Merge pull request #48590 from sftim/20241029_feature_gate_changes

k8s-ci-robot · web-flow · commit 30442f80b72b · 2024-11-12T01:08:46.000Z
Update feature gate information for v1.31
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/allow-dns-only-node-csr.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/allow-dns-only-node-csr.md
@@ -0,0 +1,14 @@
+---
+title: AllowDNSOnlyNodeCSR
+content_type: feature_gate
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: deprecated
+    defaultValue: false
+    fromVersion: "1.31"
+---
+Allow kubelet to request a certificate without any Node IP available, only with DNS names.
+
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/allow-insecure-kubelet-certificate-signing-requests.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/allow-insecure-kubelet-certificate-signing-requests.md
@@ -0,0 +1,18 @@
+---
+title: AllowInsecureKubeletCertificateSigningRequests
+content_type: feature_gate
+
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: deprecated
+    defaultValue: false
+    fromVersion: "1.31"
+---
+Disable node admission validation of
+[CertificateSigningRequests](/docs/reference/access-authn-authz/certificate-signing-requests/#certificate-signing-requests)
+for kubelet signers. Unless you disable this feature gate, Kubernetes enforces that new
+kubelet certificates have a `commonName` matching `system:node:$nodeName`.
+
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/anonymous-auth-configurable-endpoints.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/anonymous-auth-configurable-endpoints.md
@@ -6,9 +6,9 @@ _build:
   render: false
 
 stages:
-  - stage: alpha 
+  - stage: alpha
     defaultValue: false
     fromVersion: "1.31"
+
 ---
-Enable [configurable endpoints for anonymous auth](/docs/reference/access-authn-authz/authentication/#anonymous-authenticator-configuration) 
-for the API server.
+Enable configuring anonymous authentication / authorization for only certain API server endpoints.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/app-armor-fields.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/app-armor-fields.md
@@ -0,0 +1,22 @@
+---
+title: AppArmorFields
+content_type: feature_gate
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: beta
+    defaultValue: true
+    fromVersion: "1.30"
+    toVersion: "1.30"
+  - stage: stable
+    defaultValue: true
+    fromVersion: "1.31"
+---
+Enable AppArmor related security context settings.
+
+For more information about AppArmor and Kubernetes, read the
+[AppArmor](/docs/concepts/security/linux-kernel-security-constraints/#apparmor) section
+within
+[security features in the Linux kernel](/docs/concepts/security/linux-kernel-security-constraints/#linux-security-features).
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/concurrent-watch-object-decode.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/concurrent-watch-object-decode.md
@@ -0,0 +1,16 @@
+---
+title: ConcurrentWatchObjectDecode
+content_type: feature_gate
+
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: beta
+    defaultValue: false
+    fromVersion: "1.31"
+
+---
+Enable concurrent watch object decoding. This is to avoid starving the API server's
+watch cache when a conversion webhook is installed.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/csi-migration-portworx.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/csi-migration-portworx.md
@@ -13,6 +13,10 @@ stages:
   - stage: beta
     defaultValue: false
     fromVersion: "1.25"
+    toVersion: "1.30"
+  - stage: beta
+    defaultValue: true
+    fromVersion: "1.31"
 ---
 Enables shims and translation logic to route volume operations
 from the Portworx in-tree plugin to Portworx CSI plugin.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/disable-allocator-dual-write.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/disable-allocator-dual-write.md
@@ -0,0 +1,18 @@
+---
+title: DisableAllocatorDualWrite
+content_type: feature_gate
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: alpha
+    defaultValue: false
+    fromVersion: "1.31"
+---
+You can enable the `MultiCIDRServiceAllocator` feature gate. The API server supports migration
+from the old bitmap ClusterIP allocators to the new IPAddress allocators.
+
+The API server performs a dual-write on both allocators. This feature gate disables the dual write
+on the new Cluster IP allocators; you can enable this feature gate if you have completed the
+relevant stage of the migration.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/disable-cloud-providers.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/disable-cloud-providers.md
@@ -10,10 +10,19 @@ stages:
     defaultValue: false
     fromVersion: "1.22"
     toVersion: "1.28"
-  - stage: beta 
+  - stage: beta
     defaultValue: true
-    fromVersion: "1.29"    
+    fromVersion: "1.29"
+    toVersion": "1.30"
+  - stage: stable
+    defaultValue: true
+    fromVersion: "1.31"
+
 ---
-Disables any functionality in `kube-apiserver`,
-`kube-controller-manager` and `kubelet` related to the `--cloud-provider`
-component flag.
+Enabling this feature gate deactivated functionality in `kube-apiserver`,
+`kube-controller-manager` and `kubelet` that related to the `--cloud-provider`
+command line argument.
+
+In Kubernetes v1.31 and later, the only valid values for `--cloud-provider`
+are the empty string (no cloud provider integration), or "external"
+(integration via a separate cloud-controller-manager).
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/disable-kubelet-cloud-credential-providers.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/disable-kubelet-cloud-credential-providers.md
@@ -9,10 +9,16 @@ stages:
   - stage: alpha
     defaultValue: false
     fromVersion: "1.23"
-    toVersion: "1.28"    
-  - stage: beta 
+    toVersion: "1.28"
+  - stage: beta
     defaultValue: true
-    fromVersion: "1.29"     
+    fromVersion: "1.29"
+    toVersion: "1.30"
+  - stage: stable
+    defaultValue: true
+    fromVersion: "1.31"
+
 ---
-Disable the in-tree functionality in kubelet
-to authenticate to a cloud provider container registry for image pull credentials.
+Enabling the feature gate deactivated the legacy in-tree functionality within the
+kubelet, that allowed the kubelet to to authenticate to a cloud provider container registry
+for container image pulls.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/proc-mount-type.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/proc-mount-type.md
@@ -6,9 +6,13 @@ _build:
   render: false
 
 stages:
-  - stage: alpha 
+  - stage: alpha
     defaultValue: false
     fromVersion: "1.12"
+    toVersion: "1.30"
+  - stage: beta
+    defaultValue: false
+    fromVersion: "1.31"
 ---
 Enables control over the type proc mounts for containers
-by setting the `procMount` field of a SecurityContext.
+by setting the `procMount` field of a Pod's `securityContext`.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/reload-kubelet-server-certificate-file.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/reload-kubelet-server-certificate-file.md
@@ -0,0 +1,17 @@
+---
+title: ReloadKubeletServerCertificateFile
+content_type: feature_gate
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: beta
+    defaultValue: true
+    fromVersion: "1.31"
+
+---
+Enable the kubelet TLS server to update its certificate if the specified certificate file are changed.
+
+This feature is useful when specifying `tlsCertFile` and `tlsPrivateKeyFile` in kubelet configuration.
+The feature gate has no effect for other cases such as using TLS boostrap.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/retry-generate-name.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/retry-generate-name.md
@@ -9,9 +9,15 @@ stages:
   - stage: alpha
     defaultValue: false
     fromVersion: "1.30"
+    toVersion: "1.30"
+  - stage: beta
+    defaultValue: true
+    fromVersion: "1.31"
+
 ---
 Enables retrying of object creation when the
 {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}
 is expected to generate a [name](/docs/concepts/overview/working-with-objects/names/#names).
+
 When this feature is enabled, requests using `generateName` are retried automatically in case the
 control plane detects a name conflict with an existing object, up to a limit of 8 total attempts.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/strict-cost-enforcement-for-vap.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/strict-cost-enforcement-for-vap.md
@@ -0,0 +1,15 @@
+---
+title: StrictCostEnforcementForVAP
+content_type: feature_gate
+
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: beta
+    defaultValue: false
+    fromVersion: "1.31"
+---
+Apply strict CEL cost validation for ValidatingAdmissionPolicies.
+
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/strict-cost-enforcement-for-webhooks.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/strict-cost-enforcement-for-webhooks.md
@@ -0,0 +1,15 @@
+---
+title: StrictCostEnforcementForWebhooks
+content_type: feature_gate
+
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: beta
+    defaultValue: false
+    fromVersion: "1.31"
+---
+Apply strict CEL cost validation for `matchConditions` within
+admission webhooks.
