Pull Kubernetes v1.33.5

.go-version

@@ -1 +1 @@
-1.24.4
+1.24.6

build/build-image/cross/VERSION

@@ -1 +1 @@
-v1.33.0-go1.24.4-bullseye.0
+v1.33.0-go1.24.6-bullseye.0

build/common.sh

@@ -97,8 +97,8 @@ readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}"
 readonly KUBE_CONTAINER_RSYNC_PORT=8730
 
 # These are the default versions (image tags) for their respective base images.
-readonly __default_distroless_iptables_version=v0.7.6
-readonly __default_go_runner_version=v2.4.0-go1.24.4-bookworm.0
+readonly __default_distroless_iptables_version=v0.7.8
+readonly __default_go_runner_version=v2.4.0-go1.24.6-bookworm.0
 readonly __default_setcap_version=bookworm-v1.0.4
 
 # These are the base images for the Docker-wrapped binaries.

build/dependencies.yaml

@@ -116,7 +116,7 @@ dependencies:
 
   # Golang
   - name: "golang: upstream version"
-    version: 1.24.4
+    version: 1.24.6
     refPaths:
     - path: .go-version
     - path: build/build-image/cross/VERSION
@@ -139,7 +139,7 @@ dependencies:
       match: minimum_go_version=go([0-9]+\.[0-9]+)
 
   - name: "registry.k8s.io/kube-cross: dependents"
-    version: v1.33.0-go1.24.4-bullseye.0
+    version: v1.33.0-go1.24.6-bullseye.0
     refPaths:
     - path: build/build-image/cross/VERSION
 
@@ -177,15 +177,15 @@ dependencies:
       match: registry\.k8s\.io\/build-image\/debian-base:[a-zA-Z]+\-v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)
 
   - name: "registry.k8s.io/distroless-iptables: dependents"
-    version: v0.7.6
+    version: v0.7.8
     refPaths:
     - path: build/common.sh
       match: __default_distroless_iptables_version=
     - path: test/utils/image/manifest.go
       match: configs\[DistrolessIptables\] = Config{list\.BuildImageRegistry, "distroless-iptables", "v([0-9]+)\.([0-9]+)\.([0-9]+)"}
 
   - name: "registry.k8s.io/go-runner: dependents"
-    version: v2.4.0-go1.24.4-bookworm.0
+    version: v2.4.0-go1.24.6-bookworm.0
     refPaths:
     - path: build/common.sh
       match: __default_go_runner_version=

cmd/kubeadm/app/util/config/initconfiguration.go

@@ -381,6 +381,11 @@ func documentMapToInitConfiguration(gvkmap kubeadmapi.DocumentMap, allowDeprecat
 	// If ClusterConfiguration was given, populate it in the InitConfiguration struct
 	if clustercfg != nil {
 		initcfg.ClusterConfiguration = *clustercfg
+
+		// TODO: Workaround for missing v1beta3 ClusterConfiguration timeout conversion. Remove this conversion once the v1beta3 is removed
+		if clustercfg.APIServer.TimeoutForControlPlane.Duration != 0 && clustercfg.APIServer.TimeoutForControlPlane.Duration != kubeadmconstants.ControlPlaneComponentHealthCheckTimeout {
+			initcfg.Timeouts.ControlPlaneComponentHealthCheck.Duration = clustercfg.APIServer.TimeoutForControlPlane.Duration
+		}
 	} else {
 		// Populate the internal InitConfiguration.ClusterConfiguration with defaults
 		extclustercfg := &kubeadmapiv1.ClusterConfiguration{}

pkg/controller/volume/selinuxwarning/cache/volumecache_test.go

@@ -345,7 +345,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 			expectedConflicts: []Conflict{},
 		},
 		{
-			name:        "existing volume in a new pod with existing policy and new incomparable label (missing categories)",
+			name:        "existing volume in a new pod with existing policy and new comparable label (missing categories)",
 			initialPods: existingPods,
 			podToAdd: podWithVolume{
 				podNamespace: "testns",
@@ -354,7 +354,16 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				label:        "system_u:system_r:label7",
 				changePolicy: v1.SELinuxChangePolicyMountOption,
 			},
-			expectedConflicts: []Conflict{},
+			expectedConflicts: []Conflict{
+				{
+					PropertyName:       "SELinuxLabel",
+					EventReason:        "SELinuxLabelConflict",
+					Pod:                cache.ObjectName{Namespace: "testns", Name: "testpod"},
+					PropertyValue:      "system_u:system_r:label7",
+					OtherPod:           cache.ObjectName{Namespace: "ns7", Name: "pod7"},
+					OtherPropertyValue: "::label7:c0,c1",
+				},
+			},
 		},
 		{
 			name:        "existing volume in a new pod with existing policy and new incomparable label (missing everything)",
@@ -368,6 +377,27 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 			},
 			expectedConflicts: []Conflict{},
 		},
+		{
+			name:        "existing volume in a new pod with existing policy and new comparable label (missing everything but categories)",
+			initialPods: existingPods,
+			podToAdd: podWithVolume{
+				podNamespace: "testns",
+				podName:      "testpod",
+				volumeName:   "vol8",
+				label:        "system_u:system_r:label8:c0,c1",
+				changePolicy: v1.SELinuxChangePolicyMountOption,
+			},
+			expectedConflicts: []Conflict{
+				{
+					PropertyName:       "SELinuxLabel",
+					EventReason:        "SELinuxLabelConflict",
+					Pod:                cache.ObjectName{Namespace: "testns", Name: "testpod"},
+					PropertyValue:      "system_u:system_r:label8:c0,c1",
+					OtherPod:           cache.ObjectName{Namespace: "ns8", Name: "pod8"},
+					OtherPropertyValue: "",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/controller/volume/selinuxwarning/translator/selinux_translator.go

@@ -60,12 +60,15 @@ func (c *ControllerSELinuxTranslator) SELinuxOptionsToFileLabel(opts *v1.SELinux
 // Conflicts returns true if two SELinux labels conflict.
 // These labels must be generated by SELinuxOptionsToFileLabel above
 // (the function expects strict nr. of elements in the labels).
-// Since this translator cannot default missing components,
-// the missing components are treated as incomparable and they do not
-// conflict with anything.
+// Since this translator cannot default missing label components from the operating system,
+// the first three components can be empty. In this case, the empty components don't lead to a
+// conflict when compared to a real SELinux label and this function returns false (as no
+// conflict can be detected).
+// The last component (level) is always compared, as it is not defaulted by the operating system.
 // Example: "system_u:system_r:container_t:s0:c1,c2" *does not* conflict with ":::s0:c1,c2",
-// because the node that will run such a Pod may expand "":::s0:c1,c2" to "system_u:system_r:container_t:s0:c1,c2".
-// However, "system_u:system_r:container_t:s0:c1,c2" *does* conflict with ":::s0:c98,c99".
+// because the node that will run such a Pod may expand ":::s0:c1,c2" to "system_u:system_r:container_t:s0:c1,c2".
+// However: "system_u:system_r:container_t:s0:c1,c2" *does* conflict with ":::s0:c98,c99".
+// And ":::s0:c1,c2" *does* conflict with "" or ":::", because it's never defaulted by the OS.
 func (c *ControllerSELinuxTranslator) Conflicts(labelA, labelB string) bool {
 	partsA := strings.SplitN(labelA, ":", 4)
 	partsB := strings.SplitN(labelB, ":", 4)
@@ -82,16 +85,20 @@ func (c *ControllerSELinuxTranslator) Conflicts(labelA, labelB string) bool {
 		if partsA[i] == partsB[i] {
 			continue
 		}
+		if i == 3 {
+			// The last component must always match
+			return true
+		}
+		// i<3, empty parts are incomparable
 		if partsA[i] == "" {
-			// incomparable part, no conflict
 			continue
 		}
 		if partsB[i] == "" {
-			// incomparable part, no conflict
 			continue
 		}
 		// Parts are not equal and neither of them is "" -> conflict
 		return true
 	}
+
 	return false
 }

pkg/controller/volume/selinuxwarning/translator/selinux_translator_test.go

@@ -93,26 +93,32 @@ func TestLabelsConflict(t *testing.T) {
 			conflict: false,
 		},
 		{
-			name:     "empty string  don't conflict with anything",
+			name:     "empty strings don't conflict with anything except the level",
 			a:        "",
 			b:        "system_u:system_r:container_t",
 			conflict: false,
 		},
+		{
+			name:     "empty string conflicts with level",
+			a:        "",
+			b:        "system_u:system_r:container_t:s0:c1,c2",
+			conflict: true,
+		},
 		{
 			name:     "empty parts don't conflict with anything",
-			a:        ":::::::::::::",
+			a:        ":::",
 			b:        "system_u:system_r:container_t",
 			conflict: false,
 		},
 		{
 			name:     "different lengths don't conflict if the common parts are the same",
-			a:        "system_u:system_r:container_t:c0,c2",
-			b:        "system_u:system_r:container_t",
+			a:        "system_u:system_r:container_t:",
+			b:        "system_u:system_r",
 			conflict: false,
 		},
 		{
 			name:     "different lengths conflict if the common parts differ",
-			a:        "system_u:system_r:conflict_t:c0,c2",
+			a:        "system_u:system_r:conflict_t:",
 			b:        "system_u:system_r:container_t",
 			conflict: true,
 		},
@@ -125,9 +131,15 @@ func TestLabelsConflict(t *testing.T) {
 		{
 			name:     "non-conflicting empty parts",
 			a:        "system_u::container_t",
-			b:        ":system_r::c0,c2",
+			b:        ":system_r::",
 			conflict: false,
 		},
+		{
+			name:     "empty level conflicts with non-empty level",
+			a:        ":::s0:c1,c2",
+			b:        "",
+			conflict: true,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {

pkg/securitycontext/util.go

@@ -17,6 +17,10 @@ limitations under the License.
 package securitycontext
 
 import (
+	"fmt"
+	"os"
+	"sync"
+
 	v1 "k8s.io/api/core/v1"
 )
 
@@ -188,21 +192,32 @@ func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
 
 var (
 	// These *must* be kept in sync with moby/moby.
-	// https://github.com/moby/moby/blob/master/oci/defaults.go#L105-L124
-	// @jessfraz will watch changes to those files upstream.
-	defaultMaskedPaths = []string{
-		"/proc/asound",
-		"/proc/acpi",
-		"/proc/kcore",
-		"/proc/keys",
-		"/proc/latency_stats",
-		"/proc/timer_list",
-		"/proc/timer_stats",
-		"/proc/sched_debug",
-		"/proc/scsi",
-		"/sys/firmware",
-		"/sys/devices/virtual/powercap",
-	}
+	// https://github.com/moby/moby/blob/ecb03c4cdae6f323150fc11b303dcc5dc4d82416/oci/defaults.go#L190-L218
+	defaultMaskedPaths = sync.OnceValue(func() []string {
+		maskedPaths := []string{
+			"/proc/asound",
+			"/proc/acpi",
+			"/proc/interrupts",
+			"/proc/kcore",
+			"/proc/keys",
+			"/proc/latency_stats",
+			"/proc/timer_list",
+			"/proc/timer_stats",
+			"/proc/sched_debug",
+			"/proc/scsi",
+			"/sys/firmware",
+			"/sys/devices/virtual/powercap",
+		}
+
+		for _, cpu := range possibleCPUs() {
+			path := fmt.Sprintf("/sys/devices/system/cpu/cpu%d/thermal_throttle", cpu)
+			if _, err := os.Stat(path); err == nil {
+				maskedPaths = append(maskedPaths, path)
+			}
+		}
+
+		return maskedPaths
+	})
 	defaultReadonlyPaths = []string{
 		"/proc/bus",
 		"/proc/fs",
@@ -221,7 +236,7 @@ func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string {
 	}
 
 	// Otherwise, add the default masked paths to the runtime security context.
-	return defaultMaskedPaths
+	return defaultMaskedPaths()
 }
 
 // ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default

pkg/securitycontext/util_darwin.go

@@ -0,0 +1,21 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+func possibleCPUs() []int {
+	return nil
+}

pkg/securitycontext/util_linux.go

@@ -0,0 +1,74 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+import (
+	"os"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+)
+
+// possibleCPUs returns the number of possible CPUs on this host.
+func possibleCPUs() (cpus []int) {
+	if ncpu := possibleCPUsParsed(); ncpu != nil {
+		return ncpu
+	}
+
+	for i := range runtime.NumCPU() {
+		cpus = append(cpus, i)
+	}
+
+	return cpus
+}
+
+// possibleCPUsParsed is parsing the amount of possible CPUs on this host from
+// /sys/devices.
+var possibleCPUsParsed = sync.OnceValue(func() (cpus []int) {
+	data, err := os.ReadFile("/sys/devices/system/cpu/possible")
+	if err != nil {
+		return nil
+	}
+
+	ranges := strings.Split(strings.TrimSpace(string(data)), ",")
+
+	for _, r := range ranges {
+		if rStart, rEnd, ok := strings.Cut(r, "-"); !ok {
+			cpu, err := strconv.Atoi(rStart)
+			if err != nil {
+				return nil
+			}
+			cpus = append(cpus, cpu)
+		} else {
+			var start, end int
+			start, err := strconv.Atoi(rStart)
+			if err != nil {
+				return nil
+			}
+			end, err = strconv.Atoi(rEnd)
+			if err != nil {
+				return nil
+			}
+			for i := start; i <= end; i++ {
+				cpus = append(cpus, i)
+			}
+		}
+	}
+
+	return cpus
+})

pkg/securitycontext/util_test.go

@@ -73,11 +73,11 @@ func TestConvertToRuntimeMaskedPaths(t *testing.T) {
 	}{
 		"procMount nil": {
 			pm:     nil,
-			expect: defaultMaskedPaths,
+			expect: defaultMaskedPaths(),
 		},
 		"procMount default": {
 			pm:     &dPM,
-			expect: defaultMaskedPaths,
+			expect: defaultMaskedPaths(),
 		},
 		"procMount unmasked": {
 			pm:     &uPM,