Releases · knative/serving

v1.21.2

🚨 Breaking or Notable Changes

Secure Pod Defaults (#16042, @nader-ziada)

We've introduce secure-pod-defaults in an earlier release and included a new setting AllowRootBounded in v1.20 that offers a better security posture for your workloads but balances the compatibility with images that require/expect you to run as root.

For 1.21 release the secure-pod-defaults default will remain disabled but in a future release (most likely v1.22) we will switch this default to AllowRootBounded.

If you're unsure whether your workloads will support this new setting you should explicitly set this option to disabled prior to upgrading to v1.22.

For more information see the documentation and reach out if you foresee issues in your testing.

What's Changed

[release-1.21] feat: use knative.dev/pkg/network/tls for configurable TLS by @Fedosin in #16482

Full Changelog: knative-v1.21.1...knative-v1.21.2

v1.21.1

🚨 Breaking or Notable Changes

Secure Pod Defaults (#16042, @nader-ziada)

For 1.21 release the secure-pod-defaults default will remain disabled but in a future release (most likely v1.22) we will switch this default to AllowRootBounded.

If you're unsure whether your workloads will support this new setting you should explicitly set this option to disabled prior to upgrading to v1.22.

For more information see the documentation and reach out if you foresee issues in your testing.

What's Changed

[release-1.21] Rebuilt prior release with v1.25.7 in #16408

Full Changelog: knative-v1.21.0...knative-v1.21.1

v1.20.3

v1.19.9

v1.21.0

🚨 Breaking or Notable Changes

Secure Pod Defaults (#16042, @nader-ziada)

For 1.21 release the secure-pod-defaults default will remain disabled but in a future release (most likely v1.22) we will switch this default to AllowRootBounded.

If you're unsure whether your workloads will support this new setting you should explicitly set this option to disabled prior to upgrading to v1.22.

For more information see the documentation and reach out if you foresee issues in your testing.

💫 New Features & Changes

You can now set the new feature pod-is-always-schedulable to true in the config-deployment ConfigMap. As a result, Knative will not mark revisions as Unschedulable when a Pod is not scheduled. This makes sense if you want to omit this transient state in clusters that have cluster-autoscaling set up, and you can guarantee that all Pods will be eventually scheduled. (#16146, @SaschaSchwarze0)
Activator probe timeout and frequency are now configurable via PROBE_TIMEOUT and PROBE_FREQUENCY environment variables. (#16250, @bindrad)
Add terminationGracePeriodSeconds support for user and sidecar container probes (#16255, @flomedja)
Added support for OpenTelemetry W3C Trace Context (traceparent header) in request logging, while maintaining backward compatibility with Zipkin B3 format. (#16168, @SomilJain0112)
Allow activator to be out of the request path when system-internal-tls is enabled (#16183, @linkvt)
Allow adjusting Revision min/max scale annotations (#16186, @dprotaso)
Allow unreachable revisions with initialScale > 1 to scale to 0 (#16327, @aviralgarg05)
Include two new activator metrics (kn.activator.stats.conn.reachable, kn.activator.stats.conn.errors) that reflect the stats reporter connection status (#16318, @prashanthjos)

🐞Bug Fixes

Preserve deployment and template annotations and labels during reconcile (#16199, @linkvt)
Fall back to HTTP1 on failed HTTP2 health probes (e.g. on connection error or non-readiness) (#16205, @linkvt)
Fix a rare data race in revision backend manager creating revision watchers during shutdown (#16225, @linkvt)
Fix flaky HTTPS e2e tests by waiting for HTTPS endpoint to be Ready. (#16230, @linkvt)
Fix metric names to match the original design document kn.queueproxy.app.duration becomes kn.serving.invocation.duration and kn.queueproxy.depth becomes kn.serving.queue.depth (#16290, @dprotaso)
Fix request log output corruption when using invalid log templates (#16242, @linkvt)
Fixed duplicate ACME challenge paths when Services with traffic tags use HTTP-01 challenges for TLS certificates. (#16259, @linkvt)
Services can no longer route traffic to revisions belonging to different services; attempting to do so will result in Ready=False with reason RevisionNotOwned. (#16294, @linkvt)
Services with invalid networking.knative.dev/* annotations on the revision template now fail immediately with a clear error instead of getting stuck. (#16296, @linkvt)
Switch to async metric instrumentation to avoid unbounded memory growth (#16300, @dprotaso)
fix sub-second precision metric reporting (#16358, @dprotaso)

New Contributors

@SomilJain0112 made their first contribution in #16168
@linkvt made their first contribution in #16230
@bindrad made their first contribution in #16250
@prashanthjos made their first contribution in #16318
@aviralgarg05 made their first contribution in #16327

Dependencies

Added

github.com/CloudyKit/fastprinter: 33d98a0
github.com/CloudyKit/jet/v6: v6.2.0
github.com/Joker/jade: v1.1.3
github.com/RaveNoX/go-jsoncommentstrip: v1.0.0
github.com/Shopify/goreferrer: 8cddb4f
github.com/andybalholm/brotli: v1.0.5
github.com/apapsch/go-jsonmerge/v2: v2.0.0
github.com/aymerick/douceur: v0.2.0
github.com/bmatcuk/doublestar: v1.1.1
github.com/bytedance/sonic: v1.10.0-rc3
github.com/chenzhuoyu/base64x: 296ad89
github.com/chenzhuoyu/iasm: v0.9.0
github.com/fatih/structs: v1.1.0
github.com/flosch/pongo2/v4: v4.0.2
github.com/gabriel-vasile/mimetype: v1.4.2
github.com/gin-contrib/sse: v0.1.0
github.com/gin-gonic/gin: v1.9.1
github.com/go-playground/locales: v0.14.1
github.com/go-playground/universal-translator: v0.18.1
github.com/go-playground/validator/v10: v10.14.1
github.com/goccy/go-json: v0.10.2
github.com/gomarkdown/markdown: 531d2d7
github.com/gorilla/css: v1.0.0
github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus: v1.0.1
github.com/grpc-ecosystem/go-grpc-middleware/v2: v2.3.0
github.com/iris-contrib/schema: v0.0.6
github.com/juju/gnuflag: 2ce1bb7
github.com/kataras/blocks: v0.0.7
github.com/kataras/golog: v0.1.9
github.com/kataras/iris/v12: v12.2.5
github.com/kataras/pio: v0.0.12
github.com/kataras/sitemap: v0.0.6
github.com/kataras/tunnel: v0.0.4
github.com/klauspost/cpuid/v2: v2.2.5
github.com/leodido/go-urn: v1.2.4
github.com/mailgun/raymond/v2: v2.0.48
github.com/microcosm-cc/bluemonday: v1.0.25
github.com/oapi-codegen/runtime: v1.0.0
github.com/pelletier/go-toml/v2: v2.0.9
github.com/schollz/closestmatch: v2.1.0+incompatible
github.com/spkg/bom: 59b7046
github.com/tdewolff/minify/v2: v2.12.8
github.com/tdewolff/parse/v2: v2.6.7
github.com/twitchyliquid64/golang-asm: v0.15.1
github.com/ugorji/go/codec: v1.2.11
github.com/vmihailenco/msgpack/v5: v5.3.5
github.com/vmihailenco/tagparser/v2: v2.0.0
github.com/yosssi/ace: v0.0.5
go.etcd.io/raft/v3: v3.6.0
golang.org/x/arch: v0.4.0
sigs.k8s.io/structured-merge-diff/v6: v6.3.0

Changed

cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
github.com/BurntSushi/toml: v0.3.1 → v1.3.2
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
github.com/alecthomas/units: b94a6e3 → 0f3dac3
github.com/cncf/xds/go: 2ac532f → 0feb691
github.com/emicklei/go-restful/v3: v3.12.1 → v3.12.2
github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
github.com/fsnotify/fsnotify: v1.7.0 → v1.9.0...

🚨 Breaking or Notable Changes

Metrics and Tracing

In v1.19 we've dropped support for OpenCensus (which has been deprecated for a while) in favour of OpenTelemetry. This is a breaking change and details are documented here in the design document. and the website (https://knative.dev/docs/serving/observability/metrics/collecting-metrics/)

Secure Pod Defaults (#16042, @nader-ziada)

We've introduce secure-pod-defaults in an earlier release but this release includes a new setting AllowRootBounded that offers a better security posture for your workloads but balances the compatibility with images that require/expect you to run as root.

For v1.20 release the secure-pod-defaults default will remain disabled but in a future release (most likely v1.21) we will switch this default to AllowRootBounded.

If you're unsure whether your workloads will support this new setting you should explicitly set this option to disabled prior to upgrading to v1.21.

What's Changed

[release-1.20] fix sub-second precision metric reporting by @knative-prow-robot in #16359

Full Changelog: knative-v1.20.1...knative-v1.20.2

v1.20.1

🚨 Breaking or Notable Changes

Metrics and Tracing

Secure Pod Defaults (#16042, @nader-ziada)

For v1.20 release the secure-pod-defaults default will remain disabled but in a future release (most likely v1.21) we will switch this default to AllowRootBounded.

If you're unsure whether your workloads will support this new setting you should explicitly set this option to disabled prior to upgrading to v1.21.

What's Changed

[release-1.20] Fix Serving Metric Names to match Design Document by @knative-prow-robot in #16293
[release-1.20] Make autoscaler instrument async so we can remove metric attributes when revisions go away by @knative-prow-robot in #16302
[release-1.20] Preserve deployment and its template labels and annotations by @knative-prow-robot in #16303
[release-1.20] Suppress 'default value insecure' warning when secure-pod-defaults is enabled. by @knative-prow-robot in #16220
[release-1.20] Upgrade to latest dependencies by @knative-automation in #16319

Full Changelog: knative-v1.20.0...knative-v1.20.1

v1.19.8

v1.20.0

🚨 Breaking or Notable Changes

Metrics and Tracing

Secure Pod Defaults (#16042, @nader-ziada)

For v1.20 release the secure-pod-defaults default will remain disabled but in a future release (most likely v1.21) we will switch this default to AllowRootBounded.

If you're unsure whether your workloads will support this new setting you should explicitly set this option to disabled prior to upgrading to v1.21.

For more information see the documentation and reach out if you foresee issues in your testing.

💫 New Features & Changes

Create a new value for secure-pod-defaults: AllowRootBounded
- when AllowRootBounded, defaults SeccompProfile and Capabilities if nil
- when enabled sets RunAsNonRoot to true if not already specified (#16042, @nader-ziada)
Made it possible to configure the httputil.ReverseProxy or add http.Handlers to queue-proxy in out-of-tree builds. (#16097, @mbaynton)
Podspec-dryrun feature flag has been removed. Dry run validation will now occur when a user opts into it using kubectl apply --dry-run=server (#16008, @Alexander-Kita)
Add distinct logging for timeout types by @thiagomedina in #16109
drop unnecessary 'kn.activator.proxy' metric/span attribute by @dprotaso in #16045
bump Istio to v1.27 and Contour to v1.33 by @dprotaso in #16099
Keep queue-proxy admin server on HTTP for PreStop hooks by @Fedosin in #16163

🐞Bug Fixes

Fix min-scale transition by @dprotaso in #16094
Add initialize conditions to MakePA to avoid potential race conditions by @nader-ziada in #16037
For orphaned certificates if we have an issue listing just log the error by @dprotaso in #16096
Fix queue proxy user metrics port by @dprotaso in #16018
drop unused metrics domain env var by @dprotaso in #16019
fix otelhttp setup in activator by @dprotaso in #16044
Drop probe tracing in queue-proxy by @dprotaso in #16048
Adjust queue proxy metric attributes by @dprotaso in #16049
Serving Metric Tweaks by @dprotaso in #16062
Fix: PodAutoscaler not reconciled due to missing class annotation by @nader-ziada in #16141

New Contributors

@Alexander-Kita made their first contribution in #16008
@mbaynton made their first contribution in #16097
@thiagomedina made their first contribution in #16109
@ali-a-a made their first contribution in #16201

Dependencies

Added

github.com/prometheus/otlptranslator: v1.0.0
golang.org/x/tools/go/expect: v0.1.1-deprecated
golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated

Changed

cel.dev/expr: v0.23.0 → v0.24.0
cloud.google.com/go/compute/metadata: v0.6.0 → v0.7.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.27.0 → v1.29.0
github.com/cenkalti/backoff/v5: v5.0.2 → v5.0.3
github.com/census-instrumentation/opencensus-proto: v0.4.1 → v0.2.1
github.com/cncf/xds/go: ae57f3c → 2ac532f
github.com/go-jose/go-jose/v4: v4.0.5 → v4.1.1
github.com/golang/glog: v1.2.4 → v1.2.5
github.com/grpc-ecosystem/grpc-gateway/v2: v2.27.1 → v2.27.2
github.com/prometheus/client_golang: v1.22.0 → v1.23.2
github.com/prometheus/common: v0.65.0 → v0.66.1
github.com/prometheus/procfs: v0.16.1 → v0.17.0
github.com/spf13/pflag: v1.0.6 → v1.0.10
github.com/stretchr/testify: v1.10.0 → v1.11.1
go.opentelemetry.io/contrib/detectors/gcp: v1.35.0 → v1.36.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.62.0 → v0.63.0
go.opentelemetry.io/contrib/instrumentation/runtime: v0.62.0 → v0.63.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc: v1.37.0 → v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp: v1.37.0 → v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.37.0 → v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.37.0 → v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.37.0 → v1.38.0
go.opentelemetry.io/otel/exporters/prometheus: v0.59.0 → v0.60.0
go.opentelemetry.io/otel/exporters/stdout/stdouttrace: v1.37.0 → v1.38.0
go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
go.opentelemetry.io/otel: v1.37.0 → v1.38.0
go.opentelemetry.io/proto/otlp: v1.7.0 → v1.7.1
go.yaml.in/yaml/v3: v3.0.3 → v3.0.4
golang.org/x/crypto: v0.39.0 → v0.43.0
golang.org/x/mod: v0.25.0 → v0.29.0
golang.org/x/net: v0.41.0 → v0.46.0
golang.org/x/sync: v0.15.0 → v0.17.0
golang.org/x/sys: v0.33.0 → v0.37.0
golang.org/x/telemetry: bda5523 → 078029d
golang.org/x/term: v0.32.0 → v0.36.0
golang.org/x/text: v0.26.0 → v0.30.0
golang.org/x/tools: v0.34.0 → v0.38.0
gonum.org/v1/gonum: 3f7ecaa → v0.16.0
google.golang.org/genproto/googleapis/api: 513f239 → c5933d9
google.golang.org/genproto/googleapis/rpc: 513f239 → c5933d9
google.golang.org/grpc: v1.73.0 → v1.75.0
google.golang.org/protobuf: v1.36.6 → v1.36.8
k8s.io/api: v0.33.1 → v0.33.5
k8s.io/apiextensions-apiserver: v0.33.1 → v0.33.5
k8s.io/apimachinery: v0.33.1 → v0.33.5
k8s.io/apiserver: v0.33.1 → v0.33.5
k8s.io/client-go: v0.33.1 → v0.33.5
k8s.io/code-generator: v0.33.1 → v0.33.5
k8s.io/component-base: v0.33.1 → v0.33.5
k8s.io/kms: v0.33.1 → v0.33.5
knative.dev/caching: fd36b19 → 09d3ca0
knative.dev/hack: 70d4b00 → 4fae780
knative.dev/networking: edb1a4a → 0bde191
knative.dev/pkg: 19d3cc2 → 7bf6feb
sigs.k8s.io/yaml: v1.5.0 → v1.6.0

Removed

contrib.go.opencensus.io/exporter/ocagent: 05415f1
contrib.go.opencensus.io/exporter/prometheus: v0.4.2
contrib.go.opencensus.io/exporter/zipkin: v0.1.2
github.com/go-kit/log: v0.2.1
github.com/go-logfmt/logfmt: v0.5.1
github.com/openzipkin/zipkin-go: v0.4.3
github.com/prometheus/statsd_exporter: v0.22.7

Full Changelog: knative-v1.19.0...knative-v1.20.0

v1.21.2

🚨 Breaking or Notable Changes

Secure Pod Defaults (#16042, @nader-ziada)

What's Changed

v1.21.1

🚨 Breaking or Notable Changes

Secure Pod Defaults (#16042, @nader-ziada)

What's Changed

v1.20.3

v1.19.9

v1.21.0

🚨 Breaking or Notable Changes

Secure Pod Defaults (#16042, @nader-ziada)

💫 New Features & Changes

🐞Bug Fixes

New Contributors

Dependencies

v1.20.2

🚨 Breaking or Notable Changes

Metrics and Tracing

Secure Pod Defaults (#16042, @nader-ziada)

What's Changed

v1.20.1

🚨 Breaking or Notable Changes

Metrics and Tracing

Secure Pod Defaults (#16042, @nader-ziada)

What's Changed

v1.19.8

v1.20.0

🚨 Breaking or Notable Changes

Metrics and Tracing

Secure Pod Defaults (#16042, @nader-ziada)

💫 New Features & Changes

🐞Bug Fixes

New Contributors

Dependencies

v1.19.7