Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending March 18, 2018
There was no LWKD issue last week due to 1.10 release prep. Which means you missed nothing, because we’re in code freeze, which means all of the merges are for 1.10 features and bug fixes. We’ll detail those from the last 2 weeks, below.
Community Meeting Summary
The Community Meeting demo this week was Kuberhealthy, a tool by Comcast to monitor the “health” of Kubernetes clusters using both passive monitoring and active probing, which is unfortunately not yet generally available. SIG Auth delivered an update covering their features for 1.10, specifically Pod Security Policies, Advanced Auditing, the TokenRequest API, and client-go authentication providers. As Auth is the security SIG, they are considering creating a bug bounty to find security issues in Kube. SIG Instrumentation introduced the External Metrics API for integrating 3rd party services, and plans to graduate the Metrics API and Custom Metrics API to beta and eventually GA, deprecating Heapster in the process. They are working on instrumentation API security with SIG-Auth, and thinking about a historical metrics API and Kubelet metrics.
Announcements: you can register for the Copenhagen Contributor Summit. Office Hours are on Wednesday, we need users and volunteers to attend.
Release Schedule
Version 1.10 release is delayed, due to the prior week’s security release and difficult scalability and downgrade compatibility issues. As such, Code Freeze will end later today (Monday), and the actual release is now planned for March 26th. We are looking for a new release lead (and other team members) for 1.11.
Merges for the last 2 weeks are all to finish features and fix bugs in 1.10. Only the most significant are included below. Excluded are the many fixes to tests in order to get the boards green, and the many cherry-picks to backport fixes.
About That Security Release
Versions of Kubernetes prior to 1.9.4/1.8.9/1.7.14 allowed hostile users to hack subpath volume mounts to access any file on the host system. Users on older versions should upgrade as soon as possible. However, upgrading users may need to manually disable hostPath volumes on their clusters. This has been followed by other tweaks to subpath volume permissions, so if you use subpaths, look out for additional required upgrades.
Feature Work
- Scheduling Daemonsets using the scheduler (instead of overriding it) is now committed, including the new unschedulable taint and will be alpha in 1.10.
- Logging deletion of Statefulset Pods was increased.
- The cache now uses Pod UIDs as keys instead of name/namespace.
Deprecated
- The deprecated –mode switch for GCE has been purged from the Kubernetes code. This was supposed to have been done a year ago, when we first got the deprecation warning. Ooops.
Version Updates
- Etcd was updated to 3.1.12, then rolled back to 3.1.11 then upgraded to 3.1.12 again as part of troubleshooting performance issues.
- cadvisor to 0.29.1
- fluentd-gcp-scaler to 0.2.0
- ingress glbc image to 1.0.0
Other Merges
- Fixed two race conditions endpoint deletion and pod deletion.
- Subpath volumes can be used with ConfigMap and Secrets again.
- Kubectl command completion now works with zsh.
- Prevented garbage collector stalls when the GC runs out of resources.
Graph of the Week
Zach Corleissen shared a graph of documentation pull request response times. Seeing this graph in DevStats helped alleviate SIG-Docs anxiety about their response times, but showing that it was still less than 4 days. Prow automation had helped a lot with this.
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.