Week Ending June 2, 2019

We’re back! After a hiatus for conference travel, LWKD returns this week with your usual slushball of information about what’s happening in the land of cloud-natively hacking.

Security Alert: kubelet v1.13.6 and v1.14.2 have a security regression. You should downgrade to the prior patch release, set RunAsUser, or upgrade to the patch versions coming out later this week.

Developer News

If you are using TravisCI with your repo, you need to remove it, since Prow and Tide can’t interact with it anymore. This includes a long list of repos that are about to stop merging, so please fix. Further, merge commits will now be blocked from Kubernetes/Kubernetes.

On the nice side, Prow now checks your Github status before assigning reviews to you.

Several SIGs have started doing day-long cleanups where they go through their backlogs of issues and PRs to see what can be closed. See SIG mailing lists to join one.

Release Schedule

Next Deadline: All enhancements should have Docs patches ready to review today, June 4th. Beta.2 comes out June 5.

Version 1.15 is currently in Code Freeze. The upcoming release has 27 enhancements, one of which may not make it. CI Signal status is yellow, and 20 PRs are waiting to be merged, so please review and fix those tests!

There is now a separate repo for Release Notes tooling. If you have opinions about the Release Notes Website, please speak up via the survey.

Versions v1.14.3 and v1.13.7 will be released June 6th, and fix the reported security issue. Version 1.12.9 was released May 29th.

Featured PRs

#73447: Document how to build and deploy the sample-apiserver

Leading off with a documentation update! sample-apiserver is a small project which shows how to create a standalone API service, usually to use with kube-apiserver’s aggregation proxy mode. While Kubebuilder (and apiserver-builder) have mostly replaced it for practical uses, this project is still a great place to tinker with API concepts and learn the nuts and bolts of how an API server is put together. The new docs show how to compile things and how to deploy out to a cluster. If you’re interested in API internals, check it out.

#78262: Add Service Load Balancer finalizer support

While external load balancers have always been cleaned up eventually, it has previously been an asynchronous process. This PR uses the finalizer system to block the deletion of the Service object itself until the external resources are torn down fully. This both makes testing easier, it helps improve the behavior of any tools built around LoadBalancer services to more accurately report their state.

#77762: Adds staging directory for kubectl code

Long awaited but finally here, kubectl is getting its own staging repo: kubernetes/kubectl aka k8s.io/kubectl. For Kubectl plugins which need to pull in some of its utilities, this should help reduce the final executable size as well as streamline dependency management.

#74614: add non-preempting option to PriorityClasses

And finally a nice, advanced scheduling feature. This adds a preemptionPolicy field to both Pods and PriorityClasses which can be set to Never to ensure that no matter what other priorities are in use, the pod will never get preempted. Use with caution, but for services that really can’t be disrupted no matter what, this is a nice knob to have.

Other Merges

• Admission webhooks have an objectSelector to filter which objects the hook covers, and grok the name changes for objects
• HPA can scale on multiple metrics at the same time
• No more orphan LoadBalancers; get finalizer protection
• Kube-Proxy can be started before the CNI network is up
• CRDs get default values
• The kubelet gets a plugin manager
• Users can clone volumes using DataSource PersistentVolumeClaim if the driver supports it
• kubectl top gets configurable sorting
• Add topology for which Runtimes are available on which nodes
• The Route Controller rate-limits deletions
• Add quotas for ephemeral volumes if the FS supports it
• Dockershim needs its own special snowflake runtime handler because docker
• Make selecting topology-aware volumes on AWS more efficient
• CRD “scale” subresources can be either of two places
• Volumes migrated to CSI handle resizing
• Kubelet counter metrics get a start time
• No more graceful termination for UDP in IPVS
• CSI emphemeral volumes obey the PodSecurityPolicy
• The API supports deflate content
• Allow creating high-PriorityClass pods that don’t preempt running pods
• Only collect node metrics we care about

kubeadm changes:

• Rename HA flags by removing “experimental”
• All upgrading now happens via kubeadm upgrade node instead of earlier commands
• Generate secure random keys
• InitConfiguration stops embedding ClusterConfiguration

Windows changes:

• CRI detection
• Fix Windows container memory leak
• Respect Windows user HomeDir setting

Promotions

• resource quota scope selctors to GA
• StorageVersionHash to Beta
• NodeLocal DNS Cache to Beta
• Online Volume Expansion to Beta
• Device monitoring plugins to Beta

Deprecated

• KubeletPodResources didn’t work on Windows, so it’s disabled
• cadvisor JSON API endpoints are deprecated
• The kubectl scale test job is removed
• kube-proxy drops --cleanup-iptables
• kube-apiserver deprecates --enable-logs-handler
• kubectl exec drops the --pod flag
• transformer_failure_total metric deprecated in favor of transformation_operation_total

Version Updates

• Cluster API Provider for AWS to v0.3.0
• Revert CoreDNS in kubadm to 1.3.1 due to migration issues
• vmware/govmomi to v0.20.1

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.