github kube-rs/kube 4.0.0

4 hours ago

New Major

Released as per the release schedule, to match up with the latest Kubernetes ハル release.
Lots of fixes and improvements. Thanks to everyone who contributed!

Kubernetes v1_36 support via k8s-openapi 0.28

Please upgrade k8s-openapi along with kube to avoid conflicts.

CEL Validation

A new optional crate kube-cel is being re-exported through kube::core::cel via #1954

Kubernetes CRDs support CEL validation rules via x-kubernetes-validations, and kube has supported them since 3.0 via KubeSchema, but these rules could only be evaluated server-side by the API server.

The new crate allows evaluating these rules locally using rules matching the upstream Kubernetes CEL libraries.

While kube-cel itself is low-level, a higher-level CEL validator (from #2011) integrates with CustomResource via #[kube(cel)] and can be used as follows:

use kube::{CustomResource, KubeSchema};
use serde::{Deserialize, Serialize};

#[derive(CustomResource, Serialize, Deserialize, Clone, KubeSchema)]
#[kube(group = "example.com", version = "v1", kind = "Foo", namespaced)]
#[kube(cel, validation = "self.spec.replicas >= 0")] // cel trigger + validation rule
struct FooSpec { replicas: i32 }

let foo = Foo::new("test", FooSpec { replicas: -1 });
foo.validate_cel()?;                     // new impl; checks creation rules
// old_foo / new_foo: the previous and the updated version of the same object
new_foo.validate_cel_update(&old_foo)?;  // new impl; checks transition rules

See examples/crd_derive_cel.rs for more details.

This is available under the kube/cel feature, courtesy of @doxxx93.

Config

A lot of improvements to config handling:

  • better error handling of malformed client certs in #1966
  • add missing Kubeconfig fields in #1965
  • Kubeconfig forward compatibility for new fields by adding a catch-all other key via #1964
  • deserialization changed from serde-yaml to serde-saphyr to get rid of the long-deprecated dependency. #1975

Retry and Timeouts

Better timeout and retry handling to better deal with flaky network conditions, and busy or initializing apiservers.

  • the default global read timeout has been unset in favor of watcher-level timeouts in #1945 (see #1798 for context)
  • regular (non-watch) queries now respect the RetryPolicy, now enabled by default in #2007.

Client

  • properly handle rotating CA certs in-cluster via #1962
  • handle tls-server-name with openssl-tls via #1993
  • auth exec: accept yaml output from exec plugins via #2003
  • fix ws task leak and drop, and a deadlock on join() via #1978
  • change: client tracing is now opt-in due to issues; see #1972

Runtime

What's Changed

Added

  • feat: add typed kubeconfig fields for client-go parity by @alex-lapuka in #1965
  • Add CEL validation via kube-cel re-export by @doxxx93 in #1954
  • Add AdmissionRequest::to_cel_request() for VAP CEL bridging by @doxxx93 in #1991
  • runtime: implement Store::state_with and Store::state_filtered by @Alvov1 in #1998
  • runtime: add wait::conditions::is_created helper by @orangecms in #2000
  • refactor(runtime): rename Store::state_with/state_filtered per review feedback by @Alvov1 in #2002
  • deps: bump kube-cel to 0.6.1 (validation surface flattened) by @doxxx93 in #2005
  • Enable RetryPolicy::server_retry by default for Client by @Danil-Grigorev in #2007
  • feat(derive): client-side CEL validation via #[kube(cel)] / #[x_kube(cel)] by @doxxx93 in #2011

Changed

  • preserve unknown kubeconfig fields via serde(flatten) by @alex-lapuka in #1964
  • Remove global read_timeout default, add watcher-level idle timeout by @doxxx93 in #1945
  • Update tokio-tungstenite requirement from 0.28.0 to 0.29.0 by @dependabot[bot] in #1963
  • convert from serde-yaml to serde-saphyr by @clux in #1975
  • features: making client tracing opt-in by @mattklein123 in #1972
  • client: reload in-cluster CA bundle on rotation (rustls-tls) by @chrnorm in #1962
  • Api<PartialObjectMeta> should opportunistically degrade to metadata requests by @doxxx93 in #1952
  • Chore(deps): Update garde requirement from 0.22.0 to 0.23.0 by @dependabot[bot] in #1989
  • bump k8s-openapi to 0.28 by @clux in #2009
  • Box a large runtime error in ReconcilerErr by @clux in #1880

Fixed

  • fix: feature-flag CREATE_NO_WINDOW to not break stderr inheritance by @cristeigabriela in #1971
  • Remove silent error when client-key/client-certificate is malformed by @goenning in #1966
  • Fix AttachedProcess task leak on drop and join() deadlock by @SebTardif in #1978
  • support auth exec yaml output by @aviramha in #2003
  • fix(client): apply tls-server-name on the openssl-tls path by @dgunzy in #1993
  • Use the resource's own name for the schema title by @cehoffman in #1985

New Contributors

Full Changelog: 3.1.0...4.0.0
