Merge pull request #2765 from sreeram-venkitesh/release-notes-draft-v1.33.0-rc.1

Release Notes draft for k/k v1.33.0-rc.1

Author: k8s-ci-robot

releases/release-1.33/release-notes/maps/pr-122550-map.yaml

@@ -0,0 +1,21 @@
+pr: 122550
+releasenote:
+  text: |-
+    When the `StrictIPCIDRValidation` feature gate is enabled, Kubernetes will be
+    slightly stricter about what values will be accepted as IP addresses and network
+    address ranges ("CIDR blocks").
+
+    In particular, octets within IPv4 addresses are not allowed to have any leading
+    `0`s, and IPv4-mapped IPv6 values (e.g. `::ffff:192.168.0.1`) are forbidden.
+    These sorts of values can potentially cause security problems when different
+    components interpret the same string as referring to different IP addresses
+    (as in CVE-2021-29923).
+
+    This tightening applies only to fields in build-in API kinds, and not to
+    custom resource kinds, values in Kubernetes configuration files, or
+    command-line arguments.
+
+    (When the feature gate is disabled, creating an object with such an invalid
+    IP or CIDR value will result in a warning from the API server about the fact
+    that it will be rejected in the future).
+pr_body: ""

releases/release-1.33/release-notes/maps/pr-122646-map.yaml

@@ -0,0 +1,5 @@
+pr: 122646
+releasenote:
+  text: 'kube-apiserver: shortening the grace period during a pod deletion no longer
+    moves the `metadata.deletionTimestamp` into the past.'
+pr_body: ""

releases/release-1.33/release-notes/maps/pr-124360-map.yaml

@@ -0,0 +1,8 @@
+pr: 124360
+releasenote:
+  text: "It introduces a new scope name `VolumeAttributesClass`. \n\nIt matches all
+    PVC objects that have the volume attributes class mentioned. \n\nIf you want to
+    limit the count of PVCs that have a specific volume attributes class. In that
+    case, you can create a quota object with the scope name `VolumeAttributesClass`
+    and a `matchExpressions` that match the volume attributes class."
+pr_body: ""

releases/release-1.33/release-notes/maps/pr-127053-map.yaml

@@ -0,0 +1,5 @@
+pr: 127053
+releasenote:
+  text: Respect the incoming trace context for authenticated requests to the kube-apiserver
+    for APIServer tracing.
+pr_body: ""

releases/release-1.33/release-notes/maps/pr-127092-map.yaml

@@ -0,0 +1,9 @@
+pr: 127092
+releasenote:
+  text: Automatically copy `topology.k8s.io/zone`, `topology.k8s.io/region` and `kubernetes.io/hostname`
+    labels from Node objects to Pods when they are scheduled to a node (via the `pods/binding`
+    endpoint) to allow applications that need to be explicitly aware of their assigned
+    node topology to access this information via the downward API, rather than requiring
+    permission to `get node` objects (exposing the entire API surface of the Node
+    object to otherwise unprivileged workloads).
+pr_body: ""

releases/release-1.33/release-notes/maps/pr-127577-map.yaml

@@ -0,0 +1,8 @@
+pr: 127577
+releasenote:
+  text: "`mergeDefaultEvictionSettings` indicates that defaults for the evictionHard,
+    evictionSoft, evictionSoftGracePeriod, and evictionMinimumReclaim fields should
+    be merged into values specified for those fields in this configuration. Signals
+    specified in this configuration take precedence. Signals not specified in this
+    configuration inherit their defaults."
+pr_body: ""

releases/release-1.33/release-notes/maps/pr-127696-map.yaml

@@ -0,0 +1,6 @@
+pr: 127696
+releasenote:
+  text: Implemented a warning message to inform users about the debug container's capabilities
+    granted by debugging profile may not work as expected if a non-root user is specified
+    in target Pod's `.Spec.SecurityContext.RunAsUser` field.
+pr_body: ""

releases/release-1.33/release-notes/maps/pr-128152-map.yaml

@@ -0,0 +1,7 @@
+pr: 128152
+releasenote:
+  text: |-
+    New configuration is introduced to the kubelet that allows it to track container images and the list of authentication information that lead to their successful pulls . This data is persisted across reboots of the host and restarts of the kubelet.
+
+    The kubelet ensures any image requiring credential verification is always pulled if authentication information from an image pull is not yet present, thus enforcing authentication / re-authentication. This means an image pull might be attempted even in cases where a pod requests the `IfNotPresent` image pull policy, and might lead to the pod not starting if its pull policy is `Never` and is unable to present authentication information that lead to a previous successful pull of the image it is requesting.
+pr_body: ""

releases/release-1.33/release-notes/maps/pr-128184-map.yaml

@@ -0,0 +1,9 @@
+pr: 128184
+releasenote:
+  text: The `StorageCapacityScoring` feature gate was added to score nodes by available
+    storage capacity. It's in alpha and disabled by default. The `VolumeCapacityPriority`
+    alpha feature was replaced with this, and the default behavior was changed. The
+    `VolumeCapacityPriority` preferred a node with the least allocatable, but the
+    `StorageCapacityScoring` preferred a node with the maximum allocatable. See [KEP-4049](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/4049-storage-capacity-scoring-of-nodes-for-dynamic-provisioning/README.md)
+    for details.
+pr_body: ""

releases/release-1.33/release-notes/maps/pr-128372-map.yaml

@@ -0,0 +1,10 @@
+pr: 128372
+releasenote:
+  text: Expanded the on-disk kubelet credential provider configuration to allow an
+    optional `tokenAttribute` field to be configured. When it is set, the Kubelet
+    will provision a token with the given audience bound to the current pod and its
+    service account. This KSA token along with required annotations on the KSA defined
+    in configuration will be sent to the credential provider plugin via its standard
+    input (along with the image information that is already sent today). The KSA annotations
+    to be sent are configurable in the kubelet credential provider configuration.
+pr_body: ""