LWKD logo

Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.


View LWKD on GitHub

Week Ending November 1, 2020

Developer News

The Security committee has published a security advisory warning folks that, if verbose logging is enabled on versions older than the latest patch versions (1.19.3, 1.18.10, 1.17.13), you may inadvertently expose application and storage secrets. See CVE-2020-8563, CVE-2020-8564, CVE-2020-8565, and CVE-2020-8566 for more details. And update to the latest patch version!

Also, if you are a US citizen, please take some time off from Kubernetes Nov. 3rd to vote.

Release Schedule

Next Deadlines: Docs Placeholders due Nov. 6

Initial Docs PRs for all tracked features are due this Friday; Code Freeze follows on Thursday, Nov. 12. At this point, you should be finishing up your feature work and fixing bugs and tests.

Cherry-picks for the next round of patch releases are also due this Friday, for a planned update release next Tuesday.

#94636: Added config parameter for CPU threads

A quiet and unassuming PR, this gives us configurable parallelism for the scheduler. This allows for cranking it up when you want to optimize pod launch times, or dropping it down when you care more about consistent throughput. Both are important tuning options for large cluster operators! This can be set in your --config configuration file via parallelism: N.

#93258: mv TokenRequest and TokenRequestProjection to GA

This feature quietly moved to beta back in 1.12 but just in case you’ve been sleeping on it, now is a great time to check it out! The main way to interact with the new system is through a projected token volume:

  - name: vault-token
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: vault

This offers a bunch of improvements over traditional Secret volume: you can specify an audience to limit what the token can be used for and an expiration time after which it will be renewed automatically (now with jitter to avoid a thundering herd). This also never writes the resulting token to a Secret which both reduces apiserver load and reduces the vectors for leaking the token. Tokens created through this system will also automatically be cleared when the owning pod is deleted. For anyone using Service Account tokens for service-to-service authentication, this offers a lot of benefits for very little work.

#95489: exec credential provider: wire in cluster info (superset of #91192)

As part of the continuing growth of exec credential provider, you can now configure things so that the full cluster info struct is seralized to JSON and exposed to an environment variable before invoking the exec plugin. This allows the plugin command to easily connect to the relevant cluster or see other configuration data about it without having to decode all the kubeconfig files like kubectl itself does. To enable this feature, add provideClusterInfo: true to the exec: configuration section. Do be careful that your command understands that this environment variable could potentially include slightly sensitive information like server certificates and the like.

Other Merges



Picture of the Week

Graph of 99th percentile of filter execution time for four API filters

This graph of the new metric apiserver_request_filter_duration_seconds shows the differences between filter execution time for different API filters.

Last Week In Kubernetes Development (LWKD) is a product of some members of the Kubernetes project, but is not an official publication of the Kubernetes project or the CNCF. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.