Next Deadline: Code Freeze, November 14th
Yes, we’re freezing two days before the Kubecon pageantry starts. After that, you need to cherry-pick to get into v1.17, so ideally finish up your work now.
The next patch release date is Nov. 13th, for all supported releases, which does not include v1.13, since it’s both EOL and removed from Testgrid.
Starting with a simple but awesome change: the apiserver will now automatically reload its TLS certificates. This allows using fast-rotation certs with the apiserver directly, whether from public CAs like LetsEncrypt or from local CAs on even tighter loops. Fast-rotation certificates can help improve security by limiting the window in which a leaked key is useful. This also potentially allows for interesting experiments with low-overhead dynamic provisioning and shared hosting environments. It builds on last week's changes for the primary serving certificate and the dynamic reload of client certificates used for service-to-service authentication.
A permanent source of bugs in software is malformed configuration files, and Kubernetes is no different. This PR enables “strict” mode when reading a Kubelet configuration file, meaning that unknown keys or bad syntax are a fatal error rather than being silently ignored. This may eventually present problems for folks running mixed fleets on different Kubelet versions, since you can no longer add a future configuration option and have it ignored on older versions, but only time will tell whether this is a substantial problem.
Many core controllers treat API request errors as transient; normally they are, and retrying helps ensure overall convergent operation. But in the specific case of namespace deletion, a lot of objects often get caught in a retry loop while the namespace is torn down. Now those retry loops bail out if the error is specifically that the namespace is being deleted or no longer exists, since that is not a transient error. This is aimed at the e2e tests but will likely help in the same way with any other testing setup that creates and deletes namespaces rapidly.
And finally, a new data topology helper for Server Side Apply to manage two common cases of maps in custom resources. The default granular mode separately tracks and merges each sub-key, as is usually desirable for configuration data or similar. The new atomic mode treats the entire map as a single field, so if any writer touches it, it owns every key. This new mode can be set through the `x-kubernetes-map-type` annotation.
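To show where the annotation goes, here is a CRD schema fragment with both map types side by side. It is an added illustration, not code from the PR or the Kubernetes project; the `widgets.example.com` resource and its `settings` and `tlsConfig` fields are hypothetical.

```yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: widgets.example.com   # hypothetical CRD, for illustration only
spec:
  group: example.com
  names:
    kind: Widget
    plural: widgets
  scope: Namespaced
  versions:
  - name: v1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            properties:
              # granular (the default): Server Side Apply tracks and merges
              # each key on its own, so two appliers can each own their
              # own keys of this map without conflicting.
              settings:
                type: object
                x-kubernetes-map-type: granular
                additionalProperties:
                  type: string
              # atomic: the whole map is one field. Whoever applies it owns
              # every key, and another applier that sets any key of it
              # replaces the whole map and gets a conflict unless it forces.
              tlsConfig:
                type: object
                x-kubernetes-map-type: atomic
                properties:
                  certFile:
                    type: string
                  keyFile:
                    type: string
```

Atomic is the safer choice for maps whose keys only make sense together (a cert/key pair, for instance), since a partial overwrite by a second manager cannot leave a half-updated map behind.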
`CFSSL_CA_PK_PASSWORD` var to sign kube certs; this undocumented misfeature has been disabled
`cleanup-ipvs` flag is deprecated
Last Week In Kubernetes Development (LWKD) is a product of some members of the Kubernetes project, but is not an official publication of the Kubernetes project or the CNCF. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.