github kcp-dev/kcp v0.29.0
on GitHub

4 hours ago

Changes by Kind

API Change

  • Add per-workspace authentication feature (behind the disabled by default feature gate WorkspaceAuthentication), allowing to configure additional authenticators (JWT/OIDC at the moment) for workspace types in order to admit external users into logical clusters. (#3481, @xrstf)
  • Added path to cachedresource so that CachedResourceEndpointSlice can reference a CachedResource in another workspace (#3726, @olamilekan000)
  • Allow for custom cleanup logic of LogicalClusters through the terminating virtualworkspace (#3615, @SimonTheLeg)
  • Changes in APIExport API: resource schema storage virtual, added Virtual resources support (#3620, @gman0)
  • Implement the admission framework for virtual workspaces. The VirtualWorkspace interface has been extended with two new interfaces (admission.Mutator and admission.Validator). Virtual workspace builders who are not using the DynamicVirtualWorkspaces framework have to modify their implementations to implement these two interfaces. Virtual workspace builders who are using the DynamicVirtualWorkspaces framework do not have to do anything if they don't want to use admission in their virtual workspaces (#3494, @xmudrii)
  • Implement label selectors (matchLabels and matchExpressions) for PermissionClaims (#3494, @xmudrii)
  • Rebase to kubernetes v1.33.3. WatchList has been disabled upstream, following this Watchers will no longer receive the state of objects when starting a watch (#3511, @ntnn)
  • Stop printing Ready column for APIExports as virtual workspace URLs are no longer populated by default (#3493, @embik)
  • The kcp CLI has been moved from github.com/kcp-dev/kcp/cli to github.com/kcp-dev/cli. The source code is maintained in staging/src/github.com/kcp-dev/cli in the main kcp repo (i.e. cli is a staged repository). This does not effect the existing cli releases. The CLI users will be required to change the import paths in their Go code and go.mod upon upgrading the CLI. (#3697, @xmudrii)
  • The kcp SDK has been moved from github.com/kcp-dev/kcp/sdk to github.com/kcp-dev/sdk. The source code is maintained in staging/src/github.com/kcp-dev/sdk in the main kcp repo (i.e. sdk is a staged repository). This does not effect the existing sdk releases. The SDK users will be required to change the import paths in their Go code and go.mod upon upgrading the SDK. (#3694, @xmudrii)
  • Users from other workspaces can be authorized by granting permission to the system:cluster:<clusterid> group. Authorization webhooks now get a payload with the target cluster in the authorization.kcp.io/cluster-name extra. The authorization.kubernetes.io/cluster-name extra is deprecated and will be removed in a future release (#3530, @ntnn)

Feature

  • Add --preserve-resources to apigen tool to enable resource preservation. Without this it always overrides resources on generation. (#3646, @mjudeikis)
  • Add metrics for logical clusters count (#3496, @cnvergence)
  • Add new kcp_indexed_logicalclusters metric that contains the number of known logicalclusters per shard (metric has a shard label). (#3482, @xrstf)
  • Added --i and --interactive flags to the workspace command for exploring and managing workspaces interactively. (#3611, @olamilekan000)
  • Added --create-context flag to create-workspace command to automatically create a kubeconfig context for the new workspace. Use --create-context=<name> to create without switching, or combine with --enter to create and switch context in one step. (#3550, @vishalanarase)
  • Added workspace cluster id as part of information displayed when in interactive mode. (#3728, @olamilekan000)
  • Adds resource version and UID to object's annotation before persisting to the cache server (#3648, @olamilekan000)
  • Path mappings in the front-proxy are treated as standard Go ServerMux patterns and can make use of the {cluster} placeholder to provide a cluster context to the WorkspaceAuthentication for virtual workspaces (e.g. /services/myservice/clusters/{cluster}). (#3628, @xrstf)
  • The extra authentication.kubernetes.io/cluster-name in the user info of Service Accounts has been renamed to authentication.kcp.io/cluster-name (#3568, @ntnn)

Documentation

  • Production deployment documentation (#3712, @mjudeikis)
  • Fix cache replication issue where object were not updated post first create (#3626, @mjudeikis)

Bug or Regression

  • Prevent goroutine leaks when deleting workspaces (#3491, @ntnn)
  • Fix CRDs with kind Cluster leading to errors. Fix URLs with multiple /cluster/... segments being silently ignored (#3537, @ntnn)
  • Fix APIBinding admission mishandling v1alpha1 API version. This fixes the bug where it was impossible to apply v1alpha1 APIBindings (#3543, @xmudrii)
  • Fix TokenReviews when using WorkspaceAuthentication (#3624, @xrstf)
  • Fix create-workspace on an existing workspace throwing a panic (#3518, @ntnn)
  • Fix kubectl kcp bind command after verbs permission claims migration (#3523, @mjudeikis)
  • Fix permission claim controller hot loop when claiming events in an APIExport (#3501, @mjudeikis)
  • Fixed a bug that prevents the deletion of a cachedresource that makes a reference to a resource that doesn't have GVR. (#3730, @olamilekan000)
  • Fixed an issue where APIEndpointExportSlices are not recreated by APIExport when deleted (#3645, @olamilekan000)
  • Fixed an issue where the kubectl ws command did not correctly handle kubeconfig flag (--kubeconfig ). (#3596, @olamilekan000)
  • Fixed reconciliation logic to detect selector changes in APIBinding permission claims. (#3710, @olamilekan000)
  • Make SDK go installable after monorepo migration. This is a temporary solution. (#3656, @mjudeikis)
  • The kcp kubectl plugin now supports kcp <0.28 again. In kcp 0.28+, kubectl kcp claims get apibinding now shows the permission claim verbs. (#3539, @xrstf)
  • kubectl kcp returns error instead of panic when converting CRD with service webhook reference (#3671, @m-szalik)
  • Consistently use the user-provided base URL as the default for ShardBaseURL and VirtualWorkspacesURL (#3636, @mjudeikis)

Other (Cleanup or Flake)

Dependencies

Added

  • github.com/containerd/errdefs/pkg: v0.3.0
  • github.com/containerd/typeurl/v2: v2.2.2
  • github.com/go-jose/go-jose/v3: v3.0.4
  • github.com/golang-jwt/jwt/v5: v5.2.2
  • github.com/ntnn/goleak: cbb740d
  • github.com/opencontainers/cgroups: v0.0.1
  • github.com/opencontainers/image-spec: v1.1.1
  • github.com/xrstf/mockoidc: 711cc4e
  • gopkg.in/go-jose/go-jose.v2: v2.6.3
  • sigs.k8s.io/randfill: v1.0.0

Changed

Removed

  • github.com/asaskevich/govalidator: a9d515a
  • github.com/go-kit/log: v0.2.1
  • github.com/kcp-dev/apimachinery/v2: ebb573a
  • github.com/kcp-dev/client-go: decc4df
  • github.com/kcp-dev/code-generator/v3: 4094fb8
  • github.com/opencontainers/runc: v1.2.1
  • go.uber.org/goleak: v1.3.0
Check out latest releases or
releases around kcp-dev/kcp v0.29.0

Don't miss a new kcp release

NewReleases is sending notifications on new releases.

Get notifications