Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending February 23, 2020
Meeting Summary
At February’s monthly meeting we heard from SIGs Windows, Auth, and Multicluster.
SIG Windows is graduating Active Directory and runAsUserName support. Kubeadm on Windows will soon be beta. The SIG wants to move from Docker to CRI-ContainerD, and is also working on CSI support. However, the main work for v1.18 will be on scaling since there are issues with both HPA and CPU limits. SIG-Windows could use some help fixing the Windows jobs on Testgrid.
SIG Auth recently adopted the “secrets store” CSI driver from Storage, and are trying to improve the Certs API and auth performance. They’d like to overhaul PodSecurityPolicy, and the new GA ServiceTokenSupport is causing issues with legacy tokens and needs to be retrofitted. Auth could use help testing the various features with different auth clients.
SIG Multicluster just needs more contributor involvement, period. Kubefed needs some new maintainers, so if you depend on it consider stepping up. There’s also a new Multicluster API proposal they’re looking for feedback on.
Release Schedule
Next Deadline: Code Freeze, March 5th
Yes, Code Freeze is coming! Please finish up your v1.18 PRs and get started on documentation, since first draft docs are due March 9th.
Next patch releases are planned for March 12th, making the cherry-pick deadline March 9th (yes, the same day docs are due), so next week is gonna be busy.
Featured Merges
Adding AppProtocol to Service and Endpoints Ports
This new field, part of the AppProtocol KEP, will allow application builders to meaningfully specify the exact protocol used by their services. While Service protocol allows specifying TCP, UDP or SCTP, this will allow things like “postgresql://”
Add –dry-run=server|client|none to more kubectl commands
Julian Modesto has been adding the option for server-side dry runs to every command that supports a dry run, which is very helpful for testing anything that involves a CRD.
Add Schedulings Profiles to kubescheduler.config.k8s.io/v1alpha2
Together with 88285, this PR implements a major feature of the alpha Scheduling Framework: Scheduling Profiles. These allow users to create multiple workload-specific profiles.
UDS + GRPC Support for Network Proxy
SIG API Machinery is working on moving from the hackish approach of SSH Tunnels for container proxies to a full-blown network proxy delegation setup. Jeffrey Ying’s PR builds the USD and GRPC support into this.
Add namespace targeting mode to CRI and kubelet
PR makes the PID namespaces feature useful by having ephemeral containers run in the same PID namespace as the pod’s main containers. At least, for docker; other container runtimes need to implement this.
Other Merges
- Now you can have multiple sizes of Huge Pages with your kubernetes, and some usage stats to go with them
- kubeadm supports clusters with traffic encrypted with ECDSA keys
- kubelets can show hidden metrics, and by “hidden” we mean “deprecated”
- Support cross-tenant network resources in Azure
- Make
kubeadm upgradework again in single-node clusters - Add init-container log to cluster dump info
- Change when PermitPlugins run in Scheduling
- CSI Block Volumes get a directory janitor
- New kubelet_evictions metric
- Overhaul kube-proxy’s local traffic detection and add
--detect-localflag
Promotions
Deprecated
- CloudProviderBackoffMode removed from Azure provider, and deprecate the service annotation
azure-load-balancer-disable-tcp-reset - Remove
kubectl rolling-update, deprecated since 2018 - Deprecate
ClusterStatusdependency in Kubeadm, but without any plans for removal
Version Updates
- golang.org/x/crypto to v0.0.0-20200220183623-bac4c82f6975 to fix CVE-2020-9283
- CoreDNS to 1.6.7 in kubeadm clusters
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.