Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.

Week Ending July 19, 2020

Developer News

There was a patch release this week that patched two security holes. Update at the next reasonable maintenance window – see below for details.

Kubernetes has decided to start removing inactive contributors from Github org membership.

The switch from google-containers to k8s-artifacts-prod namespaces for Kubernetes’ official containers began Monday. Hopefully we’ve fixed all the obstacles.

SIG-Multicluster wants you to choose what a multiple-cluster thing should be called.

SIG Leads need to complete unconscious bias training by August 31st.

Release Schedule

Next Deadline: Code Thaw (postponed)

As of the time of writing there are 19 critical fix PRs open against 1.19, mostly failing or flaky tests. In light of this, the release team has decided to hold off on code thaw until CI signal for master looks better. If you have an open PR against 1.19 or a CI signal fix in general, please get them sorted as soon as possible. Similarly for reviewers and approvers, please take some time this week to make sure fixes are unblocked.

The target release date is in about 5 weeks and the whole team would like to ensure that we don’t end up leaving build issues to the last minute, possibly destabilizing both the 1.19 release and master development.

1.18.6, 1.17.9, and 1.16.13 were released July 15th. In addition to bug fixes, these updates patch a privilege escalation security hole and a DDoS security hole. While both holes require a combination of circumstances, infra hosts should plan to update very soon.

#90187: Implement server-side apply upgrade and downgrade

One way server-side apply improved over kubectl apply is that it allows tracking multiple sets of applied fields, each tied to an owner. Also, as a core feature, it promoted this tracking data from an annotation to a new ObjectMeta.ManagedFields struct member so it would be easier to work with and wouldn’t require clients to do multiple rounds of parsing themselves. But this does mean that the old apply and the new apply are not directly interchangeable. To make the feature easier to adopt, the API server will now automatically read an existing last-applied-configuration annotation if no ManagedFields exists, and it will set the annotation when performing a server-side apply so that existing client-side apply workflows can interoperate with it.
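The fallback order described above, as an added illustration that is not code from the PR or from Kubernetes itself: prefer the ObjectMeta.managedFields ownership tree, and only when it is absent derive the applied field set from the client-side annotation. The annotation key is assumed to be the well-known kubectl.kubernetes.io/last-applied-configuration; both sample objects are constructed for the example.

```python
import json

# Well-known annotation written by client-side `kubectl apply` (assumed key).
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def field_paths(value, prefix=""):
    """Flatten a plain JSON object (the annotation body) into dotted leaf paths."""
    if isinstance(value, dict):
        paths = set()
        for key, child in value.items():
            paths |= field_paths(child, f"{prefix}.{key}" if prefix else key)
        return paths
    return {prefix}


def managed_paths(entry):
    """Translate one managedFields entry's fieldsV1 tree ('f:' keyed) into dotted paths."""
    def walk(node, prefix):
        paths = set()
        for key, child in node.items():
            if not key.startswith("f:"):      # skip "." self-markers and k:/v: list keys
                continue
            path = f"{prefix}.{key[2:]}" if prefix else key[2:]
            sub = walk(child, path) if isinstance(child, dict) else set()
            paths |= sub if sub else {path}   # empty subtree means this node is the leaf
        return paths
    return walk(entry.get("fieldsV1", {}), "")


def applied_fields(obj):
    """Return (source, paths): managedFields if present, else the annotation, else nothing."""
    meta = obj.get("metadata", {})
    if meta.get("managedFields"):
        paths = set()
        for entry in meta["managedFields"]:
            paths |= managed_paths(entry)
        return "managedFields", paths
    annotation = meta.get("annotations", {}).get(LAST_APPLIED)
    if not annotation:
        return "none", set()
    try:
        last_applied = json.loads(annotation)   # client-written text: tolerate garbage
    except json.JSONDecodeError:
        return "none", set()
    return "annotation", field_paths(last_applied)


# Constructed sample: an object applied only with the old client-side workflow.
CLIENT_SIDE_OBJ = {"metadata": {"annotations": {LAST_APPLIED: json.dumps(
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "labels": {"app": "web"}}, "spec": {"replicas": 2}})}}}
# Constructed sample: an object already carrying server-side apply ownership data.
SERVER_SIDE_OBJ = {"metadata": {"managedFields": [{"manager": "kubectl", "operation": "Apply",
    "fieldsV1": {"f:metadata": {"f:labels": {".": {}, "f:app": {}}}, "f:spec": {"f:replicas": {}}}}]}}
```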

#90949: Add seccomp least privilege for kuberuntime

With the newly GA’d seccomp support from a few weeks ago, a persistent thorn was that container policies needed a few extra permissions to allow the pod sandbox pause container to operate. This has been fixed by setting up the pod sandbox container with its own policy. In addition to hardening things by default, this means if you don’t use any of the following syscalls, you can potentially remove them from your profiles in the future:

This was also patched for the dockershim runtime.

Other Merges

Version Updates

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.