Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending November 3, 2019
Release Schedule
Next Deadline: Code Freeze, November 14th
Yes, we’re freezing two days before the Kubecon pageantry starts. After that, you need to cherry-pick to get into v1.17, so ideally finish up your work now.
The next patch release date is Nov. 13th, for all supported releases, which does not include v1.13, since it’s both EOL and removed from Testgrid.
Featured PRs
#84303: Dynamic SNI certificates
Starting with a simple but awesome change, the apiserver will now automatically reload its TLS certificates. This allows using fast-rotation certs with apiserver directly, either public CAs like LetsEncrypt or local CAs on even tighter loops. Fast-rotation certificates can help improve security by limiting the time frame of a leaked key. This also potentially allows for interesting experiments with low-overhead dynamic provisioning and shared hosting environments. This adds to changes last week for the primary serving certificate and dynamic reload of client certificates used for service-to-service authentication.
#83204: Enable strict serializer in kubelet
A permanent source of bugs in software is malformed configuration files and Kubernetes is no different. This PR enables “strict” mode when reading a Kubelet configuration file, meaning that unknown keys or bad syntax will be a fatal error rather than silently ignored. This may present eventual problems for some folks running mixed fleets on different Kubelet versions as you can no longer add a future configuration option and have it ignored on older versions, but only time will tell if this is a substantial problem.
#84123: Handle namespace deletion more gracefully in built-in controllers
Many core controllers treat API request errors as transient, normally they are and this helps ensure overall convergent operations. But in the specific case of namespace delete, often a lot of objects get caught in a retry loop for a while as the namespace is torn down. Now those retry loops will bail out if the error is specifically that the namespace is being deleted or no longer exists, as this is not going to be a transient error. This is specifically aimed at the e2e tests but will likely help in the same way with any other testing setup that involves creating and deleting namespaces rapidly.
#84113: Adds x-kubernetes-map-type annotation as a CRD API extension
And finally a new data topology helper for Server Side Apply to manage two common cases of maps in custom resources. The default granular mode separately tracks and merges each sub-key, as is usually desirable for configuration data or similar. The new atomic mode treats the entire map as a single field, so if any writer touches it, it owns every key. This new mode can be set through the ` x-kubernetes-map-type` annotation.
Other Merges
- The alpha Scheduler Policy API has been relocated in the API spec and the code base without changing its parameters or functionality (yet)
- Kubelet gets a metric for server cert age, and the Scheduler gets cache size
- Stop validating custom priority configs
- Use proxy ENV with Kubeadm & kube-proxy
- More on filesystems with block reconstruction
- If you’re using v1alpha1, kube-proxy config validation is laid-back
- Stop letting folks declare Scheduler policy configs multiple times
Promotions
- CSI Topology has graduated to GA
Deprecated
- The “mount containers” feature that never made it out of alpha is gone
- You can’t use
CFSSL_CA_PK_PASSWORDvar to sign kube certs; this undocumented misfeature has been disabled cleanup-ipvsflag is deprecated
Version Updates
- Azure SDK to v35.0
- Docker supported up to 19.03 in Kubeadm
- Default etcd to 3.4.3
- NodeProblemDetector is v0.8.0, mostly to reduce no-change report frequency to 5min
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.