Merge pull request #52613 from kubernetes/dev-1.35

Add official 1.35 release docs

Author: Urvashi0109

content/en/docs/concepts/architecture/cgroups.md

@@ -124,6 +124,16 @@ For cgroup v2, the output is `cgroup2fs`.
 
 For cgroup v1, the output is `tmpfs.`
 
+## Deprecation of cgroup v1
+
+{{< feature-state for_k8s_version="v1.35" state="deprecated" >}}
+
+Kubernetes has deprecated cgroup v1.
+Removal will follow [Kubernetes deprecation policy](/docs/reference/using-api/deprecation-policy/).
+
+Kubelet will no longer start on a cgroup v1 node by default.
+To disable this setting a cluster admin should set `failCgroupV1` to false in the [kubelet configuration file](/docs/tasks/administer-cluster/kubelet-config-file/).
+
 ## {{% heading "whatsnext" %}}
 
 - Learn more about [cgroups](https://man7.org/linux/man-pages/man7/cgroups.7.html)

content/en/docs/concepts/architecture/garbage-collection.md

@@ -144,9 +144,7 @@ until disk usage reaches the `LowThresholdPercent` value.
 
 #### Garbage collection for unused container images {#image-maximum-age-gc}
 
-{{< feature-state feature_gate_name="ImageMaximumGCAge" >}}
-
-As a beta feature, you can specify the maximum time a local image can be unused for,
+You can specify the maximum time a local image can be unused for,
 regardless of disk usage. This is a kubelet setting that you configure for each node.
 
 To configure the setting, you need to set a value for the `imageMaximumGCAge`
@@ -207,4 +205,4 @@ configure garbage collection:
 
 * Learn more about [ownership of Kubernetes objects](/docs/concepts/overview/working-with-objects/owners-dependents/).
 * Learn more about Kubernetes [finalizers](/docs/concepts/overview/working-with-objects/finalizers/).
-* Learn about the [TTL controller](/docs/concepts/workloads/controllers/ttlafterfinished/) that cleans up finished Jobs.
+* Learn about the [TTL controller](/docs/concepts/workloads/controllers/ttlafterfinished/) that cleans up finished Jobs.

content/en/docs/concepts/architecture/mixed-version-proxy.md

@@ -12,20 +12,25 @@ weight: 220
 
 Kubernetes {{< skew currentVersion >}} includes an alpha feature that lets an
 {{< glossary_tooltip text="API Server" term_id="kube-apiserver" >}}
-proxy a resource requests to other _peer_ API servers. This is useful when there are multiple
+proxy resource requests to other _peer_ API servers. It also lets clients get 
+a holistic view of resources served across the entire cluster through discovery.
+This is useful when there are multiple
 API servers running different versions of Kubernetes in one cluster
 (for example, during a long-lived rollout to a new release of Kubernetes).
 
 This enables cluster administrators to configure highly available clusters that can be upgraded
-more safely, by directing resource requests (made during the upgrade) to the correct kube-apiserver.
-That proxying prevents users from seeing unexpected 404 Not Found errors that stem
-from the upgrade process.
+more safely, by :
 
-This mechanism is called the _Mixed Version Proxy_.
+1. ensuring that controllers relying on discovery to show a comprehensive list of resources
+for important tasks always get the complete view of all resources. We call this complete cluster wide 
+discovery- _Peer-aggregated discovery_ 
+1. directing resource requests (made during the upgrade) to the correct kube-apiserver.
+This proxying prevents users from seeing unexpected 404 Not Found errors that stem
+from the upgrade process. This mechanism is called the _Mixed Version Proxy_.
 
-## Enabling the Mixed Version Proxy
+## Enabling Peer-aggregated Discovery and Mixed Version Proxy
 
-Ensure that `UnknownVersionInteroperabilityProxy` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+Ensure that `UnknownVersionInteroperabilityProxy` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#UnknownVersionInteroperabilityProxy)
 is enabled when you start the {{< glossary_tooltip text="API Server" term_id="kube-apiserver" >}}:
 
 ```shell
@@ -67,6 +72,25 @@ If these flags are unspecified, peers will use the value from either `--advertis
 `--bind-address` command line argument to the kube-apiserver.
 If those too, are unset, the host's default interface is used.
 
+## Peer-aggregated discovery
+
+When you enable the feature, discovery requests are automatically enabled to serve
+a comprehensive discovery document (listing all resources served by any apiserver in the cluster)
+by default. 
+
+If you would like to request
+a non peer-aggregated discovery document, you can indicate so by adding the following Accept header to the discovery request:
+
+```
+application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList;profile=nopeer
+```
+
+{{< note >}}
+Peer-aggregated discovery is only supported
+for [Aggregated Discovery](/docs/concepts/overview/kubernetes-api/#aggregated-discovery) requests
+to the `/apis` endpoint and not for [Unaggregated (Legacy) Discovery](/docs/concepts/overview/kubernetes-api/#unaggregated-discovery) requests.
+{{< /note >}}
+
 ## Mixed version proxying
 
 When you enable mixed version proxying, the [aggregation layer](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
@@ -82,29 +106,16 @@ loads a special filter that does the following:
 ### How it works under the hood
 
 When an API Server receives a resource request, it first checks which API servers can
-serve the requested resource. This check happens using the internal
-[`StorageVersion` API](/docs/reference/generated/kubernetes-api/v{{< skew currentVersion >}}/#storageversioncondition-v1alpha1-internal-apiserver-k8s-io).
-
-* If the resource is known to the API server that received the request
-  (for example, `GET /api/v1/pods/some-pod`), the request is handled locally.
-
-* If there is no internal `StorageVersion` object found for the requested resource
-  (for example, `GET /my-api/v1/my-resource`) and the configured APIService specifies proxying
-  to an extension API server, that proxying happens following the usual
-  [flow](/docs/tasks/extend-kubernetes/configure-aggregation-layer/) for extension APIs.
-
-* If a valid internal `StorageVersion` object is found for the requested resource
-  (for example, `GET /batch/v1/jobs`) and the API server trying to handle the request
-  (the _handling API server_) has the `batch` API disabled, then the _handling API server_
-  fetches the peer API servers that do serve the relevant API group / version / resource
-  (`api/v1/batch` in this case) using the information in the fetched `StorageVersion` object.
-  The _handling API server_ then proxies the request to one of the matching peer kube-apiservers
-  that are aware of the requested resource.
-
-  * If there is no peer known for that API group / version / resource, the handling API server
-    passes the request to its own handler chain which should eventually return a 404 ("Not Found") response.
-
-  * If the handling API server has identified and selected a peer API server, but that peer fails
-    to respond (for reasons such as network connectivity issues, or a data race between the request
-    being received and a controller registering the peer's info into the control plane), then the handling
-    API server responds with a 503 ("Service Unavailable") error.
+serve the requested resource. This check happens using the non peer-aggregated discovery document.
+
+* If the resource is listed in the non peer-aggregated discovery document retrieved from the API server that received the request(for example, `GET /api/v1/pods/some-pod`), the request is handled locally.
+
+* If the resource in a request (for example, `GET /apis/resource.k8s.io/v1beta1/resourceclaims`) is not found in the non peer-aggregated discovery document retrieved from the API server trying to handle the request (the _handling API server_), likely because the `resource.k8s.io/v1beta1` API was introduced in a newer Kubernetes version and the _handling API server_ is running an older version that does not support it, then the _handling API server_ fetches the peer API servers that do serve the relevant API group / version / resource (`resource.k8s.io/v1beta1/resourceclaims` in this case) by checking the non peer-aggregated discovery documents from all peer API servers. The _handling API server_ then proxies the request to one of the matching peer kube-apiservers that are aware of the requested resource.
+
+* If there is no peer known for that API group / version / resource, the handling API server
+passes the request to its own handler chain which should eventually return a 404 ("Not Found") response.
+
+* If the handling API server has identified and selected a peer API server, but that peer fails
+to respond (for reasons such as network connectivity issues, or a data race between the request
+being received and a controller registering the peer's info into the control plane), then the handling
+API server responds with a 503 ("Service Unavailable") error.

content/en/docs/concepts/containers/images.md

@@ -221,7 +221,7 @@ the kubelet will pull the images in parallel on behalf of the two different Pods
 
 ### Maximum parallel image pulls
 
-{{< feature-state for_k8s_version="v1.32" state="beta" >}}
+{{< feature-state for_k8s_version="v1.35" state="stable" >}}
 
 When `serializeImagePulls` is set to false, the kubelet defaults to no limit on
 the maximum number of images being pulled at the same time. If you would like to
@@ -409,7 +409,7 @@ on images hosted in a private registry.
 Access to pre-pulled images may be authorized according to [image pull credential verification](#ensureimagepullcredentialverification).
 {{< /note >}}
 
-#### Ensure image pull credential verification {#ensureimagepullcredentialverification}
+### Ensure image pull credential verification {#ensureimagepullcredentialverification}
 
 {{< feature-state feature_gate_name="KubeletEnsureSecretPulledImages" >}}
 
@@ -446,7 +446,23 @@ will continue to verify without the need to access the registry. New or rotated
 will require the image to be re-pulled from the registry.
 {{< /note >}}
 
-#### Creating a Secret with a Docker config
+#### Enabling `KubeletEnsureSecretPulledImages` for the first time
+
+When the `KubeletEnsureSecretPulledImages` gets enabled for the first time, either
+by a kubelet upgrade or by explicitly enabling the feature, if a kubelet is able to
+access any images at that time, these will all be considered pre-pulled. This happens
+because in this case the kubelet has no records about the images being pulled.
+The kubelet will only be able to start making image pull records as any image gets
+pulled for the first time.
+
+If this is a concern, it is advised to clean up nodes of all images that should not
+be considered pre-pulled before enabling the feature.
+
+Note that removing the directory holding the image pulled records will have the same
+effect on kubelet restart, particularly the images currently cached in the nodes by
+the container runtime will all be considered pre-pulled.
+
+### Creating a Secret with a Docker config
 
 You need to know the username, registry password and client email address for authenticating
 to the registry, as well as its hostname.
@@ -514,7 +530,7 @@ for detailed instructions.
 You can use this in conjunction with a per-node `.docker/config.json`. The credentials
 will be merged.
 
-## Use cases
+### Use cases
 
 There are a number of solutions for configuring private registries.  Here are some
 common use cases and suggested solutions.

content/en/docs/concepts/extend-kubernetes/api-extension/custom-resources.md

@@ -266,6 +266,12 @@ Installing an Aggregated API server always involves running a new Deployment.
 Custom resources consume storage space in the same way that ConfigMaps do. Creating too many
 custom resources may overload your API server's storage space.
 
+Custom resources are placed into storage based upon the the current storage
+version of the resource, defined in the CRD spec. Any update to a custom
+resource will use the currently defined storage version to store the resource.
+All other versions either need to have all the fields of that version or define
+conversions to work properly.
+
 Aggregated API servers may use the same storage as the main API server, in which case the same
 warning applies.
 

content/en/docs/concepts/overview/working-with-objects/storage-version.md

@@ -0,0 +1,167 @@
+---
+title: Storage Versions
+content_type: concept
+weight: 110
+---
+
+<!-- overview -->
+The Kubernetes API server stores objects, relying on an etcd-compatible backing
+store (often, the backing storage is etcd itself). Each object is serialized
+using a particular version of that API type; for example, the v1 representation
+of a ConfigMap. Kubernetes uses the term _storage version_ to describe how an
+object is stored in your cluster.
+
+The Kubernetes API also relies on automatic conversion; for example, if you have
+a HorizontalPodAutoscaler, then you can interact with that
+HorizontalPodAutoscaler using any mix of the v1 and v2 versions of the
+HorizontalPodAutoscaler API. Kubernetes is responsible for converting each API
+call so that clients do not see what version is actually serialized. 
+
+For cluster administrators, object storage version is an important concept to
+understand since it is what links the API representation of the object to the
+actual encoding in the storage backend. This can be important for when the
+underlying binary encodings of the object matter, such as for encryption at
+rest, or API deprecation.
+
+The same API may have multiple storage versions that the API Server can then
+convert to an object schema. A single object that is part of that resource must
+only have one storage version at any time. This means that the API Server is
+aware of the binary encodings of the objects and is able to convert between all
+the stored versions to the API Representation of the object dynamically.
+
+The version of an object is separate from the storage version entirely. For
+example, a `v1alpha1` and `v1beta1` API Object for the same Resource will be
+encoded the same in storage as long as the storage version has not been updated
+between the two objects.
+
+<!-- body -->
+
+## Storage version to resource mapping
+
+Every resource will have 1 active storage version at any point in time, meaning
+that any write to an object will store the object at that storage version. The
+storage version can be updated however, making it so that objects can be stored
+at differing versions. One object will only be stored at one storage version at
+any time.
+
+Reads from the API Server will convert the stored data to the API representation
+of the object. This makes it so that old storage versions can sit indefinitely
+as long as no updates occur to the object. Writes, on the other hand, will
+convert the stored object to the new representation upon update. 
+
+## Storage versions for custom resources {#CustomResourceDefinition-storage-version}
+
+[Custom
+resources](/docs/concepts/extend-kubernetes/api-extension/custom-resources/#storage) are
+defined dynamically, and as such differ from built in Kubernetes types with
+their storage version. Builtin objects generally have their storage encoding
+defined separately from their API types, where the stored object acts as a hub
+and the specific version of the resource does not matter apart from being a
+field in the object schema. 
+
+However, for custom resources, a certain version of the resource must be set as
+the storage version. The schema defined by that specific version of the custom
+resource will be used as the encoding of the resource in the storage layer. See
+the [advanced CRD
+featureset](/docs/concepts/extend-kubernetes/api-extension/custom-resources/#advanced-features-and-flexibility)
+for more detailed information on the API setup and versioning.
+
+For example see this CustomResourceDefinition for _crontabs_:
+
+```yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: crontabs.example.com
+spec:
+  group: example.com
+  # list of versions supported by this CustomResourceDefinition
+  versions:
+  - name: v1beta1
+    # Each version can be enabled/disabled by Served flag.
+    served: true
+    # One and only one version must be marked as the storage version.
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          host:
+            type: string
+          port:
+            type: string
+  - name: v1
+    served: true
+    storage: false
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          host:
+            type: string
+          port:
+            type: string
+          time:
+            type: string
+  conversion:
+    strategy: None
+  scope: Namespaced
+  names:
+    plural: crontabs
+    singular: crontab
+    kind: CronTab
+    shortNames:
+    - ct
+```
+
+The `v1beta1` API definition is used as the storage version, meaning that any
+updates or creation of `crontabs` will be stored with the object schema of the
+`v1beta1` api. In this case it actually would mean that the `v1` API object
+would never be able to store the `time` field since it is not part of the
+storage definition. This schema is used in the storage layer as the binary
+encoding of the object itself. Trying to set two versions as the stored version
+at the same time is considered invalid, since that would mean that two data
+schemes would be considered valid ways to store the objects at the same time.
+
+Upon modification of the version that is used for storage, that version of the
+API will be used to store any new or update CRs. Watching or getting the object
+will have the object be in use but will just convert the object from the old
+storage version and not affect the object. Only updating or creating will have
+an effect and use the newly defined storage version.  
+
+## How storage versions are relevant to encryption at rest
+
+There are tools to [encrypt the at rest
+storage](/docs/tasks/administer-cluster/kms-provider/) of a cluster, especially
+for cluster secrets. This adds an additional layer of protection for data
+exfiltration since the actual stored data in the cluster is encrypted. This
+means that the API Server is actually decrypting the data as it retrieves them
+from storage. the data from storage. The APIServer must have the key for that
+storage version in order to decode the object properly.
+
+The storage version in this case is more than just the binary encoding of the
+object. As long as what is stored can be somehow converted into the API object,
+it can be used as a storage version.
+
+## Migrating to a different storage version
+
+Multiple storage versions for a single resource can pose problems for cluster
+administrators. A cluster administrator may not remove old versions of an API
+for CRDs which may be unsupported until they are sure that all objects are no
+longer using the storege version associated with it. With a large number of
+objects and an opaque view into which ones are new and which ones still are
+backed by old storage versions, it makes it difficult to tell when a version can
+be safely removed. If a version is removed prematurely, it can mean being unable
+to read the object entirely.
+
+Another important issue is the use of encryption keys as defined in the section
+above. Since a resource must be actively in use to update the storage version,
+when a key rotation is done, both the old encryption key and the new encryption
+key must remain in use until the administrator is sure all objects have been
+written to at least once. This poses both security risks and usability issues,
+since a key cannot be fully removed from use until then. 
+
+See [storage version
+migration](/docs/tasks/manage-kubernetes-objects/storage-version-migration) on
+examples of how to run a migration to ensure that all objects are using a newer
+storage version without manual intervention.

content/en/docs/concepts/policy/node-resource-managers.md

@@ -203,9 +203,9 @@ listed in alphabetical order:
 `full-pcpus-only` (GA, visible by default)
 : Always allocate full physical cores (available since Kubernetes v1.22, GA since Kubernetes v1.33)
 
-`strict-cpu-reservation` (beta, visible by default)
+`strict-cpu-reservation` (GA, visible by default)
 : Prevent all the pods regardless of their Quality of Service class to run on reserved CPUs
-  (available since Kubernetes v1.32)
+  (available since Kubernetes v1.32, GA since Kubernetes v1.35)
 
 `prefer-align-cpus-by-uncorecache` (beta, visible by default)
 : Align CPUs by uncore (Last-Level) cache boundary on a best-effort way