LWKD logo

Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.


View LWKD on GitHub

Week Ending April 14, 2021

Developer News

The Kubernetes release schedule is changing, to 3 releases a year, starting with this year. Per the KEP and SIG-Release Meeting, we will be releasing new versions of Kubernetes on the following tentative schedule:

Moving to 3 releases a year is expected to make things easier on the SIGs and the release teams. If it doesn’t, we’ll revert back to quarterly releases in 2023.

Rogerio Bastos & Ari Lima discovered CVE-2021-25735, a security hole that allows bypassing some Admission Webhooks, now fixed in the latest update releases.

The Slack team has deployed an “inclusive language” Slack Bot, which is just there to remind you not to use exclusive language like “guys”. This is a bit of an experiment, so we’ll see how it goes.

SIG-CLI plans to overhaul kubectl exit codes and would like your feedback. Will this break your scripts, or fix them?

Release Schedule

Next Deadline: 1.22 Release Cycle Begins this week

The 1.22 Release Team has been chosen, and work on the release will start this week. Expect calls for enhancements soon.

1.20.6, 1.19.10, and 1.18.18 are available. Among other things, these fix CVE-2021-25735, so install real soon if you use Admission Webhooks.

#101155: allow multiple of –service-account-issuer

As part of the continued push towards a customizable service account JWT system, there is now a migration path towards changing the issuer field. While only the first configured issuer will be used for creating new JWTs, any of them will be accepted as valid when checking existing tokens. This allows for a smooth migration onto a non-default issuer string without downtime for pod tokens. If you haven’t checked out the token volume system, or have been putting off playing with it due to the complexities of the rollout, this may help and thus will unlock a powerful set of tools for pod identity validation.

#99237: Use the audit ID of a request for better correlation

Distributed tracing fans rejoice! Kube-APIServer will now make better use of the existing “audit ID” concept to be more like a span ID for tracing purposes. This allows for better correlation between tracing tools, error/access logs, and aggregated API requests. If you have existing log parsing for error analysis, probably add this field once it’s available for you.

#101151: Add “node-high” priority-level

This new node-high API priority level has been added to the standard configuration to ensure that even during an overload situation, kubelet status updates and heartbeats will (probably) get processed. This avoids some terrible priority inversion situation where an overload from too many pods starting up never ends as they keep getting rescheduled off “failed” nodes. If you have a customized API fairness configuration, check out this new addition and consider adding something equivalent to your infrastructure.

#101048: Revert Revert

Promotion of the MemoryBackedVolumeSizing feature to beta (for setting quotas on EmptyDir) was reverted and taken out of 1.21. The feature promotion has been added back to 1.22; hopefully it passes tests this time.

Other Merges

Structured logging migration: linux volumes



Version Updates

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.