Week Ending September 1, 2019

Developer News

Steering Committee elections are coming up! First, contributors should make sure they are listed as a voter. If you want to nominate yourself or others, you need to do so by Sept. 11th.

Because of security holes, Kubernetes developers are currently discussing removing the kubectl cp command. This resulted in one fix and is likely to become a KEP soon; in the meantime it provides an illustration of how we decide on security vs. functionality.

If you identify as part of an under-represented minority contributor, you can request priority access registration for the Contributor Summit in San Diego.

Release Schedule

Next Deadline: Draft Docs Sept. 3; final, complete docs Sept. 9th

We are currently in Code Freeze until Sept. 10th, or however long it takes to get a clear CI signal (so fix those test failures as fast as you can).

Featured PRs

#77807: Add startupProbe to health checks

This PR implements the slow startup KEP, adding a new health check probe specifically for just the startup phase of containers. This is intended to allow for setting a different liveness probe timeout (or totally different check) to be used only during startup. If you have a container that takes a lot of time to initialize, this can help improve stability.

#77354: Use CRD validation field in server-side apply

Server-side apply moves the logic about merging the desired and current states of an object from kubectl to apiserver. Part of this has been an effort to improve that merge behavior when there is more than one applier that wants to own certain fields in an object. This PR improves the merge logic by using the new structural schema validation data to tell when a field should have special keyed-array-like behavior or other similar common cases in our APIs.

#81048: EndpointSlice Controller

The next phase of implementing the new endpoint management API, EndpointSlices now has a controller. The overall idea of EndpointSlices is to split up large Endpoint objects (i.e. those with a ton of Target pods) into multiple Endpoints referenced from an EndpointSlice. This two-layer API substantially multiplies the maximum number of targets for a single service without blowing up Etcd performance. Along with a controller, we also got API discovery, kubectl support, and support for reading from the new API in kube-proxy. The new system is still an experiment, but it looks promising for operating at ludicrous scale. If you have any code that reads from endpoints, for example an Ingress controller, you might want to start working out the changes you’ll have to make for the new API.

IPv6 Fixes

With a bunch of IPv6 code going into 1.16, Code Freeze prompted a blast of PRs:

• Phase 2 implementation of dual stack
• Dual stack services added to IPVS proxier
• Dual stack loadbalancing on Azure
• Make IPVS work with iptables rules for both IPv4 and IPv6
• Kubeadm fixes IPv6-compliant HTTPProxy check

Metrics

• Let’s move all the metrics onto the Metrics Stability Framework: kube-proxy, controller-manager, scheduler, kubelet, kube-apiserver
• Standardize some older kubelet metrics
• Add failure & error count metrics for auth
• Overhaul how webhook rejections get logged and counted

Kubectl

• kubectl cp won’t copy symbolic links due to exploits and issues
• kubectl get --ignore-not-found continues after error
• kubectl shows PodOverhead info in node display
• kubectl wait honors --all-namespaces

Other Merges

• Discovery requests have a timeout, defaulting to 5s; use EnableAggregatedDiscoveryTimeout=false to disable
• Webhook client auth needs to specify and match any non-default ports
• Apparently we need an UnschedulableAndUnresolvable status code for the Scheduler Framework, otherwise known as the “workload DOA” code
• Start enforcing nbf (not-before) in ID tokens
• kubelet PluginWatcher works on Windows, as do vSphere volumes
• Windows RunAsUserName gets testing
• Add some new exclude endpoints to keep users from abusing node-role labels
• ServiceAccount tokens have JWTs too
• Extend RequestedToCapacityRatio function to help users bin-pack their servers
• Give users visibility into why that namespace can’t be deleted
• The APIServer uses only http/1.1 to communicate with webhooks because of issues with http/2, and has no-caching headers
• kube-apiserver gets /livez endpoint to compliment existing readyz endpoint; next, jayz endpoint

Promotions

• Windows GMSA support to beta
• Ephemeral CSI Volumes to beta
• Four CRD Feature Gates go GA and get permanent defaults
• Server-side Apply to beta
• VolumePVCDataSource to beta
• Service Load Balancer Finalizer to beta
• Volume Expansion to beta

Deprecated

• Remove kubectl log, deprecated 4 years ago (!); use logs instead

Version Updates

• NPD to 0.7.1
• CoreDNS to 1.6.2
• cAdvisor godeps to v0.34.0

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.