As of 1.20 (out this week), Dockershim is deprecated in Kubernetes. Learn what this means for you in the blog and FAQ. Mostly, if you're still using Docker as your container runtime on your Kubernetes clusters, it may be time to think about gradually migrating to Containerd or CRI-O instead.
We also had a new security issue this week, CVE-2020-8554. The issue has the full details, but a tl;dr is that in a multi-tenant environment, the externalIP feature of Services allows one tenant to intercept edge traffic bound for another tenant. There is no in-tree fix, as removing the feature would violate our compatibility promises; however, you can use a provided admission webhook or OPA policy to deny or restrict usage of the feature. The same issue can also happen with status.loadBalancer.ingress.ip for LoadBalancer-type services, however access to that can be controlled using normal RBAC permissions. This does mean that a single-namespace Role/Binding of */*/* (all resources and verbs) is unsafe and should not be used in a multi-tenant environment.
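As an added illustration of the two mitigations mentioned above (this is example code written for this newsletter, not the project's provided webhook or OPA policy), the block below shows the core decision logic a validating admission webhook would apply to a Service: reject any externalIPs outside an operator-chosen allowlist. It also includes a small audit helper that flags the `*/*/*` style RBAC rule the text warns about. The allowlist CIDR, the sample AdmissionReview, and the sample Role are constructed for the example; the AdmissionReview field names follow the admission.k8s.io/v1 API.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed allowlist: address ranges the cluster operator has decided
# tenants are permitted to claim via spec.externalIPs. In a real webhook
# this would come from its configuration, not a module-level constant.
ALLOWED_EXTERNAL_IP_RANGES = [ip_network("203.0.113.0/24")]


def external_ip_violations(service):
    """Return the externalIPs on a Service object that fall outside the allowlist.

    Unparseable addresses are reported as violations too, so a malformed
    value cannot slip past the check.
    """
    spec = service.get("spec") or {}
    violations = []
    for raw in spec.get("externalIPs") or []:
        try:
            ip = ip_address(raw)
        except ValueError:
            violations.append(raw)
            continue
        if not any(ip in net for net in ALLOWED_EXTERNAL_IP_RANGES):
            violations.append(raw)
    return violations


def review(admission_review):
    """Produce an admission.k8s.io/v1 AdmissionReview response for a request.

    Only Service objects are inspected; everything else is allowed through.
    """
    request = admission_review["request"]
    uid = request["uid"]
    kind = (request.get("kind") or {}).get("kind")
    obj = request.get("object") or {}
    response = {"uid": uid, "allowed": True}
    if kind == "Service":
        violations = external_ip_violations(obj)
        if violations:
            response = {
                "uid": uid,
                "allowed": False,
                "status": {
                    "code": 403,
                    "message": "externalIPs not permitted: " + ", ".join(violations),
                },
            }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def is_wildcard_rule(rule):
    """True for a PolicyRule granting all verbs on all resources in all API groups."""
    return (
        "*" in (rule.get("apiGroups") or [])
        and "*" in (rule.get("resources") or [])
        and "*" in (rule.get("verbs") or [])
    )


def overly_broad_rules(role):
    """Return the rules in a Role/ClusterRole that match the */*/* pattern."""
    return [rule for rule in role.get("rules") or [] if is_wildcard_rule(rule)]


# Constructed sample request: a tenant Service claiming an address outside the allowlist.
CONSTRUCTED_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-0001",
        "kind": {"group": "", "version": "v1", "kind": "Service"},
        "object": {
            "apiVersion": "v1",
            "kind": "Service",
            "metadata": {"name": "tenant-b-web", "namespace": "tenant-b"},
            "spec": {"externalIPs": ["198.51.100.7"], "ports": [{"port": 80}]},
        },
    },
}

# Constructed sample Role: the single-namespace */*/* binding the text calls unsafe.
CONSTRUCTED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "tenant-admin", "namespace": "tenant-b"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    print(json.dumps(review(CONSTRUCTED_REVIEW), indent=2))
    print("overly broad rules:", overly_broad_rules(CONSTRUCTED_ROLE))
```

Wiring `review()` behind an HTTPS handler registered through a ValidatingWebhookConfiguration on Service CREATE/UPDATE is what turns this into an enforcement point; the audit helper is the kind of check to run over existing Roles before relying on RBAC to protect the LoadBalancer status path.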
Next Deadline: Release of 1.20.0 on Dec 8th
By the time you read this, 1.20 will probably have been released. Yay!
Patch updates for all versions, including 1.17, 1.18, and 1.19, will come out tomorrow.
Static pods (things configured directly through manifests and the Kubelet rather than the API) use a hash of the pod specification to derive the object UUID. An unexpected edge case resulting from this is that non-control-plane static pods like kube-proxy would have the same UUID on every node because they used the same underlying pod definition. This somewhat defeated the point of the UU in UUID and could confuse some tools expecting actually unique data. This fix is likely to be held until 1.21 because it requires that all static pod UUIDs change, and thus all static pods will be restarted during the upgrade. Anything using owner references against static pods should be checked for safety during this upgrade.
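To make the edge case concrete, here is an added example (not the Kubelet's own code) that sketches the hash-derived UID scheme described above: hashing only the manifest yields identical UIDs for the same kube-proxy manifest on every node, while mixing in a per-node value gives each node a distinct UID. The manifest and node names are constructed, and the choice of SHA-256 with the node name appended to the hashed input is an assumption made for illustration, not the project's exact algorithm.

```python
import hashlib
import json
import uuid

# Constructed static pod manifest, identical on every node, as kube-proxy would be.
KUBE_PROXY_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
    "spec": {"containers": [{"name": "kube-proxy", "image": "kube-proxy:constructed"}]},
}


def canonical_manifest(manifest):
    """Serialise a manifest deterministically so equal specs hash equally."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"))


def static_pod_uid(manifest, node_name=None):
    """Derive a UUID from the manifest hash, optionally salted with the node name.

    With node_name=None this reproduces the collision described in the text:
    every node running the same manifest gets the same UID. Passing the node
    name (an assumed fix for illustration) makes the UID unique per node.
    """
    hashed_input = canonical_manifest(manifest)
    if node_name is not None:
        hashed_input += "\n" + node_name
    digest = hashlib.sha256(hashed_input.encode("utf-8")).digest()
    # Fold the first 16 bytes of the digest into UUID form.
    return str(uuid.UUID(bytes=digest[:16]))


def uids_per_node(manifest, node_names, include_node_name):
    """Map each node to the UID it would assign the same static pod manifest."""
    return {
        node: static_pod_uid(manifest, node if include_node_name else None)
        for node in node_names
    }


def has_collisions(uid_map):
    """True when two or more nodes ended up with the same UID."""
    return len(set(uid_map.values())) < len(uid_map)


if __name__ == "__main__":
    nodes = ["node-a", "node-b", "node-c"]
    before = uids_per_node(KUBE_PROXY_MANIFEST, nodes, include_node_name=False)
    after = uids_per_node(KUBE_PROXY_MANIFEST, nodes, include_node_name=True)
    print("manifest-only hashing collides:", has_collisions(before))
    print("node-salted hashing collides:", has_collisions(after))
```

The same property is why the fix forces a restart: any scheme that changes the hashed input changes every static pod's UID at once, and anything holding an owner reference to the old UID will see it disappear.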
Last Week In Kubernetes Development (LWKD) is a product of some members of the Kubernetes project, but is not an official publication of the Kubernetes project or the CNCF. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.