The Kubernetes release schedule is changing, to 3 releases a year, starting with this year. Per the KEP and SIG-Release Meeting, we will be releasing new versions of Kubernetes on the following tentative schedule:
Moving to 3 releases a year is expected to make things easier on the SIGs and the release teams. If it doesn’t, we’ll revert back to quarterly releases in 2023.
Rogerio Bastos & Ari Lima discovered CVE-2021-25735, a security hole that allows bypassing some Admission Webhooks, now fixed in the latest update releases.
The Slack team has deployed an “inclusive language” Slack Bot, which is just there to remind you not to use exclusive language like “guys”. This is a bit of an experiment, so we’ll see how it goes.
SIG-CLI plans to overhaul kubectl exit codes and would like your feedback. Will this break your scripts, or fix them?
Next Deadline: 1.22 Release Cycle Begins this week
The 1.22 Release Team has been chosen, and work on the release will start this week. Expect calls for enhancements soon.
As part of the continued push towards a customizable service account JWT system, there is now a migration path towards changing the issuer field. While only the first configured issuer will be used for creating new JWTs, any of them will be accepted as valid when checking existing tokens. This allows for a smooth migration onto a non-default issuer string without downtime for pod tokens. If you haven’t checked out the token volume system, or have been putting off playing with it due to the complexities of the rollout, this may help and thus will unlock a powerful set of tools for pod identity validation.
Distributed tracing fans rejoice! Kube-APIServer will now make better use of the existing “audit ID” concept to be more like a span ID for tracing purposes. This allows for better correlation between tracing tools, error/access logs, and aggregated API requests. If you have existing log parsing for error analysis, probably add this field once it’s available for you.
node-high API priority level has been added to the standard configuration to ensure that even during an overload situation, kubelet status updates and heartbeats will (probably) get processed. This avoids some terrible priority inversion situation where an overload from too many pods starting up never ends as they keep getting rescheduled off “failed” nodes. If you have a customized API fairness configuration, check out this new addition and consider adding something equivalent to your infrastructure.
Promotion of the MemoryBackedVolumeSizing feature to beta (for setting quotas on EmptyDir) was reverted and taken out of 1.21. The feature promotion has been added back to 1.22; hopefully it passes tests this time.
kubectl drain --chunk-sizelets you drain nodes without overwhelming the client with huge resource lists
policy/v1API for Eviction
--extended-resources, and it will log flags for hollow nodes before each run
rest_client_rate_limiter_duration_secondsmetric now actually records data
kubeadm config userexpires certificates
Structured logging migration: linux volumes
Last Week In Kubernetes Development (LWKD) is a product of some members of the Kubernetes project, but is not an official publication of the Kubernetes project or the CNCF. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.