Stay up-to-date on Kubernetes development in 15 minutes a week.
The Security committee has published a security advisory warning folks that, if verbose logging is enabled on versions older than the latest patch versions (1.19.3, 1.18.10, 1.17.13), you may inadvertently expose application and storage secrets. See CVE-2020-8563, CVE-2020-8564, CVE-2020-8565, and CVE-2020-8566 for more details. And update to the latest patch version!
Also, if you are a US citizen, please take some time off from Kubernetes Nov. 3rd to vote.
Next Deadlines: Docs Placeholders due Nov. 6
Initial Docs PRs for all tracked features are due this Friday; Code Freeze follows on Thursday, Nov. 12. At this point, you should be finishing up your feature work and fixing bugs and tests.
Cherry-picks for the next round of patch releases are also due this Friday, for a planned update release next Tuesday.
A quiet and unassuming PR, this gives us configurable parallelism for the scheduler. This allows for cranking it up when you want to optimize pod launch times, or dropping it down when you care more about consistent throughput. Both are important tuning options for large cluster operators! This can be set in your --config
configuration file via parallelism: N
.
This feature quietly moved to beta back in 1.12 but just in case you’ve been sleeping on it, now is a great time to check it out! The main way to interact with the new system is through a projected token volume:
volumes:
- name: vault-token
projected:
sources:
- serviceAccountToken:
path: vault-token
expirationSeconds: 7200
audience: vault
This offers a bunch of improvements over traditional Secret volume: you can specify an audience to limit what the token can be used for and an expiration time after which it will be renewed automatically (now with jitter to avoid a thundering herd). This also never writes the resulting token to a Secret which both reduces apiserver load and reduces the vectors for leaking the token. Tokens created through this system will also automatically be cleared when the owning pod is deleted. For anyone using Service Account tokens for service-to-service authentication, this offers a lot of benefits for very little work.
As part of the continuing growth of exec credential provider, you can now configure things so that the full cluster info struct is seralized to JSON and exposed to an environment variable before invoking the exec plugin. This allows the plugin command to easily connect to the relevant cluster or see other configuration data about it without having to decode all the kubeconfig files like kubectl itself does. To enable this feature, add provideClusterInfo: true
to the exec:
configuration section. Do be careful that your command understands that this environment variable could potentially include slightly sensitive information like server certificates and the like.
runtime/default
is the new docker/default
for seccomp annotations; conversion will be automatically handled (backported)apiserver_request_filter_duration_seconds
, FSGroupPolicyChange time taken--experimental-patches
during kubeadm initAccept: */*
headerControlPlane
replaces master
TokenRequest
and TokenRequestProjection
to GA, including adding a few default flags for the apiserver--address
, --insecure-bind-address
, --port
, and --insecure-port
will be nonfunctional in 1.20 and error out in 1.24kubectl autoscale --generator
flag is deprecated and nonfunctional in 1.20This graph of the new metric apiserver_request_filter_duration_seconds
shows the differences between filter execution time for different API filters.
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.