName != "")
 }
 
 type Secret struct {

vendor/knative.dev/serving/pkg/apis/config/features.go

@@ -37,6 +37,9 @@ const (
 	// Allowed neither explicitly disables or enables a behavior.
 	// eg. allow a client to control behavior with an annotation or allow a new value through validation.
 	Allowed Flag = "Allowed"
+	// AllowRootBounded is used by secure-pod-defaults to apply secure defaults without enforcing strict policies;
+	// sets RunAsNonRoot to true if not already specified
+	AllowRootBounded Flag = "AllowRootBounded"
 )
 
 // service annotations under features.knative.dev/*
@@ -124,7 +127,7 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) {
 		asFlag("multi-container-probing", &nc.MultiContainerProbing),
 		asFlag("queueproxy.mount-podinfo", &nc.QueueProxyMountPodInfo),
 		asFlag("queueproxy.resource-defaults", &nc.QueueProxyResourceDefaults),
-		asFlag("secure-pod-defaults", &nc.SecurePodDefaults),
+		asSecurePodDefaultsFlag("secure-pod-defaults", &nc.SecurePodDefaults),
 		asFlag("tag-header-based-routing", &nc.TagHeaderBasedRouting),
 		asFlag(FeatureContainerSpecAddCapabilities, &nc.ContainerSpecAddCapabilities),
 		asFlag(FeaturePodSpecAffinity, &nc.PodSpecAffinity),
@@ -198,6 +201,7 @@ type Features struct {
 }
 
 // asFlag parses the value at key as a Flag into the target, if it exists.
+// Only accepts Enabled, Disabled, and Allowed values.
 func asFlag(key string, target *Flag) cm.ParseFunc {
 	return func(data map[string]string) error {
 		if raw, ok := data[key]; ok {
@@ -211,3 +215,19 @@ func asFlag(key string, target *Flag) cm.ParseFunc {
 		return nil
 	}
 }
+
+// asSecurePodDefaultsFlag parses the value at key as a Flag into the target, if it exists.
+// Accepts Enabled, Disabled, Allowed, and SecureDefaultsOverridable values.
+func asSecurePodDefaultsFlag(key string, target *Flag) cm.ParseFunc {
+	return func(data map[string]string) error {
+		if raw, ok := data[key]; ok {
+			for _, flag := range []Flag{Disabled, AllowRootBounded, Enabled} {
+				if strings.EqualFold(raw, string(flag)) {
+					*target = flag
+					return nil
+				}
+			}
+		}
+		return nil
+	}
+}

vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go

@@ -21,6 +21,7 @@ package serving
 
 import (
 	"context"
+	"slices"
 
 	corev1 "k8s.io/api/core/v1"
 	"knative.dev/serving/pkg/apis/config"
@@ -664,7 +665,7 @@ func PodSecurityContextMask(ctx context.Context, in *corev1.PodSecurityContext)
 
 	out := new(corev1.PodSecurityContext)
 
-	if config.FromContextOrDefaults(ctx).Features.SecurePodDefaults == config.Enabled {
+	if slices.Contains([]config.Flag{config.Enabled, config.AllowRootBounded}, config.FromContextOrDefaults(ctx).Features.SecurePodDefaults) {
 		// Allow to opt out of more-secure defaults if SecurePodDefaults is enabled.
 		// This aligns with defaultSecurityContext in revision_defaults.go.
 		if in.SeccompProfile != nil {
@@ -749,8 +750,8 @@ func CapabilitiesMask(ctx context.Context, in *corev1.Capabilities) *corev1.Capa
 
 	if config.FromContextOrDefaults(ctx).Features.ContainerSpecAddCapabilities == config.Enabled {
 		out.Add = in.Add
-	} else if config.FromContextOrDefaults(ctx).Features.SecurePodDefaults == config.Enabled {
-		if len(in.Add) == 1 && in.Add[0] == "NET_BIND_SERVICE" {
+	} else if slices.Contains([]config.Flag{config.Enabled, config.AllowRootBounded}, config.FromContextOrDefaults(ctx).Features.SecurePodDefaults) {
+		if slices.Equal(in.Add, []corev1.Capability{"NET_BIND_SERVICE"}) {
 			out.Add = in.Add
 		} else {
 			out.Add = nil

vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"math"
 	"path"
+	"slices"
 	"strings"
 
 	"github.com/google/go-containerregistry/pkg/name"
@@ -985,14 +986,19 @@ func ValidatePodSecurityContext(ctx context.Context, sc *corev1.PodSecurityConte
 // Note that this **explicitly** does not warn on dangerous SecurityContext
 // settings, the purpose is to avoid accidentally-insecure settings, not to
 // block deliberate use of dangerous settings.
-func warnDefaultContainerSecurityContext(_ context.Context, psc *corev1.PodSecurityContext, sc *corev1.SecurityContext) *apis.FieldError {
+func warnDefaultContainerSecurityContext(ctx context.Context, psc *corev1.PodSecurityContext, sc *corev1.SecurityContext) *apis.FieldError {
 	if sc == nil {
 		sc = &corev1.SecurityContext{}
 	}
 	if psc == nil {
 		psc = &corev1.PodSecurityContext{}
 	}
 
+	// if the user has explicitly enabled the feature, we don't need to warn
+	if slices.Contains([]config.Flag{config.Enabled, config.AllowRootBounded}, config.FromContextOrDefaults(ctx).Features.PodSpecSecurityContext) {
+		return nil
+	}
+
 	insecureDefault := func(fieldPath string) *apis.FieldError {
 		return apis.ErrGeneric("Kubernetes default value is insecure, Knative may default this to secure in a future release", fieldPath).At(apis.WarningLevel)
 	}

vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go

@@ -17,7 +17,9 @@ limitations under the License.
 package v1
 
 import (
+	"cmp"
 	"context"
+	"slices"
 	"strconv"
 
 	corev1 "k8s.io/api/core/v1"
@@ -203,10 +205,13 @@ func (*RevisionSpec) applyGRPCProbeDefaults(container *corev1.Container) {
 
 // Upgrade SecurityContext for this container and the Pod definition to use settings
 // for the `restricted` profile when the feature flag is enabled.
-// This does not currently set `runAsNonRoot` for the restricted profile, because
-// that feels harder to default safely.
+// when the feature flag is enabled or AllowRootBounded:
+// `seccompProfile` is set to `RuntimeDefault` if its empty or nil
+// `capabilities` is set to `NET_BIND_SERVICE` if its empty or nil
+// when the feature flag is set to Enabled:
+// `runAsNonRoot` is set to true only if its empty or nil
 func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, container *corev1.Container, cfg *config.Config) {
-	if cfg.Features.SecurePodDefaults != config.Enabled {
+	if !slices.Contains([]config.Flag{config.Enabled, config.AllowRootBounded}, cfg.Features.SecurePodDefaults) {
 		return
 	}
 
@@ -224,9 +229,7 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 		updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
 	}
 	if psc.SeccompProfile == nil || psc.SeccompProfile.Type == "" {
-		if updatedSC.SeccompProfile == nil {
-			updatedSC.SeccompProfile = &corev1.SeccompProfile{}
-		}
+		updatedSC.SeccompProfile = cmp.Or(updatedSC.SeccompProfile, &corev1.SeccompProfile{})
 		if updatedSC.SeccompProfile.Type == "" {
 			updatedSC.SeccompProfile.Type = corev1.SeccompProfileTypeRuntimeDefault
 		}
@@ -247,8 +250,12 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 		}
 	}
 
-	if psc.RunAsNonRoot == nil {
-		updatedSC.RunAsNonRoot = ptr.Bool(true)
+	if cfg.Features.SecurePodDefaults == config.Enabled {
+		if psc.RunAsNonRoot == nil {
+			if updatedSC.RunAsNonRoot == nil {
+				updatedSC.RunAsNonRoot = ptr.Bool(true)
+			}
+		}
 	}
 
 	if *updatedSC != (corev1.SecurityContext{}) {

vendor/knative.dev/serving/pkg/testing/v1/revision.go

@@ -24,6 +24,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/clock"
 	"knative.dev/pkg/kmeta"
+	"knative.dev/pkg/ptr"
 	"knative.dev/serving/pkg/apis/serving"
 	v1 "knative.dev/serving/pkg/apis/serving/v1"
 )
@@ -246,9 +247,29 @@ func WithRevisionInitContainers() RevisionOption {
 		r.Spec.InitContainers = []corev1.Container{{
 			Name:  "init1",
 			Image: "initimage",
+			SecurityContext: &corev1.SecurityContext{
+				RunAsNonRoot:             ptr.Bool(true),
+				AllowPrivilegeEscalation: ptr.Bool(false),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{"ALL"},
+				},
+			},
 		}, {
 			Name:  "init2",
 			Image: "initimage",
+			SecurityContext: &corev1.SecurityContext{
+				RunAsNonRoot:             ptr.Bool(true),
+				AllowPrivilegeEscalation: ptr.Bool(false),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{"ALL"},
+				},
+			},
 		}}
 	}
 }

vendor/modules.txt

@@ -855,7 +855,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/trace
-# knative.dev/client/pkg v0.0.0-20251008140714-6f59afe28d11
+# knative.dev/client/pkg v0.0.0-20251009022514-a23801d4bdc2
 ## explicit; go 1.24.0
 knative.dev/client/pkg/apis/client
 knative.dev/client/pkg/apis/client/v1alpha1
@@ -882,7 +882,7 @@ knative.dev/client/pkg/util/errors
 knative.dev/client/pkg/util/mock
 knative.dev/client/pkg/util/test
 knative.dev/client/pkg/wait
-# knative.dev/eventing v0.46.1-0.20251008070512-9fe13ee820cf
+# knative.dev/eventing v0.46.1-0.20251008160113-3f59df18d8d5
 ## explicit; go 1.24.0
 knative.dev/eventing/pkg/apis/common/integration/v1alpha1
 knative.dev/eventing/pkg/apis/config
@@ -996,7 +996,7 @@ knative.dev/pkg/test/logging
 knative.dev/pkg/test/spoof
 knative.dev/pkg/tracker
 knative.dev/pkg/webhook/resourcesemantics
-# knative.dev/serving v0.46.1-0.20251008121813-85563f5d21ca
+# knative.dev/serving v0.46.1-0.20251008225413-62b04a0c5d5e
 ## explicit; go 1.24.0
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1