v0.27.0

Changes by Kind

Breaking Change

• Release artifacts for ppc64le are no longer published (#3211, @embik)

Security

• Fix impersonation for non-system users (GHSA-c7xh-gjv4-4jgv) (#3206, @mjudeikis)
• Add additional authorizer to APIExport Virtual Workspace that queries APIBinding for authorization decisions (GHSA-w2rr-38wv-8rrp / CVE-2025-29922) (#3338, @embik)

API Change

• Expose the kcp e2e test framework through the SDK. (#3327, @sttts)
• Updated dependencies to be in line with Kubernetes v1.31.6 (#3307, @gman0)

Feature

• Pass through original identity of controllers accessing a logical cluster through the APIExport virtual workspace. To get the required permissions, a warrant mechanism is added through user extra fields that attaches secondary user identities purely used for authorization. (#3156, @sttts)
• Make APIExportEndpointSlices consumer aware (#3256, @mjudeikis)
• Add workspace phase reporter reconciler (#3183, @mjudeikis)
• Add the Unavailable phase to the API (#3183, @mjudeikis)
• Implement exclusion of Unavailable workspaces from serving via proxy to avoid serving something which is not supposed to be served. (#3183, @mjudeikis)
• Add OpenAPI v3 schema support to the Virtual Workspace framework (#3246, @xmudrii)
• Add --accept-permission-claim and --reject-permission-claim flag to kubectl kcp bind apiexport (#3334, @mjudeikis)
• Add original user/groups information as extra to the impersonating client used by virtual workspace. (#3155, @turkenh)
• Add support for external webhook authorization. (#3198, @xrstf)
• Add user info support for scopes through the extra key authentication.kcp.io/scopes: cluster:<name>,... to contain a user in a certain cluster. Multiple extra values are conjunctive, i.e. their intersection is the allowed scope. (#3235, @sttts)
• Enable structured authentication configuration from a file with —authentication-config flag. (#3295, @cnvergence)
• Enhance local development experience for VirtualWorkspaces, adding --mappings-file option for local dev (#3199, @mjudeikis)
• Provide --authorization-order flag that allows kcp administrator to tune the authorizer behaviour and rearrange the order. (#3281, @cnvergence)
• Provide a feature gate GlobalServiceAccount that enables cross-workspace ServiceAccount authorization (requires --service-account-lookup=false in sharded environments). (#3328, @cnvergence)
• Replicate APIExportEndpointSlices to cache server (#3277, @mjudeikis)

Bug or Regression

• Fix critical race condition between APIBindings and CRDs potentially allowing the same resource to be bound by multiple bindings or CRDs, leading to data loss or inconsistent state. (#3251, @sttts)
• Fix external modifications to annotations being reverted by admission webhook (#3229, @ntnn)
• Add additional validation for impersonation to prevent groups and extras privileged impersonations. (#3243, @mjudeikis)
• Fix regression in DeepCopy generator (#3188, @mjudeikis)
• Purposefully crash if leader election was won but controllers failed to install, allowing another instance to take leadership (#3196, @embik)
• Update kcp start options to print to stdout (#3237, @jmcshane)

Other (Cleanup or Flake)

• Add wget to final image (#3240, @mjudeikis)
• Build apigen binary on releases (#3326, @mjudeikis)
• Crd-puller will generate files with 0644 permissions instead of 0777. (#3319, @xrstf)
• Update golangci-lint to 1.26.2, remove dependency on standalone staticcheck binary (#3208, @xrstf)
• kcp is built with Go 1.23.7 (#3331, @embik)
• kcp is built with Go 1.22.10 (#3212, @embik)
• kcp is built with Go 1.22.9 (#3200, @embik)

Dependencies

Added

• github.com/kcp-dev/embeddedetcd: v1.0.2

Changed

• github.com/go-openapi/jsonpointer: v0.19.6 → v0.21.0
• github.com/go-openapi/jsonreference: v0.20.2 → v0.21.0
• github.com/go-openapi/swag: v0.22.4 → v0.23.0
• github.com/google/gnostic-models: v0.6.8 → v0.6.9
• github.com/kcp-dev/apimachinery/v2: a9eb975 → 431177b
• github.com/kcp-dev/client-go: f5949d8 → 3dea338
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/api: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiextensions-apiserver: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apimachinery: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/apiserver: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cli-runtime: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/client-go: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cloud-provider: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cluster-bootstrap: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/code-generator: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-base: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/component-helpers: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/controller-manager: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-api: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/cri-client: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/csi-translation-lib: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/dynamic-resource-allocation: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/endpointslice: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kms: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-aggregator: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-controller-manager: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-proxy: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kube-scheduler: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubectl: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/kubelet: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/metrics: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/mount-utils: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/pod-security-admission: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes/staging/src/k8s.io/sample-apiserver: ab5c3a6 → 0011b8c
• github.com/kcp-dev/kubernetes: ab5c3a6 → 0011b8c
• github.com/mailru/easyjson: v0.7.7 → v0.9.0
• github.com/spf13/pflag: d5e0c06 → v1.0.6
• golang.org/x/crypto: v0.24.0 → v0.35.0
• golang.org/x/mod: v0.17.0 → v0.23.0
• golang.org/x/net: v0.26.0 → v0.36.0
• golang.org/x/sync: v0.7.0 → v0.11.0
• golang.org/x/sys: v0.21.0 → v0.30.0
• golang.org/x/telemetry: f48c80b → bda5523
• golang.org/x/term: v0.21.0 → v0.29.0
• golang.org/x/text: v0.16.0 → v0.22.0
• golang.org/x/tools: e35e4cc → v0.30.0
• google.golang.org/protobuf: v1.34.2 → v1.36.5

Removed

• github.com/kr/pty: v1.1.1