Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending May 10, 2020
Developer News
The Amsterdam Contributor Summit has been cancelled, and will not be held as a virtual version either in order to limit “virtual conference fatigue.” The next contributor summit will be in Boston. The New Contributor Workshop is moving to an online-only version that should be ready sometime in July.
Kubernetes is looking to move to distroless containers for many components. This may break many Flexvolume drivers, which can rely on Linux utilities to work. Please participate in the SIG-Storage discussion if that includes your driver.
Release Schedule
Next Deadline: Enhancement Freeze, May 19th
Version 1.15.12, released last week, is the final patch for v1.15. If you’re still on 1.15, it’s time to upgrade or get support from a vendor. v1.16 will likely have extended support, but v1.15 does not.
Also, v1.19alpha3 is ready for your testing.
Featured PRs
#87746: Support compiling Kubelet w/o docker/docker
Another big step towards treating Docker like all other runtime plugins, there is now a dockerless build flag which can make a docker/docker-free Kubelet. The KEP goes into greater detail about the rationale, but the short of it is a desire to have a more unified flow within the Kubelet code to reduce the risks of differences in behavior, as well as generally having less code to maintain.
#90674: Switch core master base images (kube-apiserver, kube-scheduler) from debian to distroless
Minimal images! Or at least much more minimal. This week introduced a new go-runner tool which takes the place of the older bash scripts for log file management, and container images based on the Distroless project and go-runner. This reduces both container size and security surface area by a lot, and hopefully will improve logging performance too! Hopefully this experiment will be a success and the rest of the images will join them soon. As mentioned above, please join the SIG discussions if this change will impact you.
#90843: Add support for TLS 1.3 ciphers
And finally a small but mighty change, adding support for several TLS 1.3 ciphers for clients which can use them. This was identified by the Trail of Bits security audit as part of a larger request to improve our TLS by only supporting safe ciphers.
Other Merges
- Fork IPVS in order to fix an old kernel compatibility issue and yet have IPVS+docker still work
- Topology spreading has a maxSkew score config to better randomize node selection among desirable nodes
- Only resync load balancing pools if relevant fields change
- client-go’s rest.Config can override proxy configuration for multicluster managers
- “No nodes available” will count as unschedulable, not errors
kubeadm upgradepulls images during preflight checks instead of using a DaemonSet- Fix chronic Azure disk attach issue
- If a cloud node doesn’t exist, don’t check shutdown status
- cloud-controller-manager is moving to staging, which requires limiting imports from the k/k tree
- Make CSI migration actually work on Azure, backported
cloud.google.com/network-tierannotation is available by default
Version Updates
- debian base images to use debian-base:v2.1.0 and debian-iptables:v12.1.0, at least those not switched to distroless
- kube-cross to v1.12.17-2
- kube-dns to 1.15.10
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.