Weekly GitHub Report for Kubernetes

Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.

Table of Contents

• I. News
  • 1.1. Recent Version Releases
  • 1.2. Other Noteworthy Updates
• II. Issues
  • 2.1. Top 5 Active Issues
  • 2.2. Top 5 Stale Issues
  • 2.3. Open Issues
  • 2.4. Closed Issues
  • 2.5. Issue Discussion Insights

• III. Pull Requests
  • 3.1. Open Pull Requests
  • 3.2. Closed Pull Requests
  • 3.3. Pull Request Discussion Insights

• IV. Contributors
  • 4.1. Contributors

I. News

1.1 Recent Version Releases:

The current version of this repository is v1.32.3

1.2 Version Information:

The Kubernetes version released on March 11, 2025, introduces key updates detailed in the official CHANGELOG, with additional binary downloads available. For comprehensive information on new features and changes, users are encouraged to consult the Kubernetes announce forum and the linked CHANGELOG.

II. Issues

2.1 Top 5 Active Issues:

We consider active issues to be issues that that have been commented on most frequently within the last week. Bot comments are omitted.

1. [SIG/API-MACHINERY] [KIND/FEATURE] [TRIAGE/ACCEPTED] [AREA/API-VALIDATION] [declarative validation] Framework/CI-level checks to prevent merging ineffective or inconsistent Declarative Validation (DV) markers: This issue requests the addition of CI-level checks to ensure Declarative Validation (DV) markers are correctly wired, consistently applied across API versions, and accompanied by appropriate test coverage to prevent ineffective or inconsistent DV usage from passing unnoticed. It highlights the current gap where DV tags can be added without proper wiring or tests, leading to misleading green CI results, and proposes static analysis tools as a solution to enforce these requirements before merging.

   • The comments discuss the feasibility and implementation approaches for these checks, favoring static analysis over runtime hooks to avoid polluting core code, and consider integrating these checks into existing tools or lightweight CI scripts; overall, the interaction reflects a collaborative effort to refine the proposal and ensure practical, maintainable enforcement of DV marker correctness.
   • Number of comments this week: 7

2. [KIND/BUG] [NEEDS-SIG] [NEEDS-TRIAGE] Possible name collision between RS and STS controllers: This issue describes a potential name collision between ReplicaSet and StatefulSet controllers in Kubernetes, where both create pods with similar naming patterns that can overlap if the ReplicaSet's hash suffix is purely numeric and matches the StatefulSet's ordinal suffix. The user demonstrates how this collision can occur, especially in large-scale deployments or when StatefulSet ordinals are manually set, and suggests that adding an auto-generated suffix to StatefulSet pod names might prevent such conflicts.

   • The comments discuss possible solutions including preventing ReplicaSet from using all-digit suffixes, adding suffixes to generated pod names, and concerns about naming consistency; the conversation also touches on whether this should be addressed via documentation or code changes, with no definitive resolution reached.
   • Number of comments this week: 7

3. [SIG/SCHEDULING] [NEEDS-TRIAGE] [WG/DEVICE-MANAGEMENT] DRA: scheduler performance issue with ResourceClaim event handling: This issue addresses a performance bottleneck in the Kubernetes scheduler where handling ResourceClaim events causes the scheduler to iterate over every pod in the unschedulable queue under an exclusive lock, leading to significant CPU usage and blocking other queue operations at scale. The proposed improvement is to leverage the OwnerReference on per-pod ResourceClaims to requeue only the affected pod instead of scanning the entire unschedulable pod pool, potentially reducing the computational overhead.

   • The comments discuss the complexity of integrating this optimization due to the scheduler's design, suggest introducing a queuing hint to limit pod evaluation, consider the need for an index of pods referencing ResourceClaims, and debate whether a formal enhancement proposal is necessary; there is also a suggestion to transfer the issue to the main Kubernetes repository for further handling.
   • Number of comments this week: 7

4. [KIND/BUG] [PRIORITY/IMPORTANT-SOON] [SIG/NODE] [TRIAGE/ACCEPTED] kubelet panic when cgroupsPerQOS set false: This issue describes a panic occurring in the kubelet when the configuration option cgroupsPerQOS is set to false, causing a runtime error due to a nil pointer dereference in the doPodResizeAction function. The panic happens because the currentPodMemoryConfig is nil when calling GetPodCgroupConfig, leading to a crash during pod resize operations, which is triggered by explicitly setting cgroupsPerQOS to false and performing ResizePodInPlace.

   • The comments include triage acknowledgments and severity assessment, noting the bug was introduced in a recent change and is triggered by a non-default configuration; the issue is recognized as a panic bug with potential security implications, and backporting the fix is recommended despite a low blast radius.
   • Number of comments this week: 6

5. [SIG/API-MACHINERY] [NEEDS-TRIAGE] Feature Request: Easy & Efficient CEL Access to all containers in Pods: This issue requests a feature to provide easy and efficient access to all containers within Pods using CEL (Common Expression Language), addressing the current challenges of verbosity, error-proneness, and inefficiency when manually inspecting containers or allocating combined variables. The goal is to simplify policy writing and reduce potential vulnerabilities by enabling a straightforward method to visit all containers, including different container types, in MAP/VAP contexts.

   • The comments show support for the idea, with suggestions for syntax improvements and recognition of the recurring need for this functionality; one user expresses willingness to work on the issue, and the issue is assigned for further action.
   • Number of comments this week: 4

2.2 Top 5 Stale Issues:

We consider stale issues to be issues that has had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.

As of our latest update, there are no stale issues for the project this week.

2.3 Open Issues

This section lists, groups, and then summarizes issues that were created within the last week in the repository.

Issues Opened This Week: 21

Summarized Issues:

• Pod Status and Eviction Inconsistencies: There is an inconsistency in pod status reporting after eviction due to ephemeral storage limits, where the pod status sometimes appears as Failed if the pod is deleted before the status is set, and other times as Completed when retrieved from the container runtime interface. This leads to unreliable pod state information following eviction events.
  • issues/137992

• Kubelet Panics and Runtime Crashes: Multiple issues cause runtime panics in the kubelet, including a nil pointer dereference during pod resizing when cgroupsPerQOS is false and a panic in CPU Manager tests due to inconsistent resource updates leading to crashes during KubeletConfiguration defaulting. These bugs result in unstable kubelet behavior and test failures.
  • issues/137993, issues/138039

• Flaky and Intermittent Test Failures: Several tests across unit, integration, and e2e suites are flaky or intermittently fail due to timeouts, resource exhaustion, or race conditions. These include failures in Horizontal Pod Autoscaler metrics, PersistentVolume NFS mounts, PodGroup admission and protection controllers, CSI Mock volume capacity, and CustomResourceDefinition deletion tests, impacting test reliability.
  • issues/137995, issues/138008, issues/138011, issues/138012, issues/138015, issues/138051, issues/138085

• Validation and Static Analysis Improvements: There is a need for enhanced CI-level static analysis to ensure Declarative Validation markers are consistently applied and tested across API versions, as well as improvements to the validation-gen tool to reduce redundant branching and improve code readability. These enhancements aim to prevent inconsistent validation behavior and improve code quality.
  • issues/138009, issues/138057

• Feature and API Enhancements: Proposals include enabling autoscaling for custom resources without pods by using custom metrics and scale subresource status, adding CEL expression support for iterating over all containers in pods, and modifying OpportunisticBatching to skip execution when NodeName is set. These changes seek to increase flexibility and efficiency in Kubernetes features.
  • issues/138019, issues/138065, issues/138084

• Security and Platform-Specific Issues: Enabling UserNamespacesHostNetworkSupport=true on Fedora CoreOS 43 disables SELinux and causes systemd failures when running pods with hostNetwork=true and hostUsers=false, requiring node restarts to restore SELinux enforcing mode. Additionally, initializing the Kubernetes fake client causes runtime errors on Windows but not Linux, indicating platform-specific client-go scheme issues.
  • issues/138020, issues/138055

• Code Quality and Refactoring Requests: There is a request to refactor the pkg/volume/emptydir directory setup and medium-specific mount layering to clarify responsibilities, ensure consistent call patterns, add focused unit tests, and improve test coverage without affecting user-facing functionality. This aims to improve maintainability and reliability of volume handling code.
  • issues/138054

• Undocumented Panic Behavior in API Machinery: The function runtime.Scheme.AddKnownTypeWithName contains multiple undocumented panic calls, making it unclear to callers that it can crash when given an empty version string or when registering different types under the same GroupVersionKind. This lack of documentation can lead to unexpected runtime failures.
  • issues/138028

• Pod Naming Collisions Between Controllers: A rare name collision can occur between ReplicaSet and StatefulSet controllers because ReplicaSet pods have auto-generated numeric suffixes that may overlap with StatefulSet pod ordinals when both use the same base name. This causes conflicts in pod identification and management.
  • issues/138038

• Scheduler Performance Bottleneck: Handling ResourceClaim events triggers an expensive full scan of all unschedulable pods under a lock, causing high CPU usage and blocking queue operations. Optimizing this by requeuing only pods owning the ResourceClaims instead of scanning the entire unschedulable pod pool is proposed to improve scheduler performance.
  • issues/138095

2.4 Closed Issues

This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.

Issues Closed This Week: 7

Summarized Issues:

• Scheduling and ResourceClaim Conflicts: The DRA scheduler plugin encounters an endless loop and fails to schedule two Pods in a gang when both share the same ResourceClaim, preventing successful gang scheduling. This issue highlights a critical problem in resource allocation and scheduling logic that disrupts pod deployment.
• issues/137617

• Test Failures in CI and E2E Suites: Multiple test failures have been reported including flaking in the DumpClusterLogs test due to duplicate metric collection causing internal server errors, failing HostnameOverride tests on Windows nodes due to unexpected flag errors and output mismatches, and EmptyDir volume tests failing to support memory-backed volumes correctly. These issues indicate instability and regressions in testing environments affecting reliability and feature validation.
• issues/137724, issues/137758, issues/137763, (https://github.com/issues/137758), (https://github.com/issues/137763)

• Security Vulnerability in kubectl: A high severity vulnerability (CVE-2026-25679) was found in kubectl v1.35.3 caused by the use of an outdated Go standard library version (v1.25.7). This vulnerability has been fixed in later Go versions, and an update is requested to resolve pipeline failures and improve security posture.
• issues/138040

• Kubelet Configuration and Timeout Failures: There has been a significant increase in failures in CPUManager and TopologyManager CI jobs due to timeout errors when accessing the /configz endpoint during kubelet configuration tests. This points to potential issues in kubelet responsiveness or configuration handling under test conditions.
• issues/138058

• Kube-proxy iptables Synchronization Confusion: The iptables.minSyncPeriod setting in kube-proxy measures the minimum sync period from the start of one sync to the start of the next, which contradicts the documented expectation of measuring from the completion of the previous sync. This discrepancy causes confusion about whether the implementation or documentation should be corrected.
• issues/138073

2.5 Issue Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed issues from the past week.

III. Pull Requests

3.1 Open Pull Requests

This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Opened This Week: 68

Key Open Pull Requests

1. leaderelection: add fast path for coordinated lease renewal: This pull request introduces an optimistic fast path to the tryCoordinatedRenew function in the leaderelection component, allowing the leader to renew its lease with a single UPDATE operation on the happy path while falling back to the existing GET+UPDATE slow path if conflicts occur, and also refactors the slow path for improved clarity and efficiency.

• URL: pull/138064

• Associated Commits: 73b74, 3c71f, b141f, 02a9c, efdcb

2. Migrate StatefulSet.Spec.Selector to declarative immutable validation: This pull request migrates the immutable field validation of StatefulSet.Spec.Selector from an imperative approach to a declarative one using the +k8s:immutable tag across multiple API versions (apps/v1, v1beta1, and v1beta2), integrates this declarative validation into the StatefulSet strategy with migration checks, updates related validation tests, and aligns with the broader KEP-5073 effort to transition Kubernetes validation logic to a declarative model.

• URL: pull/138080

• Associated Commits: 7c88f, 9af50, 69761, 1c583, c7a29

3. Use computed requeue durations in CLE controller: This pull request improves the CLE controller by replacing its fixed 5-second unconditional requeue interval with dynamically computed requeue durations based on actual lease expiry times and election states, thereby reducing redundant polling and optimizing controller responsiveness.

• URL: pull/138068

• Associated Commits: 0cb8f, 316cc, d4e56, f4799

Other Open Pull Requests

• Immutable field validation migration: Multiple pull requests migrate immutable field validations from imperative ValidateImmutableField calls to declarative +k8s:immutable or related tags as part of the KEP-5073 effort. These include updates for Deployment.Spec.Selector, ReplicaSet.Spec.Selector, PersistentVolume.Spec.VolumeMode, Secret.Type, and Node.Spec.ProviderID, integrating declarative validation into strategy validation methods and adding equivalence tests to ensure correctness.
  • pull/138078, pull/138081, pull/138079, pull/138082

• Kube-proxy UDP conntrack and EndpointSlice improvements: Two pull requests enhance kube-proxy's handling of UDP flows by preserving conntrack entries for terminating or non-ready but running pods. This is achieved by adding a Processing field to EndpointConditions and modifying conntrack cleanup logic to allow active UDP connections to complete gracefully.
  • pull/138092, pull/138092

• Code cleanup and removal of obsolete components: Several pull requests remove deprecated or unused code, including no-op cloud provider controller registrations, the --concurrent-service-syncs flag, v1beta1 REST storage registration in the resource API group, and legacy leader election annotation checks in endpoints controllers. These changes simplify the codebase and remove dead code following recent Kubernetes version updates.
  • pull/138002, pull/138031, pull/138060

• Test flakiness fixes and improvements: Multiple pull requests address flakiness in tests such as the Horizontal Pod Autoscaler reconciliation_duration unit test and the RunTestDelayedWatchDelivery test across different release branches. Improvements include replacing one-time metric reads with polling and cherry-picking fixes to stable release branches to improve test reliability.
  • pull/138059, pull/137997, pull/137998, pull/138042

• Validation-gen tool enhancements: One pull request improves the validation-gen tool by adding type-aware integer parsing functions that validate minimum and maximum tag values against the actual integer type bit width. This prevents silent overflows and compile errors caused by out-of-range values for signed and unsigned integers during code generation.
  • pull/138047

• Bug fixes in networking and resource parsing: Several pull requests fix bugs including Windows Server L2Bridge network endpoint duplication causing DNS timeouts, a bug in resource.MustParse misrouting large integer quantities through slower parsing paths, and a nil pointer panic in kubelet's pod resize action when cgroupsPerQOS is disabled. These fixes improve stability and correctness in networking and resource handling.
  • pull/138000, pull/138076, pull/137999

• Leader election and concurrency improvements: One pull request addresses a race condition in leader election by adding a retry mechanism for the release() function on conflict errors caused by inflight renew() operations and context cancellations. This ensures the release operation retries once within the existing timeout context to improve robustness.
  • pull/137988

• Metrics stability promotion: A pull request promotes component-base metrics rest_client_requests_total and rest_client_request_duration_seconds from Alpha to Beta stability, updating documentation and the stable metrics list accordingly.
  • pull/138093

• OWNERS file schema checking: One pull request adds a schema checker for OWNERS files and integrates it into the quick-verify process to detect malformed OWNERS and OWNERS_ALIASES files earlier, improving repository maintenance and code review workflows.
  • pull/137990

• CNI and SELinux version updates: A pull request updates CNI plugins to version 1.9.1 to address CVE-2025-67499 and bumps the SELinux version to 1.13, enhancing security and compatibility.
  • pull/137991

• Miscellaneous minor fixes: Minor fixes include correcting typos in variable names and error messages to improve code readability and log clarity, and improving Kubelet configuration safety in e2e_node tests by restoring configuration after changes and aborting early on failure to save CI resources.
  • pull/138007, pull/138043

3.2 Closed Pull Requests

This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Closed This Week: 23

Key Closed Pull Requests

1. Add workload aware preemption: This pull request implements workload aware preemption based on KEP-5710, enabling the scheduler to preempt pods at the pod group level rather than individually when the WorkloadAwarePreemption feature gate is enabled and scheduling a pod group fails.

• URL: pull/137606

• Associated Commits: 96d6d, a99a9, 7e3a4, 108f9, 3b9ae, db228, 92bee, ae769, 234b9

• Associated Commits: 96d6d, a99a9, 7e3a4, 108f9, 3b9ae, db228, 92bee, ae769, 234b9

2. [WIP] KEP-5729: DRA: ResourceClaim Support for Workloads: This pull request implements the initial features of KEP-5729 to add ResourceClaim support for workloads in Kubernetes, including adding a feature gate and updating the Pod API to reference PodGroup claims, while noting that several key components such as scheduler updates and lifecycle management remain incomplete.

• URL: pull/136989

• Associated Commits: 23c28, 387fe, f2477, 50d5b, 8806e

• Associated Commits: 23c28, 387fe, f2477, 50d5b, 8806e

3. Feature/payment: This pull request proposes adding new features related to payment processing, including test data, descriptive updates, logging modifications, and header logic enhancements, although it has not been merged.

• URL: pull/138033

• Associated Commits: 8a468, 1e67e, ee00e, 81814

• Associated Commits: 8a468, 1e67e, ee00e, 81814

Other Closed Pull Requests

3.3 Pull Request Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.

IV. Contributors

4.1 Contributors

Active Contributors:

We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.

If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.

Access Last Week's Newsletter:

• Link