Merge pull request #132269 from dims/update-to-latest-github.com/modern-go/reflect2

Update to latest github.com/modern-go/reflect2 Kubernetes-commit: d55b119d34883bbad2a3436dcb6c62339d963031
Update to latest github.com/modern-go/reflect2
2025-06-12 20:48:08 +00:00 · 2025-06-12 11:20:39 -04:00 · 2025-06-12 00:37:31 +00:00 · 2025-06-11 16:46:03 -04:00 · 2025-06-10 20:39:56 +00:00 · 2025-06-10 10:50:54 -04:00
33 changed files with 818 additions and 204 deletions
--- a/config/v1/doc.go
+++ b/config/v1/doc.go
@ -18,4 +18,4 @@ limitations under the License.
 // +k8s:openapi-gen=true
 // +groupName=kubelet.config.k8s.io

-package v1 // import "k8s.io/kubelet/config/v1"
+package v1
--- a/config/v1/types.go
+++ b/config/v1/types.go
@ -32,7 +32,7 @@ type CredentialProviderConfig struct {
 	// Multiple providers may match against a single image, in which case credentials
 	// from all providers will be returned to the kubelet. If multiple providers are called
 	// for a single image, the results are combined. If providers return overlapping
-	// auth keys, the value from the provider earlier in this list is used.
+	// auth keys, the value from the provider earlier in this list is attempted first.
 	Providers []CredentialProvider `json:"providers"`
 }

@ -42,6 +42,7 @@ type CredentialProvider struct {
 	// name is the required name of the credential provider. It must match the name of the
 	// provider executable as seen by the kubelet. The executable must be in the kubelet's
 	// bin directory (set by the --image-credential-provider-bin-dir flag).
+	// Required to be unique across all providers.
 	Name string `json:"name"`

 	// matchImages is a required list of strings used to match against images in order to
@ -87,6 +88,69 @@ type CredentialProvider struct {
 	// to pass argument to the plugin.
 	// +optional
 	Env []ExecEnvVar `json:"env,omitempty"`
+
+	// tokenAttributes is the configuration for the service account token that will be passed to the plugin.
+	// The credential provider opts in to using service account tokens for image pull by setting this field.
+	// When this field is set, kubelet will generate a service account token bound to the pod for which the
+	// image is being pulled and pass to the plugin as part of CredentialProviderRequest along with other
+	// attributes required by the plugin.
+	//
+	// The service account metadata and token attributes will be used as a dimension to cache
+	// the credentials in kubelet. The cache key is generated by combining the service account metadata
+	// (namespace, name, UID, and annotations key+value for the keys defined in
+	// serviceAccountTokenAttribute.requiredServiceAccountAnnotationKeys and serviceAccountTokenAttribute.optionalServiceAccountAnnotationKeys).
+	// The pod metadata (namespace, name, UID) that are in the service account token are not used as a dimension
+	// to cache the credentials in kubelet. This means workloads that are using the same service account
+	// could end up using the same credentials for image pull. For plugins that don't want this behavior, or
+	// plugins that operate in pass-through mode; i.e., they return the service account token as-is, they
+	// can set the credentialProviderResponse.cacheDuration to 0. This will disable the caching of
+	// credentials in kubelet and the plugin will be invoked for every image pull. This does result in
+	// token generation overhead for every image pull, but it is the only way to ensure that the
+	// credentials are not shared across pods (even if they are using the same service account).
+	// +optional
+	TokenAttributes *ServiceAccountTokenAttributes `json:"tokenAttributes,omitempty"`
+}
+
+// ServiceAccountTokenAttributes is the configuration for the service account token that will be passed to the plugin.
+type ServiceAccountTokenAttributes struct {
+	// serviceAccountTokenAudience is the intended audience for the projected service account token.
+	// +required
+	ServiceAccountTokenAudience string `json:"serviceAccountTokenAudience"`
+
+	// requireServiceAccount indicates whether the plugin requires the pod to have a service account.
+	// If set to true, kubelet will only invoke the plugin if the pod has a service account.
+	// If set to false, kubelet will invoke the plugin even if the pod does not have a service account
+	// and will not include a token in the CredentialProviderRequest in that scenario. This is useful for plugins that
+	// are used to pull images for pods without service accounts (e.g., static pods).
+	// +required
+	RequireServiceAccount *bool `json:"requireServiceAccount"`
+
+	// requiredServiceAccountAnnotationKeys is the list of annotation keys that the plugin is interested in
+	// and that are required to be present in the service account.
+	// The keys defined in this list will be extracted from the corresponding service account and passed
+	// to the plugin as part of the CredentialProviderRequest. If any of the keys defined in this list
+	// are not present in the service account, kubelet will not invoke the plugin and will return an error.
+	// This field is optional and may be empty. Plugins may use this field to extract
+	// additional information required to fetch credentials or allow workloads to opt in to
+	// using service account tokens for image pull.
+	// If non-empty, requireServiceAccount must be set to true.
+	// Keys in this list must be unique.
+	// This list needs to be mutually exclusive with optionalServiceAccountAnnotationKeys.
+	// +optional
+	// +listType=set
+	RequiredServiceAccountAnnotationKeys []string `json:"requiredServiceAccountAnnotationKeys,omitempty"`
+
+	// optionalServiceAccountAnnotationKeys is the list of annotation keys that the plugin is interested in
+	// and that are optional to be present in the service account.
+	// The keys defined in this list will be extracted from the corresponding service account and passed
+	// to the plugin as part of the CredentialProviderRequest. The plugin is responsible for validating
+	// the existence of annotations and their values.
+	// This field is optional and may be empty. Plugins may use this field to extract
+	// additional information required to fetch credentials.
+	// Keys in this list must be unique.
+	// +optional
+	// +listType=set
+	OptionalServiceAccountAnnotationKeys []string `json:"optionalServiceAccountAnnotationKeys,omitempty"`
 }

 // ExecEnvVar is used for setting environment variables when executing an exec-based
--- a/config/v1/zz_generated.deepcopy.go
+++ b/config/v1/zz_generated.deepcopy.go
@ -49,6 +49,11 @@ func (in *CredentialProvider) DeepCopyInto(out *CredentialProvider) {
 		*out = make([]ExecEnvVar, len(*in))
 		copy(*out, *in)
 	}
+	if in.TokenAttributes != nil {
+		in, out := &in.TokenAttributes, &out.TokenAttributes
+		*out = new(ServiceAccountTokenAttributes)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }

@ -109,3 +114,34 @@ func (in *ExecEnvVar) DeepCopy() *ExecEnvVar {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountTokenAttributes) DeepCopyInto(out *ServiceAccountTokenAttributes) {
+	*out = *in
+	if in.RequireServiceAccount != nil {
+		in, out := &in.RequireServiceAccount, &out.RequireServiceAccount
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequiredServiceAccountAnnotationKeys != nil {
+		in, out := &in.RequiredServiceAccountAnnotationKeys, &out.RequiredServiceAccountAnnotationKeys
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.OptionalServiceAccountAnnotationKeys != nil {
+		in, out := &in.OptionalServiceAccountAnnotationKeys, &out.OptionalServiceAccountAnnotationKeys
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountTokenAttributes.
+func (in *ServiceAccountTokenAttributes) DeepCopy() *ServiceAccountTokenAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceAccountTokenAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/config/v1alpha1/doc.go
+++ b/config/v1alpha1/doc.go
@ -18,4 +18,4 @@ limitations under the License.
 // +k8s:openapi-gen=true
 // +groupName=kubelet.config.k8s.io

-package v1alpha1 // import "k8s.io/kubelet/config/v1alpha1"
+package v1alpha1
--- a/config/v1alpha1/register.go
+++ b/config/v1alpha1/register.go
@ -38,6 +38,8 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&CredentialProviderConfig{},
+		&ImagePullIntent{},
+		&ImagePulledRecord{},
 	)
 	return nil
 }
--- a/config/v1alpha1/types.go
+++ b/config/v1alpha1/types.go
@ -32,7 +32,7 @@ type CredentialProviderConfig struct {
 	// Multiple providers may match against a single image, in which case credentials
 	// from all providers will be returned to the kubelet. If multiple providers are called
 	// for a single image, the results are combined. If providers return overlapping
-	// auth keys, the value from the provider earlier in this list is used.
+	// auth keys, the value from the provider earlier in this list is attempted first.
 	Providers []CredentialProvider `json:"providers"`
 }

@ -42,6 +42,7 @@ type CredentialProvider struct {
 	// name is the required name of the credential provider. It must match the name of the
 	// provider executable as seen by the kubelet. The executable must be in the kubelet's
 	// bin directory (set by the --image-credential-provider-bin-dir flag).
+	// Required to be unique across all providers.
 	Name string `json:"name"`

 	// matchImages is a required list of strings used to match against images in order to
@ -95,3 +96,75 @@ type ExecEnvVar struct {
 	Name  string `json:"name"`
 	Value string `json:"value"`
 }
+
+// ImagePullIntent is a record of the kubelet attempting to pull an image.
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ImagePullIntent struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Image is the image spec from a Container's `image` field.
+	// The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe
+	// characters like ':' and '/'.
+	Image string `json:"image"`
+}
+
+// ImagePullRecord is a record of an image that was pulled by the kubelet.
+//
+// If there are no records in the `kubernetesSecrets` field and both `nodeWideCredentials`
+// and `anonymous` are `false`, credentials must be re-checked the next time an
+// image represented by this record is being requested.
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ImagePulledRecord struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// LastUpdatedTime is the time of the last update to this record
+	LastUpdatedTime metav1.Time `json:"lastUpdatedTime"`
+
+	// ImageRef is a reference to the image represented by this file as received
+	// from the CRI.
+	// The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe
+	// characters like ':' and '/'.
+	ImageRef string `json:"imageRef"`
+
+	// CredentialMapping maps `image` to the set of credentials that it was
+	// previously pulled with.
+	// `image` in this case is the content of a pod's container `image` field that's
+	// got its tag/digest removed.
+	//
+	// Example:
+	//   Container requests the `hello-world:latest@sha256:91fb4b041da273d5a3273b6d587d62d518300a6ad268b28628f74997b93171b2` image:
+	//     "credentialMapping": {
+	//       "hello-world": { "nodePodsAccessible": true }
+	//     }
+	CredentialMapping map[string]ImagePullCredentials `json:"credentialMapping,omitempty"`
+}
+
+// ImagePullCredentials describe credentials that can be used to pull an image.
+type ImagePullCredentials struct {
+	// KuberneteSecretCoordinates is an index of coordinates of all the kubernetes
+	// secrets that were used to pull the image.
+	// +optional
+	// +listType=set
+	KubernetesSecrets []ImagePullSecret `json:"kubernetesSecrets"`
+
+	// NodePodsAccessible is a flag denoting the pull credentials are accessible
+	// by all the pods on the node, or that no credentials are needed for the pull.
+	//
+	// If true, it is mutually exclusive with the `kubernetesSecrets` field.
+	// +optional
+	NodePodsAccessible bool `json:"nodePodsAccessible,omitempty"`
+}
+
+// ImagePullSecret is a representation of a Kubernetes secret object coordinates along
+// with a credential hash of the pull secret credentials this object contains.
+type ImagePullSecret struct {
+	UID       string `json:"uid"`
+	Namespace string `json:"namespace"`
+	Name      string `json:"name"`
+
+	// CredentialHash is a SHA-256 retrieved by hashing the image pull credentials
+	// content of the secret specified by the UID/Namespace/Name coordinates.
+	CredentialHash string `json:"credentialHash"`
+}
--- a/config/v1alpha1/zz_generated.deepcopy.go
+++ b/config/v1alpha1/zz_generated.deepcopy.go
@ -109,3 +109,98 @@ func (in *ExecEnvVar) DeepCopy() *ExecEnvVar {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePullCredentials) DeepCopyInto(out *ImagePullCredentials) {
+	*out = *in
+	if in.KubernetesSecrets != nil {
+		in, out := &in.KubernetesSecrets, &out.KubernetesSecrets
+		*out = make([]ImagePullSecret, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePullCredentials.
+func (in *ImagePullCredentials) DeepCopy() *ImagePullCredentials {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePullCredentials)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePullIntent) DeepCopyInto(out *ImagePullIntent) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePullIntent.
+func (in *ImagePullIntent) DeepCopy() *ImagePullIntent {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePullIntent)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImagePullIntent) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePullSecret) DeepCopyInto(out *ImagePullSecret) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePullSecret.
+func (in *ImagePullSecret) DeepCopy() *ImagePullSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePullSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePulledRecord) DeepCopyInto(out *ImagePulledRecord) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.LastUpdatedTime.DeepCopyInto(&out.LastUpdatedTime)
+	if in.CredentialMapping != nil {
+		in, out := &in.CredentialMapping, &out.CredentialMapping
+		*out = make(map[string]ImagePullCredentials, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePulledRecord.
+func (in *ImagePulledRecord) DeepCopy() *ImagePulledRecord {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePulledRecord)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImagePulledRecord) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
--- a/config/v1beta1/doc.go
+++ b/config/v1beta1/doc.go
@ -18,4 +18,4 @@ limitations under the License.
 // +k8s:openapi-gen=true
 // +groupName=kubelet.config.k8s.io

-package v1beta1 // import "k8s.io/kubelet/config/v1beta1"
+package v1beta1
--- a/config/v1beta1/types.go
+++ b/config/v1beta1/types.go
@ -83,6 +83,25 @@ const (
 	StaticMemoryManagerPolicy = "Static"
 )

+// ImagePullCredentialsVerificationPolicy is an enum for the policy that is enforced
+// when pod is requesting an image that appears on the system
+type ImagePullCredentialsVerificationPolicy string
+
+const (
+	// NeverVerify will never require credential verification for images that
+	// already exist on the node
+	NeverVerify ImagePullCredentialsVerificationPolicy = "NeverVerify"
+	// NeverVerifyPreloadedImages does not require credential verification for images
+	// pulled outside the kubelet process
+	NeverVerifyPreloadedImages ImagePullCredentialsVerificationPolicy = "NeverVerifyPreloadedImages"
+	// NeverVerifyAllowlistedImages does not require credential verification for
+	// a list of images that were pulled outside the kubelet process
+	NeverVerifyAllowlistedImages ImagePullCredentialsVerificationPolicy = "NeverVerifyAllowlistedImages"
+	// AlwaysVerify requires credential verification for accessing any image on the
+	// node irregardless how it was pulled
+	AlwaysVerify ImagePullCredentialsVerificationPolicy = "AlwaysVerify"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

 // KubeletConfiguration contains the configuration for the Kubelet
@ -210,6 +229,28 @@ type KubeletConfiguration struct {
 	// Default: 10
 	// +optional
 	RegistryBurst int32 `json:"registryBurst,omitempty"`
+	// imagePullCredentialsVerificationPolicy determines how credentials should be
+	// verified when pod requests an image that is already present on the node:
+	//   - NeverVerify
+	//       - anyone on a node can use any image present on the node
+	//   - NeverVerifyPreloadedImages
+	//       - images that were pulled to the node by something else than the kubelet
+	//         can be used without reverifying pull credentials
+	//   - NeverVerifyAllowlistedImages
+	//       - like "NeverVerifyPreloadedImages" but only node images from
+	//         `preloadedImagesVerificationAllowlist` don't require reverification
+	//   - AlwaysVerify
+	//       - all images require credential reverification
+	// +optional
+	ImagePullCredentialsVerificationPolicy ImagePullCredentialsVerificationPolicy `json:"imagePullCredentialsVerificationPolicy,omitempty"`
+	// preloadedImagesVerificationAllowlist specifies a list of images that are
+	// exempted from credential reverification for the "NeverVerifyAllowlistedImages"
+	// `imagePullCredentialsVerificationPolicy`.
+	// The list accepts a full path segment wildcard suffix "/*".
+	// Only use image specs without an image tag or digest.
+	// +optional
+	// +listType=set
+	PreloadedImagesVerificationAllowlist []string `json:"preloadedImagesVerificationAllowlist,omitempty"`
 	// eventRecordQPS is the maximum event creations per second. If 0, there
 	// is no limit enforced. The value cannot be a negative number.
 	// Default: 50
@ -350,7 +391,6 @@ type KubeletConfiguration struct {
 	// +optional
 	CgroupDriver string `json:"cgroupDriver,omitempty"`
 	// cpuManagerPolicy is the name of the policy to use.
-	// Requires the CPUManager feature gate to be enabled.
 	// Default: "None"
 	// +optional
 	CPUManagerPolicy string `json:"cpuManagerPolicy,omitempty"`
@ -365,12 +405,10 @@ type KubeletConfiguration struct {
 	SingleProcessOOMKill *bool `json:"singleProcessOOMKill,omitempty"`
 	// cpuManagerPolicyOptions is a set of key=value which 	allows to set extra options
 	// to fine tune the behaviour of the cpu manager policies.
-	// Requires  both the "CPUManager" and "CPUManagerPolicyOptions" feature gates to be enabled.
 	// Default: nil
 	// +optional
 	CPUManagerPolicyOptions map[string]string `json:"cpuManagerPolicyOptions,omitempty"`
 	// cpuManagerReconcilePeriod is the reconciliation period for the CPU Manager.
-	// Requires the CPUManager feature gate to be enabled.
 	// Default: "10s"
 	// +optional
 	CPUManagerReconcilePeriod metav1.Duration `json:"cpuManagerReconcilePeriod,omitempty"`
@ -530,6 +568,7 @@ type KubeletConfiguration struct {
 	EvictionSoftGracePeriod map[string]string `json:"evictionSoftGracePeriod,omitempty"`
 	// evictionPressureTransitionPeriod is the duration for which the kubelet has to wait
 	// before transitioning out of an eviction pressure condition.
+	// A duration of 0s will be converted to the default value of 5m
 	// Default: "5m"
 	// +optional
 	EvictionPressureTransitionPeriod metav1.Duration `json:"evictionPressureTransitionPeriod,omitempty"`
@ -546,6 +585,16 @@ type KubeletConfiguration struct {
 	// Default: nil
 	// +optional
 	EvictionMinimumReclaim map[string]string `json:"evictionMinimumReclaim,omitempty"`
+	// mergeDefaultEvictionSettings indicates that defaults for the evictionHard, evictionSoft, evictionSoftGracePeriod, and evictionMinimumReclaim
+	// fields should be merged into values specified for those fields in this configuration.
+	// Signals specified in this configuration take precedence.
+	// Signals not specified in this configuration inherit their defaults.
+	// If false, and if any signal is specified in this configuration then other signals that
+	// are not specified in this configuration will be set to 0.
+	// It applies to merging the fields for which the default exists, and currently only evictionHard has default values.
+	// Default: false
+	// +optional
+	MergeDefaultEvictionSettings *bool `json:"mergeDefaultEvictionSettings,omitempty"`
 	// podsPerCore is the maximum number of pods per core. Cannot exceed maxPods.
 	// The value must be a non-negative integer.
 	// If 0, there is no limit on the number of Pods.
@ -726,6 +775,8 @@ type KubeletConfiguration struct {
 	EnableSystemLogHandler *bool `json:"enableSystemLogHandler,omitempty"`
 	// enableSystemLogQuery enables the node log query feature on the /logs endpoint.
 	// EnableSystemLogHandler has to be enabled in addition for this feature to work.
+	// Enabling this feature has security implications. The recommendation is to enable it on a need basis for debugging
+	// purposes and disabling otherwise.
 	// Default: false
 	// +featureGate=NodeLogQuery
 	// +optional
@ -870,6 +921,11 @@ type KubeletConfiguration struct {
 	// Default: false
 	// +optional
 	FailCgroupV1 *bool `json:"failCgroupV1,omitempty"`
+
+	// UserNamespaces contains User Namespace configurations.
+	// +featureGate=UserNamespacesSupport
+	// +optional
+	UserNamespaces *UserNamespaces `json:"userNamespaces,omitempty"`
 }

 type KubeletAuthorizationMode string
@ -1001,7 +1057,7 @@ type CredentialProviderConfig struct {
 	// Multiple providers may match against a single image, in which case credentials
 	// from all providers will be returned to the kubelet. If multiple providers are called
 	// for a single image, the results are combined. If providers return overlapping
-	// auth keys, the value from the provider earlier in this list is used.
+	// auth keys, the value from the provider earlier in this list is attempted first.
 	Providers []CredentialProvider `json:"providers"`
 }

@ -1011,6 +1067,7 @@ type CredentialProvider struct {
 	// name is the required name of the credential provider. It must match the name of the
 	// provider executable as seen by the kubelet. The executable must be in the kubelet's
 	// bin directory (set by the --image-credential-provider-bin-dir flag).
+	// Required to be unique across all providers.
 	Name string `json:"name"`

 	// matchImages is a required list of strings used to match against images in order to
@ -1064,3 +1121,17 @@ type ExecEnvVar struct {
 	Name  string `json:"name"`
 	Value string `json:"value"`
 }
+
+// UserNamespaces contains User Namespace configurations.
+type UserNamespaces struct {
+	// IDsPerPod is the mapping length of UIDs and GIDs.
+	// The length must be a multiple of 65536, and must be less than 1<<32.
+	// On non-linux such as windows, only null / absent is allowed.
+	//
+	// Changing the value may require recreating all containers on the node.
+	//
+	// Default: 65536
+	// +featureGate=UserNamespacesSupport
+	// +optional
+	IDsPerPod *int64 `json:"idsPerPod,omitempty"`
+}
--- a/config/v1beta1/zz_generated.deepcopy.go
+++ b/config/v1beta1/zz_generated.deepcopy.go
@ -229,6 +229,11 @@ func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) {
 		*out = new(int32)
 		**out = **in
 	}
+	if in.PreloadedImagesVerificationAllowlist != nil {
+		in, out := &in.PreloadedImagesVerificationAllowlist, &out.PreloadedImagesVerificationAllowlist
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.EventRecordQPS != nil {
 		in, out := &in.EventRecordQPS, &out.EventRecordQPS
 		*out = new(int32)
@ -372,6 +377,11 @@ func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) {
 			(*out)[key] = val
 		}
 	}
+	if in.MergeDefaultEvictionSettings != nil {
+		in, out := &in.MergeDefaultEvictionSettings, &out.MergeDefaultEvictionSettings
+		*out = new(bool)
+		**out = **in
+	}
 	if in.EnableControllerAttachDetach != nil {
 		in, out := &in.EnableControllerAttachDetach, &out.EnableControllerAttachDetach
 		*out = new(bool)
@ -517,6 +527,11 @@ func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.UserNamespaces != nil {
+		in, out := &in.UserNamespaces, &out.UserNamespaces
+		*out = new(UserNamespaces)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }

@ -674,3 +689,24 @@ func (in *ShutdownGracePeriodByPodPriority) DeepCopy() *ShutdownGracePeriodByPod
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserNamespaces) DeepCopyInto(out *UserNamespaces) {
+	*out = *in
+	if in.IDsPerPod != nil {
+		in, out := &in.IDsPerPod, &out.IDsPerPod
+		*out = new(int64)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserNamespaces.
+func (in *UserNamespaces) DeepCopy() *UserNamespaces {
+	if in == nil {
+		return nil
+	}
+	out := new(UserNamespaces)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/doc.go
+++ b/doc.go
@ -14,4 +14,4 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package kubelet // import "k8s.io/kubelet"
+package kubelet
--- a/go.mod
+++ b/go.mod
@ -2,64 +2,64 @@

 module k8s.io/kubelet

-go 1.23.0
+go 1.24.0

-godebug default=go1.23
+godebug default=go1.24

 require (
 	github.com/emicklei/go-restful/v3 v3.11.0
 	github.com/gogo/protobuf v1.3.2
-	github.com/stretchr/testify v1.9.0
-	google.golang.org/grpc v1.65.0
-	k8s.io/api v0.0.0-20241108114318-6cc44b8953ae
-	k8s.io/apimachinery v0.0.0-20241108022104-96b97de8d6ba
-	k8s.io/apiserver v0.0.0-20241108130139-3423727e46ef
-	k8s.io/client-go v0.0.0-20241108175443-37045084c2aa
-	k8s.io/component-base v0.0.0-20241108211412-55c45bc78189
-	k8s.io/cri-api v0.0.0-20241107034520-f9fb3fa09445
+	github.com/stretchr/testify v1.10.0
+	go.uber.org/goleak v1.3.0
+	google.golang.org/grpc v1.72.1
+	k8s.io/api v0.0.0-20250612195650-7efafe3627c8
+	k8s.io/apimachinery v0.0.0-20250612195403-e0270fe44c97
+	k8s.io/apiserver v0.0.0-20250612202325-89f1e0c9f7d8
+	k8s.io/client-go v0.0.0-20250612200049-4e82e684120e
+	k8s.io/component-base v0.0.0-20250612201519-d0c00e6471f7
+	k8s.io/cri-api v0.0.0-20250527182550-7d025a3cd8e3
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 )

 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kr/text v0.2.0 // indirect
 	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/cobra v1.8.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
-	golang.org/x/net v0.30.0 // indirect
-	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/term v0.25.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 // indirect
-	google.golang.org/protobuf v1.35.1 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -6,44 +6,38 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
+github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
-github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
-github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
+github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@ -52,10 +46,14 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
@ -63,46 +61,56 @@ github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVO
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
-github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
-github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
-github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@ -112,42 +120,40 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
-golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 h1:2035KHhUv+EpyB+hWgJnaWKJOdX1E95w2S8Rr4uWKTs=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
-google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
-google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
+google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@ -157,27 +163,30 @@ gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.0.0-20241108114318-6cc44b8953ae h1:XX7vEVBchw0xx4YJZ6OyPxOq3e5hX2PTZ5wu8dw0vco=
-k8s.io/api v0.0.0-20241108114318-6cc44b8953ae/go.mod h1:jw6pQTESH9mdZL2vOK3twojvpPxipl5TpLZpPyl5ZYU=
-k8s.io/apimachinery v0.0.0-20241108022104-96b97de8d6ba h1:ghB5Iygt6Ge8UyIwW7C1kJx4kP7AUTCL9Qg6GCsUUOY=
-k8s.io/apimachinery v0.0.0-20241108022104-96b97de8d6ba/go.mod h1:HqhdaJUgQqky29T1V0o2yFkt/pZqLFIDyn9Zi/8rxoY=
-k8s.io/apiserver v0.0.0-20241108130139-3423727e46ef h1:UW3dV3TMUzXorcaKhgq1jhq+aLv1ji2T2410tn34hEc=
-k8s.io/apiserver v0.0.0-20241108130139-3423727e46ef/go.mod h1:hCAQocw78k5SHhJB9536jyiiaHDidMVbRjRipU0ywuw=
-k8s.io/client-go v0.0.0-20241108175443-37045084c2aa h1:iY+s3vejL9yeoJGLOjh314JZtg76ZOjiIETKAnlTUfs=
-k8s.io/client-go v0.0.0-20241108175443-37045084c2aa/go.mod h1:DojZKPG2ohOKreFao9yo2wFG1IL9OXebT+Q9ytnREY8=
-k8s.io/component-base v0.0.0-20241108211412-55c45bc78189 h1:RnPIwV9hWuBPXAn69ozUt99OuP/KDuJTIoxYlaJRt4Q=
-k8s.io/component-base v0.0.0-20241108211412-55c45bc78189/go.mod h1:MPazwHX0pvEjtMIsAy4TYw3vrMHUVe1sy4D1o1Xbcwc=
-k8s.io/cri-api v0.0.0-20241107034520-f9fb3fa09445 h1:viGJ8xNMuoQl10Bto+w2IJieDd3pPZKQIQ98PgbwXog=
-k8s.io/cri-api v0.0.0-20241107034520-f9fb3fa09445/go.mod h1:5WOp91NVV2mzTQRp732avavhFFItsWsQy8jO7DPv8d8=
+k8s.io/api v0.0.0-20250612195650-7efafe3627c8 h1:K1AnJQBQTKLy2C/up2YSFuuQ+OBucYGcDCBO2cafjlQ=
+k8s.io/api v0.0.0-20250612195650-7efafe3627c8/go.mod h1:+9QbMyXTXctHAXg3fdhJbuZgyzhYgprCn43M5NqoJzw=
+k8s.io/apimachinery v0.0.0-20250612195403-e0270fe44c97 h1:h2og30eGCCk1GOEZK6+LNhhlydDcWY3wJaWDIs05xR8=
+k8s.io/apimachinery v0.0.0-20250612195403-e0270fe44c97/go.mod h1:EZ7eIfFAwky7ktmG4Pu9XWxBxFG++4dxPDOM0GL3abw=
+k8s.io/apiserver v0.0.0-20250612202325-89f1e0c9f7d8 h1:ParTrAI+8gMCqiYjD9B33XZxNnODITRKi0I/rJCJmTY=
+k8s.io/apiserver v0.0.0-20250612202325-89f1e0c9f7d8/go.mod h1:h9Mz8g41T/MRlrcxnfKoj9omNrKtKvdaDRhX34SVi5A=
+k8s.io/client-go v0.0.0-20250612200049-4e82e684120e h1:xoSxEgTvcAD7YG46B6RN1yZx5KhF0YKNe4SSoY+qSQA=
+k8s.io/client-go v0.0.0-20250612200049-4e82e684120e/go.mod h1:hktzpPyrdfB1WrXOvdnDayNSrngzEwWjiwTGqq6Zjns=
+k8s.io/component-base v0.0.0-20250612201519-d0c00e6471f7 h1:PmR3IJeL8qbnqdH70lmCLxZjHFr+Cbz5v6VY6ZFlMsI=
+k8s.io/component-base v0.0.0-20250612201519-d0c00e6471f7/go.mod h1:eMJvxKozNu3AbHhH6mWUJbzNhElacCbAilLeMjxIW5k=
+k8s.io/cri-api v0.0.0-20250527182550-7d025a3cd8e3 h1:r4SV0gc6fVMJPOUEhuyAt8FG1RD4iSzEQQtuztQDA9o=
+k8s.io/cri-api v0.0.0-20250527182550-7d025a3cd8e3/go.mod h1:+Caj3ZVbxtl8aq+J8bhiQCeDcYPYBFE1IFInuxO3fLk=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
-k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
-k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
+k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
+k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
--- a/pkg/apis/credentialprovider/doc.go
+++ b/pkg/apis/credentialprovider/doc.go
@ -17,4 +17,4 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +groupName=credentialprovider.kubelet.k8s.io

-package credentialprovider // import "k8s.io/kubelet/pkg/apis/credentialprovider"
+package credentialprovider
--- a/pkg/apis/credentialprovider/types.go
+++ b/pkg/apis/credentialprovider/types.go
@ -32,6 +32,17 @@ type CredentialProviderRequest struct {
 	// credential provider plugin request. Plugins may optionally parse the image
 	// to extract any information required to fetch credentials.
 	Image string
+
+	// serviceAccountToken is the service account token bound to the pod for which
+	// the image is being pulled. This token is only sent to the plugin if the
+	// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential provider configuration.
+	ServiceAccountToken string
+
+	// serviceAccountAnnotations is a map of annotations on the service account bound to the
+	// pod for which the image is being pulled. The list of annotations in the service account
+	// that need to be passed to the plugin is configured in the kubelet's credential provider
+	// configuration.
+	ServiceAccountAnnotations map[string]string
 }

 type PluginCacheKeyType string
--- a/pkg/apis/credentialprovider/v1/doc.go
+++ b/pkg/apis/credentialprovider/v1/doc.go
@ -19,4 +19,4 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=credentialprovider.kubelet.k8s.io

-package v1 // import "k8s.io/kubelet/pkg/apis/credentialprovider/v1"
+package v1
--- a/pkg/apis/credentialprovider/v1/types.go
+++ b/pkg/apis/credentialprovider/v1/types.go
@ -32,6 +32,18 @@ type CredentialProviderRequest struct {
 	// credential provider plugin request. Plugins may optionally parse the image
 	// to extract any information required to fetch credentials.
 	Image string `json:"image"`
+
+	// serviceAccountToken is the service account token bound to the pod for which
+	// the image is being pulled. This token is only sent to the plugin if the
+	// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential
+	// provider configuration.
+	ServiceAccountToken string `json:"serviceAccountToken,omitempty" datapolicy:"token"`
+
+	// serviceAccountAnnotations is a map of annotations on the service account bound to the
+	// pod for which the image is being pulled. The list of annotations in the service account
+	// that need to be passed to the plugin is configured in the kubelet's credential provider
+	// configuration.
+	ServiceAccountAnnotations map[string]string `json:"serviceAccountAnnotations,omitempty"`
 }

 type PluginCacheKeyType string
--- a/pkg/apis/credentialprovider/v1/zz_generated.conversion.go
+++ b/pkg/apis/credentialprovider/v1/zz_generated.conversion.go
@ -94,6 +94,8 @@ func Convert_credentialprovider_AuthConfig_To_v1_AuthConfig(in *credentialprovid

 func autoConvert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error {
 	out.Image = in.Image
+	out.ServiceAccountToken = in.ServiceAccountToken
+	out.ServiceAccountAnnotations = *(*map[string]string)(unsafe.Pointer(&in.ServiceAccountAnnotations))
 	return nil
 }

@ -104,6 +106,8 @@ func Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProvid

 func autoConvert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 	out.Image = in.Image
+	out.ServiceAccountToken = in.ServiceAccountToken
+	out.ServiceAccountAnnotations = *(*map[string]string)(unsafe.Pointer(&in.ServiceAccountAnnotations))
 	return nil
 }

--- a/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go
@ -46,6 +46,13 @@ func (in *AuthConfig) DeepCopy() *AuthConfig {
 func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
+	if in.ServiceAccountAnnotations != nil {
+		in, out := &in.ServiceAccountAnnotations, &out.ServiceAccountAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

--- a/pkg/apis/credentialprovider/v1alpha1/conversion.go
+++ b/pkg/apis/credentialprovider/v1alpha1/conversion.go
@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/kubelet/pkg/apis/credentialprovider"
+)
+
+func Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
+	// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
+	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in, out, s)
+}
--- a/pkg/apis/credentialprovider/v1alpha1/doc.go
+++ b/pkg/apis/credentialprovider/v1alpha1/doc.go
@ -19,4 +19,4 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=credentialprovider.kubelet.k8s.io

-package v1alpha1 // import "k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1"
+package v1alpha1
--- a/pkg/apis/credentialprovider/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/credentialprovider/v1alpha1/zz_generated.conversion.go
@ -52,11 +52,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
 	}); err != nil {
@ -67,6 +62,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
+	}); err != nil {
+		return err
+	}
 	return nil
 }

@ -104,14 +104,11 @@ func Convert_v1alpha1_CredentialProviderRequest_To_credentialprovider_Credential

 func autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 	out.Image = in.Image
+	// WARNING: in.ServiceAccountToken requires manual conversion: does not exist in peer-type
+	// WARNING: in.ServiceAccountAnnotations requires manual conversion: does not exist in peer-type
 	return nil
 }

-// Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest is an autogenerated conversion function.
-func Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
-	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in, out, s)
-}
-
 func autoConvert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
 	out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
 	out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))
--- a/pkg/apis/credentialprovider/v1beta1/conversion.go
+++ b/pkg/apis/credentialprovider/v1beta1/conversion.go
@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/kubelet/pkg/apis/credentialprovider"
+)
+
+func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
+	// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
+	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s)
+}
--- a/pkg/apis/credentialprovider/v1beta1/doc.go
+++ b/pkg/apis/credentialprovider/v1beta1/doc.go
@ -19,4 +19,4 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=credentialprovider.kubelet.k8s.io

-package v1beta1 // import "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1"
+package v1beta1
--- a/pkg/apis/credentialprovider/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/credentialprovider/v1beta1/zz_generated.conversion.go
@ -52,11 +52,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
 	}); err != nil {
@ -67,6 +62,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
+	}); err != nil {
+		return err
+	}
 	return nil
 }

@ -104,14 +104,11 @@ func Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialP

 func autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 	out.Image = in.Image
+	// WARNING: in.ServiceAccountToken requires manual conversion: does not exist in peer-type
+	// WARNING: in.ServiceAccountAnnotations requires manual conversion: does not exist in peer-type
 	return nil
 }

-// Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest is an autogenerated conversion function.
-func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
-	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s)
-}
-
 func autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
 	out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
 	out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))
--- a/pkg/apis/credentialprovider/zz_generated.deepcopy.go
+++ b/pkg/apis/credentialprovider/zz_generated.deepcopy.go
@ -46,6 +46,13 @@ func (in *AuthConfig) DeepCopy() *AuthConfig {
 func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
+	if in.ServiceAccountAnnotations != nil {
+		in, out := &in.ServiceAccountAnnotations, &out.ServiceAccountAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

--- a/pkg/apis/dra/v1beta1/api.pb.go
+++ b/pkg/apis/dra/v1beta1/api.pb.go
@ -485,58 +485,59 @@ func (m *Claim) GetName() string {
 }

 func init() {
-	proto.RegisterType((*NodePrepareResourcesRequest)(nil), "v1beta1.NodePrepareResourcesRequest")
-	proto.RegisterType((*NodePrepareResourcesResponse)(nil), "v1beta1.NodePrepareResourcesResponse")
-	proto.RegisterMapType((map[string]*NodePrepareResourceResponse)(nil), "v1beta1.NodePrepareResourcesResponse.ClaimsEntry")
-	proto.RegisterType((*NodePrepareResourceResponse)(nil), "v1beta1.NodePrepareResourceResponse")
-	proto.RegisterType((*Device)(nil), "v1beta1.Device")
-	proto.RegisterType((*NodeUnprepareResourcesRequest)(nil), "v1beta1.NodeUnprepareResourcesRequest")
-	proto.RegisterType((*NodeUnprepareResourcesResponse)(nil), "v1beta1.NodeUnprepareResourcesResponse")
-	proto.RegisterMapType((map[string]*NodeUnprepareResourceResponse)(nil), "v1beta1.NodeUnprepareResourcesResponse.ClaimsEntry")
-	proto.RegisterType((*NodeUnprepareResourceResponse)(nil), "v1beta1.NodeUnprepareResourceResponse")
-	proto.RegisterType((*Claim)(nil), "v1beta1.Claim")
+	proto.RegisterType((*NodePrepareResourcesRequest)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesRequest")
+	proto.RegisterType((*NodePrepareResourcesResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse")
+	proto.RegisterMapType((map[string]*NodePrepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse.ClaimsEntry")
+	proto.RegisterType((*NodePrepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourceResponse")
+	proto.RegisterType((*Device)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.Device")
+	proto.RegisterType((*NodeUnprepareResourcesRequest)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesRequest")
+	proto.RegisterType((*NodeUnprepareResourcesResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse")
+	proto.RegisterMapType((map[string]*NodeUnprepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse.ClaimsEntry")
+	proto.RegisterType((*NodeUnprepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourceResponse")
+	proto.RegisterType((*Claim)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.Claim")
 }

 func init() { proto.RegisterFile("api.proto", fileDescriptor_00212fb1f9d3bf1c) }

 var fileDescriptor_00212fb1f9d3bf1c = []byte{
-	// 566 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x54, 0xcd, 0x6e, 0xd3, 0x40,
-	0x10, 0xce, 0x36, 0x4d, 0x82, 0x27, 0xa1, 0x54, 0xab, 0x0a, 0x85, 0xb4, 0x38, 0x91, 0x5b, 0x42,
-	0x38, 0x10, 0x2b, 0xa9, 0x40, 0x55, 0xc5, 0xa5, 0x69, 0x2a, 0x14, 0x21, 0x55, 0xd5, 0x8a, 0x5e,
-	0x38, 0x10, 0x39, 0xf6, 0x12, 0x56, 0xf9, 0x59, 0xe3, 0xb5, 0x23, 0xf5, 0xc6, 0x23, 0xf0, 0x0e,
-	0xbc, 0x4c, 0xc5, 0xa9, 0x47, 0x4e, 0x85, 0x9a, 0x17, 0x41, 0xde, 0x75, 0x42, 0x5a, 0x39, 0x49,
-	0x25, 0x6e, 0x9e, 0x6f, 0x66, 0xbe, 0x6f, 0x77, 0xbe, 0x59, 0x83, 0x66, 0xb9, 0xac, 0xee, 0x7a,
-	0xdc, 0xe7, 0x38, 0x37, 0x69, 0xf4, 0xa8, 0x6f, 0x35, 0x4a, 0x2f, 0xfb, 0xcc, 0xff, 0x1c, 0xf4,
-	0xea, 0x36, 0x1f, 0x99, 0x7d, 0xde, 0xe7, 0xa6, 0xcc, 0xf7, 0x82, 0x4f, 0x32, 0x92, 0x81, 0xfc,
-	0x52, 0x7d, 0xc6, 0x09, 0x6c, 0x9f, 0x72, 0x87, 0x9e, 0x79, 0xd4, 0xb5, 0x3c, 0x4a, 0xa8, 0xe0,
-	0x81, 0x67, 0x53, 0x41, 0xe8, 0x97, 0x80, 0x0a, 0x1f, 0x57, 0x21, 0x6b, 0x0f, 0x2d, 0x36, 0x12,
-	0x45, 0x54, 0x49, 0xd7, 0xf2, 0xcd, 0x8d, 0x7a, 0xac, 0x53, 0x3f, 0x8e, 0x60, 0x12, 0x67, 0x8d,
-	0x1f, 0x08, 0x76, 0x92, 0x79, 0x84, 0xcb, 0xc7, 0x82, 0xe2, 0xce, 0x1d, 0xa2, 0xc6, 0x8c, 0x68,
-	0x59, 0x9b, 0x52, 0x11, 0x27, 0x63, 0xdf, 0xbb, 0x98, 0x6a, 0x95, 0xba, 0x90, 0x9f, 0x83, 0xf1,
-	0x26, 0xa4, 0x07, 0xf4, 0xa2, 0x88, 0x2a, 0xa8, 0xa6, 0x91, 0xe8, 0x13, 0x1f, 0x42, 0x66, 0x62,
-	0x0d, 0x03, 0x5a, 0x5c, 0xab, 0xa0, 0x5a, 0xbe, 0xb9, 0xb7, 0x4c, 0x6a, 0xaa, 0x44, 0x54, 0xcb,
-	0xe1, 0xda, 0x01, 0x32, 0x3e, 0x26, 0xce, 0x64, 0x76, 0x95, 0x17, 0x90, 0x73, 0xe8, 0x84, 0xd9,
-	0x74, 0x7a, 0x97, 0x47, 0x33, 0x81, 0xb6, 0xc4, 0xc9, 0x34, 0x8f, 0xb7, 0x20, 0x43, 0x3d, 0x8f,
-	0x7b, 0xf2, 0x24, 0x1a, 0x51, 0x81, 0xf1, 0x1d, 0x41, 0x56, 0x55, 0xe2, 0x5d, 0x78, 0xe8, 0xa9,
-	0x51, 0x77, 0xc7, 0xd6, 0x28, 0x66, 0xd4, 0x48, 0x21, 0x06, 0x4f, 0x23, 0x0c, 0x6f, 0x83, 0xe6,
-	0x72, 0x3e, 0x94, 0x15, 0x31, 0xd3, 0x83, 0x08, 0x88, 0xb2, 0xb8, 0x0c, 0x79, 0xa5, 0xa6, 0xd2,
-	0x69, 0x99, 0x06, 0x05, 0xc9, 0x82, 0xd7, 0xb0, 0x61, 0x3b, 0xac, 0x1b, 0x17, 0x31, 0x47, 0x14,
-	0xd7, 0x23, 0x8d, 0xd6, 0x66, 0x78, 0x5d, 0x2e, 0x1c, 0xb7, 0x3b, 0xea, 0x24, 0x9d, 0xb6, 0x20,
-	0x05, 0xdb, 0x61, 0x71, 0xe4, 0x08, 0xe3, 0x2d, 0x3c, 0x8d, 0xa6, 0x70, 0x3e, 0x76, 0xff, 0x73,
-	0x37, 0xae, 0x10, 0xe8, 0x8b, 0x98, 0xe2, 0x91, 0xbe, 0xbb, 0x43, 0xb5, 0x7f, 0xcb, 0xb2, 0xc5,
-	0x8d, 0x89, 0xfb, 0x61, 0xad, 0xda, 0x8f, 0x37, 0xb7, 0xf7, 0xa3, 0xba, 0x5c, 0x2c, 0x69, 0x43,
-	0x5e, 0x2d, 0x98, 0xcd, 0xec, 0x42, 0x33, 0xe3, 0xd1, 0xbc, 0xf1, 0xef, 0x21, 0x23, 0x4f, 0x86,
-	0x77, 0x40, 0x93, 0x76, 0xbb, 0x96, 0x4d, 0xe3, 0x92, 0x7f, 0x00, 0x7e, 0x02, 0xe9, 0x80, 0x39,
-	0xca, 0xe9, 0x56, 0x2e, 0xbc, 0x2e, 0xa7, 0xcf, 0x3b, 0x6d, 0x12, 0x61, 0x18, 0xc3, 0xfa, 0x9c,
-	0xcd, 0xf2, 0xbb, 0xf9, 0x0b, 0x81, 0xd6, 0x26, 0x47, 0x67, 0xc3, 0xa0, 0xcf, 0xc6, 0x98, 0xc2,
-	0x56, 0xd2, 0x8b, 0xc2, 0x7b, 0x2b, 0x1e, 0x9c, 0xf4, 0xb4, 0xf4, 0xec, 0x5e, 0xcf, 0xd2, 0x48,
-	0xe1, 0x01, 0x3c, 0x4e, 0xb6, 0x06, 0x57, 0x57, 0x7a, 0xa7, 0xa4, 0x9e, 0xdf, 0xd3, 0x63, 0x23,
-	0xd5, 0x3a, 0xba, 0xbc, 0xd1, 0xd1, 0xcf, 0x1b, 0x3d, 0xf5, 0x35, 0xd4, 0xd1, 0x65, 0xa8, 0xa3,
-	0xab, 0x50, 0x47, 0xbf, 0x43, 0x1d, 0x7d, 0xfb, 0xa3, 0xa7, 0x3e, 0xec, 0x0e, 0x0e, 0x44, 0x9d,
-	0x71, 0x73, 0x10, 0xf4, 0xe8, 0x90, 0xfa, 0xa6, 0x3b, 0xe8, 0x9b, 0x96, 0xcb, 0x84, 0xe9, 0x78,
-	0x96, 0x19, 0x6b, 0xf4, 0xb2, 0xf2, 0x77, 0xb7, 0xff, 0x37, 0x00, 0x00, 0xff, 0xff, 0x2a, 0x02,
-	0xca, 0xce, 0x33, 0x05, 0x00, 0x00,
+	// 591 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x4d, 0x6f, 0xd3, 0x40,
+	0x10, 0xcd, 0x26, 0x6d, 0x8a, 0x27, 0x01, 0x55, 0xab, 0x0a, 0x85, 0xb4, 0x38, 0x91, 0x7b, 0x89,
+	0x40, 0xd8, 0x6a, 0x10, 0xa8, 0xe2, 0xd4, 0x38, 0xe9, 0x21, 0x07, 0x4a, 0x65, 0x51, 0x84, 0xb8,
+	0x54, 0x8e, 0xbd, 0x18, 0x2b, 0x1f, 0x6b, 0xbc, 0x76, 0xa4, 0x82, 0x90, 0x10, 0x27, 0x8e, 0xfc,
+	0x01, 0x4e, 0xfd, 0x33, 0x3d, 0xc2, 0x8d, 0x53, 0x45, 0xcd, 0x1f, 0x41, 0xde, 0xdd, 0x84, 0x50,
+	0x39, 0x10, 0x35, 0x70, 0xdb, 0x79, 0x3b, 0x33, 0xef, 0x79, 0xf6, 0x79, 0x17, 0x14, 0x3b, 0xf0,
+	0xf5, 0x20, 0xa4, 0x11, 0xc5, 0xdb, 0xfd, 0x5d, 0xa6, 0xfb, 0x54, 0xef, 0xc7, 0x3d, 0x32, 0x20,
+	0x91, 0x1e, 0xf4, 0x3d, 0xdd, 0x0e, 0x7c, 0xa6, 0xbb, 0xa1, 0xad, 0x8f, 0x77, 0x7a, 0x24, 0xb2,
+	0x77, 0xaa, 0xf7, 0x3c, 0x3f, 0x7a, 0x15, 0xf7, 0x74, 0x87, 0x0e, 0x0d, 0x8f, 0x7a, 0xd4, 0xe0,
+	0xb5, 0xbd, 0xf8, 0x25, 0x8f, 0x78, 0xc0, 0x57, 0xa2, 0xa7, 0x66, 0xc3, 0xe6, 0x01, 0x75, 0xc9,
+	0x61, 0x48, 0x02, 0x3b, 0x24, 0x16, 0x61, 0x34, 0x0e, 0x1d, 0xc2, 0x2c, 0xf2, 0x3a, 0x26, 0x2c,
+	0xc2, 0x26, 0x14, 0x9d, 0x81, 0xed, 0x0f, 0x59, 0x05, 0xd5, 0x0b, 0x8d, 0x52, 0xf3, 0x8e, 0xbe,
+	0x80, 0x06, 0xbd, 0x9d, 0x96, 0x58, 0xb2, 0x52, 0xfb, 0x90, 0x87, 0xad, 0x6c, 0x0e, 0x16, 0xd0,
+	0x11, 0x23, 0x98, 0x5c, 0x22, 0x79, 0xbc, 0x10, 0xc9, 0x9f, 0x5a, 0x0a, 0x05, 0x6c, 0x7f, 0x14,
+	0x85, 0x27, 0x13, 0x1d, 0xd5, 0xb7, 0x50, 0x9a, 0x81, 0xf1, 0x3a, 0x14, 0xfa, 0xe4, 0xa4, 0x82,
+	0xea, 0xa8, 0xa1, 0x58, 0xe9, 0x12, 0x3f, 0x83, 0xd5, 0xb1, 0x3d, 0x88, 0x49, 0x25, 0x5f, 0x47,
+	0x8d, 0x52, 0x73, 0xef, 0xaa, 0x32, 0x26, 0x2a, 0x2c, 0xd1, 0xee, 0x51, 0x7e, 0x17, 0x69, 0x6f,
+	0x32, 0xe7, 0x3c, 0x1d, 0xc1, 0x3e, 0xac, 0xb9, 0x64, 0xec, 0x3b, 0x64, 0x32, 0x83, 0xbb, 0x0b,
+	0x91, 0x77, 0x78, 0x8d, 0x35, 0xa9, 0xc5, 0x1b, 0xb0, 0x4a, 0xc2, 0x90, 0x86, 0xfc, 0x0b, 0x14,
+	0x4b, 0x04, 0xda, 0x29, 0x82, 0xa2, 0xc8, 0xc4, 0xdb, 0x70, 0x3d, 0x14, 0x47, 0x7b, 0x3c, 0xb2,
+	0x87, 0x92, 0x4d, 0xb1, 0xca, 0x12, 0x3c, 0x48, 0x31, 0xbc, 0x09, 0x4a, 0x40, 0xe9, 0x80, 0x67,
+	0xc8, 0x4e, 0xd7, 0x52, 0x20, 0xdd, 0xc5, 0x35, 0x28, 0x09, 0x36, 0xb1, 0x5d, 0xe0, 0xdb, 0x20,
+	0x20, 0x9e, 0xf0, 0x10, 0x6e, 0x38, 0xae, 0x7f, 0x2c, 0x93, 0x7c, 0x97, 0x55, 0x56, 0x52, 0x0e,
+	0x73, 0x3d, 0x39, 0xaf, 0x95, 0xdb, 0x9d, 0xae, 0x50, 0xd2, 0xed, 0x30, 0xab, 0xec, 0xb8, 0xbe,
+	0x8c, 0x5c, 0xa6, 0x39, 0x70, 0x3b, 0x9d, 0xd0, 0xd1, 0x28, 0xf8, 0x8f, 0x5e, 0xfc, 0x98, 0x07,
+	0x75, 0x1e, 0x8b, 0x3c, 0x0a, 0xef, 0x12, 0xcd, 0x93, 0x85, 0x6d, 0x30, 0xbf, 0x69, 0xa6, 0x1f,
+	0xdf, 0xfd, 0xcd, 0x8f, 0xcf, 0x7f, 0xf7, 0xa3, 0x79, 0x75, 0x21, 0x59, 0x8e, 0x7c, 0x30, 0x67,
+	0xde, 0xd3, 0x41, 0x4c, 0xcd, 0x84, 0x66, 0xcd, 0xf4, 0x14, 0x56, 0xb9, 0x6a, 0xbc, 0x05, 0x0a,
+	0xb7, 0x50, 0x60, 0x3b, 0x44, 0xa6, 0xfc, 0x02, 0xf0, 0x2d, 0x28, 0xc4, 0xbe, 0x2b, 0xdc, 0x63,
+	0xae, 0x25, 0xe7, 0xb5, 0xc2, 0x51, 0xb7, 0x63, 0xa5, 0x18, 0xc6, 0xb0, 0x32, 0x63, 0x1d, 0xbe,
+	0x6e, 0x7e, 0xcd, 0x83, 0xd2, 0xb1, 0x5a, 0x87, 0x83, 0xd8, 0xf3, 0x47, 0xf8, 0x33, 0x82, 0x8d,
+	0xac, 0xdf, 0x1b, 0xef, 0x2d, 0x71, 0x33, 0x70, 0x13, 0x55, 0x5b, 0x4b, 0xdf, 0x2d, 0x5a, 0x0e,
+	0x9f, 0x22, 0xb8, 0x99, 0x7d, 0xe0, 0xd8, 0x5c, 0xca, 0x2d, 0x42, 0x63, 0xfb, 0x1f, 0x38, 0x4e,
+	0xcb, 0x99, 0xad, 0xb3, 0x0b, 0x15, 0x7d, 0xbb, 0x50, 0x73, 0xef, 0x13, 0x15, 0x9d, 0x25, 0x2a,
+	0xfa, 0x92, 0xa8, 0xe8, 0x7b, 0xa2, 0xa2, 0x4f, 0x3f, 0xd4, 0xdc, 0x0b, 0xf9, 0x98, 0x18, 0x92,
+	0xc3, 0x08, 0xfa, 0x9e, 0x91, 0x72, 0x18, 0x6e, 0x68, 0x1b, 0x92, 0xa3, 0x57, 0xe4, 0x8f, 0xc4,
+	0xfd, 0x9f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xda, 0x25, 0x38, 0x7d, 0x85, 0x06, 0x00, 0x00,
 }

 // Reference imports to suppress errors if they are not otherwise used.
@ -571,7 +572,7 @@ func NewDRAPluginClient(cc *grpc.ClientConn) DRAPluginClient {

 func (c *dRAPluginClient) NodePrepareResources(ctx context.Context, in *NodePrepareResourcesRequest, opts ...grpc.CallOption) (*NodePrepareResourcesResponse, error) {
 	out := new(NodePrepareResourcesResponse)
-	err := c.cc.Invoke(ctx, "/v1beta1.DRAPlugin/NodePrepareResources", in, out, opts...)
+	err := c.cc.Invoke(ctx, "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodePrepareResources", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@ -580,7 +581,7 @@ func (c *dRAPluginClient) NodePrepareResources(ctx context.Context, in *NodePrep

 func (c *dRAPluginClient) NodeUnprepareResources(ctx context.Context, in *NodeUnprepareResourcesRequest, opts ...grpc.CallOption) (*NodeUnprepareResourcesResponse, error) {
 	out := new(NodeUnprepareResourcesResponse)
-	err := c.cc.Invoke(ctx, "/v1beta1.DRAPlugin/NodeUnprepareResources", in, out, opts...)
+	err := c.cc.Invoke(ctx, "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodeUnprepareResources", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@ -624,7 +625,7 @@ func _DRAPlugin_NodePrepareResources_Handler(srv interface{}, ctx context.Contex
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/v1beta1.DRAPlugin/NodePrepareResources",
+		FullMethod: "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodePrepareResources",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DRAPluginServer).NodePrepareResources(ctx, req.(*NodePrepareResourcesRequest))
@ -642,7 +643,7 @@ func _DRAPlugin_NodeUnprepareResources_Handler(srv interface{}, ctx context.Cont
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/v1beta1.DRAPlugin/NodeUnprepareResources",
+		FullMethod: "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodeUnprepareResources",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DRAPluginServer).NodeUnprepareResources(ctx, req.(*NodeUnprepareResourcesRequest))
@ -651,7 +652,7 @@ func _DRAPlugin_NodeUnprepareResources_Handler(srv interface{}, ctx context.Cont
 }

 var _DRAPlugin_serviceDesc = grpc.ServiceDesc{
-	ServiceName: "v1beta1.DRAPlugin",
+	ServiceName: "k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin",
 	HandlerType: (*DRAPluginServer)(nil),
 	Methods: []grpc.MethodDesc{
 		{
--- a/pkg/apis/dra/v1beta1/api.proto
+++ b/pkg/apis/dra/v1beta1/api.proto
@ -18,7 +18,7 @@ limitations under the License.

 syntax = "proto3";

-package v1beta1;
+package k8s.io.kubelet.pkg.apis.dra.v1beta1;
 option go_package = "k8s.io/kubelet/pkg/apis/dra/v1beta1";

 import "github.com/gogo/protobuf/gogoproto/gogo.proto";
--- a/pkg/apis/stats/v1alpha1/types.go
+++ b/pkg/apis/stats/v1alpha1/types.go
@ -46,6 +46,9 @@ type NodeStats struct {
 	// Stats pertaining to memory (RAM) resources.
 	// +optional
 	Memory *MemoryStats `json:"memory,omitempty"`
+	// Stats pertaining to IO resources.
+	// +optional
+	IO *IOStats `json:"io,omitempty"`
 	// Stats pertaining to network resources.
 	// +optional
 	Network *NetworkStats `json:"network,omitempty"`
@ -127,6 +130,9 @@ type PodStats struct {
 	// Stats pertaining to memory (RAM) resources consumed by pod cgroup (which includes all containers' resource usage and pod overhead).
 	// +optional
 	Memory *MemoryStats `json:"memory,omitempty"`
+	// Stats pertaining to IO resources consumed by pod cgroup (which includes all containers' resource usage and pod overhead).
+	// +optional
+	IO *IOStats `json:"io,omitempty"`
 	// Stats pertaining to network resources.
 	// +optional
 	Network *NetworkStats `json:"network,omitempty"`
@ -159,6 +165,9 @@ type ContainerStats struct {
 	// Stats pertaining to memory (RAM) resources.
 	// +optional
 	Memory *MemoryStats `json:"memory,omitempty"`
+	// Stats pertaining to IO resources.
+	// +optional
+	IO *IOStats `json:"io,omitempty"`
 	// Metrics for Accelerators. Each Accelerator corresponds to one element in the array.
 	Accelerators []AcceleratorStats `json:"accelerators,omitempty"`
 	// Stats pertaining to container rootfs usage of filesystem resources.
@ -225,6 +234,9 @@ type CPUStats struct {
 	// Cumulative CPU usage (sum of all cores) since object creation.
 	// +optional
 	UsageCoreNanoSeconds *uint64 `json:"usageCoreNanoSeconds,omitempty"`
+	// CPU PSI stats.
+	// +optional
+	PSI *PSIStats `json:"psi,omitempty"`
 }

 // MemoryStats contains data about memory usage.
@ -252,6 +264,39 @@ type MemoryStats struct {
 	// Cumulative number of major page faults.
 	// +optional
 	MajorPageFaults *uint64 `json:"majorPageFaults,omitempty"`
+	// Memory PSI stats.
+	// +optional
+	PSI *PSIStats `json:"psi,omitempty"`
+}
+
+// IOStats contains data about IO usage.
+type IOStats struct {
+	// The time at which these stats were updated.
+	Time metav1.Time `json:"time"`
+	// IO PSI stats.
+	// +optional
+	PSI *PSIStats `json:"psi,omitempty"`
+}
+
+// PSI statistics for an individual resource.
+type PSIStats struct {
+	// PSI data for all tasks in the cgroup.
+	Full PSIData `json:"full"`
+	// PSI data for some tasks in the cgroup.
+	Some PSIData `json:"some"`
+}
+
+// PSI data for an individual resource.
+type PSIData struct {
+	// Total time duration for tasks in the cgroup have waited due to congestion.
+	// Unit: nanoseconds.
+	Total uint64 `json:"total"`
+	// The average (in %) tasks have waited due to congestion over a 10 second window.
+	Avg10 float64 `json:"avg10"`
+	// The average (in %) tasks have waited due to congestion over a 60 second window.
+	Avg60 float64 `json:"avg60"`
+	// The average (in %) tasks have waited due to congestion over a 300 second window.
+	Avg300 float64 `json:"avg300"`
 }

 // SwapStats contains data about memory usage
--- a/pkg/cri/streaming/remotecommand/doc.go
+++ b/pkg/cri/streaming/remotecommand/doc.go
@ -15,4 +15,4 @@ limitations under the License.
 */

 // Package remotecommand contains functions related to executing commands in and attaching to pods.
-package remotecommand // import "k8s.io/kubelet/pkg/cri/streaming/remotecommand"
+package remotecommand
--- a/pkg/cri/streaming/remotecommand/httpstream.go
+++ b/pkg/cri/streaming/remotecommand/httpstream.go
@ -17,6 +17,7 @@ limitations under the License.
 package remotecommand

 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -116,7 +117,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp

 	if ctx.resizeStream != nil {
 		ctx.resizeChan = make(chan remotecommand.TerminalSize)
-		go handleResizeEvents(ctx.resizeStream, ctx.resizeChan)
+		go handleResizeEvents(req.Context(), ctx.resizeStream, ctx.resizeChan)
 	}

 	return ctx, true
@ -409,7 +410,7 @@ WaitForStreams:
 // supportsTerminalResizing returns false because v1ProtocolHandler doesn't support it.
 func (*v1ProtocolHandler) supportsTerminalResizing() bool { return false }

-func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalSize) {
+func handleResizeEvents(reqctx context.Context, stream io.Reader, channel chan<- remotecommand.TerminalSize) {
 	defer runtime.HandleCrash()
 	defer close(channel)

@ -419,7 +420,12 @@ func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalS
 		if err := decoder.Decode(&size); err != nil {
 			break
 		}
-		channel <- size
+		select {
+		case channel <- size:
+		case <-reqctx.Done():
+			// To prevent go routine leak.
+			return
+		}
 	}
 }

--- a/pkg/cri/streaming/remotecommand/httpstream_test.go
+++ b/pkg/cri/streaming/remotecommand/httpstream_test.go
@ -0,0 +1,82 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package remotecommand
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.uber.org/goleak"
+
+	"k8s.io/client-go/tools/remotecommand"
+)
+
+func TestHandleResizeEvents(t *testing.T) {
+	var testTerminalSize remotecommand.TerminalSize
+	rawTerminalSize, err := json.Marshal(&testTerminalSize)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name             string
+		resizeStreamData []byte
+		cancelContext    bool
+		readFromChannel  bool
+	}{
+		{
+			name:             "data attempted to be sent on the channel; channel not read; context canceled",
+			resizeStreamData: rawTerminalSize,
+			cancelContext:    true,
+		},
+		{
+			name:             "data attempted to be sent on the channel; channel read; context not canceled",
+			resizeStreamData: rawTerminalSize,
+			readFromChannel:  true,
+		},
+		{
+			name:          "no data attempted to be sent on the channel; context canceled",
+			cancelContext: true,
+		},
+		{
+			name: "no data attempted to be sent on the channel; context not canceled",
+		},
+	}
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			connCtx := connectionContext{
+				resizeStream: io.NopCloser(bytes.NewReader(testCase.resizeStreamData)),
+				resizeChan:   make(chan remotecommand.TerminalSize),
+			}
+
+			go handleResizeEvents(ctx, connCtx.resizeStream, connCtx.resizeChan)
+			if testCase.readFromChannel {
+				gotTerminalSize := <-connCtx.resizeChan
+				require.Equal(t, gotTerminalSize, testTerminalSize)
+			}
+			if testCase.cancelContext {
+				cancel()
+			}
+
+			goleak.VerifyNone(t)
+			cancel()
+		})
+	}
+}
--- a/pkg/cri/streaming/server_test.go
+++ b/pkg/cri/streaming/server_test.go
@ -348,7 +348,10 @@ func runRemoteCommandTest(t *testing.T, commandType string) {
 	go func() {
 		defer wg.Done()
 		exec, err := remotecommand.NewSPDYExecutor(&restclient.Config{}, "POST", reqURL)
-		require.NoError(t, err)
+		if err != nil {
+			t.Errorf("unexpected error %v", err)
+			return
+		}

 		opts := remotecommand.StreamOptions{
 			Stdin:  stdinR,
@ -356,7 +359,9 @@ func runRemoteCommandTest(t *testing.T, commandType string) {
 			Stderr: stderrW,
 			Tty:    false,
 		}
-		require.NoError(t, exec.StreamWithContext(context.Background(), opts))
+		if err = exec.StreamWithContext(context.Background(), opts); err != nil {
+			t.Errorf("unexpected error %v", err)
+		}
 	}()

 	go func() {