Update Helm release descheduler to v0.35.1

[renovate]

This PR contains the following updates:

Package	Update	Change
descheduler	minor	0.34.0 → 0.35.1

---

Release Notes

kubernetes-sigs/descheduler (descheduler)

v0.35.1: Descheduler v0.35.1

Compare Source

What's Changed

• fix(ci): pin helm-unittest plugin version and bump chart-testing-action by @​a7i in #​1834
• [v0.35.0] update helm chart by @​a7i in #​1835
• Automated cherry pick of #​1836: Synchronize helm clusterrole RBAC with base yaml
  #​1826: Add init containers support to Helm chart
  #​1838: Change icon URL in Chart.yaml
  #​1842: fix: resolve detected data races
  #​1847: fix(ci): upgrade codeql-action to v4 and clean up security
  #​1848: update go dependencies
  #​1844: Extend PodLifeTime with condition, exit code, owner kind, by @​a7i in #​1850

Full Changelog: kubernetes-sigs/descheduler@v0.35.0...v0.35.1

v0.35.0: Descheduler v0.35.0

Compare Source

What's Changed

• feat: enable pod protection based on storage classes by @​ricardomaraschini in #​1752
• fix: pod resource calculation to consider native sidecars by @​a7i in #​1771
• docs: fix incorrect gracePeriodSeconds default in README.md by @​petersalas in #​1773
• docs: fix README.md link to kubernetes bot commands by @​Sycrosity in #​1772
• Fix "Current requires cgo or $USER set in environment" error by @​abelfodil in #​1764
• refactor(TestPodLifeTime): remove ineffective owner references assignments by @​ingvagabund in #​1781
• refactor(TestPodLifeTime): have a pod fully created through BuildTestPod without any edits by @​ingvagabund in #​1782
• refactor(TestPodLifeTime): consolidations, simplifications and node instance for each unit test by @​ingvagabund in #​1783
• refactor(TestPodLifeTime): inline pod creation in each unit test to avoid accidental pod spec updates by @​ingvagabund in #​1784
• refactor(TestPodLifeTime): update unit test names and simplify pod creation by @​ingvagabund in #​1785
• feat(TestPodLifeTime): check only expected pods are evicted by @​ingvagabund in #​1787
• feat(PodLifeTime): document the plugin with details that can be used for reasoning during reviews and design discussions by @​ingvagabund in #​1789
• refactor(TestPodLifeTime): split the unit tests into smaller semantically close groups by @​ingvagabund in #​1790
• refactor(TestFindDuplicatePods): have a pod fully created through BuildTestPod without any edits by @​ingvagabund in #​1791
• refactor(TestFindDuplicatePods): reduce duplicates and inline by @​ingvagabund in #​1792
• refactor(TestRemoveDuplicates): reduce test code duplication by @​ingvagabund in #​1793
• refactor(TestRemovePodsHavingTooManyRestarts): inline object creation by @​ingvagabund in #​1794
• refactor(TestPodAntiAffinity): inline object creation by @​ingvagabund in #​1795
• refactor(TestRemovePodsViolatingNodeAffinity): inline object creation by @​ingvagabund in #​1796
• refactor(TestDeletePodsViolatingNodeTaints): inline object creation by @​ingvagabund in #​1797
• doc: introduce contributing guidelines specific to the project by @​ingvagabund in #​1798
• refactor(TestDefaultEvictor): de-dup code and use helpers by @​ingvagabund in #​1803
• refactor(plugins): simplify the way pods are created by @​ingvagabund in #​1804
• fix(TestReadyNodesWithNodeSelector): make sure nodeLister.List always returns a non-empty list so the lister is always tested by @​ingvagabund in #​1800
• refactor(pkg/framework/profile): dedup unit test code by @​ingvagabund in #​1806
• doc(Design Decisions FAQ): Why doesn't the framework provide helpers for registering and retrieving indexers for plugins by @​ingvagabund in #​1807
• feat(profile): inject a plugin instance ID to each built plugin by @​ingvagabund in #​1808
• feat: register a node indexer for the global node selector instead of listing nodes with the selector by @​ingvagabund in #​1802
• chore(pkg/descheduler): make TestPodEvictorReset table driven by @​ingvagabund in #​1810
• refactor(pkg/operator): replace informerResource with a kubeClientSandbox by @​ingvagabund in #​1811
• refactor(pkg/descheduler): more handlers and dropping unused code by @​ingvagabund in #​1813
• refactor(pkg/descheduler): create fake shared informer factory only once by @​ingvagabund in #​1812
• fix(kubeClientSandbox): do not wait for pods in the fake indexers if they are already deleted by @​ingvagabund in #​1814
• test(pkg/descheduler): test a prometheus client update propagates to a plugin profile handle by @​ingvagabund in #​1816
• Add namespace label selector by @​W1seKappa in #​1786
• tests: Prom client testing by @​ingvagabund in #​1818
• Deduplicate descheduler initialization code so unit tests test more of the production code by @​ingvagabund in #​1819
• test(token reconciling): have tests initialize the prom client reconciling through the descheduler's bootstraping entry too by @​ingvagabund in #​1820
• refactor(promClientController): split it into two prom client controllers by @​ingvagabund in #​1821
• feat(pkg/descheduler): create profiles outside the descheduling cycle by @​ingvagabund in #​1815
• refactor: move prometheus client controller related code under a seperate file by @​ingvagabund in #​1823
• Update go dependecies to fix vulnerabilities by @​sammedsingalkar09 in #​1822
• chore: extend the list of supported Go versions by @​ingvagabund in #​1828
• bump(golangci-lint): update and migrate by @​ingvagabund in #​1829
• [v0.35.0] bump to kubernetes 1.35 deps by @​a7i in #​1827
• chore: upgrade github.com/gomarkdown/markdown to latest version by @​a7i in #​1831
• [v0.35.0] update docs and manifests by @​a7i in #​1832
• Change annotations condition to deploymentAnnotations for Deployment object annotations by @​davidandreoletti in #​1830

New Contributors

• @​petersalas made their first contribution in #​1773
• @​Sycrosity made their first contribution in #​1772
• @​abelfodil made their first contribution in #​1764
• @​W1seKappa made their first contribution in #​1786
• @​sammedsingalkar09 made their first contribution in #​1822
• @​davidandreoletti made their first contribution in #​1830

Full Changelog: kubernetes-sigs/descheduler@v0.34.0...v0.35.0

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • "after 2am and before 8am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

descheduler (helm) 0.34.0 -> 0.35.1

Risk: 🟢 Safe

The Deep Dive

Update Scope

Helm chart descheduler updating from 0.34.0 to 0.35.1 (minor + patch). This updates both the chart scaffolding and the descheduler app image from v0.34.0 to v0.35.1 — there is no kustomize image override, so the deployed container version changes. The only file modified is kubernetes/descheduler/Chart.yaml (version pin bump). Rendered Helm templates will be regenerated by CI.

Performance & Stability

• Node indexer optimization — replaces listing nodes with a global node selector by registering a node indexer, improving performance for node lookups (#1802)
• Data race fix — resolves detected data races in unit testing, improving runtime stability (#1842, cherry-picked into v0.35.1)
• Profiles created outside descheduling cycle — reduces per-cycle overhead by building profiles once rather than on every run (#1815)

Features & UX

• Storage class pod protection (#1752) — protects pods using specific storage classes from eviction. Not configured — requires podProtections.extraEnabled: [PodsWithPVC] in DefaultEvictor args. To enable, add podProtections config to DefaultEvictor plugin args in values.yaml.
• Namespace label selector (#1786) — filters pods by namespace labels in DefaultEvictor. Not configured — requires namespaceLabelSelector in DefaultEvictor args.
• PodLifeTime extensions (#1844, cherry-picked into v0.35.1) — adds conditions, exitCodes, ownerKinds, and transition-time filters. Not configured — current PodLifeTime config uses only maxPodLifeTimeSeconds and states, which remain unchanged. To enable, add fields under the PodLifeTime args in values.yaml: conditions (array of {type, status, reason, minTimeSinceLastTransitionSeconds}), exitCodes (array of integers), or ownerKinds with include/exclude lists.
• Init containers Helm support (#1826) — adds initContainers field to Helm values. Not configured — opt-in via initContainers in values.yaml.

Security

This update resolves pre-existing Go module vulnerabilities bundled in the descheduler binary. The modules updated in #1822 include golang.org/x/crypto (v0.38.0 → v0.47.0) and golang.org/x/net (v0.40.0 → v0.49.0).

golang.org/x/net (fixed in v0.45.0): CVE-2025-47911 (quadratic parsing complexity in x/net/html) and CVE-2025-58190 (infinite parsing loop in x/net/html). Not affected — both are in the x/net/html package; the descheduler does not parse HTML.

golang.org/x/crypto (fixed in v0.45.0): CVE-2025-58181 (unbounded memory consumption in x/crypto/ssh), GHSA-f6x5-jh6r-wrfv (panic in x/crypto/ssh/agent), and GO-2025-4135 (DoS in x/crypto/ssh/agent). Not affected — all are in the x/crypto/ssh package; the descheduler does not use SSH.

All five CVEs are pre-existing (present in v0.34.0) and resolved by v0.35.1. None are in code paths used by the descheduler, so they do not affect the risk assessment.

Key Fixes

• RBAC sync for PVC permissions (#1836, cherry-picked into v0.35.1) — The v0.35.0 app introduced a PVC informer (for storage class protection) but the Helm chart's ClusterRole was missing persistentvolumeclaims get/watch/list permissions. Without this fix, v0.35.0 logged permission errors: persistentvolumeclaims is forbidden. The v0.35.1 chart adds these RBAC rules. The current deployment's ClusterRole will gain PVC permissions after re-rendering — this is expected and harmless.
• Native sidecar resource calculation (#1771) — fixes pod resource calculation to properly account for Kubernetes native sidecar containers, which could have caused incorrect eviction decisions on pods with init containers using restartPolicy: Always.

Newer Versions

v0.35.1 is the latest release (released 2026-03-09). No newer versions exist.

Hazards & Risks

None identified. All new features (storage class protection, namespace label selector, PodLifeTime extensions, init containers) are opt-in and require explicit configuration to activate. The user's existing config keys (maxPodLifeTimeSeconds, states, podRestartThreshold, evictLocalStoragePods, metricsUtilization) are unchanged in behavior. The only structural change to deployed manifests is the addition of PVC RBAC permissions in the ClusterRole, which prevents log errors from the PVC informer introduced in v0.35.0.

Sources

• Descheduler v0.35.0 release
• Descheduler v0.35.1 release
• PR #1836 — RBAC sync for PVC permissions
• PR #1752 — Storage class pod protection
• PR #1771 — Native sidecar resource calculation fix
• PR #1842 — Data race fix
• PR #1844 — PodLifeTime extensions
• PR #1786 — Namespace label selector
• Helm chart diff (0.34.0 to 0.35.1)
• PR #1822 — Go dependency security updates
• OSV — golang.org/x/net vulnerabilities
• OSV — golang.org/x/crypto vulnerabilities

---

🟢 Verdict: Safe

Straightforward minor update with no breaking changes. All new features are opt-in, the RBAC fix for PVC permissions is needed and ships automatically, and the user's existing config requires no modifications.

[claytono]

Closing — v0.35.1 does not fix the LowNodeUtilization Prometheus regression (upstream issue kubernetes-sigs/descheduler#1840 still open). Local tracker: #1647. Will re-evaluate when upstream lands a fix.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (0.35.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.