KEP 4317: Pod Certificates

content/en/docs/concepts/cluster-administration/node-shutdown.md

@@ -217,9 +217,7 @@ these pods will be stuck in terminating status on the shutdown node forever.
 
 To mitigate the above situation, a user can manually add the taint `node.kubernetes.io/out-of-service`
 with either `NoExecute` or `NoSchedule` effect to a Node marking it out-of-service.
-If the `NodeOutOfServiceVolumeDetach`[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-is enabled on {{< glossary_tooltip text="kube-controller-manager" term_id="kube-controller-manager" >}},
-and a Node is marked out-of-service with this taint, the pods on the node will be forcefully deleted
+If a Node is marked out-of-service with this taint, the pods on the node will be forcefully deleted
 if there are no matching tolerations on it and volume detach operations for the pods terminating on
 the node will happen immediately. This allows the Pods on the out-of-service node to recover quickly
 on a different node.

content/en/docs/concepts/overview/working-with-objects/names.md

@@ -32,6 +32,12 @@ of the same resource. API resources are distinguished by their API group, resour
 In cases when objects represent a physical entity, like a Node representing a physical host, when the host is re-created under the same name without deleting and re-creating the Node, Kubernetes treats the new host as the old one, which may lead to inconsistencies.
 {{< /note >}}
 
+The server may generate a name when `generateName` is provided instead of `name` in a resource create request.
+When `generateName` is used, the provided value is used as a name prefix, which server appends a generated suffix
+to. Even though the name is generated, it may conflict with existing names resulting in a HTTP 409 resopnse. This
+became far less likely to happen in Kubernetes v1.31 and later, since the server will make up to 8 attempt to generate a
+unique name before returning a HTTP 409 response.
+
 Below are four types of commonly used name constraints for resources.
 
 ### DNS Subdomain Names

content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md

@@ -99,7 +99,7 @@ your cluster. Those fields are:
   <!-- OK to remove this note once v1.29 Kubernetes is out of support -->
   {{< note >}}
   Before Kubernetes v1.30, the `minDomains` field was only available if the
-  `MinDomainsInPodTopologySpread` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+  `MinDomainsInPodTopologySpread` [feature gate](/docs/reference/command-line-tools-reference/feature-gates-removed/)
   was enabled (default since v1.28). In older Kubernetes clusters it might be explicitly
   disabled or the field might not be available.
   {{< /note >}}

content/en/docs/concepts/services-networking/service.md

@@ -681,14 +681,11 @@ The value of `spec.loadBalancerClass` must be a label-style identifier,
 with an optional prefix such as "`internal-vip`" or "`example.com/internal-vip`".
 Unprefixed names are reserved for end-users.
 
-#### Specifying IPMode of load balancer status {#load-balancer-ip-mode}
+#### Load balancer IP address mode {#load-balancer-ip-mode}
 
 {{< feature-state feature_gate_name="LoadBalancerIPMode" >}}
 
-As a Beta feature in Kubernetes 1.30,
-a [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) 
-named `LoadBalancerIPMode` allows you to set the `.status.loadBalancer.ingress.ipMode` 
-for a Service with `type` set to `LoadBalancer`. 
+For a Service of `type: LoadBalancer`, a controller can set `.status.loadBalancer.ingress.ipMode`. 
 The `.status.loadBalancer.ingress.ipMode` specifies how the load-balancer IP behaves. 
 It may be specified only when the `.status.loadBalancer.ingress.ip` field is also specified.
 

content/en/docs/concepts/workloads/controllers/job.md

@@ -695,8 +695,8 @@ triggered and all Pod finalizers were removed. However, some Pods would still
 be running or terminating at the moment that the terminal condition was added.
 
 In Kubernetes v1.31 and later, the controller only adds the Job terminal conditions
-_after_ all of the Pods are terminated. You can enable this behavior by using the
-`JobManagedBy` or the `JobPodReplacementPolicy` (enabled by default)
+_after_ all of the Pods are terminated. You can control this behavior by using the
+`JobManagedBy` and the `JobPodReplacementPolicy` (both enabled by default)
 [feature gates](/docs/reference/command-line-tools-reference/feature-gates/).
 
 ### Termination of Job pods
@@ -1137,7 +1137,7 @@ status:
 {{< note >}}
 You can only set the `managedBy` field on Jobs if you enable the `JobManagedBy`
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-(disabled by default).
+(enabled by default).
 {{< /note >}}
 
 This feature allows you to disable the built-in Job controller, for a specific

content/en/docs/concepts/workloads/pods/pod-lifecycle.md

@@ -677,8 +677,7 @@ Additionally, PodGC cleans up any Pods which satisfy any of the following condit
 1. are orphan Pods - bound to a node which no longer exists,
 1. are unscheduled terminating Pods,
 1. are terminating Pods, bound to a non-ready node tainted with
-   [`node.kubernetes.io/out-of-service`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-out-of-service),
-   when the `NodeOutOfServiceVolumeDetach` feature gate is enabled.
+   [`node.kubernetes.io/out-of-service`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-out-of-service).
 
 Along with cleaning up the Pods, PodGC will also mark them as failed if they are in a non-terminal
 phase. Also, PodGC adds a Pod disruption condition when cleaning up an orphan Pod.

content/en/docs/reference/access-authn-authz/authentication.md

@@ -466,6 +466,12 @@ jwt:
       expression: 'claims.sub'
     # extra attributes to be added to the UserInfo object. Keys must be domain-prefix path and must be unique.
     extra:
+      # key is a string to use as the extra attribute key.
+      # key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
+      # subdomain as defined by RFC 1123. All characters trailing the first "/" must
+      # be valid HTTP Path characters as defined by RFC 3986.
+      # k8s.io, kubernetes.io and their subdomains are reserved for Kubernetes use and cannot be used.
+      # key must be lowercase and unique across all extra attributes.
     - key: 'example.com/tenant'
       # valueExpression is a CEL expression that evaluates to a string or a list of strings.
       valueExpression: 'claims.tenant'

content/en/docs/reference/access-authn-authz/authorization.md

@@ -177,7 +177,7 @@ You can use the following modes:
 * `--authorization-mode=AlwaysDeny` (always denies requests)
 
 You can choose more than one authorization mode; for example:
-`--authorization-mode=Node,Webhook`
+`--authorization-mode=Node,RBAC,Webhook`
 
 Kubernetes checks authorization modules based on the order that you specify them
 on the API server's command line, so an earlier module has higher priority to allow
@@ -197,7 +197,7 @@ For more information on command line arguments to the API server, read the
 
 {{< feature-state feature_gate_name="StructuredAuthorizationConfiguration" >}}
 
-As a beta feature, Kubernetes lets you configure authorization chains that can include multiple
+Kubernetes lets you configure authorization chains that can include multiple
 webhooks. The authorization items in that chain can have well-defined parameters that validate
 requests in a particular order, offering you fine-grained control, such as explicit Deny on failures.
 
@@ -220,7 +220,7 @@ are only available if you use an authorization configuration file.
 #
 # DO NOT USE THE CONFIG AS IS. THIS IS AN EXAMPLE.
 #
-apiVersion: apiserver.config.k8s.io/v1beta1
+apiVersion: apiserver.config.k8s.io/v1
 kind: AuthorizationConfiguration
 authorizers:
   - type: Webhook

content/en/docs/reference/access-authn-authz/certificate-signing-requests.md

@@ -15,6 +15,8 @@ content_type: concept
 weight: 60
 ---
 
+<!-- TODO(KEP-4317): Document PodCertificateRequest -->
+
 <!-- overview -->
 
 Kubernetes certificate and trust bundle APIs enable automation of

content/en/docs/reference/access-authn-authz/node.md

@@ -69,7 +69,24 @@ the local `hostname` and the `--hostname-override` option.
 For specifics about how the kubelet determines the hostname, see the
 [kubelet options reference](/docs/reference/command-line-tools-reference/kubelet/).
 
-To enable the Node authorizer, start the apiserver with `--authorization-mode=Node`.
+To enable the Node authorizer, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}
+with the `--authorization-config` flag set to a file that includes the `Node` authorizer; for example:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AuthorizationConfiguration
+authorizers:
+  ...
+  - type: Node
+  ...
+```
+
+Or, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} with
+the `--authorization-mode` flag set to a comma-separated list that includes `Node`;
+for example:
+```shell
+kube-apiserver --authorization-mode=...,Node --other-options --more-options
+```
 
 To limit the API objects kubelets are able to write, enable the
 [NodeRestriction](/docs/reference/access-authn-authz/admission-controllers#noderestriction)

content/en/docs/reference/access-authn-authz/rbac.md

@@ -20,10 +20,22 @@ RBAC authorization uses the `rbac.authorization.k8s.io`
 decisions, allowing you to dynamically configure policies through the Kubernetes API.
 
 To enable RBAC, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}
-with the `--authorization-mode` flag set to a comma-separated list that includes `RBAC`;
+with the `--authorization-config` flag set to a file that includes the `RBAC` authorizer; for example:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AuthorizationConfiguration
+authorizers:
+  ...
+  - type: RBAC
+  ...
+```
+
+Or, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} with
+the `--authorization-mode` flag set to a comma-separated list that includes `RBAC`;
 for example:
 ```shell
-kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options
+kube-apiserver --authorization-mode=...,RBAC --other-options --more-options
 ```
 
 ## API objects {#api-overview}

content/en/docs/reference/command-line-tools-reference/feature-gates/cloud-dual-stack-node-ips.md

@@ -17,7 +17,9 @@ stages:
   - stage: stable
     defaultValue: true
     fromVersion: "1.30"
+    toVersion: "1.31"
 
+removed: true
 ---
 Enables dual-stack `kubelet --node-ip` with external cloud providers.
 See [Configure IPv4/IPv6 dual-stack](/docs/concepts/services-networking/dual-stack/#configure-ipv4-ipv6-dual-stack)

content/en/docs/reference/command-line-tools-reference/feature-gates/job-managed-by.md

@@ -10,5 +10,9 @@ stages:
   - stage: alpha
     defaultValue: false
     fromVersion: "1.30"
+    toVersion: "1.31"
+  - stage: beta
+    defaultValue: false
+    fromVersion: "1.32"
 ---
 Allows to delegate reconciliation of a Job object to an external controller.

content/en/docs/reference/command-line-tools-reference/feature-gates/kmsv2-kdf.md

@@ -12,7 +12,10 @@ stages:
     toVersion: "1.28"
   - stage: stable
     defaultValue: true
-    fromVersion: "1.29"  
+    fromVersion: "1.29"
+    toVersion: "1.31"
+
+removed: true
 ---
 Enables KMS v2 to generate single use data encryption keys.
 See [Using a KMS Provider for data encryption](/docs/tasks/administer-cluster/kms-provider) for more details.

content/en/docs/reference/command-line-tools-reference/feature-gates/kmsv2.md

@@ -16,6 +16,9 @@ stages:
     toVersion: "1.28" 
   - stage: stable
     defaultValue: true
-    fromVersion: "1.29"  
+    fromVersion: "1.29"
+    toVersion: "1.31"
+
+removed: true
 ---
 Enables KMS v2 API for encryption at rest. See [Using a KMS Provider for data encryption](/docs/tasks/administer-cluster/kms-provider) for more details.

content/en/docs/reference/command-line-tools-reference/feature-gates/legacy-service-account-token-clean-up.md

@@ -17,6 +17,9 @@ stages:
   - stage: stable
     defaultValue: true
     fromVersion: "1.30"
+    toVersion: "1.31"
+
+removed: true
 ---
 Enable cleaning up Secret-based
 [service account tokens](/docs/concepts/security/service-accounts/#get-a-token)

content/en/docs/reference/command-line-tools-reference/feature-gates/load-balancer-ip-mode.md

@@ -13,6 +13,10 @@ stages:
   - stage: beta
     defaultValue: true
     fromVersion: "1.30"
+    toVersion: "1.31"
+  - stage: stable
+    defaultValue: true
+    fromVersion: "1.32"
 ---
 Allows setting `ipMode` for Services where `type` is set to `LoadBalancer`.
 See [Specifying IPMode of load balancer status](/docs/concepts/services-networking/service/#load-balancer-ip-mode)

content/en/docs/reference/command-line-tools-reference/feature-gates/min-domains-in-pod-topology-spread.md

@@ -21,6 +21,9 @@ stages:
   - stage: stable
     defaultValue: true
     fromVersion: "1.30"
+    toVersion: "1.31"
+
+removed: true
 ---
 Enable `minDomains` in
 [Pod topology spread constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/).

content/en/docs/reference/command-line-tools-reference/feature-gates/new-volume-manager-reconstruction.md

@@ -17,6 +17,9 @@ stages:
   - stage: stable
     defaultValue: true
     fromVersion: "1.30"
+    toVersion: "1.31"
+
+removed: true
 ---
 Enables improved discovery of mounted volumes during kubelet
 startup. Since the associated code had been significantly refactored, Kubernetes versions 1.25 to 1.29

content/en/docs/reference/command-line-tools-reference/feature-gates/node-out-of-service-volume-detach.md

@@ -17,6 +17,9 @@ stages:
   - stage: stable
     defaultValue: true
     fromVersion: "1.28"  
+    toVersion: "1.31"
+
+removed: true
 ---
 When a Node is marked out-of-service using the
 `node.kubernetes.io/out-of-service` taint, Pods on the node will be forcefully deleted

content/en/docs/reference/command-line-tools-reference/feature-gates/retry-generate-name.md

@@ -9,6 +9,14 @@ stages:
   - stage: alpha
     defaultValue: false
     fromVersion: "1.30"
+    toVersion: "1.30"
+  - stage: beta
+    defaultValue: true
+    fromVersion: "1.31"
+    toVersion: "1.31"
+  - stage: stable
+    defaultValue: true
+    fromVersion: "1.32"
 ---
 Enables retrying of object creation when the
 {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}

content/en/docs/reference/command-line-tools-reference/feature-gates/server-side-apply.md

@@ -17,6 +17,9 @@ stages:
   - stage: stable
     defaultValue: true
     fromVersion: "1.22"  
+    toVersion: "1.31"
+
+removed: true
 ---
 Enables the [Sever Side Apply (SSA)](/docs/reference/using-api/server-side-apply/)
 feature on the API Server.

content/en/docs/reference/command-line-tools-reference/feature-gates/server-side-field-validation.md

@@ -17,6 +17,9 @@ stages:
   - stage: stable
     defaultValue: true
     fromVersion: "1.27"  
+    toVersion: "1.31"
+
+removed: true
 ---
 Enables server-side field validation. This means the validation
 of resource schema is performed at the API server side rather than the client side

content/en/docs/reference/command-line-tools-reference/feature-gates/stable-load-balancer-node-set.md

@@ -13,6 +13,9 @@ stages:
   - stage: stable
     defaultValue: true
     fromVersion: "1.30"
+    toVersion: "1.31"
+
+removed: true
 ---
 Enables less load balancer re-configurations by
 the service controller (KCCM) as an effect of changing node state.

content/en/docs/reference/command-line-tools-reference/feature-gates/structured-authorization-configuration.md

@@ -6,13 +6,17 @@ _build:
   render: false
 
 stages:
-  - stage: alpha 
+  - stage: alpha
     defaultValue: false
     fromVersion: "1.29"
     toVersion: "1.29"
-  - stage: beta 
+  - stage: beta
     defaultValue: true
     fromVersion: "1.30"
+    toVersion: "1.31"
+  - stage: stable
+    defaultValue: true
+    fromVersion: "1.32"
 ---
 Enable structured authorization configuration, so that cluster administrators
 can specify more than one [authorization webhook](/docs/reference/access-authn-authz/webhook/)

content/en/docs/reference/labels-annotations-taints/_index.md

@@ -1614,10 +1614,8 @@ Example: `node.kubernetes.io/out-of-service:NoExecute`
 Used on: Node
 
 A user can manually add the taint to a Node marking it out-of-service.
-If the `NodeOutOfServiceVolumeDetach`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-is enabled on `kube-controller-manager`, and a Node is marked out-of-service with this taint,
-the Pods on the node will be forcefully deleted if there are no matching tolerations on it and
+If a Node is marked out-of-service with this taint, the Pods on the node 
+will be forcefully deleted if there are no matching tolerations on it and
 volume detach operations for the Pods terminating on the node will happen immediately.
 This allows the Pods on the out-of-service node to recover quickly on a different node.
 

content/en/docs/reference/node/kernel-version-requirements.md

@@ -32,6 +32,8 @@ Code: https://github.com/kubernetes/kubernetes/blob/00236ae0d73d2455a2470469ed10
 - `net.ipv4.tcp_keepalive_intvl` (since Kubernetes 1.29, needs kernel 4.5+);
 - `net.ipv4.tcp_keepalive_probes` (since Kubernetes 1.29, needs kernel 4.5+);
 - `net.ipv4.tcp_syncookies` (namespaced since kernel 4.6+).
+- `net.ipv4.tcp_rmem` (since Kubernetes 1.32, needs kernel 4.15+).
+- `net.ipv4.tcp_wmem` (since Kubernetes 1.32, needs kernel 4.15+).
 - `net.ipv4.vs.conn_reuse_mode` (used in `ipvs` proxy mode, needs kernel 4.1+);
 
 ### kube proxy `nftables` proxy mode

content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md

@@ -156,7 +156,7 @@ List of feature gates:
 Feature | Default | Alpha | Beta | GA
 :-------|:--------|:------|:-----|:----
 `ControlPlaneKubeletLocalMode` | `false` | 1.31 | - | -
-`EtcdLearnerMode` | `true` | 1.27 | 1.29 | -
+`EtcdLearnerMode` | `true` | 1.27 | 1.29 | 1.32
 `PublicKeysECDSA` | `false` | 1.19 | - | -
 `WaitForAllControlPlaneComponents` | `false` | 1.30 | - | -
 {{< /table >}}

content/en/docs/setup/production-environment/_index.md

@@ -232,7 +232,7 @@ As someone setting up authentication and authorization on your production Kubern
 
 - *Set the authorization mode*: When the Kubernetes API server
   ([kube-apiserver](/docs/reference/command-line-tools-reference/kube-apiserver/))
-  starts, the supported authentication modes must be set using the *--authorization-mode*
+  starts, supported authorization modes must be set using an *--authorization-config* file or the *--authorization-mode*
   flag. For example, that flag in the *kube-adminserver.yaml* file (in */etc/kubernetes/manifests*)
   could be set to Node,RBAC. This would allow Node and RBAC authorization for authenticated requests.
 - *Create user certificates and role bindings (RBAC)*: If you are using RBAC

content/en/docs/tasks/administer-cluster/sysctl-cluster.md

@@ -81,6 +81,8 @@ The following sysctls are supported in the _safe_ set:
 - `net.ipv4.tcp_fin_timeout` (since Kubernetes 1.29, needs kernel 4.6+);
 - `net.ipv4.tcp_keepalive_intvl` (since Kubernetes 1.29, needs kernel 4.5+);
 - `net.ipv4.tcp_keepalive_probes` (since Kubernetes 1.29, needs kernel 4.5+).
+- `net.ipv4.tcp_rmem` (since Kubernetes 1.32, needs kernel 4.15+).
+- `net.ipv4.tcp_wmem` (since Kubernetes 1.32, needs kernel 4.15+).
 
 {{< note >}}
 There are some exceptions to the set of safe sysctls: