Week Ending July 12, 2020

Developer News

Kubernetes is replacing the SIG quarterly reports in the Community Meeting with Annual Reports which will be more formal, but less frequent. This is an acknowledgement of the real schedule, and the fact that we have 37 SIGs/WGs/UGs now.

CVE-2020-8558 affects kube-proxy 1.18.3 and below, allowing users to reach localhost services across the local network. Please update your servers to the latest patch release to resolve the issue, or see the mailing list announcement for mitigations.

Third Time’s The Charm: we will be once again trying to move the official image repo from google-containers to k8s-artifacts-prod starting next Monday, July 20th.

And finally a reminder to be very careful copy-pasting code from StackOverflow. By default, StackOverflow code samples are licensed under Creative Commons Share-Alike, which is not compatible with our licensing due to the viral nature of the “Share-Alike” restrictions.

Release Schedule

Next Deadline: Complete Docs, July 16th

We are now in Code Freeze, and v1.19 release branch has been cut.

1.18.6, 1.17.9, and 1.16.13 are expected out this Wednesday.

Featured PRs

#92784: generic ephemeral inline volumes

A new ephemeral volume type has been added for pod templates. This works similarly to the volumeClaimTemplates field in StatefulSets, every pod will use the template to construct a unique PVC object which can provision arbitrary storage or anything else hooked in to a CSI plugin. When the pod is deleted, so is the PVC and the PV with it unless you change the reclaim policy. This pairs well with the existing ephemeral volume support in CSI, but it could also be used for more complex things in the future like a CSI-backed implementation of the emptyDir volume type, exposing non-traditional storage like network-attached memdisks, or “userspace” implementations of API volumes like downward or configMap.

#91637: Adding new EndpointSlice Mirroring Controller

Another step towards making the EndpointSlice transition seamless, handling manually-curated services. This is most common with operators, such as prometheus-operator’s kubelet service used for metrics discovery. With this new controller, any such endpoints will be automatically copied into a matching slice so they will work transparently without having the specifically support both systems. If you have any existing code that does already handle updating both Endponints and EndpointSlices in parallel, be sure to apply the endpointslice.kubernetes.io/skip-mirror label to prevent the automatic mirroring.

#92310: kubectl debug: support debugging nodes

The kubectl alpha debug command will now support node-level debugging by running a pod in the host OS namespaces. It will also automatically bind mount the host filesystem to /host/ for interactive use. This can hopefully replace most remaining uses of SSH for node debugging and maintenance as well as simplify those tasks on newer minimialist OSes like CoreOS and Bottlerocket which ship few debugging tools in the OS and already expect most interactive sessions to happen in a container anyway.

This is also joined by #90094 which adds a copy mode to the debug command, to copy an existing pod and then attach to the copy. This can help avoid production disruptions while trying to understand a failure.

Other Merges

• Scheduler will check storage capacity before adding pods with volume
• apiserver now nests tracing and shows the entire filter chain
• Seccomp supports version skew conversion to keep API and annotations in sync
• Error if an API upgrade response is anything other than 101 (possible compatibility breakage)
• No more leaking endpointSliceTracker
• kube-aggregator is the last component to get dynamic certificate reloading
• kubebuilder adds validation tags
• Custom resource schemas use standard ListMeta in API requests
• Respect terminationGracePeriodSeconds before terminating mirror pods
• Hide managedFields during kubectl edit
• kubectl --timeout works together with scale and autoscale
• Eviction a pod that’s already been deleted always works
• Let containers with configmap subpath volumes restart properly
• Containers can ignore resources by prefix
• The /logs API can be completely disabled, even for admins

Promotions

• CSI Migration for vSphere goes beta
• EndpointSliceProxying to beta

Deprecated

• Audit events for deprecated features get tagged as such
• kubeadm alpha kubelet config enable-dynamic is both deprecated and hard to say five times fast
• Kubeadm + CoreDNS + Federation is not a supported combination
• kubeadm alpha certs generate-csr replaces --csr-only and --csr-dir
• kubeadm --bootstrap-checkpoint-path goes poof

Version Updates

• cAdvisor to v0.37.0
• CoreDNS to v1.7.0
• Hyperkube may be going away, but in the meantime debian-hyperkube image to v1.1.1, backported

Diagram of the Week

Walter Fender created this diagram of Kubernetes module-level dependencies for the docs.

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.