shahar1 opened a new pull request, #69025: URL: https://github.com/apache/airflow/pull/69025
`apache-airflow-providers-cncf-kubernetes` 10.18.0 widened the kubernetes client bound to allow 36.x (#68041). Client 36.x breaks authentication to the cluster: tasks fail with a **401 Unauthorized** once the auth token rotates, because a copied `Configuration` no longer shares the refreshed token ([kubernetes-client/python#1946](https://github.com/kubernetes-client/python/issues/1946)). This was caught while testing the google (GKE) provider, and downgrading the provider to 10.17.1 (client 35.x) is the reported workaround. This is the same 36.x `Configuration` change behind the in-cluster pickling crash (#68827). 35.x is the last known-good line, so this restores the previous `<36` cap for both `kubernetes` and `kubernetes_asyncio` until the provider auth paths are made robust to the 36.x semantics and validated against an expiring token. Full kubernetes 36.x support (cncf + google auth fixes + a token-rotation regression test) is tracked in #69023, and the cap site in `pyproject.toml` links to it. related: #69023 related: #68827 --- ##### Was generative AI tooling used to co-author this PR? - [X] Yes — Claude Code (Opus 4.8) Generated-by: Claude Code (Opus 4.8) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
