The Security committee has published a security advisory warning folks that, if verbose logging is enabled on versions older than the latest patch versions (1.19.3, 1.18.10, 1.17.13), you may inadvertently expose application and storage secrets. See CVE-2020-8563, CVE-2020-8564, CVE-2020-8565, and CVE-2020-8566 for more details. And update to the latest patch version!
Also, if you are a US citizen, please take some time off from Kubernetes Nov. 3rd to vote.
Next Deadlines: Docs Placeholders due Nov. 6
Initial Docs PRs for all tracked features are due this Friday; Code Freeze follows on Thursday, Nov. 12. At this point, you should be finishing up your feature work and fixing bugs and tests.
Cherry-picks for the next round of patch releases are also due this Friday, for a planned update release next Tuesday.
A quiet and unassuming PR, this gives us configurable parallelism for the scheduler. This allows for cranking it up when you want to optimize pod launch times, or dropping it down when you care more about consistent throughput. Both are important tuning options for large cluster operators! This can be set in your
--config configuration file via
This feature quietly moved to beta back in 1.12 but just in case you’ve been sleeping on it, now is a great time to check it out! The main way to interact with the new system is through a projected token volume:
volumes: - name: vault-token projected: sources: - serviceAccountToken: path: vault-token expirationSeconds: 7200 audience: vault
This offers a bunch of improvements over traditional Secret volume: you can specify an audience to limit what the token can be used for and an expiration time after which it will be renewed automatically (now with jitter to avoid a thundering herd). This also never writes the resulting token to a Secret which both reduces apiserver load and reduces the vectors for leaking the token. Tokens created through this system will also automatically be cleared when the owning pod is deleted. For anyone using Service Account tokens for service-to-service authentication, this offers a lot of benefits for very little work.
As part of the continuing growth of exec credential provider, you can now configure things so that the full cluster info struct is seralized to JSON and exposed to an environment variable before invoking the exec plugin. This allows the plugin command to easily connect to the relevant cluster or see other configuration data about it without having to decode all the kubeconfig files like kubectl itself does. To enable this feature, add
provideClusterInfo: true to the
exec: configuration section. Do be careful that your command understands that this environment variable could potentially include slightly sensitive information like server certificates and the like.
runtime/defaultis the new
docker/defaultfor seccomp annotations; conversion will be automatically handled (backported)
apiserver_request_filter_duration_seconds, FSGroupPolicyChange time taken
--experimental-patchesduring kubeadm init
TokenRequestProjectionto GA, including adding a few default flags for the apiserver
--insecure-portwill be nonfunctional in 1.20 and error out in 1.24
kubectl autoscale --generatorflag is deprecated and nonfunctional in 1.20
This graph of the new metric
apiserver_request_filter_duration_seconds shows the differences between filter execution time for different API filters.
Last Week In Kubernetes Development (LWKD) is a product of some members of the Kubernetes project, but is not an official publication of the Kubernetes project or the CNCF. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.