
Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.


Week Ending December 6, 2020

Developer News

As of 1.20 (out this week), Dockershim is deprecated in Kubernetes. Learn what this means for you in the blog and FAQ. In short, if you are still using Docker as the container runtime on your Kubernetes clusters, it may be time to plan a gradual migration to containerd or CRI-O instead.

We also had a new security issue this week, CVE-2020-8554. The issue has the full details, but the tl;dr is that in a multi-tenant environment, the externalIPs feature of Services allows one tenant to intercept edge traffic bound for another tenant. There is no in-tree fix, as removing the feature would violate our compatibility promises; however, you can use a provided admission webhook or OPA policy to deny or restrict usage of the feature. The same issue can also occur with status.loadBalancer.ingress.ip on LoadBalancer-type Services, but access to that field can be controlled using normal RBAC permissions. This does mean that a single-namespace Role/RoleBinding of */*/* (all resources and verbs) is unsafe and should not be used in a multi-tenant environment.
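To make the webhook mitigation concrete, here is the validation logic such a webhook would run, written as an added example for this issue; it is not the webhook or OPA policy the project published. It hand-declares only the AdmissionReview fields it needs so it builds with the standard library (a real webhook would import k8s.io/api/admission/v1), keeps an operator-maintained allowlist of externalIPs (the addresses and the sample request below are constructed), and denies any Service CREATE or UPDATE that sets spec.externalIPs to an address outside that list. Non-Service objects pass through untouched, and an object the webhook cannot decode is denied rather than allowed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the admission.k8s.io/v1 AdmissionReview types used here.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string           `json:"uid"`
	Kind      GroupVersionKind `json:"kind"`
	Namespace string           `json:"namespace"`
	Operation string           `json:"operation"`
	Object    json.RawMessage  `json:"object"`
}

type GroupVersionKind struct {
	Group   string `json:"group"`
	Version string `json:"version"`
	Kind    string `json:"kind"`
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}

type Status struct {
	Code    int32  `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}

// service holds only the Service fields this check reads.
type service struct {
	Spec struct {
		ExternalIPs []string `json:"externalIPs"`
	} `json:"spec"`
}

// AllowedExternalIPs is the operator-maintained allowlist (constructed sample
// value from the TEST-NET-3 documentation range). An empty map means no
// tenant may set spec.externalIPs at all.
var AllowedExternalIPs = map[string]bool{"203.0.113.10": true}

// ValidateService returns the admission verdict for one request. It is
// fail-closed for Services: any externalIP outside the allowlist is denied.
func ValidateService(req *AdmissionRequest, allow map[string]bool) *AdmissionResponse {
	resp := &AdmissionResponse{UID: req.UID, Allowed: true}
	// Core group is the empty string; anything else is not a Service.
	if req.Kind.Group != "" || req.Kind.Kind != "Service" {
		return resp
	}
	if req.Operation != "CREATE" && req.Operation != "UPDATE" {
		return resp
	}
	var svc service
	if err := json.Unmarshal(req.Object, &svc); err != nil {
		resp.Allowed = false
		resp.Status = &Status{Code: 400, Message: fmt.Sprintf("cannot decode Service: %v", err)}
		return resp
	}
	for _, ip := range svc.Spec.ExternalIPs {
		if !allow[ip] {
			resp.Allowed = false
			resp.Status = &Status{Code: 403, Message: fmt.Sprintf(
				"spec.externalIPs entry %q is not on the cluster allowlist (CVE-2020-8554 mitigation)", ip)}
			return resp
		}
	}
	return resp
}

// Review decodes a raw AdmissionReview body and returns the encoded
// AdmissionReview carrying the response, as the API server expects.
func Review(body []byte) ([]byte, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	out := AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview",
		Response: ValidateService(ar.Request, AllowedExternalIPs)}
	return json.Marshal(out)
}

// Constructed sample: a tenant tries to claim an externalIP not on the allowlist.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"abc-123","kind":{"group":"","version":"v1","kind":"Service"},"namespace":"tenant-b","operation":"CREATE","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"web"},"spec":{"externalIPs":["198.51.100.7"],"ports":[{"port":80}]}}}}`

func main() {
	out, err := Review([]byte(sampleReview))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Register this logic behind a ValidatingWebhookConfiguration scoped to core-group services on CREATE and UPDATE with failurePolicy set to Fail, so that an unreachable webhook cannot become a bypass; the loadBalancer status path mentioned above is not covered by this check and still needs the RBAC tightening described in the text.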

Remember to register for the Contributor Celebration this week.

Release Schedule

Next Deadline: Release of 1.20.0 on Dec 8th

By the time you read this, 1.20 will probably have been released. Yay!

Patch updates for all supported versions, including 1.17, 1.18, and 1.19, will come out tomorrow.

#87461: kubelet: ensure static pod UIDs are unique

Static pods (pods configured directly through manifests and the Kubelet rather than the API) use a hash of the pod specification to derive the object UUID. An unexpected edge case of this is that non-control-plane static pods such as kube-proxy had the same UUID on every node, because every node used the same underlying pod definition. This somewhat defeats the point of the "UU" in UUID and could confuse tools that expect the value to be unique. This fix is likely to be held until 1.21 because it changes every static pod's UUID, and thus every static pod will be restarted during the upgrade. Anything using owner references against static pods should be checked for safety before this upgrade.
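The collision described above, and one way to avoid it, as an added illustration rather than the kubelet's own code or the exact derivation in #87461: the first function hashes the manifest alone, so three nodes running the same kube-proxy manifest get one shared UID; the second mixes the node name into the hash input before deriving the UID, which is this example's assumption about how per-node uniqueness can be restored (check the PR for what the kubelet actually does). The manifest and node names are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// podSpecUID derives a UUID-shaped identifier from the manifest contents
// alone. Identical manifests on every node therefore yield identical UIDs.
func podSpecUID(manifest string) string {
	return formatUUID(sha256.Sum256([]byte(manifest)))
}

// nodeScopedUID mixes the node name into the hash input so that the same
// manifest produces a different UID on each node (illustrative assumption).
func nodeScopedUID(manifest, nodeName string) string {
	h := sha256.New()
	h.Write([]byte(nodeName))
	h.Write([]byte{0}) // separator so "node1"+"abc" never equals "node"+"1abc"
	h.Write([]byte(manifest))
	var sum [32]byte
	copy(sum[:], h.Sum(nil))
	return formatUUID(sum)
}

// formatUUID lays out the first 16 bytes of a digest as an RFC 4122
// name-based (version 5 style) UUID string with the version and variant
// bits set, the shape tools expect in metadata.uid.
func formatUUID(sum [32]byte) string {
	b := sum[:16]
	b[6] = (b[6] & 0x0f) | 0x50 // version nibble
	b[8] = (b[8] & 0x3f) | 0x80 // variant bits
	s := hex.EncodeToString(b)
	return s[0:8] + "-" + s[8:12] + "-" + s[12:16] + "-" + s[16:20] + "-" + s[20:32]
}

// countDistinct reports how many distinct UIDs a fleet of nodes produces for
// one manifest under a given derivation function.
func countDistinct(manifest string, nodes []string, derive func(m, n string) string) int {
	seen := map[string]bool{}
	for _, n := range nodes {
		seen[derive(manifest, n)] = true
	}
	return len(seen)
}

// Constructed sample manifest and node names.
const kubeProxyManifest = "apiVersion: v1\nkind: Pod\nmetadata:\n  name: kube-proxy\nspec:\n  containers:\n  - name: kube-proxy\n    image: example.invalid/kube-proxy:v1.20.0\n"

var nodes = []string{"node-a", "node-b", "node-c"}

func main() {
	specOnly := func(m, _ string) string { return podSpecUID(m) }
	fmt.Println("spec-only derivation, distinct UIDs:", countDistinct(kubeProxyManifest, nodes, specOnly))
	fmt.Println("node-scoped derivation, distinct UIDs:", countDistinct(kubeProxyManifest, nodes, nodeScopedUID))
	for _, n := range nodes {
		fmt.Printf("%s  %s  %s\n", n, podSpecUID(kubeProxyManifest), nodeScopedUID(kubeProxyManifest, n))
	}
}
```

The practical consequence the text warns about follows directly: an ownerReference records the owner's uid, so any object whose ownerReferences point at a static pod will stop matching once the derivation changes, which is why such references should be audited before upgrading.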

Other Projects

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.