Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.

Week Ending October 4, 2020

Developer News

Just a few hours left to vote in the Steering Committee election, so do it now.

kubernetes-incubator is finally gone. RIP, incubator. You were there when we needed you.

Jorge Castro reminded folks about some housekeeping for mailing lists. Rodrigo Campos wants to collect all sidecar container use-cases, so add yours.

Hacktoberfest caused some noise on a few repositories, but Digital Ocean has tried to improve things going forward. This does now mean that for PRs to be counted towards Hacktoberfest, your repository must opt in by tagging itself with the hacktoberfest topic. For a repository under Kubernetes’ administration, you will need to reach out to the github-admin team to request they add it. For your own repos, you can click the gear icon next to the About section in the right-hand sidebar of the main repository overview page.

Release Schedule

Next Deadline: Enhancements Freeze, Oct. 6

Your Enhancement specs for 1.20 are due Tuesday. While there is an exception process, it helps everyone if you can get them in on time.

Fixes for the next patch releases need to be cherry-picked and merged by October 9.

As it’s been a quiet week in feature development, we’re going to shake things up and feature a trio of interesting KEPs accepted this week. As always, a KEP is not a guarantee the feature will be implemented or ever reach GA.

enhancements#1899: KEP: hardened exec requests

One of the lessons learned during the ToB security audit was that we have a number of internal APIs potentially vulnerable to server-side request forgery (SSRF). While the immediately dangerous ones have already been dealt with, the exec API in the Kubelet itself could use some improvements. This KEP lays out a plan to simplify the underlying exec APIs, remove options and endpoints never used by kube-apiserver, and generally lock things down to only the expected usage. Put together, this should dramatically reduce the risk of future exploits involving these APIs.

enhancements#1928: Create KEP for built-in Defaulting

This KEP seeks to unify the declarative defaulting behavior between in-tree types and custom resources. More specifically, all tools will use // +default=someYAMLvalue to generate the defaulting, either in code or in OpenAPI specifications. This brings us one step closer to CRDs being on equal footing with in-tree types and controllers, which in turn will make it easier to migrate niche or deprecated functionality out of k/k.

enhancements#: Add node shutdown KEP

Anyone running Kubernetes in the cloud has experienced a “cloud oops” where a machine shuts down unexpectedly, usually due to unplanned hardware maintenance or other adverse events. One side effect of unexpected shutdowns is that pods never get to run their PreStop handlers or otherwise gracefully terminate the container processes. This KEP proposes using the systemd “Inhibitor Lock” API to let the kubelet be notified of an impending shutdown so it can stop all pods cleanly before the shutdown continues. This may not cover every case, especially for anyone not using systemd, but it’s a great start and will address the vast majority of users.

Other Merges

Deprecated

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers; see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD GitHub repo.