Patch versions updates

* Move molecule youki to molecule_full

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Releng: galaxy version to 2.31.1

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

---------

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

.github/workflows/auto-label-os.yml

@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Parse issue form
-        uses: stefanbuck/github-issue-parser@cb6e97157cbf851e3a393ff8d57c93a484cc323f
+        uses: stefanbuck/github-issue-parser@10dcc54158ba4c137713d9d69d70a2da63b6bda3
         id: issue-parser
         with:
           template-path: .github/ISSUE_TEMPLATE/bug-report.yaml

.github/workflows/upgrade-patch-versions.yml

@@ -14,7 +14,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         ref: ${{ inputs.branch }}
-    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+    - uses: actions/setup-python@v6
       with:
         python-version: '3.13'
         cache: 'pip'
@@ -22,7 +22,7 @@ jobs:
     - run: update-hashes
       env:
         API_KEY: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+    - uses: actions/cache@v5
       with:
         key: pre-commit-hook-propagate
         path: |

.gitlab-ci/kubevirt.yml

@@ -40,8 +40,8 @@ pr:
           - debian11-macvlan
           - debian12-cilium
           - debian13-cilium
-          - fedora42-kube-router
-          - fedora43-kube-router
+          - fedora39-kube-router
+          - fedora41-kube-router
           - fedora42-calico
           - rockylinux9-cilium
           - rockylinux10-cilium
@@ -56,7 +56,7 @@ pr:
           - ubuntu24-kube-router-sep
           - ubuntu24-kube-router-svc-proxy
           - ubuntu24-ha-separate-etcd
-          - fedora43-flannel-crio-collection-scale
+          - fedora40-flannel-crio-collection-scale
 
 # This is for flakey test so they don't disrupt the PR worklflow too much.
 # Jobs here MUST have a open issue so we don't lose sight of them
@@ -105,10 +105,10 @@ pr_full:
           - debian11-custom-cni
           - debian11-kubelet-csr-approver
           - debian12-custom-cni-helm
-          - fedora42-calico-swap-selinux
-          - fedora42-crio
-          - fedora43-calico-swap-selinux
-          - fedora43-crio
+          - fedora39-calico-swap-selinux
+          - fedora39-crio
+          - fedora41-calico-swap-selinux
+          - fedora41-crio
           - ubuntu24-calico-ha-wireguard
           - ubuntu24-flannel-ha
           - ubuntu24-flannel-ha-once
@@ -166,9 +166,9 @@ periodic:
           - debian11-calico-upgrade
           - debian11-calico-upgrade-once
           - debian12-cilium-svc-proxy
-          - fedora42-calico-selinux
-          - fedora43-calico-selinux
-          - fedora43-docker-calico
+          - fedora39-calico-selinux
+          - fedora40-docker-calico
+          - fedora41-calico-selinux
           - ubuntu24-calico-etcd-kubeadm-upgrade-ha
           - ubuntu24-calico-ha-recover
           - ubuntu24-calico-ha-recover-noquorum

.gitlab-ci/molecule.yml

@@ -52,5 +52,4 @@ molecule_full:
     - ROLE:
       # FIXME : tests below are perma-failing
       - container-engine/kata-containers
-      # FIXME: until youki release 0.6.1
       - container-engine/youki

.pre-commit-config.yaml

@@ -33,7 +33,6 @@ repos:
     hooks:
       - id: ansible-lint
         additional_dependencies:
-          - ansible-core>=2.18.0,<2.19.0
           - jmespath==1.0.1
           - netaddr==1.3.0
           - distlib
@@ -50,7 +49,7 @@ repos:
         name: Build and install kubernetes-sigs.kubespray Ansible collection
         language: python
         additional_dependencies:
-          - ansible-core>=2.18.0,<2.19.0
+          - ansible-core>=2.16.4
           - distlib
         entry: tests/scripts/collection-build-install.sh
         pass_filenames: false
@@ -92,7 +91,7 @@ repos:
         name: Update static files referencing default kubespray values
         language: python
         additional_dependencies:
-          - ansible-core>=2.18.0,<2.19.0
+          - ansible-core>=2.16.4
         entry: scripts/propagate_ansible_variables.yml
         pass_filenames: false
 

Dockerfile

@@ -35,8 +35,8 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.36.1/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.36.1/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L "https://dl.k8s.io/release/v1.35.5/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.35.5/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl
 
 COPY *.yml ./

README.md

@@ -22,7 +22,7 @@ Ensure you have installed Docker then
 ```ShellSession
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
   --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.31.0 bash
+  quay.io/kubespray/kubespray:v2.30.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
@@ -111,15 +111,15 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.36.1
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.35.5
   - [etcd](https://github.com/etcd-io/etcd) 3.6.11
   - [docker](https://www.docker.com/) 28.3
-  - [containerd](https://containerd.io/) 2.3.1
-  - [cri-o](https://cri-o.io/) 1.36.0 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) 2.2.4
+  - [cri-o](http://cri-o.io/) 1.35.3 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) 1.9.1
   - [calico](https://github.com/projectcalico/calico) 3.31.5
-  - [cilium](https://github.com/cilium/cilium) 1.19.4
+  - [cilium](https://github.com/cilium/cilium) 1.19.3
   - [flannel](https://github.com/flannel-io/flannel) 0.28.4
   - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
   - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
@@ -127,7 +127,7 @@ Note:
   - [kube-vip](https://github.com/kube-vip/kube-vip) 1.0.3
 - Application
   - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.14.2
+  - [coredns](https://github.com/coredns/coredns) 1.12.4
   - [argocd](https://argoproj.github.io/) 2.14.5
   - [helm](https://helm.sh/) 3.18.4
   - [metallb](https://metallb.universe.tf/) 0.13.9

docs/CNI/cilium.md

@@ -245,7 +245,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: "1.19.4"
+cilium_version: "1.19.3"
 ```
 
 ## Add variable to config

docs/ansible/ansible.md

@@ -157,20 +157,20 @@ Example command to filter and apply only DNS configuration tasks and skip
 everything else related to host OS configuration and downloading images of containers:
 
 ```ShellSession
-ansible-playbook -i inventory/sample/inventory.ini cluster.yml --tags preinstall,facts --skip-tags=download,bootstrap_os
+ansible-playbook -i inventory/sample/hosts.ini cluster.yml --tags preinstall,facts --skip-tags=download,bootstrap_os
 ```
 
 And this play only removes the K8s cluster DNS resolver IP from hosts' /etc/resolv.conf files:
 
 ```ShellSession
-ansible-playbook -i inventory/sample/inventory.ini -e dns_mode='none' cluster.yml --tags resolvconf
+ansible-playbook -i inventory/sample/hosts.ini -e dns_mode='none' cluster.yml --tags resolvconf
 ```
 
 And this prepares all container images locally (at the ansible runner node) without installing
 or upgrading related stuff or trying to upload container to K8s cluster nodes:
 
 ```ShellSession
-ansible-playbook -i inventory/sample/inventory.ini cluster.yml \
+ansible-playbook -i inventory/sample/hosts.ini cluster.yml \
     -e download_run_once=true -e download_localhost=true \
     --tags download --skip-tags upload,upgrade
 ```

docs/cloud_controllers/vsphere.md

@@ -62,7 +62,7 @@ Once the configuration is set, you can execute the playbook again to apply the n
 
 ```ShellSession
 cd kubespray
-ansible-playbook -i inventory/sample/inventory.ini -b -v cluster.yml
+ansible-playbook -i inventory/sample/hosts.ini -b -v cluster.yml
 ```
 
 You'll find some useful examples [here](https://github.com/kubernetes/cloud-provider-vsphere/blob/master/docs/book/tutorials/kubernetes-on-vsphere-with-kubeadm.md#sample-manifests-to-test-csi-driver-functionality) to test your configuration.
@@ -82,7 +82,7 @@ If you intend to leverage the [zone and region node labeling](https://kubernetes
 
 ### Kubespray configuration (deprecated)
 
-First you must define the cloud provider in `inventory/sample/group_vars/all/all.yml` and set it to `vsphere`.
+First you must define the cloud provider in `inventory/sample/group_vars/all.yml` and set it to `vsphere`.
 
 ```yml
 cloud_provider: vsphere
@@ -128,7 +128,7 @@ Once the configuration is set, you can execute the playbook again to apply the n
 
 ```ShellSession
 cd kubespray
-ansible-playbook -i inventory/sample/inventory.ini -b -v cluster.yml
+ansible-playbook -i inventory/sample/hosts.ini -b -v cluster.yml
 ```
 
 You'll find some useful examples [here](https://github.com/kubernetes/examples/tree/master/staging/volumes/vsphere) to test your configuration.

docs/cloud_providers/cloud.md

@@ -11,5 +11,5 @@ You can deploy instances in your cloud environment in several ways. Examples inc
 With ansible-playbook command
 
 ```ShellSession
-ansible-playbook -u smana -e ansible_ssh_user=admin -e cloud_provider=[aws|gce] -b --become-user=root -i inventory/sample/inventory.ini cluster.yml
+ansible-playbook -u smana -e ansible_ssh_user=admin -e cloud_provider=[aws|gce] -b --become-user=root -i inventory/single.cfg cluster.yml
 ```

docs/developers/ci.md

@@ -11,8 +11,10 @@ amazon |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :x: | :white_check_mark: |
 debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: |
 debian13 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
-fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
-fedora43 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
+fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
+fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
+fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
@@ -29,8 +31,10 @@ amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-fedora43 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
@@ -47,8 +51,10 @@ amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora39 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora41 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-fedora43 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |

docs/getting_started/getting-started.md

@@ -15,15 +15,16 @@ and [details on the inventory structure expected by Kubespray](/docs/ansible/inv
 <your-favorite-editor> inventory/mycluster/inventory.ini
 
 # Review and change parameters under ``inventory/mycluster/group_vars``
-<your-favorite-editor> inventory/mycluster/group_vars/all/all.yml # for every node, including etcd
-<your-favorite-editor> inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml # for every node in the cluster (not etcd when it's separate)
-<your-favorite-editor> inventory/mycluster/group_vars/k8s_cluster/kube_control_plane.yml # for the control plane
+<your-favorite-editor> inventory/mycluster/group_vars/all.yml # for every node, including etcd
+<your-favorite-editor> inventory/mycluster/group_vars/k8s_cluster.yml # for every node in the cluster (not etcd when it's separate)
+<your-favorite-editor> inventory/mycluster/group_vars/kube_control_plane.yml # for the control plane
+<your-favorite-editor> inventory/myclsuter/group_vars/kube_node.yml # for worker nodes
 ```
 
 ## Installing the cluster
 
 ```ShellSession
-ansible-playbook -i inventory/mycluster/inventory.ini cluster.yml -b -v \
+ansible-playbook -i inventory/mycluster/ cluster.yml -b -v \
   --private-key=~/.ssh/private_key
 ```
 
@@ -35,7 +36,7 @@ You may want to add worker, control plane or etcd nodes to your existing cluster
 - Run the ansible-playbook command, substituting `cluster.yml` for `scale.yml`:
 
 ```ShellSession
-ansible-playbook -i inventory/mycluster/inventory.ini scale.yml -b -v \
+ansible-playbook -i inventory/mycluster/hosts.yml scale.yml -b -v \
   --private-key=~/.ssh/private_key
 ```
 
@@ -53,7 +54,7 @@ is not working, you can remove the node and install it again.
 Use `--extra-vars "node=<nodename>,<nodename2>"` to select the node(s) you want to delete.
 
 ```ShellSession
-ansible-playbook -i inventory/mycluster/inventory.ini remove-node.yml -b -v \
+ansible-playbook -i inventory/mycluster/hosts.yml remove-node.yml -b -v \
 --private-key=~/.ssh/private_key \
 --extra-vars "node=nodename,nodename2"
 ```
@@ -86,7 +87,7 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
 
 The main client of Kubernetes is `kubectl`. It is installed on each kube_control_plane
 host and can optionally be configured on your ansible host by setting
-`kubectl_localhost: true` and `kubeconfig_localhost: true` in `inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml`:
+`kubectl_localhost: true` and `kubeconfig_localhost: true` in the configuration:
 
 - If `kubectl_localhost` enabled, `kubectl` will download onto `/usr/local/bin/` and setup with bash completion. A helper script `inventory/mycluster/artifacts/kubectl.sh` also created for setup with below `admin.conf`.
 - If `kubeconfig_localhost` enabled `admin.conf` will appear in the `inventory/mycluster/artifacts/` directory after deployment.

docs/getting_started/setting-up-your-first-cluster.md

@@ -223,7 +223,7 @@ that controller-0, controller-1 and controller-2 in the `kube_control_plane` gro
 worker-0, worker-1 and worker-2 in the `kube_node` group. Add respective `ip` to the respective local VPC IP for each node.
 
 The main configuration for the cluster is stored in
-`inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml`. In this file we
+`inventory/mycluster/group_vars/k8s_cluster/k8s_cluster.yml`. In this file we
  will update the `supplementary_addresses_in_ssl_keys` with a list of the IP
  addresses of the controller nodes. In that way we can access the
   kubernetes API server as an administrator from outside the VPC network. You
@@ -240,7 +240,7 @@ the kubernetes cluster, just change the 'false' to 'true' for
 Now we will deploy the configuration:
 
 ```ShellSession
-ansible-playbook -i inventory/mycluster/inventory.ini -u $USERNAME -b -v --private-key=~/.ssh/id_rsa cluster.yml
+ansible-playbook -i inventory/mycluster/ -u $USERNAME -b -v --private-key=~/.ssh/id_rsa cluster.yml
 ```
 
 Ansible will now execute the playbook, this can take up to 20 minutes.
@@ -594,7 +594,7 @@ If you want to keep the VMs and just remove the cluster state, you can simply
  run another Ansible playbook:
 
 ```ShellSession
-ansible-playbook -i inventory/mycluster/inventory.ini -u $USERNAME -b -v --private-key=~/.ssh/id_rsa reset.yml
+ansible-playbook -i inventory/mycluster/ -u $USERNAME -b -v --private-key=~/.ssh/id_rsa reset.yml
 ```
 
 Resetting the cluster to the VMs original state usually takes about a couple

docs/ingress/kube-vip.md

@@ -86,12 +86,3 @@ kube_vip_leaseduration: 30
 kube_vip_renewdeadline: 20
 kube_vip_retryperiod: 4
 ```
-
-To expose [Prometheus metrics](https://kube-vip.io/docs/installation/flags/#environment-variables) from the kube-vip static pod, set `kube_vip_metrics_enabled`. `kube_vip_metrics_port` is an integer; the manifest sets `prometheus_server` to `:PORT` because kube-vip passes that value to Go's HTTP listen address (see [`servePrometheusHTTPServer` in kube-vip](https://github.com/kube-vip/kube-vip/blob/main/cmd/kube-vip.go)). The manifest `ports` entry uses the same number for tooling that reads the pod spec.
-
-Kubespray defaults `kube_vip_metrics_port` to `2112`, matching upstream kube-vip's `--prometheusHTTPServer` default. Override it if your scrape config expects another port.
-
-```yaml
-kube_vip_metrics_enabled: true
-# kube_vip_metrics_port: 2112
-```

docs/operations/upgrades.md

@@ -26,13 +26,13 @@ If you wanted to upgrade just kube_version from v1.18.10 to v1.19.7, you could
 deploy the following way:
 
 ```ShellSession
-ansible-playbook cluster.yml -i inventory/sample/inventory.ini -e kube_version=1.18.10 -e upgrade_cluster_setup=true
+ansible-playbook cluster.yml -i inventory/sample/hosts.ini -e kube_version=1.18.10 -e upgrade_cluster_setup=true
 ```
 
 And then repeat with 1.19.7 as kube_version:
 
 ```ShellSession
-ansible-playbook cluster.yml -i inventory/sample/inventory.ini -e kube_version=1.19.7 -e upgrade_cluster_setup=true
+ansible-playbook cluster.yml -i inventory/sample/hosts.ini -e kube_version=1.19.7 -e upgrade_cluster_setup=true
 ```
 
 The var ```-e upgrade_cluster_setup=true``` is needed to be set in order to migrate the deploys of e.g kube-apiserver inside the cluster immediately which is usually only done in the graceful upgrade. (Refer to [#4139](https://github.com/kubernetes-sigs/kubespray/issues/4139) and [#4736](https://github.com/kubernetes-sigs/kubespray/issues/4736))
@@ -46,7 +46,7 @@ existing cluster. That means there must be at least 1 kube_control_plane already
 deployed.
 
 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.19.7
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.19.7
 ```
 
 After a successful upgrade, the Server Version should be updated:
@@ -60,7 +60,7 @@ Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCom
 You can control how many nodes are upgraded at the same time by modifying the ansible variable named `serial`, as explained [here](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_strategies.html#setting-the-batch-size-with-serial). If you don't set this variable, it will upgrade the cluster nodes in batches of  20% of the available nodes. Setting `serial=1` would mean upgrade one node at a time.
 
 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.20.7 -e "serial=1"
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.20.7 -e "serial=1"
 ```
 
 ### Pausing the upgrade
@@ -82,20 +82,20 @@ If you don't want to upgrade all nodes in one run, you can use `--limit` [patter
 Before using `--limit` run playbook `facts.yml` without the limit to refresh facts cache for all nodes:
 
 ```ShellSession
-ansible-playbook playbooks/facts.yml -b -i inventory/sample/inventory.ini
+ansible-playbook playbooks/facts.yml -b -i inventory/sample/hosts.ini
 ```
 
 After this upgrade control plane and etcd groups [#5147](https://github.com/kubernetes-sigs/kubespray/issues/5147):
 
 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.20.7 --limit "kube_control_plane:etcd"
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.20.7 --limit "kube_control_plane:etcd"
 ```
 
 Now you can upgrade other nodes in any order and quantity:
 
 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.20.7 --limit "node4:node6:node7:node12"
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.20.7 --limit "node5*"
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.20.7 --limit "node4:node6:node7:node12"
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.20.7 --limit "node5*"
 ```
 
 ## Multiple upgrades
@@ -122,9 +122,9 @@ v2.24.0
 v2.22.0 -> v2.23.2 -> v2.24.0 : ✓
 v.22.0 -> v2.24.0 : ✕
 
-Assuming you don't explicitly define a kubernetes version in your group_vars/k8s_cluster/k8s-cluster.yml, you simply check out the next tag and run the upgrade-cluster.yml playbook
+Assuming you don't explicitly define a kubernetes version in your k8s_cluster.yml, you simply check out the next tag and run the upgrade-cluster.yml playbook
 
-* If you do define kubernetes version in your inventory (e.g. group_vars/k8s_cluster/k8s-cluster.yml) then either make sure to update it before running upgrade-cluster, or specify the new version you're upgrading to: `ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml -e kube_version=1.11.3`
+* If you do define kubernetes version in your inventory (e.g. group_vars/k8s_cluster.yml) then either make sure to update it before running upgrade-cluster, or specify the new version you're upgrading to: `ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml -e kube_version=1.11.3`
 
   Otherwise, the upgrade will leave your cluster at the same k8s version defined in your inventory vars.
 
@@ -155,7 +155,7 @@ HEAD is now at 05dabb7e Fix Bionic networking restart error #3430 (#3431)
 
 # NOTE: May need to `pip3 install -r requirements.txt` when upgrading.
 
-ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
+ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
 
 ...
 
@@ -178,7 +178,7 @@ Some deprecations between versions that mean you can't just upgrade straight fro
 In this case, I set "kubeadm_enabled" to false, knowing that it is deprecated and removed by 2.9.0, to delay converting the cluster to kubeadm as long as I could.
 
 ```ShellSession
-$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
 ...
     "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -196,7 +196,7 @@ $ git checkout v2.8.1
 Previous HEAD position was 9051aa52 Fix ubuntu-contiv test failed (#3808)
 HEAD is now at 2ac1c756 More Feature/2.8 backports for 2.8.1 (#3911)
 
-$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
 ...
     "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -214,7 +214,7 @@ $ git checkout v2.8.2
 Previous HEAD position was 2ac1c756 More Feature/2.8 backports for 2.8.1 (#3911)
 HEAD is now at 4167807f Upgrade to 1.12.5 (#4066)
 
-$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
 ...
     "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -232,7 +232,7 @@ $ git checkout v2.8.3
 Previous HEAD position was 4167807f Upgrade to 1.12.5 (#4066)
 HEAD is now at ea41fc5e backport cve-2019-5736 to release-2.8 (#4234)
 
-$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
 ...
     "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -250,7 +250,7 @@ $ git checkout v2.8.4
 Previous HEAD position was ea41fc5e backport cve-2019-5736 to release-2.8 (#4234)
 HEAD is now at 3901480b go to k8s 1.12.7 (#4400)
 
-$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
 ...
     "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -268,7 +268,7 @@ $ git checkout v2.8.5
 Previous HEAD position was 3901480b go to k8s 1.12.7 (#4400)
 HEAD is now at 6f97687d Release 2.8 robust san handling (#4478)
 
-$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
 ...
     "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -288,14 +288,14 @@ HEAD is now at a4e65c7c Upgrade to Ansible >2.7.0 (#4471)
 ```
 
 > **Warning**
-> IMPORTANT: Some variable formats changed in the group_vars/k8s_cluster/k8s-cluster.yml between 2.8.5 and 2.9.0
+> IMPORTANT: Some variable formats changed in the k8s_cluster.yml between 2.8.5 and 2.9.0
 
 If you do not keep your inventory copy up to date, **your upgrade will fail** and your first master will be left non-functional until fixed and re-run.
 
 It is at this point the cluster was upgraded from non-kubeadm to kubeadm as per the deprecation warning.
 
 ```ShellSession
-ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
+ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
 
 ...
 
@@ -320,7 +320,7 @@ $ git checkout v2.10.0
 Previous HEAD position was a4e65c7c Upgrade to Ansible >2.7.0 (#4471)
 HEAD is now at dcd9c950 Add etcd role dependency on kube user to avoid etcd role failure when running scale.yml with a fresh node. (#3240) (#4479)
 
-ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
+ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
 
 ...
 
@@ -372,49 +372,49 @@ hosts.
 Upgrade docker:
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=docker
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=docker
 ```
 
 Upgrade etcd:
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=etcd
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd
 ```
 
 Upgrade etcd without rotating etcd certs:
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=etcd --limit=etcd --skip-tags=etcd-secrets
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd --limit=etcd --skip-tags=etcd-secrets
 ```
 
 Upgrade kubelet:
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs
 ```
 
 Upgrade Kubernetes master components:
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=master
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=master
 ```
 
 Upgrade network plugins:
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=network
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=network
 ```
 
 Upgrade all add-ons:
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=apps
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=apps
 ```
 
 Upgrade just helm (assuming `helm_enabled` is true):
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=helm
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=helm
 ```
 
 ## Migrate from Docker to Containerd
@@ -430,7 +430,7 @@ As of Kubespray 2.18.0, containerd is already the default container engine. If y
 If you want to upgrade the APT or YUM packages while the nodes are cordoned, you can use:
 
 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e system_upgrade=true
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e system_upgrade=true
 ```
 
 Nodes will be rebooted when there are package upgrades (`system_upgrade_reboot: on-upgrade`).

docs/upgrades/migrate_docker2containerd.md

@@ -28,11 +28,11 @@ Everything done here requires full root access to every node.
 Before you begin, adjust your inventory:
 
 ```yaml
-# Filename: group_vars/k8s_cluster/k8s-cluster.yml
+# Filename: k8s_cluster/k8s-cluster.yml
 resolvconf_mode: host_resolvconf
 container_manager: containerd
 
-# Filename: group_vars/all/etcd.yml
+# Filename: etcd.yml
 etcd_deployment_type: host
 ```
 
@@ -66,7 +66,7 @@ apt-get install pigz
 ### 5) Run `cluster.yml` playbook with `--limit`
 
 ```commandline
-ansible-playbook -i inventory/sample/inventory.ini cluster.yml --limit=NODENAME
+ansible-playbook -i inventory/sample/hosts.ini cluster.yml --limit=NODENAME
 ```
 
 This effectively reinstalls containerd and seems to place all config files in the right place. When this completes, kubelet will immediately pick up the new container engine and start spinning up DaemonSets and kube-system Pods.

galaxy.yml

@@ -2,7 +2,7 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.32.0
+version: 2.31.1
 readme: README.md
 authors:
   - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)

inventory/sample/group_vars/k8s_cluster/addons.yml

@@ -201,8 +201,6 @@ kube_vip_enabled: false
 # kube_vip_lb_fwdmethod: local
 # kube_vip_bgp_sourceip:
 # kube_vip_bgp_sourceif:
-# kube_vip_metrics_enabled: false
-# kube_vip_metrics_port: 2112
 
 # Node Feature Discovery
 node_feature_discovery_enabled: false

pipeline.Dockerfile

@@ -46,8 +46,8 @@ ADD ./tests/requirements.txt /kubespray/tests/requirements.txt
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && pip install --break-system-packages --ignore-installed --no-compile --no-cache-dir pip -U \
     && pip install --break-system-packages --no-compile --no-cache-dir -r tests/requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.36.1/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.36.1/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L https://dl.k8s.io/release/v1.35.5/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/v1.35.5/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl \
     # Install Vagrant
     && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
@@ -55,5 +55,5 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && rm vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
     && vagrant plugin install vagrant-libvirt \
     # Install Kubernetes collections
-    && pip install --break-system-packages --no-compile --no-cache-dir kubernetes==35.0.0 \
-    && ansible-galaxy collection install kubernetes.core:==6.4.0
+    && pip install --break-system-packages --no-compile --no-cache-dir kubernetes \
+    && ansible-galaxy collection install kubernetes.core

requirements.txt

@@ -1,6 +1,6 @@
 ansible==11.13.0
 # Needed for community.crypto module
-cryptography==48.0.0
+cryptography==46.0.7
 # Needed for jinja2 json_query templating
 jmespath==1.1.0
 # Needed for ansible.utils.ipaddr

roles/container-engine/kata-containers/molecule/default/verify.yml

@@ -9,7 +9,7 @@
     failed_when: >
       version is failed or
       'kata-runtime' not in version.stdout
-  - name: Test version check
+  - name: Test version
     command: "/opt/kata/bin/kata-runtime check"
     register: check
     failed_when: >

roles/download/tasks/main.yml

@@ -2,7 +2,7 @@
 - name: Download | Prepare working directories and variables
   import_tasks: prep_download.yml
   when:
-    - not skip_downloads
+    - not skip_downloads | default(false)
   tags:
     - download
     - upload
@@ -10,7 +10,7 @@
 - name: Download | Get kubeadm binary and list of required images
   include_tasks: prep_kubeadm_images.yml
   when:
-    - not skip_downloads
+    - not skip_downloads | default(false)
     - ('kube_control_plane' in group_names)
   tags:
     - download
@@ -23,8 +23,8 @@
     download: "{{ download_defaults | combine(item.value) }}"
     include_file: "download_{% if download.container %}container{% else %}file{% endif %}.yml"
   when:
-    - not skip_downloads
+    - not skip_downloads | default(false)
     - download.enabled
     - item.value.enabled
-    - (not download.container) or (download.container and download_container)
+    - (not (item.value.container | default(false))) or (item.value.container and download_container)
     - (download_run_once and inventory_hostname == download_delegate) or (group_names | intersect(download.groups) | length)

roles/etcd/tasks/check_certs.yml

@@ -13,8 +13,6 @@
     sync_certs: false
     gen_certs: false
     etcd_secret_changed: false
-    etcd_member_requires_sync: false
-    kubernetes_host_requires_sync: false
 
 - name: "Check certs | Register ca and etcd admin/member certs on etcd hosts"
   stat:
@@ -130,7 +128,7 @@
   set_fact:
     sync_certs: true
   when:
-    - etcd_member_requires_sync or
-      kubernetes_host_requires_sync or
+    - etcd_member_requires_sync | default(false) or
+      kubernetes_host_requires_sync | default(false) or
       'gen_master_certs_True' in group_names or
       'gen_node_certs_True' in group_names

roles/etcd/tasks/gen_certs_script.yml

@@ -24,7 +24,7 @@
   run_once: true
   delegate_to: "{{ groups['etcd'][0] }}"
   when:
-    - gen_certs
+    - gen_certs | default(false)
     - inventory_hostname == groups['etcd'][0]
 
 - name: Gen_certs | copy certs generation script
@@ -43,7 +43,7 @@
     HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['kube_control_plane']) | join(' ') }}"
   run_once: true
   delegate_to: "{{ groups['etcd'][0] }}"
-  when: gen_certs
+  when: gen_certs | default(false)
   notify: Set etcd_secret_changed
 
 - name: Gen_certs | run cert generation script for all clients
@@ -55,7 +55,7 @@
   when:
     - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
-    - gen_certs
+    - gen_certs | default(false)
   notify: Set etcd_secret_changed
 
 - name: Gen_certs | Gather etcd member/admin and kube_control_plane client certs from first etcd node
@@ -78,7 +78,7 @@
   delegate_to: "{{ groups['etcd'][0] }}"
   when:
     - ('etcd' in group_names)
-    - sync_certs
+    - sync_certs | default(false)
     - inventory_hostname != groups['etcd'][0]
   notify: Set etcd_secret_changed
 
@@ -92,7 +92,7 @@
   with_items: "{{ etcd_master_certs.results }}"
   when:
     - ('etcd' in group_names)
-    - sync_certs
+    - sync_certs | default(false)
     - inventory_hostname != groups['etcd'][0]
   loop_control:
     label: "{{ item.item }}"
@@ -134,7 +134,7 @@
   include_tasks: gen_nodes_certs_script.yml
   when:
     - ('kube_control_plane' in group_names) and
-        sync_certs and inventory_hostname not in groups['etcd']
+        sync_certs | default(false) and inventory_hostname not in groups['etcd']
 
 - name: Gen_certs | Generate etcd certs on nodes if needed
   include_tasks: gen_nodes_certs_script.yml
@@ -142,7 +142,7 @@
     - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
     - ('k8s_cluster' in group_names) and
-        sync_certs and inventory_hostname not in groups['etcd']
+        sync_certs | default(false) and inventory_hostname not in groups['etcd']
 
 # This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
 # TODO: fix certs generation to have the same file everywhere

roles/etcd/tasks/main.yml

@@ -84,7 +84,7 @@
   when:
     - ('etcd' in group_names)
     - etcd_cluster_setup
-    - etcd_secret_changed
+    - etcd_secret_changed | default(false)
 
 - name: Restart etcd-events if certs changed
   command: /bin/true
@@ -92,7 +92,7 @@
   when:
     - ('etcd' in group_names)
     - etcd_events_cluster_setup
-    - etcd_secret_changed
+    - etcd_secret_changed | default(false)
 
 # After etcd cluster is assembled, make sure that
 # initial state of the cluster is in `existing`

roles/helm-apps/tasks/main.yml

@@ -1,11 +1,9 @@
 ---
 - name: Add Helm repositories
-  environment: "{{ proxy_env }}"
   kubernetes.core.helm_repository: "{{ helm_repository_defaults | combine(item) }}"  # noqa args[module]
   loop: "{{ repositories }}"
 
 - name: Update Helm repositories
-  environment: "{{ proxy_env }}"
   kubernetes.core.helm:
     state: absent
     binary_path: "{{ bin_dir }}/helm"
@@ -17,6 +15,5 @@
     - helm_update
 
 - name: Install Helm Applications
-  environment: "{{ proxy_env }}"
   kubernetes.core.helm: "{{ helm_defaults | combine(release_common_opts, item) }}"  # noqa args[module]
   loop: "{{ releases }}"

roles/kubernetes-apps/kubelet-csr-approver/meta/main.yml

@@ -4,7 +4,9 @@ dependencies:
     when:
       - inventory_hostname == groups['kube_control_plane'][0]
       - kubelet_csr_approver_enabled
-    environment: "{{ proxy_env }}"
+    environment:
+      http_proxy: "{{ http_proxy | default('') }}"
+      https_proxy: "{{ https_proxy | default('') }}"
     release_common_opts: {}
     releases:
       - name: kubelet-csr-approver

roles/kubernetes-apps/metallb/tasks/main.yml

@@ -3,8 +3,7 @@
   fail:
     msg: "MetalLB require kube_proxy_strict_arp = true, see https://github.com/danderson/metallb/issues/153#issuecomment-518651132"
   when:
-    - kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp
-    - not kube_proxy_remove
+    - "kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp"
 
 - name: Kubernetes Apps | Check that the deprecated 'matallb_auto_assign' variable is not used anymore
   fail:

roles/kubernetes/control-plane/defaults/main/main.yml

@@ -41,9 +41,6 @@ control_plane_health_retries: 60  # Default retries for apiserver, scheduler, co
 kube_controller_manager_leader_elect_lease_duration: 15s
 kube_controller_manager_leader_elect_renew_deadline: 10s
 
-# Controls whether or not the kube_controller_manager allocates subnets for the node object
-kube_controller_manager_allocate_node_cidrs: true
-
 # discovery_timeout modifies the discovery timeout
 discovery_timeout: 5m0s
 

roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2

@@ -156,6 +156,8 @@ apiServer:
   - name: disable-admission-plugins
     value: "{{ kube_apiserver_disable_admission_plugins | join(',') }}"
 {% endif %}
+  - name: apiserver-count
+    value: "{{ kube_apiserver_count }}"
   - name: endpoint-reconciler-type
     value: lease
 {% if etcd_events_cluster_enabled %}
@@ -363,17 +365,7 @@ controllerManager:
 {% endif %}
   - name: service-cluster-ip-range
     value: "{{ kube_service_subnets }}"
-{% if not kube_controller_manager_allocate_node_cidrs
-  or kube_network_plugin is defined and (
-    (
-      kube_network_plugin == "calico" and
-      not calico_ipam_host_local
-    ) or (
-      kube_network_plugin == "cilium" and
-      cilium_ipam_mode == "cluster-pool"
-    )
-  )
-%}
+{% if kube_network_plugin is defined and kube_network_plugin == "calico" and not calico_ipam_host_local %}
   - name: allocate-node-cidrs
     value: "false"
 {% else %}

roles/kubernetes/node/defaults/main.yml

@@ -88,9 +88,6 @@ kube_vip_retryperiod: 1
 kube_vip_enable_node_labeling: false
 kube_vip_bgp_sourceip:
 kube_vip_bgp_sourceif:
-kube_vip_metrics_enabled: false
-# TCP port for kube-vip Prometheus metrics; manifest sets prometheus_server to :PORT (same as kube-vip upstream default, see cmd/kube-vip.go).
-kube_vip_metrics_port: 2112
 
 # Requests for load balancer app
 loadbalancer_apiserver_memory_requests: 32M

roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml

@@ -4,7 +4,6 @@
     msg: "kube-vip require kube_proxy_strict_arp = true, see https://github.com/kube-vip/kube-vip/blob/main/docs/kubernetes/arp/index.md"
   when:
     - kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp
-    - not kube_proxy_remove
     - kube_vip_arp_enabled
 
 - name: Kube-vip | Check mutually exclusive BGP source settings

roles/kubernetes/node/tasks/main.yml

@@ -114,9 +114,7 @@
     state: present
     persistent: present
   loop: "{{ kube_proxy_ipvs_modules }}"
-  when:
-    - kube_proxy_mode == 'ipvs'
-    - not kube_proxy_remove
+  when: kube_proxy_mode == 'ipvs'
   tags:
     - kube-proxy
 
@@ -132,7 +130,6 @@
     - nf_conntrack_ipv4
   when:
     - kube_proxy_mode == 'ipvs'
-    - not kube_proxy_remove
     - modprobe_conntrack_module is not defined or modprobe_conntrack_module is ansible.builtin.failed  # loop until first success
   tags:
     - kube-proxy
@@ -142,9 +139,7 @@
     name: "nf_tables"
     state: present
     persistent: present
-  when:
-    - kube_proxy_mode == 'nftables'
-    - not kube_proxy_remove
+  when: kube_proxy_mode == 'nftables'
   tags:
     - kube-proxy
 

roles/kubernetes/node/templates/loadbalancer/nginx.conf.j2

@@ -1,7 +1,7 @@
 error_log stderr notice;
 
 worker_processes 2;
-worker_rlimit_nofile 65535;
+worker_rlimit_nofile 130048;
 worker_shutdown_timeout 10s;
 
 events {

roles/kubernetes/node/templates/manifests/kube-vip.manifest.j2

@@ -109,21 +109,11 @@ spec:
 {% if kube_vip_lb_fwdmethod %}
     - name: lb_fwdmethod
       value: {{ kube_vip_lb_fwdmethod | string | to_json }}
-{% endif %}
-{% if kube_vip_metrics_enabled %}
-    - name: prometheus_server
-      value: {{ (':' ~ (kube_vip_metrics_port | string)) | to_json }}
 {% endif %}
     image: {{ kube_vip_image_repo }}:{{ kube_vip_image_tag }}
     imagePullPolicy: {{ k8s_image_pull_policy }}
     name: kube-vip
     resources: {}
-{% if kube_vip_metrics_enabled %}
-    ports:
-    - name: metrics
-      containerPort: {{ kube_vip_metrics_port }}
-      protocol: TCP
-{% endif %}
 {% if kube_vip_lb_fwdmethod == "masquerade" %}
     securityContext:
       privileged: true

roles/kubernetes/preinstall/defaults/main.yml

@@ -8,9 +8,6 @@ cloud_resolver: []
 disable_host_nameservers: false
 # Kubespray sets this to true after clusterDNS is running to apply changes to the host resolv.conf
 dns_late: false
-# DNS resolver option timeout and retry attempts.
-dns_timeout: 2
-dns_attempts: 2
 
 # Set to true if your network does not support IPv6
 # This may be necessary for pulling Docker images from
@@ -107,7 +104,7 @@ redhat_os_family_extensions:
   - "UniontechOS"
 
 # Sets DNSStubListener=no, useful if you get "0.0.0.0:53: bind: address already in use"
-systemd_resolved_disable_stub_listener: "{{ ansible_facts['os_family'] in ['Flatcar', 'Flatcar Container Linux by Kinvolk'] }}"
+systemd_resolved_disable_stub_listener: "{{ ansible_os_family in ['Flatcar', 'Flatcar Container Linux by Kinvolk'] }}"
 
 # Used to disable File Access Policy Daemon service.
 # If service is enabled, the CNI plugin installation will fail

roles/kubernetes/preinstall/handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Preinstall | apply resolvconf cloud-init
   command: /usr/bin/coreos-cloudinit --from-file {{ resolveconf_cloud_init_conf }}
-  when: ansible_facts['os_family'] in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+  when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
   listen: Preinstall | propagate resolvconf to k8s components
 
 - name: Preinstall | reload NetworkManager

roles/kubernetes/preinstall/tasks/0020-set_facts.yml

@@ -1,12 +1,9 @@
 ---
-- name: Normalize ansible_facts for redhat-family extensions
+- name: Set os_family fact for other redhat-based operating systems
   set_fact:
-    ansible_facts: >-
-      {{ ansible_facts | combine({
-           'os_family': 'RedHat',
-           'distribution_major_version': '8'
-         }) }}
-  when: ansible_facts['distribution'] in redhat_os_family_extensions
+    ansible_os_family: "RedHat"
+    ansible_distribution_major_version: "8"
+  when: ansible_distribution in redhat_os_family_extensions
   tags:
     - facts
 
@@ -89,12 +86,12 @@
       {%- if resolvconf | bool -%}/etc/resolvconf/resolv.conf.d/base{%- endif -%}
     head: >-
       {%- if resolvconf | bool -%}/etc/resolvconf/resolv.conf.d/head{%- endif -%}
-  when: ansible_facts['os_family'] not in ["Flatcar", "Flatcar Container Linux by Kinvolk"] and not is_fedora_coreos
+  when: not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] and not is_fedora_coreos
 
 - name: Target temporary resolvconf cloud init file (Flatcar Container Linux by Kinvolk / Fedora CoreOS)
   set_fact:
     resolvconffile: /tmp/resolveconf_cloud_init_conf
-  when: ansible_facts['os_family'] in ["Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos
+  when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos
 
 - name: Check if /etc/dhclient.conf exists
   stat:
@@ -125,12 +122,12 @@
 - name: Target dhclient hook file for Red Hat family
   set_fact:
     dhclienthookfile: /etc/dhcp/dhclient.d/zdnsupdate.sh
-  when: ansible_facts['os_family'] == "RedHat"
+  when: ansible_os_family == "RedHat"
 
 - name: Target dhclient hook file for Debian family
   set_fact:
     dhclienthookfile: /etc/dhcp/dhclient-exit-hooks.d/zdnsupdate
-  when: ansible_facts['os_family'] == "Debian"
+  when: ansible_os_family == "Debian"
 
 - name: Set etcd vars if using kubeadm mode
   set_fact:

roles/kubernetes/preinstall/tasks/0040-verify-settings.yml

@@ -15,25 +15,25 @@
     - not ignore_assert_errors
 - name: Stop if non systemd OS type
   assert:
-    that: ansible_facts['service_mgr'] == "systemd"
+    that: ansible_service_mgr == "systemd"
   when: not ignore_assert_errors
 
 - name: Stop if the os does not support
   assert:
-    that: (allow_unsupported_distribution_setup | default(false)) or ansible_facts['distribution'] in supported_os_distributions
-    msg: "{{ ansible_facts['distribution'] }} is not a known OS"
+    that: (allow_unsupported_distribution_setup | default(false)) or ansible_distribution in supported_os_distributions
+    msg: "{{ ansible_distribution }} is not a known OS"
   when: not ignore_assert_errors
 
 - name: Stop if memory is too small for control plane nodes
   assert:
-    that: ansible_facts['memtotal_mb'] >= minimal_master_memory_mb
+    that: ansible_memtotal_mb >= minimal_master_memory_mb
   when:
     - not ignore_assert_errors
     - ('kube_control_plane' in group_names)
 
 - name: Stop if memory is too small for nodes
   assert:
-    that: ansible_facts['memtotal_mb'] >= minimal_node_memory_mb
+    that: ansible_memtotal_mb >= minimal_node_memory_mb
   when:
     - not ignore_assert_errors
     - ('kube_node' in group_names)
@@ -47,8 +47,8 @@
 
 - name: Stop if ip var does not match local ips
   assert:
-    that: (ip in ansible_facts['all_ipv4_addresses']) or (ip in ansible_facts['all_ipv6_addresses'])
-    msg: "IPv4: '{{ ansible_facts['all_ipv4_addresses'] }}' and IPv6: '{{ ansible_facts['all_ipv6_addresses'] }}' do not contain '{{ ip }}'"
+    that: (ip in ansible_all_ipv4_addresses) or (ip in ansible_all_ipv6_addresses)
+    msg: "IPv4: '{{ ansible_all_ipv4_addresses }}' and IPv6: '{{ ansible_all_ipv6_addresses }}' do not contain '{{ ip }}'"
   when:
     - not ignore_assert_errors
     - ip is defined
@@ -63,17 +63,16 @@
 
 - name: Stop if kernel version is too low for cilium
   assert:
-    that: ansible_facts['kernel'].split('-')[0] is version('4.9.17', '>=')
+    that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
   when:
     - kube_network_plugin == 'cilium' or cilium_deploy_additionally
     - not ignore_assert_errors
 
 - name: Stop if kernel version is too low for nftables
   assert:
-    that: ansible_facts['kernel'].split('-')[0] is version('5.13', '>=')
+    that: ansible_kernel.split('-')[0] is version('5.13', '>=')
   when:
     - kube_proxy_mode == 'nftables'
-    - not kube_proxy_remove
     - not ignore_assert_errors
 
 - name: Stop if bad hostname
@@ -93,6 +92,6 @@
 
 - name: Stop if download_localhost is enabled for Flatcar Container Linux
   assert:
-    that: ansible_facts['os_family'] not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+    that: ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
     msg: "download_run_once not supported for Flatcar Container Linux"
   when: download_run_once or download_force_cache

roles/kubernetes/preinstall/tasks/0060-resolvconf.yml

@@ -1,7 +1,7 @@
 ---
 - name: Create temporary resolveconf cloud init file
   command: cp -f /etc/resolv.conf "{{ resolvconffile }}"
-  when: ansible_facts['os_family'] in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+  when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: Add domain/search/nameservers/options to resolv.conf
   blockinfile:
@@ -12,7 +12,7 @@
       {% for item in nameserverentries %}
       nameserver {{ item }}
       {% endfor %}
-      options ndots:{{ ndots }} timeout:{{ dns_timeout }} attempts:{{ dns_attempts }}
+      options ndots:{{ ndots }} timeout:{{ dns_timeout | default('2') }} attempts:{{ dns_attempts | default('2') }}
     state: present
     insertbefore: BOF
     create: true
@@ -45,7 +45,7 @@
 - name: Get temporary resolveconf cloud init file content
   command: cat {{ resolvconffile }}
   register: cloud_config
-  when: ansible_facts['os_family'] in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+  when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: Persist resolvconf cloud init file
   template:
@@ -54,4 +54,4 @@
     owner: root
     mode: "0644"
   notify: Preinstall | propagate resolvconf to k8s components
-  when: ansible_facts['os_family'] in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+  when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]

roles/kubernetes/preinstall/tasks/0063-networkmanager-dns.yml

@@ -32,7 +32,7 @@
     path: /etc/NetworkManager/conf.d/dns.conf
     section: global-dns
     option: options
-    value: "ndots:{{ ndots }},timeout:{{ dns_timeout }},attempts:{{ dns_attempts }}"
+    value: "ndots:{{ ndots }},timeout:{{ dns_timeout | default('2') }},attempts:{{ dns_attempts | default('2') }}"
     mode: '0600'
     backup: "{{ leave_etc_backup_files }}"
   notify: Preinstall | update resolvconf for networkmanager

roles/kubernetes/preinstall/tasks/0080-system-configurations.yml

@@ -7,8 +7,8 @@
     get_checksum: false
     get_mime: false
   when:
-    - ansible_facts['os_family'] == "RedHat"
-    - "'Amazon' not in ansible_facts['distribution']"
+    - ansible_os_family == "RedHat"
+    - "'Amazon' not in ansible_distribution"
   register: slc
 
 - name: Set selinux policy
@@ -16,8 +16,8 @@
     policy: targeted
     state: "{{ preinstall_selinux_state }}"
   when:
-    - ansible_facts['os_family'] == "RedHat"
-    - "'Amazon' not in ansible_facts['distribution']"
+    - ansible_os_family == "RedHat"
+    - "'Amazon' not in ansible_distribution"
     - slc.stat.exists
   tags:
     - bootstrap_os
@@ -32,7 +32,7 @@
     mode: "0644"
   when:
     - disable_ipv6_dns
-    - ansible_facts['os_family'] not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
   tags:
     - bootstrap_os
 

roles/kubernetes/preinstall/tasks/0081-ntp-configurations.yml

@@ -15,7 +15,7 @@
       /etc/ntp.conf
       {%- elif ntp_package == "ntpsec" -%}
       /etc/ntpsec/ntp.conf
-      {%- elif ansible_facts['os_family'] in ['RedHat', 'Suse'] -%}
+      {%- elif ansible_os_family in ['RedHat', 'Suse'] -%}
       /etc/chrony.conf
       {%- else -%}
       /etc/chrony/chrony.conf
@@ -24,7 +24,7 @@
     ntp_service_name: >-
       {% if ntp_package == "chrony" -%}
       chronyd
-      {%- elif ansible_facts['os_family'] in ["Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse"] -%}
+      {%- elif ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse"] -%}
       ntpd
       {%- else -%}
       ntp
@@ -72,14 +72,14 @@
   when:
     - ntp_timezone
     - not is_fedora_coreos
-    - ansible_facts['os_family'] not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
 
 - name: Gather selinux facts
   ansible.builtin.setup:
     gather_subset: selinux
   when:
     - ntp_timezone
-    - ansible_facts['os_family'] == "RedHat"
+    - ansible_os_family == "RedHat"
 
 - name: Put SELinux in permissive mode, logging actions that would be blocked.
   ansible.posix.selinux:
@@ -87,7 +87,7 @@
     state: permissive
   when:
     - ntp_timezone
-    - ansible_facts['os_family'] == "RedHat"
+    - ansible_os_family == "RedHat"
     - ansible_facts.selinux.status == 'enabled'
     - ansible_facts.selinux.mode == 'enforcing'
 
@@ -103,5 +103,5 @@
     state: "{{ preinstall_selinux_state }}"
   when:
     - ntp_timezone
-    - ansible_facts['os_family'] == "RedHat"
+    - ansible_os_family == "RedHat"
     - ansible_facts.selinux.status == 'enabled'

roles/kubernetes/preinstall/tasks/0100-dhclient-hooks.yml

@@ -26,7 +26,7 @@
     owner: root
     mode: "0755"
   notify: Preinstall | propagate resolvconf to k8s components
-  when: ansible_facts['os_family'] not in [ "RedHat", "Suse" ]
+  when: ansible_os_family not in [ "RedHat", "Suse" ]
 
 - name: Configure dhclient hooks for resolv.conf (RH-only)
   template:
@@ -35,4 +35,4 @@
     owner: root
     mode: "0755"
   notify: Preinstall | propagate resolvconf to k8s components
-  when: ansible_facts['os_family'] == "RedHat"
+  when: ansible_os_family == "RedHat"

roles/kubernetes/preinstall/tasks/main.yml

@@ -83,7 +83,7 @@
     - dns_mode != 'none'
     - resolvconf_mode == 'host_resolvconf'
     - dhclientconffile is defined
-    - ansible_facts['os_family'] not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
   tags:
     - bootstrap_os
     - resolvconf
@@ -94,7 +94,7 @@
     - dns_mode != 'none'
     - resolvconf_mode != 'host_resolvconf'
     - dhclientconffile is defined
-    - ansible_facts['os_family'] not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
   tags:
     - bootstrap_os
     - resolvconf

roles/kubernetes/preinstall/templates/dhclient_dnsupdate.sh.j2

@@ -6,7 +6,7 @@
 if [ $reason = "BOUND" ]; then
   if [ -n "$new_domain_search" -o -n "$new_domain_name_servers" ]; then
     RESOLV_CONF=$(cat /etc/resolv.conf | sed -r '/^options (timeout|attempts|ndots).*$/d')
-    OPTIONS="options timeout:{{ dns_timeout }} attempts:{{ dns_attempts }} ndots:{{ ndots }}"
+    OPTIONS="options timeout:{{ dns_timeout|default('2') }} attempts:{{ dns_attempts|default('2') }} ndots:{{ ndots }}"
 
     printf "%b\n" "$RESOLV_CONF\n$OPTIONS" > /etc/resolv.conf
   fi

roles/kubernetes/preinstall/templates/dhclient_dnsupdate_rh.sh.j2

@@ -6,7 +6,7 @@
 zdnsupdate_config() {
   if [ -n "$new_domain_search" -o -n "$new_domain_name_servers" ]; then
     RESOLV_CONF=$(cat /etc/resolv.conf | sed -r '/^options (timeout|attempts|ndots).*$/d')
-    OPTIONS="options timeout:{{ dns_timeout }} attempts:{{ dns_attempts }} ndots:{{ ndots }}"
+    OPTIONS="options timeout:{{ dns_timeout|default('2') }} attempts:{{ dns_attempts|default('2') }} ndots:{{ ndots }}"
 
     echo -e "$RESOLV_CONF\n$OPTIONS" > /etc/resolv.conf
   fi

roles/kubespray_defaults/defaults/main/download.yml

@@ -116,7 +116,7 @@ flannel_version: 0.28.4
 flannel_cni_version: 1.7.1-flannel1
 cni_version: "{{ (cni_binary_checksums['amd64'] | dict2items)[0].key }}"
 
-cilium_version: "1.19.4"
+cilium_version: "1.19.3"
 cilium_cli_version: "{{ (ciliumcli_binary_checksums['amd64'] | dict2items)[0].key }}"
 cilium_enable_hubble: false
 
@@ -239,13 +239,13 @@ cilium_operator_image_tag: "v{{ cilium_version }}"
 cilium_hubble_relay_image_repo: "{{ quay_image_repo }}/cilium/hubble-relay"
 cilium_hubble_relay_image_tag: "v{{ cilium_version }}"
 cilium_hubble_certgen_image_repo: "{{ quay_image_repo }}/cilium/certgen"
-cilium_hubble_certgen_image_tag: "v0.4.3"
+cilium_hubble_certgen_image_tag: "v0.2.4"
 cilium_hubble_ui_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui"
-cilium_hubble_ui_image_tag: "v0.13.5"
+cilium_hubble_ui_image_tag: "v0.13.3"
 cilium_hubble_ui_backend_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui-backend"
-cilium_hubble_ui_backend_image_tag: "v0.13.5"
+cilium_hubble_ui_backend_image_tag: "v0.13.3"
 cilium_hubble_envoy_image_repo: "{{ quay_image_repo }}/cilium/cilium-envoy"
-cilium_hubble_envoy_image_tag: "v1.37.2-1778236003-7c2f6580d32e50f1a6866c12122662856f54eec2"
+cilium_hubble_envoy_image_tag: "v1.34.10-1762597008-ff7ae7d623be00078865cff1b0672cc5d9bfc6d5"
 kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
 kube_ovn_container_image_tag: "v{{ kube_ovn_version }}"
 kube_ovn_vpc_container_image_repo: "{{ docker_image_repo }}/kubeovn/vpc-nat-gateway"
@@ -263,17 +263,17 @@ kube_vip_version: 1.0.3
 kube_vip_image_repo: "{{ github_image_repo }}/kube-vip/kube-vip{{ '-iptables' if kube_vip_lb_fwdmethod == 'masquerade' else '' }}"
 kube_vip_image_tag: "v{{ kube_vip_version }}"
 nginx_image_repo: "{{ docker_image_repo }}/library/nginx"
-nginx_image_tag: 1.30.1-alpine
+nginx_image_tag: 1.28.2-alpine
 haproxy_image_repo: "{{ docker_image_repo }}/library/haproxy"
-haproxy_image_tag: 3.2.19-alpine
+haproxy_image_tag: 3.2.13-alpine
 
 # Coredns version should be supported by corefile-migration (or at least work with)
 # bundle with kubeadm; if not 'basic' upgrade can sometimes fail
 
 coredns_supported_versions:
-  '1.36': 1.14.2
   '1.35': 1.12.4
   '1.34': 1.12.1
+  '1.33': 1.12.0
 coredns_version: "{{ coredns_supported_versions[kube_major_version] }}"
 coredns_image_repo: "{{ kube_image_repo }}{{ '/coredns' if coredns_version is version('1.7.1', '>=') else '' }}/coredns"
 coredns_image_tag: "{{ 'v' if coredns_version is version('1.7.1', '>=') else '' }}{{ coredns_version }}"
@@ -327,9 +327,9 @@ csi_livenessprobe_image_repo: "{{ kube_image_repo }}/sig-storage/livenessprobe"
 csi_livenessprobe_image_tag: "v2.11.0"
 
 snapshot_controller_supported_versions:
-  '1.36': "v7.0.2"
   '1.35': "v7.0.2"
   '1.34': "v7.0.2"
+  '1.33': "v7.0.2"
 snapshot_controller_image_repo: "{{ kube_image_repo }}/sig-storage/snapshot-controller"
 snapshot_controller_image_tag: "{{ snapshot_controller_supported_versions[kube_major_version] }}"
 

roles/kubespray_defaults/defaults/main/main.yml

@@ -33,10 +33,6 @@ kube_version_min_required: "{{ (kubelet_checksums['amd64'] | dict2items)[-1].key
 ## Kube Proxy mode One of ['ipvs', 'iptables', 'nftables']
 kube_proxy_mode: ipvs
 
-# When true, kubeadm skips the kube-proxy addon (for example Cilium kube-proxy replacement).
-# Node and package tasks that exist only for kube-proxy also honor this (IPVS/nftables modules, ipvsadm, strict_arp checks).
-kube_proxy_remove: false
-
 # Debugging option for the kubeadm config validate command
 # Set to false only for development and testing scenarios where validation is expected to fail (pre-release Kubernetes versions, etc.)
 kubeadm_config_validate_enabled: true
@@ -237,10 +233,6 @@ cilium_deploy_additionally: false
 #   - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
 cilium_identity_allocation_mode: crd
 
-# The default IP address management mode is "Cluster Scope".
-# https://docs.cilium.io/en/stable/concepts/networking/ipam/
-cilium_ipam_mode: cluster-pool
-
 # Determines if calico_rr group exists
 peer_with_calico_rr: "{{ 'calico_rr' in groups and groups['calico_rr'] | length > 0 }}"
 
@@ -663,6 +655,7 @@ ssl_ca_dirs: |-
 # used for delegating tasks on a working control plane node
 first_kube_control_plane: "{{ groups['kube_control_plane'] | first }}"
 # Vars for pointing to kubernetes api endpoints
+kube_apiserver_count: "{{ groups['kube_control_plane'] | length }}"
 kube_apiserver_address: "{{ hostvars[inventory_hostname]['main_ip'] }}"
 kube_apiserver_access_address: "{{ hostvars[inventory_hostname]['main_access_ip'] }}"
 first_kube_control_plane_address: "{{ hostvars[groups['kube_control_plane'][0]]['main_access_ip'] }}"

roles/kubespray_defaults/vars/main/checksums.yml

@@ -1,23 +1,19 @@
 ---
 crictl_checksums:
   arm64:
-    1.36.0: sha256:68328594ccf780a80ae2b092d9f6ce484eec7cf540c275242e8fd954bfd95332
     1.35.0: sha256:519071de89b64c43e2a1661bb5489c6c3fd5e9e5fcef75e50e542b0c891f1118
     1.34.0: sha256:c31d252e203df5f4cf37f314bd3092eb79087e791631c1e607087c74b6d0423f
     1.33.0: sha256:e1f34918d77d5b4be85d48f5d713ca617698a371b049ea1486000a5e86ab1ff3
   amd64:
-    1.36.0: sha256:83855e114566a8a8c44c548d515670f51de3a5e1da8b2effb59870e2f10c25a3
     1.35.0: sha256:2e141e5b22cb189c40365a11807d69b76b9b3caced89fac2f4ec879408ce2177
     1.34.0: sha256:a8ff2a3edb37a98daf3aba7c3b284fe0aa5bff24166d896ab9ef64c8913c9f51
     1.33.0: sha256:8307399e714626e69d1213a4cd18c8dec3d0201ecdac009b1802115df8973f0f
   ppc64le:
-    1.36.0: sha256:43c696ef906f072f4733203809a0c9a5ec0902422ecbfa18bba92248ff1d3f20
     1.35.0: sha256:786522b14d684604c8b435312a310972bc1b460cddb1bb216a298098cd86b22e
     1.34.0: sha256:1da50181f2f6f6f6332b9dbc7d7cc020457ccd542620167953c0e288535acc93
     1.33.0: sha256:4224acfef4d1deba2ba456b7d93fa98feb0a96063ef66024375294f1de2b064f
 crio_archive_checksums:
   arm64:
-    1.36.0: sha256:b9d32392f2c7db6b72e917b8473e12f5d1b9da9d7d9f8d037ab9f19fab2f8ddd
     1.35.3: sha256:ba8a300eaa93224190bb3dabfcdf6bd264a0c5cbd6f86cec1bb9ff00a3727d32
     1.35.2: sha256:c51d0a78afa0b267fcadf49ad481f35cce3728a7d09ebd05db7c8fb8417f9ef0
     1.35.1: sha256:15fe5c7b87c985a3a78324227b920a01f3309fd1aa5eadfaa38fd48a4dd96d17
@@ -31,8 +27,20 @@ crio_archive_checksums:
     1.34.2: sha256:ac7530f7fc9d531a87bfdfcae9cf8bf81a8bbdb75e63a046ed96911aa7b68ebd
     1.34.1: sha256:41a71cab6a61ae429ec447d572fd1cdea0a7e33d62aaa58c3b07467665b50b9f
     1.34.0: sha256:3006658270477c5fb1e88e9124e40982d2ba7b34495fcc12f0fecd33bbab9a5a
+    1.33.12: sha256:b30556d67779e591b4ab449f100764cedfc18700a153d7f5ba648960d3960816
+    1.33.11: sha256:82e2c81f9aee981696304fc50e4dc79a54bf574aa857f62b7fe82ca773c30de5
+    1.33.10: sha256:1fb33599cccf590594b3a29ca1e3f45140bd25bdb836154dbcbd5eb3c4d21ace
+    1.33.9: sha256:bfcd534db3d1a9380dd7007d623e1eb3250ba64f7c4657e79e9e99b1d874f8f1
+    1.33.8: sha256:59c91726535dcadd0372df0c6aa8595e4d59590994b598b2d97ea2510b216359
+    1.33.7: sha256:af3ea22d3d6944c9a907c6c13d77e9fc4dbcf3972ffbde18dd6f37f1c2ffbd0d
+    1.33.6: sha256:6ee49e746d1a5be1a664a6f801c68b169cb181a9aaf12218eed121e2b151bfdb
+    1.33.5: sha256:ef1b5e2162b0f55722e0966db0cfe387f3ba7cb91d6a803f627121733132792d
+    1.33.4: sha256:6a04cb1ab2020508927d7237ff1174bb330211a1076683417b30642a9c8e4996
+    1.33.3: sha256:39cfbb196326952e554e0fb5f95ebcb6cc1735cf6d56a88b8ecd17d89fbc6c26
+    1.33.2: sha256:0a161cb1437a50fbdb04bf5ca11dbec8bfc567871d0597a5676737278a945a36
+    1.33.1: sha256:6bf135db438937f0ab7a533af64564a0fb1d2079a43723ce9255ecbf9556ae05
+    1.33.0: sha256:8a0dbee2879495d5b33e6fdeac32e5d86c356897bdcf3a94cd602851620ce8b5
   amd64:
-    1.36.0: sha256:7fc7a2cca25b4cf2de01660bc730fad92b6bcbecd47751e76be3d6ae545c56cd
     1.35.3: sha256:ab7362f76bf7c908c486a2f36d1587c98aeedb8f6ad4bd6731a708b9b44033f6
     1.35.2: sha256:d38771791f2bae086b24400a1e04cffed4eba6c8e9d30b03c625f8aea70921a9
     1.35.1: sha256:cd819546f01ae9dddd4a85b82f220518b37596053555a85e4b4a3d200a6e9354
@@ -46,8 +54,20 @@ crio_archive_checksums:
     1.34.2: sha256:3a0012938ed389e9270a208bb73b250062d5f1be5798472b1728403d55ddc1da
     1.34.1: sha256:22c1e4d68d9339aa58a1b0f1b40a8944102934a7505105abe461dc8a7e3de540
     1.34.0: sha256:5a8bc5c3b8072cb9bde1cf025d5597f75bf21018712c5b72d5cb0657948595c8
+    1.33.12: sha256:a1b0677be57fc803b61fefc31874af0fcedfa3e24b60d636a75e9150a351d657
+    1.33.11: sha256:95fd5623e0c904ed0e89164b83a7e6a4f2f6fa6b9a68e99377efc5fffb95f99c
+    1.33.10: sha256:1fcf2f23ef874b3df04957f15789fc14eeb34020550fe4307c9fc81fc0490acd
+    1.33.9: sha256:81c20a12866d9a7c08c6e381ed326141c917454b696a05b46ae27665fe3c5cfa
+    1.33.8: sha256:537adda39074377893f1f650a71b576ba487b3c4d2ee55e9b22f4e95fc188594
+    1.33.7: sha256:e2999436a272c77370241a4f962c80737698dd8c2400fe75e5c7cf2142c96001
+    1.33.6: sha256:4d0d446f73d9db6d5bf2c03ecdc39d9d702836886f4715886c15dc2f461cc810
+    1.33.5: sha256:b8883e51837ee7fd45c88c762f37ca4b96d80ec6a7b46ec989381089e762aa7f
+    1.33.4: sha256:8f6d14828659b85da7c83bad798d50c2f7e0311742615fb7ed305f77bab54e50
+    1.33.3: sha256:2ee843fd1bbdf32607015771a2e1320b46829f22516e559a49dc7c4e29bb756e
+    1.33.2: sha256:6e82739bbbeae12d571a277a88d85e8a0e23dbc87529414a91ee5f2e23792dcf
+    1.33.1: sha256:036063194028d24c75b9ce080e475ad97bacc955de796b7c895845294db8edbf
+    1.33.0: sha256:dad0cec9e09368b37b35ce824b0ef517a1b33365c4bb164fe82310c73c886f7e
   ppc64le:
-    1.36.0: sha256:0fbf8502f1e289316bc0cb19915c7765bd3cfce8fd880e19f9ba343e2c5ab3ea
     1.35.3: sha256:bd95d3aa3b41f173312bd1a0c8a4398c37d08d5a65d63f773f2f4635ccb769bc
     1.35.2: sha256:aff7a251a0a8f57c7ce4794d8d28465baa43e49990cd5c9d5958da22e958d5eb
     1.35.1: sha256:b4a23e9f70297f01da2840f94b82adf2ac67a4017e1d93f0c20526637df282ca
@@ -61,10 +81,21 @@ crio_archive_checksums:
     1.34.2: sha256:d4c3c9ba24b1b0eabf3c11ddec98801dda7a87b0529706e9ede18b8cc9e4182a
     1.34.1: sha256:cba0ac74e7202fe28cf8aa895b83f7a30d78b148666add78e19215259f629bb0
     1.34.0: sha256:e9e41d14439db0ca88cf2cd8533038203f379c25cd612f37635c17908e050ebf
+    1.33.12: sha256:feff9ad5d498aa0961a16a245a70e9281ce32d7c1f5974125e35ec89509df93b
+    1.33.11: sha256:1e1ae1b2b85663b581ccceb0dad3637b020f9662d9c41ebcc7159d7b65729836
+    1.33.10: sha256:da8933e5b90be44e818f2a3d165957897adac3570f42f73131d91edab0201ad5
+    1.33.9: sha256:c0a9e60800f66f85c70615128fec5a8358ffde0f715a4058163707dbcca8eb94
+    1.33.8: sha256:1d69c01512e8ebdd51fc70fc64473a31d492e8db095c0ee5d3ee58722048150c
+    1.33.7: sha256:076e7519bfff72a43fb1121ce836eee3cc1fec5bb5a59a11747c514e9d162d26
+    1.33.6: sha256:3643eefe295604288f5b652fb9c672a60f96dc803e63edaf9ee64ed4047a50dd
+    1.33.5: sha256:cf85062f39d755418da0ee4f869c7a4817bf95daee6e35df53010ad29be37c88
+    1.33.4: sha256:2b1594dad9af944e29ee74e788a8d28e1304e3f435f2efb61e5c38f20c2106f7
+    1.33.3: sha256:4293bc74f348db58adb0b0dd6affb918abee999cbaf0e42ea8a33427b8d278a5
+    1.33.2: sha256:8ed65404a57262a9f8eb75b61afa37fcec134472eb1a6d81f1889a74ff32c651
+    1.33.1: sha256:12646aca33f65fe335c27d3af582c599584d3f51185f01044e7ddd0668bb2b4c
+    1.33.0: sha256:b4fa46b25538d8145197f8bf2e935486392c0ca2a9fa609aedd02b9f106d37a6
 kubelet_checksums:
   arm64:
-    1.36.1: sha256:bf274dd3affbf2543d20465dee1f763f668f78c6fbd56197794f81337a49d687
-    1.36.0: sha256:049d95107361583e64f3ac9b8c9bdaf73fc7e512a838972b13b423a33ece87e9
     1.35.5: sha256:a100cfe89d7dd7a49a07164c6ccb78df02563483ef5b37330e1150e37e8868b3
     1.35.4: sha256:d710eef03bb4ad164bb77af9be5b11b44f874e2fc08153c7d383420d685f73e8
     1.35.3: sha256:58496a5d16d4316b18397735190d2d41e0c368169ecb458d91b09f4cd1e03c80
@@ -80,9 +111,20 @@ kubelet_checksums:
     1.34.2: sha256:3e31b1bee9ab32264a67af8a19679777cd372b1c3a04b5d7621289cf137b357c
     1.34.1: sha256:6a66bc08d6c637fcea50c19063cf49e708fde1630a7f1d4ceca069a45a87e6f1
     1.34.0: sha256:e45a7795391cd62ee226666039153832d3096c0f892266cd968936e18b2b40b0
+    1.33.12: sha256:947ee402632e055f803f1f0b3ab713f2766c10e54393ad75de15b0ade249aed3
+    1.33.11: sha256:047641f9094195384b4ade77c8ba2f0d3cee30a9f0ed6c9b649d387c7a5858ee
+    1.33.10: sha256:1e808ecedd61198887190bf472f1352004f97016b273fba827dd95f7efead806
+    1.33.9: sha256:c5719223cf378ac6bdd6a7ed79a75ba428bdc4468da70e641b2d4f73f70de6e0
+    1.33.8: sha256:e835f15be6d8b7b27b963a46c4a054f7663c26741f17e003bfcb8271350cf882
+    1.33.7: sha256:3035c44e0d429946d6b4b66c593d371cf5bbbfc85df39d7e2a03c422e4fe404a
+    1.33.6: sha256:7d8b7c63309cfe2da2331a1ae13cce070b9ba01e487099e7881a4281667c131d
+    1.33.5: sha256:c6ad0510c089d49244eede2638b4a4ff125258fd29a0649e7eef05c7f79c737f
+    1.33.4: sha256:623329b1a5f4858e3a5406d3947807b75144f4e71dde11ef1a71362c3a8619cc
+    1.33.3: sha256:3f69bb32debfaf25fce91aa5e7181e1e32f3550f3257b93c17dfb37bed621a9c
+    1.33.2: sha256:0fa15aca9b90fe7aef1ed3aad31edd1d9944a8c7aae34162963a6aaaf726e065
+    1.33.1: sha256:10540261c311ae005b9af514d83c02694e12614406a8524fd2d0bad75296f70d
+    1.33.0: sha256:ae5a4fc6d733fc28ff198e2d80334e21fcb5c34e76b411c50fff9cb25accf05a
   amd64:
-    1.36.1: sha256:7efa1780c73d9fb3a464002864e582eb2d15aa691e475eaae323093d08feae14
-    1.36.0: sha256:d857082946c28493e8fdc52227feabd962e0e0900b6c6e4f6510168043b79dd4
     1.35.5: sha256:4ba1f892bd52fdae7cd2abb1b1111054ff274c71f88af0a85fd9f1107e8d46c8
     1.35.4: sha256:983a6ba5a49823dcdd745c674e5e2416377dd27d6ad1b42d2befa0fb961a19f6
     1.35.3: sha256:28d570423eaad5f1f5658a646bd8c015c786c95d62ffaf14bf35fa0c4326fa05
@@ -98,9 +140,20 @@ kubelet_checksums:
     1.34.2: sha256:9c5e717b774ee9b9285ce47e7d2150c29e84837eb19a7eaa24b60b1543c9d58f
     1.34.1: sha256:5a72c596c253ea0b0e5bcc6f29903fd41d1d542a7cadf3700c165a2a041a8d82
     1.34.0: sha256:5c0d28cea2a3a5c91861dda088a29d56c1b027e184dae1d792686f0710750076
+    1.33.12: sha256:4cd11210b02c8b562c7404394ef5c026a5a2045fdf7d9715660f589c4b02a577
+    1.33.11: sha256:4a3d265ee760ee4490b55989e5c3d87deffefa86a6f100f2a7453d353a1ae255
+    1.33.10: sha256:ae9cc2e8603f53aedf922c989f3be262d443a6fb19f87e590b5edadbabbc9b07
+    1.33.9: sha256:d0cec9b15e1ba1b4e3595754aa2d5200d1c8c704892ac07afe5b04b44bdf288c
+    1.33.8: sha256:1caa69c5328cfa774218f75f0621a6f10a1b97e095af85015f468aeb8fdf956a
+    1.33.7: sha256:2cea40c8c6929330e799f8fc73233a4b61e63f208739669865e2a23a39c3a007
+    1.33.6: sha256:10cd08fe1f9169fd7520123bcdfff87e37b8a4e21c39481faa382f00355b6973
+    1.33.5: sha256:8f6106b970259486c5af5cbee404d4f23406d96d99dfb92a6965b299c2a4db0e
+    1.33.4: sha256:109bd2607b054a477ede31c55ae814eae8e75543126dc4cea40b04424d843489
+    1.33.3: sha256:37f9093ed2b4669cccf5474718e43ec412833e1267c84b01e662df2c4e5d7aaa
+    1.33.2: sha256:77fa5d29995653fe7e2855759a909caf6869c88092e2f147f0b84cbdba98c8f3
+    1.33.1: sha256:f7224648451dd4f9f2c4f79416f9874223c286ce41727788965fd0341ddb59c4
+    1.33.0: sha256:dd416d94850c342226d3dcdce838518b040ccea16548bfeaf2595934af88ef60
   ppc64le:
-    1.36.1: sha256:98b63a44b87fb78ceca06918b5a0b5d01ab581fb12fbed9a2f7e8998fca64e8a
-    1.36.0: sha256:761a1f6d3570fd4f25b151ec7570d061629320931c10e57f93f3924a490738eb
     1.35.5: sha256:96ead1e3161093f38627ebb02acfb9cb0b76e09f444dc134b5ae40ca9dbe5684
     1.35.4: sha256:2ad1490dd74092d3be53953b13bef36f6fd45d6ad5c05caeffb6afef67ac8ef7
     1.35.3: sha256:f4665d0ad4f43784d90037d67dcce17cc2b079e4d7b165b85a8a90fb1ddc1b51
@@ -116,10 +169,21 @@ kubelet_checksums:
     1.34.2: sha256:a195f278b9bac26803f1e26b0f608e0dce66aad033e8c043e8555775612530c9
     1.34.1: sha256:c4782dbf1987680e9b2baa3ecf5db9e66395772e82b251eb73a150fbfbe0b906
     1.34.0: sha256:ed663fa4ff3e305276dd889885303e07989dfab073e95ef2da931b975f6686e8
+    1.33.12: sha256:45e83745d10b1ee232a40f20f4bddbf53e43524ad6e6eee5898f2117b1dd25de
+    1.33.11: sha256:aec60ca95db4d98b7a7da7c24421628bf5e54b8347bf4d4ceb61d6b6f4352260
+    1.33.10: sha256:3275d6bf23bcb1a604238bde6c9d790052c6f9fa027bcac57d8c701d09c49e6b
+    1.33.9: sha256:2afd4985fa8ef88bbc8e40691b83ad44ccf8ae2e57a17297921f922b4aa6f438
+    1.33.8: sha256:392ed39b6c037bc5c510412c9b5cfd29238d31dd67d1a3cbae7ef4a274304c63
+    1.33.7: sha256:f96dd4272ca8eccf1f93fb5162323840b9286c5a42a5305fcc1b4d47889534d3
+    1.33.6: sha256:00ae91297503518efd237d40900af4de0067597ae4f2ab8250ddb629ffb6df05
+    1.33.5: sha256:1d785ead3f6709f66a105c629a020b9dfe6dff775fae42f7d147edec2d178351
+    1.33.4: sha256:5133077024e5a59ece48d2e6d0fdaeed5c4f90c5e781f25c89c984ee4da396a6
+    1.33.3: sha256:bb4123e09734348d4b553c031bfe7710adcffffe79ed9973a526e36d87aa19fe
+    1.33.2: sha256:be8412cb9bf30125e3a88ecb9bfca4df1ff5d4e650947c46222683071f1a17d7
+    1.33.1: sha256:c1bc01115a513eaec76d56dc52a52aeb05f866a6d07c55335c1fff56c868543d
+    1.33.0: sha256:6fa5abbc14d65b943b00fcfc8a6ac7eb39fd7e924271738c6f17e0b7e74c665b
 kubectl_checksums:
   arm:
-    1.36.1: sha256:0f5f7530e6ac3b887e01c963b5eea477cc6f590ec5e3a4e23a5485e6d9227761
-    1.36.0: sha256:bd1ab1f3d3cb7dec7c46799355e82717a6519fa83708752c2be88fe5c378681f
     1.35.5: sha256:7c3ad2c154975287027cbfaaeaeed83c2f5ec1d602e9b10646da204850d295df
     1.35.4: sha256:44093efefd9f776b352f634cea6c4e8fcf4e78378ffda7f31db23072cef97864
     1.35.3: sha256:9cec279039e5c95c79f939f7245d57cf3f65c799de8d76e68281479ace742f68
@@ -135,9 +199,20 @@ kubectl_checksums:
     1.34.2: sha256:18e03c1c6ab1dbff6d2a648bf944213f627369d1daeea5b43a7890181ab33abf
     1.34.1: sha256:ca6218ae8bf366bd8ccdcb440b756c67422a4e04936163845f74d8c056e786ee
     1.34.0: sha256:69d2ce88274caf9d9117b359cc27656fb6f9dd6517c266cfd93c6513043968b8
+    1.33.12: sha256:00c875a3bc836ebc45e94508ea7dfdfa168b58799c670aa6869cb49bb0a95a2a
+    1.33.11: sha256:59106c12ba63854c20d510357beeb4c915850c67118747f12cde64eebbc9d152
+    1.33.10: sha256:df63b4cb5ba17eaa8d72dc165e0f1bff0a56ccf348629f5ea18337215ae93f50
+    1.33.9: sha256:d6b8a351fb5f1409e2c50c52452884eca09e56cabdaae03cfaa40467661d3ecc
+    1.33.8: sha256:734dea07663751c8b45926c843e2c250f13473d65f396555a1ecfe0c9c502fa8
+    1.33.7: sha256:f6b9ac99f4efb406c5184d0a51d9ed896690c80155387007291309cbb8cdd847
+    1.33.6: sha256:89bcef827ac8662781740d092cff410744c0653d828b68cc14051294fcd717e6
+    1.33.5: sha256:5a3a416a85cfc9f7a348c0c0e6334b7449e00a57288ab5a57286ccf68a4d06af
+    1.33.4: sha256:eefd3864ce5440e0ba648b12d53ccffaad97f1c049781b1aa21af6a5278f035f
+    1.33.3: sha256:0124dba9e9091b872591cabcbaea7df07069cb132d38d95f3c7bc8d5b8b621a9
+    1.33.2: sha256:f3992382aa0ea21f71a976b6fd6a213781c9b58be60c42013950110cf2184f2a
+    1.33.1: sha256:6b1cd6e2bf05c6adaa76b952f9c4ea775f5255913974ccdb12145175d4809e93
+    1.33.0: sha256:bbb4b4906d483f62b0fc3a0aea3ddac942820984679ad11635b81ee881d69ab3
   arm64:
-    1.36.1: sha256:59f7ee8e477fae658447607dc3c8790ac17a1b016c01c622c12070e969e2d4e7
-    1.36.0: sha256:9f9d9c44a7b5264515ac9da5991584e2395bd50662e651132337e7b4d0c56f8f
     1.35.5: sha256:ac69e06fd6860d69786692f5af1c3a1208ed54f8366a4d97ab15c172e99765ee
     1.35.4: sha256:6a5a4cc4e396d7626a7a693a3044b51c75520f81db30fe6816c2554e53be336f
     1.35.3: sha256:6f0cd088a82dde5d5807122056069e2fac4ed447cc518efc055547ae46525f14
@@ -153,9 +228,20 @@ kubectl_checksums:
     1.34.2: sha256:95df604e914941f3172a93fa8feeb1a1a50f4011dfbe0c01e01b660afc8f9b85
     1.34.1: sha256:420e6110e3ba7ee5a3927b5af868d18df17aae36b720529ffa4e9e945aa95450
     1.34.0: sha256:00b182d103a8a73da7a4d11e7526d0543dcf352f06cc63a1fde25ce9243f49a0
+    1.33.12: sha256:d1a1f7b86859108406e997430a59c95c72a77cc33cdc4faccd046407aff2cfac
+    1.33.11: sha256:75ba96c8cc1f74c67ef3890e43186c0f308ee71d71c8d517879fd703c922d903
+    1.33.10: sha256:e9494229893ccddc81065275c0e5f21167518ab939f0e95aecb649fb4b41c112
+    1.33.9: sha256:af4dc943a6f447ecb070340efe63c7f8ee2808e6c0bc42126efe7cde0cc1e69b
+    1.33.8: sha256:76e284669f1f6343bd9fe2a011757809c8c01cf51da9f85ee6ef4eb93c8393a8
+    1.33.7: sha256:fa7ee98fdb6fba92ae05b5e0cde0abd5972b2d9a4a084f7052a1fd0dce6bc1de
+    1.33.6: sha256:3ab32d945a67a6000ba332bf16382fc3646271da6b7d751608b320819e5b8f38
+    1.33.5: sha256:6db7c5d846c3b3ddfd39f3137a93fe96af3938860eefdbf2429805ee1656e381
+    1.33.4: sha256:76cd7a2aa59571519b68c3943521404cbce55dafb7d8866f8d0ea2995b396eef
+    1.33.3: sha256:3d514dbae5dc8c09f773df0ef0f5d449dfad05b3aca5c96b13565f886df345fd
+    1.33.2: sha256:54dc02c8365596eaa2b576fae4e3ac521db9130e26912385e1e431d156f8344d
+    1.33.1: sha256:d595d1a26b7444e0beb122e25750ee4524e74414bbde070b672b423139295ce6
+    1.33.0: sha256:48541d119455ac5bcc5043275ccda792371e0b112483aa0b29378439cf6322b9
   amd64:
-    1.36.1: sha256:629d3f410e09bf49b64ae7079f7f0bda1191efed311f7d37fdbab0ad5b0ec2b7
-    1.36.0: sha256:123d8c8844f46b1244c547fffb3c17180c0c26dac9890589fe7e67763298748e
     1.35.5: sha256:90f75ea6ecc9ea5633262e1c0b83a40560003b30fc94a04cb099404fcef0c224
     1.35.4: sha256:b529430df69a688fd61b64ad2299edb5fd71cb58be2a4779dba624c7d3510efd
     1.35.3: sha256:fd31c7d7129260e608f6faf92d5984c3267ad0b5ead3bced2fe125686e286ad6
@@ -171,9 +257,20 @@ kubectl_checksums:
     1.34.2: sha256:9591f3d75e1581f3f7392e6ad119aab2f28ae7d6c6e083dc5d22469667f27253
     1.34.1: sha256:7721f265e18709862655affba5343e85e1980639395d5754473dafaadcaa69e3
     1.34.0: sha256:cfda68cba5848bc3b6c6135ae2f20ba2c78de20059f68789c090166d6abc3e2c
+    1.33.12: sha256:fe80ae4133b44fa2077db4af144e80765eb1b3b2eede55fbff6933c4374d8c6e
+    1.33.11: sha256:5d0ff87b99e4bbc38b9876b3172c414f8691008d291e36f89547318925ce7716
+    1.33.10: sha256:f156acb753ee4366789ab7a663916eb580e7ee1b9e449bc9b052181db524e3f5
+    1.33.9: sha256:9e33e3234c0842cd44a12c13e334b4ce930145ea84b855ce7cc0a7b6bc670c22
+    1.33.8: sha256:7f9c3faab7c9f9cc3f318d49eb88efc60eb3b3a7ce9eee5feb39b1280e108a29
+    1.33.7: sha256:471d94e208a89be62eb776700fc8206cbef11116a8de2dc06fc0086b0015375b
+    1.33.6: sha256:d25d9b63335c038333bed785e9c6c4b0e41d791a09cac5f3e8df9862c684afbe
+    1.33.5: sha256:6a12d6c39e4a611a3687ee24d8c733961bb4bae1ae975f5204400c0a6930c6fc
+    1.33.4: sha256:c2ba72c115d524b72aaee9aab8df8b876e1596889d2f3f27d68405262ce86ca1
+    1.33.3: sha256:2fcf65c64f352742dc253a25a7c95617c2aba79843d1b74e585c69fe4884afb0
+    1.33.2: sha256:33d0cdec6967817468f0a4a90f537dfef394dcf815d91966ca651cc118393eea
+    1.33.1: sha256:5de4e9f2266738fd112b721265a0c1cd7f4e5208b670f811861f699474a100a3
+    1.33.0: sha256:9efe8d3facb23e1618cba36fb1c4e15ac9dc3ed5a2c2e18109e4a66b2bac12dc
   ppc64le:
-    1.36.1: sha256:b6acc7be1bfd5f9a10cd6b03b8e6c25a96c0f9a127efa31932752d3ffe97d909
-    1.36.0: sha256:c0a8afcb7899202969000debabcf98013c902c42765537e96c52da0e31be3032
     1.35.5: sha256:152feec62929570afd0baf83aa4c75e0f1d7ef72aa643a2317a23c2763d6fcc0
     1.35.4: sha256:f342a732cd59cb390e1bbcae1262d07b5e700ff0e8447ced0ee2331ae6e39c70
     1.35.3: sha256:71bbea965f06679407e3b394103c83104d730510cdb5e1d1826359d789eeef7c
@@ -189,10 +286,21 @@ kubectl_checksums:
     1.34.2: sha256:49a985986a9add6c229c628bf2a83addebbdeeef40469fce2a54e51b6f1bb05b
     1.34.1: sha256:45499f0728b4a3428400db289edb444609d41787061f09b66f18028c0a73652f
     1.34.0: sha256:1773805a0c128f4d267b2e11f4c74cac287e9a07fffaecc3f7af6df9c8aaf82c
+    1.33.12: sha256:98c41d912f64d4c39fe634c3beb49622328ccf7be926f1bb7a03f86d65390be3
+    1.33.11: sha256:78ab0289917b1eac69b01a2da86385b3ccf2b99b56c93973daba4226a32a90f1
+    1.33.10: sha256:9ecb0ebd9bb289258ef07a7646e39be6b7e0afb2fde85f6fb075798b4685a8d6
+    1.33.9: sha256:0641f8f8a6153c13dc3ab90a86e242d095a218d30e13cf42c41000e9a7ccc9c3
+    1.33.8: sha256:aa079f403c80ba6017449c230733fed4e5d7b0a8700bd6590ee202161b8b12af
+    1.33.7: sha256:0807c38a1342ab8dea6435f33d5897a01527d348a968a5c4ca2929769f3d54f2
+    1.33.6: sha256:4b056b1749c619fab6a855247c3bd04123f2b61cf136ca6bddf69ff97a727e32
+    1.33.5: sha256:37e2204d371bbbb90fd693049a7a45b81991ca8bcc9b8baf041a7c9f23e9035c
+    1.33.4: sha256:fa61404b9c3d76f342f2ad05616753475739ab488e0beffd22942e0cb266cfa9
+    1.33.3: sha256:e0261727822c685f63902f7d78ddfcd112bfde4619692b6c1aae68d162245f67
+    1.33.2: sha256:d1cdf13cb786c1ee6d5bf6d85034f496aa2fee97b287028043eb14c5dc74993f
+    1.33.1: sha256:f922dd8f558dc616ebaa34908ceb7964ebb8caadd7c48699d0b791ffff2be1aa
+    1.33.0: sha256:580d076c891711ec37afaf5994f72a8aad9d45c25413e6e94648e988a5a9933a
 kubeadm_checksums:
   arm64:
-    1.36.1: sha256:82fa5119d6687f721cd80cb278bac08f54cc5d3fd0320c66cef9394d42e153a9
-    1.36.0: sha256:43d4ca3a9f8f49c2c2f6db2c056de1a00fa110a3dd5aa68a74fbc52e42d96c01
     1.35.5: sha256:24658203703a8bfa2813571881c1ba08f8cc4aff714a5b43bbf417af7d3cf229
     1.35.4: sha256:e8f6b5bee3e2c8b5965f4ae65c2ae04e3f9f426d2458a1e2f159e824d419d92c
     1.35.3: sha256:647a9821c37a27bcaf6d679a191732b686c01cecd0219d5e579129f0cfd62cef
@@ -208,9 +316,20 @@ kubeadm_checksums:
     1.34.2: sha256:065f7de266c59831676cc48b50f404fd18d1f6464502d53980957158e4cab3a7
     1.34.1: sha256:b0dc5cf091373caf87d069dc3678e661464837e4f10156f1436bd35a9a7db06b
     1.34.0: sha256:6b7108016bb2b74132f7494e200501d6522682c01759db91892051a052079c77
+    1.33.12: sha256:ff4dec51ebb2807ad416679da503c351f0ac240a5c8da38aebbc4ab6c10643c3
+    1.33.11: sha256:6b85e3ad2e3cf876eaff4bf8833170d991af4a6967f95572c89d43a3994891fc
+    1.33.10: sha256:c7d822a9517ccc6921f22447ad75d3f6edb88ca3a44e366057ad3cddc4e77922
+    1.33.9: sha256:d57594c581998d011b7c3ec77fde8b5a2d9e37885f21b749b423087715dc4511
+    1.33.8: sha256:b5248b51e66e4716261f2c926fe2f08a293795e6863099e7792b4d57dbb9109e
+    1.33.7: sha256:b24eeeff288f9565e11a2527e5aed42c21386596110537adb805a5a2a7b3e9ce
+    1.33.6: sha256:ef80c198ca15a0850660323655ebf5c32cc4ab00da7a5a59efe95e4bcf8503ab
+    1.33.5: sha256:b1c00657649e35771569d095e531d826bd19baf57bcb53cccf3f91d7d60b7808
+    1.33.4: sha256:ef471b454d68ee211e279ddeaebde6ee7a8e14b66ae58e0d0184e967c3595892
+    1.33.3: sha256:bf8ed3bc3952e04f29863c6910ae84b359fe7ac1e642ed4d742ceb396e62c6f2
+    1.33.2: sha256:21efc1ba54a1cf25ac68208b7dde2e67f6d0331259f432947d83e70b975ad4cc
+    1.33.1: sha256:5b3e3a1e18d43522fdee0e15be13a42cee316e07ddcf47ef718104836edebb3e
+    1.33.0: sha256:746c0ee45f4d32ec5046fb10d4354f145ba1ff0c997f9712d46036650ad26340
   amd64:
-    1.36.1: sha256:f35980333a4dae753807345ae359eca03f48f9945855e6a6a6708fe8b3b24038
-    1.36.0: sha256:f962dcee1f49a51368c3b383742144d99eacff77b2132cd0a540ed8c6b30fe81
     1.35.5: sha256:cbf71fbee3a3f60edf3fae4e50994f88a35b35cddf65d373d7955b58e8785397
     1.35.4: sha256:0c0497da793f8897c14e45340da919534b615294a1aab69dc1998896c0f11145
     1.35.3: sha256:a3fb4b3a214a807e2ef4c3fda3196c7f97dcf8152558de5a3c473c869bda0b07
@@ -226,9 +345,20 @@ kubeadm_checksums:
     1.34.2: sha256:6a2346006132f6e1ed0b5248e518098cf5abbce25bf11b8926fb1073091b83f4
     1.34.1: sha256:20654fd7c5155057af5c30b86c52c9ba169db6229eee6ac7abab4309df4172e7
     1.34.0: sha256:aecc23726768d1753fd417f6e7395cb1a350373295e8e9d9f80e95ed3618e38e
+    1.33.12: sha256:e48a37f0c2faa1d96cf2a577ff420d505e4fc0a4722e5e148fbc3cb5f593ee04
+    1.33.11: sha256:50b66a385ae5bf1ef69c596d07f387b553f0b62f0c48932e0aa14fdd44b1f006
+    1.33.10: sha256:e06fa8adac158ef8bb0bc05c0b64dcfab7abcd7950a27bb5c1b70d70ff98a874
+    1.33.9: sha256:9732cc2383e73f64275326e02a5595c792a94ee0ebf84cea37a32fcbf926e6e5
+    1.33.8: sha256:8259af514dc3655e8abec1a69b637f31cce2ecb940a80ae4a268e5287890f009
+    1.33.7: sha256:c10813d54f58ef33bbe6675f3d39c8bd401867743ebc729afdd043265040c31d
+    1.33.6: sha256:c1b84cb3482dd79e26629012f432541ccb505c17f5073aa1fdbca26b1e4909fd
+    1.33.5: sha256:6761219749c6c67a56a5668dfe65d669e0c1f34d4b280b72de6d74d47c601f1e
+    1.33.4: sha256:a109ebcb68e52d3dd605d92f92460c884dcc8b68aebe442404af19b6d9d778ec
+    1.33.3: sha256:baaa1f7621c9c239cd4ac3be5b7e427df329d7e1e15430db5f6ea5bb7a15a02b
+    1.33.2: sha256:5c623ec9a9b8584beba510da5c2b775c41cf51c0accdfb43af093bc084563845
+    1.33.1: sha256:9a481b0a5f1cee1e071bc9a0867ca0aad5524408c2580596c00767ba1a7df0bd
+    1.33.0: sha256:5a65cfec0648cabec124c41be8c61040baf2ba27a99f047db9ca08cac9344987
   ppc64le:
-    1.36.1: sha256:4278b80f58501b29040ec574ee5afd433e140d6f93c1697a465a9fdb215cb2bd
-    1.36.0: sha256:e621bf6a3115bea05c26e8d6ef9f7946a27437934e0244bbf59dc296bdf6459e
     1.35.5: sha256:26169d372ea165a01b33ad15259bf9d298ab1f66e326ab83ae0a942c6f3a43df
     1.35.4: sha256:3da9884894da6a6c1083f00c6a837b52084dca9275114694bdc387ba66bff474
     1.35.3: sha256:907fb03a83683e82b0d183675a0c6f0cd36b2cc3970bfe8fdb47098f67ce7828
@@ -244,6 +374,19 @@ kubeadm_checksums:
     1.34.2: sha256:bea4ed6d971523da794a802de15910b08c09e23bc4c850ee3b953c4bdb0b7976
     1.34.1: sha256:ddb6bd80bee0719924ae901672b99205226badab74fb13a9e1bb6d3de49fbb21
     1.34.0: sha256:7201ba36f44187f408a036c4a545e2a3cd12943b1297092687bb66c9a1a9fed6
+    1.33.12: sha256:1144e8dc38305f01699bcd33baa0bccb4272307ec6b8c4ac57742a082aab1da2
+    1.33.11: sha256:51c6db310ef120e80c02cb7a345085d50925944ae158de0087e8b22a9a3fe2bf
+    1.33.10: sha256:5f23294874bdd4097601f9068344ebfa5be4a8d4ce14380fe4f9b764a20f5bb9
+    1.33.9: sha256:b644b9947f3b79d0ff4c19389cf23f436bb5d6f23166ed3b4e0aee09775b3065
+    1.33.8: sha256:d618fa97b5782b57512e0a8ab9ed17af190236907af7bd3c9c0776d81c78273f
+    1.33.7: sha256:db2e20d0c20928ae7d68d7603020f8ffd89dcdac4fdc160ef83f1da663868bed
+    1.33.6: sha256:58aaec7b5066b6e3705e0493a2f51c7f101b17165ce714c4d52a2b53861c078b
+    1.33.5: sha256:b1e261109a4e22e0a417d10724bed7f71ba12c2acc167a55d89211e49c2e5eee
+    1.33.4: sha256:eb4f3b7a875ffe06aadd5b5ff7b3dccec125933b7ba6fcb5baed39c9c01220c4
+    1.33.3: sha256:d9f30f0eb538be98cd07603b945611b056be5e5871369b16e23090545ef8cdfa
+    1.33.2: sha256:1b818900ac7af72a14f50300d6c6ad600eecdc578c37b75fa488cc654ca08c25
+    1.33.1: sha256:a772834ba22478c9119f03ecca2a27a70234623d74ff1d7671ee85675a4e830b
+    1.33.0: sha256:26cb7ac57d522a59c84c4784b176097d23c7b4e61874fab84ae719d0e43ac0bc
 etcd_binary_checksums:
   arm64:
     3.6.11: sha256:5302f1a6157c34eb0568c75fba9d06da98353576df04399f08645bef634acd2d
@@ -999,7 +1142,6 @@ nerdctl_archive_checksums:
     1.7.1: sha256:799d35de7a182da35d850308c7f1787cd7321404348ff2d5ba64ad43b06b395a
     1.7.0: sha256:8b9e7cccbcc0a472685d1bc285f591f41005f8699e7265ea5438a3e06aefdcfd
   arm64:
-    2.3.0: sha256:7c53628e76cdb6bd7642f8aef7f838d413dd53957c6bbf5a78dc2208d58b81f1
     2.2.2: sha256:4e222d6be16d94052079a4773e04f21c82e07f9b5847163fed78396e6ad8eeb5
     2.2.1: sha256:abc83c9ac3d843c3442eedfb61c6456b8b59b1e4cd69f69598ca1582acc7c094
     2.2.0: sha256:37b353122e0785578d1680fb1d7be546f4c64d0a4aed7875d3a216b2c44be76d
@@ -1024,7 +1166,6 @@ nerdctl_archive_checksums:
     1.7.1: sha256:46affa0564bb74f595a817e7d5060140099d9cfd9e00e1272b4dbe8b0b85c655
     1.7.0: sha256:1255eea5bc2dbac9339d0a9acfb0651dda117504d52cd52b38cf3c2251db4f39
   amd64:
-    2.3.0: sha256:e81f6f999cce35ed998cf24b922855d37306bf2ff0e4c0df80492d82b0b58fd6
     2.2.2: sha256:6f637760fb2875e3454e97c3de7438fd17281b5996908cbd8ee1c872b0653cc8
     2.2.1: sha256:34144de7f12756aa4b9dc42a907fd95b0c5eb82a63566a650ca10c8abe7a26a0
     2.2.0: sha256:1b3390a832eaeaa1459cf42357da983205da2dd72300a015ad018b3499fc455e
@@ -1049,7 +1190,6 @@ nerdctl_archive_checksums:
     1.7.1: sha256:5fc0a6e8c3a71cbba95fbdb6833fb8a7cd8e78f53de10988362d4029c14b905a
     1.7.0: sha256:844c47b175a3d6bc8eaad0c51f23624a5ef10c09e55607803ec2bc846fb04df9
   ppc64le:
-    2.3.0: sha256:3f6f9d64095e13deb7d1c7a873b2e7bc60c09f77f274897e7191a0e01b8d319f
     2.2.2: sha256:afc4635fa900815857be72dc17fcbfe81a35251c7de9aac62187974c3e49328c
     2.2.1: sha256:05c3573e0468fbe6ccecce497b8129beec0fa1d8afadeba244e3d5ac63047fce
     2.2.0: sha256:cc9f55ffec892498bb27db1f6b0eef16b591ee4ce873b61f2fd9a9a30930c620
@@ -1075,8 +1215,6 @@ nerdctl_archive_checksums:
     1.7.0: sha256:e421ae655ff68461bad04b4a1a0ffe40c6f0fcfb0847d5730d66cd95a7fd10cd
 containerd_archive_checksums:
   arm64:
-    2.3.1: sha256:46a83603a850f3916ca7c942310daaf82ed17773a85b1d431e92d4a541e46d0d
-    2.3.0: sha256:06623dc8719b30d06303420f7eae91b0a9ade4e71243a4102f6375e585fb0a42
     2.2.4: sha256:d0897c8e27c96a7b7d4c73e9b278ea9f559dda619d497d88b323a528bd1412c3
     2.2.3: sha256:2942d72435b18610f7b69c1ddb74f99cef5c549425ff80d3e74f04e5e80db6a4
     2.2.2: sha256:cb102473d6e353beb604178879d51cc456da0cdf368d9437d8d404ed01baf674
@@ -1134,8 +1272,6 @@ containerd_archive_checksums:
     1.7.1: sha256:1f828dc063e3c24b0840b284c5635b5a11b1197d564c97f9e873b220bab2b41b
     1.7.0: sha256:e7e5be2d9c92e076f1e2e15c9f0a6e0609ddb75f7616999b843cba92d01e4da2
   amd64:
-    2.3.1: sha256:628448bd973610c656c1cbea8e88b32fafd85b23cc1aa4a3372eb7198478c054
-    2.3.0: sha256:4cb83e7100a5e73fcb626207d0b5bcfd1294e26aeddfe075dcfb38f375c5f887
     2.2.4: sha256:62e77f6294e432dca5b56ad7e7d6085b5bbb526ebba0a51d832714f9b04cfdfd
     2.2.3: sha256:ca26ef5138f17b847bbeeec36d4bf5e002b54d25858197a870c125d57f44d32f
     2.2.2: sha256:2c08c99cbde73b3388c6d5da68e0bcaebc70c9174f2b14d785695e4401b3ede0
@@ -1193,8 +1329,6 @@ containerd_archive_checksums:
     1.7.1: sha256:9504771bcb816d3b27fab37a6cf76928ee5e95a31eb41510a7d10ae726e01e85
     1.7.0: sha256:b068b05d58025dc9f2fc336674cac0e377a478930f29b48e068f97c783a423f0
   ppc64le:
-    2.3.1: sha256:cb5bcdb38c79fb78dc7b4e7c02d0c0e41b486446f646a49ed7e6c35c077d8d33
-    2.3.0: sha256:2cdb0f1e4fce22733fee6b6887b55ea2a963dfe7436259722db98aeb4f41e051
     2.2.4: sha256:66328e683a6fe7f7267a0ee611cb9a76b2b0a9b9d9535d9564cd84dae8f38dd7
     2.2.3: sha256:95889d141444ce5845255042c8757a5ca816e895cc884f8d345e9a6d5e99e130
     2.2.2: sha256:8f7a8190f2a635cd0e5580a131408a275ba277f7a04edffba4a4005960093987
@@ -1253,8 +1387,6 @@ containerd_archive_checksums:
     1.7.0: sha256:051e897d3ee5b8c8097f65be447fea2d29226b583ca5d9ed78e9aebcf4e69889
 containerd_static_archive_checksums:
   arm64:
-    2.3.1: sha256:2511a7f204fe04912acf95d6c59a65180be4491343fec79ce23b9166ac18aff3
-    2.3.0: sha256:07fe31f0e54d0b4a759ca207341bb22e2a78298f127757ad7b9a6529ef397f8b
     2.2.4: sha256:5f01ac0ad46caf685afee7614e36e406c48e73c1d84a71378dd4afe5d63a11d2
     2.2.3: sha256:b222c671503e7bdac671bb634463cffdea70d694d2420fcdc77b2b04df8c7864
     2.2.2: sha256:f22e03e12edd08dc49e139fec1fb0e0571950df0b6275577bbca718733acea9d
@@ -1312,8 +1444,6 @@ containerd_static_archive_checksums:
     1.7.1: sha256:f0435e7cda3c3abc40d3f27d403a8e24bd0b927a8a893a7e4dfaec5996fa9731
     1.7.0: sha256:6e648cd832f026e23eb6998191e618da7c1ec0c0373263d503ff464e0ae3977a
   amd64:
-    2.3.1: sha256:3e7da6f4eaab072e11fc2e88f5a2eaf6da6ffff2c6c2a8f262d3856df8e2be35
-    2.3.0: sha256:d372ee3b2d272514651d65a3cecc75433dbba4bd90ae73d90d193d24d9760325
     2.2.4: sha256:151f0cb3de61c77f89230e276761cb0f232f0e89d9c2efca3c172282d14193ef
     2.2.3: sha256:80326f17cc35de84f652a8a633a2f14086c1d828a48b62e96720b3c42059e49c
     2.2.2: sha256:5db46232ce716f85bf1e71497a9038c87e63030574bf03f9d09557802188ad27
@@ -1371,8 +1501,6 @@ containerd_static_archive_checksums:
     1.7.1: sha256:8b4e8ed8a650ea435aa71e115fa1a70701ab98bc1836b3ed33341af35bf85a3a
     1.7.0: sha256:64ad6428cc4aca486db3a6148682052955d1e3134b69f079edf686c21d123fcd
   ppc64le:
-    2.3.1: sha256:7d853a1216b0e836cfee0964b00ba116c06f71f1b1f5fae0d73dd1c21481b9c3
-    2.3.0: sha256:747101428337fd8afc996a98d23e45e7d64a1bf2dcb0dad74997356254732e85
     2.2.4: sha256:5352f7b6523d92e1d7d4a1b5288be5fe490620e104cb48623d6affab309005d6
     2.2.3: sha256:63e884ac7a25591ced974235396ed4ee98569506258672636ed55f60d4bcd66a
     2.2.2: sha256:7e3d541c578fe06bcdb36ee58140e6e36dc97e784a9228e31c3ce99937cbad10

roles/kubespray_defaults/vars/main/main.yml

@@ -7,15 +7,14 @@ kube_next: "{{ ((kube_version | split('.'))[1] | int) + 1 }}"
 kube_major_next_version: "1.{{ kube_next }}"
 
 pod_infra_supported_versions:
-  '1.36': '3.10.2'
   '1.35': '3.10.1'
   '1.34': '3.10.1'
+  '1.33': '3.10'
 
 etcd_supported_versions:
-  '1.36': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.7', '<'))[0] }}"
   '1.35': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.7', '<'))[0] }}"
   '1.34': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
-
+  '1.33': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
 # Kubespray constants
 
 kube_proxy_deployed: "{{ 'addon/kube-proxy' not in kubeadm_init_phases_skip }}"

roles/network_plugin/cilium/defaults/main.yml

@@ -171,6 +171,10 @@ cilium_hubble_peer_service_cluster_domain: "{{ dns_domain }}"
 
 cilium_gateway_api_enabled: false
 
+# The default IP address management mode is "Cluster Scope".
+# https://docs.cilium.io/en/stable/concepts/networking/ipam/
+cilium_ipam_mode: cluster-pool
+
 # Cluster Pod CIDRs use the kube_pods_subnet value by default.
 # If your node network is in the same range you will lose connectivity to other nodes.
 # Defaults to kube_pods_subnet if not set.

roles/network_plugin/cilium/tasks/check.yml

@@ -67,19 +67,3 @@
     that: "cilium_hubble_event_buffer_capacity in [1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, 2047, 4095, 8191, 16383, 32767, 65535]"
     msg: "Error: cilium_hubble_event_buffer_capacity:{{ cilium_hubble_event_buffer_capacity }} is not a power of 2 minus 1 and it should be between 1 and 65535."
   when: cilium_hubble_event_buffer_capacity is defined
-
-# Cilium < 1.20 only supports Gateway API v1.4.1; v1.5+ standard channel drops
-# TLSRoute v1alpha2 (served=false) which makes cilium-operator CrashLoopBackOff.
-# Fix is in Cilium 1.20+ (cilium/cilium#45251) and will not be backported.
-- name: Stop if cilium_gateway_api_enabled is incompatible with the Gateway API CRD bundle
-  assert:
-    that:
-      - gateway_api_version is version('1.5.0', '<') or gateway_api_channel != 'standard'
-    msg: |
-      Cilium < 1.20 only supports Gateway API v1.4.1, see
-      https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/gateway-api/.
-      Pin gateway_api_version: '1.4.1', or set gateway_api_channel: 'experimental'.
-  when:
-    - cilium_gateway_api_enabled
-    - gateway_api_enabled
-    - cilium_version is version('1.20.0', '<')

roles/network_plugin/custom_cni/meta/main.yml

@@ -4,7 +4,9 @@ dependencies:
     when:
       - inventory_hostname == groups['kube_control_plane'][0]
       - custom_cni_chart_release_name | length > 0
-    environment: "{{ proxy_env }}"
+    environment:
+      http_proxy: "{{ http_proxy | default('') }}"
+      https_proxy: "{{ https_proxy | default('') }}"
     release_common_opts: {}
     releases:
       - name: "{{ custom_cni_chart_release_name }}"

roles/system_packages/vars/main.yml

@@ -65,7 +65,6 @@ pkgs:
     - "{{ ping_access_ip }}"
   ipvsadm:
     - "{{ kube_proxy_mode == 'ipvs' }}"
-    - "{{ not kube_proxy_remove }}"
     - "{{ 'k8s_cluster' in group_names }}"
   libseccomp:
     - "{{ ansible_os_family == 'RedHat' }}"
@@ -81,7 +80,6 @@ pkgs:
     - "{{ ansible_distribution_major_version == '12' }}"
   nftables:
     - "{{ kube_proxy_mode == 'nftables' }}"
-    - "{{ not kube_proxy_remove }}"
     - "{{ 'k8s_cluster' in group_names }}"
   nss:
     - "{{ ansible_os_family == 'RedHat' }}"

scripts/pipeline.Dockerfile.j2

@@ -55,5 +55,5 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && rm vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
     && vagrant plugin install vagrant-libvirt \
     # Install Kubernetes collections
-    && pip install --break-system-packages --no-compile --no-cache-dir kubernetes==35.0.0 \
-    && ansible-galaxy collection install kubernetes.core:==6.4.0
+    && pip install --break-system-packages --no-compile --no-cache-dir kubernetes \
+    && ansible-galaxy collection install kubernetes.core

scripts/readme_versions.md.j2

@@ -3,7 +3,7 @@
   - [etcd](https://github.com/etcd-io/etcd) {{ etcd_version }}
   - [docker](https://www.docker.com/) {{ docker_version }}
   - [containerd](https://containerd.io/) {{ containerd_version }}
-  - [cri-o](https://cri-o.io/) {{ crio_version }} (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [cri-o](http://cri-o.io/) {{ crio_version }} (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) {{ cni_version }}
   - [calico](https://github.com/projectcalico/calico) {{ calico_version }}

test-infra/image-builder/Makefile

@@ -2,27 +2,7 @@ deploy:
 	ansible-playbook -i hosts.ini -e docker_password=$(docker_password) cluster.yml
 
 validate:
-	ansible-playbook -i localhost, -c local \
-		-e images_dir=$(CURDIR)/.image-builder \
-		-e kubevirt_buildkit_output_dir=$(CURDIR)/.image-builder/buildkit-output \
-		-e '{"kubevirt_images_push": false, "kubevirt_container_builder": "buildkit", "kubevirt_images_target_host": "localhost"}' \
-		cluster.yml
+	ansible-playbook -i hosts.ini -e '{"kubevirt_images_push": false}' cluster.yml
 
 validate-single:
-	ansible-playbook -i localhost, -c local \
-		-e images_dir=$(CURDIR)/.image-builder \
-		-e kubevirt_buildkit_output_dir=$(CURDIR)/.image-builder/buildkit-output \
-		-e '{"kubevirt_images_push": false, "kubevirt_container_builder": "buildkit", "kubevirt_images_target_host": "localhost", "kubevirt_images_selected": ["$(image_name)"]}' \
-		cluster.yml
-
-validate-docker:
-	ansible-playbook -i localhost, -c local \
-		-e images_dir=$(CURDIR)/.image-builder \
-		-e '{"kubevirt_images_push": false, "kubevirt_container_builder": "docker", "kubevirt_images_target_host": "localhost"}' \
-		cluster.yml
-
-validate-single-docker:
-	ansible-playbook -i localhost, -c local \
-		-e images_dir=$(CURDIR)/.image-builder \
-		-e '{"kubevirt_images_push": false, "kubevirt_container_builder": "docker", "kubevirt_images_target_host": "localhost", "kubevirt_images_selected": ["$(image_name)"]}' \
-		cluster.yml
+	ansible-playbook -i hosts.ini -e '{"kubevirt_images_push": false, "kubevirt_images_selected": ["$(image_name)"]}' cluster.yml

test-infra/image-builder/README.md

@@ -65,8 +65,6 @@ cd test-infra/image-builder/
 make validate
 ```
 
-This validation path runs locally and uses BuildKit, so it does not depend on SSH access to the remote builder host or a Docker daemon.
-
 ### Build only for one image
 
 ```bash
@@ -78,4 +76,3 @@ make validate-single image_name=ubuntu-2404
 
 - `kubevirt_images_push` (default: `true`): when `false`, skip docker login/push/logout.
 - `kubevirt_images_selected` (default: `[]`): list of image keys to build. Empty list builds all images.
-- `kubevirt_container_builder` (default: `docker`): use `buildkit` for local CI validation without Docker daemon access.

test-infra/image-builder/cluster.yml

@@ -1,6 +1,6 @@
 ---
 - name: Build kubevirt images
-  hosts: "{{ kubevirt_images_target_host | default('image-builder') }}"
+  hosts: image-builder
   gather_facts: false
   roles:
     - kubevirt-images

test-infra/image-builder/roles/kubevirt-images/defaults/main.yml

@@ -6,8 +6,6 @@ docker_host: quay.io
 registry: quay.io/kubespray
 kubevirt_images_push: true
 kubevirt_images_selected: []
-kubevirt_container_builder: docker
-kubevirt_buildkit_output_dir: "{{ images_dir }}/buildkit-output"
 
 images:
   ubuntu-2004:
@@ -26,8 +24,8 @@ images:
 
   ubuntu-2404:
     filename: noble-server-cloudimg-amd64.img
-    url: https://cloud-images.ubuntu.com/noble/20260323/noble-server-cloudimg-amd64.img
-    checksum: sha256:6e7016f2c9f4d3c00f48789eb6b9043ba2172ccc1b6b1eaf3ed1e29dd3e52bb3
+    url: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
+    checksum: sha256:0cf56a2b23b430c350311dbcb9221b64823a5f7a401b5cf6ab4821f2ffdabe76
     converted: false
     tag: "latest"
 
@@ -73,13 +71,6 @@ images:
     converted: true
     tag: "latest"
 
-  fedora-43:
-    filename: Fedora-Cloud-Base-Generic-43-1.6.x86_64.qcow2
-    url: https://download.fedoraproject.org/pub/fedora/linux/releases/43/Cloud/x86_64/images/Fedora-Cloud-Base-Generic-43-1.6.x86_64.qcow2
-    checksum: sha256:846574c8a97cd2d8dc1f231062d73107cc85cbbbda56335e264a46e3a6c8ab2f
-    converted: true
-    tag: "latest"
-
   fedora-coreos:
     filename: fedora-coreos-32.20200601.3.0-openstack.x86_64.qcow2.xz
     url: https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/32.20200601.3.0/x86_64/fedora-coreos-32.20200601.3.0-openstack.x86_64.qcow2.xz

test-infra/image-builder/roles/kubevirt-images/tasks/main.yml

@@ -10,63 +10,12 @@
           - kubevirt_images_selected | length == 0 or kubevirt_images_to_build | length > 0
         fail_msg: "No matching images found in `images` for `kubevirt_images_selected={{ kubevirt_images_selected }}`"
 
-    - name: Validate requested container builder
-      assert:
-        that:
-          - kubevirt_container_builder in ['docker', 'buildkit']
-        fail_msg: "Unsupported kubevirt_container_builder={{ kubevirt_container_builder }}"
-
-    - name: Validate BuildKit push mode
-      assert:
-        that:
-          - not (kubevirt_container_builder == 'buildkit' and kubevirt_images_push)
-        fail_msg: "BuildKit validation currently requires kubevirt_images_push=false"
-
-    - name: Check qemu-img availability
-      command: qemu-img --version
-      changed_when: false
-
-    - name: Check Docker availability
-      command: docker --version
-      changed_when: false
-      when: kubevirt_container_builder == 'docker'
-
-    - name: Detect BuildKit daemonless wrapper availability
-      shell: command -v buildctl-daemonless.sh
-      args:
-        executable: /bin/bash
-      register: kubevirt_buildctl_daemonless_available
-      changed_when: false
-      failed_when: false
-      when: kubevirt_container_builder == 'buildkit'
-
-    - name: Check BuildKit availability
-      shell: |
-        set -euo pipefail
-        if [ "{{ kubevirt_buildctl_daemonless_available.rc | default(1) }}" -eq 0 ]; then
-          buildctl-daemonless.sh --version
-        else
-          buildctl --version
-          buildkitd --version
-        fi
-      args:
-        executable: /bin/bash
-      changed_when: false
-      when: kubevirt_container_builder == 'buildkit'
-
     - name: Create image directory
       file:
         state: directory
         path: "{{ images_dir }}"
         mode: "0755"
 
-    - name: Create buildkit output directory
-      file:
-        state: directory
-        path: "{{ kubevirt_buildkit_output_dir }}"
-        mode: "0755"
-      when: kubevirt_container_builder == 'buildkit'
-
     - name: Download images files
       get_url:
         url: "{{ item.value.url }}"
@@ -107,95 +56,16 @@
     - name: Create docker images for each OS
       command: docker build -t {{ registry }}/vm-{{ item.key }}:{{ item.value.tag }} --build-arg cloud_image="{{ item.key }}.qcow2" {{ images_dir }}
       loop: "{{ kubevirt_images_to_build }}"
-      when: kubevirt_container_builder == 'docker'
-
-    - name: Create container images for each OS with BuildKit
-      shell: |
-        set -euo pipefail
-        IMAGE_REF="{{ registry }}/vm-{{ item.key }}:{{ item.value.tag }}"
-        OUTPUT_TAR="{{ kubevirt_buildkit_output_dir }}/vm-{{ item.key }}-{{ item.value.tag }}.tar"
-
-        # Rootless BuildKit is the CI path; root mode must not use rootless-only flags.
-        if [ "$(id -u)" -eq 0 ]; then
-          BUILDKITD_FLAGS="${BUILDKITD_FLAGS:-}"
-        else
-          BUILDKITD_FLAGS="${BUILDKITD_FLAGS:---rootless --oci-worker-no-process-sandbox --oci-worker-snapshotter=native}"
-        fi
-
-        run_buildkit() {
-        if [ "{{ kubevirt_buildctl_daemonless_available.rc | default(1) }}" -eq 0 ]; then
-          export BUILDKITD_FLAGS
-          buildctl-daemonless.sh build \
-            --frontend dockerfile.v0 \
-            --local context={{ images_dir }} \
-            --local dockerfile={{ images_dir }} \
-            --opt filename=Dockerfile \
-            --opt build-arg:cloud_image={{ item.key }}.qcow2 \
-            --output "{{ 'type=image,name=' ~ registry ~ '/vm-' ~ item.key ~ ':' ~ item.value.tag ~ ',push=true' if kubevirt_images_push else 'type=oci,dest=' ~ kubevirt_buildkit_output_dir ~ '/vm-' ~ item.key ~ '-' ~ item.value.tag ~ '.tar' }}"
-        else
-          BUILDKIT_ADDR="unix:///tmp/buildkitd-{{ item.key }}.sock"
-          buildkitd ${BUILDKITD_FLAGS} --addr "${BUILDKIT_ADDR}" >/tmp/buildkitd-{{ item.key }}.log 2>&1 &
-          buildkitd_pid=$!
-
-          cleanup() {
-            kill "${buildkitd_pid}" >/dev/null 2>&1 || true
-            wait "${buildkitd_pid}" >/dev/null 2>&1 || true
-          }
-          trap cleanup EXIT
-
-          for _ in $(seq 1 50); do
-            if buildctl --addr "${BUILDKIT_ADDR}" debug workers >/dev/null 2>&1; then
-              break
-            fi
-            sleep 0.2
-          done
-
-          buildctl --addr "${BUILDKIT_ADDR}" build \
-            --frontend dockerfile.v0 \
-            --local context={{ images_dir }} \
-            --local dockerfile={{ images_dir }} \
-            --opt filename=Dockerfile \
-            --opt build-arg:cloud_image={{ item.key }}.qcow2 \
-            --output "{{ 'type=image,name=' ~ registry ~ '/vm-' ~ item.key ~ ':' ~ item.value.tag ~ ',push=true' if kubevirt_images_push else 'type=oci,dest=' ~ kubevirt_buildkit_output_dir ~ '/vm-' ~ item.key ~ '-' ~ item.value.tag ~ '.tar' }}"
-        fi
-        }
-
-        if run_buildkit; then
-          exit 0
-        fi
-
-        echo "BuildKit failed in this environment; attempting Docker fallback for {{ item.key }}" >&2
-        if ! command -v docker >/dev/null 2>&1; then
-          echo "Docker fallback unavailable: docker command not found" >&2
-          exit 1
-        fi
-
-        docker build -t "${IMAGE_REF}" --build-arg cloud_image="{{ item.key }}.qcow2" {{ images_dir }}
-        {% if kubevirt_images_push %}
-        docker push "${IMAGE_REF}"
-        {% else %}
-        docker save -o "${OUTPUT_TAR}" "${IMAGE_REF}"
-        {% endif %}
-      args:
-        executable: /bin/bash
-      loop: "{{ kubevirt_images_to_build }}"
-      when: kubevirt_container_builder == 'buildkit'
 
     - name: Docker login
       command: docker login -u="{{ docker_user }}" -p="{{ docker_password }}" "{{ docker_host }}"
-      when:
-        - kubevirt_container_builder == 'docker'
-        - kubevirt_images_push
+      when: kubevirt_images_push
 
     - name: Docker push image
       command: docker push {{ registry }}/vm-{{ item.key }}:{{ item.value.tag }}
       loop: "{{ kubevirt_images_to_build }}"
-      when:
-        - kubevirt_container_builder == 'docker'
-        - kubevirt_images_push
+      when: kubevirt_images_push
 
     - name: Docker logout
-      command: docker logout "{{ docker_host }}"
-      when:
-        - kubevirt_container_builder == 'docker'
-        - kubevirt_images_push
+      command: docker logout -u="{{ docker_user }}" "{{ docker_host }}"
+      when: kubevirt_images_push

tests/files/fedora39-calico-selinux.yml

@@ -1,6 +1,6 @@
 ---
 # Instance settings
-cloud_image: fedora-42
+cloud_image: fedora-39
 
 # Kubespray settings
 auto_renew_certificates: true

tests/files/fedora39-calico-swap-selinux.yml

@@ -1,6 +1,6 @@
 ---
 # Instance settings
-cloud_image: fedora-42
+cloud_image: fedora-39
 
 # Kubespray settings
 auto_renew_certificates: true

tests/files/fedora39-crio.yml

@@ -1,6 +1,6 @@
 ---
 # Instance settings
-cloud_image: fedora-43
+cloud_image: fedora-39
 
 # Kubespray settings
 container_manager: crio

tests/files/fedora39-kube-router.yml

@@ -1,5 +1,5 @@
 ---
-cloud_image: fedora-43
+cloud_image: fedora-39
 cluster_layout:
   - node_groups: ['kube_control_plane', 'etcd', 'kube_node']
   - node_groups: ['kube_node']

tests/files/fedora40-docker-calico.yml

@@ -1,6 +1,6 @@
 ---
 # Instance settings
-cloud_image: fedora-43
+cloud_image: fedora-40
 
 # Kubespray settings
 auto_renew_certificates: true

tests/files/fedora40-flannel-crio-collection-scale.yml

@@ -1,5 +1,5 @@
 ---
-cloud_image: fedora-43
+cloud_image: fedora-40
 network_plugin: flannel
 container_manager: crio
 

tests/files/fedora41-calico-selinux.yml

@@ -1,6 +1,6 @@
 ---
 # Instance settings
-cloud_image: fedora-43
+cloud_image: fedora-41
 
 # Kubespray settings
 auto_renew_certificates: true

tests/files/fedora41-calico-swap-selinux.yml

@@ -1,6 +1,6 @@
 ---
 # Instance settings
-cloud_image: fedora-43
+cloud_image: fedora-41
 
 # Kubespray settings
 auto_renew_certificates: true

tests/files/fedora41-crio.yml

@@ -1,6 +1,6 @@
 ---
 # Instance settings
-cloud_image: fedora-42
+cloud_image: fedora-41
 
 # Kubespray settings
 container_manager: crio

tests/files/fedora41-kube-router.yml

@@ -1,5 +1,5 @@
 ---
-cloud_image: fedora-42
+cloud_image: fedora-41
 cluster_layout:
   - node_groups: ['kube_control_plane', 'etcd', 'kube_node']
   - node_groups: ['kube_node']