github kcp-dev/kcp v0.31.0
on GitHub

7 hours ago

Special mentions

🚀 Rebase to Kubernetes 1.35.1 — #3842 (@xmudrii)
Foundation upgrade to Kubernetes 1.35.1 + Go 1.25.7. XL change touching the entire codebase — API adaptations, test adjustments, separate etcd lifecycle context to prevent shutdown blocking.

🔒 Cross-shard service account lookup — #3973 (@ntnn)
Enables service account validation across shards via a TTL cache. Removes the previous same-shard requirement for SAs. Drops the GlobalServiceAccount feature gate (now always-on).

⚙️ APIResourceSchema Virtual Workspace — #3881 (@mjudeikis)
New virtual workspace enabling providers to access consumer workspace schemas — key for kube-bind.io integration. Requires GlobalServiceAccounts and cross-workspace RBAC.

🔑 defaultSelector for PermissionClaim on APIExport — #3884 (@mjudeikis)
API change: providers can specify default permission claim selectors on APIExport that automatically apply when APIBindings are auto-created via WorkspaceType. Replaces a cache-replication approach (#3859) that had O(workspaces × bindings) scalability concerns.

🛟 Extract Virtual Workspace framework to staging repo — #3959 (@xmudrii)
Moves pkg/virtual/framework and pkg/virtual/options into github.com/kcp-dev/virtual-workspace-framework. External VW developers no longer need to vendor the entire kcp core repo. Also moves OpenAPI defs to SDK and crdpuller to the new repo.

🏋️ Load testing framework & infrastructure — #3796, #3866, #3895 (@SimonTheLeg)
Three-part effort: concept doc, k8s infra setup, and the framework itself. Inspired by clusterloader2, uses Go iterators for tuning sets, supports scenarios like "10,000 empty workspaces" with P99 stats.

🐛 Etcd key poisoning fix — #4011 (@mjudeikis)
Critical data integrity fix: unresolved workspace paths were poisoning etcd keys with malformed cluster names. Adds 404 handling and defense-in-depth filtering.

🔨 CLI permission claims management — #3956 (@rxinui) + #3946 (@ghdrope)
New kcp claims accept / kcp claims reject subcommands plus --accept-all-permission-claims / --reject-all-permission-claims flags on kubectl kcp bind. Significant UX improvement for API consumers.

🎁 SSA (Server-Side Apply) committer — #4002 (@swastik959)
Introduces Server-Side Apply support for controllers, fixing race conditions where JSON Merge Patch would lose concurrent condition updates.

🐞 VW proxy impersonation isolation — #4009 (@officialasishkumar)
Security fix: the shared ReverseProxy in VW was being mutated concurrently, causing impersonation header leakage between requests. Each request now gets an isolated proxy instance.

Honourable mentions

Changes by Kind

Chore

API Change

  • Action: Add defaultSelector field to PermissionClaim on APIExport. When APIBindings are auto-created via WorkspaceType.defaultAPIBindings, the selector is now taken from the APIExport's defaultSelector instead of defaulting to matchAll: true. Existing APIExports without defaultSelector retain the previous matchAll: true behavior. (#3884, @mjudeikis)
  • Update kcp to Kubernetes 1.35.1

Feature

  • Add /readyz now uses NewInformerSyncHealthz
    Add /livez now uses PingHealthz (#3935, @nuromirg)
  • Add apiresourceschema virtual workspace for schema access from provider side. (#3881, @mjudeikis)
  • Added --accept-all-permission-claims and --reject-all-permission-claims flags for BindOptions. (#3946, @ghdrope)
  • Cache-server: added etcd flags
    sharded-test-server: added --cache-kubeconfig flag to use an external cache-server (#3831, @gman0)
  • Enable kcp claims accept and kcp claims reject (#3956, @rxinui)
  • Enable cross-shard service account validation (#3973, @ntnn)
  • Extract pkg/virtual/framework and pkg/virtual/options packages into a dedicated staging repository (github.com/kcp-dev/virtual-workspace-framework
    • Move the OpenAPI definitions (pkg/openapi) to the SDK repository
    • Move pkg/crdpuller package to the newly added virtual-workspace-framework repository (#3959, @xmudrii)
  • The compat CLI now supports -old-version and -new-version flags to select which CRD versions to compare. When omitted, it defaults to the first version as before. (#3943, @nuromirg)

Bug or Regression

  • BREAKING CHANGE:
    Fix {cluster} extract logic for VirtualWorkspaces. Previously, if VirtualWorkspace, used in FrontProxy mapping, had a path cluster/{cluster} - it was not resolved, and so WorkspaceAuthorizationConfiguration was not run if used inside FrontProxy, but forwarded to VirtualWorkspace without checking. As a result, if one has misconfigured VirtualWorkspace, it might receive traffic intended for another recipient. (#3857, @mjudeikis)
  • Fix --shard-virtual-workspace-url, --shard-virtual-workspace-ca-file, --shard-client-key-file, --shard-client-cert-file not being taken into account when disabling the in-process kcp virtual workspaces server on a shard. (#3955, @xrstf)
  • Fix an etcd key-corruption bug where an unresolvable multi-segment workspace path in /clusters/<path>/... on a shard could cause resources to be written to etcd under a key segment containing the raw workspace path instead of the logical cluster name, producing orphaned rows invisible to the normal API read path. The shard now returns 404 for unresolvable workspace paths, and a new defense-in-depth filter rejects any request whose context carries a path-shaped cluster name before it can reach storage. (#4011, @mjudeikis)
  • Fix concurrent map writes panic in apiexport virtual workspace when
    multiple requests share the same user.Info reference. (#3856, @dweidenfeld)
  • Fix external cache bootstrapping issues that sometimes prevented shards from bootstrapping successfully. (#3974, @xrstf)
  • Fix external virtual workspace proxying so concurrent /services/... requests keep impersonation headers request-scoped. (#4009, @officialasishkumar)
  • Fix very rare openapi-related panic during startup. (#3833, @xrstf)
  • Fixed Inherited APIBindings now inherit permission claim selectors from parent workspaces instead of defaulting to matchAll: true. (#3786, @olamilekan000)
  • Fixed TestAPIExportAPIBindingsAccess error when trying to create a ws in a shard setup (#3817, @olamilekan000)
  • Fixed events.k8s.io permission denial through APIExport virtual workspace. (#3894, @cnvergence)
  • Send initial-events-end bookmark for CachedResource virtual storage (#3875, @maxpain)
  • Strip scopes from ServiceAccount tokens in maximal permission policy check (#3867, @mjudeikis)
  • Update build version to v1.24.13 for CVE-2025-68121 (#3864, @ntnn)
  • Workspace plugin: fix a bug where calling the 'tree' command on a parent workspace that has deleting children can result in a 403 error. (#3843, @neolit123)

Other (Cleanup or Flake)

  • All kcp binaries in the container images now have their debugging symbols stripped, saving roughly 25% in total image size. (#3898, @xrstf)
  • Change "ts" in JSON logging format to be ISO 8601 instead of UNIX timestamps.
    • Add --logging-format flag to the cache-server. (#3904, @xrstf)
  • Deprecate --external-hostname, determined based on --shard-base-url or --bind-address instead (#3832, @ntnn)
  • Deprecated the unused flag --shard-external-url for virtual-workspace (#3849, @ntnn)
  • Internal: consolidate identity secret generation and hashing logic into pkg/identity (#3937, @ghdrope)

Dependencies

Added

  • cyphar.com/go-pathrs: v0.2.1
  • github.com/Masterminds/semver/v3: v3.4.0
  • github.com/jellydator/ttlcache/v3: v3.4.0
  • go.uber.org/automaxprocs: v1.6.0
  • gonum.org/v1/gonum: v0.17.0

Changed

Removed

  • github.com/zeebo/errs: v1.4.0
  • gopkg.in/yaml.v2: v2.4.0
Check out latest releases or
releases around kcp-dev/kcp v0.31.0

Don't miss a new kcp release

NewReleases is sending notifications on new releases.

Get notifications