Knative Serving release v0.25.2

🚨 Breaking or Notable

1. Fixes for K8s 1.22

Related issue: #11448

Our webhook parser no longer rejects unknown fields in an object's metadata. New fields were introduced in K8s 1.22 which caused Knative's webhook to reject certain operations.

2. Renaming of some net-kourier components

Related issue: knative/networking#448

As part of our efforts to GA/1.0 we've standardized on the naming of our networking plugins that are installed along side Serving. If you're managing your Knative deployment manually with kubectl this will require a two-phase upgrade process. In order to upgrade net-kourier to v0.25.0 using kubectl please follow the steps:

# Apply the new release
$ kubectl apply -f net-kourier.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f net-kourier.yaml \
  --prune -l networking.knative.dev/ingress-provider=kourier

3. Disabling namespace certificate provisioning legacy label

The namespace label networking.internal.knative.dev/disableWildcardCert has been deprecated since v0.15.0 release in favour of networking.knative.dev/disableWildcardCert. We have dropped support for this legacy label. (#11626, @nak3)

💫 New Features & Changes

• A feature flag is available to enable priorityClassName for Knative Services. See config-features for details. (#11746, @nealhu)
• Add memory metrics for HPA: hpa.autoscaling.knative.dev (#11668, @zhaojizhuang)
• Added app.kubernetes.io/name labels to resources. It will be replacing app labels in the future. (#11655, @upodroid)
• Containers[*].securityContext.runAsNonRoot can be set to true without a feature flag (#11606, @senthilnathan)
• Users can set spec.template.spec.automountServiceAccountToken to false in a PodSpec in order to opt-out of Kubenetes' default behaviour of mounting a ServiceAccount token in that Pod's containers. (#11723, @psschwei)
• Add v1beta1 version of DomainMapping crd (#11682, @julz)

🐞 Bug Fixes

• Set ENABLE_HTTP2_AUTO_DETECTION to false by default if the feature is not enabled. (#11760, @psschwei)

Dependencies

Added

• github.com/benbjohnson/clock: v1.1.0
• github.com/cncf/xds/go: fbca930
• github.com/kr/fs: v0.1.0
• github.com/pkg/sftp: v1.10.1
• go.etcd.io/etcd/api/v3: v3.5.0
• go.etcd.io/etcd/client/pkg/v3: v3.5.0
• go.etcd.io/etcd/client/v2: v2.305.0
• go.opentelemetry.io/proto/otlp: v0.7.0

Changed

• cloud.google.com/go: v0.83.0 → v0.84.0
• github.com/ahmetb/gen-crd-api-reference-docs: c1402a7 → 0067dc6
• github.com/bketelsen/crypt: 5cbc8cc → v0.0.4
• github.com/coreos/go-systemd/v22: v22.1.0 → v22.3.2
• github.com/envoyproxy/go-control-plane: 668b12f → 63b5d3c
• github.com/go-sql-driver/mysql: v1.5.0 → v1.4.0
• github.com/gobuffalo/flect: v0.2.2 → v0.2.3
• github.com/godbus/dbus/v5: v5.0.3 → v5.0.4
• github.com/google/go-containerregistry: f0ce227 → b448aba
• github.com/google/uuid: v1.2.0 → v1.3.0
• github.com/grpc-ecosystem/grpc-gateway: v1.14.8 → v1.16.0
• github.com/magiconair/properties: v1.8.1 → v1.8.5
• github.com/mitchellh/mapstructure: v1.1.2 → v1.4.1
• github.com/pelletier/go-toml: v1.8.1 → v1.9.3
• github.com/spf13/afero: v1.2.2 → v1.6.0
• github.com/spf13/cast: v1.3.0 → v1.3.1
• github.com/spf13/cobra: v1.1.3 → v1.2.1
• github.com/spf13/jwalterweatherman: v1.0.0 → v1.1.0
• github.com/spf13/viper: v1.7.0 → v1.8.1
• go.uber.org/atomic: v1.8.0 → v1.9.0
• go.uber.org/zap: v1.17.0 → v1.18.1
• golang.org/x/net: abc4532 → c6fcb2d
• golang.org/x/oauth2: f6687ab → a41e5a7
• golang.org/x/sys: 9665404 → 59db8d7
• golang.org/x/time: f8bda1e → 38a9dc6
• golang.org/x/tools: v0.1.2 → v0.1.5
• gonum.org/v1/netlib: 7672324 → 8cb4219
• google.golang.org/api: v0.47.0 → v0.50.0
• google.golang.org/genproto: f16073e → 8bfb893
• google.golang.org/grpc: v1.38.0 → v1.39.0
• google.golang.org/protobuf: v1.26.0 → v1.27.1
• gopkg.in/ini.v1: v1.51.0 → v1.62.0
• knative.dev/caching: 95f67e0 → 4e553d2
• knative.dev/networking: 53f45d6 → acdfd41
• knative.dev/pkg: dd0db4b → 21eb4c1

Removed

• contrib.go.opencensus.io/exporter/stackdriver: v0.13.5
• github.com/remyoudompheng/bigfft: 52369c6
• modernc.org/cc: v1.0.0
• modernc.org/golex: v1.0.0
• modernc.org/mathutil: v1.0.0
• modernc.org/strutil: v1.0.0
• modernc.org/xc: v1.0.0

Knative Serving release v0.24.2

Changes by Kind

🚨 Breaking or Notable

1. Renaming of some net-* components

Related issue: knative/networking#448

As part of our efforts to GA/1.0 we've standardized on the naming of our networking plugins that are installed along side Serving. If you're managing your Knative deployment manually with kubectl this will require a two-phase upgrade process. Please see the below sections:

Upgrade of net-http01 to v0.24.0

# Apply the new release
$ kubectl apply -f net-http01.yaml

# Once the deployment is ready delete the old resources
$ kubectl delete deployment http01-controller -n knative-serving
$ kubectl delete service challenger -n knative-serving

Upgrade of net-certmanager to v0.24.0

# Apply the new release
$ kubectl apply -f net-certmanager.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f net-certmanager.yaml \
  --prune -l networking.knative.dev/certificate-provider=cert-manager

Upgrade net-istio to v0.24.0

# Apply the new release
$ kubectl apply -f net-istio.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f net-istio.yaml \
  --prune -l networking.knative.dev/ingress-provider=istio

Upgrade of net-contour to v0.24.0

# Apply the new release
$ kubectl apply -f net-contour.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f net-contour.yaml -f contour.yaml \
  --prune -l networking.knative.dev/ingress-provider=contour

Upgrade of namespace certificate controller to v0.24.0

# Apply the new release
$ kubectl apply -f serving-nscert.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f serving-nscert.yaml \
  --prune -l networking.knative.dev/wildcard-certificate-provider=nscert

Upgrade of net-kourier to v0.24.0

At this point we've defered the renaming to net-kourier until the next release. We're looking to ensure there is no traffic disruption as part of the upgrade. Thus upgrading to v0.24.0 requires no special instructions.

2. Kubernetes 1.19 is now required

As part of our Kubernetes Minimum Version Principle we now have a hard requirement on Kubernetes Version 1.19.

3. Webhook/Controller RBAC changes

The recommended way to delete a Knative installation is to run kubectl delete -f serving-core.yaml and other release YAMLs you may have applied. There's been a misconception that deleting the knative-serving namespace will perform a similar cleanup but this does not remove cluster scoped resources. In prior releases the cluster state would have prevented the reinstall of Knative Serving. We've addressed this problem but it will require some RBAC permissions on namespaces & finalizers.

Please see the relevant issues & PRs:

• Original issue: knative/pkg#2044
• Workaround: (knative/pkg#2098, @novahe)
• knative-serving-core cluster role has requires permission for namespaces/finalizers. (#11517, @nak3)

4. DomainMapping feature is now BETA

This means it is built in to the main serving-core yaml by default. It is still possible to opt out of the feature by setting replica count of the domainmapping-controller to zero.

As part of this transition the default value for autocreateClusterDomainClaims in the config-network config map has been changed to false meaning cluster-wide permissions are required to delegate the ability to create particular DomainMappings to namespaces.Single tenant clusters may wish to allow arbitrary users to create Domain Mappings by changing this value back to true. (#11573, @julz)

💫 New Features & Changes

• Allow dropping capabilities from a container's security context (#11344, @psschwei)
• Domainmapping can now specify a tls secret to be used as the https certificate (#11250, @shinigambit)
• Provides a feature gate that, when enabled, allows adding capabilities from a container's security context (#11410, @psschwei)
• defaultExternalScheme can now be used to default routes to surface a URL scheme of your choice rather than the default "http". (#11480, @markusthoemmes)
• Optimized generated routes to minimize Envoy configuration size (net-istio#632, @howardjohn)
• Rename Contonr's ClusterRole and ClusterRoleBinding to differ from existing contour installation (net-contour#500, @izabelacg)
• Add a new ConfigMap config-kourier, with the initial enable-service-access-logging setting (net-kourier#523, @markusthoemmes)

🐞 Bug Fixes

• Fixed a bug where traffic would briefly be routed 'wrong', leading to errors due to exceeded queues in deployments with a large activator count and a low service pod count. (#11375, @markusthoemmes)
• Traffic status in Route is updated whenever traffic configuration was wrong. (#11477, @nak3)
• Validates, consistently with other configmaps, that the _example section of the features configmap is not accidentally modified. (#11391, @julz)

Dependencies Changes

Added

• bazil.org/fuse: 371fbbd
• cloud.google.com/go/firestore: v1.1.0
• github.com/Microsoft/hcsshim/test: 43a75bb
• github.com/Microsoft/hcsshim: v0.8.16
• github.com/Shopify/logrus-bugsnag: 577dee2
• github.com/alexflint/go-filemutex: 72bdc8e
• github.com/bitly/go-simplejson: v0.5.0
• github.com/bketelsen/crypt: 5cbc8cc
• github.com/bmizerany/assert: b7ed37b
• github.com/bshuster-repo/logrus-logstash-hook: v0.4.1
• github.com/buger/jsonparser: f4dd9f5
• github.com/bugsnag/bugsnag-go: b1d1530
• github.com/bugsnag/osext: 0dd3f91
• github.com/bugsnag/panicwrap: e2c2850
• github.com/checkpoint-restore/go-criu/v4: v4.1.0
• github.com/cilium/ebpf: v0.4.0
• github.com/containerd/aufs: v1.0.0
• github.com/containerd/btrfs: v1.0.0
• github.com/containerd/cgroups: v1.0.1
• github.com/containerd/console: v1.0.2
• github.com/containerd/continuity: v0.1.0
• github.com/containerd/fifo: v1.0.0
• github.com/containerd/go-cni: v1.0.2
• github.com/containerd/go-runc: v1.0.0
• github.com/containerd/imgcrypt: v1.1.1
• github.com/containerd/nri: v0.1.0
• github.com/containerd/ttrpc: v1.0.2
• github.com/containerd/typeurl: v1.0.2
• github.com/containerd/zfs: v1.0.0
• github.com/containernetworking/cni: v0.8.1
• github.com/containernetworking/plugins: v0.9.1
• github.com/containers/ocicrypt: v1.1.1
• github.com/coreos/go-iptables: v0.5.0
• github.com/coreos/go-systemd/v22: v22.1.0
• github.com/cyphar/filepath-securejoin: [v0.2.2](https://github.com/cyphar/filepath-secure...

Knative Serving release v1.0.1

🚨 Breaking or Notable

• The per-namespace wildcard certificate provisioner has been integrated into the base controllers
  and is now controlled by the namespace-wildcard-cert-selector field. This field allows you
  to use a Kubernetes LabelSelector to choose which namespaces should have certificates
  provisioned.

  To migrate existing usage of the serving-nscert controller, do the following:

  1. Set the namespace-wildcard-cert-selector to the value:

     matchExpressions:
      - key: "networking.knative.dev/disableWildcardCert"
        operator: "NotIn"
        values: ["true"]
     

  2. Remove the Deployment, Service and ClusterRole defined by the serving-nscert.yaml resources
     in the previous release. (#12174, @evankanderson)

💫 New Features & Changes

• Per-namespace wildcard certificate provisioning has been integrated into the main
  Knative controllers and is no longer a separate install. It is now controlled by a
  label selector on Kubernetes namespaces.
• A new experimental feature, "concurrencyStateEndpoint", allows a webhook to be informed when a container's concurrency goes to/from zero (#11802, #12162, #11917, @psschwei)
• When mesh compatibility mode is not set to "auto" in the networking config map,
  the activator will respect Kubernetes's readiness state and avoid probing when
  kubernetes readiness propagates more quickly than the activator's probe. (#12086, @julz)

🐞 Bug Fixes

• Fixes an issue where TLS certificates are requested before domain-ownership is established. (#12080, @mattmoor)

Dependencies

Added

Nothing has changed.

Changed

• cloud.google.com/go/storage: v1.10.0 → v1.18.2
• cloud.google.com/go: v0.84.0 → v0.97.0
• github.com/cncf/xds/go: fbca930 → aa0b789
• github.com/envoyproxy/go-control-plane: 63b5d3c → cf90f65
• github.com/golang/mock: v1.5.0 → v1.6.0
• github.com/google/pprof: 01bbb19 → 4bb14d4
• github.com/googleapis/gax-go/v2: v2.0.5 → v2.1.1
• github.com/prometheus/common: v0.30.0 → v0.31.1
• github.com/yuin/goldmark: v1.3.5 → v1.4.0
• go.uber.org/goleak: v1.1.10 → 6911603
• go.uber.org/zap: v1.19.0 → v1.19.1
• golang.org/x/net: e898025 → 4f30a5c
• golang.org/x/oauth2: 2bc19b1 → 6b3c2da
• golang.org/x/sys: 59db8d7 → d61c044
• golang.org/x/tools: v0.1.5 → v0.1.7
• google.golang.org/api: v0.50.0 → v0.58.0
• google.golang.org/genproto: 8bfb893 → 37fc393
• google.golang.org/grpc: v1.40.0 → v1.41.0
• k8s.io/gengo: de9496d → 39e73c8
• knative.dev/caching: 0184eb9 → f2af269
• knative.dev/hack: 815cd31 → b96d65a
• knative.dev/networking: 69ad454 → c3606d9
• knative.dev/pkg: 5ae4821 → 5d9d300
• sigs.k8s.io/yaml: v1.2.0 → v1.3.0

Removed

Nothing has changed.

Knative Serving release v1.0.0

🚨 Breaking or Notable

• The per-namespace wildcard certificate provisioner has been integrated into the base controllers
  and is now controlled by the namespace-wildcard-cert-selector field. This field allows you
  to use a Kubernetes LabelSelector to choose which namespaces should have certificates
  provisioned.

  To migrate existing usage of the serving-nscert controller, do the following:

  1. Set the namespace-wildcard-cert-selector to the value:

     matchExpressions:
      - key: "networking.knative.dev/disableWildcardCert"
        operator: "NotIn"
        values: ["true"]
     

  2. Remove the Deployment, Service and ClusterRole defined by the serving-nscert.yaml resources
     in the previous release. (#12174, @evankanderson)

💫 New Features & Changes

• Per-namespace wildcard certificate provisioning has been integrated into the main
  Knative controllers and is no longer a separate install. It is now controlled by a
  label selector on Kubernetes namespaces.
• A new experimental feature, "concurrencyStateEndpoint", allows a webhook to be informed when a container's concurrency goes to/from zero (#11802, #12162, #11917, @psschwei)
• When mesh compatibility mode is not set to "auto" in the networking config map,
  the activator will respect Kubernetes's readiness state and avoid probing when
  kubernetes readiness propagates more quickly than the activator's probe. (#12086, @julz)

🐞 Bug Fixes

• Fixes an issue where TLS certificates are requested before domain-ownership is established. (#12080, @mattmoor)

Dependencies

Added

Nothing has changed.

Changed

• cloud.google.com/go/storage: v1.10.0 → v1.18.2
• cloud.google.com/go: v0.84.0 → v0.97.0
• github.com/cncf/xds/go: fbca930 → aa0b789
• github.com/envoyproxy/go-control-plane: 63b5d3c → cf90f65
• github.com/golang/mock: v1.5.0 → v1.6.0
• github.com/google/pprof: 01bbb19 → 4bb14d4
• github.com/googleapis/gax-go/v2: v2.0.5 → v2.1.1
• github.com/prometheus/common: v0.30.0 → v0.31.1
• github.com/yuin/goldmark: v1.3.5 → v1.4.0
• go.uber.org/goleak: v1.1.10 → 6911603
• go.uber.org/zap: v1.19.0 → v1.19.1
• golang.org/x/net: e898025 → 4f30a5c
• golang.org/x/oauth2: 2bc19b1 → 6b3c2da
• golang.org/x/sys: 59db8d7 → d61c044
• golang.org/x/tools: v0.1.5 → v0.1.7
• google.golang.org/api: v0.50.0 → v0.58.0
• google.golang.org/genproto: 8bfb893 → 37fc393
• google.golang.org/grpc: v1.40.0 → v1.41.0
• k8s.io/gengo: de9496d → 39e73c8
• knative.dev/caching: 0184eb9 → f2af269
• knative.dev/hack: 815cd31 → b96d65a
• knative.dev/networking: 69ad454 → c3606d9
• knative.dev/pkg: 5ae4821 → 5d9d300
• sigs.k8s.io/yaml: v1.2.0 → v1.3.0

Removed

Nothing has changed.

Knative Serving release v0.23.3

🚨 Breaking or Notable

• Change the default post-install job to use sslip.io rather than xip.io. (#11298, @julz)

💫 New Features & Changes

• The stats scraping in the autoscaler is now sensitive to the EnableMeshPodAddressability setting. A restart of the autoscaler is required for the setting to take effect if changed. (#11161, @markusthoemmes)
• The state keeping in the activator is now sensitive to the EnableMeshPodAddressability setting. A restart of the activator is required for the setting to take effect if changed. (#11172, @markusthoemmes)
• Tightens the heuristic for mesh being abled in the service scraper. We now expect all errors to be related to mesh (i.e. 503 status code). This prevents accidentally falling in to service scrape mode when errors are encountered for other reasons. (#11174, @julz)

🐞 Bug Fixes

Uncategorized

• Added schemas to all CRDs. (#11244, @markusthoemmes)
• Changed the rollout behavior of application deployment changes (due to Knative upgrade for example) to never have less ready posd than required. (#11140, @markusthoemmes)
• Rate limits digest resolution (10 QPS, retry back-off 1s to 1000s) to prevent exceeding quota at remote registries (#11279, @julz)
• Revision replicas shut down 15s quicker. (#11249, @markusthoemmes)
• The activator's proxy is now sensitive to the EnableMeshPodAddressability setting. (#11162, @markusthoemmes)
• Update the User-Agent used during tag resolution (#10590, @jonjohnsonjr)

Dependencies

Added

• github.com/ahmetb/gen-crd-api-reference-docs: c1402a7

Changed

• contrib.go.opencensus.io/exporter/prometheus: 6bcf6f8 → v0.3.0
• github.com/containerd/stargz-snapshotter/estargz: a9a0c2d → v0.4.1
• github.com/envoyproxy/go-control-plane: fd9021f → 668b12f
• github.com/golang/protobuf: v1.4.3 → v1.5.2
• github.com/google/go-containerregistry/pkg/authn/k8schain: 5c4818d → 9cf3ed4
• github.com/google/go-containerregistry: 19c2b63 → v0.5.0
• github.com/prometheus/client_golang: v1.9.0 → v1.10.0
• github.com/prometheus/common: v0.19.0 → v0.20.0
• github.com/prometheus/procfs: v0.2.0 → v0.6.0
• github.com/prometheus/statsd_exporter: v0.15.0 → v0.20.0
• golang.org/x/crypto: eec23a3 → 4f45737
• golang.org/x/lint: 738671d → 83fdc39
• golang.org/x/net: 5f4716e → e915ea6
• golang.org/x/oauth2: f9ce19e → 5e61552
• golang.org/x/sync: 09787c9 → 036812b
• golang.org/x/sys: 22da62e → 4fbd30e
• golang.org/x/text: v0.3.5 → v0.3.6
• golang.org/x/time: 7e3f01d → f8bda1e
• google.golang.org/genproto: 8c77b98 → 9910b6c
• google.golang.org/grpc: v1.36.0 → v1.37.0
• google.golang.org/protobuf: v1.25.0 → v1.26.0
• knative.dev/caching: 5691bb3 → 9227826
• knative.dev/hack: b6ab329 → 93ad912
• knative.dev/networking: 999a770 → ace2d33
• knative.dev/pkg: 952fdd9 → 4564797

Removed

Nothing has changed.

Knative Serving release v0.26.0

Changelog since 0.25

🚨 Breaking or Notable

• Kubernetes 1.20 is now required

💫 New Features & Changes

• Allow users to set container[*].securityContext.runAsGroup (#12003, @dprotaso)

• A new setting, mesh-compatibility-mode, in the networking config map allows an administrator
  to explicitly tell Activator and Autoscaler to use Direct Pod IP (most efficient, but not compatible
  with mesh being enabled), Cluster IP (less efficient, but needed if mesh is enabled), or to
  Autodetect (the current behaviour, and the default, causes Activator and Autoscaler to first attempt
  Direct Pod IP communication, and then fall back to Cluster IP if it sees a mesh-related error status
  code). (#11999, @julz)

🐞 Bug Fixes

Uncategorized

• Adds more debug logs to background digest resolver (#11959, @julz)
• Dropped the startup probe on the queue-proxy which makes the pods start ~500ms quicker on average. (#11965, @markusthoemmes)
• Removes the ServiceName field from RevisionStatus which has been deprecated for several releases. This field was effectively equal to the revision name. (#11817, @julz)
• User-supplied readinessProbes with a probePeriod set greater than zero are no longer silently ignored after pod startup. (#11190, @julz)
• When enabled, queue proxy tracks the request count for each pod (disabled by default) (#11783, @psschwei)

Dependencies

Added

• github.com/moby/spdystream: v0.2.0
• k8s.io/controller-manager: v0.21.0

Changed

• contrib.go.opencensus.io/exporter/prometheus: v0.3.0 → v0.4.0
• github.com/NYTimes/gziphandler: 56545f4 → v1.1.1
• github.com/containerd/stargz-snapshotter/estargz: v0.6.4 → v0.7.0
• github.com/creack/pty: v1.1.9 → v1.1.11
• github.com/go-kit/kit: v0.10.0 → v0.9.0
• github.com/golang/groupcache: 8c9f03a → 41bb18b
• github.com/google/go-containerregistry/pkg/authn/k8schain: c086c7f → ce35c99
• github.com/google/go-containerregistry: b448aba → v0.6.0
• github.com/hashicorp/consul/api: v1.3.0 → v1.1.0
• github.com/hashicorp/consul/sdk: v0.3.0 → v0.1.1
• github.com/moby/term: 672ec06 → df9cb8a
• github.com/pierrec/lz4: v2.0.5+incompatible → 473cd7c
• github.com/prometheus/common: v0.26.0 → v0.30.0
• github.com/prometheus/statsd_exporter: v0.20.0 → v0.21.0
• github.com/streadway/amqp: edfb901 → 75d898a
• github.com/vdemeester/k8s-pkg-credentialprovider: v1.20.7 → v1.21.0-1
• go.uber.org/zap: v1.18.1 → v1.19.0
• golang.org/x/crypto: c07d793 → 32db794
• golang.org/x/net: c6fcb2d → e898025
• golang.org/x/oauth2: a41e5a7 → 2bc19b1
• golang.org/x/term: 2321bbc → 6a3ed07
• golang.org/x/time: 38a9dc6 → 1f47c86
• google.golang.org/grpc: v1.39.0 → v1.40.0
• gopkg.in/gcfg.v1: v1.2.3 → v1.2.0
• gopkg.in/warnings.v0: v0.1.2 → v0.1.1
• k8s.io/api: v0.20.7 → v0.21.4
• k8s.io/apiextensions-apiserver: v0.20.7 → v0.21.4
• k8s.io/apimachinery: v0.20.7 → v0.21.4
• k8s.io/apiserver: v0.20.7 → v0.21.4
• k8s.io/client-go: v0.20.7 → v0.21.4
• k8s.io/cloud-provider: v0.19.7 → v0.21.0
• k8s.io/code-generator: v0.20.7 → v0.21.4
• k8s.io/component-base: v0.20.7 → v0.21.4
• k8s.io/csi-translation-lib: v0.19.7 → v0.21.0
• k8s.io/klog/v2: v2.5.0 → v2.8.0
• k8s.io/kube-openapi: 8566a33 → 591a79e
• k8s.io/legacy-cloud-providers: v0.19.7 → v0.21.0
• knative.dev/caching: 4e553d2 → 0184eb9
• knative.dev/hack: e28525d → 815cd31
• knative.dev/networking: acdfd41 → 69ad454
• knative.dev/pkg: 21eb4c1 → 5ae4821
• sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.15 → v0.0.22
• sigs.k8s.io/structured-merge-diff/v4: v4.0.3 → v4.1.2

Removed

• github.com/Knetic/govaluate: 9aa4983
• github.com/VividCortex/gohistogram: v1.0.0
• github.com/afex/hystrix-go: fa1af6a
• github.com/apache/thrift: v0.13.0
• github.com/aryann/difflib: e206f87
• github.com/aws/aws-lambda-go: v1.13.3
• github.com/aws/aws-sdk-go-v2: v0.18.0
• github.com/casbin/casbin/v2: v2.1.2
• github.com/cenkalti/backoff: v2.2.1+incompatible
• github.com/clbanning/x2j: 8252494
• github.com/codahale/hdrhistogram: 3a0bb77
• github.com/edsrzf/mmap-go: v1.0.0
• github.com/franela/goblin: c9ffbef
• github.com/franela/goreq: bcd34c9
• github.com/go-sql-driver/mysql: v1.4.0
• github.com/hashicorp/go-version: v1.2.0
• github.com/hudl/fargo: v1.3.0
• github.com/influxdata/influxdb1-client: 8bf82d3
• github.com/lightstep/lightstep-tracer-common/golang/gogo: bc2310a
• github.com/lightstep/lightstep-tracer-go: v0.18.1
• github.com/nats-io/jwt: v0.3.2
• github.com/nats-io/nats-server/v2: v2.1.2
• github.com/nats-io/nats.go: v1.9.1
• github.com/nats-io/nkeys: v0.1.3
• github.com/nats-io/nuid: v1.0.1
• github.com/oklog/oklog: v0.3.2
• github.com/oklog/run: v1.0.0
• github.com/op/go-logging: 970db52
• github.com/opentracing-contrib/go-observer: a52f234
• github.com/opentracing/basictracer-go: v1.0.0
• github.com/opentracing/opentracing-go: v1.1.0
• github.com/openzipkin-contrib/zipkin-go-opentracing: v0.4.5
• github.com/pact-foundation/pact-go: v1.0.4
• github.com/pborman/uuid: v1.2.0
• github.com/performancecopilot/speed: v3.0.0+incompatible
• github.com/samuel/go-zookeeper: 2cc03de
• github.com/sony/gobreaker: v0.4.1
• github.com/streadway/handy: d5acb31
• go.uber.org/tools: 2cfd321
• sourcegraph.com/sourcegraph/appdash: ebfcffb

Knative Serving release v0.25.1

🚨 Breaking or Notable

1. Fixes for K8s 1.22

Related issue: #11448

Our webhook parser no longer rejects unknown fields in an object's metadata. New fields were introduced in K8s 1.22 which caused Knative's webhook to reject certain operations.

2. Renaming of some net-kourier components

Related issue: knative/networking#448

As part of our efforts to GA/1.0 we've standardized on the naming of our networking plugins that are installed along side Serving. If you're managing your Knative deployment manually with kubectl this will require a two-phase upgrade process. In order to upgrade net-kourier to v0.25.0 using kubectl please follow the steps:

# Apply the new release
$ kubectl apply -f net-kourier.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f net-kourier.yaml \
  --prune -l networking.knative.dev/ingress-provider=kourier

3. Disabling namespace certificate provisioning legacy label

The namespace label networking.internal.knative.dev/disableWildcardCert has been deprecated since v0.15.0 release in favour of networking.knative.dev/disableWildcardCert. We have dropped support for this legacy label. (#11626, @nak3)

💫 New Features & Changes

• A feature flag is available to enable priorityClassName for Knative Services. See config-features for details. (#11746, @nealhu)
• Add memory metrics for HPA: hpa.autoscaling.knative.dev (#11668, @zhaojizhuang)
• Added app.kubernetes.io/name labels to resources. It will be replacing app labels in the future. (#11655, @upodroid)
• Containers[*].securityContext.runAsNonRoot can be set to true without a feature flag (#11606, @senthilnathan)
• Users can set spec.template.spec.automountServiceAccountToken to false in a PodSpec in order to opt-out of Kubenetes' default behaviour of mounting a ServiceAccount token in that Pod's containers. (#11723, @psschwei)
• Add v1beta1 version of DomainMapping crd (#11682, @julz)

🐞 Bug Fixes

• Set ENABLE_HTTP2_AUTO_DETECTION to false by default if the feature is not enabled. (#11760, @psschwei)

Dependencies

Added

• github.com/benbjohnson/clock: v1.1.0
• github.com/cncf/xds/go: fbca930
• github.com/kr/fs: v0.1.0
• github.com/pkg/sftp: v1.10.1
• go.etcd.io/etcd/api/v3: v3.5.0
• go.etcd.io/etcd/client/pkg/v3: v3.5.0
• go.etcd.io/etcd/client/v2: v2.305.0
• go.opentelemetry.io/proto/otlp: v0.7.0

Changed

• cloud.google.com/go: v0.83.0 → v0.84.0
• github.com/ahmetb/gen-crd-api-reference-docs: c1402a7 → 0067dc6
• github.com/bketelsen/crypt: 5cbc8cc → v0.0.4
• github.com/coreos/go-systemd/v22: v22.1.0 → v22.3.2
• github.com/envoyproxy/go-control-plane: 668b12f → 63b5d3c
• github.com/go-sql-driver/mysql: v1.5.0 → v1.4.0
• github.com/gobuffalo/flect: v0.2.2 → v0.2.3
• github.com/godbus/dbus/v5: v5.0.3 → v5.0.4
• github.com/google/go-containerregistry: f0ce227 → b448aba
• github.com/google/uuid: v1.2.0 → v1.3.0
• github.com/grpc-ecosystem/grpc-gateway: v1.14.8 → v1.16.0
• github.com/magiconair/properties: v1.8.1 → v1.8.5
• github.com/mitchellh/mapstructure: v1.1.2 → v1.4.1
• github.com/pelletier/go-toml: v1.8.1 → v1.9.3
• github.com/spf13/afero: v1.2.2 → v1.6.0
• github.com/spf13/cast: v1.3.0 → v1.3.1
• github.com/spf13/cobra: v1.1.3 → v1.2.1
• github.com/spf13/jwalterweatherman: v1.0.0 → v1.1.0
• github.com/spf13/viper: v1.7.0 → v1.8.1
• go.uber.org/atomic: v1.8.0 → v1.9.0
• go.uber.org/zap: v1.17.0 → v1.18.1
• golang.org/x/net: abc4532 → c6fcb2d
• golang.org/x/oauth2: f6687ab → a41e5a7
• golang.org/x/sys: 9665404 → 59db8d7
• golang.org/x/time: f8bda1e → 38a9dc6
• golang.org/x/tools: v0.1.2 → v0.1.5
• gonum.org/v1/netlib: 7672324 → 8cb4219
• google.golang.org/api: v0.47.0 → v0.50.0
• google.golang.org/genproto: f16073e → 8bfb893
• google.golang.org/grpc: v1.38.0 → v1.39.0
• google.golang.org/protobuf: v1.26.0 → v1.27.1
• gopkg.in/ini.v1: v1.51.0 → v1.62.0
• knative.dev/caching: 95f67e0 → 4e553d2
• knative.dev/networking: 53f45d6 → acdfd41
• knative.dev/pkg: dd0db4b → 21eb4c1

Removed

• contrib.go.opencensus.io/exporter/stackdriver: v0.13.5
• github.com/remyoudompheng/bigfft: 52369c6
• modernc.org/cc: v1.0.0
• modernc.org/golex: v1.0.0
• modernc.org/mathutil: v1.0.0
• modernc.org/strutil: v1.0.0
• modernc.org/xc: v1.0.0

Knative Serving release v0.24.1

Changes by Kind

🚨 Breaking or Notable

1. Renaming of some net-* components

Related issue: knative/networking#448

As part of our efforts to GA/1.0 we've standardized on the naming of our networking plugins that are installed along side Serving. If you're managing your Knative deployment manually with kubectl this will require a two-phase upgrade process. Please see the below sections:

Upgrade of net-http01 to v0.24.0

# Apply the new release
$ kubectl apply -f net-http01.yaml

# Once the deployment is ready delete the old resources
$ kubectl delete deployment http01-controller -n knative-serving
$ kubectl delete service challenger -n knative-serving

Upgrade of net-certmanager to v0.24.0

# Apply the new release
$ kubectl apply -f net-certmanager.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f net-certmanager.yaml \
  --prune -l networking.knative.dev/certificate-provider=cert-manager

Upgrade net-istio to v0.24.0

# Apply the new release
$ kubectl apply -f net-istio.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f net-istio.yaml \
  --prune -l networking.knative.dev/ingress-provider=istio

Upgrade of net-contour to v0.24.0

# Apply the new release
$ kubectl apply -f net-contour.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f net-contour.yaml -f contour.yaml \
  --prune -l networking.knative.dev/ingress-provider=contour

Upgrade of namespace certificate controller to v0.24.0

# Apply the new release
$ kubectl apply -f serving-nscert.yaml

# Once the deployment is ready apply the same file but 
# prune the old resources
$ kubectl apply -f serving-nscert.yaml \
  --prune -l networking.knative.dev/wildcard-certificate-provider=nscert

Upgrade of net-kourier to v0.24.0

At this point we've defered the renaming to net-kourier until the next release. We're looking to ensure there is no traffic disruption as part of the upgrade. Thus upgrading to v0.24.0 requires no special instructions.

2. Kubernetes 1.19 is now required

As part of our Kubernetes Minimum Version Principle we now have a hard requirement on Kubernetes Version 1.19.

3. Webhook/Controller RBAC changes

The recommended way to delete a Knative installation is to run kubectl delete -f serving-core.yaml and other release YAMLs you may have applied. There's been a misconception that deleting the knative-serving namespace will perform a similar cleanup but this does not remove cluster scoped resources. In prior releases the cluster state would have prevented the reinstall of Knative Serving. We've addressed this problem but it will require some RBAC permissions on namespaces & finalizers.

Please see the relevant issues & PRs:

• Original issue: knative/pkg#2044
• Workaround: (knative/pkg#2098, @novahe)
• knative-serving-core cluster role has requires permission for namespaces/finalizers. (#11517, @nak3)

4. DomainMapping feature is now BETA

This means it is built in to the main serving-core yaml by default. It is still possible to opt out of the feature by setting replica count of the domainmapping-controller to zero.

As part of this transition the default value for autocreateClusterDomainClaims in the config-network config map has been changed to false meaning cluster-wide permissions are required to delegate the ability to create particular DomainMappings to namespaces.Single tenant clusters may wish to allow arbitrary users to create Domain Mappings by changing this value back to true. (#11573, @julz)

💫 New Features & Changes

• Allow dropping capabilities from a container's security context (#11344, @psschwei)
• Domainmapping can now specify a tls secret to be used as the https certificate (#11250, @shinigambit)
• Provides a feature gate that, when enabled, allows adding capabilities from a container's security context (#11410, @psschwei)
• defaultExternalScheme can now be used to default routes to surface a URL scheme of your choice rather than the default "http". (#11480, @markusthoemmes)
• Optimized generated routes to minimize Envoy configuration size (net-istio#632, @howardjohn)
• Rename Contonr's ClusterRole and ClusterRoleBinding to differ from existing contour installation (net-contour#500, @izabelacg)
• Add a new ConfigMap config-kourier, with the initial enable-service-access-logging setting (net-kourier#523, @markusthoemmes)

🐞 Bug Fixes

• Fixed a bug where traffic would briefly be routed 'wrong', leading to errors due to exceeded queues in deployments with a large activator count and a low service pod count. (#11375, @markusthoemmes)
• Traffic status in Route is updated whenever traffic configuration was wrong. (#11477, @nak3)
• Validates, consistently with other configmaps, that the _example section of the features configmap is not accidentally modified. (#11391, @julz)

Dependencies Changes

Added

• bazil.org/fuse: 371fbbd
• cloud.google.com/go/firestore: v1.1.0
• github.com/Microsoft/hcsshim/test: 43a75bb
• github.com/Microsoft/hcsshim: v0.8.16
• github.com/Shopify/logrus-bugsnag: 577dee2
• github.com/alexflint/go-filemutex: 72bdc8e
• github.com/bitly/go-simplejson: v0.5.0
• github.com/bketelsen/crypt: 5cbc8cc
• github.com/bmizerany/assert: b7ed37b
• github.com/bshuster-repo/logrus-logstash-hook: v0.4.1
• github.com/buger/jsonparser: f4dd9f5
• github.com/bugsnag/bugsnag-go: b1d1530
• github.com/bugsnag/osext: 0dd3f91
• github.com/bugsnag/panicwrap: e2c2850
• github.com/checkpoint-restore/go-criu/v4: v4.1.0
• github.com/cilium/ebpf: v0.4.0
• github.com/containerd/aufs: v1.0.0
• github.com/containerd/btrfs: v1.0.0
• github.com/containerd/cgroups: v1.0.1
• github.com/containerd/console: v1.0.2
• github.com/containerd/continuity: v0.1.0
• github.com/containerd/fifo: v1.0.0
• github.com/containerd/go-cni: v1.0.2
• github.com/containerd/go-runc: v1.0.0
• github.com/containerd/imgcrypt: v1.1.1
• github.com/containerd/nri: v0.1.0
• github.com/containerd/ttrpc: v1.0.2
• github.com/containerd/typeurl: v1.0.2
• github.com/containerd/zfs: v1.0.0
• github.com/containernetworking/cni: v0.8.1
• github.com/containernetworking/plugins: v0.9.1
• github.com/containers/ocicrypt: v1.1.1
• github.com/coreos/go-iptables: v0.5.0
• github.com/coreos/go-systemd/v22: [v22....

Knative Serving release v0.23.2

🚨 Breaking or Notable

• Change the default post-install job to use sslip.io rather than xip.io. (#11298, @julz)

💫 New Features & Changes

• The stats scraping in the autoscaler is now sensitive to the EnableMeshPodAddressability setting. A restart of the autoscaler is required for the setting to take effect if changed. (#11161, @markusthoemmes)
• The state keeping in the activator is now sensitive to the EnableMeshPodAddressability setting. A restart of the activator is required for the setting to take effect if changed. (#11172, @markusthoemmes)
• Tightens the heuristic for mesh being abled in the service scraper. We now expect all errors to be related to mesh (i.e. 503 status code). This prevents accidentally falling in to service scrape mode when errors are encountered for other reasons. (#11174, @julz)

🐞 Bug Fixes

Uncategorized

• Added schemas to all CRDs. (#11244, @markusthoemmes)
• Changed the rollout behavior of application deployment changes (due to Knative upgrade for example) to never have less ready posd than required. (#11140, @markusthoemmes)
• Rate limits digest resolution (10 QPS, retry back-off 1s to 1000s) to prevent exceeding quota at remote registries (#11279, @julz)
• Revision replicas shut down 15s quicker. (#11249, @markusthoemmes)
• The activator's proxy is now sensitive to the EnableMeshPodAddressability setting. (#11162, @markusthoemmes)
• Update the User-Agent used during tag resolution (#10590, @jonjohnsonjr)

Dependencies

Added

• github.com/ahmetb/gen-crd-api-reference-docs: c1402a7

Changed

• contrib.go.opencensus.io/exporter/prometheus: 6bcf6f8 → v0.3.0
• github.com/containerd/stargz-snapshotter/estargz: a9a0c2d → v0.4.1
• github.com/envoyproxy/go-control-plane: fd9021f → 668b12f
• github.com/golang/protobuf: v1.4.3 → v1.5.2
• github.com/google/go-containerregistry/pkg/authn/k8schain: 5c4818d → 9cf3ed4
• github.com/google/go-containerregistry: 19c2b63 → v0.5.0
• github.com/prometheus/client_golang: v1.9.0 → v1.10.0
• github.com/prometheus/common: v0.19.0 → v0.20.0
• github.com/prometheus/procfs: v0.2.0 → v0.6.0
• github.com/prometheus/statsd_exporter: v0.15.0 → v0.20.0
• golang.org/x/crypto: eec23a3 → 4f45737
• golang.org/x/lint: 738671d → 83fdc39
• golang.org/x/net: 5f4716e → e915ea6
• golang.org/x/oauth2: f9ce19e → 5e61552
• golang.org/x/sync: 09787c9 → 036812b
• golang.org/x/sys: 22da62e → 4fbd30e
• golang.org/x/text: v0.3.5 → v0.3.6
• golang.org/x/time: 7e3f01d → f8bda1e
• google.golang.org/genproto: 8c77b98 → 9910b6c
• google.golang.org/grpc: v1.36.0 → v1.37.0
• google.golang.org/protobuf: v1.25.0 → v1.26.0
• knative.dev/caching: 5691bb3 → 9227826
• knative.dev/hack: b6ab329 → 93ad912
• knative.dev/networking: 999a770 → ace2d33
• knative.dev/pkg: 952fdd9 → 4564797

Removed

Nothing has changed.

Knative Serving release v0.22.3

🚨 Breaking or Notable

1. Fixes for K8s 1.22

Related issue: #11448

Our webhook parser no longer rejects unknown fields in an object's metadata. New fields were introduced in K8s 1.22 which caused Knative's webhook to reject certain operations.

💫 New Features & Changes

• Added an autoscaling annotation to choose a different aggregation algorithm for the autoscaling metrics. This is experimental currently. (#10840, @vagababov)
• Added autocreateClusterDomainClaims flag to network config map. (networking#330, @julz)

🐞 Bug Fixes

• Adds validation that a default max-scale is set if a max-scale-limit is specified in the autoscaler configmap (since otherwise the default max-scale, i.e. 0 = no max, would fail validation as it is above the max-scale-limit). (#10921, @julz)
• Bumped the resource request and limits of the autoscaler to 100m/100Mi, 1000m/1000Mi respectively. (#10865, @markusthoemmes)
• Fixed a regression where the pod bringup time might have a latency of 10s or more even though the container should be up quickly. (#10992, @markusthoemmes)
• Reduced the necessary memory allocations in the activator significantly, especially with disabled tracing. (#11016, #11013, #11009, #11008, @markusthoemmes)
• Fix the incorrect Gateway name format for DomainMapping auto TLS feature for net-istio implmenetation. (net-istio#532, @ZhiminXiang)

Dependencies

Added

Nothing has changed.

Changed

• github.com/google/go-cmp: v0.5.4 → v0.5.5
• github.com/prometheus/common: v0.15.0 → v0.19.0
• go.opencensus.io: v0.22.6 → v0.23.0
• google.golang.org/grpc: v1.35.0 → v1.36.0
• knative.dev/caching: 1212288 → 5691bb3
• knative.dev/hack: 8368e1f → b6ab329
• knative.dev/networking: 088986a → 999a770
• knative.dev/pkg: 84c98f3 → 952fdd9

Removed

Nothing has changed.