Merge pull request #44997 from drewhagen/merged-main-dev-1.30

Merge main branch into dev-1.30

Author: k8s-ci-robot

content/en/docs/concepts/security/rbac-good-practices.md

@@ -56,7 +56,7 @@ In cases where a workload requires powerful permissions, consider the following
   [Taints and Toleration](/docs/concepts/scheduling-eviction/taint-and-toleration/),
   [NodeAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity), or
   [PodAntiAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity)
-  to ensure pods don't run alongside untrusted or less-trusted Pods. Pay especial attention to
+  to ensure pods don't run alongside untrusted or less-trusted Pods. Pay special attention to
   situations where less-trustworthy Pods are not meeting the **Restricted** Pod Security Standard.
 
 ### Hardening
@@ -130,8 +130,8 @@ reading data from other containers, and abusing the credentials of system servic
 
 You should only allow access to create PersistentVolume objects for:
 
-- users (cluster operators) that need this access for their work, and who you trust,
-- the Kubernetes control plane components which creates PersistentVolumes based on PersistentVolumeClaims
+- Users (cluster operators) that need this access for their work, and who you trust.
+- The Kubernetes control plane components which creates PersistentVolumes based on PersistentVolumeClaims
   that are configured for automatic provisioning.
   This is usually setup by the Kubernetes provider or by the operator when installing a CSI driver.
 

content/en/docs/concepts/services-networking/dns-pod-service.md

@@ -213,7 +213,7 @@ When you set `setHostnameAsFQDN: true` in the Pod spec, the kubelet writes the P
 {{< note >}}
 In Linux, the hostname field of the kernel (the `nodename` field of `struct utsname`) is limited to 64 characters.
 
-If a Pod enables this feature and its FQDN is longer than 64 character, it will fail to start. The Pod will remain in `Pending` status (`ContainerCreating` as seen by `kubectl`) generating error events, such as Failed to construct FQDN from Pod hostname and cluster domain, FQDN `long-FQDN` is too long (64 characters is the max, 70 characters requested). One way of improving user experience for this scenario is to create an [admission webhook controller](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) to control FQDN size when users create top level objects, for example, Deployment.
+If a Pod enables this feature and its FQDN is longer than 64 character, it will fail to start. The Pod will remain in `Pending` status (`ContainerCreating` as seen by `kubectl`) generating error events, such as Failed to construct FQDN from Pod hostname and cluster domain, FQDN `long-FQDN` is too long (64 characters is the max, 70 characters requested). One way of improving user experience for this scenario is to create an [admission webhook controller](/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks) to control FQDN size when users create top level objects, for example, Deployment.
 {{< /note >}}
 
 ### Pod's DNS Policy

content/en/docs/contribute/new-content/blogs-case-studies.md

@@ -124,6 +124,10 @@ Submissions need to be in Markdown format to be used by the [Hugo](https://gohug
 for the blog. There are [many resources available](https://gohugo.io/documentation/) on how to use
 this technology stack.
 
+For illustrations, diagrams or charts, the [figure shortcode](https://gohugo.io/content-management/shortcodes/#figure)
+can be used. For other images, we strongly encourage use of alt attributes; if an image doesn't
+need any alt attrribute, maybe it's not needed in the article at all.
+
 We recognize that this requirement makes the process more difficult for less-familiar folks to
 submit, and we're constantly looking at solutions to lower this bar. If you have ideas on how to
 lower the barrier, please volunteer to help out. 

content/en/docs/reference/command-line-tools-reference/feature-gates/default-host-network-ports-in-pod-templates.md

@@ -10,9 +10,12 @@ stages:
     defaultValue: false
     fromVersion: "1.28"  
 ---
-Changes when the default value of
-`PodSpec.containers[*].ports[*].hostPort`
-is assigned. The default is to only set a default value in Pods.
+This feature gate controls the point at which a default value for
+`.spec.containers[*].ports[*].hostPort`
+is assigned, for Pods using `hostNetwork: true`. The default since Kubernetes v1.28 is to only set a default
+value in Pods.
 
-Enabling this means a default will be assigned even to embedded
-PodSpecs (e.g. in a Deployment), which is the historical default.
+Enabling this means a default will be assigned even to the `.spec` of an embedded
+[PodTemplate](/docs/concepts/workloads/pods/#pod-templates) (for example, in a Deployment),
+which is the way that older releases of Kubernetes worked.
+You should migrate your code so that it does not rely on the legacy behavior.

content/en/docs/reference/using-api/cel.md

@@ -65,27 +65,21 @@ Example CEL expressions:
 
 CEL is configured with the following options, libraries and language features, introduced at the specified Kubernetes versions:
 
-| CEL option, library or language feature             | Included                                                                                                        | Availablity                |
-| --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------------------- |
-| [Standard macros](stdmacros)                        | `has`, `all`, `exists`, `exists_one`, `map`, `filter`                                                           | All Kubernetes versions    |
-| [Standard functions](stdlib)                        | See [official list of standard definitions](stdlib)                                                             | All Kubernetes versions    |
-| [Homogeneous Aggregate Literals](opt1)              |                                                                                                                 | All Kubernetes versions    |
-| [Default UTC Time Zone](opt2)                       |                                                                                                                 | All Kubernetes versions    |
-| [Eagerly Validate Declarations](opt3)               |                                                                                                                 | All Kubernetes versions    |
-| [extended strings library](stringsgodoc), Version 1 | `charAt`, `indexOf`, `lastIndexOf`, `lowerAscii`, `upperAscii`, `replace`, `split`, `join`, `substring`, `trim` | All Kubernetes versions    |
-| Kubernetes list library                             | See [Kubernetes list library](#kubernetes-list-library)                                                         | All Kubernetes versions    |
-| Kubernetes regex library                            | See [Kubernetes regex library](#kubernetes-regex-library)                                                       | All Kubernetes versions    |
-| Kubernetes URL library                              | See [Kubernetes URL library](#kubernetes-url-library)                                                           | All Kubernetes versions    |
-| Kubernetes authorizer library                       | See [Kubernetes authorizer library](#kubernetes-authorizer-library)                                             | All Kubernetes versions    |
-
-[stdmacros]: https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros
-[stdlib]: https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions
-[stringsgodoc]: https://pkg.go.dev/github.com/google/cel-go/ext#Strings
-[opt1]: https://pkg.go.dev/github.com/google/[email protected]/cel#HomogeneousAggregateLiterals
-[opt2]: https://pkg.go.dev/github.com/google/[email protected]/cel#DefaultUTCTimeZone
-[opt3]: https://pkg.go.dev/github.com/google/[email protected]/cel#EagerlyValidateDeclarations
-[opt4]: https://pkg.go.dev/github.com/google/[email protected]/cel#OptionalTypes
-[opt5]: https://pkg.go.dev/github.com/google/[email protected]/cel#CrossTypeNumericComparisons
+| CEL option, library or language feature                                                                                | Included                                                                                                                                  | Availablity               |
+|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
+| [Standard macros](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros)                                | `has`, `all`, `exists`, `exists_one`, `map`, `filter`                                                                                     | All Kubernetes versions   |
+| [Standard functions](https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions)       | See [official list of standard definitions](https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions)   | All Kubernetes versions   |
+| [Homogeneous Aggregate Literals](https://pkg.go.dev/github.com/google/[email protected]/cel#HomogeneousAggregateLiterals) |                                                                                                                                           | All Kubernetes versions   |
+| [Default UTC Time Zone](https://pkg.go.dev/github.com/google/[email protected]/cel#DefaultUTCTimeZone)                    |                                                                                                                                           | All Kubernetes versions   |
+| [Eagerly Validate Declarations](https://pkg.go.dev/github.com/google/[email protected]/cel#EagerlyValidateDeclarations)   |                                                                                                                                           | All Kubernetes versions   |
+| [extended strings library](https://pkg.go.dev/github.com/google/cel-go/ext#Strings), Version 1                         | `charAt`, `indexOf`, `lastIndexOf`, `lowerAscii`, `upperAscii`, `replace`, `split`, `join`, `substring`, `trim`                           | All Kubernetes versions   |
+| Kubernetes list library                                                                                                | See [Kubernetes list library](#kubernetes-list-library)                                                                                   | All Kubernetes versions   |
+| Kubernetes regex library                                                                                               | See [Kubernetes regex library](#kubernetes-regex-library)                                                                                 | All Kubernetes versions   |
+| Kubernetes URL library                                                                                                 | See [Kubernetes URL library](#kubernetes-url-library)                                                                                     | All Kubernetes versions   |
+| Kubernetes authorizer library                                                                                          | See [Kubernetes authorizer library](#kubernetes-authorizer-library)                                                                       | All Kubernetes versions   |
+| Kubernetes quantity library                                                                                            | See [Kubernetes quantity library](#kubernetes-quantity-library)                                                                           | Kubernetes versions 1.29+ |
+| CEL optional types                                                                                                     | See [CEL optional types](https://pkg.go.dev/github.com/google/[email protected]/cel#OptionalTypes)                                           | Kubernetes versions 1.29+ |
+| CEL CrossTypeNumericComparisons                                                                                        | See [CEL CrossTypeNumericComparisons](https://pkg.go.dev/github.com/google/[email protected]/cel#CrossTypeNumericComparisons)                | Kubernetes versions 1.29+ |
 
 CEL functions, features and language settings support Kubernetes control plane
 rollbacks. For example, _CEL Optional Values_ was introduced at Kubernetes 1.29
@@ -207,6 +201,50 @@ To perform an authorization check for a service account:
 See the [Kubernetes Authz library](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz)
 godoc for more information.
 
+### Kubernetes quantity library
+
+Kubernetes 1.28 adds support for manipulating quantity strings (ex 1.5G, 512k, 20Mi)
+
+- `isQuantity(string)` checks if a string is a valid Quantity according to [Kubernetes'
+  resource.Quantity](https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#Quantity). 
+- `quantity(string) Quantity` converts a string to a Quantity or results in an error if the
+  string is not a valid quantity.
+
+Once parsed via the `quantity` function, the resulting Quantity object has the 
+following library of member functions:
+
+{{< table caption="Available member functions of a Quantity" >}}
+| Member Function               | CEL Return Value  | Description                                                                                                                                                          |
+|-------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `isInteger()`                 | bool              | returns true if and only if asInteger is safe to call without an error                                                                                               |
+| `asInteger()`                 | int               | returns a representation of the current value as an int64 if possible or results in an error if conversion would result in overflow or loss of precision.             |
+| `asApproximateFloat()`        | float              | returns a float64 representation of the quantity which may lose precision. If the value of the quantity is outside the range of a float64 +Inf/-Inf will be returned.  |
+| `sign()`                      | int               | Returns `1` if the quantity is positive, `-1` if it is negative. `0` if it is zero                                                                                   |
+| `add(<Quantity>)`             | Quantity          | Returns sum of two quantities                                                                                                                                        |
+| `add(<int>)`                  | Quantity          | Returns sum of quantity and an integer                                                                                                                               | 
+| `sub(<Quantity>)`             | Quantity          | Returns difference between two quantities                                                                                                                            |
+| `sub(<int>)`                  | Quantity          | Returns difference between a quantity and an integer                                                                                                                 |
+| `isLessThan(<Quantity>)`      | bool              | Returns true if and only if the receiver is less than the operand                                                                                                    |
+| `isGreaterThan(<Quantity>)`   | bool              | Returns true if and only if the receiver is greater than the operand                                                                                                 |
+| `compareTo(<Quantity>)`       | int               | Compares receiver to operand and returns 0 if they are equal, 1 if the receiver is greater, or -1 if the receiver is less than the operand                           |
+{{< /table >}}
+
+Examples:
+
+{{< table caption="Examples of CEL expressions using URL library functions" >}}
+| CEL Expression                                                            | Purpose                                               |
+|---------------------------------------------------------------------------|-------------------------------------------------------|
+| `quantity("500000G").isInteger()`                                         | Test if conversion to integer would throw an error    |
+| `quantity("50k").asInteger()`                                             | Precise conversion to integer                         |
+| `quantity("9999999999999999999999999999999999999G").asApproximateFloat()` | Lossy conversion to float                              |
+| `quantity("50k").add("20k")`                                              | Add two quantities                                    |
+| `quantity("50k").sub(20000)`                                              | Subtract an integer from a quantity                   |
+| `quantity("50k").add(20).sub(quantity("100k")).sub(-50000)`               | Chain adding and subtracting integers and quantities  |
+| `quantity("200M").compareTo(quantity("0.2G"))`                            | Compare two quantities                                |
+| `quantity("150Mi").isGreaterThan(quantity("100Mi"))`                      | Test if a quantity is greater than the receiver       |
+| `quantity("50M").isLessThan(quantity("100M"))`                            | Test if a quantity is less than the receiver          |
+{{< /table >}}
+
 ## Type checking
 
 CEL is a [gradually typed language](https://github.com/google/cel-spec/blob/master/doc/langdef.md#gradual-type-checking).

content/en/docs/tasks/manage-gpus/scheduling-gpus.md

@@ -95,12 +95,13 @@ You also need a plugin for NFD that adds appropriate labels to your nodes; these
 labels or they could be vendor specific. Your GPU vendor may provide a third party
 plugin for NFD; check their documentation for more details.
 
-{{< highlight yaml "linenos=false,hl_lines=6-18" >}}
+{{< highlight yaml "linenos=false,hl_lines=7-18" >}}
 apiVersion: v1
 kind: Pod
 metadata:
   name: example-vector-add
 spec:
+  restartPolicy: OnFailure
   # You can use Kubernetes node affinity to schedule this Pod onto a node
   # that provides the kind of GPU that its container needs in order to work
   affinity:
@@ -113,7 +114,6 @@ spec:
             values: ["40535"]
           - key: "feature.node.kubernetes.io/pci-10.present" # NFD Feature label
             values: ["true"] # (optional) only schedule on nodes with PCI device 10
-  restartPolicy: OnFailure
   containers:
     - name: example-vector-add
       image: "registry.example/example-vector-add:v42"

content/ja/docs/concepts/services-networking/ingress-controllers.md

@@ -47,7 +47,7 @@ Ingressリソースが動作するためには、クラスターでIngressコン
 * [Skipper](https://opensource.zalando.com/skipper/kubernetes/ingress-controller/)は、カスタムプロキシーを構築するためのライブラリーとして設計された、Kubernetes Ingressなどのユースケースを含む、サービス構成用のHTTPルーターとリバースプロキシーです。
 * [Traefik Kubernetes Ingress provider](https://doc.traefik.io/traefik/providers/kubernetes-ingress/)は、[Traefik](https://traefik.io/traefik/) proxy向けのIngressコントローラーです。
 * [Tyk Operator](https://github.com/TykTechnologies/tyk-operator)はAPI管理機能をIngressに持たせるためにCustom ResourcesでAPIを拡張します。Tyk OperatorはOpen Source Tyk GatewayとTyk Cloudコントロールプレーンで動作します。
-* [Voyager](https://appscode.com/products/voyager)は、[HAProxy](https://www.haproxy.org/#desc)向けのIngressコントローラーです。
+* [Voyager](https://voyagermesh.com)は、[HAProxy](https://www.haproxy.org/#desc)向けのIngressコントローラーです。
 * [Wallarm Ingress Controller](https://www.wallarm.com/solutions/waf-for-kubernetes)はWAAP(WAF)やAPIセキュリティ機能を提供するIngressコントローラーです。
 
 ## 複数のIngressコントローラーの使用 {#using-multiple-ingress-controllers}