v1.9.3

Changes since 1.9.2

• Our queue proxy shutdown now performs a graceful shutdown (#13829, @dprotaso)

🚨 Notable

• Min K8s Version is v1.24+ - see our release schedule for EOL dates

Knative Serving release v1.8.6

Changes since 1.8.5

• Queue Proxy now performs a graceful shutdown (#13836, @dprotaso)

v1.9.2

Changes since 1.9.1

Rebuilt with go1.19.6 to address CVEs

• https://github.com/golang/go/issues?q=milestone%3AGo1.19.6+label%3ACherryPickApproved

🚨 Notable

• Min K8s Version is v1.24+ - see our release schedule for EOL dates

v1.8.5

Changes since 1.8.4

Rebuilt with go1.19.6 to address CVEs

• https://github.com/golang/go/issues?q=milestone%3AGo1.19.6+label%3ACherryPickApproved

v1.9.1

Changes since 1.9.0

Bumped dependencies to address CVEs

• https://pkg.go.dev/vuln/GO-2023-1571
• https://pkg.go.dev/vuln/GO-2023-1495
• https://pkg.go.dev/vuln/GO-2022-1144

🚨 Notable

• Min K8s Version is v1.24+ - see our release schedule for EOL dates

v1.8.4

tags: Release Notes Serving

Changes since 1.8.3

Bumped dependencies to address CVEs

• https://pkg.go.dev/vuln/GO-2023-1571
• https://pkg.go.dev/vuln/GO-2023-1495
• https://pkg.go.dev/vuln/GO-2022-1144

Changes since 1.8.2

• Rebuilt with go1.19.4 - see CVE details https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU

Changes since 1.8.1

• Bump apiVersion of the webhook's HorizontalPodAutoscaler to autoscaling/v2 (#13521, @psschwei)

Changes since 1.8.0

• Upgrade HPA webhook to autoscaling/v2 API version (#13411, @psschwei)
• We reverted #13376 - SettingSeccompProfile to RunTimeDefault on the queue-proxy sidecar. This seems to break older OpenShift versions and GKE workloads running on gVisor. We will make this option configurable in the future.
  • See gVisor/GKE issue (google/gvisor#8248, https://issuetracker.google.com/issues/260968397) to allow this value
• Scaling to zero now works when target-burst-capacity is zero. (#13503, @dprotaso)
• Fix a nil pointer panic in the queue proxy when draining (knative/pkg#2645, @dprotaso)

Changelog since 1.7

🚨 Breaking or Notable

• Uses the cluster domain suffix svc.cluster.local as the default domain. As routes using the cluster domain suffix are not exposed through Ingress, users will need to configure DNS in order to expose their services (most users probably already are). (#13259, @psschwei)
• Upgrade HorizontalPodAutoscaler to autoscaling/v2 API version (#13337, @nader-ziada)
• Services may now set seccompProfile in SecurityContext to allow users to comply with the restricted Pod Security Standards best-practice (#13401, @evankanderson)
• Bump min-version to k8s 1.23, so removing kind 1.22 testing (#13357, @nader-ziada)
• Increase the outbound context deadline in reconcilers to 30s (from 10s) to match the maximum K8s webhook timeout. (#13323, @mattmoor)

💫 New Features & Changes

• Add timeout handling in Activator when processing a request for a revision (#13261, @nader-ziada)
• EmptyDir volumes feature flag is now enabled by default (#13405, @dprotaso)
• Save data from perf tests to create a dashboard. (#13192, @nader-ziada)

Bug or Regression

• Knative services can now specify securityContext.allowPrivilegeEscalation (#13395, @mattmoor)
• ConfigMap config-defaults property revision-response-start-timeout-seconds now defaults to revision-timeout-seconds. This should unblock upgrades who set revision-timeout-seconds lower than the default value of 300 (#13255, @dprotaso)
• Fix LatestReadyRevision semantics so it only advances forward. When a Revision fails the Configuration & Route will no longer fall back to older revision. The exception is when you rollback to a Revision that is explicitly named. (#13239, @dprotaso)

Dependencies

Added

• github.com/armon/go-socks5: e753329
• github.com/cyberdelia/templates: ca7fffd
• github.com/deepmap/oapi-codegen: v1.8.2
• github.com/emicklei/go-restful/v3: v3.8.0
• github.com/go-chi/chi/v5: v5.0.0
• github.com/google/gnostic: v0.5.7-v3refs
• github.com/influxdata/influxdb-client-go/v2: v2.9.0
• github.com/influxdata/line-protocol: 2487e72
• github.com/labstack/echo/v4: v4.2.1
• github.com/labstack/gommon: v0.3.0
• github.com/matryer/moq: 6cfb055
• github.com/onsi/ginkgo/v2: v2.1.6
• github.com/valyala/fasttemplate: v1.2.1

Changed

• github.com/Azure/go-autorest/autorest/adal: v0.9.18 → v0.9.20
• github.com/Azure/go-autorest/autorest/mocks: v0.4.1 → v0.4.2
• github.com/Azure/go-autorest/autorest: v0.11.24 → v0.11.27
• github.com/antlr/antlr4/runtime/Go/antlr: b48c857 → f25a4f6
• github.com/cloudevents/sdk-go/v2: v2.4.1 → v2.12.0
• github.com/cockroachdb/datadriven: bf6692d → 80d97fb
• github.com/creack/pty: v1.1.11 → v1.1.9
• github.com/envoyproxy/go-control-plane: cf90f65 → 49ff273
• github.com/go-logr/logr: v1.2.2 → v1.2.3
• github.com/google/cel-go: v0.9.0 → v0.12.5
• github.com/google/go-cmp: v0.5.7 → v0.5.8
• github.com/onsi/gomega: v1.16.0 → v1.20.1
• github.com/prometheus/client_golang: v1.11.1 → v1.12.1
• github.com/spf13/cobra: v1.3.0 → v1.4.0
• github.com/stretchr/testify: v1.7.0 → v1.8.0
• github.com/yuin/goldmark: v1.4.1 → v1.4.13
• go.etcd.io/etcd/api/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/client/pkg/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/client/v2: v2.305.0 → v2.305.4
• go.etcd.io/etcd/client/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/pkg/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/raft/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/server/v3: v3.5.0 → v3.5.4
• golang.org/x/crypto: 8634188 → 3147a52
• golang.org/x/mod: v0.5.1 → 86c51ed
• golang.org/x/net: 27dd868 → a158d28
• golang.org/x/sys: 4e6760a → 8c9f86f
• golang.org/x/tools: v0.1.9 → v0.1.12
• google.golang.org/genproto: 1ac2ace → c8bf987
• google.golang.org/grpc: v1.44.0 → v1.47.0
• google.golang.org/protobuf: v1.27.1 → v1.28.0
• k8s.io/api: v0.23.9 → v0.25.2
• k8s.io/apiextensions-apiserver: v0.23.9 → v0.25.2
• k8s.io/apimachinery: v0.23.9 → v0.25.2
• k8s.io/apiserver: v0.23.9 → v0.25.2
• k8s.io/client-go: v0.23.9 → v0.25.2
• k8s.io/code-generator: v0.23.9 → v0.25.2
• k8s.io/component-base: v0.23.9 → v0.25.2
• k8s.io/kube-openapi: 4241196 → 67bda5d
• k8s.io/utils: 3a6ce19 → ee6ede2
• knative.dev/caching: 9df7bb7 → ce26e92
• knative.dev/control-protocol: f18dbde → 3e2f878
• knative.dev/hack: 8d1e4cc → 3fdc50b
• knative.dev/networking: e51df7c → 58f3e62
• knative.dev/pkg: 4a03844 → 714b763
• knative.dev/reconciler-test: 177f826 → 090970c
• sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.30 → v0.0.32
• sigs.k8s.io/json: 9f7c6b3 → f223a00
• sigs.k8s.io/structured-merge-diff/v4: v4.2.1 → v4.2.3

Removed

• github.com/Azure/go-ansiterm: d185dfc
• github.com/blang/semver: v3.5.1+incompatible
• github.com/certifi/gocertifi: 2c3bb06
• github.com/cockroachdb/errors: v1.2.4
• github.com/cockroachdb/logtags: eb05cc2
• github.com/coreos/go-oidc: v2.1.0+incompatible
• github.com/emicklei/go-restful: v2.9.5+incompatible
• github.com/getsentry/raven-go: v0.2.0
• github.com/go-logr/zapr: v1.2.0
• github.com/google/cel-spec: v0.6.0
• github.com/moby/term: 9d4ed18
• github.com/pquerna/cachecontrol: 0dec1b3
• go.opentelemetry.io/otel/oteltest: v0.20.0
• gopkg.in/square/go-jose.v2: v2.2.2

v1.9.0

Release notes for Serving 1.9

tags: Release Notes Serving

Changelog since 1.8

🚨 Breaking or Notable

• Min K8s Version is v1.24+ - see our release schedule for EOL dates

💫 New Features & Changes

• Knative will now warn (but not error) when creating or updating a PodSpec
  where containers have additional privilege due to unset SecurityContext values.
  Explicitly setting these values to any setting, including high-privilege ones,
  will disable this warning.

  These fields are:

  • runAsNonRoot (empty means false)
  • allowPrivilegeEscalation (empty means true)
  • seccompProfile.type (empty string means Unconfined)
  • capabilities.drop (default maintains privileges, use ALL to drop unneeded linux capabilities) (#13399, @evankanderson)

• Adds the secure-pod-defaults feature, which is defaulted to Disabled in
  this release.

  When enabled, containers described by users will have best-practice
  SecurityContext features enabled unless insecure settings are specifically
  requested. (#13398, @evankanderson)

• Work around for cert-manager not allowing us to create certs for 64+ bytes name ksvc (#13569, @KauzClay)

• Autoscaler now runs a single leader election go routine (#13585, @dprotaso)

Small fixes

• Add app label to Service selector for webhook and domainmapping-webhook. (#13265, @a7i)
• Upgrade tests now stream logs from user and system namespace. The logs are printed on failure. (#13587, @mgencur)

Bug or Regression

• Changes to Pod or Revision-level defaults during Knative upgrades will no longer be attempted (and failed) when supplying your own Revision name. (#13565, @evankanderson)

Dependencies

Added

Nothing has changed.

Changed

• go.uber.org/goleak: v1.1.12 → v1.2.0
• k8s.io/api: v0.25.2 → v0.25.4
• k8s.io/apiextensions-apiserver: v0.25.2 → v0.25.4
• k8s.io/apimachinery: v0.25.2 → v0.25.4
• k8s.io/apiserver: v0.25.2 → v0.25.4
• k8s.io/client-go: v0.25.2 → v0.25.4
• k8s.io/code-generator: v0.25.2 → v0.25.4
• k8s.io/component-base: v0.25.2 → v0.25.4
• k8s.io/gengo: 397b4ae → fad74ee
• k8s.io/klog/v2: 0990e81 → 9ae4992
• k8s.io/utils: ee6ede2 → 8e77b1f
• knative.dev/caching: ce26e92 → 7a31fde
• knative.dev/control-protocol: 3e2f878 → cffe208
• knative.dev/hack: 3fdc50b → c7cfcb0
• knative.dev/networking: 58f3e62 → db2bcbe
• knative.dev/pkg: b78020c → 247510c
• knative.dev/reconciler-test: 090970c → 894bc70
• sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.32 → v0.0.33

Removed

Nothing has changed.

Serving v1.8.3

tags: Release Notes Serving

Changes since 1.8.2

• Rebuilt with go1.19.4 - see CVE details https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU

Changes since 1.8.1

• Bump apiVersion of the webhook's HorizontalPodAutoscaler to autoscaling/v2 (#13521, @psschwei)

Changes since 1.8.0

• Upgrade HPA webhook to autoscaling/v2 API version (#13411, @psschwei)
• We reverted #13376 - SettingSeccompProfile to RunTimeDefault on the queue-proxy sidecar. This seems to break older OpenShift versions and GKE workloads running on gVisor. We will make this option configurable in the future.
  • See gVisor/GKE issue (google/gvisor#8248, https://issuetracker.google.com/issues/260968397) to allow this value
• Scaling to zero now works when target-burst-capacity is zero. (#13503, @dprotaso)
• Fix a nil pointer panic in the queue proxy when draining (knative/pkg#2645, @dprotaso)

Changelog since 1.7

🚨 Breaking or Notable

• Uses the cluster domain suffix svc.cluster.local as the default domain. As routes using the cluster domain suffix are not exposed through Ingress, users will need to configure DNS in order to expose their services (most users probably already are). (#13259, @psschwei)
• Upgrade HorizontalPodAutoscaler to autoscaling/v2 API version (#13337, @nader-ziada)
• Services may now set seccompProfile in SecurityContext to allow users to comply with the restricted Pod Security Standards best-practice (#13401, @evankanderson)
• Bump min-version to k8s 1.23, so removing kind 1.22 testing (#13357, @nader-ziada)
• Increase the outbound context deadline in reconcilers to 30s (from 10s) to match the maximum K8s webhook timeout. (#13323, @mattmoor)

💫 New Features & Changes

• Add timeout handling in Activator when processing a request for a revision (#13261, @nader-ziada)
• EmptyDir volumes feature flag is now enabled by default (#13405, @dprotaso)
• Save data from perf tests to create a dashboard. (#13192, @nader-ziada)

Bug or Regression

• Knative services can now specify securityContext.allowPrivilegeEscalation (#13395, @mattmoor)
• ConfigMap config-defaults property revision-response-start-timeout-seconds now defaults to revision-timeout-seconds. This should unblock upgrades who set revision-timeout-seconds lower than the default value of 300 (#13255, @dprotaso)
• Fix LatestReadyRevision semantics so it only advances forward. When a Revision fails the Configuration & Route will no longer fall back to older revision. The exception is when you rollback to a Revision that is explicitly named. (#13239, @dprotaso)

Dependencies

Added

• github.com/armon/go-socks5: e753329
• github.com/cyberdelia/templates: ca7fffd
• github.com/deepmap/oapi-codegen: v1.8.2
• github.com/emicklei/go-restful/v3: v3.8.0
• github.com/go-chi/chi/v5: v5.0.0
• github.com/google/gnostic: v0.5.7-v3refs
• github.com/influxdata/influxdb-client-go/v2: v2.9.0
• github.com/influxdata/line-protocol: 2487e72
• github.com/labstack/echo/v4: v4.2.1
• github.com/labstack/gommon: v0.3.0
• github.com/matryer/moq: 6cfb055
• github.com/onsi/ginkgo/v2: v2.1.6
• github.com/valyala/fasttemplate: v1.2.1

Changed

• github.com/Azure/go-autorest/autorest/adal: v0.9.18 → v0.9.20
• github.com/Azure/go-autorest/autorest/mocks: v0.4.1 → v0.4.2
• github.com/Azure/go-autorest/autorest: v0.11.24 → v0.11.27
• github.com/antlr/antlr4/runtime/Go/antlr: b48c857 → f25a4f6
• github.com/cloudevents/sdk-go/v2: v2.4.1 → v2.12.0
• github.com/cockroachdb/datadriven: bf6692d → 80d97fb
• github.com/creack/pty: v1.1.11 → v1.1.9
• github.com/envoyproxy/go-control-plane: cf90f65 → 49ff273
• github.com/go-logr/logr: v1.2.2 → v1.2.3
• github.com/google/cel-go: v0.9.0 → v0.12.5
• github.com/google/go-cmp: v0.5.7 → v0.5.8
• github.com/onsi/gomega: v1.16.0 → v1.20.1
• github.com/prometheus/client_golang: v1.11.1 → v1.12.1
• github.com/spf13/cobra: v1.3.0 → v1.4.0
• github.com/stretchr/testify: v1.7.0 → v1.8.0
• github.com/yuin/goldmark: v1.4.1 → v1.4.13
• go.etcd.io/etcd/api/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/client/pkg/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/client/v2: v2.305.0 → v2.305.4
• go.etcd.io/etcd/client/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/pkg/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/raft/v3: v3.5.0 → v3.5.4
• go.etcd.io/etcd/server/v3: v3.5.0 → v3.5.4
• golang.org/x/crypto: 8634188 → 3147a52
• golang.org/x/mod: v0.5.1 → 86c51ed
• golang.org/x/net: 27dd868 → a158d28
• golang.org/x/sys: 4e6760a → 8c9f86f
• golang.org/x/tools: v0.1.9 → v0.1.12
• google.golang.org/genproto: 1ac2ace → c8bf987
• google.golang.org/grpc: v1.44.0 → v1.47.0
• google.golang.org/protobuf: v1.27.1 → v1.28.0
• k8s.io/api: v0.23.9 → v0.25.2
• k8s.io/apiextensions-apiserver: v0.23.9 → v0.25.2
• k8s.io/apimachinery: v0.23.9 → v0.25.2
• k8s.io/apiserver: v0.23.9 → v0.25.2
• k8s.io/client-go: v0.23.9 → v0.25.2
• k8s.io/code-generator: v0.23.9 → v0.25.2
• k8s.io/component-base: v0.23.9 → v0.25.2
• k8s.io/kube-openapi: 4241196 → 67bda5d
• k8s.io/utils: 3a6ce19 → ee6ede2
• knative.dev/caching: 9df7bb7 → ce26e92
• knative.dev/control-protocol: f18dbde → 3e2f878
• knative.dev/hack: 8d1e4cc → 3fdc50b
• knative.dev/networking: e51df7c → 58f3e62
• knative.dev/pkg: 4a03844 → 714b763
• knative.dev/reconciler-test: 177f826 → 090970c
• sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.30 → v0.0.32
• sigs.k8s.io/json: 9f7c6b3 → f223a00
• sigs.k8s.io/structured-merge-diff/v4: v4.2.1 → v4.2.3

Removed

• github.com/Azure/go-ansiterm: d185dfc
• github.com/blang/semver: v3.5.1+incompatible
• github.com/certifi/gocertifi: 2c3bb06
• github.com/cockroachdb/errors: v1.2.4
• github.com/cockroachdb/logtags: eb05cc2
• github.com/coreos/go-oidc: v2.1.0+incompatible
• github.com/emicklei/go-restful: v2.9.5+incompatible
• github.com/getsentry/raven-go: v0.2.0
• github.com/go-logr/zapr: v1.2.0
• github.com/google/cel-spec: v0.6.0
• github.com/moby/term: 9d4ed18
• github.com/pquerna/cachecontrol: 0dec1b3
• go.opentelemetry.io/otel/oteltest: v0.20.0
• gopkg.in/square/go-jose.v2: v2.2.2

Serving v1.7.4

Changes since 1.7.3

• Rebuilt with go1.19.4 - see CVE details https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU

Changes since 1.7.2

• Scaling to zero now works when target-burst-capacity is zero. (#13503, @dprotaso)
• Fix a nil pointer panic in the queue proxy when draining (knative/pkg#2645, @dprotaso)

Changes since 1.6

🚨 Notable

Prior RevisionSpec.TimeoutSeconds would cause a request to timeout if the user container returned no response in the allotted time. This would allow for apps to return some data and then remain open forever indefinitely. This prior behaviour was not conformant to the Knative Serving API specification.

In this release we've fixed this behaviour and provided additional knobs to allow users greater control of various timings.

• Revision timeouts now has three knobs for users to control (#12970, @nader-ziada)
  • TimeoutSeconds represents the max duration a request can take
  • ResponseStartTimeoutSeconds is the timeout allowed before a request starts responding
  • IdleTimeoutSeconds is the max duration a request can remain open without getting any data.

💫 New Features & Changes

• Adds a autoscaling.knative.dev/activation-scale annotation that allows the user to set a minimum number of replicas when not scaled to zero. Note that the initial target scale for a revision is still handled by initial-scale; activation-scale will only apply on subsequent scales from zero. (#13161, @psschwei)

🐞Bug Fixes

• Allow upgrades if you revision-timeout-seconds in the ConfigMap config-defaults is configured below 300 (@dprotaso)
• Readiness probes no longer fail if the user container is restarted (due to a liveness probe failure) (#13229, @dprotaso)

🧹 Cleanup

• Building Knative Serving requires go v1.18 (#13169, @psschwei)
• Build commit SHA is no longer under kodata in our containers it is now embedded in the binary since we build with go1.18. Use go version -m [binary] to get the same information (#13130, @dprotaso)

Dependencies

Added

Nothing has changed.

Changed

• golang.org/x/sync: 036812b → 886fb93
• k8s.io/api: v0.23.8 → v0.23.9
• k8s.io/apiextensions-apiserver: v0.23.8 → v0.23.9
• k8s.io/apimachinery: v0.23.8 → v0.23.9
• k8s.io/apiserver: v0.23.8 → v0.23.9
• k8s.io/client-go: v0.23.8 → v0.23.9
• k8s.io/code-generator: v0.23.8 → v0.23.9
• k8s.io/component-base: v0.23.8 → v0.23.9
• k8s.io/gengo: 4627b89 → 397b4ae
• k8s.io/klog/v2: 43cc75f → 0990e81
• knative.dev/caching: 9c3c19f → 9df7bb7
• knative.dev/control-protocol: 827b25d → f18dbde
• knative.dev/hack: 65c463a → 8d1e4cc
• knative.dev/networking: f087178 → e51df7c
• knative.dev/pkg: e60d250 → 4a03844
• knative.dev/reconciler-test: f05db88 → 177f826

Removed

Nothing has changed.

Serving v1.6.3

Changes since 1.6.2

• Rebuilt with go1.19.4 - see CVE details https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU

Changes since 1.6.1

• Scaling to zero now works when target-burst-capacity is zero. (#13503, @dprotaso)

Changes since 1.5

Features

• API conformance no longer checks for scaling to zero in the presence of runtime probes (#13025, @mattmoor)
• CRD schemas have been updated and x-kubernetes-preserve-unknown-fields is now only specified for attributes behind feature flags (#13095, @dprotaso)
• HTTPRedirect feature is marked as stable. (#13084, @nak3)
• Our webhooks no longer reject unknown fields since they're pruned by the K8s API server (#13111, @dprotaso)
• Remove internal Prometheus stat reporter from queue-proxy (#12961, @nader-ziada)

Dependencies

Added

• github.com/cloudevents/sdk-go/v2: v2.4.1
• knative.dev/control-protocol: 827b25d
• knative.dev/reconciler-test: f05db88

Changed

• gopkg.in/yaml.v3: 496545a → v3.0.1
• k8s.io/api: v0.23.5 → v0.23.8
• k8s.io/apiextensions-apiserver: v0.23.4 → v0.23.8
• k8s.io/apimachinery: v0.23.5 → v0.23.8
• k8s.io/apiserver: v0.23.4 → v0.23.8
• k8s.io/client-go: v0.23.5 → v0.23.8
• k8s.io/code-generator: v0.23.5 → v0.23.8
• k8s.io/component-base: v0.23.4 → v0.23.8
• knative.dev/caching: c7b5b7d → 9c3c19f
• knative.dev/hack: 12d3e2a → 65c463a
• knative.dev/networking: 22d1b93 → f087178
• knative.dev/pkg: 19adf79 → e60d250
• sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.27 → v0.0.30

Removed

Nothing has changed.