Weekly Project News

Weekly GitHub Report for Kubernetes: October 13, 2025 - October 20, 2025 (12:04:41)

Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.


Table of Contents

  • I. News
    • 1.1. Recent Version Releases
    • 1.2. Other Noteworthy Updates
  • II. Issues
    • 2.1. Top 5 Active Issues
    • 2.2. Top 5 Stale Issues
    • 2.3. Open Issues
    • 2.4. Closed Issues
    • 2.5. Issue Discussion Insights
  • III. Pull Requests
    • 3.1. Open Pull Requests
    • 3.2. Closed Pull Requests
    • 3.3. Pull Request Discussion Insights
  • IV. Contributors
    • 4.1. Contributors

I. News

1.1 Recent Version Releases:

The current version of this repository is v1.32.3

1.2 Version Information:

The Kubernetes 1.32 release, announced on March 11, 2025, introduces several key updates and improvements detailed in the official CHANGELOG, with additional binary downloads available. This version continues to enhance Kubernetes' functionality and stability, reflecting ongoing development trends in the platform.

II. Issues

2.1 Top 5 Active Issues:

We consider active issues to be issues that have been commented on most frequently within the last week. Bot comments are omitted.

  1. DRA: standardize parameter resource.kubernetes.io/pciAddress for the example pcie address of devices: This issue requests the standardization of the parameter resource.kubernetes.io/pciAddress to provide a reliable and consistent way to obtain the exact PCI address of DRA devices, which is necessary for components like Kubevirt to configure devices properly. The discussion also explores whether to include a helper function to retrieve and validate this PCI address, similar to the existing helper for pcieRoot, with consensus leaning towards adding such a function as part of the feature implementation.

    • The comments show agreement on the importance of standardizing the PCI address parameter for device management, with suggestions to include a helper function for validation and retrieval. The issue was clarified as a feature request rather than a bug, and the implementation was accepted and prioritized accordingly.
    • Number of comments this week: 10
  2. logger.V(4).Error() still prints logs when log level is set to 0: This issue reports that the function logger.V(4).Error() continues to output logs even when the log level is set to 0, which contradicts the expected behavior where such verbose logs should be suppressed. The problem arises because the V() method is intended for informational logs with verbosity levels, while error logs are treated differently, and the current implementation does not properly check the log level before printing error logs at verbosity 4.

    • The comments clarify that V() is designed for info-level logs and not errors, reflecting a design inherited from glog and maintained in klog, where error logs do not respect verbosity levels in the same way. It is suggested that error logs using logger.V(4).Error() should be replaced with info logs like logger.V(4).Info for contextual logging, and that controlling noisy error logs requires local handling since the logging libraries do not provide built-in primitives for suppressing frequent error messages based on verbosity.
    • Number of comments this week: 9
  3. DRA: plugin can not pass a mount for a pod with hostUsers: false: This issue describes a problem where the DRA plugin cannot correctly pass mount points for pods configured with hostUsers: false because the plugin lacks awareness of the user namespace mappings (UidMappings and GidMappings) that Kubernetes applies to mounts in such pods. This results in permission denied errors when accessing mounted directories inside containers, and the discussion explores potential solutions involving extending the Container Device Interface (CDI) to support injecting these ID mappings properly to avoid permission issues.

    • The comments focus on identifying the root cause as the DRA plugin not having pod user namespace context and relying on CDI for mount configuration, which currently does not support UID/GID mappings. Contributors discuss possible fixes by enhancing CDI to inject these mappings, share test results showing improved behavior with updated CDI, and consider complexities around multiple containers with different mappings, ultimately suggesting that handling this in CDI is the appropriate approach.
    • Number of comments this week: 8
  4. ci-kubernetes-e2e-kind-rootless failing before running tests, since 2025-10-15: hack/lib/golang.sh: line 572: go_version[2]: unbound variable: This issue describes a failure in the ci-kubernetes-e2e-kind-rootless job that occurs before any tests run, caused by a compilation error related to an unbound variable in the golang.sh script and permission denied errors when trying to create directories in the Go module cache. The problem appears to be linked to rootless Docker usage and possibly a recent regression introduced by a specific pull request, with ongoing discussion about ownership and responsibility for fixing the rootless build environment.

    • The comments identify the root cause as permission issues with the mounted source directory in a rootless Docker setup, discuss the infrequency of the job runs and commit accuracy, clarify that the rootless CI is mainly maintained by a single contributor, and share related issues and a pull request aimed at resolving the problem.
    • Number of comments this week: 7
  5. Some goroutine leaks in staging/src/k8s.io/client-go/tools/cache: This issue reports goroutine leaks detected in the client-go tools/cache package during testing, specifically caused by the lack of proper context cancellation or shutdown in the test setup. The reporter provides detailed blocking positions and a reproduction method using goleak, expecting no goroutine leaks to occur.

    • The comments clarify that the detected goroutine leaks are likely due to the test not cancelling the context properly rather than a bug in the main code. It is noted that context cancellation support has improved over time, and updating the test to properly cancel contexts should prevent these leaks, indicating the issue is with the test implementation rather than the production code.
    • Number of comments this week: 6

2.2 Top 5 Stale Issues:

We consider stale issues to be issues that have had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.

  1. Zone-aware down scaling behavior: This issue describes a problem with the horizontal pod autoscaler (HPA) scale-in behavior in Kubernetes where the expected zone-aware distribution of pods, governed by topology spread constraints with a maxSkew of 1, is not maintained. Specifically, during scale-in events, pods become unevenly distributed across availability zones, resulting in one zone having significantly fewer pods and causing high CPU usage on the remaining pod in that zone, contrary to the intended balanced spread.
  2. apimachinery's unstructured converter panics if the destination struct contains private fields: This issue describes a panic occurring in the apimachinery's DefaultUnstructuredConverter when it attempts to convert an unstructured object into a destination struct that contains private (non-exported) fields. The reporter expects the converter to safely ignore these private fields instead of panicking, as this problem arises particularly with protobuf-generated gRPC structs that include private fields for internal state management.
  3. Integration tests for kubelet image credential provider: This issue proposes adding integration tests for the kubelet image credential provider, similar to the existing tests for client-go credential plugins. It suggests that since there are already integration tests for pod certificate functionality, implementing tests for the kubelet credential plugins would be a logical and beneficial extension.
  4. conversion-gen generates code that leads to panics when fields are accessed after conversion: This issue describes a bug in the conversion-gen tool where it generates incorrect conversion code for structs that have changed field types between API versions, specifically causing unsafe pointer conversions instead of properly calling the conversion functions. As a result, accessing certain fields like ExclusiveMaximum after conversion leads to runtime panics, highlighting the need for conversion-gen to produce safe and correct code to prevent such crashes.
  5. Failure cluster [ff7a6495...] TestProgressNotify fails when etcd in k/k upgraded to 3.6.2: This issue describes a failure in the TestProgressNotify test that occurs when the etcd component in the Kubernetes project is upgraded to version 3.6.2. The test times out after 30 seconds waiting on a result channel, with error logs indicating that the embedded etcd server fails to set up serving due to closed network connections and server shutdowns.

2.3 Open Issues

This section lists, groups, and then summarizes issues that were created within the last week in the repository.

Issues Opened This Week: 29

Summarized Issues:

  • Goroutine Leaks in Tests: Multiple issues report goroutine leaks during testing in Kubernetes components caused by blocking operations or improper context cancellation, leading to lingering goroutines detected by goleak. These leaks primarily affect test reliability and do not necessarily impact the main program's functionality.
  • issues/134563, issues/134565
  • Flaky and Failing Tests: Several tests intermittently fail or consistently fail due to timeouts, resource quota updates, or pod startup latency exceeding thresholds, impacting test stability and reliability. These flakes and failures require fixes to improve test robustness and accuracy.
  • issues/134566, issues/134620, issues/134704
  • DRA Plugin Issues: The DRA plugin faces problems including flaky Windows test failures due to socket binding errors and permission denied errors caused by incorrect user namespace UID/GID mappings on mounts. These issues affect plugin reliability and pod mount permissions.
  • issues/134570, issues/134604
  • Resource Allocation and Pod Scheduling Delays: Problems in resource checks during container resizing and serial processing of PVCs in StatefulSets cause incorrect resource allocation and significant pod scheduling delays. Proposed concurrency improvements and resource availability checks aim to resolve these inefficiencies.
  • issues/134581, issues/134610
  • Kubectl Command Behavior and Enhancements: Issues include inconsistent output behavior of kubectl apply --dry-run=client and enhancement requests for kubectl get storageclass to clarify default StorageClass usage. These affect user experience and command predictability.
  • issues/134568, issues/134640
  • API and Feature Gate Testing Limitations: Testing multiple API servers with different feature gate configurations in a single process is problematic due to shared global feature gates, leading to disabled tests and the need for fixes or removal.
  • issues/134606
  • LoadBalancer and Network Health Issues: The kube-proxy /healthz endpoint does not accurately reflect node network health, causing ineffective LoadBalancer health checks, and LoadBalancer services cannot access sidecar container named ports unlike ClusterIP services. These issues impact network reliability and service accessibility.
  • issues/134648, issues/134651
  • Concurrency and Race Conditions in Resource Updates: Updates to HorizontalPodAutoscaler resources on AWS EKS fail due to version conflicts from concurrent modifications, raising concerns about race conditions and the need for further investigation.
  • issues/134666
  • Build and Compilation Failures: The ci-kubernetes-e2e-kind-rootless job fails due to permission denied errors during rootless Docker builds, causing compilation errors and preventing successful image builds.
  • issues/134669
  • API Linter and Deprecated Code Fixes: Tracking and fixing deprecated usage such as newTLSConfigCopy.NameToCertificate and implementing Kube API Linter rules are ongoing efforts to maintain code quality and prevent linter failures.
  • issues/134671, issues/134672
  • Cgroup Driver Reporting Mismatch: When using containerd with SystemdCgroup enabled and an unset cgroupDriver in kubelet config, the node's configz endpoint incorrectly reports the cgroupDriver as "cgroupfs" instead of "systemd," causing confusion between logs and API responses.
  • issues/134673
  • OpenAPI 3.1 Adoption Considerations: The potential adoption of OpenAPI 3.1 in Kubernetes is discussed due to its improved schema validation, JSON Schema compatibility, and enhanced CRD structural schema validation capabilities over OpenAPI 3.0.
  • issues/134684
  • JWT Authenticator Health Check Enhancement: A proposal to add a /readyz endpoint for stricter JWT authenticator health checks aims to verify provider initialization and /jwks endpoint accessibility, improving token authentication reliability behind a feature gate.
  • issues/134689
  • Metrics Infrastructure for Kubernetes Components: Multiple issues propose adding metrics for the reflector, informer event handlers, and queue, as well as enabling informer metrics in components, to enhance instrumentation and monitoring capabilities in Kubernetes.
  • issues/134696, issues/134697, issues/134698, issues/134699, issues/134700
  • PowerShell Kubectl Completion Script Issue: The PowerShell kubectl completion example incorrectly invokes the completion script without quoting the path, causing the completion setup to run in a child scope and fail to persist, requiring a fix to dot-source the script with a quoted path.
  • issues/134705

2.4 Closed Issues

This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.

Issues Closed This Week: 9

Summarized Issues:

  • Kubernetes CI Test Failures and Job Issues: Several issues report failing tests in various Kubernetes CI jobs caused by different underlying problems such as installation errors, missing binaries, and configuration mismatches. These failures affect multiple CI workflows including conformance tests, node tests, and presubmit jobs, leading to job failures and the need for reverts or fixes.
  • issues/134557, issues/134561, issues/134616, issues/134622, issues/134694
  • Container Metrics and Resource Usage Reporting: There are issues related to missing container filesystem and block I/O metrics in cgroup v1 environments and under-reporting of API Priority and Fairness watch resource usage. These problems cause timeouts in tests and inaccurate CPU cost estimations, impacting system monitoring and resource protection.
  • issues/134571, issues/134580
  • Application Accessibility and Deployment Documentation: One issue highlights an application running in pods on a Kind Kubernetes cluster becoming inaccessible externally after an EC2 instance type change and restart. Another issue points out the lack of reference documentation for deploying Huawei Ascend 920 GPUs on Kubernetes, indicating gaps in deployment support and guidance.
  • issues/134551, issues/134609

2.5 Issue Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed issues from the past week.


III. Pull Requests

3.1 Open Pull Requests

This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Opened This Week: 66

Key Open Pull Requests

1. [release 1.33] Automated cherry pick of #133929: scheduler/volumebinding: passive assume cache: This pull request is an automated cherry pick of #133929 to release-1.33 that introduces a passive AssumeCache implementation for the scheduler's VolumeBinding plugin to resolve race conditions by maintaining an up-to-date, simplified cache that passively records assumed states without duplicating informer objects, improving scheduling reliability and memory efficiency.

  • URL: pull/134682
  • Merged: No
  • Associated Commits: 04c90, 0cb27, 82707, dbc16, 44e3a, 3db4c, f2206, 34e09

2. [release 1.34] Automated cherry pick of #133929: scheduler/volumebinding: passive assume cache #134682: This pull request is an automated cherry-pick of a change to the Kubernetes scheduler's VolumeBinding plugin that introduces a simpler, passive AssumeCache to resolve race conditions by passively recording assumed states without copying all informer objects, improving cache consistency and memory usage.

  • URL: pull/134683
  • Merged: No
  • Associated Commits: 2a501, ccb57, bc619, 30e06, 36427, 5a4a2, 914ae, 00694

3. Enable Declarative Validation for storage: This pull request enables declarative validation for storage in the Kubernetes project by upgrading tags to declarative tags, adding related tests, and modifying strategy and storage migration code to support this new validation approach.

  • URL: pull/134653
  • Merged: No
  • Associated Commits: 4bea7, 5efb8, e4d77, 6ac48, 647da, 4840f, cfe74

Other Open Pull Requests

  • E2E Testing Framework Improvements: Multiple pull requests focus on enhancing the Kubernetes end-to-end testing framework by simplifying Ginkgo wrapper usage, unifying and streamlining test labels, fixing duplicate and conflicting test registrations, and improving the visibility and documentation of feature gate dependencies. These changes collectively improve test readability, maintainability, and filtering capabilities.
    • pull/134708, pull/134686
  • Workload and Pod Specification Enhancements: Updates include introducing a new Workload API with a WorkloadReference field in Pod specs to improve workload management, and enabling updates to container resource allocations on suspended jobs while preserving immutability of other pod template fields. These features add flexibility and future extensibility to workload and job management in Kubernetes.
    • pull/134564, pull/134629
  • EventedPLEG and Pod State Improvements: A set of commits address various issues in EventedPLEG such as pod hanging, panics under node resource pressure, slow pod resizing, and enhance pod state determination using real-time container events. These fixes improve pod lifecycle stability and responsiveness under resource constraints.
    • pull/134649
  • API and Feature Gate Updates: Several pull requests add or modify feature gates and API behaviors, including adding numeric comparison operators to Tolerations, introducing a strict condition uniqueness feature gate for CSR updates, promoting KubeletInUserNamespace to beta, removing deprecated feature gates, and locking VolumeAttributesClass gate to enabled by default. These changes refine API capabilities and clean up feature gate management.
    • pull/134665, pull/134576, pull/134639, pull/134552, pull/134693
  • Authorization and Security Enhancements: A new synthetic "create" permission check for pod subresource WebSocket upgrades is implemented with a Beta feature gate, requiring updated permissions for SPDY and WebSocket API requests. This improves security by enforcing stricter authorization controls on pod subresource access.
    • pull/134577
  • Resource and Device Management Fixes: Updates include fixing allocation logic in DRAConsumableCapacity for multiple devices and reallocations, migrating validation of ResourceClaim device tolerations and taint effects to declarative validation, and adding configurable concurrency options for the ResourceClaim controller. These changes enhance resource management reliability and configurability.
    • pull/134615, pull/134555, pull/134701, pull/134706
  • Pod Startup and Condition Reporting Improvements: A callback mechanism is added to update the PodReadyToStartContainers condition immediately after pod sandbox creation and network setup, reducing the time the condition remains false and improving pod startup status reporting. This feature is gated and tested for backward compatibility.
    • pull/134660
  • Validation and API Field Tagging Enhancements: Efforts include enforcing explicit +optional or +required tags on all API fields in the apiserverinternal group, migrating validation logic to declarative validation for better maintainability, and introducing a new fully qualified name format for device constraints with improved error reporting. These changes improve API consistency and validation accuracy.
    • pull/134675, pull/134602, pull/134584
  • Performance and Test Reliability Improvements: Performance optimizations are made to the ValidatingAdmissionPolicy for multiple policy bindings, and VolumeGroupSnapshot tests are refined to improve integration with CI systems, enhancing overall test reliability and system efficiency.
    • pull/134579, pull/134579
  • Documentation and Usability Updates: Documentation is added for several Kubernetes OpenAPI extensions to improve user understanding, and the PowerShell completion example is updated to handle user environments with spaces in the home directory by dot-sourcing and quoting the script path. These updates enhance usability and developer experience.
    • pull/134574, pull/134706
  • Crash Fixes and Bug Resolutions: A crash in kubelet caused by static pods referencing PersistentVolumeClaims is fixed by adding early validation to prevent nil pointer dereferences, improving system stability.
    • pull/134559
  • etcd Client Reliability Enhancements: An outlier detection feature is introduced for the etcd client, including dependency and configuration updates to improve client behavior and reliability.
    • pull/134693

3.2 Closed Pull Requests

This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Closed This Week: 56

Key Closed Pull Requests

1. feat(validation): add k8s:update & migrate ResourceClaimStatus maxItem validation to declarative: This pull request introduces a new +k8s:update tag to enable declarative validation rules specifically for resource updates, migrates the immutability validation of ResourceClaimStatus.Allocation and several list size validations in Device Resource Allocation (DRA) status fields (ReservedFor, Results, and Config) from manual code to declarative annotations using +k8s:update and +k8s:maxItems, thereby simplifying and standardizing validation logic within Kubernetes API types.

  • URL: pull/134558
  • Merged: Yes
  • Associated Commits: b0a51, 4d61b, 331ea, f7014, a05fc, 8c7a3, b3eb1, 2260c

2. additional build simplification, drop rsync requirement: This pull request simplifies the Kubernetes build process by removing the dependency on rsync, cleaning up unused shell scripts and environment variables, and switching to using pre-built kube-cross images instead of building custom build images.

  • URL: pull/134656
  • Merged: Yes
  • Associated Commits: b3ad6, ff0a5, e71aa, feeeb, 18778, 5b9b8

3. go 1.25.2/1.24.8 related fixes: This pull request addresses several bugs related to IP/port joining for IPv6, invalid email and DNS Subject Alternative Name (SAN) generation in certificates during tests and kubeadm scenarios, and includes fixes to kubeadm preflight checks along with adding integration tests to ensure acceptance of certificates with previously invalid SANs continues to work.

  • URL: pull/134588
  • Merged: Yes
  • Associated Commits: ced2a, 39d37, 3c2c6

Other Closed Pull Requests

  • Kubeadm preflight checks and invalid SAN certificate fixes: Multiple pull requests address issues in kubeadm preflight checks that caused hostname construction failures in IPv6 setups. They also remove invalid SAN certificate construction and add integration tests for handling invalid SAN certificates to improve reliability.
    • pull/134589, pull/134590, pull/134591, pull/134592
  • Golangci-lint tooling updates for Go 1.24 compatibility: These pull requests manually cherry-pick lint tooling changes to update golangci-lint for compatibility with Go 1.24. They include temporary suppressions of known lint issues to ensure linting passes without extensive code changes.
    • pull/134594, pull/134593
  • Kubernetes project dependency and image bumps to Go 1.24.8/1.24.9 and distroless iptables: Several pull requests update dependencies, container images, and versions to use Go 1.24.8 or 1.24.9 along with distroless iptables. They also update setcap and the debian-base image to bookworm-v1.0.6 for improved stability and security.
    • pull/134585, pull/134586, pull/134617, pull/134611, pull/134612, pull/134613, pull/134618
  • Kubernetes project update to Go 1.25.3 and related images: One pull request updates the Kubernetes project dependencies, container images, and versions to use Go 1.25.3 with distroless iptables, including updates to the debian-base image and setcap utility.
    • pull/134611
  • Build process improvements and environment variable fixes: Pull requests improve the build process by making the .go-version file independent of kube-cross and refactoring build variable setup into a reusable function. Another fixes an issue where building node images inside the kube-cross container ignored the KUBE_GIT_VERSION_FILE environment variable, preventing incorrect version suffixes.
    • pull/134573, pull/134553, pull/134619, pull/134632
  • Removal of deprecated storage.k8s.io/v1alpha1 VolumeAttributesClass API: One pull request removes support for the storage.k8s.io/v1alpha1 VolumeAttributesClass API, which is no longer served starting in Kubernetes version 1.35, as part of cleanup efforts.
    • pull/134625
  • Local build symlink setup adjustment: A pull request ensures that the _output/bin symlink is only created during local builds with the default output subpath, preventing its creation in dockerized builds to maintain compatibility.
    • pull/134632
  • Feature exposure and test additions in client-go: One pull request exposes the IsWatchListSemanticsUnSupported feature in the client-go/typed/fake package, enabling detection of unsupported watch list semantics and including related tests and code generation updates.
    • pull/134663
  • Topology Manager policy promotion to GA: A pull request promotes the Topology Manager policy option max-allowable-numa-nodes to General Availability (GA) status as part of KEP 4622, addressing limitations and marking its graduation to stable release.
    • pull/134614
  • Windows reboot node e2e test skip: One pull request skips the failing Windows reboot node end-to-end test case, with plans to rework and re-enable it once the graceful shutdown feature is enabled by default.
    • pull/134554
  • Code cleanup in kuberuntime-container: A pull request cleans up redundant if branches by using a more concise if statement when the status.state is ContainerStateRunning, improving code readability.
    • pull/134560
  • Revert kubeup environment parameter changes due to CI failures: One pull request reverts previous changes to kubeup environment parameters after subsequent CI failures caused by a fix to a master build issue, aiming to restore stability in continuous integration tests.
    • pull/134562
  • Fix for GCE job failures related to containerd/runc version logic: A pull request fixes broken Google Compute Engine jobs by modifying logic that hardcoded containerd/runc versions to only apply on Ubuntu systems, preventing incorrect evaluations on other OSes.
    • pull/134567

3.3 Pull Request Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.


IV. Contributors

4.1 Contributors

Active Contributors:

We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.

If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.

Contributor      Commits  Pull Requests  Issues  Comments
BenTheElder      35       10             4       60
liggitt          46       14             0       42
yongruilin       79       6              1       15
pohly            21       7              9       63
aaron-prindle    50       12             2       29
macsko           19       7              10      39
lalitc375        32       11             0       13
thockin          52       1              0       3
p0lyn0mial       37       10             0       4
aojea            2        1              0       35
