Introduce support for specifying allowed TLS key exchange mechanisms
(IANA TLS Supported Groups) via a new --tls-curve-preferences flag,
following the same pattern as --tls-cipher-suites.
Curve preferences are specified as numeric IANA TLS Supported Group IDs
(e.g. 23,29,4588) rather than string names. This avoids maintaining a
hardcoded name-to-ID map that would become stale with each Go release,
and ensures new curves (such as Go 1.26's SecP256r1MLKEM768 and
SecP384r1MLKEM1024) work automatically when rebuilding with a newer Go
version -- no code changes required.
Changes:
- Add curves_flag.go in component-base/cli/flag with a simple
int-to-tls.CurveID cast function
- Add CurvePreferences field ([]int32) to SecureServingOptions, registered
via IntSliceVar, and wire it through to tls.Config
The order of the list is ignored; Go selects from the set using an
internal preference order. If omitted, Go defaults are used. The set of
accepted values depends on the Go version used to build the binary; see
https://pkg.go.dev/crypto/tls#CurveID for reference.
It's GA now. To regenerate the files I did:
make WHAT=cmd/kube-apiserver
make update
While we are there, remove the reference that the field is alpha.
Signed-off-by: Rodrigo Campos <rodrigo@amutable.com>
* Drop WorkloadRef field and introduce SchedulingGroup field in Pod API
* Introduce v1alpha2 Workload and PodGroup APIs, drop v1alpha1 Workload API
Co-authored-by: yongruilin <yongrlin@outlook.com>
* Run hack/update-codegen.sh
* Adjust kube-scheduler code and integration tests to v1alpha2 API
* Drop v1alpha1 scheduling API group and run make update
---------
Co-authored-by: yongruilin <yongrlin@outlook.com>
* Promote MutableCSINodeAllocatableCount to GA
Signed-off-by: Eddie Torres <torredil@amazon.com>
* Lock MutableCSINodeAllocatableCount feature gate to default
Signed-off-by: Eddie Torres <torredil@amazon.com>
---------
Signed-off-by: Eddie Torres <torredil@amazon.com>
In practice, TimeAdded is managed by the API server. When admins used
DeviceTaintRule to simulate eviction, then change the effect to really evict,
it is useful to calculate tolerations based on the time when that second
update happened. Therefore the TimeAdded field gets bumped automatically
when changing the effect.
Add missing +optional and +required markers to authentication API types
across v1, v1beta1, and v1alpha1 versions, and remove authentication
from the linter exception lists.
Part of kubernetes/kubernetes#134671
Run hack/update-openapi-spec.sh to regenerate the static OpenAPI
specification files after adding +optional markers to
PodDisruptionBudgetStatus fields.
