build(deps): Update kubernetes requirement from >=29.0.0 to >=36.0.1 in /tools/k8s_readonly_server

[dependabot]

Updates the requirements on kubernetes to permit the latest version.

Release notes

Sourced from kubernetes's releases.

Kubernetes Python Client v36.0.1 Stable Release

Getting started:

pip install --pre --upgrade kubernetes

Or from source, download attached zip file, then

unzip client-python-v36.0.1.zip
cd client-python-v36.0.1
python setup-release.py install

Then follow examples in https://github.com/kubernetes-client/python/tree/release-36.0/examples

Changelog: https://github.com/kubernetes-client/python/blob/release-36.0/CHANGELOG.md

Changelog

Sourced from kubernetes's changelog.

v36.0.1

Kubernetes API Version: v1.36.1

Bug or Regression

• Fix load_incluster_config() and load_kube_config() (sync and async, with a static token) so requests carry an Authorization header on kubernetes-client/python v36+. Without this fix, in-cluster pods upgrading to v36 silently send unauthenticated requests and the apiserver rejects them as system:anonymous. (#2585, @​Jmacek)

Deprecation

• Support new exec v5 websocket subprotocol (#2486, @​aojea)

v36.0.0

Kubernetes API Version: v1.36.1

v36.0.0b1

Kubernetes API Version: v1.36.1

Deprecation

• Support new exec v5 websocket subprotocol (#2486, @​aojea)

v36.0.0a3

Kubernetes API Version: v1.36.0

v36.0.0a2

Kubernetes API Version: v1.36.0

v36.0.0a1

Kubernetes API Version: v1.36.0

API Change

• ACTION REQUIRED: DRA (Dynamic Resource Allocation) drivers and controllers now require granular RBAC permissions to update ResourceClaim statuses when the DRAResourceClaimGranularStatusAuthorization feature gate is enabled (beta in v1.36). Schedulers and controllers must be granted update/patch on resourceclaims/binding. DRA drivers must be granted associated-node:update or arbitrary-node:update (or patch equivalents) on resourceclaims/driver, restricted by their specific resourceNames. (kubernetes/kubernetes#134947, @​aojea) [SIG API Machinery, Apps, Auth, Instrumentation, Node, Scheduling and Testing]
• ACTION REQUIRED: Removed the integrated support for flex-volumes in kubeadm. Users were advised to migrate away from flex-volumes as recommended by SIG Storage since v1.22. If kubeadm users wish to continue using the feature, they need a custom image for the KCM that is not based on distroless, pass the KCM flag --flex-volume-plugin-dir, and mount the directory /usr/libexec/kubernetes/kubelet-plugins/volume/exec in the KCM static pod using kubeadm's extraVolumes mechanism before upgrading to v1.36. Previously, kubeadm automatically did the mounting if the user passed the flag. (kubernetes/kubernetes#136423, @​neolit123) [SIG Cluster Lifecycle]
• ACTION REQUIRED: Renamed metric etcd_bookmark_counts to etcd_bookmark_total. If you are using custom monitoring dashboards or alerting rules based on the etcd_bookmark_counts metric, update them to use the new etcd_bookmark_total metric. (kubernetes/kubernetes#136483, @​petern48) [SIG API Machinery, Etcd, Instrumentation and Testing]
• Added SchedulingConstraints to express topology-aware scheduling (TAS) constraints for PodGroup scheduling behind the TopologyAwareWorkloadScheduling feature gate. Added the TopologyPlacement plugin implementing the PlacementGenerate extension point to take constraints into consideration during PodGroup scheduling. (kubernetes/kubernetes#137271, @​brejman) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
• Added DisruptionMode, PriorityClassName, and Priority fields to the Workload and PodGroup APIs to support workload-aware preemption when the WorkloadAwarePreemption feature gate is enabled. (kubernetes/kubernetes#136589, @​tosi3k) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
• Added ImageVolumeWithDigest which includes the digest of image volumes in the container status. (kubernetes/kubernetes#132807, @​iholder101) [SIG API Machinery, Apps, Node and Testing]
• Added MemoryReservationPolicy cgroup v2 MemoryQoS support to KubeletConfiguration for memory.min protection. (kubernetes/kubernetes#137584, @​QiWang19) [SIG Node and Storage]
• Added spec.stubPKCS10Request to the Pod Certificates beta API to improve compatibility with existing certificate authority implementations that expect a PKCS#10 certificate signing request. spec.pkixPublicKey and spec.proofOfPossession were deprecated in favor of this field. (kubernetes/kubernetes#136729, @​ahmedtd) [SIG API Machinery, Auth, Node and Testing]
• Added a deletion protection mechanism for PodGroup objects. (kubernetes/kubernetes#137641, @​helayoty) [SIG API Machinery, Apps, Auth, Scheduling and Storage]
• Added alpha support (behind the PersistentVolumeClaimUnusedSinceTime feature gate) for tracking PersistentVolumeClaim unused status via a new Unused condition on PersistentVolumeClaimStatus. When enabled, the PVC protection controller sets Unused=True with a lastTransitionTime when no non-terminal Pods reference the PersistentVolumeClaim. (kubernetes/kubernetes#137862, @​gnufied) [SIG Apps, Auth, Storage and Testing]
• Added alpha support for manifest-based admission control configuration (KEP-5793). When the ManifestBasedAdmissionControlConfig feature gate is enabled, admission webhooks and CEL-based policies can be loaded from static manifest files on disk via the staticManifestsDir field in AdmissionConfiguration. These policies are active from API server startup, survive etcd unavailability, and can protect API-based admission resources from modification. (kubernetes/kubernetes#137346, @​aramase) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage, Testing and Windows]
• Added an admission plugin that validates PodGroup resources reference an existing Workload and match the declared PodGroupTemplate spec. (kubernetes/kubernetes#137464, @​helayoty) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
• Added list-type support for attributes in DRA (KEP-5491). The DRAListTypeAttributes feature gate (disabled by default) activates the following enhancements:
  • DRA drivers can use list-type fields (bools/ints/strings/versions) for device attributes in ResourceSlice. The number of attribute values, including scalars and lists, per single device is limited to 48.

... (truncated)

Commits

• a05fe9e Merge pull request #2599 from yliaog/automated-release-of-36.0.1-upstream-rel...
• 33827fa updated compatibility matrix and maintenance status
• 8836c4c generated client change
• 6d26b4d update version constants for 36.0.1 release
• fbd5882 update changelog with release notes from master branch
• aa03876 generated client change
• 449e548 generated client change
• 049a490 generated client change
• 5c4e530 generated client change
• fe0ddbc generated client change
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)