Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending August 4, 2019
Developer News
Are you a Kubernetes Contributor? Are you going to Kubecon San Diego? Consider submitting a session proposal for the 2019 Contributor Summit. Also for SIG Leads: SIG Session proposals are due August 16th.
Garden lets you build and test Kubernetes applications locally, but without Kubernetes running on your laptop.
LWKD now has a logo thanks to the talented designer at GraphArtgency. Don’t expect any branded swag from us, though.
Release Schedule
Next Deadline: 1.16.0-alpha.3, August 6th
There are currently 39 enhancements for 1.16, including 12 beta promotions and 10 GA promotions.
We are currently in the “lull” between Enhancements Freeze and Code Freeze, where folks are supposed to be working on finishing up their features (adding testing, etc.), and filing Exceptions for late-entry features. The 1.16 branch will be created August 13th, along with the release-1.16 test jobs. On the same date, the 1.12 test jobs will be shut down, completing the EOL of version 1.12.
The next patch updates for stable versions will be released sometime in mid-August (exact date TBD).
Featured PRs
#80231: Promote admissionreview to v1
Big congrats to SIG-ApiMachinery and all the other groups that have worked on getting the admission webhook system to GA status! There have been no schema changes as part of the promotion, but all parts of the system will now accept v1 objects and data. When sending back a v1 response, there is tighter response validation than beta, so check the PR before upgrading your code.
#80383: Add NormalizeScore extension point for scheduler framework.
This PR implements another extension point in the default scheduler to allow for plugins to change the final scores just before ranking. This is generally used for things like dynamic min or max scores, or other global-ish value modifications. This joins other scheduler extension points like “prebind”, “reserve”, and “post-filter” to tweak the scheduling process for large or complex clusters.
#80750: apiextensions: check request scope against CRD scope correctly
A fix for CVE-2019-11247, previously it was possible to access a cluster-scope resource through a namespace, assuming the user had permissions at the namespace level. This could allow unexpected access if the user had valid permissions in the namespace, but not in a ClusterRoleBinding as would generally be expected for cluster-scope resources. This fix has been cherry-picked and released as v1.13.9, v1.14.5, and v1.15.2. Upgrading is recommended for all users.
Other Merges
- Refactor how the
kubectl cpcommand works in order to partly patch security vulnerabilities CVE-2019-1002101 and CVE-2019-11246, preventing malicious directory browsing; backpatched to all active stable versions - Permit disabling compression for intra-control-plane communications
- Support ADFS auth on Azure
kubectl get configmapcounts binary keys correctly- Make override flags work with Bash completion
- Serialization of binary fields now uses the raw bytes instead of a nested map. Sounds obscure but touches a lot of code, so maybe take a look if you work on CRDs or cloud providers
- Stop trying to retrieve a public IP for VMSS nodes
- Stop masquerading localhost-to-localhost HostPort connections, which breaks DNS on some systems
- PVC errors propogate to pod events making it easier to debug why your pod won’t start
- kube-controller-manager defaults to 5 concurrent StatefulSet workers and adds worker number configuration
- Retry failed iscsi logouts until they work, dammit!
- Make systemd reserved cgroups work correctly
- Kubelet will look up node addresses in external cloud providers, if not given them
The Kubeadm team also dropped a bunch of fixes and changes this week, including discovering certificate-authority files, securing kube-scheduler, generating certs for etcd, not aborting reset on error, adding a timeout to discovery, and otherwise making `–discovery-file work as intended.
Version Updates
Last Week In Kubernetes Development (LWKD) is a product of some members of the Kubernetes project, but is not an official publication of the Kubernetes project or the CNCF. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.