Skip to content

Codify feature gate dependencies#133697

Merged
k8s-ci-robot merged 1 commit intokubernetes:masterfrom
tallclair:feature-deps
Sep 30, 2025
Merged

Codify feature gate dependencies#133697
k8s-ci-robot merged 1 commit intokubernetes:masterfrom
tallclair:feature-deps

Conversation

@tallclair
Copy link
Copy Markdown
Member

@tallclair tallclair commented Aug 25, 2025
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

Codify inter-feature gate dependencies.

This PR adds a new method AddDependencies(features map[Feature][]Feature) error to MutableVersionedFeatureGate to set explicit feature gate dependencies. Dependencies are validated according to these rules:

  1. Validated at test time: A feature gate cannot depend on a feature with a lower stability level (only the latest version is checked).
  2. Validated at runtime: A feature gate cannot be enabled if it depends on a disabled feature gate

This PR also adds dependencies to kube_features.go for InPlacePodVerticalScaling. This is probably not a comprehensive list of feature gate dependencies.

This PR also adds feature gate validation to Kubelet.

Which issue(s) this PR is related to:

Fixes #133533

Special notes for your reviewer:

I would have prefered to declare dependencies in-line with the feature gate spec, but that would require changing the API for adding features since it currently takes a map[Feature][]FeatureSpec, and wrapping []FeatureSpec in a struct would have been a larger change. I'm still open to this approach though.

Does this PR introduce a user-facing change?

Action Required: Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies).

/sig architecture api-machinery cluster-lifecycle node

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Aug 25, 2025

Please note that we're already in Test Freeze for the release-1.34 branch. This means every merged PR will be automatically fast-forwarded via the periodic ci-fast-forward job to the release branch of the upcoming v1.34.0 release.

Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Mon Aug 25 20:07:03 UTC 2025.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/node Categorizes an issue or PR as relevant to SIG Node. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 25, 2025
@k8s-ci-robot k8s-ci-robot requested a review from dchen1107 August 25, 2025 22:21
@k8s-ci-robot k8s-ci-robot requested a review from thockin August 25, 2025 22:21
@k8s-ci-robot k8s-ci-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Aug 25, 2025
@tallclair tallclair mentioned this pull request Aug 25, 2025
Closed
@BenTheElder
Copy link
Copy Markdown
Member

BenTheElder commented Aug 25, 2025

We should consider exposing this info to e2e through framework.WithFeatureGate as if you passed the dependent featuregates as well so you can just pass the feature being tested if you've already declared the dependency relationship in the featuregate registration.

@k8s-triage-robot
Copy link
Copy Markdown

k8s-triage-robot commented Aug 25, 2025

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@tallclair
Copy link
Copy Markdown
Member Author

tallclair commented Aug 25, 2025

We should consider exposing this info to e2e through framework.WithFeatureGate as if you passed the dependent featuregates as well so you can just pass the feature being tested if you've already declared the dependency relationship in the featuregate registration.

Why does it need to be exposed to the test framework? Wouldn't the test just declare that it requires the dependent feature gate, and the other dependencies are implicit since the dependent one can't be enabled without them? In other words, a test for InPlacePodVerticalScalingExclusiveMemory would just use framework.WithFeatureGate(features.InPlacePodVerticalScalingExclusiveMemory) - no need to check InPlacePodVerticalScaling and MemoryManager.

@BenTheElder
Copy link
Copy Markdown
Member

BenTheElder commented Aug 25, 2025
edited
Loading

Why does it need to be exposed to the test framework? Wouldn't the test just declare that it requires the dependent feature gate, and the other dependencies are implicit since the dependent one can't be enabled without them? In other words, a test for InPlacePodVerticalScalingExclusiveMemory would just use framework.WithFeatureGate(features.InPlacePodVerticalScalingExclusiveMemory) - no need to check InPlacePodVerticalScaling and MemoryManager.

Good point, but right now tests commonly do the opposite (manually passing all featuregates), it may still be useful to expose this sort of info, e.g. you could imagine wanting to query all e2e tests that depend on InPlacePodVerticalScalingExclusiveMemory in dry-run mode without having to write some custom logic.

@BenTheElder
Copy link
Copy Markdown
Member

BenTheElder commented Aug 25, 2025

We have jobs that do "select all tests that depend on default-enabled features" or "beta features" or "alpha features"

For those to work correctly, I think the full list of dependent gates needs to be considered when injecting the test selection labels based on the supplied gate.

@liyuerich liyuerich mentioned this pull request Aug 26, 2025
Closed
liggitt
liggitt reviewed Aug 26, 2025
View reviewed changes
Comment thread staging/src/k8s.io/component-base/featuregate/feature_gate.go Outdated
Comment thread staging/src/k8s.io/component-base/featuregate/feature_gate.go Outdated
if versioned, ok := known[dep]; !ok {
return fmt.Errorf("cannot add dependency from %s to unknown feature %s", feature, dep)
} else {
latest := versioned[len(versioned)-1] // only check the stability of the latest release
Copy link
Copy Markdown
Member

@liggitt liggitt Aug 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the dependency relationship is unversioned, right?

Will only checking the latest version of the dependency gate let weird situations escape like:

  • 1.10: add Foo as alpha
  • 1.11: progress Foo to beta, on by default
  • 1.12: add Bar as alpha
  • 1.13: progress Bar to beta, on by default, mark Foo depending on Bar

Would emulating older versions still see Foo as depending on Bar?

Would that fail validation for default enablement when emulating 1.12 (Foo is enabled but depends on less stable off-by-default feature)?

Would that fail configurations that used to work when emulating 1.10 and 1.11 opting into enabling Foo? (Foo is enabled but depends on less stable or non-existent feature)?

It might be necessary (or at least a lot easier to reason about) to require dependencies to:

  1. exist in all versions the dependent features exist in
  2. be at least as stable in all versions the dependent features exist in
  3. be enabled by default in all versions the dependent features are enabled by default

Copy link
Copy Markdown
Member Author

@tallclair tallclair Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the dependency relationship is unversioned, right?

Yeah. Allowing dependencies to change across versions just seems weird and unnecessarily complicated.

It might be necessary (or at least a lot easier to reason about) to require dependencies to:
exist in all versions the dependent features exist in

Done.

be at least as stable in all versions the dependent features exist in

Done.

be enabled by default in all versions the dependent features are enabled by default

Done.

Also added validation for LockToDefault.

Copy link
Copy Markdown
Member

@BenTheElder BenTheElder Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah. Allowing dependencies to change across versions just seems weird and unnecessarily complicated.

I don't like it, but I feel like this will bite us.

Imagine if in 1.36 we have more DRA features that interact in the alpha/beta state.

A non-GA feature may wind up depending on another feature before it is GA-ed, and that feature may not have even existed in an older release.

This sort of assumes we never discover any overlap later or any scope changes.

With emulation version, I may be using a N+1 binary to emulate N, and in N+1 we may have decided to start enforcing the relationship between gates in a way that N did not ... that seems like a big footgun without versioning.

Copy link
Copy Markdown
Member Author

@tallclair tallclair Aug 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I'm having a hard time wrapping my head around this...

The emulation version is emulating the state of feature gates... it's not actually changing the code behind those gates. So, if I declare that feature X depends on feature Y, then there could be code that assumes if feature X is enabled, then feature Y is enabled, or code gated by feature X that depends on behaviors gated by feature Y. It doesn't matter if that assumption wasn't baked into the code in release v1.30 - the assumption is baked in now. So, if I use EmulatedVersion=v1.30, it still need to respect the dependency that's baked into the code now.

A non-GA feature may wind up depending on another feature before it is GA-ed, and that feature may not have even existed in an older release.

Good point, but I'm not sure what the right way to handle this is. Emulated versions makes this pretty weird... Here are a few options I can think of:

  1. Only enforce stability ordering (i.e. beta can't depend on alpha) in the latest version. For earlier versions, just enforce the on/off state. This still runs into problems when a previously on-by default feature adds a dependency on something that wasn't on-by-default in the previous version. But maybe that's not something that should be done anyway?
  2. Require a new feature gate to add the dependency that is consistent with the validation rules, and migrate to the new feature. This is sort of a cheat though, and also breaks some assumptions about what emulated versioning is doing. Yuck.

I think 1 might be the better option, and if you run into the issue of enabled-by-default/off-by-default conflict, force the dev to figure out how to reconcile that.

I think this also highlights why we need this PR. Without it, someone might code in the implicit dependency without thinking about the implications here.

Copy link
Copy Markdown
Member Author

@tallclair tallclair Aug 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only support version emulation to N-3, right? So maybe we should only check those versions (how do we get the current version?), which makes the situation less bad.

Copy link
Copy Markdown
Member Author

@tallclair tallclair Sep 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After sig-arch discussion, we decided to leave the validation as-is (validate each version), but allow alpha features to depend on pre-alpha features.

Comment thread pkg/features/kube_features.go
@aaron-prindle
Copy link
Copy Markdown
Contributor

aaron-prindle commented Aug 26, 2025

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 26, 2025
@tallclair tallclair changed the title Feature deps Codify feature gate dependencies Aug 26, 2025
@k8s-ci-robot k8s-ci-robot added release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Sep 22, 2025
@tallclair
Copy link
Copy Markdown
Member Author

tallclair commented Sep 22, 2025

FYI, I've update the release note to highlight the new implications for AllAlpha=true. I've also queued up an email to [email protected] for when this merges:

[ACTION REQUIRED] Feature Gate Dependencies

Until now, feature gate dependencies have been ad-hoc or implicit. Now, with #kubernetes/133697, feature gate dependencies can be explicitly declared and enforced. In particular, this means that components will refuse to start if a feature is enabled but a dependency is disabled.

For feature owners:
#kubernetes/133912 backfills dependencies for existing features, and makes it required for every feature to explicitly declare dependencies (or explicitly declare an empty set if there are none). If you are the owner of an existing feature gate, please review the backfilled dependencies for correctness.

For feature users:
The default feature enablement at every emulated version is guaranteed to continue working (enforced through tests), but if you manually enable or disable features you may now be required to enable or disable additional dependent feature gates.

In particular, setting AllAlpha=true will no longer work on its own! The simplest solution is to always set AllBeta=true whenever setting AllAlpha=true, or you can explicitly set the off-by-default beta dependencies. (Note that the reverse is not the case, since a Beta feature cannot depend on an Alpha feature).

Thank you.

@tallclair
Copy link
Copy Markdown
Member Author

tallclair commented Sep 23, 2025

With kubernetes/test-infra#35546 merged, I think this is ready to go?

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 23, 2025
@aojea
Copy link
Copy Markdown
Member

aojea commented Sep 25, 2025

it seems it is better to squash all the commits

@tallclair
Copy link
Copy Markdown
Member Author

tallclair commented Sep 25, 2025

it seems it is better to squash all the commits

Done.

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Sep 26, 2025

@tallclair: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubernetes-unit-windows-master 2c78bc9 link false /test pull-kubernetes-unit-windows-master

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@liggitt
Copy link
Copy Markdown
Member

liggitt commented Sep 30, 2025

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 30, 2025
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Sep 30, 2025

LGTM label has been added.

DetailsGit tree hash: 9a4cf29124fe6ece7958fba4dd6736c0c5815fcf

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Sep 30, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 30, 2025
@k8s-ci-robot k8s-ci-robot merged commit 14fb5e6 into kubernetes:master Sep 30, 2025
17 of 18 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.35 milestone Sep 30, 2025
@natasha41575 natasha41575 mentioned this pull request Oct 1, 2025
Merged
This was referenced Oct 6, 2025
Open
Merged
@macsko macsko mentioned this pull request Oct 13, 2025
Merged
@liggitt liggitt mentioned this pull request Oct 22, 2025
Merged
@natasha41575 natasha41575 mentioned this pull request Oct 23, 2025
Merged
github-merge-queue Bot pushed a commit to open-telemetry/otel-arrow that referenced this pull request Jan 19, 2026
@renovate
chore(deps): update dependency kubernetes to v35 (#1820)
c28577d 
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [kubernetes](https://redirect.github.com/kubernetes-client/python) |
`==34.1.0` → `==35.0.0` |
![age](https://developer.mend.io/api/mc/badges/age/pypi/kubernetes/35.0.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/kubernetes/34.1.0/35.0.0?slim=true)
|

---

### Release Notes

<details>
<summary>kubernetes-client/python (kubernetes)</summary>

###
[`v35.0.0`](https://redirect.github.com/kubernetes-client/python/blob/HEAD/CHANGELOG.md#v3500snapshot)

[Compare
Source](https://redirect.github.com/kubernetes-client/python/compare/v34.1.0...v35.0.0)

Kubernetes API Version: v1.35.0

##### API Change

- Added `ObservedGeneration` to CustomResourceDefinition conditions.
([kubernetes/kubernetes#134984](https://redirect.github.com/kubernetes/kubernetes/pull/134984),
[@&#8203;michaelasp](https://redirect.github.com/michaelasp))
- Added `WithOrigin` within `apis/core/validation` with adjusted tests.
([kubernetes/kubernetes#132825](https://redirect.github.com/kubernetes/kubernetes/pull/132825),
[@&#8203;PatrickLaabs](https://redirect.github.com/PatrickLaabs))
- Added scoring for the prioritized list feature so nodes that best
satisfy the highest-ranked subrequests were chosen.
([kubernetes/kubernetes#134711](https://redirect.github.com/kubernetes/kubernetes/pull/134711),
[@&#8203;mortent](https://redirect.github.com/mortent)) \[SIG Node,
Scheduling and Testing]
- Added the `--min-compatibility-version` flag to `kube-apiserver`,
`kube-controller-manager`, and `kube-scheduler`.
([kubernetes/kubernetes#133980](https://redirect.github.com/kubernetes/kubernetes/pull/133980),
[@&#8203;siyuanfoundation](https://redirect.github.com/siyuanfoundation))
\[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling
and Testing]
- Added the `StorageVersionMigration` `v1beta1` API and removed the
`v1alpha1` API.

ACTION REQUIRED: The `v1alpha1` API is no longer supported. Users must
remove any `v1alpha1` resources before upgrading.
([kubernetes/kubernetes#134784](https://redirect.github.com/kubernetes/kubernetes/pull/134784),
[@&#8203;michaelasp](https://redirect.github.com/michaelasp)) \[SIG API
Machinery, Apps, Auth, Etcd and Testing]
- Added validation to ensure `log-flush-frequency` is a positive value,
returning an error instead of causing a panic.
([kubernetes/kubernetes#133540](https://redirect.github.com/kubernetes/kubernetes/pull/133540),
[@&#8203;BenTheElder](https://redirect.github.com/BenTheElder)) \[SIG
Architecture, Instrumentation, Network and Node]
- All containers are restarted when a source container in a restart
policy rule exits. This alpha feature is gated behind
`RestartAllContainersOnContainerExit`.
([kubernetes/kubernetes#134345](https://redirect.github.com/kubernetes/kubernetes/pull/134345),
[@&#8203;yuanwang04](https://redirect.github.com/yuanwang04)) \[SIG
Apps, Node and Testing]
- CSI drivers can now opt in to receive service account tokens via the
secrets field instead of volume context by setting
`spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This
prevents tokens from being exposed in logs and other outputs. The
feature is gated by the `CSIServiceAccountTokenSecrets` feature gate
(beta in `v1.35`).
([kubernetes/kubernetes#134826](https://redirect.github.com/kubernetes/kubernetes/pull/134826),
[@&#8203;aramase](https://redirect.github.com/aramase)) \[SIG API
Machinery, Auth, Storage and Testing]
- Changed kuberc configuration schema. Two new optional fields added to
kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This
is documented in
[KEP-3104](https://redirect.github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details)
and documentation is added to the website by
[kubernetes/website#52877](https://redirect.github.com/kubernetes/website/pull/52877)
([kubernetes/kubernetes#134870](https://redirect.github.com/kubernetes/kubernetes/pull/134870),
[@&#8203;pmengelbert](https://redirect.github.com/pmengelbert)) \[SIG
API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- DRA device taints: `DeviceTaintRule` status provides information about
the rule, including whether Pods still need to be evicted
(`EvictionInProgress` condition). The newly added `None` effect can be
used to preview what a `DeviceTaintRule` would do if it used the
`NoExecute` effect and to taint devices (`device health`) without
immediately affecting scheduling or running Pods.
([kubernetes/kubernetes#134152](https://redirect.github.com/kubernetes/kubernetes/pull/134152),
[@&#8203;pohly](https://redirect.github.com/pohly)) \[SIG API Machinery,
Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: The `DynamicResourceAllocation` feature gate for the core
functionality (GA in `v1.34`) has now been locked to enabled-by-default
and cannot be disabled anymore.
([kubernetes/kubernetes#134452](https://redirect.github.com/kubernetes/kubernetes/pull/134452),
[@&#8203;pohly](https://redirect.github.com/pohly)) \[SIG Auth, Node,
Scheduling and Testing]
- Enabled `kubectl get -o kyaml` by default. To disable it, set
`KUBECTL_KYAML=false`.
([kubernetes/kubernetes#133327](https://redirect.github.com/kubernetes/kubernetes/pull/133327),
[@&#8203;thockin](https://redirect.github.com/thockin))
- Enabled in-place resizing of pod-level resources.
- Added `Resources` in `PodStatus` to capture resources set in the
pod-level cgroup.
- Added `AllocatedResources` in `PodStatus` to capture resources
requested in the `PodSpec`.
([kubernetes/kubernetes#132919](https://redirect.github.com/kubernetes/kubernetes/pull/132919),
[@&#8203;ndixita](https://redirect.github.com/ndixita)) \[SIG API
Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node,
Scheduling and Testing]
- Enabled the `NominatedNodeNameForExpectation` feature in
kube-scheduler by default.
- Enabled the `ClearingNominatedNodeNameAfterBinding` feature in
kube-apiserver by default.
([kubernetes/kubernetes#135103](https://redirect.github.com/kubernetes/kubernetes/pull/135103),
[@&#8203;ania-borowiec](https://redirect.github.com/ania-borowiec))
\[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud
Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node,
Scheduling, Storage and Testing]
- Enhanced discovery responses to merge API groups and resources from
all peer apiservers when the `UnknownVersionInteroperabilityProxy`
feature is enabled.
([kubernetes/kubernetes#133648](https://redirect.github.com/kubernetes/kubernetes/pull/133648),
[@&#8203;richabanker](https://redirect.github.com/richabanker)) \[SIG
API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extended `core/v1` `Toleration` to support numeric comparison
operators (`Gt`,`Lt`).
([kubernetes/kubernetes#134665](https://redirect.github.com/kubernetes/kubernetes/pull/134665),
[@&#8203;helayoty](https://redirect.github.com/helayoty)) \[SIG API
Machinery, Apps, Node, Scheduling, Testing and Windows]
- Feature gate dependencies are now explicit, and validated at startup.
A feature can no longer be enabled if it depends on a disabled feature.
In particular, this means that `AllAlpha=true` will no longer work
without enabling disabled-by-default beta features that are depended on
(either with `AllBeta=true` or explicitly enumerating the disabled
dependencies).
([kubernetes/kubernetes#133697](https://redirect.github.com/kubernetes/kubernetes/pull/133697),
[@&#8203;tallclair](https://redirect.github.com/tallclair)) \[SIG API
Machinery, Architecture, Cluster Lifecycle and Node]
- Generated OpenAPI model packages for API types into
`zz_generated.model_name.go` files, accessible via the
`OpenAPIModelName()` function. This allows API authors to declare
desired OpenAPI model packages instead of relying on the Go package path
of API types.
([kubernetes/kubernetes#131755](https://redirect.github.com/kubernetes/kubernetes/pull/131755),
[@&#8203;jpbetz](https://redirect.github.com/jpbetz)) \[SIG API
Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster
Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and
Testing]
- Implemented constrained impersonation as described in
[KEP-5284](https://kep.k8s.io/5284).
([kubernetes/kubernetes#134803](https://redirect.github.com/kubernetes/kubernetes/pull/134803),
[@&#8203;enj](https://redirect.github.com/enj)) \[SIG API Machinery,
Auth and Testing]
- Introduced a new declarative validation tag `+k8s:customUnique` to
control listmap uniqueness.
([kubernetes/kubernetes#134279](https://redirect.github.com/kubernetes/kubernetes/pull/134279),
[@&#8203;yongruilin](https://redirect.github.com/yongruilin)) \[SIG API
Machinery and Auth]
- Introduced a structured and versioned `v1alpha1` response for the
`statusz` endpoint.
([kubernetes/kubernetes#134313](https://redirect.github.com/kubernetes/kubernetes/pull/134313),
[@&#8203;richabanker](https://redirect.github.com/richabanker)) \[SIG
API Machinery, Architecture, Instrumentation, Network, Node, Scheduling
and Testing]
- Introduced a structured and versioned `v1alpha1` response format for
the `flagz` endpoint.
([kubernetes/kubernetes#134995](https://redirect.github.com/kubernetes/kubernetes/pull/134995),
[@&#8203;yongruilin](https://redirect.github.com/yongruilin)) \[SIG API
Machinery, Architecture, Instrumentation, Network, Node, Scheduling and
Testing]
- Introduced the GangScheduling kube-scheduler plugin to support
"all-or-nothing" scheduling using the `scheduling.k8s.io/v1alpha1`
Workload API.
([kubernetes/kubernetes#134722](https://redirect.github.com/kubernetes/kubernetes/pull/134722),
[@&#8203;macsko](https://redirect.github.com/macsko)) \[SIG API
Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- Introduced the Node Declared Features capability (alpha), which
includes:
- A new `Node.Status.DeclaredFeatures` field for publishing
node-specific features.
- A `component-helpers` library for feature registration and inference.
- A `NodeDeclaredFeatures` scheduler plugin to match pods with nodes
that provide required features.
- A `NodeDeclaredFeatureValidator` admission plugin to validate pod
updates against a node's declared features.
([kubernetes/kubernetes#133389](https://redirect.github.com/kubernetes/kubernetes/pull/133389),
[@&#8203;pravk03](https://redirect.github.com/pravk03)) \[SIG API
Machinery, Apps, Node, Release, Scheduling and Testing]
- Introduced the `scheduling.k8s.io/v1alpha1` Workload API to express
workload-level scheduling requirements and allow the kube-scheduler to
act on them.
([kubernetes/kubernetes#134564](https://redirect.github.com/kubernetes/kubernetes/pull/134564),
[@&#8203;macsko](https://redirect.github.com/macsko)) \[SIG API
Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduced the alpha `MutableSchedulingDirectivesForSuspendedJobs`
feature gate (disabled by default), which allows mutating a Job's
scheduling directives while the Job is suspended.
It also updates the Job controller to clears the `status.startTime`
field for suspended Jobs.
([kubernetes/kubernetes#135104](https://redirect.github.com/kubernetes/kubernetes/pull/135104),
[@&#8203;mimowo](https://redirect.github.com/mimowo)) \[SIG Apps and
Testing]
- Kube-apiserver: Fixed a `v1.34` regression in
`CustomResourceDefinition` handling that incorrectly warned about
unrecognized formats on number and integer properties.
([kubernetes/kubernetes#133896](https://redirect.github.com/kubernetes/kubernetes/pull/133896),
[@&#8203;yongruilin](https://redirect.github.com/yongruilin)) \[SIG API
Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor
Experience, Network, Node and Scheduling]
- Kube-apiserver: Fixed a possible panic validating a custom resource
whose `CustomResourceDefinition` indicates a status subresource exists,
but which does not define a `status` property in the `openAPIV3Schema`.
([kubernetes/kubernetes#133721](https://redirect.github.com/kubernetes/kubernetes/pull/133721),
[@&#8203;fusida](https://redirect.github.com/fusida)) \[SIG API
Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider,
Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release,
Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the
`github.com/gogo/protobuf` library, and are no longer registered into
the global gogo type registry. Kubernetes API Go types were not suitable
for use with the `google.golang.org/protobuf` library, and no longer
implement `ProtoMessage()` by default to avoid accidental incompatible
use. If removal of these marker methods impacts your use, it can be
re-enabled for one more release with a
`kubernetes_protomessage_one_more_release` build tag, but will be
removed in `v1.36`.
([kubernetes/kubernetes#134256](https://redirect.github.com/kubernetes/kubernetes/pull/134256),
[@&#8203;liggitt](https://redirect.github.com/liggitt)) \[SIG API
Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle,
Instrumentation, Network, Node, Scheduling and Storage]
- Made node affinity in Persistent Volume mutable.
([kubernetes/kubernetes#134339](https://redirect.github.com/kubernetes/kubernetes/pull/134339),
[@&#8203;huww98](https://redirect.github.com/huww98)) \[SIG API
Machinery, Apps and Node]
- Moved the `ImagePullIntent` and `ImagePulledRecord` objects used by
the kubelet to track image pulls to the `v1beta1` API version.
([kubernetes/kubernetes#132579](https://redirect.github.com/kubernetes/kubernetes/pull/132579),
[@&#8203;stlaz](https://redirect.github.com/stlaz)) \[SIG Auth and Node]
- Pod resize now only allows CPU and memory resources; other resource
types are forbidden.
([kubernetes/kubernetes#135084](https://redirect.github.com/kubernetes/kubernetes/pull/135084),
[@&#8203;tallclair](https://redirect.github.com/tallclair)) \[SIG Apps,
Node and Testing]
- Prevented Pods from being scheduled onto nodes that lack the required
CSI driver.
([kubernetes/kubernetes#135012](https://redirect.github.com/kubernetes/kubernetes/pull/135012),
[@&#8203;gnufied](https://redirect.github.com/gnufied)) \[SIG API
Machinery, Scheduling, Storage and Testing]
- Promoted HPA configurable tolerance to beta. The
`HPAConfigurableTolerance` feature gate has now been enabled by default.
([kubernetes/kubernetes#133128](https://redirect.github.com/kubernetes/kubernetes/pull/133128),
[@&#8203;jm-franc](https://redirect.github.com/jm-franc)) \[SIG API
Machinery and Autoscaling]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas`
tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature
gate is now enabled by default.
([kubernetes/kubernetes#133087](https://redirect.github.com/kubernetes/kubernetes/pull/133087),
[@&#8203;atiratree](https://redirect.github.com/atiratree)) \[SIG API
Machinery, Apps and Testing]
- Promoted `PodObservedGenerationTracking` to GA.
([kubernetes/kubernetes#134948](https://redirect.github.com/kubernetes/kubernetes/pull/134948),
[@&#8203;natasha41575](https://redirect.github.com/natasha41575)) \[SIG
API Machinery, Apps, Node, Scheduling and Testing]
- Promoted the `JobManagedBy` feature to general availability. The
`JobManagedBy` feature gate was locked to `true` and will be removed in
a future Kubernetes release.
([kubernetes/kubernetes#135080](https://redirect.github.com/kubernetes/kubernetes/pull/135080),
[@&#8203;dejanzele](https://redirect.github.com/dejanzele)) \[SIG API
Machinery, Apps and Testing]
- Promoted the `MaxUnavailableStatefulSet` feature to beta and enabling
it by default.
([kubernetes/kubernetes#133153](https://redirect.github.com/kubernetes/kubernetes/pull/133153),
[@&#8203;helayoty](https://redirect.github.com/helayoty)) \[SIG API
Machinery and Apps]
- Removed the `StrictCostEnforcementForVAP` and
`StrictCostEnforcementForWebhooks` feature gates, which were locked
since `v1.32`.
([kubernetes/kubernetes#134994](https://redirect.github.com/kubernetes/kubernetes/pull/134994),
[@&#8203;liggitt](https://redirect.github.com/liggitt)) \[SIG API
Machinery, Auth, Node and Testing]
- Scheduler: Added the `bindingTimeout` argument to the DynamicResources
plugin configuration, allowing customization of the wait duration in
`PreBind` for device binding conditions.
Defaults to 10 minutes when `DRADeviceBindingConditions` and
`DRAResourceClaimDeviceStatus` are both enabled.
([kubernetes/kubernetes#134905](https://redirect.github.com/kubernetes/kubernetes/pull/134905),
[@&#8203;fj-naji](https://redirect.github.com/fj-naji)) \[SIG Node and
Scheduling]
- The DRA device taints and toleration feature received a separate
feature gate, `DRADeviceTaintRules`, which controlled support for
`DeviceTaintRules`. This allowed disabling it while keeping
`DRADeviceTaints` enabled so that tainting via `ResourceSlices`
continued to work.
([kubernetes/kubernetes#135068](https://redirect.github.com/kubernetes/kubernetes/pull/135068),
[@&#8203;pohly](https://redirect.github.com/pohly)) \[SIG API Machinery,
Apps, Auth, Node, Scheduling and Testing]
- The Pod Certificates feature moved to beta. The
`PodCertificateRequest` feature gate is set disabled by default. To use
the feature, users must enable the certificates API groups in `v1beta1`
and enable the `PodCertificateRequest` feature gate. The
`UserAnnotations` field was added to the `PodCertificateProjection` API
and the corresponding `UnverifiedUserAnnotations` field was added to the
`PodCertificateRequest` API.
([kubernetes/kubernetes#134624](https://redirect.github.com/kubernetes/kubernetes/pull/134624),
[@&#8203;yt2985](https://redirect.github.com/yt2985)) \[SIG API
Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The `KubeletEnsureSecretPulledImages` feature was promoted to Beta and
enabled by default.
([kubernetes/kubernetes#135228](https://redirect.github.com/kubernetes/kubernetes/pull/135228),
[@&#8203;aramase](https://redirect.github.com/aramase)) \[SIG Auth, Node
and Testing]
- The `PreferSameZone` and `PreferSameNode` values for the Service
  `trafficDistribution` field graduated to general availability. The
  `PreferClose` value is now deprecated in favor of the more explicit
`PreferSameZone`.
([kubernetes/kubernetes#134457](https://redirect.github.com/kubernetes/kubernetes/pull/134457),
[@&#8203;danwinship](https://redirect.github.com/danwinship)) \[SIG API
Machinery, Apps, Network and Testing]
- Updated `ResourceQuota` to count device class requests within a
`ResourceClaim` as two additional quotas when the `DRAExtendedResource`
feature is enabled:
- `requests.deviceclass.resource.k8s.io/<deviceclass>` is charged based
on the worst-case number of devices requested.
- Device classes mapping to an extended resource now consume
`requests.<extended resource name>`.
([kubernetes/kubernetes#134210](https://redirect.github.com/kubernetes/kubernetes/pull/134210),
[@&#8203;yliaog](https://redirect.github.com/yliaog)) \[SIG API
Machinery, Apps, Node, Scheduling and Testing]
- Updated storage version for `MutatingAdmissionPolicy` to `v1beta1`.
([kubernetes/kubernetes#133715](https://redirect.github.com/kubernetes/kubernetes/pull/133715),
[@&#8203;cici37](https://redirect.github.com/cici37)) \[SIG API
Machinery, Etcd and Testing]
- Updated the Partitionable Devices feature to support referencing
counter sets across ResourceSlices within the same resource pool.
Devices from incomplete pools were no longer considered for allocation.
This change introduced backwards-incompatible updates to the alpha
feature, requiring any ResourceSlices using it to be removed before
upgrading or downgrading between v1.34 and v1.35.
([kubernetes/kubernetes#134189](https://redirect.github.com/kubernetes/kubernetes/pull/134189),
[@&#8203;mortent](https://redirect.github.com/mortent)) \[SIG API
Machinery, Node, Scheduling and Testing]
- Upgraded the `PodObservedGenerationTracking` feature to beta in
`v1.34` and removed the alpha version description from the OpenAPI
specification.
([kubernetes/kubernetes#133883](https://redirect.github.com/kubernetes/kubernetes/pull/133883),
[@&#8203;yangjunmyfm192085](https://redirect.github.com/yangjunmyfm192085))
- Add scoring for the prioritized list feature so that the node that can
satisfy the best ranked subrequests are chosen.
([kubernetes/kubernetes#134711](https://redirect.github.com/kubernetes/kubernetes/pull/134711),
[@&#8203;mortent](https://redirect.github.com/mortent)) \[SIG Node,
Scheduling and Testing]
- Allows restart all containers when the source container exits with a
matching restart policy rule. This is an alpha feature behind feature
gate RestartAllContainersOnContainerExit.
([kubernetes/kubernetes#134345](https://redirect.github.com/kubernetes/kubernetes/pull/134345),
[@&#8203;yuanwang04](https://redirect.github.com/yuanwang04)) \[SIG
Apps, Node and Testing]
- Changed kuberc configuration schema. Two new optional fields added to
kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This
is documented in
[KEP-3104](https://redirect.github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details)
and documentation is added to the website by
[kubernetes/website#52877](https://redirect.github.com/kubernetes/website/pull/52877)
([kubernetes/kubernetes#134870](https://redirect.github.com/kubernetes/kubernetes/pull/134870),
[@&#8203;pmengelbert](https://redirect.github.com/pmengelbert)) \[SIG
API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- Enhanced discovery response to support merged API groups/resources
from all peer apiservers when UnknownVersionInteroperabilityProxy
feature is enabled
([kubernetes/kubernetes#133648](https://redirect.github.com/kubernetes/kubernetes/pull/133648),
[@&#8203;richabanker](https://redirect.github.com/richabanker)) \[SIG
API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extend `core/v1 Toleration` to support numeric comparison operators
(`Gt`, `Lt`).
([kubernetes/kubernetes#134665](https://redirect.github.com/kubernetes/kubernetes/pull/134665),
[@&#8203;helayoty](https://redirect.github.com/helayoty)) \[SIG API
Machinery, Apps, Node, Scheduling, Testing and Windows]
- Features: NominatedNodeNameForExpectation in kube-scheduler and
CleaeringNominatedNodeNameAfterBinding in kube-apiserver are now enabled
by default.
([kubernetes/kubernetes#135103](https://redirect.github.com/kubernetes/kubernetes/pull/135103),
[@&#8203;ania-borowiec](https://redirect.github.com/ania-borowiec))
\[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud
Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node,
Scheduling, Storage and Testing]
- Implement changes to prevent pod scheduling to a node without CSI
driver
([kubernetes/kubernetes#135012](https://redirect.github.com/kubernetes/kubernetes/pull/135012),
[@&#8203;gnufied](https://redirect.github.com/gnufied)) \[SIG API
Machinery, Scheduling, Storage and Testing]
- Introduce scheduling.k8s.io/v1alpha1 Workload API to allow for
expressing workload-level scheduling requirements and let kube-scheduler
act on those.
([kubernetes/kubernetes#134564](https://redirect.github.com/kubernetes/kubernetes/pull/134564),
[@&#8203;macsko](https://redirect.github.com/macsko)) \[SIG API
Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduce the alpha MutableSchedulingDirectivesForSuspendedJobs
feature gate (disabled by default) which:
  1. allows to mutate Job's scheduling directives for suspended Jobs
2. makes the Job controller to clear the status.startTime field for
suspended Jobs
([kubernetes/kubernetes#135104](https://redirect.github.com/kubernetes/kubernetes/pull/135104),
[@&#8203;mimowo](https://redirect.github.com/mimowo)) \[SIG Apps and
Testing]
- Introduced GangScheduling kube-scheduler plugin to enable
"all-or-nothing" scheduling. Workload API in scheduling.k8s.io/v1alpha1
is used to express the desired policy.
([kubernetes/kubernetes#134722](https://redirect.github.com/kubernetes/kubernetes/pull/134722),
[@&#8203;macsko](https://redirect.github.com/macsko)) \[SIG API
Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- PV node affinity is now mutable.
([kubernetes/kubernetes#134339](https://redirect.github.com/kubernetes/kubernetes/pull/134339),
[@&#8203;huww98](https://redirect.github.com/huww98)) \[SIG API
Machinery, Apps and Node]
- ResourceQuota now counts device class requests within a ResourceClaim
object as consuming two additional quotas when the DRAExtendedResource
feature is enabled:
- `requests.deviceclass.resource.k8s.io/<deviceclass>` with a quantity
equal to the worst case count of devices requested
- requests for device classes that map to an extended resource consume
`requests.<extended resource name>`
([kubernetes/kubernetes#134210](https://redirect.github.com/kubernetes/kubernetes/pull/134210),
[@&#8203;yliaog](https://redirect.github.com/yliaog)) \[SIG API
Machinery, Apps, Node, Scheduling and Testing]
- The DRA device taints and toleration feature now has a separate
feature gate, DRADeviceTaintRules, which controls whether support for
DeviceTaintRules is enabled. It is possible to disable that and keep
DRADeviceTaints enabled, in which case tainting by DRA drivers through
ResourceSlices continues to work.
([kubernetes/kubernetes#135068](https://redirect.github.com/kubernetes/kubernetes/pull/135068),
[@&#8203;pohly](https://redirect.github.com/pohly)) \[SIG API Machinery,
Apps, Auth, Node, Scheduling and Testing]
- The ImagePullIntent and ImagePulledRecord objects used by kubelet to
store information about image pulls have been moved to the v1beta1 API
version.
([kubernetes/kubernetes#132579](https://redirect.github.com/kubernetes/kubernetes/pull/132579),
[@&#8203;stlaz](https://redirect.github.com/stlaz)) \[SIG Auth and Node]
- The KubeletEnsureSecretPulledImages feature is now beta and enabled by
default.
([kubernetes/kubernetes#135228](https://redirect.github.com/kubernetes/kubernetes/pull/135228),
[@&#8203;aramase](https://redirect.github.com/aramase)) \[SIG Auth, Node
and Testing]
- This change adds a new alpha feature Node Declared Features, which
includes:
- A new `Node.Status.DeclaredFeatures` field for Kubelet to publish
node-specific features.
- A library in `component-helpers` for feature registration and
inference.
- A scheduler plugin (`NodeDeclaredFeatures`) scheduler plugin to match
pods with nodes that provide their required features.
- An admission plugin (`NodeDeclaredFeatureValidator`) to validate pod
updates against a node's declared features.
([kubernetes/kubernetes#133389](https://redirect.github.com/kubernetes/kubernetes/pull/133389),
[@&#8203;pravk03](https://redirect.github.com/pravk03)) \[SIG API
Machinery, Apps, Node, Release, Scheduling and Testing]
- This change allows In Place Resize of Pod Level Resources
- Add Resources in PodStatus to capture resources set at pod-level
cgroup
- Add AllocatedResources in PodStatus to capture resources requested in
the PodSpec
([kubernetes/kubernetes#132919](https://redirect.github.com/kubernetes/kubernetes/pull/132919),
[@&#8203;ndixita](https://redirect.github.com/ndixita)) \[SIG API
Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node,
Scheduling and Testing]
- Updates to the Partitionable Devices feature which allows for
referencing counter sets across different ResourceSlices within the same
resource pool.

  Devices from incomplete pools are no longer considered for allocation.

This contains backwards incompatible changes to the Partitionable
Devices alpha feature, so any ResourceSlices that uses the feature
should be removed prior to upgrading or downgrading between 1.34 and
1.35.
([kubernetes/kubernetes#134189](https://redirect.github.com/kubernetes/kubernetes/pull/134189),
[@&#8203;mortent](https://redirect.github.com/mortent)) \[SIG API
Machinery, Node, Scheduling and Testing]
- Add ObservedGeneration to CustomResourceDefinition Conditions.
([kubernetes/kubernetes#134984](https://redirect.github.com/kubernetes/kubernetes/pull/134984),
[@&#8203;michaelasp](https://redirect.github.com/michaelasp)) \[SIG API
Machinery]
- Add StorageVersionMigration v1beta1 api and remove the v1alpha API.

  Any use of the v1alpha1 api is no longer supported and
users must remove any v1alpha1 resources prior to upgrade.
([kubernetes/kubernetes#134784](https://redirect.github.com/kubernetes/kubernetes/pull/134784),
[@&#8203;michaelasp](https://redirect.github.com/michaelasp)) \[SIG API
Machinery, Apps, Auth, Etcd and Testing]
- CSI drivers can now opt-in to receive service account tokens via the
secrets field instead of volume context by setting
`spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This
prevents tokens from being exposed in logs and other outputs. The
feature is gated by the `CSIServiceAccountTokenSecrets` feature gate
(Beta in v1.35).
([kubernetes/kubernetes#134826](https://redirect.github.com/kubernetes/kubernetes/pull/134826),
[@&#8203;aramase](https://redirect.github.com/aramase)) \[SIG API
Machinery, Auth, Storage and Testing]
- DRA device taints: DeviceTaintRule status provided information about
the rule, in particular whether pods still need to be evicted
("EvictionInProgress" condition). The new "None" effect can be used to
preview what a DeviceTaintRule would do if it used the "NoExecute"
effect and to taint devices ("device health") without immediately
affecting scheduling or running pods.
([kubernetes/kubernetes#134152](https://redirect.github.com/kubernetes/kubernetes/pull/134152),
[@&#8203;pohly](https://redirect.github.com/pohly)) \[SIG API Machinery,
Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: the DynamicResourceAllocation feature gate for the core
functionality (GA in 1.34) is now locked to enabled-by-default and thus
cannot be disabled anymore.
([kubernetes/kubernetes#134452](https://redirect.github.com/kubernetes/kubernetes/pull/134452),
[@&#8203;pohly](https://redirect.github.com/pohly)) \[SIG Auth, Node,
Scheduling and Testing]
- Forbid adding resources other than CPU & memory on pod resize.
([kubernetes/kubernetes#135084](https://redirect.github.com/kubernetes/kubernetes/pull/135084),
[@&#8203;tallclair](https://redirect.github.com/tallclair)) \[SIG Apps,
Node and Testing]
- Implement constrained impersonation as described in
<https://kep.k8s.io/5284>
([kubernetes/kubernetes#134803](https://redirect.github.com/kubernetes/kubernetes/pull/134803),
[@&#8203;enj](https://redirect.github.com/enj)) \[SIG API Machinery,
Auth and Testing]
- Introduces a structured and versioned v1alpha1 response for flagz
([kubernetes/kubernetes#134995](https://redirect.github.com/kubernetes/kubernetes/pull/134995),
[@&#8203;yongruilin](https://redirect.github.com/yongruilin)) \[SIG API
Machinery, Architecture, Instrumentation, Network, Node, Scheduling and
Testing]
- Introduces a structured and versioned v1alpha1 response for statusz
([kubernetes/kubernetes#134313](https://redirect.github.com/kubernetes/kubernetes/pull/134313),
[@&#8203;richabanker](https://redirect.github.com/richabanker)) \[SIG
API Machinery, Architecture, Instrumentation, Network, Node, Scheduling
and Testing]
- New `--min-compatibility-version` flag for apiserver, kcm and kube
scheduler
([kubernetes/kubernetes#133980](https://redirect.github.com/kubernetes/kubernetes/pull/133980),
[@&#8203;siyuanfoundation](https://redirect.github.com/siyuanfoundation))
\[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling
and Testing]
- Promote PodObservedGenerationTracking to GA.
([kubernetes/kubernetes#134948](https://redirect.github.com/kubernetes/kubernetes/pull/134948),
[@&#8203;natasha41575](https://redirect.github.com/natasha41575)) \[SIG
API Machinery, Apps, Node, Scheduling and Testing]
- Promoted Job Managed By to general availability. The `JobManagedBy`
feature gate is now locked to true, and will be removed in a future
release of Kubernetes.
([kubernetes/kubernetes#135080](https://redirect.github.com/kubernetes/kubernetes/pull/135080),
[@&#8203;dejanzele](https://redirect.github.com/dejanzele)) \[SIG API
Machinery, Apps and Testing]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas`
tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature
gate is now enabled by default.
([kubernetes/kubernetes#133087](https://redirect.github.com/kubernetes/kubernetes/pull/133087),
[@&#8203;atiratree](https://redirect.github.com/atiratree)) \[SIG API
Machinery, Apps and Testing]
- Scheduler: added a new `bindingTimeout` argument to the
DynamicResources plugin configuration.
This allows customizing the wait duration in PreBind for device binding
conditions.
Defaults to 10 minutes when DRADeviceBindingConditions and
DRAResourceClaimDeviceStatus are both enabled.
([kubernetes/kubernetes#134905](https://redirect.github.com/kubernetes/kubernetes/pull/134905),
[@&#8203;fj-naji](https://redirect.github.com/fj-naji)) \[SIG Node and
Scheduling]
- The Pod Certificates feature is moving to beta. The
PodCertificateRequest feature gate is still set false by default. To use
the feature, users will need to enable the certificates API groups in
v1beta1 and enable the feature gate PodCertificateRequest. A new field
UserAnnotations is added to the PodCertificateProjection API and the
corresponding UnverifiedUserAnnotations is added to the
PodCertificateRequest API.
([kubernetes/kubernetes#134624](https://redirect.github.com/kubernetes/kubernetes/pull/134624),
[@&#8203;yt2985](https://redirect.github.com/yt2985)) \[SIG API
Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks
feature gates, locked on since 1.32, have been removed
([kubernetes/kubernetes#134994](https://redirect.github.com/kubernetes/kubernetes/pull/134994),
[@&#8203;liggitt](https://redirect.github.com/liggitt)) \[SIG API
Machinery, Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for Service's
`trafficDistribution` field are now GA. The old value `PreferClose` is
now
deprecated in favor of the more-explicit `PreferSameZone`.
([kubernetes/kubernetes#134457](https://redirect.github.com/kubernetes/kubernetes/pull/134457),
[@&#8203;danwinship](https://redirect.github.com/danwinship)) \[SIG API
Machinery, Apps, Network and Testing]
- Kube-apiserver: fix a possible panic validating a custom resource
whose CustomResourceDefinition indicates a status subresource exists,
but which does not define a `status` property in the `openAPIV3Schema`
([kubernetes/kubernetes#133721](https://redirect.github.com/kubernetes/kubernetes/pull/133721),
[@&#8203;fusida](https://redirect.github.com/fusida)) \[SIG API
Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider,
Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release,
Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the
github.com/gogo/protobuf library, and are no longer registered into the
global gogo type registry. Kubernetes API Go types were not suitable for
use with the google.golang.org/protobuf library, and no longer implement
`ProtoMessage()` by default to avoid accidental incompatible use. If
removal of these marker methods impacts your use, it can be re-enabled
for one more release with a `kubernetes_protomessage_one_more_release`
build tag, but will be removed in 1.36.
([kubernetes/kubernetes#134256](https://redirect.github.com/kubernetes/kubernetes/pull/134256),
[@&#8203;liggitt](https://redirect.github.com/liggitt)) \[SIG API
Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle,
Instrumentation, Network, Node, Scheduling and Storage]
- Promoted HPA configurable tolerance to beta. The
`HPAConfigurableTolerance` feature gate is now enabled by default.
([kubernetes/kubernetes#133128](https://redirect.github.com/kubernetes/kubernetes/pull/133128),
[@&#8203;jm-franc](https://redirect.github.com/jm-franc)) \[SIG API
Machinery and Autoscaling]
- The MaxUnavailableStatefulSet feature is now beta and enabled by
default.
([kubernetes/kubernetes#133153](https://redirect.github.com/kubernetes/kubernetes/pull/133153),
[@&#8203;helayoty](https://redirect.github.com/helayoty)) \[SIG API
Machinery and Apps]
- Added WithOrigin within apis/core/validation with adjusted tests
([kubernetes/kubernetes#132825](https://redirect.github.com/kubernetes/kubernetes/pull/132825),
[@&#8203;PatrickLaabs](https://redirect.github.com/PatrickLaabs)) \[SIG
Apps]
- Component-base: validate that log-flush-frequency is positive and
return an error instead of panic-ing
([kubernetes/kubernetes#133540](https://redirect.github.com/kubernetes/kubernetes/pull/133540),
[@&#8203;BenTheElder](https://redirect.github.com/BenTheElder)) \[SIG
Architecture, Instrumentation, Network and Node]
- Feature gate dependencies are now explicit, and validated at startup.
A feature can no longer be enabled if it depends on a disabled feature.
In particular, this means that `AllAlpha=true` will no longer work
without enabling disabled-by-default beta features that are depended on
(either with `AllBeta=true` or explicitly enumerating the disabled
dependencies).
([kubernetes/kubernetes#133697](https://redirect.github.com/kubernetes/kubernetes/pull/133697),
[@&#8203;tallclair](https://redirect.github.com/tallclair)) \[SIG API
Machinery, Architecture, Cluster Lifecycle and Node]
- In version 1.34, the PodObservedGenerationTracking feature has been
upgraded to beta, and the description of the alpha version in the
openapi has been removed.
([kubernetes/kubernetes#133883](https://redirect.github.com/kubernetes/kubernetes/pull/133883),
[@&#8203;yangjunmyfm192085](https://redirect.github.com/yangjunmyfm192085))
\[SIG Apps]
- Introduce a new declarative validation tag +k8s:customUnique to
control listmap uniqueness
([kubernetes/kubernetes#134279](https://redirect.github.com/kubernetes/kubernetes/pull/134279),
[@&#8203;yongruilin](https://redirect.github.com/yongruilin)) \[SIG API
Machinery and Auth]
- Kube-apiserver: Fixed a 1.34 regression in CustomResourceDefinition
handling that incorrectly warned about unrecognized formats on number
and integer properties
([kubernetes/kubernetes#133896](https://redirect.github.com/kubernetes/kubernetes/pull/133896),
[@&#8203;yongruilin](https://redirect.github.com/yongruilin)) \[SIG API
Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor
Experience, Network, Node and Scheduling]
- OpenAPI model packages of API types are generated into
`zz_generated.model_name.go` files and are accessible using the
`OpenAPIModelName()` function. This allows API authors to declare the
desired OpenAPI model packages instead of using the go package path of
API types.
([kubernetes/kubernetes#131755](https://redirect.github.com/kubernetes/kubernetes/pull/131755),
[@&#8203;jpbetz](https://redirect.github.com/jpbetz)) \[SIG API
Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster
Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and
Testing]
- Support for `kubectl get -o kyaml` is now on by default. To disable
it, set `KUBECTL_KYAML=false`.
([kubernetes/kubernetes#133327](https://redirect.github.com/kubernetes/kubernetes/pull/133327),
[@&#8203;thockin](https://redirect.github.com/thockin)) \[SIG CLI]
- The storage version for MutatingAdmissionPolicy is updated to v1beta1.
([kubernetes/kubernetes#133715](https://redirect.github.com/kubernetes/kubernetes/pull/133715),
[@&#8203;cici37](https://redirect.github.com/cici37)) \[SIG API
Machinery, Etcd and Testing]

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 8am on Monday" (UTC),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/open-telemetry/otel-arrow).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi43NC41IiwidXBkYXRlZEluVmVyIjoiNDIuNzQuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request Jan 20, 2026
@renovate
chore(deps): update dependency kubernetes to v35
46255f4 
##### [\`35.0.0\`](https://github.com/kubernetes-client/python/blob/HEAD/CHANGELOG.md#v3500snapshot)

Kubernetes API Version: v1.35.0

##### API Change

- Added `ObservedGeneration` to CustomResourceDefinition conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp))
- Added `WithOrigin` within `apis/core/validation` with adjusted tests. ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs))
- Added scoring for the prioritized list feature so nodes that best satisfy the highest-ranked subrequests were chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Added the `--min-compatibility-version` flag to `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler`. ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Added the `StorageVersionMigration` `v1beta1` API and removed the `v1alpha1` API.

  ACTION REQUIRED: The `v1alpha1` API is no longer supported. Users must remove any `v1alpha1` resources before upgrading. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- Added validation to ensure `log-flush-frequency` is a positive value, returning an error instead of causing a panic. ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- All containers are restarted when a source container in a restart policy rule exits. This alpha feature is gated behind `RestartAllContainersOnContainerExit`. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- CSI drivers can now opt in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (beta in `v1.35`). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- DRA device taints: `DeviceTaintRule` status provides information about the rule, including whether Pods still need to be evicted (`EvictionInProgress` condition). The newly added `None` effect can be used to preview what a `DeviceTaintRule` would do if it used the `NoExecute` effect and to taint devices (`device health`) without immediately affecting scheduling or running Pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: The `DynamicResourceAllocation` feature gate for the core functionality (GA in `v1.34`) has now been locked to enabled-by-default and cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Enabled `kubectl get -o kyaml` by default. To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin))
- Enabled in-place resizing of pod-level resources.
  - Added `Resources` in `PodStatus` to capture resources set in the pod-level cgroup.
  - Added `AllocatedResources` in `PodStatus` to capture resources requested in the `PodSpec`. ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Enabled the `NominatedNodeNameForExpectation` feature in kube-scheduler by default.
  - Enabled the `ClearingNominatedNodeNameAfterBinding` feature in kube-apiserver by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Enhanced discovery responses to merge API groups and resources from all peer apiservers when the `UnknownVersionInteroperabilityProxy` feature is enabled. ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extended `core/v1` `Toleration` to support numeric comparison operators (`Gt`,`Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- Generated OpenAPI model packages for API types into `zz_generated.model_name.go` files, accessible via the `OpenAPIModelName()` function. This allows API authors to declare desired OpenAPI model packages instead of relying on the Go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implemented constrained impersonation as described in [KEP-5284](https://kep.k8s.io/5284). ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduced a new declarative validation tag `+k8s:customUnique` to control listmap uniqueness. ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Introduced a structured and versioned `v1alpha1` response for the `statusz` endpoint. ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced a structured and versioned `v1alpha1` response format for the `flagz` endpoint. ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced the GangScheduling kube-scheduler plugin to support "all-or-nothing" scheduling using the `scheduling.k8s.io/v1alpha1` Workload API. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- Introduced the Node Declared Features capability (alpha), which includes:
  - A new `Node.Status.DeclaredFeatures` field for publishing node-specific features.
  - A `component-helpers` library for feature registration and inference.
  - A `NodeDeclaredFeatures` scheduler plugin to match pods with nodes that provide required features.
  - A `NodeDeclaredFeatureValidator` admission plugin to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- Introduced the `scheduling.k8s.io/v1alpha1` Workload API to express workload-level scheduling requirements and allow the kube-scheduler to act on them. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduced the alpha `MutableSchedulingDirectivesForSuspendedJobs` feature gate (disabled by default), which allows mutating a Job's scheduling directives while the Job is suspended.
  It also updates the Job controller to clears the `status.startTime` field for suspended Jobs. ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Kube-apiserver: Fixed a `v1.34` regression in `CustomResourceDefinition` handling that incorrectly warned about unrecognized formats on number and integer properties. ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- Kube-apiserver: Fixed a possible panic validating a custom resource whose `CustomResourceDefinition` indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema`. ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the `github.com/gogo/protobuf` library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the `google.golang.org/protobuf` library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in `v1.36`. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Made node affinity in Persistent Volume mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- Moved the `ImagePullIntent` and `ImagePulledRecord` objects used by the kubelet to track image pulls to the `v1beta1` API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- Pod resize now only allows CPU and memory resources; other resource types are forbidden. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Prevented Pods from being scheduled onto nodes that lack the required CSI driver. ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate has now been enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Promoted `PodObservedGenerationTracking` to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted the `JobManagedBy` feature to general availability. The `JobManagedBy` feature gate was locked to `true` and will be removed in a future Kubernetes release. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted the `MaxUnavailableStatefulSet` feature to beta and enabling it by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Removed the `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` feature gates, which were locked since `v1.32`. ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- Scheduler: Added the `bindingTimeout` argument to the DynamicResources plugin configuration, allowing customization of the wait duration in `PreBind` for device binding conditions.
  Defaults to 10 minutes when `DRADeviceBindingConditions` and `DRAResourceClaimDeviceStatus` are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The DRA device taints and toleration feature received a separate feature gate, `DRADeviceTaintRules`, which controlled support for `DeviceTaintRules`. This allowed disabling it while keeping `DRADeviceTaints` enabled so that tainting via `ResourceSlices` continued to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The Pod Certificates feature moved to beta. The `PodCertificateRequest` feature gate is set disabled by default. To use the feature, users must enable the certificates API groups in `v1beta1` and enable the `PodCertificateRequest` feature gate. The `UserAnnotations` field was added to the `PodCertificateProjection` API and the corresponding `UnverifiedUserAnnotations` field was added to the `PodCertificateRequest` API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The `KubeletEnsureSecretPulledImages` feature was promoted to Beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for the Service
  `trafficDistribution` field graduated to general availability. The
  `PreferClose` value is now deprecated in favor of the more explicit
  `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Updated `ResourceQuota` to count device class requests within a `ResourceClaim` as two additional quotas when the `DRAExtendedResource` feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` is charged based on the worst-case number of devices requested.
  - Device classes mapping to an extended resource now consume `requests.<extended resource name>`. ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Updated storage version for `MutatingAdmissionPolicy` to `v1beta1`. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
- Updated the Partitionable Devices feature to support referencing counter sets across ResourceSlices within the same resource pool. Devices from incomplete pools were no longer considered for allocation. This change introduced backwards-incompatible updates to the alpha feature, requiring any ResourceSlices using it to be removed before upgrading or downgrading between v1.34 and v1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Upgraded the `PodObservedGenerationTracking` feature to beta in `v1.34` and removed the alpha version description from the OpenAPI specification. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085))
- Add scoring for the prioritized list feature so that the node that can satisfy the best ranked subrequests are chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Allows restart all containers when the source container exits with a matching restart policy rule. This is an alpha feature behind feature gate RestartAllContainersOnContainerExit. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- Enhanced discovery response to support merged API groups/resources from all peer apiservers when UnknownVersionInteroperabilityProxy feature is enabled ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extend `core/v1 Toleration` to support numeric comparison operators (`Gt`, `Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Features: NominatedNodeNameForExpectation in kube-scheduler and CleaeringNominatedNodeNameAfterBinding in kube-apiserver are now enabled by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implement changes to prevent pod scheduling to a node without CSI driver ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Introduce scheduling.k8s.io/v1alpha1 Workload API to allow for expressing workload-level scheduling requirements and let kube-scheduler act on those. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduce the alpha MutableSchedulingDirectivesForSuspendedJobs feature gate (disabled by default) which:
  1. allows to mutate Job's scheduling directives for suspended Jobs
  2. makes the Job controller to clear the status.startTime field for suspended Jobs ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Introduced GangScheduling kube-scheduler plugin to enable "all-or-nothing" scheduling. Workload API in scheduling.k8s.io/v1alpha1 is used to express the desired policy. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- PV node affinity is now mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- ResourceQuota now counts device class requests within a ResourceClaim object as consuming two additional quotas when the DRAExtendedResource feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` with a quantity equal to the worst case count of devices requested
  - requests for device classes that map to an extended resource consume `requests.<extended resource name>` ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- The DRA device taints and toleration feature now has a separate feature gate, DRADeviceTaintRules, which controls whether support for DeviceTaintRules is enabled. It is possible to disable that and keep DRADeviceTaints enabled, in which case tainting by DRA drivers through ResourceSlices continues to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The ImagePullIntent and ImagePulledRecord objects used by kubelet to store information about image pulls have been moved to the v1beta1 API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- The KubeletEnsureSecretPulledImages feature is now beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- This change adds a new alpha feature Node Declared Features, which includes:
  - A new `Node.Status.DeclaredFeatures` field for Kubelet to publish node-specific features.
  - A library in `component-helpers` for feature registration and inference.
  - A scheduler plugin (`NodeDeclaredFeatures`) scheduler plugin to match pods with nodes that provide their required features.
  - An admission plugin (`NodeDeclaredFeatureValidator`) to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- This change allows In Place Resize of Pod Level Resources
  - Add Resources in PodStatus to capture resources set at pod-level cgroup
  - Add AllocatedResources in PodStatus to capture resources requested in the PodSpec ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Updates to the Partitionable Devices feature which allows for referencing counter sets across different ResourceSlices within the same resource pool.

  Devices from incomplete pools are no longer considered for allocation.

  This contains backwards incompatible changes to the Partitionable Devices alpha feature, so any ResourceSlices that uses the feature should be removed prior to upgrading or downgrading between 1.34 and 1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Add ObservedGeneration to CustomResourceDefinition Conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery]
- Add StorageVersionMigration v1beta1 api and remove the v1alpha API.

  Any use of the v1alpha1 api is no longer supported and
  users must remove any v1alpha1 resources prior to upgrade. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- CSI drivers can now opt-in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (Beta in v1.35). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- DRA device taints: DeviceTaintRule status provided information about the rule, in particular whether pods still need to be evicted ("EvictionInProgress" condition). The new "None" effect can be used to preview what a DeviceTaintRule would do if it used the "NoExecute" effect and to taint devices ("device health") without immediately affecting scheduling or running pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: the DynamicResourceAllocation feature gate for the core functionality (GA in 1.34) is now locked to enabled-by-default and thus cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Forbid adding resources other than CPU & memory on pod resize. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Implement constrained impersonation as described in <https://kep.k8s.io/5284> ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduces a structured and versioned v1alpha1 response for flagz ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduces a structured and versioned v1alpha1 response for statusz ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- New `--min-compatibility-version` flag for apiserver, kcm and kube scheduler ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Promote PodObservedGenerationTracking to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted Job Managed By to general availability. The `JobManagedBy` feature gate is now locked to true, and will be removed in a future release of Kubernetes. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Scheduler: added a new `bindingTimeout` argument to the DynamicResources plugin configuration.
  This allows customizing the wait duration in PreBind for device binding conditions.
  Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The Pod Certificates feature is moving to beta. The PodCertificateRequest feature gate is still set false by default. To use the feature, users will need to enable the certificates API groups in v1beta1 and enable the feature gate PodCertificateRequest. A new field UserAnnotations is added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations is added to the PodCertificateRequest API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, locked on since 1.32, have been removed ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for Service's
  `trafficDistribution` field are now GA. The old value `PreferClose` is now
  deprecated in favor of the more-explicit `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Kube-apiserver: fix a possible panic validating a custom resource whose CustomResourceDefinition indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema` ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the github.com/gogo/protobuf library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the google.golang.org/protobuf library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in 1.36. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate is now enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- The MaxUnavailableStatefulSet feature is now beta and enabled by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Added WithOrigin within apis/core/validation with adjusted tests ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs)) \[SIG Apps]
- Component-base: validate that log-flush-frequency is positive and return an error instead of panic-ing ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- In version 1.34, the PodObservedGenerationTracking feature has been upgraded to beta, and the description of the alpha version in the openapi has been removed. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085)) \[SIG Apps]
- Introduce a new declarative validation tag +k8s:customUnique to control listmap uniqueness ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Kube-apiserver: Fixed a 1.34 regression in CustomResourceDefinition handling that incorrectly warned about unrecognized formats on number and integer properties ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- OpenAPI model packages of API types are generated into `zz_generated.model_name.go` files and are accessible using the `OpenAPIModelName()` function.  This allows API authors to declare the desired OpenAPI model packages instead of using the go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Support for `kubectl get -o kyaml` is now on by default.  To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin)) \[SIG CLI]
- The storage version for MutatingAdmissionPolicy is updated to v1beta1. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request Feb 2, 2026
@renovate
chore(deps): update dependency kubernetes to v35
c8cab90 
##### [\`35.0.0\`](https://github.com/kubernetes-client/python/blob/HEAD/CHANGELOG.md#v3500snapshot)

Kubernetes API Version: v1.35.0

##### API Change

- Added `ObservedGeneration` to CustomResourceDefinition conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp))
- Added `WithOrigin` within `apis/core/validation` with adjusted tests. ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs))
- Added scoring for the prioritized list feature so nodes that best satisfy the highest-ranked subrequests were chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Added the `--min-compatibility-version` flag to `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler`. ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Added the `StorageVersionMigration` `v1beta1` API and removed the `v1alpha1` API.

  ACTION REQUIRED: The `v1alpha1` API is no longer supported. Users must remove any `v1alpha1` resources before upgrading. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- Added validation to ensure `log-flush-frequency` is a positive value, returning an error instead of causing a panic. ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- All containers are restarted when a source container in a restart policy rule exits. This alpha feature is gated behind `RestartAllContainersOnContainerExit`. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- CSI drivers can now opt in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (beta in `v1.35`). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- DRA device taints: `DeviceTaintRule` status provides information about the rule, including whether Pods still need to be evicted (`EvictionInProgress` condition). The newly added `None` effect can be used to preview what a `DeviceTaintRule` would do if it used the `NoExecute` effect and to taint devices (`device health`) without immediately affecting scheduling or running Pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: The `DynamicResourceAllocation` feature gate for the core functionality (GA in `v1.34`) has now been locked to enabled-by-default and cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Enabled `kubectl get -o kyaml` by default. To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin))
- Enabled in-place resizing of pod-level resources.
  - Added `Resources` in `PodStatus` to capture resources set in the pod-level cgroup.
  - Added `AllocatedResources` in `PodStatus` to capture resources requested in the `PodSpec`. ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Enabled the `NominatedNodeNameForExpectation` feature in kube-scheduler by default.
  - Enabled the `ClearingNominatedNodeNameAfterBinding` feature in kube-apiserver by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Enhanced discovery responses to merge API groups and resources from all peer apiservers when the `UnknownVersionInteroperabilityProxy` feature is enabled. ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extended `core/v1` `Toleration` to support numeric comparison operators (`Gt`,`Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- Generated OpenAPI model packages for API types into `zz_generated.model_name.go` files, accessible via the `OpenAPIModelName()` function. This allows API authors to declare desired OpenAPI model packages instead of relying on the Go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implemented constrained impersonation as described in [KEP-5284](https://kep.k8s.io/5284). ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduced a new declarative validation tag `+k8s:customUnique` to control listmap uniqueness. ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Introduced a structured and versioned `v1alpha1` response for the `statusz` endpoint. ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced a structured and versioned `v1alpha1` response format for the `flagz` endpoint. ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced the GangScheduling kube-scheduler plugin to support "all-or-nothing" scheduling using the `scheduling.k8s.io/v1alpha1` Workload API. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- Introduced the Node Declared Features capability (alpha), which includes:
  - A new `Node.Status.DeclaredFeatures` field for publishing node-specific features.
  - A `component-helpers` library for feature registration and inference.
  - A `NodeDeclaredFeatures` scheduler plugin to match pods with nodes that provide required features.
  - A `NodeDeclaredFeatureValidator` admission plugin to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- Introduced the `scheduling.k8s.io/v1alpha1` Workload API to express workload-level scheduling requirements and allow the kube-scheduler to act on them. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduced the alpha `MutableSchedulingDirectivesForSuspendedJobs` feature gate (disabled by default), which allows mutating a Job's scheduling directives while the Job is suspended.
  It also updates the Job controller to clears the `status.startTime` field for suspended Jobs. ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Kube-apiserver: Fixed a `v1.34` regression in `CustomResourceDefinition` handling that incorrectly warned about unrecognized formats on number and integer properties. ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- Kube-apiserver: Fixed a possible panic validating a custom resource whose `CustomResourceDefinition` indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema`. ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the `github.com/gogo/protobuf` library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the `google.golang.org/protobuf` library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in `v1.36`. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Made node affinity in Persistent Volume mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- Moved the `ImagePullIntent` and `ImagePulledRecord` objects used by the kubelet to track image pulls to the `v1beta1` API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- Pod resize now only allows CPU and memory resources; other resource types are forbidden. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Prevented Pods from being scheduled onto nodes that lack the required CSI driver. ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate has now been enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Promoted `PodObservedGenerationTracking` to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted the `JobManagedBy` feature to general availability. The `JobManagedBy` feature gate was locked to `true` and will be removed in a future Kubernetes release. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted the `MaxUnavailableStatefulSet` feature to beta and enabling it by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Removed the `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` feature gates, which were locked since `v1.32`. ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- Scheduler: Added the `bindingTimeout` argument to the DynamicResources plugin configuration, allowing customization of the wait duration in `PreBind` for device binding conditions.
  Defaults to 10 minutes when `DRADeviceBindingConditions` and `DRAResourceClaimDeviceStatus` are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The DRA device taints and toleration feature received a separate feature gate, `DRADeviceTaintRules`, which controlled support for `DeviceTaintRules`. This allowed disabling it while keeping `DRADeviceTaints` enabled so that tainting via `ResourceSlices` continued to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The Pod Certificates feature moved to beta. The `PodCertificateRequest` feature gate is set disabled by default. To use the feature, users must enable the certificates API groups in `v1beta1` and enable the `PodCertificateRequest` feature gate. The `UserAnnotations` field was added to the `PodCertificateProjection` API and the corresponding `UnverifiedUserAnnotations` field was added to the `PodCertificateRequest` API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The `KubeletEnsureSecretPulledImages` feature was promoted to Beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for the Service
  `trafficDistribution` field graduated to general availability. The
  `PreferClose` value is now deprecated in favor of the more explicit
  `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Updated `ResourceQuota` to count device class requests within a `ResourceClaim` as two additional quotas when the `DRAExtendedResource` feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` is charged based on the worst-case number of devices requested.
  - Device classes mapping to an extended resource now consume `requests.<extended resource name>`. ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Updated storage version for `MutatingAdmissionPolicy` to `v1beta1`. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
- Updated the Partitionable Devices feature to support referencing counter sets across ResourceSlices within the same resource pool. Devices from incomplete pools were no longer considered for allocation. This change introduced backwards-incompatible updates to the alpha feature, requiring any ResourceSlices using it to be removed before upgrading or downgrading between v1.34 and v1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Upgraded the `PodObservedGenerationTracking` feature to beta in `v1.34` and removed the alpha version description from the OpenAPI specification. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085))
- Add scoring for the prioritized list feature so that the node that can satisfy the best ranked subrequests are chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Allows restart all containers when the source container exits with a matching restart policy rule. This is an alpha feature behind feature gate RestartAllContainersOnContainerExit. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- Enhanced discovery response to support merged API groups/resources from all peer apiservers when UnknownVersionInteroperabilityProxy feature is enabled ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extend `core/v1 Toleration` to support numeric comparison operators (`Gt`, `Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Features: NominatedNodeNameForExpectation in kube-scheduler and CleaeringNominatedNodeNameAfterBinding in kube-apiserver are now enabled by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implement changes to prevent pod scheduling to a node without CSI driver ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Introduce scheduling.k8s.io/v1alpha1 Workload API to allow for expressing workload-level scheduling requirements and let kube-scheduler act on those. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduce the alpha MutableSchedulingDirectivesForSuspendedJobs feature gate (disabled by default) which:
  1. allows to mutate Job's scheduling directives for suspended Jobs
  2. makes the Job controller to clear the status.startTime field for suspended Jobs ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Introduced GangScheduling kube-scheduler plugin to enable "all-or-nothing" scheduling. Workload API in scheduling.k8s.io/v1alpha1 is used to express the desired policy. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- PV node affinity is now mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- ResourceQuota now counts device class requests within a ResourceClaim object as consuming two additional quotas when the DRAExtendedResource feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` with a quantity equal to the worst case count of devices requested
  - requests for device classes that map to an extended resource consume `requests.<extended resource name>` ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- The DRA device taints and toleration feature now has a separate feature gate, DRADeviceTaintRules, which controls whether support for DeviceTaintRules is enabled. It is possible to disable that and keep DRADeviceTaints enabled, in which case tainting by DRA drivers through ResourceSlices continues to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The ImagePullIntent and ImagePulledRecord objects used by kubelet to store information about image pulls have been moved to the v1beta1 API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- The KubeletEnsureSecretPulledImages feature is now beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- This change adds a new alpha feature Node Declared Features, which includes:
  - A new `Node.Status.DeclaredFeatures` field for Kubelet to publish node-specific features.
  - A library in `component-helpers` for feature registration and inference.
  - A scheduler plugin (`NodeDeclaredFeatures`) scheduler plugin to match pods with nodes that provide their required features.
  - An admission plugin (`NodeDeclaredFeatureValidator`) to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- This change allows In Place Resize of Pod Level Resources
  - Add Resources in PodStatus to capture resources set at pod-level cgroup
  - Add AllocatedResources in PodStatus to capture resources requested in the PodSpec ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Updates to the Partitionable Devices feature which allows for referencing counter sets across different ResourceSlices within the same resource pool.

  Devices from incomplete pools are no longer considered for allocation.

  This contains backwards incompatible changes to the Partitionable Devices alpha feature, so any ResourceSlices that uses the feature should be removed prior to upgrading or downgrading between 1.34 and 1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Add ObservedGeneration to CustomResourceDefinition Conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery]
- Add StorageVersionMigration v1beta1 api and remove the v1alpha API.

  Any use of the v1alpha1 api is no longer supported and
  users must remove any v1alpha1 resources prior to upgrade. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- CSI drivers can now opt-in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (Beta in v1.35). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- DRA device taints: DeviceTaintRule status provided information about the rule, in particular whether pods still need to be evicted ("EvictionInProgress" condition). The new "None" effect can be used to preview what a DeviceTaintRule would do if it used the "NoExecute" effect and to taint devices ("device health") without immediately affecting scheduling or running pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: the DynamicResourceAllocation feature gate for the core functionality (GA in 1.34) is now locked to enabled-by-default and thus cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Forbid adding resources other than CPU & memory on pod resize. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Implement constrained impersonation as described in <https://kep.k8s.io/5284> ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduces a structured and versioned v1alpha1 response for flagz ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduces a structured and versioned v1alpha1 response for statusz ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- New `--min-compatibility-version` flag for apiserver, kcm and kube scheduler ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Promote PodObservedGenerationTracking to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted Job Managed By to general availability. The `JobManagedBy` feature gate is now locked to true, and will be removed in a future release of Kubernetes. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Scheduler: added a new `bindingTimeout` argument to the DynamicResources plugin configuration.
  This allows customizing the wait duration in PreBind for device binding conditions.
  Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The Pod Certificates feature is moving to beta. The PodCertificateRequest feature gate is still set false by default. To use the feature, users will need to enable the certificates API groups in v1beta1 and enable the feature gate PodCertificateRequest. A new field UserAnnotations is added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations is added to the PodCertificateRequest API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, locked on since 1.32, have been removed ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for Service's
  `trafficDistribution` field are now GA. The old value `PreferClose` is now
  deprecated in favor of the more-explicit `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Kube-apiserver: fix a possible panic validating a custom resource whose CustomResourceDefinition indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema` ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the github.com/gogo/protobuf library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the google.golang.org/protobuf library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in 1.36. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate is now enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- The MaxUnavailableStatefulSet feature is now beta and enabled by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Added WithOrigin within apis/core/validation with adjusted tests ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs)) \[SIG Apps]
- Component-base: validate that log-flush-frequency is positive and return an error instead of panic-ing ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- In version 1.34, the PodObservedGenerationTracking feature has been upgraded to beta, and the description of the alpha version in the openapi has been removed. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085)) \[SIG Apps]
- Introduce a new declarative validation tag +k8s:customUnique to control listmap uniqueness ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Kube-apiserver: Fixed a 1.34 regression in CustomResourceDefinition handling that incorrectly warned about unrecognized formats on number and integer properties ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- OpenAPI model packages of API types are generated into `zz_generated.model_name.go` files and are accessible using the `OpenAPIModelName()` function.  This allows API authors to declare the desired OpenAPI model packages instead of using the go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Support for `kubectl get -o kyaml` is now on by default.  To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin)) \[SIG CLI]
- The storage version for MutatingAdmissionPolicy is updated to v1beta1. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request Feb 12, 2026
@renovate
chore(deps): update dependency kubernetes to v35
4fb5d1b 
##### [\`35.0.0\`](https://github.com/kubernetes-client/python/blob/HEAD/CHANGELOG.md#v3500snapshot)

Kubernetes API Version: v1.35.0

##### API Change

- Added `ObservedGeneration` to CustomResourceDefinition conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp))
- Added `WithOrigin` within `apis/core/validation` with adjusted tests. ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs))
- Added scoring for the prioritized list feature so nodes that best satisfy the highest-ranked subrequests were chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Added the `--min-compatibility-version` flag to `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler`. ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Added the `StorageVersionMigration` `v1beta1` API and removed the `v1alpha1` API.

  ACTION REQUIRED: The `v1alpha1` API is no longer supported. Users must remove any `v1alpha1` resources before upgrading. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- Added validation to ensure `log-flush-frequency` is a positive value, returning an error instead of causing a panic. ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- All containers are restarted when a source container in a restart policy rule exits. This alpha feature is gated behind `RestartAllContainersOnContainerExit`. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- CSI drivers can now opt in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (beta in `v1.35`). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- DRA device taints: `DeviceTaintRule` status provides information about the rule, including whether Pods still need to be evicted (`EvictionInProgress` condition). The newly added `None` effect can be used to preview what a `DeviceTaintRule` would do if it used the `NoExecute` effect and to taint devices (`device health`) without immediately affecting scheduling or running Pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: The `DynamicResourceAllocation` feature gate for the core functionality (GA in `v1.34`) has now been locked to enabled-by-default and cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Enabled `kubectl get -o kyaml` by default. To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin))
- Enabled in-place resizing of pod-level resources.
  - Added `Resources` in `PodStatus` to capture resources set in the pod-level cgroup.
  - Added `AllocatedResources` in `PodStatus` to capture resources requested in the `PodSpec`. ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Enabled the `NominatedNodeNameForExpectation` feature in kube-scheduler by default.
  - Enabled the `ClearingNominatedNodeNameAfterBinding` feature in kube-apiserver by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Enhanced discovery responses to merge API groups and resources from all peer apiservers when the `UnknownVersionInteroperabilityProxy` feature is enabled. ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extended `core/v1` `Toleration` to support numeric comparison operators (`Gt`,`Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- Generated OpenAPI model packages for API types into `zz_generated.model_name.go` files, accessible via the `OpenAPIModelName()` function. This allows API authors to declare desired OpenAPI model packages instead of relying on the Go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implemented constrained impersonation as described in [KEP-5284](https://kep.k8s.io/5284). ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduced a new declarative validation tag `+k8s:customUnique` to control listmap uniqueness. ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Introduced a structured and versioned `v1alpha1` response for the `statusz` endpoint. ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced a structured and versioned `v1alpha1` response format for the `flagz` endpoint. ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced the GangScheduling kube-scheduler plugin to support "all-or-nothing" scheduling using the `scheduling.k8s.io/v1alpha1` Workload API. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- Introduced the Node Declared Features capability (alpha), which includes:
  - A new `Node.Status.DeclaredFeatures` field for publishing node-specific features.
  - A `component-helpers` library for feature registration and inference.
  - A `NodeDeclaredFeatures` scheduler plugin to match pods with nodes that provide required features.
  - A `NodeDeclaredFeatureValidator` admission plugin to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- Introduced the `scheduling.k8s.io/v1alpha1` Workload API to express workload-level scheduling requirements and allow the kube-scheduler to act on them. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduced the alpha `MutableSchedulingDirectivesForSuspendedJobs` feature gate (disabled by default), which allows mutating a Job's scheduling directives while the Job is suspended.
  It also updates the Job controller to clears the `status.startTime` field for suspended Jobs. ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Kube-apiserver: Fixed a `v1.34` regression in `CustomResourceDefinition` handling that incorrectly warned about unrecognized formats on number and integer properties. ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- Kube-apiserver: Fixed a possible panic validating a custom resource whose `CustomResourceDefinition` indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema`. ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the `github.com/gogo/protobuf` library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the `google.golang.org/protobuf` library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in `v1.36`. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Made node affinity in Persistent Volume mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- Moved the `ImagePullIntent` and `ImagePulledRecord` objects used by the kubelet to track image pulls to the `v1beta1` API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- Pod resize now only allows CPU and memory resources; other resource types are forbidden. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Prevented Pods from being scheduled onto nodes that lack the required CSI driver. ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate has now been enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Promoted `PodObservedGenerationTracking` to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted the `JobManagedBy` feature to general availability. The `JobManagedBy` feature gate was locked to `true` and will be removed in a future Kubernetes release. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted the `MaxUnavailableStatefulSet` feature to beta and enabling it by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Removed the `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` feature gates, which were locked since `v1.32`. ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- Scheduler: Added the `bindingTimeout` argument to the DynamicResources plugin configuration, allowing customization of the wait duration in `PreBind` for device binding conditions.
  Defaults to 10 minutes when `DRADeviceBindingConditions` and `DRAResourceClaimDeviceStatus` are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The DRA device taints and toleration feature received a separate feature gate, `DRADeviceTaintRules`, which controlled support for `DeviceTaintRules`. This allowed disabling it while keeping `DRADeviceTaints` enabled so that tainting via `ResourceSlices` continued to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The Pod Certificates feature moved to beta. The `PodCertificateRequest` feature gate is set disabled by default. To use the feature, users must enable the certificates API groups in `v1beta1` and enable the `PodCertificateRequest` feature gate. The `UserAnnotations` field was added to the `PodCertificateProjection` API and the corresponding `UnverifiedUserAnnotations` field was added to the `PodCertificateRequest` API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The `KubeletEnsureSecretPulledImages` feature was promoted to Beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for the Service
  `trafficDistribution` field graduated to general availability. The
  `PreferClose` value is now deprecated in favor of the more explicit
  `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Updated `ResourceQuota` to count device class requests within a `ResourceClaim` as two additional quotas when the `DRAExtendedResource` feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` is charged based on the worst-case number of devices requested.
  - Device classes mapping to an extended resource now consume `requests.<extended resource name>`. ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Updated storage version for `MutatingAdmissionPolicy` to `v1beta1`. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
- Updated the Partitionable Devices feature to support referencing counter sets across ResourceSlices within the same resource pool. Devices from incomplete pools were no longer considered for allocation. This change introduced backwards-incompatible updates to the alpha feature, requiring any ResourceSlices using it to be removed before upgrading or downgrading between v1.34 and v1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Upgraded the `PodObservedGenerationTracking` feature to beta in `v1.34` and removed the alpha version description from the OpenAPI specification. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085))
- Add scoring for the prioritized list feature so that the node that can satisfy the best ranked subrequests are chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Allows restart all containers when the source container exits with a matching restart policy rule. This is an alpha feature behind feature gate RestartAllContainersOnContainerExit. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- Enhanced discovery response to support merged API groups/resources from all peer apiservers when UnknownVersionInteroperabilityProxy feature is enabled ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extend `core/v1 Toleration` to support numeric comparison operators (`Gt`, `Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Features: NominatedNodeNameForExpectation in kube-scheduler and CleaeringNominatedNodeNameAfterBinding in kube-apiserver are now enabled by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implement changes to prevent pod scheduling to a node without CSI driver ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Introduce scheduling.k8s.io/v1alpha1 Workload API to allow for expressing workload-level scheduling requirements and let kube-scheduler act on those. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduce the alpha MutableSchedulingDirectivesForSuspendedJobs feature gate (disabled by default) which:
  1. allows to mutate Job's scheduling directives for suspended Jobs
  2. makes the Job controller to clear the status.startTime field for suspended Jobs ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Introduced GangScheduling kube-scheduler plugin to enable "all-or-nothing" scheduling. Workload API in scheduling.k8s.io/v1alpha1 is used to express the desired policy. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- PV node affinity is now mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- ResourceQuota now counts device class requests within a ResourceClaim object as consuming two additional quotas when the DRAExtendedResource feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` with a quantity equal to the worst case count of devices requested
  - requests for device classes that map to an extended resource consume `requests.<extended resource name>` ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- The DRA device taints and toleration feature now has a separate feature gate, DRADeviceTaintRules, which controls whether support for DeviceTaintRules is enabled. It is possible to disable that and keep DRADeviceTaints enabled, in which case tainting by DRA drivers through ResourceSlices continues to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The ImagePullIntent and ImagePulledRecord objects used by kubelet to store information about image pulls have been moved to the v1beta1 API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- The KubeletEnsureSecretPulledImages feature is now beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- This change adds a new alpha feature Node Declared Features, which includes:
  - A new `Node.Status.DeclaredFeatures` field for Kubelet to publish node-specific features.
  - A library in `component-helpers` for feature registration and inference.
  - A scheduler plugin (`NodeDeclaredFeatures`) scheduler plugin to match pods with nodes that provide their required features.
  - An admission plugin (`NodeDeclaredFeatureValidator`) to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- This change allows In Place Resize of Pod Level Resources
  - Add Resources in PodStatus to capture resources set at pod-level cgroup
  - Add AllocatedResources in PodStatus to capture resources requested in the PodSpec ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Updates to the Partitionable Devices feature which allows for referencing counter sets across different ResourceSlices within the same resource pool.

  Devices from incomplete pools are no longer considered for allocation.

  This contains backwards incompatible changes to the Partitionable Devices alpha feature, so any ResourceSlices that uses the feature should be removed prior to upgrading or downgrading between 1.34 and 1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Add ObservedGeneration to CustomResourceDefinition Conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery]
- Add StorageVersionMigration v1beta1 api and remove the v1alpha API.

  Any use of the v1alpha1 api is no longer supported and
  users must remove any v1alpha1 resources prior to upgrade. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- CSI drivers can now opt-in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (Beta in v1.35). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- DRA device taints: DeviceTaintRule status provided information about the rule, in particular whether pods still need to be evicted ("EvictionInProgress" condition). The new "None" effect can be used to preview what a DeviceTaintRule would do if it used the "NoExecute" effect and to taint devices ("device health") without immediately affecting scheduling or running pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: the DynamicResourceAllocation feature gate for the core functionality (GA in 1.34) is now locked to enabled-by-default and thus cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Forbid adding resources other than CPU & memory on pod resize. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Implement constrained impersonation as described in <https://kep.k8s.io/5284> ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduces a structured and versioned v1alpha1 response for flagz ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduces a structured and versioned v1alpha1 response for statusz ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- New `--min-compatibility-version` flag for apiserver, kcm and kube scheduler ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Promote PodObservedGenerationTracking to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted Job Managed By to general availability. The `JobManagedBy` feature gate is now locked to true, and will be removed in a future release of Kubernetes. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Scheduler: added a new `bindingTimeout` argument to the DynamicResources plugin configuration.
  This allows customizing the wait duration in PreBind for device binding conditions.
  Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The Pod Certificates feature is moving to beta. The PodCertificateRequest feature gate is still set false by default. To use the feature, users will need to enable the certificates API groups in v1beta1 and enable the feature gate PodCertificateRequest. A new field UserAnnotations is added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations is added to the PodCertificateRequest API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, locked on since 1.32, have been removed ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for Service's
  `trafficDistribution` field are now GA. The old value `PreferClose` is now
  deprecated in favor of the more-explicit `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Kube-apiserver: fix a possible panic validating a custom resource whose CustomResourceDefinition indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema` ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the github.com/gogo/protobuf library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the google.golang.org/protobuf library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in 1.36. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate is now enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- The MaxUnavailableStatefulSet feature is now beta and enabled by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Added WithOrigin within apis/core/validation with adjusted tests ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs)) \[SIG Apps]
- Component-base: validate that log-flush-frequency is positive and return an error instead of panic-ing ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- In version 1.34, the PodObservedGenerationTracking feature has been upgraded to beta, and the description of the alpha version in the openapi has been removed. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085)) \[SIG Apps]
- Introduce a new declarative validation tag +k8s:customUnique to control listmap uniqueness ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Kube-apiserver: Fixed a 1.34 regression in CustomResourceDefinition handling that incorrectly warned about unrecognized formats on number and integer properties ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- OpenAPI model packages of API types are generated into `zz_generated.model_name.go` files and are accessible using the `OpenAPIModelName()` function.  This allows API authors to declare the desired OpenAPI model packages instead of using the go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Support for `kubectl get -o kyaml` is now on by default.  To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin)) \[SIG CLI]
- The storage version for MutatingAdmissionPolicy is updated to v1beta1. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request Feb 21, 2026
@renovate
chore(deps): update dependency kubernetes to v35
0a16c11 
##### [\`35.0.0\`](https://github.com/kubernetes-client/python/blob/HEAD/CHANGELOG.md#v3500snapshot)

Kubernetes API Version: v1.35.0

##### API Change

- Added `ObservedGeneration` to CustomResourceDefinition conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp))
- Added `WithOrigin` within `apis/core/validation` with adjusted tests. ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs))
- Added scoring for the prioritized list feature so nodes that best satisfy the highest-ranked subrequests were chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Added the `--min-compatibility-version` flag to `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler`. ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Added the `StorageVersionMigration` `v1beta1` API and removed the `v1alpha1` API.

  ACTION REQUIRED: The `v1alpha1` API is no longer supported. Users must remove any `v1alpha1` resources before upgrading. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- Added validation to ensure `log-flush-frequency` is a positive value, returning an error instead of causing a panic. ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- All containers are restarted when a source container in a restart policy rule exits. This alpha feature is gated behind `RestartAllContainersOnContainerExit`. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- CSI drivers can now opt in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (beta in `v1.35`). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- DRA device taints: `DeviceTaintRule` status provides information about the rule, including whether Pods still need to be evicted (`EvictionInProgress` condition). The newly added `None` effect can be used to preview what a `DeviceTaintRule` would do if it used the `NoExecute` effect and to taint devices (`device health`) without immediately affecting scheduling or running Pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: The `DynamicResourceAllocation` feature gate for the core functionality (GA in `v1.34`) has now been locked to enabled-by-default and cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Enabled `kubectl get -o kyaml` by default. To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin))
- Enabled in-place resizing of pod-level resources.
  - Added `Resources` in `PodStatus` to capture resources set in the pod-level cgroup.
  - Added `AllocatedResources` in `PodStatus` to capture resources requested in the `PodSpec`. ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Enabled the `NominatedNodeNameForExpectation` feature in kube-scheduler by default.
  - Enabled the `ClearingNominatedNodeNameAfterBinding` feature in kube-apiserver by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Enhanced discovery responses to merge API groups and resources from all peer apiservers when the `UnknownVersionInteroperabilityProxy` feature is enabled. ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extended `core/v1` `Toleration` to support numeric comparison operators (`Gt`,`Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- Generated OpenAPI model packages for API types into `zz_generated.model_name.go` files, accessible via the `OpenAPIModelName()` function. This allows API authors to declare desired OpenAPI model packages instead of relying on the Go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implemented constrained impersonation as described in [KEP-5284](https://kep.k8s.io/5284). ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduced a new declarative validation tag `+k8s:customUnique` to control listmap uniqueness. ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Introduced a structured and versioned `v1alpha1` response for the `statusz` endpoint. ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced a structured and versioned `v1alpha1` response format for the `flagz` endpoint. ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced the GangScheduling kube-scheduler plugin to support "all-or-nothing" scheduling using the `scheduling.k8s.io/v1alpha1` Workload API. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- Introduced the Node Declared Features capability (alpha), which includes:
  - A new `Node.Status.DeclaredFeatures` field for publishing node-specific features.
  - A `component-helpers` library for feature registration and inference.
  - A `NodeDeclaredFeatures` scheduler plugin to match pods with nodes that provide required features.
  - A `NodeDeclaredFeatureValidator` admission plugin to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- Introduced the `scheduling.k8s.io/v1alpha1` Workload API to express workload-level scheduling requirements and allow the kube-scheduler to act on them. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduced the alpha `MutableSchedulingDirectivesForSuspendedJobs` feature gate (disabled by default), which allows mutating a Job's scheduling directives while the Job is suspended.
  It also updates the Job controller to clears the `status.startTime` field for suspended Jobs. ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Kube-apiserver: Fixed a `v1.34` regression in `CustomResourceDefinition` handling that incorrectly warned about unrecognized formats on number and integer properties. ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- Kube-apiserver: Fixed a possible panic validating a custom resource whose `CustomResourceDefinition` indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema`. ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the `github.com/gogo/protobuf` library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the `google.golang.org/protobuf` library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in `v1.36`. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Made node affinity in Persistent Volume mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- Moved the `ImagePullIntent` and `ImagePulledRecord` objects used by the kubelet to track image pulls to the `v1beta1` API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- Pod resize now only allows CPU and memory resources; other resource types are forbidden. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Prevented Pods from being scheduled onto nodes that lack the required CSI driver. ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate has now been enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Promoted `PodObservedGenerationTracking` to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted the `JobManagedBy` feature to general availability. The `JobManagedBy` feature gate was locked to `true` and will be removed in a future Kubernetes release. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted the `MaxUnavailableStatefulSet` feature to beta and enabling it by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Removed the `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` feature gates, which were locked since `v1.32`. ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- Scheduler: Added the `bindingTimeout` argument to the DynamicResources plugin configuration, allowing customization of the wait duration in `PreBind` for device binding conditions.
  Defaults to 10 minutes when `DRADeviceBindingConditions` and `DRAResourceClaimDeviceStatus` are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The DRA device taints and toleration feature received a separate feature gate, `DRADeviceTaintRules`, which controlled support for `DeviceTaintRules`. This allowed disabling it while keeping `DRADeviceTaints` enabled so that tainting via `ResourceSlices` continued to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The Pod Certificates feature moved to beta. The `PodCertificateRequest` feature gate is set disabled by default. To use the feature, users must enable the certificates API groups in `v1beta1` and enable the `PodCertificateRequest` feature gate. The `UserAnnotations` field was added to the `PodCertificateProjection` API and the corresponding `UnverifiedUserAnnotations` field was added to the `PodCertificateRequest` API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The `KubeletEnsureSecretPulledImages` feature was promoted to Beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for the Service
  `trafficDistribution` field graduated to general availability. The
  `PreferClose` value is now deprecated in favor of the more explicit
  `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Updated `ResourceQuota` to count device class requests within a `ResourceClaim` as two additional quotas when the `DRAExtendedResource` feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` is charged based on the worst-case number of devices requested.
  - Device classes mapping to an extended resource now consume `requests.<extended resource name>`. ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Updated storage version for `MutatingAdmissionPolicy` to `v1beta1`. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
- Updated the Partitionable Devices feature to support referencing counter sets across ResourceSlices within the same resource pool. Devices from incomplete pools were no longer considered for allocation. This change introduced backwards-incompatible updates to the alpha feature, requiring any ResourceSlices using it to be removed before upgrading or downgrading between v1.34 and v1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Upgraded the `PodObservedGenerationTracking` feature to beta in `v1.34` and removed the alpha version description from the OpenAPI specification. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085))
- Add scoring for the prioritized list feature so that the node that can satisfy the best ranked subrequests are chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Allows restart all containers when the source container exits with a matching restart policy rule. This is an alpha feature behind feature gate RestartAllContainersOnContainerExit. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- Enhanced discovery response to support merged API groups/resources from all peer apiservers when UnknownVersionInteroperabilityProxy feature is enabled ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extend `core/v1 Toleration` to support numeric comparison operators (`Gt`, `Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Features: NominatedNodeNameForExpectation in kube-scheduler and CleaeringNominatedNodeNameAfterBinding in kube-apiserver are now enabled by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implement changes to prevent pod scheduling to a node without CSI driver ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Introduce scheduling.k8s.io/v1alpha1 Workload API to allow for expressing workload-level scheduling requirements and let kube-scheduler act on those. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduce the alpha MutableSchedulingDirectivesForSuspendedJobs feature gate (disabled by default) which:
  1. allows to mutate Job's scheduling directives for suspended Jobs
  2. makes the Job controller to clear the status.startTime field for suspended Jobs ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Introduced GangScheduling kube-scheduler plugin to enable "all-or-nothing" scheduling. Workload API in scheduling.k8s.io/v1alpha1 is used to express the desired policy. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- PV node affinity is now mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- ResourceQuota now counts device class requests within a ResourceClaim object as consuming two additional quotas when the DRAExtendedResource feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` with a quantity equal to the worst case count of devices requested
  - requests for device classes that map to an extended resource consume `requests.<extended resource name>` ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- The DRA device taints and toleration feature now has a separate feature gate, DRADeviceTaintRules, which controls whether support for DeviceTaintRules is enabled. It is possible to disable that and keep DRADeviceTaints enabled, in which case tainting by DRA drivers through ResourceSlices continues to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The ImagePullIntent and ImagePulledRecord objects used by kubelet to store information about image pulls have been moved to the v1beta1 API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- The KubeletEnsureSecretPulledImages feature is now beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- This change adds a new alpha feature Node Declared Features, which includes:
  - A new `Node.Status.DeclaredFeatures` field for Kubelet to publish node-specific features.
  - A library in `component-helpers` for feature registration and inference.
  - A scheduler plugin (`NodeDeclaredFeatures`) scheduler plugin to match pods with nodes that provide their required features.
  - An admission plugin (`NodeDeclaredFeatureValidator`) to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- This change allows In Place Resize of Pod Level Resources
  - Add Resources in PodStatus to capture resources set at pod-level cgroup
  - Add AllocatedResources in PodStatus to capture resources requested in the PodSpec ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Updates to the Partitionable Devices feature which allows for referencing counter sets across different ResourceSlices within the same resource pool.

  Devices from incomplete pools are no longer considered for allocation.

  This contains backwards incompatible changes to the Partitionable Devices alpha feature, so any ResourceSlices that uses the feature should be removed prior to upgrading or downgrading between 1.34 and 1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Add ObservedGeneration to CustomResourceDefinition Conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery]
- Add StorageVersionMigration v1beta1 api and remove the v1alpha API.

  Any use of the v1alpha1 api is no longer supported and
  users must remove any v1alpha1 resources prior to upgrade. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- CSI drivers can now opt-in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (Beta in v1.35). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- DRA device taints: DeviceTaintRule status provided information about the rule, in particular whether pods still need to be evicted ("EvictionInProgress" condition). The new "None" effect can be used to preview what a DeviceTaintRule would do if it used the "NoExecute" effect and to taint devices ("device health") without immediately affecting scheduling or running pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: the DynamicResourceAllocation feature gate for the core functionality (GA in 1.34) is now locked to enabled-by-default and thus cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Forbid adding resources other than CPU & memory on pod resize. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Implement constrained impersonation as described in <https://kep.k8s.io/5284> ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduces a structured and versioned v1alpha1 response for flagz ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduces a structured and versioned v1alpha1 response for statusz ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- New `--min-compatibility-version` flag for apiserver, kcm and kube scheduler ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Promote PodObservedGenerationTracking to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted Job Managed By to general availability. The `JobManagedBy` feature gate is now locked to true, and will be removed in a future release of Kubernetes. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Scheduler: added a new `bindingTimeout` argument to the DynamicResources plugin configuration.
  This allows customizing the wait duration in PreBind for device binding conditions.
  Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The Pod Certificates feature is moving to beta. The PodCertificateRequest feature gate is still set false by default. To use the feature, users will need to enable the certificates API groups in v1beta1 and enable the feature gate PodCertificateRequest. A new field UserAnnotations is added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations is added to the PodCertificateRequest API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, locked on since 1.32, have been removed ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for Service's
  `trafficDistribution` field are now GA. The old value `PreferClose` is now
  deprecated in favor of the more-explicit `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Kube-apiserver: fix a possible panic validating a custom resource whose CustomResourceDefinition indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema` ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the github.com/gogo/protobuf library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the google.golang.org/protobuf library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in 1.36. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate is now enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- The MaxUnavailableStatefulSet feature is now beta and enabled by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Added WithOrigin within apis/core/validation with adjusted tests ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs)) \[SIG Apps]
- Component-base: validate that log-flush-frequency is positive and return an error instead of panic-ing ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- In version 1.34, the PodObservedGenerationTracking feature has been upgraded to beta, and the description of the alpha version in the openapi has been removed. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085)) \[SIG Apps]
- Introduce a new declarative validation tag +k8s:customUnique to control listmap uniqueness ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Kube-apiserver: Fixed a 1.34 regression in CustomResourceDefinition handling that incorrectly warned about unrecognized formats on number and integer properties ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- OpenAPI model packages of API types are generated into `zz_generated.model_name.go` files and are accessible using the `OpenAPIModelName()` function.  This allows API authors to declare the desired OpenAPI model packages instead of using the go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Support for `kubectl get -o kyaml` is now on by default.  To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin)) \[SIG CLI]
- The storage version for MutatingAdmissionPolicy is updated to v1beta1. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
sdwilsh pushed a commit to sdwilsh/ansible-playbooks that referenced this pull request Feb 26, 2026
@renovate @sdwilsh
chore(deps): update dependency kubernetes to v35
33c8e8f 
##### [\`35.0.0\`](https://github.com/kubernetes-client/python/blob/HEAD/CHANGELOG.md#v3500snapshot)

Kubernetes API Version: v1.35.0

##### API Change

- Added `ObservedGeneration` to CustomResourceDefinition conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp))
- Added `WithOrigin` within `apis/core/validation` with adjusted tests. ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs))
- Added scoring for the prioritized list feature so nodes that best satisfy the highest-ranked subrequests were chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Added the `--min-compatibility-version` flag to `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler`. ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Added the `StorageVersionMigration` `v1beta1` API and removed the `v1alpha1` API.

  ACTION REQUIRED: The `v1alpha1` API is no longer supported. Users must remove any `v1alpha1` resources before upgrading. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- Added validation to ensure `log-flush-frequency` is a positive value, returning an error instead of causing a panic. ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- All containers are restarted when a source container in a restart policy rule exits. This alpha feature is gated behind `RestartAllContainersOnContainerExit`. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- CSI drivers can now opt in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (beta in `v1.35`). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- DRA device taints: `DeviceTaintRule` status provides information about the rule, including whether Pods still need to be evicted (`EvictionInProgress` condition). The newly added `None` effect can be used to preview what a `DeviceTaintRule` would do if it used the `NoExecute` effect and to taint devices (`device health`) without immediately affecting scheduling or running Pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: The `DynamicResourceAllocation` feature gate for the core functionality (GA in `v1.34`) has now been locked to enabled-by-default and cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Enabled `kubectl get -o kyaml` by default. To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin))
- Enabled in-place resizing of pod-level resources.
  - Added `Resources` in `PodStatus` to capture resources set in the pod-level cgroup.
  - Added `AllocatedResources` in `PodStatus` to capture resources requested in the `PodSpec`. ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Enabled the `NominatedNodeNameForExpectation` feature in kube-scheduler by default.
  - Enabled the `ClearingNominatedNodeNameAfterBinding` feature in kube-apiserver by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Enhanced discovery responses to merge API groups and resources from all peer apiservers when the `UnknownVersionInteroperabilityProxy` feature is enabled. ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extended `core/v1` `Toleration` to support numeric comparison operators (`Gt`,`Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- Generated OpenAPI model packages for API types into `zz_generated.model_name.go` files, accessible via the `OpenAPIModelName()` function. This allows API authors to declare desired OpenAPI model packages instead of relying on the Go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implemented constrained impersonation as described in [KEP-5284](https://kep.k8s.io/5284). ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduced a new declarative validation tag `+k8s:customUnique` to control listmap uniqueness. ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Introduced a structured and versioned `v1alpha1` response for the `statusz` endpoint. ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced a structured and versioned `v1alpha1` response format for the `flagz` endpoint. ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduced the GangScheduling kube-scheduler plugin to support "all-or-nothing" scheduling using the `scheduling.k8s.io/v1alpha1` Workload API. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- Introduced the Node Declared Features capability (alpha), which includes:
  - A new `Node.Status.DeclaredFeatures` field for publishing node-specific features.
  - A `component-helpers` library for feature registration and inference.
  - A `NodeDeclaredFeatures` scheduler plugin to match pods with nodes that provide required features.
  - A `NodeDeclaredFeatureValidator` admission plugin to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- Introduced the `scheduling.k8s.io/v1alpha1` Workload API to express workload-level scheduling requirements and allow the kube-scheduler to act on them. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduced the alpha `MutableSchedulingDirectivesForSuspendedJobs` feature gate (disabled by default), which allows mutating a Job's scheduling directives while the Job is suspended.
  It also updates the Job controller to clears the `status.startTime` field for suspended Jobs. ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Kube-apiserver: Fixed a `v1.34` regression in `CustomResourceDefinition` handling that incorrectly warned about unrecognized formats on number and integer properties. ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- Kube-apiserver: Fixed a possible panic validating a custom resource whose `CustomResourceDefinition` indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema`. ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the `github.com/gogo/protobuf` library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the `google.golang.org/protobuf` library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in `v1.36`. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Made node affinity in Persistent Volume mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- Moved the `ImagePullIntent` and `ImagePulledRecord` objects used by the kubelet to track image pulls to the `v1beta1` API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- Pod resize now only allows CPU and memory resources; other resource types are forbidden. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Prevented Pods from being scheduled onto nodes that lack the required CSI driver. ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate has now been enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Promoted `PodObservedGenerationTracking` to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted the `JobManagedBy` feature to general availability. The `JobManagedBy` feature gate was locked to `true` and will be removed in a future Kubernetes release. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted the `MaxUnavailableStatefulSet` feature to beta and enabling it by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Removed the `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` feature gates, which were locked since `v1.32`. ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- Scheduler: Added the `bindingTimeout` argument to the DynamicResources plugin configuration, allowing customization of the wait duration in `PreBind` for device binding conditions.
  Defaults to 10 minutes when `DRADeviceBindingConditions` and `DRAResourceClaimDeviceStatus` are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The DRA device taints and toleration feature received a separate feature gate, `DRADeviceTaintRules`, which controlled support for `DeviceTaintRules`. This allowed disabling it while keeping `DRADeviceTaints` enabled so that tainting via `ResourceSlices` continued to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The Pod Certificates feature moved to beta. The `PodCertificateRequest` feature gate is set disabled by default. To use the feature, users must enable the certificates API groups in `v1beta1` and enable the `PodCertificateRequest` feature gate. The `UserAnnotations` field was added to the `PodCertificateProjection` API and the corresponding `UnverifiedUserAnnotations` field was added to the `PodCertificateRequest` API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The `KubeletEnsureSecretPulledImages` feature was promoted to Beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for the Service
  `trafficDistribution` field graduated to general availability. The
  `PreferClose` value is now deprecated in favor of the more explicit
  `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Updated `ResourceQuota` to count device class requests within a `ResourceClaim` as two additional quotas when the `DRAExtendedResource` feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` is charged based on the worst-case number of devices requested.
  - Device classes mapping to an extended resource now consume `requests.<extended resource name>`. ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Updated storage version for `MutatingAdmissionPolicy` to `v1beta1`. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
- Updated the Partitionable Devices feature to support referencing counter sets across ResourceSlices within the same resource pool. Devices from incomplete pools were no longer considered for allocation. This change introduced backwards-incompatible updates to the alpha feature, requiring any ResourceSlices using it to be removed before upgrading or downgrading between v1.34 and v1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Upgraded the `PodObservedGenerationTracking` feature to beta in `v1.34` and removed the alpha version description from the OpenAPI specification. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085))
- Add scoring for the prioritized list feature so that the node that can satisfy the best ranked subrequests are chosen. ([kubernetes/kubernetes#134711](kubernetes/kubernetes#134711), [@mortent](https://github.com/mortent)) \[SIG Node, Scheduling and Testing]
- Allows restart all containers when the source container exits with a matching restart policy rule. This is an alpha feature behind feature gate RestartAllContainersOnContainerExit. ([kubernetes/kubernetes#134345](kubernetes/kubernetes#134345), [@yuanwang04](https://github.com/yuanwang04)) \[SIG Apps, Node and Testing]
- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](kubernetes/website#52877) ([kubernetes/kubernetes#134870](kubernetes/kubernetes#134870), [@pmengelbert](https://github.com/pmengelbert)) \[SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
- Enhanced discovery response to support merged API groups/resources from all peer apiservers when UnknownVersionInteroperabilityProxy feature is enabled ([kubernetes/kubernetes#133648](kubernetes/kubernetes#133648), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
- Extend `core/v1 Toleration` to support numeric comparison operators (`Gt`, `Lt`). ([kubernetes/kubernetes#134665](kubernetes/kubernetes#134665), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
- Features: NominatedNodeNameForExpectation in kube-scheduler and CleaeringNominatedNodeNameAfterBinding in kube-apiserver are now enabled by default. ([kubernetes/kubernetes#135103](kubernetes/kubernetes#135103), [@ania-borowiec](https://github.com/ania-borowiec)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Implement changes to prevent pod scheduling to a node without CSI driver ([kubernetes/kubernetes#135012](kubernetes/kubernetes#135012), [@gnufied](https://github.com/gnufied)) \[SIG API Machinery, Scheduling, Storage and Testing]
- Introduce scheduling.k8s.io/v1alpha1 Workload API to allow for expressing workload-level scheduling requirements and let kube-scheduler act on those. ([kubernetes/kubernetes#134564](kubernetes/kubernetes#134564), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
- Introduce the alpha MutableSchedulingDirectivesForSuspendedJobs feature gate (disabled by default) which:
  1. allows to mutate Job's scheduling directives for suspended Jobs
  2. makes the Job controller to clear the status.startTime field for suspended Jobs ([kubernetes/kubernetes#135104](kubernetes/kubernetes#135104), [@mimowo](https://github.com/mimowo)) \[SIG Apps and Testing]
- Introduced GangScheduling kube-scheduler plugin to enable "all-or-nothing" scheduling. Workload API in scheduling.k8s.io/v1alpha1 is used to express the desired policy. ([kubernetes/kubernetes#134722](kubernetes/kubernetes#134722), [@macsko](https://github.com/macsko)) \[SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
- PV node affinity is now mutable. ([kubernetes/kubernetes#134339](kubernetes/kubernetes#134339), [@huww98](https://github.com/huww98)) \[SIG API Machinery, Apps and Node]
- ResourceQuota now counts device class requests within a ResourceClaim object as consuming two additional quotas when the DRAExtendedResource feature is enabled:
  - `requests.deviceclass.resource.k8s.io/<deviceclass>` with a quantity equal to the worst case count of devices requested
  - requests for device classes that map to an extended resource consume `requests.<extended resource name>` ([kubernetes/kubernetes#134210](kubernetes/kubernetes#134210), [@yliaog](https://github.com/yliaog)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- The DRA device taints and toleration feature now has a separate feature gate, DRADeviceTaintRules, which controls whether support for DeviceTaintRules is enabled. It is possible to disable that and keep DRADeviceTaints enabled, in which case tainting by DRA drivers through ResourceSlices continues to work. ([kubernetes/kubernetes#135068](kubernetes/kubernetes#135068), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- The ImagePullIntent and ImagePulledRecord objects used by kubelet to store information about image pulls have been moved to the v1beta1 API version. ([kubernetes/kubernetes#132579](kubernetes/kubernetes#132579), [@stlaz](https://github.com/stlaz)) \[SIG Auth and Node]
- The KubeletEnsureSecretPulledImages feature is now beta and enabled by default. ([kubernetes/kubernetes#135228](kubernetes/kubernetes#135228), [@aramase](https://github.com/aramase)) \[SIG Auth, Node and Testing]
- This change adds a new alpha feature Node Declared Features, which includes:
  - A new `Node.Status.DeclaredFeatures` field for Kubelet to publish node-specific features.
  - A library in `component-helpers` for feature registration and inference.
  - A scheduler plugin (`NodeDeclaredFeatures`) scheduler plugin to match pods with nodes that provide their required features.
  - An admission plugin (`NodeDeclaredFeatureValidator`) to validate pod updates against a node's declared features. ([kubernetes/kubernetes#133389](kubernetes/kubernetes#133389), [@pravk03](https://github.com/pravk03)) \[SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
- This change allows In Place Resize of Pod Level Resources
  - Add Resources in PodStatus to capture resources set at pod-level cgroup
  - Add AllocatedResources in PodStatus to capture resources requested in the PodSpec ([kubernetes/kubernetes#132919](kubernetes/kubernetes#132919), [@ndixita](https://github.com/ndixita)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
- Updates to the Partitionable Devices feature which allows for referencing counter sets across different ResourceSlices within the same resource pool.

  Devices from incomplete pools are no longer considered for allocation.

  This contains backwards incompatible changes to the Partitionable Devices alpha feature, so any ResourceSlices that uses the feature should be removed prior to upgrading or downgrading between 1.34 and 1.35. ([kubernetes/kubernetes#134189](kubernetes/kubernetes#134189), [@mortent](https://github.com/mortent)) \[SIG API Machinery, Node, Scheduling and Testing]
- Add ObservedGeneration to CustomResourceDefinition Conditions. ([kubernetes/kubernetes#134984](kubernetes/kubernetes#134984), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery]
- Add StorageVersionMigration v1beta1 api and remove the v1alpha API.

  Any use of the v1alpha1 api is no longer supported and
  users must remove any v1alpha1 resources prior to upgrade. ([kubernetes/kubernetes#134784](kubernetes/kubernetes#134784), [@michaelasp](https://github.com/michaelasp)) \[SIG API Machinery, Apps, Auth, Etcd and Testing]
- CSI drivers can now opt-in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (Beta in v1.35). ([kubernetes/kubernetes#134826](kubernetes/kubernetes#134826), [@aramase](https://github.com/aramase)) \[SIG API Machinery, Auth, Storage and Testing]
- DRA device taints: DeviceTaintRule status provided information about the rule, in particular whether pods still need to be evicted ("EvictionInProgress" condition). The new "None" effect can be used to preview what a DeviceTaintRule would do if it used the "NoExecute" effect and to taint devices ("device health") without immediately affecting scheduling or running pods. ([kubernetes/kubernetes#134152](kubernetes/kubernetes#134152), [@pohly](https://github.com/pohly)) \[SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
- DRA: the DynamicResourceAllocation feature gate for the core functionality (GA in 1.34) is now locked to enabled-by-default and thus cannot be disabled anymore. ([kubernetes/kubernetes#134452](kubernetes/kubernetes#134452), [@pohly](https://github.com/pohly)) \[SIG Auth, Node, Scheduling and Testing]
- Forbid adding resources other than CPU & memory on pod resize. ([kubernetes/kubernetes#135084](kubernetes/kubernetes#135084), [@tallclair](https://github.com/tallclair)) \[SIG Apps, Node and Testing]
- Implement constrained impersonation as described in <https://kep.k8s.io/5284> ([kubernetes/kubernetes#134803](kubernetes/kubernetes#134803), [@enj](https://github.com/enj)) \[SIG API Machinery, Auth and Testing]
- Introduces a structured and versioned v1alpha1 response for flagz ([kubernetes/kubernetes#134995](kubernetes/kubernetes#134995), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- Introduces a structured and versioned v1alpha1 response for statusz ([kubernetes/kubernetes#134313](kubernetes/kubernetes#134313), [@richabanker](https://github.com/richabanker)) \[SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
- New `--min-compatibility-version` flag for apiserver, kcm and kube scheduler ([kubernetes/kubernetes#133980](kubernetes/kubernetes#133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) \[SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
- Promote PodObservedGenerationTracking to GA. ([kubernetes/kubernetes#134948](kubernetes/kubernetes#134948), [@natasha41575](https://github.com/natasha41575)) \[SIG API Machinery, Apps, Node, Scheduling and Testing]
- Promoted Job Managed By to general availability. The `JobManagedBy` feature gate is now locked to true, and will be removed in a future release of Kubernetes. ([kubernetes/kubernetes#135080](kubernetes/kubernetes#135080), [@dejanzele](https://github.com/dejanzele)) \[SIG API Machinery, Apps and Testing]
- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([kubernetes/kubernetes#133087](kubernetes/kubernetes#133087), [@atiratree](https://github.com/atiratree)) \[SIG API Machinery, Apps and Testing]
- Scheduler: added a new `bindingTimeout` argument to the DynamicResources plugin configuration.
  This allows customizing the wait duration in PreBind for device binding conditions.
  Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. ([kubernetes/kubernetes#134905](kubernetes/kubernetes#134905), [@fj-naji](https://github.com/fj-naji)) \[SIG Node and Scheduling]
- The Pod Certificates feature is moving to beta. The PodCertificateRequest feature gate is still set false by default. To use the feature, users will need to enable the certificates API groups in v1beta1 and enable the feature gate PodCertificateRequest. A new field UserAnnotations is added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations is added to the PodCertificateRequest API. ([kubernetes/kubernetes#134624](kubernetes/kubernetes#134624), [@yt2985](https://github.com/yt2985)) \[SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
- The StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, locked on since 1.32, have been removed ([kubernetes/kubernetes#134994](kubernetes/kubernetes#134994), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Auth, Node and Testing]
- The `PreferSameZone` and `PreferSameNode` values for Service's
  `trafficDistribution` field are now GA. The old value `PreferClose` is now
  deprecated in favor of the more-explicit `PreferSameZone`. ([kubernetes/kubernetes#134457](kubernetes/kubernetes#134457), [@danwinship](https://github.com/danwinship)) \[SIG API Machinery, Apps, Network and Testing]
- Kube-apiserver: fix a possible panic validating a custom resource whose CustomResourceDefinition indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema` ([kubernetes/kubernetes#133721](kubernetes/kubernetes#133721), [@fusida](https://github.com/fusida)) \[SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
- Kubernetes API Go types removed runtime use of the github.com/gogo/protobuf library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the google.golang.org/protobuf library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in 1.36. ([kubernetes/kubernetes#134256](kubernetes/kubernetes#134256), [@liggitt](https://github.com/liggitt)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate is now enabled by default. ([kubernetes/kubernetes#133128](kubernetes/kubernetes#133128), [@jm-franc](https://github.com/jm-franc)) \[SIG API Machinery and Autoscaling]
- The MaxUnavailableStatefulSet feature is now beta and enabled by default. ([kubernetes/kubernetes#133153](kubernetes/kubernetes#133153), [@helayoty](https://github.com/helayoty)) \[SIG API Machinery and Apps]
- Added WithOrigin within apis/core/validation with adjusted tests ([kubernetes/kubernetes#132825](kubernetes/kubernetes#132825), [@PatrickLaabs](https://github.com/PatrickLaabs)) \[SIG Apps]
- Component-base: validate that log-flush-frequency is positive and return an error instead of panic-ing ([kubernetes/kubernetes#133540](kubernetes/kubernetes#133540), [@BenTheElder](https://github.com/BenTheElder)) \[SIG Architecture, Instrumentation, Network and Node]
- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([kubernetes/kubernetes#133697](kubernetes/kubernetes#133697), [@tallclair](https://github.com/tallclair)) \[SIG API Machinery, Architecture, Cluster Lifecycle and Node]
- In version 1.34, the PodObservedGenerationTracking feature has been upgraded to beta, and the description of the alpha version in the openapi has been removed. ([kubernetes/kubernetes#133883](kubernetes/kubernetes#133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085)) \[SIG Apps]
- Introduce a new declarative validation tag +k8s:customUnique to control listmap uniqueness ([kubernetes/kubernetes#134279](kubernetes/kubernetes#134279), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery and Auth]
- Kube-apiserver: Fixed a 1.34 regression in CustomResourceDefinition handling that incorrectly warned about unrecognized formats on number and integer properties ([kubernetes/kubernetes#133896](kubernetes/kubernetes#133896), [@yongruilin](https://github.com/yongruilin)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
- OpenAPI model packages of API types are generated into `zz_generated.model_name.go` files and are accessible using the `OpenAPIModelName()` function.  This allows API authors to declare the desired OpenAPI model packages instead of using the go package path of API types. ([kubernetes/kubernetes#131755](kubernetes/kubernetes#131755), [@jpbetz](https://github.com/jpbetz)) \[SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
- Support for `kubectl get -o kyaml` is now on by default.  To disable it, set `KUBECTL_KYAML=false`. ([kubernetes/kubernetes#133327](kubernetes/kubernetes#133327), [@thockin](https://github.com/thockin)) \[SIG CLI]
- The storage version for MutatingAdmissionPolicy is updated to v1beta1. ([kubernetes/kubernetes#133715](kubernetes/kubernetes#133715), [@cici37](https://github.com/cici37)) \[SIG API Machinery, Etcd and Testing]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BenTheElder BenTheElder BenTheElder left review comments

@liggitt liggitt liggitt left review comments

@dchen1107 dchen1107 Awaiting requested review from dchen1107

@thockin thockin Awaiting requested review from thockin

+2 more reviewers

@pohly pohly pohly left review comments

@JoelSpeed JoelSpeed JoelSpeed left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@liggitt liggitt

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Projects

SIG Node: code and documentation PRs
Archived in project

Milestone

v1.35

Development

Successfully merging this pull request may close these issues.

Codify inter-FeatureGate dependencies

10 participants

@tallclair @k8s-ci-robot @BenTheElder @k8s-triage-robot @aaron-prindle @pohly @liggitt @aojea @JoelSpeed @benjaminapetersen