diff --git a/content/en/docs/reference/_index.md b/content/en/docs/reference/_index.md index 5be7d4c4b8..a708d75634 100644 --- a/content/en/docs/reference/_index.md +++ b/content/en/docs/reference/_index.md @@ -79,7 +79,6 @@ operator to use or manage a cluster. * [kube-apiserver configuration (v1alpha1)](/docs/reference/config-api/apiserver-config.v1alpha1/) and * [kube-apiserver configuration (v1beta1)](/docs/reference/config-api/apiserver-config.v1beta1/) and [kube-apiserver configuration (v1)](/docs/reference/config-api/apiserver-config.v1/) -* [kube-apiserver encryption (v1)](/docs/reference/config-api/apiserver-encryption.v1/) * [kube-apiserver event rate limit (v1alpha1)](/docs/reference/config-api/apiserver-eventratelimit.v1alpha1/) * [kubelet configuration (v1alpha1)](/docs/reference/config-api/kubelet-config.v1alpha1/) and [kubelet configuration (v1beta1)](/docs/reference/config-api/kubelet-config.v1beta1/) diff --git a/content/en/docs/reference/config-api/apiserver-admission.v1.md b/content/en/docs/reference/config-api/apiserver-admission.v1.md index 3deb8521b7..62e8c0f62d 100644 --- a/content/en/docs/reference/config-api/apiserver-admission.v1.md +++ b/content/en/docs/reference/config-api/apiserver-admission.v1.md @@ -152,7 +152,7 @@ requested. e.g. a patch can result in either a CREATE or UPDATE Operation.</p> </td> </tr> <tr><td><code>userInfo</code> <B>[Required]</B><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#userinfo-v1-authentication-k8s-io"><code>authentication/v1.UserInfo</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#userinfo-v1-authentication-k8s-io"><code>authentication/v1.UserInfo</code></a> </td> <td> <p>UserInfo is information about the requesting user</p> 
@@ -226,7 +226,7 @@ This must be copied over from the corresponding AdmissionRequest.</p> </td> </tr> <tr><td><code>status</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#status-v1-meta"><code>meta/v1.Status</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#status-v1-meta"><code>meta/v1.Status</code></a> </td> <td> <p>Result contains extra details into why an admission request was denied. diff --git a/content/en/docs/reference/config-api/apiserver-audit.v1.md b/content/en/docs/reference/config-api/apiserver-audit.v1.md index 7f9314292b..ec070999ae 100644 --- a/content/en/docs/reference/config-api/apiserver-audit.v1.md +++ b/content/en/docs/reference/config-api/apiserver-audit.v1.md @@ -71,14 +71,14 @@ For non-resource requests, this is the lower-cased HTTP method.</p> </td> </tr> <tr><td><code>user</code> <B>[Required]</B><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#userinfo-v1-authentication-k8s-io"><code>authentication/v1.UserInfo</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#userinfo-v1-authentication-k8s-io"><code>authentication/v1.UserInfo</code></a> </td> <td> <p>Authenticated user information.</p> </td> </tr> <tr><td><code>impersonatedUser</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#userinfo-v1-authentication-k8s-io"><code>authentication/v1.UserInfo</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#userinfo-v1-authentication-k8s-io"><code>authentication/v1.UserInfo</code></a> </td> <td> <p>Impersonated user information.</p> 
@@ -116,7 +116,7 @@ Does not apply for List-type requests, or non-resource requests.</p> </td> </tr> <tr><td><code>responseStatus</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#status-v1-meta"><code>meta/v1.Status</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#status-v1-meta"><code>meta/v1.Status</code></a> </td> <td> <p>The response status, populated even when the ResponseObject is not a Status type. @@ -144,14 +144,14 @@ at Response Level.</p> </td> </tr> <tr><td><code>requestReceivedTimestamp</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#microtime-v1-meta"><code>meta/v1.MicroTime</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#microtime-v1-meta"><code>meta/v1.MicroTime</code></a> </td> <td> <p>Time the request reached the apiserver.</p> </td> </tr> <tr><td><code>stageTimestamp</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#microtime-v1-meta"><code>meta/v1.MicroTime</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#microtime-v1-meta"><code>meta/v1.MicroTime</code></a> </td> <td> <p>Time the request reached current audit stage.</p> @@ -188,7 +188,7 @@ should be short. Annotations are included in the Metadata level.</p> <tr><td><code>metadata</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta"><code>meta/v1.ListMeta</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#listmeta-v1-meta"><code>meta/v1.ListMeta</code></a> </td> <td> <span class="text-muted">No description provided.</span></td> 
@@ -223,7 +223,7 @@ categories are logged.</p> <tr><td><code>metadata</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a> </td> <td> <p>ObjectMeta is included for interoperability with API infrastructure.</p> @@ -278,7 +278,7 @@ in a rule will override the global default.</p> <tr><td><code>metadata</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta"><code>meta/v1.ListMeta</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#listmeta-v1-meta"><code>meta/v1.ListMeta</code></a> </td> <td> <span class="text-muted">No description provided.</span></td> diff --git a/content/en/docs/reference/config-api/apiserver-config.v1.md b/content/en/docs/reference/config-api/apiserver-config.v1.md index c133724ec7..6653a2d72a 100644 --- a/content/en/docs/reference/config-api/apiserver-config.v1.md +++ b/content/en/docs/reference/config-api/apiserver-config.v1.md @@ -11,6 +11,7 @@ auto_generated: true - [AdmissionConfiguration](#apiserver-config-k8s-io-v1-AdmissionConfiguration) +- [EncryptionConfiguration](#apiserver-config-k8s-io-v1-EncryptionConfiguration) ## `AdmissionConfiguration` {#apiserver-config-k8s-io-v1-AdmissionConfiguration} 
@@ -38,6 +39,96 @@ auto_generated: true </tbody> </table> +## `EncryptionConfiguration` {#apiserver-config-k8s-io-v1-EncryptionConfiguration} + + + +<p>EncryptionConfiguration stores the complete configuration for encryption providers. +It also allows the use of wildcards to specify the resources that should be encrypted. +Use '<em>.<!-- raw HTML omitted -->' to encrypt all resources within a group or '</em>.<em>' to encrypt all resources. +'</em>.' can be used to encrypt all resource in the core group. '<em>.</em>' will encrypt all +resources, even custom resources that are added after API server start. +Use of wildcards that overlap within the same resource list or across multiple +entries are not allowed since part of the configuration would be ineffective. +Resource lists are processed in order, with earlier lists taking precedence.</p> +<p>Example:</p> +<pre><code>kind: EncryptionConfiguration +apiVersion: apiserver.config.k8s.io/v1 +resources: +- resources: + - events + providers: + - identity: {} # do not encrypt events even though *.* is specified below +- resources: + - secrets + - configmaps + - pandas.awesome.bears.example + providers: + - aescbc: + keys: + - name: key1 + secret: c2VjcmV0IGlzIHNlY3VyZQ== +- resources: + - '*.apps' + providers: + - aescbc: + keys: + - name: key2 + secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg== +- resources: + - '*.*' + providers: + - aescbc: + keys: + - name: key3 + secret: c2VjcmV0IGlzIHNlY3VyZSwgSSB0aGluaw==</code></pre> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + +<tr><td><code>apiVersion</code><br/>string</td><td><code>apiserver.config.k8s.io/v1</code></td></tr> +<tr><td><code>kind</code><br/>string</td><td><code>EncryptionConfiguration</code></td></tr> + + +<tr><td><code>resources</code> <B>[Required]</B><br/> +<a href="#apiserver-config-k8s-io-v1-ResourceConfiguration"><code>[]ResourceConfiguration</code></a> +</td> +<td> + <p>resources is a list 
containing resources, and their corresponding encryption providers.</p> +</td> +</tr> +</tbody> +</table> + +## `AESConfiguration` {#apiserver-config-k8s-io-v1-AESConfiguration} + + +**Appears in:** + +- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration) + + +<p>AESConfiguration contains the API configuration for an AES transformer.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>keys</code> <B>[Required]</B><br/> +<a href="#apiserver-config-k8s-io-v1-Key"><code>[]Key</code></a> +</td> +<td> + <p>keys is a list of keys to be used for creating the AES transformer. +Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.</p> +</td> +</tr> +</tbody> +</table> + ## `AdmissionPluginConfiguration` {#apiserver-config-k8s-io-v1-AdmissionPluginConfiguration} 
@@ -80,4 +171,226 @@ configuration. If present, it will be used instead of the path to the configurat </tr> </tbody> </table> + +## `IdentityConfiguration` {#apiserver-config-k8s-io-v1-IdentityConfiguration} + + +**Appears in:** + +- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration) + + +<p>IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.</p> + + + + +## `KMSConfiguration` {#apiserver-config-k8s-io-v1-KMSConfiguration} + + +**Appears in:** + +- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration) + + +<p>KMSConfiguration contains the name, cache size and path to configuration file for a KMS based envelope transformer.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>apiVersion</code><br/> +<code>string</code> +</td> +<td> + <p>apiVersion of KeyManagementService</p> +</td> +</tr> +<tr><td><code>name</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>name is the name of the KMS plugin to be used.</p> +</td> +</tr> +<tr><td><code>cachesize</code><br/> +<code>int32</code> +</td> +<td> + <p>cachesize is the maximum number of secrets which are cached in memory. The default value is 1000. +Set to a negative value to disable caching. This field is only allowed for KMS v1 providers.</p> +</td> +</tr> +<tr><td><code>endpoint</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".</p> +</td> +</tr> +<tr><td><code>timeout</code><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p>timeout for gRPC calls to kms-plugin (ex. 5s). 
The default is 3 seconds.</p> +</td> +</tr> +</tbody> +</table> + +## `Key` {#apiserver-config-k8s-io-v1-Key} + + +**Appears in:** + +- [AESConfiguration](#apiserver-config-k8s-io-v1-AESConfiguration) + +- [SecretboxConfiguration](#apiserver-config-k8s-io-v1-SecretboxConfiguration) + + +<p>Key contains name and secret of the provided key for a transformer.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>name</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>name is the name of the key to be used while storing data to disk.</p> +</td> +</tr> +<tr><td><code>secret</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>secret is the actual key, encoded in base64.</p> +</td> +</tr> +</tbody> +</table> + +## `ProviderConfiguration` {#apiserver-config-k8s-io-v1-ProviderConfiguration} + + +**Appears in:** + +- [ResourceConfiguration](#apiserver-config-k8s-io-v1-ResourceConfiguration) + + +<p>ProviderConfiguration stores the provided configuration for an encryption provider.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>aesgcm</code> <B>[Required]</B><br/> +<a href="#apiserver-config-k8s-io-v1-AESConfiguration"><code>AESConfiguration</code></a> +</td> +<td> + <p>aesgcm is the configuration for the AES-GCM transformer.</p> +</td> +</tr> +<tr><td><code>aescbc</code> <B>[Required]</B><br/> +<a href="#apiserver-config-k8s-io-v1-AESConfiguration"><code>AESConfiguration</code></a> +</td> +<td> + <p>aescbc is the configuration for the AES-CBC transformer.</p> +</td> +</tr> +<tr><td><code>secretbox</code> <B>[Required]</B><br/> +<a href="#apiserver-config-k8s-io-v1-SecretboxConfiguration"><code>SecretboxConfiguration</code></a> +</td> +<td> + <p>secretbox is the configuration for the Secretbox based transformer.</p> +</td> +</tr> +<tr><td><code>identity</code> <B>[Required]</B><br/> 
+<a href="#apiserver-config-k8s-io-v1-IdentityConfiguration"><code>IdentityConfiguration</code></a> +</td> +<td> + <p>identity is the (empty) configuration for the identity transformer.</p> +</td> +</tr> +<tr><td><code>kms</code> <B>[Required]</B><br/> +<a href="#apiserver-config-k8s-io-v1-KMSConfiguration"><code>KMSConfiguration</code></a> +</td> +<td> + <p>kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.</p> +</td> +</tr> +</tbody> +</table> + +## `ResourceConfiguration` {#apiserver-config-k8s-io-v1-ResourceConfiguration} + + +**Appears in:** + +- [EncryptionConfiguration](#apiserver-config-k8s-io-v1-EncryptionConfiguration) + + +<p>ResourceConfiguration stores per resource configuration.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>resources</code> <B>[Required]</B><br/> +<code>[]string</code> +</td> +<td> + <p>resources is a list of kubernetes resources which have to be encrypted. The resource names are derived from <code>resource</code> or <code>resource.group</code> of the group/version/resource. +eg: pandas.awesome.bears.example is a custom resource with 'group': awesome.bears.example, 'resource': pandas. +Use '<em>.</em>' to encrypt all resources and '<em>.<!-- raw HTML omitted -->' to encrypt all resources in a specific group. +eg: '</em>.awesome.bears.example' will encrypt all resources in the group 'awesome.bears.example'. +eg: '*.' will encrypt all resources in the core group (such as pods, configmaps, etc).</p> +</td> +</tr> +<tr><td><code>providers</code> <B>[Required]</B><br/> +<a href="#apiserver-config-k8s-io-v1-ProviderConfiguration"><code>[]ProviderConfiguration</code></a> +</td> +<td> + <p>providers is a list of transformers to be used for reading and writing the resources to disk. 
+eg: aesgcm, aescbc, secretbox, identity, kms.</p> +</td> +</tr> +</tbody> +</table> + +## `SecretboxConfiguration` {#apiserver-config-k8s-io-v1-SecretboxConfiguration} + + +**Appears in:** + +- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration) + + +<p>SecretboxConfiguration contains the API configuration for an Secretbox transformer.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>keys</code> <B>[Required]</B><br/> +<a href="#apiserver-config-k8s-io-v1-Key"><code>[]Key</code></a> +</td> +<td> + <p>keys is a list of keys to be used for creating the Secretbox transformer. +Each key has to be 32 bytes long.</p> +</td> +</tr> +</tbody> +</table> \ No newline at end of file diff --git a/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md b/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md index 4207670760..11986c4099 100644 --- a/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md +++ b/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md @@ -114,6 +114,13 @@ The specific position of JWT authenticators in relation to other authenticators is neither defined nor stable across releases. Since each JWT authenticator must have a unique issuer URL, at most one JWT authenticator will attempt to cryptographically validate the token.</p> +<p>The minimum valid JWT payload must contain the following claims: +{ +"iss": "https://issuer.example.com", +"aud": ["audience"], +"exp": 1234567890, +"<!-- raw HTML omitted -->": "username" +}</p> </td> </tr> </tbody> 
@@ -238,6 +245,20 @@ configuration. If present, it will be used instead of the path to the configurat </tbody> </table> +## `AudienceMatchPolicyType` {#apiserver-k8s-io-v1alpha1-AudienceMatchPolicyType} + +(Alias of `string`) + +**Appears in:** + +- [Issuer](#apiserver-k8s-io-v1alpha1-Issuer) + + +<p>AudienceMatchPolicyType is a set of valid values for issuer.audienceMatchPolicy</p> + + + + ## `AuthorizerConfiguration` {#apiserver-k8s-io-v1alpha1-AuthorizerConfiguration} @@ -308,7 +329,11 @@ Must not be defined when Type!=Webhook</p> <p>username represents an option for the username attribute. The claim's value must be a singular string. Same as the --oidc-username-claim and --oidc-username-prefix flags. -If username.expression is set, the expression must produce a string value.</p> +If username.expression is set, the expression must produce a string value. +If username.expression uses 'claims.email', then 'claims.email_verified' must be used in +username.expression or extra[<em>].valueExpression or claimValidationRules[</em>].expression. +An example claim validation rule expression that matches the validation automatically +applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'.</p> <p>In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set, the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly. For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config. 
@@ -406,7 +431,7 @@ Mutually exclusive with expression.</p> <ul> <li>'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. -Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.</li> +Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.</li> </ul> <p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> <p>Mutually exclusive with claim.</p> @@ -462,7 +487,7 @@ Must produce a boolean.</p> <ul> <li>'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. -Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'. +Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Must return true for the validation to pass.</li> </ul> <p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> @@ -574,7 +599,8 @@ The "master" egress selector is deprecated in favor of "controlpl key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid subdomain as defined by RFC 1123. All characters trailing the first "/" must be valid HTTP Path characters as defined by RFC 3986. -key must be lowercase.</p> +key must be lowercase. +Required to be unique.</p> </td> </tr> <tr><td><code>valueExpression</code> <B>[Required]</B><br/> @@ -589,7 +615,7 @@ Empty string values contained within a string array are filtered out.</p> <ul> <li>'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. -Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.</li> +Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.</li> </ul> <p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> </td> 
@@ -605,7 +631,7 @@ Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.< - [JWTAuthenticator](#apiserver-k8s-io-v1alpha1-JWTAuthenticator) -<p>Issuer provides the configuration for a external provider specific settings.</p> +<p>Issuer provides the configuration for an external provider's specific settings.</p> <table class="table"> 
@@ -620,8 +646,35 @@ Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.< <p>url points to the issuer URL in a format https://url or https://url/path. This must match the "iss" claim in the presented JWT, and the issuer returned from discovery. Same value as the --oidc-issuer-url flag. -Used to fetch discovery information unless overridden by discoveryURL. -Required to be unique. +Discovery information is fetched from "{url}/.well-known/openid-configuration" unless overridden by discoveryURL. +Required to be unique across all JWT authenticators. +Note that egress selection configuration is not used for this network connection.</p> +</td> +</tr> +<tr><td><code>discoveryURL</code><br/> +<code>string</code> +</td> +<td> + <p>discoveryURL, if specified, overrides the URL used to fetch discovery +information instead of using "{url}/.well-known/openid-configuration". +The exact value specified is used, so "/.well-known/openid-configuration" +must be included in discoveryURL if needed.</p> +<p>The "issuer" field in the fetched discovery information must match the "issuer.url" field +in the AuthenticationConfiguration and will be used to validate the "iss" claim in the presented JWT. +This is for scenarios where the well-known and jwks endpoints are hosted at a different +location than the issuer (such as locally in the cluster).</p> +<p>Example: +A discovery url that is exposed using kubernetes service 'oidc' in namespace 'oidc-namespace' +and discovery information is available at '/.well-known/openid-configuration'. +discoveryURL: "https://oidc.oidc-namespace/.well-known/openid-configuration" +certificateAuthority is used to verify the TLS connection and the hostname on the leaf certificate +must be set to 'oidc.oidc-namespace'.</p> +<p>curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field) +{ +issuer: "https://oidc.example.com" (.url field) +}</p> +<p>discoveryURL must be different from url. 
+Required to be unique across all JWT authenticators. Note that egress selection configuration is not used for this network connection.</p> </td> </tr> @@ -645,6 +698,29 @@ Same value as the --oidc-client-id flag (though this field supports an array). Required to be non-empty.</p> </td> </tr> +<tr><td><code>audienceMatchPolicy</code><br/> +<a href="#apiserver-k8s-io-v1alpha1-AudienceMatchPolicyType"><code>AudienceMatchPolicyType</code></a> +</td> +<td> + <p>audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT. +Allowed values are:</p> +<ol> +<li>"MatchAny" when multiple audiences are specified and</li> +<li>empty (or unset) or "MatchAny" when a single audience is specified.</li> +</ol> +<ul> +<li> +<p>MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field. +For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both).</p> +</li> +<li> +<p>"": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others).</p> +</li> +</ul> +<p>For more nuanced audience validation, use claimValidationRules. +example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match.</p> +</td> +</tr> </tbody> </table> @@ -740,7 +816,7 @@ Mutually exclusive with expression.</p> <ul> <li>'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. -Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.</li> +Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.</li> </ul> <p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> <p>Mutually exclusive with claim and prefix.</p> 
diff --git a/content/en/docs/reference/config-api/apiserver-config.v1beta1.md b/content/en/docs/reference/config-api/apiserver-config.v1beta1.md index 06dfaab722..2709684462 100644 --- a/content/en/docs/reference/config-api/apiserver-config.v1beta1.md +++ b/content/en/docs/reference/config-api/apiserver-config.v1beta1.md @@ -10,6 +10,8 @@ auto_generated: true ## Resource Types +- [AuthenticationConfiguration](#apiserver-k8s-io-v1beta1-AuthenticationConfiguration) +- [AuthorizationConfiguration](#apiserver-k8s-io-v1beta1-AuthorizationConfiguration) - [EgressSelectorConfiguration](#apiserver-k8s-io-v1beta1-EgressSelectorConfiguration) - [TracingConfiguration](#apiserver-k8s-io-v1beta1-TracingConfiguration) 
@@ -58,6 +60,74 @@ rate, but otherwise never samples.</p> </table> +## `AuthenticationConfiguration` {#apiserver-k8s-io-v1beta1-AuthenticationConfiguration} + + + +<p>AuthenticationConfiguration provides versioned configuration for authentication.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + +<tr><td><code>apiVersion</code><br/>string</td><td><code>apiserver.k8s.io/v1beta1</code></td></tr> +<tr><td><code>kind</code><br/>string</td><td><code>AuthenticationConfiguration</code></td></tr> + + +<tr><td><code>jwt</code> <B>[Required]</B><br/> +<a href="#apiserver-k8s-io-v1beta1-JWTAuthenticator"><code>[]JWTAuthenticator</code></a> +</td> +<td> + <p>jwt is a list of authenticator to authenticate Kubernetes users using +JWT compliant tokens. The authenticator will attempt to parse a raw ID token, +verify it's been signed by the configured issuer. The public key to verify the +signature is discovered from the issuer's public endpoint using OIDC discovery. +For an incoming token, each JWT authenticator will be attempted in +the order in which it is specified in this list. Note however that +other authenticators may run before or after the JWT authenticators. +The specific position of JWT authenticators in relation to other +authenticators is neither defined nor stable across releases. 
Since +each JWT authenticator must have a unique issuer URL, at most one +JWT authenticator will attempt to cryptographically validate the token.</p> +<p>The minimum valid JWT payload must contain the following claims: +{ +"iss": "https://issuer.example.com", +"aud": ["audience"], +"exp": 1234567890, +"<!-- raw HTML omitted -->": "username" +}</p> +</td> +</tr> +</tbody> +</table> + +## `AuthorizationConfiguration` {#apiserver-k8s-io-v1beta1-AuthorizationConfiguration} + + + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + +<tr><td><code>apiVersion</code><br/>string</td><td><code>apiserver.k8s.io/v1beta1</code></td></tr> +<tr><td><code>kind</code><br/>string</td><td><code>AuthorizationConfiguration</code></td></tr> + + +<tr><td><code>authorizers</code> <B>[Required]</B><br/> +<a href="#apiserver-k8s-io-v1beta1-AuthorizerConfiguration"><code>[]AuthorizerConfiguration</code></a> +</td> +<td> + <p>Authorizers is an ordered list of authorizers to +authorize requests against. +This is similar to the --authorization-modes kube-apiserver flag +Must be at least one.</p> +</td> +</tr> +</tbody> +</table> + ## `EgressSelectorConfiguration` {#apiserver-k8s-io-v1beta1-EgressSelectorConfiguration} 
@@ -108,6 +178,267 @@ rate, but otherwise never samples.</p> </tbody> </table> +## `AudienceMatchPolicyType` {#apiserver-k8s-io-v1beta1-AudienceMatchPolicyType} + +(Alias of `string`) + +**Appears in:** + +- [Issuer](#apiserver-k8s-io-v1beta1-Issuer) + + +<p>AudienceMatchPolicyType is a set of valid values for issuer.audienceMatchPolicy</p> + + + + +## `AuthorizerConfiguration` {#apiserver-k8s-io-v1beta1-AuthorizerConfiguration} + + +**Appears in:** + +- [AuthorizationConfiguration](#apiserver-k8s-io-v1beta1-AuthorizationConfiguration) + + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>type</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>Type refers to the type of the authorizer +"Webhook" is supported in the generic API server +Other API servers may support additional authorizer +types like Node, RBAC, ABAC, etc.</p> +</td> +</tr> +<tr><td><code>name</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>Name used to describe the webhook +This is explicitly used in monitoring machinery for metrics +Note: Names must be DNS1123 labels like <code>myauthorizername</code> or +subdomains like <code>myauthorizer.example.domain</code> +Required, with no default</p> +</td> +</tr> +<tr><td><code>webhook</code> <B>[Required]</B><br/> +<a href="#apiserver-k8s-io-v1beta1-WebhookConfiguration"><code>WebhookConfiguration</code></a> +</td> +<td> + <p>Webhook defines the configuration for a Webhook authorizer +Must be defined when Type=Webhook +Must not be defined when Type!=Webhook</p> +</td> +</tr> +</tbody> +</table> + +## `ClaimMappings` {#apiserver-k8s-io-v1beta1-ClaimMappings} + + +**Appears in:** + +- [JWTAuthenticator](#apiserver-k8s-io-v1beta1-JWTAuthenticator) + + +<p>ClaimMappings provides the configuration for claim mapping</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + 
+<tr><td><code>username</code> <B>[Required]</B><br/> +<a href="#apiserver-k8s-io-v1beta1-PrefixedClaimOrExpression"><code>PrefixedClaimOrExpression</code></a> +</td> +<td> + <p>username represents an option for the username attribute. +The claim's value must be a singular string. +Same as the --oidc-username-claim and --oidc-username-prefix flags. +If username.expression is set, the expression must produce a string value. +If username.expression uses 'claims.email', then 'claims.email_verified' must be used in +username.expression or extra[<em>].valueExpression or claimValidationRules[</em>].expression. +An example claim validation rule expression that matches the validation automatically +applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'.</p> +<p>In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set, +the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly. +For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config. +For prefix: +(1) --oidc-username-prefix="-", no prefix was added to the username. For the same behavior using authentication config, +set username.prefix="" +(2) --oidc-username-prefix="" and --oidc-username-claim != "email", prefix was "<value of --oidc-issuer-url>#". For the same +behavior using authentication config, set username.prefix="<!-- raw HTML omitted -->#" +(3) --oidc-username-prefix="<!-- raw HTML omitted -->". For the same behavior using authentication config, set username.prefix="<!-- raw HTML omitted -->"</p> +</td> +</tr> +<tr><td><code>groups</code><br/> +<a href="#apiserver-k8s-io-v1beta1-PrefixedClaimOrExpression"><code>PrefixedClaimOrExpression</code></a> +</td> +<td> + <p>groups represents an option for the groups attribute. 
+The claim's value must be a string or string array claim. +If groups.claim is set, the prefix must be specified (and can be the empty string). +If groups.expression is set, the expression must produce a string or string array value. +"", [], and null values are treated as the group mapping not being present.</p> +</td> +</tr> +<tr><td><code>uid</code><br/> +<a href="#apiserver-k8s-io-v1beta1-ClaimOrExpression"><code>ClaimOrExpression</code></a> +</td> +<td> + <p>uid represents an option for the uid attribute. +Claim must be a singular string claim. +If uid.expression is set, the expression must produce a string value.</p> +</td> +</tr> +<tr><td><code>extra</code><br/> +<a href="#apiserver-k8s-io-v1beta1-ExtraMapping"><code>[]ExtraMapping</code></a> +</td> +<td> + <p>extra represents an option for the extra attribute. +expression must produce a string or string array value. +If the value is empty, the extra mapping will not be present.</p> +<p>hard-coded extra key/value</p> +<ul> +<li>key: "foo" +valueExpression: "'bar'" +This will result in an extra attribute - foo: ["bar"]</li> +</ul> +<p>hard-coded key, value copying claim value</p> +<ul> +<li>key: "foo" +valueExpression: "claims.some_claim" +This will result in an extra attribute - foo: [value of some_claim]</li> +</ul> +<p>hard-coded key, value derived from claim value</p> +<ul> +<li>key: "admin" +valueExpression: '(has(claims.is_admin) && claims.is_admin) ? 
"true":""' +This will result in:</li> +<li>if is_admin claim is present and true, extra attribute - admin: ["true"]</li> +<li>if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added</li> +</ul> +</td> +</tr> +</tbody> +</table> + +## `ClaimOrExpression` {#apiserver-k8s-io-v1beta1-ClaimOrExpression} + + +**Appears in:** + +- [ClaimMappings](#apiserver-k8s-io-v1beta1-ClaimMappings) + + +<p>ClaimOrExpression provides the configuration for a single claim or expression.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>claim</code><br/> +<code>string</code> +</td> +<td> + <p>claim is the JWT claim to use. +Either claim or expression must be set. +Mutually exclusive with expression.</p> +</td> +</tr> +<tr><td><code>expression</code><br/> +<code>string</code> +</td> +<td> + <p>expression represents the expression which will be evaluated by CEL.</p> +<p>CEL expressions have access to the contents of the token claims, organized into CEL variable:</p> +<ul> +<li>'claims' is a map of claim names to claim values. +For example, a variable named 'sub' can be accessed as 'claims.sub'. +Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.</li> +</ul> +<p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> +<p>Mutually exclusive with claim.</p> +</td> +</tr> +</tbody> +</table> + +## `ClaimValidationRule` {#apiserver-k8s-io-v1beta1-ClaimValidationRule} + + +**Appears in:** + +- [JWTAuthenticator](#apiserver-k8s-io-v1beta1-JWTAuthenticator) + + +<p>ClaimValidationRule provides the configuration for a single claim validation rule.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>claim</code><br/> +<code>string</code> +</td> +<td> + <p>claim is the name of a required claim. +Same as --oidc-required-claim flag. 
+Only string claim keys are supported. +Mutually exclusive with expression and message.</p> +</td> +</tr> +<tr><td><code>requiredValue</code><br/> +<code>string</code> +</td> +<td> + <p>requiredValue is the value of a required claim. +Same as --oidc-required-claim flag. +Only string claim values are supported. +If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string. +Mutually exclusive with expression and message.</p> +</td> +</tr> +<tr><td><code>expression</code><br/> +<code>string</code> +</td> +<td> + <p>expression represents the expression which will be evaluated by CEL. +Must produce a boolean.</p> +<p>CEL expressions have access to the contents of the token claims, organized into CEL variable:</p> +<ul> +<li>'claims' is a map of claim names to claim values. +For example, a variable named 'sub' can be accessed as 'claims.sub'. +Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. +Must return true for the validation to pass.</li> +</ul> +<p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> +<p>Mutually exclusive with claim and requiredValue.</p> +</td> +</tr> +<tr><td><code>message</code><br/> +<code>string</code> +</td> +<td> + <p>message customizes the returned error message when expression returns false. +message is a literal string. +Mutually exclusive with claim and requiredValue.</p> +</td> +</tr> +</tbody> +</table> + ## `Connection` {#apiserver-k8s-io-v1beta1-Connection} 
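Review bot: the rendered `username` description in the ClaimMappings table tells readers to set `username.prefix="<!-- raw HTML omitted -->#"` in cases (2) and (3), because the generator dropped `<value of --oidc-issuer-url>` from the Go doc comment as raw HTML; in the same cell, `extra[*].valueExpression or claimValidationRules[*].expression` has come out as `extra[<em>].valueExpression or claimValidationRules[</em>].expression` because the pair of asterisks was read as emphasis. Both need fixing in the source comment (escape the angle brackets and asterisks, or write "the issuer URL" in words) and the page regenerated; as published, an operator who follows case (2) literally ends up with a prefix that does not namespace usernames by issuer, which is the clash protection the prefix exists to provide. While here, the `groups` cell says the prefix "must be specified (and can be the empty string)" but never says what an empty prefix permits; a one-line pointer to userValidationRules as the place to reject `system:`-prefixed identities asserted by the IdP would save readers from an easy mistake.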
@@ -177,6 +508,256 @@ The "master" egress selector is deprecated in favor of "controlpl </tbody> </table> +## `ExtraMapping` {#apiserver-k8s-io-v1beta1-ExtraMapping} + + +**Appears in:** + +- [ClaimMappings](#apiserver-k8s-io-v1beta1-ClaimMappings) + + +<p>ExtraMapping provides the configuration for a single extra mapping.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>key</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>key is a string to use as the extra attribute key. +key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid +subdomain as defined by RFC 1123. All characters trailing the first "/" must +be valid HTTP Path characters as defined by RFC 3986. +key must be lowercase. +Required to be unique.</p> +</td> +</tr> +<tr><td><code>valueExpression</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>valueExpression is a CEL expression to extract extra attribute value. +valueExpression must produce a string or string array value. +"", [], and null values are treated as the extra mapping not being present. +Empty string values contained within a string array are filtered out.</p> +<p>CEL expressions have access to the contents of the token claims, organized into CEL variable:</p> +<ul> +<li>'claims' is a map of claim names to claim values. +For example, a variable named 'sub' can be accessed as 'claims.sub'. +Nested claims can be accessed using dot notation, e.g. 
'claims.foo.bar'.</li> +</ul> +<p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> +</td> +</tr> +</tbody> +</table> + +## `Issuer` {#apiserver-k8s-io-v1beta1-Issuer} + + +**Appears in:** + +- [JWTAuthenticator](#apiserver-k8s-io-v1beta1-JWTAuthenticator) + + +<p>Issuer provides the configuration for an external provider's specific settings.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>url</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>url points to the issuer URL in a format https://url or https://url/path. +This must match the "iss" claim in the presented JWT, and the issuer returned from discovery. +Same value as the --oidc-issuer-url flag. +Discovery information is fetched from "{url}/.well-known/openid-configuration" unless overridden by discoveryURL. +Required to be unique across all JWT authenticators. +Note that egress selection configuration is not used for this network connection.</p> +</td> +</tr> +<tr><td><code>discoveryURL</code><br/> +<code>string</code> +</td> +<td> + <p>discoveryURL, if specified, overrides the URL used to fetch discovery +information instead of using "{url}/.well-known/openid-configuration". +The exact value specified is used, so "/.well-known/openid-configuration" +must be included in discoveryURL if needed.</p> +<p>The "issuer" field in the fetched discovery information must match the "issuer.url" field +in the AuthenticationConfiguration and will be used to validate the "iss" claim in the presented JWT. +This is for scenarios where the well-known and jwks endpoints are hosted at a different +location than the issuer (such as locally in the cluster).</p> +<p>Example: +A discovery url that is exposed using kubernetes service 'oidc' in namespace 'oidc-namespace' +and discovery information is available at '/.well-known/openid-configuration'. 
+discoveryURL: "https://oidc.oidc-namespace/.well-known/openid-configuration" +certificateAuthority is used to verify the TLS connection and the hostname on the leaf certificate +must be set to 'oidc.oidc-namespace'.</p> +<p>curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field) +{ +issuer: "https://oidc.example.com" (.url field) +}</p> +<p>discoveryURL must be different from url. +Required to be unique across all JWT authenticators. +Note that egress selection configuration is not used for this network connection.</p> +</td> +</tr> +<tr><td><code>certificateAuthority</code><br/> +<code>string</code> +</td> +<td> + <p>certificateAuthority contains PEM-encoded certificate authority certificates +used to validate the connection when fetching discovery information. +If unset, the system verifier is used. +Same value as the content of the file referenced by the --oidc-ca-file flag.</p> +</td> +</tr> +<tr><td><code>audiences</code> <B>[Required]</B><br/> +<code>[]string</code> +</td> +<td> + <p>audiences is the set of acceptable audiences the JWT must be issued to. +At least one of the entries must match the "aud" claim in presented JWTs. +Same value as the --oidc-client-id flag (though this field supports an array). +Required to be non-empty.</p> +</td> +</tr> +<tr><td><code>audienceMatchPolicy</code><br/> +<a href="#apiserver-k8s-io-v1beta1-AudienceMatchPolicyType"><code>AudienceMatchPolicyType</code></a> +</td> +<td> + <p>audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT. +Allowed values are:</p> +<ol> +<li>"MatchAny" when multiple audiences are specified and</li> +<li>empty (or unset) or "MatchAny" when a single audience is specified.</li> +</ol> +<ul> +<li> +<p>MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field. 
+For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both).</p> +</li> +<li> +<p>"": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others).</p> +</li> +</ul> +<p>For more nuanced audience validation, use claimValidationRules. +example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match.</p> +</td> +</tr> +</tbody> +</table> + +## `JWTAuthenticator` {#apiserver-k8s-io-v1beta1-JWTAuthenticator} + + +**Appears in:** + +- [AuthenticationConfiguration](#apiserver-k8s-io-v1beta1-AuthenticationConfiguration) + + +<p>JWTAuthenticator provides the configuration for a single JWT authenticator.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>issuer</code> <B>[Required]</B><br/> +<a href="#apiserver-k8s-io-v1beta1-Issuer"><code>Issuer</code></a> +</td> +<td> + <p>issuer contains the basic OIDC provider connection options.</p> +</td> +</tr> +<tr><td><code>claimValidationRules</code><br/> +<a href="#apiserver-k8s-io-v1beta1-ClaimValidationRule"><code>[]ClaimValidationRule</code></a> +</td> +<td> + <p>claimValidationRules are rules that are applied to validate token claims to authenticate users.</p> +</td> +</tr> +<tr><td><code>claimMappings</code> <B>[Required]</B><br/> +<a href="#apiserver-k8s-io-v1beta1-ClaimMappings"><code>ClaimMappings</code></a> +</td> +<td> + <p>claimMappings points claims of a token to be treated as user attributes.</p> +</td> +</tr> +<tr><td><code>userValidationRules</code><br/> +<a href="#apiserver-k8s-io-v1beta1-UserValidationRule"><code>[]UserValidationRule</code></a> +</td> +<td> + <p>userValidationRules are rules that are applied to final user before completing authentication. 
+These allow invariants to be applied to incoming identities such as preventing the +use of the system: prefix that is commonly used by Kubernetes components. +The validation rules are logically ANDed together and must all return true for the validation to pass.</p> +</td> +</tr> +</tbody> +</table> + +## `PrefixedClaimOrExpression` {#apiserver-k8s-io-v1beta1-PrefixedClaimOrExpression} + + +**Appears in:** + +- [ClaimMappings](#apiserver-k8s-io-v1beta1-ClaimMappings) + + +<p>PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>claim</code><br/> +<code>string</code> +</td> +<td> + <p>claim is the JWT claim to use. +Mutually exclusive with expression.</p> +</td> +</tr> +<tr><td><code>prefix</code><br/> +<code>string</code> +</td> +<td> + <p>prefix is prepended to claim's value to prevent clashes with existing names. +prefix needs to be set if claim is set and can be the empty string. +Mutually exclusive with expression.</p> +</td> +</tr> +<tr><td><code>expression</code><br/> +<code>string</code> +</td> +<td> + <p>expression represents the expression which will be evaluated by CEL.</p> +<p>CEL expressions have access to the contents of the token claims, organized into CEL variable:</p> +<ul> +<li>'claims' is a map of claim names to claim values. +For example, a variable named 'sub' can be accessed as 'claims.sub'. +Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.</li> +</ul> +<p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> +<p>Mutually exclusive with claim and prefix.</p> +</td> +</tr> +</tbody> +</table> + ## `ProtocolType` {#apiserver-k8s-io-v1beta1-ProtocolType} (Alias of `string`) 
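Review bot: the worked discoveryURL example in the `Issuer` table is emitted as running paragraph text (`curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field) { issuer: "https://oidc.example.com" (.url field) }`), so the line structure that makes the point, the discovery document's `issuer` having to equal `.url` rather than the host the document was fetched from, is lost and the fragment is not valid JSON; other generated pages in this tree use a `<pre><code>` block for examples, and the source comment should be indented so this one renders the same way. The `certificateAuthority` cell ("If unset, the system verifier is used") would also benefit from stating that the in-cluster example above only works with a CA bundle set, since the system trust store will not contain the CA of a cluster-internal `oidc.oidc-namespace` certificate; the example already says the CA "is used to verify the TLS connection", so the two cells should be cross-referenced rather than left to be joined by the reader.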
@@ -334,4 +915,224 @@ This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server </tr> </tbody> </table> + +## `UserValidationRule` {#apiserver-k8s-io-v1beta1-UserValidationRule} + + +**Appears in:** + +- [JWTAuthenticator](#apiserver-k8s-io-v1beta1-JWTAuthenticator) + + +<p>UserValidationRule provides the configuration for a single user info validation rule.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>expression</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>expression represents the expression which will be evaluated by CEL. +Must return true for the validation to pass.</p> +<p>CEL expressions have access to the contents of UserInfo, organized into CEL variable:</p> +<ul> +<li>'user' - authentication.k8s.io/v1, Kind=UserInfo object +Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition. +API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io</li> +</ul> +<p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> +</td> +</tr> +<tr><td><code>message</code><br/> +<code>string</code> +</td> +<td> + <p>message customizes the returned error message when rule returns false. +message is a literal string.</p> +</td> +</tr> +</tbody> +</table> + +## `WebhookConfiguration` {#apiserver-k8s-io-v1beta1-WebhookConfiguration} + + +**Appears in:** + +- [AuthorizerConfiguration](#apiserver-k8s-io-v1beta1-AuthorizerConfiguration) + + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>authorizedTTL</code> <B>[Required]</B><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p>The duration to cache 'authorized' responses from the webhook +authorizer. 
+Same as setting <code>--authorization-webhook-cache-authorized-ttl</code> flag +Default: 5m0s</p> +</td> +</tr> +<tr><td><code>unauthorizedTTL</code> <B>[Required]</B><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p>The duration to cache 'unauthorized' responses from the webhook +authorizer. +Same as setting <code>--authorization-webhook-cache-unauthorized-ttl</code> flag +Default: 30s</p> +</td> +</tr> +<tr><td><code>timeout</code> <B>[Required]</B><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p>Timeout for the webhook request +Maximum allowed value is 30s. +Required, no default value.</p> +</td> +</tr> +<tr><td><code>subjectAccessReviewVersion</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>The API version of the authorization.k8s.io SubjectAccessReview to +send to and expect from the webhook. +Same as setting <code>--authorization-webhook-version</code> flag +Valid values: v1beta1, v1 +Required, no default value</p> +</td> +</tr> +<tr><td><code>matchConditionSubjectAccessReviewVersion</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>MatchConditionSubjectAccessReviewVersion specifies the SubjectAccessReview +version the CEL expressions are evaluated against +Valid values: v1 +Required, no default value</p> +</td> +</tr> +<tr><td><code>failurePolicy</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>Controls the authorization decision when a webhook request fails to +complete or returns a malformed response or errors evaluating +matchConditions. 
+Valid values:</p> +<ul> +<li>NoOpinion: continue to subsequent authorizers to see if one of +them allows the request</li> +<li>Deny: reject the request without consulting subsequent authorizers +Required, with no default.</li> +</ul> +</td> +</tr> +<tr><td><code>connectionInfo</code> <B>[Required]</B><br/> +<a href="#apiserver-k8s-io-v1beta1-WebhookConnectionInfo"><code>WebhookConnectionInfo</code></a> +</td> +<td> + <p>ConnectionInfo defines how we talk to the webhook</p> +</td> +</tr> +<tr><td><code>matchConditions</code> <B>[Required]</B><br/> +<a href="#apiserver-k8s-io-v1beta1-WebhookMatchCondition"><code>[]WebhookMatchCondition</code></a> +</td> +<td> + <p>matchConditions is a list of conditions that must be met for a request to be sent to this +webhook. An empty list of matchConditions matches all requests. +There are a maximum of 64 match conditions allowed.</p> +<p>The exact matching logic is (in order):</p> +<ol> +<li>If at least one matchCondition evaluates to FALSE, then the webhook is skipped.</li> +<li>If ALL matchConditions evaluate to TRUE, then the webhook is called.</li> +<li>If at least one matchCondition evaluates to an error (but none are FALSE): +<ul> +<li>If failurePolicy=Deny, then the webhook rejects the request</li> +<li>If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped</li> +</ul> +</li> +</ol> +</td> +</tr> +</tbody> +</table> + +## `WebhookConnectionInfo` {#apiserver-k8s-io-v1beta1-WebhookConnectionInfo} + + +**Appears in:** + +- [WebhookConfiguration](#apiserver-k8s-io-v1beta1-WebhookConfiguration) + + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>type</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>Controls how the webhook should communicate with the server. 
+Valid values:</p> +<ul> +<li>KubeConfigFile: use the file specified in kubeConfigFile to locate the +server.</li> +<li>InClusterConfig: use the in-cluster configuration to call the +SubjectAccessReview API hosted by kube-apiserver. This mode is not +allowed for kube-apiserver.</li> +</ul> +</td> +</tr> +<tr><td><code>kubeConfigFile</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>Path to KubeConfigFile for connection info +Required, if connectionInfo.Type is KubeConfig</p> +</td> +</tr> +</tbody> +</table> + +## `WebhookMatchCondition` {#apiserver-k8s-io-v1beta1-WebhookMatchCondition} + + +**Appears in:** + +- [WebhookConfiguration](#apiserver-k8s-io-v1beta1-WebhookConfiguration) + + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>expression</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p>expression represents the expression which will be evaluated by CEL. Must evaluate to bool. +CEL expressions have access to the contents of the SubjectAccessReview in v1 version. +If version specified by subjectAccessReviewVersion in the request variable is v1beta1, +the contents would be converted to the v1 version before evaluating the CEL expression.</p> +<p>Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/</p> +</td> +</tr> +</tbody> +</table> \ No newline at end of file diff --git a/content/en/docs/reference/config-api/apiserver-encryption.v1.md b/content/en/docs/reference/config-api/apiserver-encryption.v1.md deleted file mode 100644 index 30d42277e6..0000000000 --- a/content/en/docs/reference/config-api/apiserver-encryption.v1.md +++ /dev/null 
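Review bot: the `UserValidationRule.expression` cell links to `release-1.28` on GitHub and to `kubernetes-api/v1.28` while every other generated link in this PR is being bumped from v1.29 to v1.30, so these two URLs in the Go doc comment should be updated (or turned into version-agnostic links) before regeneration. Two smaller inconsistencies in the webhook tables: `kubeConfigFile` says "Required, if connectionInfo.Type is KubeConfig" but the only value listed for `type` is `KubeConfigFile`, and in `failurePolicy` the sentence "Required, with no default." has been absorbed into the `Deny` bullet instead of standing on its own. Since `failurePolicy` is the field that decides whether a webhook outage fails open (`NoOpinion`, fall through to later authorizers) or closed (`Deny`), its own sentence should not read as part of the `Deny` description.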
@@ -1,327 +0,0 @@ ---- -title: kube-apiserver Encryption Configuration (v1) -content_type: tool-reference -package: apiserver.config.k8s.io/v1 -auto_generated: true ---- -<p>Package v1 is the v1 version of the API.</p> - - -## Resource Types - - -- [EncryptionConfiguration](#apiserver-config-k8s-io-v1-EncryptionConfiguration) - - -## `EncryptionConfiguration` {#apiserver-config-k8s-io-v1-EncryptionConfiguration} - - - -<p>EncryptionConfiguration stores the complete configuration for encryption providers. -It also allows the use of wildcards to specify the resources that should be encrypted. -Use '<em>.<!-- raw HTML omitted -->' to encrypt all resources within a group or '</em>.<em>' to encrypt all resources. -'</em>.' can be used to encrypt all resource in the core group. '<em>.</em>' will encrypt all -resources, even custom resources that are added after API server start. -Use of wildcards that overlap within the same resource list or across multiple -entries are not allowed since part of the configuration would be ineffective. 
-Resource lists are processed in order, with earlier lists taking precedence.</p> -<p>Example:</p> -<pre><code>kind: EncryptionConfiguration -apiVersion: apiserver.config.k8s.io/v1 -resources: -- resources: - - events - providers: - - identity: {} # do not encrypt events even though *.* is specified below -- resources: - - secrets - - configmaps - - pandas.awesome.bears.example - providers: - - aescbc: - keys: - - name: key1 - secret: c2VjcmV0IGlzIHNlY3VyZQ== -- resources: - - '*.apps' - providers: - - aescbc: - keys: - - name: key2 - secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg== -- resources: - - '*.*' - providers: - - aescbc: - keys: - - name: key3 - secret: c2VjcmV0IGlzIHNlY3VyZSwgSSB0aGluaw==</code></pre> - - -<table class="table"> -<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> -<tbody> - -<tr><td><code>apiVersion</code><br/>string</td><td><code>apiserver.config.k8s.io/v1</code></td></tr> -<tr><td><code>kind</code><br/>string</td><td><code>EncryptionConfiguration</code></td></tr> - - -<tr><td><code>resources</code> <B>[Required]</B><br/> -<a href="#apiserver-config-k8s-io-v1-ResourceConfiguration"><code>[]ResourceConfiguration</code></a> -</td> -<td> - <p>resources is a list containing resources, and their corresponding encryption providers.</p> -</td> -</tr> -</tbody> -</table> - -## `AESConfiguration` {#apiserver-config-k8s-io-v1-AESConfiguration} - - -**Appears in:** - -- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration) - - -<p>AESConfiguration contains the API configuration for an AES transformer.</p> - - -<table class="table"> -<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> -<tbody> - - -<tr><td><code>keys</code> <B>[Required]</B><br/> -<a href="#apiserver-config-k8s-io-v1-Key"><code>[]Key</code></a> -</td> -<td> - <p>keys is a list of keys to be used for creating the AES transformer. 
-Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.</p> -</td> -</tr> -</tbody> -</table> - -## `IdentityConfiguration` {#apiserver-config-k8s-io-v1-IdentityConfiguration} - - -**Appears in:** - -- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration) - - -<p>IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.</p> - - - - -## `KMSConfiguration` {#apiserver-config-k8s-io-v1-KMSConfiguration} - - -**Appears in:** - -- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration) - - -<p>KMSConfiguration contains the name, cache size and path to configuration file for a KMS based envelope transformer.</p> - - -<table class="table"> -<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> -<tbody> - - -<tr><td><code>apiVersion</code><br/> -<code>string</code> -</td> -<td> - <p>apiVersion of KeyManagementService</p> -</td> -</tr> -<tr><td><code>name</code> <B>[Required]</B><br/> -<code>string</code> -</td> -<td> - <p>name is the name of the KMS plugin to be used.</p> -</td> -</tr> -<tr><td><code>cachesize</code><br/> -<code>int32</code> -</td> -<td> - <p>cachesize is the maximum number of secrets which are cached in memory. The default value is 1000. -Set to a negative value to disable caching. This field is only allowed for KMS v1 providers.</p> -</td> -</tr> -<tr><td><code>endpoint</code> <B>[Required]</B><br/> -<code>string</code> -</td> -<td> - <p>endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".</p> -</td> -</tr> -<tr><td><code>timeout</code><br/> -<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> -</td> -<td> - <p>timeout for gRPC calls to kms-plugin (ex. 5s). 
The default is 3 seconds.</p> -</td> -</tr> -</tbody> -</table> - -## `Key` {#apiserver-config-k8s-io-v1-Key} - - -**Appears in:** - -- [AESConfiguration](#apiserver-config-k8s-io-v1-AESConfiguration) - -- [SecretboxConfiguration](#apiserver-config-k8s-io-v1-SecretboxConfiguration) - - -<p>Key contains name and secret of the provided key for a transformer.</p> - - -<table class="table"> -<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> -<tbody> - - -<tr><td><code>name</code> <B>[Required]</B><br/> -<code>string</code> -</td> -<td> - <p>name is the name of the key to be used while storing data to disk.</p> -</td> -</tr> -<tr><td><code>secret</code> <B>[Required]</B><br/> -<code>string</code> -</td> -<td> - <p>secret is the actual key, encoded in base64.</p> -</td> -</tr> -</tbody> -</table> - -## `ProviderConfiguration` {#apiserver-config-k8s-io-v1-ProviderConfiguration} - - -**Appears in:** - -- [ResourceConfiguration](#apiserver-config-k8s-io-v1-ResourceConfiguration) - - -<p>ProviderConfiguration stores the provided configuration for an encryption provider.</p> - - -<table class="table"> -<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> -<tbody> - - -<tr><td><code>aesgcm</code> <B>[Required]</B><br/> -<a href="#apiserver-config-k8s-io-v1-AESConfiguration"><code>AESConfiguration</code></a> -</td> -<td> - <p>aesgcm is the configuration for the AES-GCM transformer.</p> -</td> -</tr> -<tr><td><code>aescbc</code> <B>[Required]</B><br/> -<a href="#apiserver-config-k8s-io-v1-AESConfiguration"><code>AESConfiguration</code></a> -</td> -<td> - <p>aescbc is the configuration for the AES-CBC transformer.</p> -</td> -</tr> -<tr><td><code>secretbox</code> <B>[Required]</B><br/> -<a href="#apiserver-config-k8s-io-v1-SecretboxConfiguration"><code>SecretboxConfiguration</code></a> -</td> -<td> - <p>secretbox is the configuration for the Secretbox based transformer.</p> -</td> -</tr> -<tr><td><code>identity</code> <B>[Required]</B><br/> 
-<a href="#apiserver-config-k8s-io-v1-IdentityConfiguration"><code>IdentityConfiguration</code></a> -</td> -<td> - <p>identity is the (empty) configuration for the identity transformer.</p> -</td> -</tr> -<tr><td><code>kms</code> <B>[Required]</B><br/> -<a href="#apiserver-config-k8s-io-v1-KMSConfiguration"><code>KMSConfiguration</code></a> -</td> -<td> - <p>kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.</p> -</td> -</tr> -</tbody> -</table> - -## `ResourceConfiguration` {#apiserver-config-k8s-io-v1-ResourceConfiguration} - - -**Appears in:** - -- [EncryptionConfiguration](#apiserver-config-k8s-io-v1-EncryptionConfiguration) - - -<p>ResourceConfiguration stores per resource configuration.</p> - - -<table class="table"> -<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> -<tbody> - - -<tr><td><code>resources</code> <B>[Required]</B><br/> -<code>[]string</code> -</td> -<td> - <p>resources is a list of kubernetes resources which have to be encrypted. The resource names are derived from <code>resource</code> or <code>resource.group</code> of the group/version/resource. -eg: pandas.awesome.bears.example is a custom resource with 'group': awesome.bears.example, 'resource': pandas. -Use '<em>.</em>' to encrypt all resources and '<em>.<!-- raw HTML omitted -->' to encrypt all resources in a specific group. -eg: '</em>.awesome.bears.example' will encrypt all resources in the group 'awesome.bears.example'. -eg: '*.' will encrypt all resources in the core group (such as pods, configmaps, etc).</p> -</td> -</tr> -<tr><td><code>providers</code> <B>[Required]</B><br/> -<a href="#apiserver-config-k8s-io-v1-ProviderConfiguration"><code>[]ProviderConfiguration</code></a> -</td> -<td> - <p>providers is a list of transformers to be used for reading and writing the resources to disk. 
-eg: aesgcm, aescbc, secretbox, identity, kms.</p> -</td> -</tr> -</tbody> -</table> - -## `SecretboxConfiguration` {#apiserver-config-k8s-io-v1-SecretboxConfiguration} - - -**Appears in:** - -- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration) - - -<p>SecretboxConfiguration contains the API configuration for an Secretbox transformer.</p> - - -<table class="table"> -<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> -<tbody> - - -<tr><td><code>keys</code> <B>[Required]</B><br/> -<a href="#apiserver-config-k8s-io-v1-Key"><code>[]Key</code></a> -</td> -<td> - <p>keys is a list of keys to be used for creating the Secretbox transformer. -Each key has to be 32 bytes long.</p> -</td> -</tr> -</tbody> -</table> - \ No newline at end of file diff --git a/content/en/docs/reference/config-api/client-authentication.v1.md b/content/en/docs/reference/config-api/client-authentication.v1.md index e49be08c93..5b0f460be5 100644 --- a/content/en/docs/reference/config-api/client-authentication.v1.md +++ b/content/en/docs/reference/config-api/client-authentication.v1.md @@ -205,7 +205,7 @@ itself should at least be protected via file permissions.</p> <tr><td><code>expirationTimestamp</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#time-v1-meta"><code>meta/v1.Time</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#time-v1-meta"><code>meta/v1.Time</code></a> </td> <td> <p>ExpirationTimestamp indicates a time when the provided credentials expire.</p> diff --git a/content/en/docs/reference/config-api/client-authentication.v1beta1.md b/content/en/docs/reference/config-api/client-authentication.v1beta1.md index cd60d94c56..e787539df7 100644 --- a/content/en/docs/reference/config-api/client-authentication.v1beta1.md +++ b/content/en/docs/reference/config-api/client-authentication.v1beta1.md 
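Review bot: this hunk deletes the entire kube-apiserver Encryption Configuration (v1) reference page (EncryptionConfiguration, AESConfiguration, KMSConfiguration, Key, ProviderConfiguration, ResourceConfiguration, SecretboxConfiguration) with nothing in the diff replacing it, so the only generated record of facts an operator needs when writing an encryption config goes away: keys of 32 bytes for AES-CBC and secretbox versus 16, 24 or 32 for AES-GCM, `cachesize` being KMS v1 only, the 3-second default KMS `timeout`, and the rule that earlier resource lists take precedence. If the generator no longer emits this page, the commit message should say so and point to where the types are now documented; if it was lost by accident during regeneration, restore it. If restored, two things in the deleted text deserve a fix at the source: the wildcard description is mangled the same way as the v1beta1 page (`'<em>.<!-- raw HTML omitted -->'` for `'*.<group>'`), and the example's `aescbc` keys do not satisfy the page's own rule, since `c2VjcmV0IGlzIHNlY3VyZQ==` decodes to the 16-byte string "secret is secure" while the AESConfiguration cell two tables down says "Each key has to be 32 bytes long for AES-CBC".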
@@ -205,7 +205,7 @@ itself should at least be protected via file permissions.</p> <tr><td><code>expirationTimestamp</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#time-v1-meta"><code>meta/v1.Time</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#time-v1-meta"><code>meta/v1.Time</code></a> </td> <td> <p>ExpirationTimestamp indicates a time when the provided credentials expire.</p> diff --git a/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md index d03ab74796..c93f3bcb4a 100644 --- a/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md +++ b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md @@ -28,7 +28,7 @@ auto_generated: true <tr><td><code>metadata</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a> </td> <td> <p>Standard object's metadata. diff --git a/content/en/docs/reference/config-api/kube-controller-manager-config.v1alpha1.md b/content/en/docs/reference/config-api/kube-controller-manager-config.v1alpha1.md index d63e35f68a..6988671969 100644 --- a/content/en/docs/reference/config-api/kube-controller-manager-config.v1alpha1.md +++ b/content/en/docs/reference/config-api/kube-controller-manager-config.v1alpha1.md 
@@ -769,7 +769,16 @@ This flag enables or disables reconcile. Is false by default, and thus enabled. </td> <td> <p>ReconcilerSyncLoopPeriod is the amount of time the reconciler sync states loop -wait between successive executions. Is set to 5 sec by default.</p> +wait between successive executions. Is set to 60 sec by default.</p> +</td> +</tr> +<tr><td><code>disableForceDetachOnTimeout</code> <B>[Required]</B><br/> +<code>bool</code> +</td> +<td> + <p>DisableForceDetachOnTimeout disables force detach when the maximum unmount +time is exceeded. Is false by default, and thus force detach on unmount is +enabled.</p> </td> </tr> </tbody> diff --git a/content/en/docs/reference/config-api/kube-scheduler-config.v1.md b/content/en/docs/reference/config-api/kube-scheduler-config.v1.md index 886523e82e..428f43f43d 100644 --- a/content/en/docs/reference/config-api/kube-scheduler-config.v1.md +++ b/content/en/docs/reference/config-api/kube-scheduler-config.v1.md @@ -396,7 +396,7 @@ Defaults to false.</p> <tr><td><code>addedAffinity</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#nodeaffinity-v1-core"><code>core/v1.NodeAffinity</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#nodeaffinity-v1-core"><code>core/v1.NodeAffinity</code></a> </td> <td> <p>AddedAffinity is applied to all Pods additionally to the NodeAffinity @@ -495,7 +495,7 @@ The default strategy is LeastAllocated with an equal "cpu" and "m <tr><td><code>defaultConstraints</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#topologyspreadconstraint-v1-core"><code>[]core/v1.TopologySpreadConstraint</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#topologyspreadconstraint-v1-core"><code>[]core/v1.TopologySpreadConstraint</code></a> </td> <td> <p>DefaultConstraints defines topology spread constraints to be applied to 
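Review bot: in the kube-controller-manager hunk, the new `disableForceDetachOnTimeout` description ends with "force detach on unmount is enabled", which does not match the field name or its first sentence ("when the maximum unmount time is exceeded"); suggest "and thus force detach when the maximum unmount time is exceeded is enabled by default", and say what that maximum unmount time is or where it is configured, because an operator deciding whether to opt out (force detach proceeds even though the unmount did not finish inside that window) needs the figure. The same hunk changes the `ReconcilerSyncLoopPeriod` default from 5 sec to 60 sec in prose only; if this is a documentation correction rather than a code change, say so in the PR description so it is not read as a v1.30 behaviour change.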
diff --git a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md index bb4cec5650..2bca31da93 100644 --- a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md +++ b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md @@ -307,7 +307,7 @@ for, so other administrators can know its purpose.</p> </td> </tr> <tr><td><code>expires</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#time-v1-meta"><code>meta/v1.Time</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#time-v1-meta"><code>meta/v1.Time</code></a> </td> <td> <p><code>expires</code> specifies the timestamp when this token expires. Defaults to being set @@ -1038,7 +1038,7 @@ file from which to load cluster information.</p> </td> </tr> <tr><td><code>pathType</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#hostpathtype-v1-core"><code>core/v1.HostPathType</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#hostpathtype-v1-core"><code>core/v1.HostPathType</code></a> </td> <td> <p><code>pathType</code> is the type of the <code>hostPath</code>.</p> @@ -1262,7 +1262,7 @@ This information will be annotated to the Node API object, for later re-use.</p> </td> </tr> <tr><td><code>taints</code> <B>[Required]</B><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#taint-v1-core"><code>[]core/v1.Taint</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#taint-v1-core"><code>[]core/v1.Taint</code></a> </td> <td> <p><code>taints</code> specifies the taints the Node API object should be registered with. 
@@ -1294,7 +1294,7 @@ Value <code>all</code> ignores errors from all checks.</p> </td> </tr> <tr><td><code>imagePullPolicy</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#pullpolicy-v1-core"><code>core/v1.PullPolicy</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#pullpolicy-v1-core"><code>core/v1.PullPolicy</code></a> </td> <td> <p><code>imagePullPolicy</code> specifies the policy for image pulling during kubeadm "init" and diff --git a/content/en/docs/reference/config-api/kubeadm-config.v1beta4.md b/content/en/docs/reference/config-api/kubeadm-config.v1beta4.md index 9a4026bdcb..67ed2f8fb4 100644 --- a/content/en/docs/reference/config-api/kubeadm-config.v1beta4.md +++ b/content/en/docs/reference/config-api/kubeadm-config.v1beta4.md @@ -10,8 +10,7 @@ This version improves on the v1beta3 format by fixing some minor issues and addi <p>A list of changes since v1beta3:</p> <ul> <li>TODO https://github.com/kubernetes/kubeadm/issues/2890</li> -<li>Support custom environment variables in control plane components under -<code>ClusterConfiguration</code>. +<li>Support custom environment variables in control plane components under <code>ClusterConfiguration</code>. Use <code>APIServer.ExtraEnvs</code>, <code>ControllerManager.ExtraEnvs</code>, <code>Scheduler.ExtraEnvs</code>, <code>Etcd.Local.ExtraEnvs</code>.</li> <li>The <code>ResetConfiguration</code> API type is now supported in v1beta4. 
@@ -21,12 +20,20 @@ Users are able to reset a node by passing a <code>--config</code> file to <code> that support duplicates. The change applies to <code>ClusterConfiguration</code> - <code>APIServer.ExtraArgs</code>, <code>ControllerManager.ExtraArgs</code>, <code>Scheduler.ExtraArgs</code>. Also to <code>NodeRegistrationOptions.KubeletExtraArgs</code>.</li> <li>Add <code>ClusterConfiguration.EncryptionAlgorithm</code> that can be used to set the asymmetric -encryption algorithm used for this cluster's keys and certificates. Can be <code>"RSA"</code> -(default algorithm, key size is 2048) or <code>"ECDSA"</code> (uses the P-256 elliptic curve).</li> +encryption algorithm used for this cluster's keys and certificates. Can be one of +<code>"RSA-2048"</code> (default), <code>"RSA-3072"</code>, <code>"RSA-4096"</code> or <code>"ECDSA-P256"</code>.</li> <li>Add <code>ClusterConfiguration.DNS.Disabled</code> and <code>ClusterConfiguration.Proxy.Disabled</code> that can be used to disable the CoreDNS and kube-proxy addons during cluster initialization. Skipping the related addons phases, during cluster creation will set the same fields to <code>false</code>.</li> +<li>Add the <code>NodeRegistration.ImagePullSerial</code> field in 'InitConfiguration<code>and</code>JoinConfiguration`, which +can be used to control if kubeadm pulls images serially or in parallel.</li> +<li>The UpgradeConfiguration kubeadm API is now supported in v1beta4 when passing +<code>--config</code> to <code>kubeadm upgrade</code> subcommands. 
Usage of component configuration for <code>kubelet</code> and <code>kube-proxy</code>, +InitConfiguration and ClusterConfiguration is deprecated and will be ignored when passing <code>--config</code> to +<code>upgrade</code> subcommands.</li> +<li>Add a <code>Timeouts</code> structure to <code>InitConfiguration</code>, <code>JoinConfiguration</code>, <code>ResetConfiguration</code> and <code>UpgradeConfiguration</code> +that can be used to configure various timeouts.</li> </ul> <h1>Migration from old kubeadm config versions</h1> <ul> @@ -300,6 +307,7 @@ node only (e.g. the node ip).</p> - [InitConfiguration](#kubeadm-k8s-io-v1beta4-InitConfiguration) - [JoinConfiguration](#kubeadm-k8s-io-v1beta4-JoinConfiguration) - [ResetConfiguration](#kubeadm-k8s-io-v1beta4-ResetConfiguration) +- [UpgradeConfiguration](#kubeadm-k8s-io-v1beta4-UpgradeConfiguration) @@ -347,7 +355,7 @@ for, so other administrators can know its purpose.</p> </td> </tr> <tr><td><code>expires</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#time-v1-meta"><code>meta/v1.Time</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#time-v1-meta"><code>meta/v1.Time</code></a> </td> <td> <p><code>expires</code> specifies the timestamp when this token expires. Defaults to being set @@ -730,7 +738,7 @@ during the reset process.</p> <code>string</code> </td> <td> - <p><code> certificatesDir</code> specifies the directory where the certificates are stored. + <p><code>certificatesDir</code> specifies the directory where the certificates are stored. If specified, it will be cleaned during the reset process.</p> </td> </tr> 
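Review bot: the `NodeRegistration.ImagePullSerial` bullet has broken markup: `in 'InitConfiguration<code>and</code>JoinConfiguration`` renders "and" as code and leaves a stray apostrophe and backtick, because the source comment opens with `'` instead of a backtick; fix the doc comment in the kubeadm types (this file is generated) so it reads `InitConfiguration` and `JoinConfiguration`. Two more points in the same hunk: the `EncryptionAlgorithm` bullet replaces `"RSA"` and `"ECDSA"` with `"RSA-2048"` (default), `"RSA-3072"`, `"RSA-4096"` and `"ECDSA-P256"` without saying whether the old spellings are still accepted by v1beta4, which anyone who already wrote a v1beta4 config needs to know; and "is deprecated and will be ignored when passing `--config` to `upgrade` subcommands" is self-contradictory (deprecated implies still honored), so state whether kubeadm warns, errors or silently drops those documents, since silently ignored configuration is the worst of the three for an operator.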
@@ -779,6 +787,59 @@ The list of phases can be obtained with the <code>kubeadm reset phase --help</co </tbody> </table> +## `UpgradeConfiguration` {#kubeadm-k8s-io-v1beta4-UpgradeConfiguration} + + + +<p>UpgradeConfiguration contains a list of options that are specific to <code>kubeadm upgrade</code> subcommands.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + +<tr><td><code>apiVersion</code><br/>string</td><td><code>kubeadm.k8s.io/v1beta4</code></td></tr> +<tr><td><code>kind</code><br/>string</td><td><code>UpgradeConfiguration</code></td></tr> + + +<tr><td><code>apply</code><br/> +<a href="#kubeadm-k8s-io-v1beta4-UpgradeApplyConfiguration"><code>UpgradeApplyConfiguration</code></a> +</td> +<td> + <p><code>apply</code> holds a list of options that are specific to the <code>kubeadm upgrade apply</code> command.</p> +</td> +</tr> +<tr><td><code>diff</code><br/> +<a href="#kubeadm-k8s-io-v1beta4-UpgradeDiffConfiguration"><code>UpgradeDiffConfiguration</code></a> +</td> +<td> + <p><code>diff</code> holds a list of options that are specific to the <code>kubeadm upgrade diff</code> command.</p> +</td> +</tr> +<tr><td><code>node</code><br/> +<a href="#kubeadm-k8s-io-v1beta4-UpgradeNodeConfiguration"><code>UpgradeNodeConfiguration</code></a> +</td> +<td> + <p><code>node</code> holds a list of options that are specific to the <code>kubeadm upgrade node</code> command.</p> +</td> +</tr> +<tr><td><code>plan</code><br/> +<a href="#kubeadm-k8s-io-v1beta4-UpgradePlanConfiguration"><code>UpgradePlanConfiguration</code></a> +</td> +<td> + <p><code>plan</code> holds a list of options that are specific to the <code>kubeadm upgrade plan</code> command.</p> +</td> +</tr> +<tr><td><code>timeouts</code><br/> +<a href="#kubeadm-k8s-io-v1beta4-Timeouts"><code>Timeouts</code></a> +</td> +<td> + <p><code>timeouts</code> holds various timeouts that apply to kubeadm commands.</p> +</td> +</tr> +</tbody> +</table> + ## 
`APIEndpoint` {#kubeadm-k8s-io-v1beta4-APIEndpoint} @@ -1113,7 +1174,7 @@ does not contain any other authentication information.</p> <tr><td><code>EnvVar</code> <B>[Required]</B><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#envvar-v1-core"><code>core/v1.EnvVar</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#envvar-v1-core"><code>core/v1.EnvVar</code></a> </td> <td>(Members of <code>EnvVar</code> are embedded into this type.) <span class="text-muted">No description provided.</span></td> @@ -1280,7 +1341,7 @@ file from which to load cluster information.</p> </td> </tr> <tr><td><code>pathType</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#hostpathtype-v1-core"><code>core/v1.HostPathType</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#hostpathtype-v1-core"><code>core/v1.HostPathType</code></a> </td> <td> <p><code>pathType</code> is the type of the <code>hostPath</code>.</p> @@ -1515,7 +1576,7 @@ This information will be annotated to the Node API object, for later re-use.</p> </td> </tr> <tr><td><code>taints</code> <B>[Required]</B><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#taint-v1-core"><code>[]core/v1.Taint</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#taint-v1-core"><code>[]core/v1.Taint</code></a> </td> <td> <p><code>taints</code> specifies the taints the Node API object should be registered with. 
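Review bot: in the `UpgradeConfiguration` table, `timeouts` is described as holding timeouts that "apply to kubeadm commands" in general, but of the `Timeouts` fields added later in this patch only `upgradeManifests` is described in terms of upgrade; `controlPlaneComponentHealthCheck`, `kubeletHealthCheck`, `tlsBootstrap` and `discovery` are documented against `kubeadm init` and `kubeadm join`. Say which fields `kubeadm upgrade` actually reads from this structure so operators do not set values the command ignores.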
@@ -1548,7 +1609,7 @@ Value 'all' ignores errors from all checks.</p> </td> </tr> <tr><td><code>imagePullPolicy</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#pullpolicy-v1-core"><code>core/v1.PullPolicy</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#pullpolicy-v1-core"><code>core/v1.PullPolicy</code></a> </td> <td> <p><code>imagePullPolicy</code> specifies the policy for image pulling during kubeadm <code>init</code> and @@ -1570,6 +1631,10 @@ images if not present on the host.</p> - [JoinConfiguration](#kubeadm-k8s-io-v1beta4-JoinConfiguration) +- [UpgradeApplyConfiguration](#kubeadm-k8s-io-v1beta4-UpgradeApplyConfiguration) + +- [UpgradeNodeConfiguration](#kubeadm-k8s-io-v1beta4-UpgradeNodeConfiguration) + <p>Patches contains options related to applying patches to components deployed by kubeadm.</p> 
@@ -1622,4 +1687,352 @@ first alpha-numerically.</p> </tr> </tbody> </table> + +## `Timeouts` {#kubeadm-k8s-io-v1beta4-Timeouts} + + +**Appears in:** + +- [UpgradeConfiguration](#kubeadm-k8s-io-v1beta4-UpgradeConfiguration) + + +<p>Timeouts holds various timeouts that apply to kubeadm commands.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>controlPlaneComponentHealthCheck</code><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p><code>controlPlaneComponentHealthCheck</code> is the amount of time to wait for a control plane +component, such as the API server, to be healthy during <code>kubeadm init</code> and <code>kubeadm join</code>. +Default: 4m</p> +</td> +</tr> +<tr><td><code>kubeletHealthCheck</code><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p><code>kubeletHealthCheck</code> is the amount of time to wait for the kubelet to be healthy +during <code>kubeadm init</code> and <code>kubeadm join</code>. +Default: 4m</p> +</td> +</tr> +<tr><td><code>kubernetesAPICall</code><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p><code>kubernetesAPICall</code> is the amount of time to wait for the kubeadm client to complete a request to +the API server. This applies to all types of methods (GET, POST, etc). +Default: 1m</p> +</td> +</tr> +<tr><td><code>etcdAPICall</code><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p><code>etcdAPICall</code> is the amount of time to wait for the kubeadm etcd client to complete a request to +the etcd cluster. 
+Default: 2m</p> +</td> +</tr> +<tr><td><code>tlsBootstrap</code><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p><code>tlsBootstrap</code> is the amount of time to wait for the kubelet to complete TLS bootstrap +for a joining node. +Default: 5m</p> +</td> +</tr> +<tr><td><code>discovery</code><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p><code>discovery</code> is the amount of time to wait for kubeadm to validate the API server identity +for a joining node. +Default: 5m</p> +</td> +</tr> +<tr><td><code>upgradeManifests</code> <B>[Required]</B><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p><code>upgradeManifests</code> is the timeout for upgradring static Pod manifests +Default: 5m</p> +</td> +</tr> +</tbody> +</table> + +## `UpgradeApplyConfiguration` {#kubeadm-k8s-io-v1beta4-UpgradeApplyConfiguration} + + +**Appears in:** + +- [UpgradeConfiguration](#kubeadm-k8s-io-v1beta4-UpgradeConfiguration) + + +<p>UpgradeApplyConfiguration contains a list of configurable options which are specific to the "kubeadm upgrade apply" command.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>kubernetesVersion</code><br/> +<code>string</code> +</td> +<td> + <p><code>kubernetesVersion</code> is the target version of the control plane.</p> +</td> +</tr> +<tr><td><code>allowExperimentalUpgrades</code><br/> +<code>bool</code> +</td> +<td> + <p><code>allowExperimentalUpgrades</code> instructs kubeadm to show unstable versions of Kubernetes as an upgrade +alternative and allows upgrading to an alpha/beta/release candidate version of Kubernetes. 
+Default: false</p> +</td> +</tr> +<tr><td><code>allowRCUpgrades</code><br/> +<code>bool</code> +</td> +<td> + <p>Enable <code>allowRCUpgrades</code> will show release candidate versions of Kubernetes as an upgrade alternative and +allows upgrading to a release candidate version of Kubernetes.</p> +</td> +</tr> +<tr><td><code>certificateRenewal</code><br/> +<code>bool</code> +</td> +<td> + <p><code>certificateRenewal</code> instructs kubeadm to execute certificate renewal during upgrades. +Defaults to true.</p> +</td> +</tr> +<tr><td><code>dryRun</code><br/> +<code>bool</code> +</td> +<td> + <p><code>dryRun</code> tells if the dry run mode is enabled, don't apply any change if it is and just output +what would be done.</p> +</td> +</tr> +<tr><td><code>etcdUpgrade</code><br/> +<code>bool</code> +</td> +<td> + <p><code>etcdUpgrade</code> instructs kubeadm to execute etcd upgrade during upgrades. +Defaults to true.</p> +</td> +</tr> +<tr><td><code>forceUpgrade</code><br/> +<code>bool</code> +</td> +<td> + <p><code>forceUpgrade</code> flag instructs kubeadm to upgrade the cluster without prompting for confirmation.</p> +</td> +</tr> +<tr><td><code>ignorePreflightErrors</code><br/> +<code>[]string</code> +</td> +<td> + <p><code>ignorePreflightErrors</code> provides a slice of pre-flight errors to be ignored during the upgrade process, +e.g. 'IsPrivilegedUser,Swap'. 
Value 'all' ignores errors from all checks.</p> +</td> +</tr> +<tr><td><code>patches</code><br/> +<a href="#kubeadm-k8s-io-v1beta4-Patches"><code>Patches</code></a> +</td> +<td> + <p><code>patches</code> contains options related to applying patches to components deployed by kubeadm during "kubeadm upgrade".</p> +</td> +</tr> +<tr><td><code>printConfig</code><br/> +<code>bool</code> +</td> +<td> + <p><code>printConfig</code> specifies whether the configuration file that will be used in the upgrade should be printed or not.</p> +</td> +</tr> +<tr><td><code>SkipPhases</code> <B>[Required]</B><br/> +<code>[]string</code> +</td> +<td> + <p><code>skipPhases</code> is a list of phases to skip during command execution. +NOTE: This field is currently ignored for "kubeadm upgrade apply", but in the future it will be supported.</p> +</td> +</tr> +</tbody> +</table> + +## `UpgradeDiffConfiguration` {#kubeadm-k8s-io-v1beta4-UpgradeDiffConfiguration} + + +**Appears in:** + +- [UpgradeConfiguration](#kubeadm-k8s-io-v1beta4-UpgradeConfiguration) + + +<p>UpgradeDiffConfiguration contains a list of configurable options which are specific to the "kubeadm upgrade diff" command.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>kubernetesVersion</code><br/> +<code>string</code> +</td> +<td> + <p><code>kubernetesVersion</code> is the target version of the control plane.</p> +</td> +</tr> +<tr><td><code>contextLines</code><br/> +<code>int</code> +</td> +<td> + <p><code>diffContextLines</code> is the number of lines of context in the diff.</p> +</td> +</tr> +</tbody> +</table> + +## `UpgradeNodeConfiguration` {#kubeadm-k8s-io-v1beta4-UpgradeNodeConfiguration} + + +**Appears in:** + +- [UpgradeConfiguration](#kubeadm-k8s-io-v1beta4-UpgradeConfiguration) + + +<p>UpgradeNodeConfiguration contains a list of configurable options which are specific to the "kubeadm upgrade node" command.</p> + + +<table 
class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>certificateRenewal</code><br/> +<code>bool</code> +</td> +<td> + <p><code>certificateRenewal</code> instructs kubeadm to execute certificate renewal during upgrades. +Defaults to true.</p> +</td> +</tr> +<tr><td><code>dryRun</code><br/> +<code>bool</code> +</td> +<td> + <p><code>dryRun</code> tells if the dry run mode is enabled, don't apply any change if it is and just output what would be done.</p> +</td> +</tr> +<tr><td><code>etcdUpgrade</code><br/> +<code>bool</code> +</td> +<td> + <p><code>etcdUpgrade</code> instructs kubeadm to execute etcd upgrade during upgrades. +Defaults to true.</p> +</td> +</tr> +<tr><td><code>ignorePreflightErrors</code><br/> +<code>[]string</code> +</td> +<td> + <p><code>ignorePreflightErrors</code> provides a slice of pre-flight errors to be ignored during the upgrade process, +e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.</p> +</td> +</tr> +<tr><td><code>skipPhases</code><br/> +<code>[]string</code> +</td> +<td> + <p><code>skipPhases</code> is a list of phases to skip during command execution. 
+The list of phases can be obtained with the <code>kubeadm upgrade node phase --help</code> command.</p> +</td> +</tr> +<tr><td><code>patches</code><br/> +<a href="#kubeadm-k8s-io-v1beta4-Patches"><code>Patches</code></a> +</td> +<td> + <p><code>patches</code> contains options related to applying patches to components deployed by kubeadm during <code>kubeadm upgrade</code>.</p> +</td> +</tr> +</tbody> +</table> + +## `UpgradePlanConfiguration` {#kubeadm-k8s-io-v1beta4-UpgradePlanConfiguration} + + +**Appears in:** + +- [UpgradeConfiguration](#kubeadm-k8s-io-v1beta4-UpgradeConfiguration) + + +<p>UpgradePlanConfiguration contains a list of configurable options which are specific to the "kubeadm upgrade plan" command.</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>kubernetesVersion</code> <B>[Required]</B><br/> +<code>string</code> +</td> +<td> + <p><code>kubernetesVersion</code> is the target version of the control plane.</p> +</td> +</tr> +<tr><td><code>allowExperimentalUpgrades</code><br/> +<code>bool</code> +</td> +<td> + <p><code>allowExperimentalUpgrades</code> instructs kubeadm to show unstable versions of Kubernetes as an upgrade +alternative and allows upgrading to an alpha/beta/release candidate version of Kubernetes. 
+Default: false</p> +</td> +</tr> +<tr><td><code>allowRCUpgrades</code><br/> +<code>bool</code> +</td> +<td> + <p>Enable <code>allowRCUpgrades</code> will show release candidate versions of Kubernetes as an upgrade alternative and +allows upgrading to a release candidate version of Kubernetes.</p> +</td> +</tr> +<tr><td><code>dryRun</code><br/> +<code>bool</code> +</td> +<td> + <p><code>dryRun</code> tells if the dry run mode is enabled, don't apply any change if it is and just output what would be done.</p> +</td> +</tr> +<tr><td><code>ignorePreflightErrors</code><br/> +<code>[]string</code> +</td> +<td> + <p><code>ignorePreflightErrors</code> provides a slice of pre-flight errors to be ignored during the upgrade process, +e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.</p> +</td> +</tr> +<tr><td><code>printConfig</code><br/> +<code>bool</code> +</td> +<td> + <p><code>printConfig</code> specifies whether the configuration file that will be used in the upgrade should be printed or not.</p> +</td> +</tr> +</tbody> +</table> \ No newline at end of file diff --git a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md index 2975657ccf..fccaa0770f 100644 --- a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md +++ b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md @@ -32,6 +32,14 @@ auto_generated: true <tbody> +<tr><td><code>text</code> <B>[Required]</B><br/> +<a href="#TextOptions"><code>TextOptions</code></a> +</td> +<td> + <p>[Alpha] Text contains options for logging format "text". +Only available when the LoggingAlphaOptions feature gate is enabled.</p> +</td> +</tr> <tr><td><code>json</code> <B>[Required]</B><br/> <a href="#JSONOptions"><code>JSONOptions</code></a> </td> 
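Review bot: `SkipPhases` in `UpgradeApplyConfiguration` is rendered with its Go field name and marked [Required], while the equivalent field in `UpgradeNodeConfiguration` is `skipPhases` and optional; that pattern means the Go field is missing its `json:"skipPhases,omitempty"` tag, so a user who writes `skipPhases:` under `apply:` will not get the key decoded the way the text suggests. Fix the tag in the kubeadm types and regenerate, and since the description already says the field is "currently ignored" for `kubeadm upgrade apply`, consider not exposing it until it works: a field that is accepted but does nothing misleads operators. Other items in this hunk: `upgradeManifests` is the only `Timeouts` field marked [Required] (the rest are optional), which looks like a non-pointer field where its siblings are pointers; its description has the typo "upgradring" and no period before "Default: 5m"; the `Timeouts` "Appears in" list names only `UpgradeConfiguration` although the changelog earlier in the file says the structure was added to `InitConfiguration`, `JoinConfiguration` and `ResetConfiguration` as well, so either the generator missed those fields or the changelog overstates; `contextLines` in `UpgradeDiffConfiguration` is described as `diffContextLines`; "Enable `allowRCUpgrades` will show" should read "Enabling `allowRCUpgrades` shows"; and `allowRCUpgrades`, `dryRun` and `forceUpgrade` state no default where `allowExperimentalUpgrades` does.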
@@ -59,24 +67,11 @@ Only available when the LoggingAlphaOptions feature gate is enabled.</p> <tbody> -<tr><td><code>splitStream</code> <B>[Required]</B><br/> -<code>bool</code> -</td> -<td> - <p>[Alpha] SplitStream redirects error messages to stderr while -info messages go to stdout, with buffering. The default is to write -both to stdout, without buffering. Only available when -the LoggingAlphaOptions feature gate is enabled.</p> -</td> -</tr> -<tr><td><code>infoBufferSize</code> <B>[Required]</B><br/> -<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#QuantityValue"><code>k8s.io/apimachinery/pkg/api/resource.QuantityValue</code></a> -</td> -<td> - <p>[Alpha] InfoBufferSize sets the size of the info stream when -using split streams. The default is zero, which disables buffering. -Only available when the LoggingAlphaOptions feature gate is enabled.</p> +<tr><td><code>OutputRoutingOptions</code> <B>[Required]</B><br/> +<a href="#OutputRoutingOptions"><code>OutputRoutingOptions</code></a> </td> +<td>(Members of <code>OutputRoutingOptions</code> are embedded into this type.) + <span class="text-muted">No description provided.</span></td> </tr> </tbody> </table> 
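Review bot: `JSONOptions` now embeds `OutputRoutingOptions` instead of declaring `splitStream` and `infoBufferSize` itself, and the row renders as "No description provided". This is only backward compatible if the embedding carries `json:",inline"` so the serialized keys stay `json.splitStream` and `json.infoBufferSize`; the generated table cannot show that, so confirm it in the kubelet config types, and consider a one-line doc comment on the embedded field saying the options are shared with the `text` format, which would replace the placeholder text.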
@@ -186,6 +181,71 @@ certain global defaults.</p> </tbody> </table> +## `OutputRoutingOptions` {#OutputRoutingOptions} + + +**Appears in:** + +- [JSONOptions](#JSONOptions) + +- [TextOptions](#TextOptions) + + +<p>OutputRoutingOptions contains options that are supported by both "text" and "json".</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>splitStream</code> <B>[Required]</B><br/> +<code>bool</code> +</td> +<td> + <p>[Alpha] SplitStream redirects error messages to stderr while +info messages go to stdout, with buffering. The default is to write +both to stdout, without buffering. Only available when +the LoggingAlphaOptions feature gate is enabled.</p> +</td> +</tr> +<tr><td><code>infoBufferSize</code> <B>[Required]</B><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#QuantityValue"><code>k8s.io/apimachinery/pkg/api/resource.QuantityValue</code></a> +</td> +<td> + <p>[Alpha] InfoBufferSize sets the size of the info stream when +using split streams. The default is zero, which disables buffering. +Only available when the LoggingAlphaOptions feature gate is enabled.</p> +</td> +</tr> +</tbody> +</table> + +## `TextOptions` {#TextOptions} + + +**Appears in:** + +- [FormatOptions](#FormatOptions) + + +<p>TextOptions contains options for logging format "text".</p> + + +<table class="table"> +<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead> +<tbody> + + +<tr><td><code>OutputRoutingOptions</code> <B>[Required]</B><br/> +<a href="#OutputRoutingOptions"><code>OutputRoutingOptions</code></a> +</td> +<td>(Members of <code>OutputRoutingOptions</code> are embedded into this type.) + <span class="text-muted">No description provided.</span></td> +</tr> +</tbody> +</table> + ## `TimeOrMetaDuration` {#TimeOrMetaDuration} 
@@ -352,6 +412,16 @@ run, or the path to a single static pod file. Default: ""</p> </td> </tr> +<tr><td><code>podLogsDir</code><br/> +<code>string</code> +</td> +<td> + <p>podLogsDir is a custom root directory path kubelet will use to place pod's log files. +Default: "/var/log/pods/" +Note: it is not recommended to use the temp folder as a log directory as it may cause +unexpected behavior in many places.</p> +</td> +</tr> <tr><td><code>syncFrequency</code><br/> <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> </td> @@ -449,7 +519,7 @@ Default: ""</p> <td> <p>tlsCipherSuites is the list of allowed cipher suites for the server. Note that TLS 1.3 ciphersuites are not configurable. -Values are from tls package constants (https://pkg.go.dev/crypto/tls#pkg-constants). +Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). Default: nil</p> </td> </tr> @@ -458,7 +528,7 @@ Default: nil</p> </td> <td> <p>tlsMinVersion is the minimum TLS version supported. -Values are from tls package constants (https://pkg.go.dev/crypto/tls#pkg-constants). +Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). Default: ""</p> </td> </tr> 
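Review bot: the two `tlsCipherSuites`/`tlsMinVersion` hunks replace `https://pkg.go.dev/crypto/tls#pkg-constants` with the older `https://golang.org/pkg/crypto/tls/#pkg-constants`, which is a regression: the page was regenerated from a source comment that had not picked up the link fix, so the earlier correction is lost and will keep being reverted on every regeneration unless the Go doc comment in the kubelet config types is updated first. For the new `podLogsDir` field, "may cause unexpected behavior in many places" is too vague for a setting that decides where the kubelet writes every container's logs; name the concrete problem the temp-folder warning is about, and state whether the path must be absolute and what the kubelet does when the directory does not exist.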
@@ -1176,6 +1246,27 @@ be present for a container. Default: 5</p> </td> </tr> +<tr><td><code>containerLogMaxWorkers</code><br/> +<code>int32</code> +</td> +<td> + <p>ContainerLogMaxWorkers specifies the maximum number of concurrent workers to spawn +for performing the log rotate operations. Set this count to 1 for disabling the +concurrent log rotation workflows +Default: 1</p> +</td> +</tr> +<tr><td><code>containerLogMonitorInterval</code><br/> +<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a> +</td> +<td> + <p>ContainerLogMonitorInterval specifies the duration at which the container logs are monitored +for performing the log rotate operation. This defaults to 10 * time.Seconds. But can be +customized to a smaller value based on the log generation rate and the size required to be +rotated against +Default: 10s</p> +</td> +</tr> <tr><td><code>configMapAndSecretChangeDetectionStrategy</code><br/> <a href="#kubelet-config-k8s-io-v1beta1-ResourceChangeDetectionStrategy"><code>ResourceChangeDetectionStrategy</code></a> </td> @@ -1458,7 +1549,7 @@ Default: 0.9</p> </td> </tr> <tr><td><code>registerWithTaints</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#taint-v1-core"><code>[]core/v1.Taint</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#taint-v1-core"><code>[]core/v1.Taint</code></a> </td> <td> <p>registerWithTaints are an array of taints to add to a node object when 
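Review bot: `containerLogMonitorInterval` says "This defaults to 10 * time.Seconds", which is Go syntax leaked into user documentation and duplicates the "Default: 10s" line; drop it and keep the `Default:` form the rest of the page uses. Both new descriptions also run their last sentence into the `Default:` line without punctuation ("concurrent log rotation workflows Default: 1", "rotated against Default: 10s"). Since these two fields decide how quickly a container that floods its log gets rotated, and therefore how far a noisy or malicious container can overshoot the configured log size limit between checks, a sentence saying that a longer interval lets log files exceed the limit would help operators tune them.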
@@ -1538,7 +1629,7 @@ It exists in the kubeletconfig API group because it is classified as a versioned <tr><td><code>source</code><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#nodeconfigsource-v1-core"><code>core/v1.NodeConfigSource</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#nodeconfigsource-v1-core"><code>core/v1.NodeConfigSource</code></a> </td> <td> <p>source is the source that we are serializing.</p> @@ -1899,7 +1990,7 @@ and groups corresponding to the Organization in the client certificate.</p> <span class="text-muted">No description provided.</span></td> </tr> <tr><td><code>limits</code> <B>[Required]</B><br/> -<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#resourcelist-v1-core"><code>core/v1.ResourceList</code></a> +<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#resourcelist-v1-core"><code>core/v1.ResourceList</code></a> </td> <td> <span class="text-muted">No description provided.</span></td> @@ -1926,8 +2017,8 @@ and groups corresponding to the Organization in the client certificate.</p> </td> <td> <p>swapBehavior configures swap memory available to container workloads. May be one of -"", "LimitedSwap": workload combined memory and swap usage cannot exceed pod memory limit -"UnlimitedSwap": workloads can use unlimited swap, up to the allocatable limit.</p> +"", "NoSwap": workloads can not use swap, default option. +"LimitedSwap": workload swap usage is limited. The swap limit is proportionate to the container's memory request.</p> </td> </tr> </tbody> diff --git a/content/en/docs/tasks/administer-cluster/decrypt-data.md b/content/en/docs/tasks/administer-cluster/decrypt-data.md index 2bf9b11f56..0278125cc3 100644 --- a/content/en/docs/tasks/administer-cluster/decrypt-data.md +++ b/content/en/docs/tasks/administer-cluster/decrypt-data.md 
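Review bot: the `swapBehavior` hunk removes `"UnlimitedSwap"` and introduces `"NoSwap"` as the default, with `"LimitedSwap"` now tied to the container's memory request; say what the kubelet does with an existing config that still sets `UnlimitedSwap` (validation error at startup or silently treated as `NoSwap`), because a node that silently loses its swap setting changes its memory-pressure behaviour without anyone noticing. The description also reads as a run-on; suggest listing the values on separate lines: `""` (same as `NoSwap`), `NoSwap`, `LimitedSwap`, each with its one-line meaning.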
@@ -163,4 +163,4 @@ Make sure that you use the same encryption configuration on each control plane h ## {{% heading "whatsnext" %}} -* Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/). +* Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-config.v1/). diff --git a/content/en/docs/tasks/administer-cluster/encrypt-data.md b/content/en/docs/tasks/administer-cluster/encrypt-data.md index 6e7a05ef09..78d92d7fbc 100644 --- a/content/en/docs/tasks/administer-cluster/encrypt-data.md +++ b/content/en/docs/tasks/administer-cluster/encrypt-data.md @@ -715,4 +715,4 @@ To allow automatic reloading, configure the API server to run with: ## {{% heading "whatsnext" %}} * Read about [decrypting data that are already stored at rest](/docs/tasks/administer-cluster/decrypt-data/) -* Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/). +* Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-config.v1/).
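Review bot: both `whatsnext` links keep the text "EncryptionConfiguration configuration API (v1)" but now point at the whole apiserver-config.v1 page rather than the `EncryptionConfiguration` type on it. Link to the type's own anchor so readers land on the encryption configuration; following the anchor convention this patch uses elsewhere (`#apiserver-config-k8s-io-v1-SecretboxConfiguration`), that would be `/docs/reference/config-api/apiserver-config.v1/#apiserver-config-k8s-io-v1-EncryptionConfiguration`, assuming the merged page generates that id.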