Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending May 9, 2021
Developer News
CVE-2020-8562 could allow users to eavesdrop on control plane communications. However, to exploit this a user has to be authenticated and needs the permissions to create or edit Node and/or StorageClass objects, so this security issue is rated Low risk. It is not yet patched.
Gaby Moreno Cesar has stepped up as Chair of SIG-Usability. Deep Debroy has retired from SIG-Windows and Claudio Belu has been nominated to replace him.
The CNCF has renamed its teams “TAGs” (or Technical Advisory Groups) instead of “SIGs” which should cure some longstanding confusion between Kubernetes and CNCF teams.
Release Schedule
Next Deadline: Enhancements Freeze, May 13th
The 1.22 Enhancements team has pinged every SIG looking for trackable features, so if you missed that, please get yours in order, including a GitHub issue and merged KEP with all the frills. If you haven’t done one of these in a while, KEPs have gotten longer with more stuff, so take a look. Currently there are 40 listed enhancements from only 9 SIGs, so we’re sure that some of y’all are holding back. Get those filed!
Since the Release Cycle is underway, CI Signal Reports are a thing, so look there to see if you have any flaky tests that need looking after. Kudos to SIG-Network for getting 9 flaky test issues resolved.
Patch releases for all supported versions are due out on Wednesday. This will include the last patch for 1.18, so it’s time for 1.18 users to have an upgrade plan.
Featured PRs
#98028: add auto update for priority & fairness bootstrap configuration objects
When a fresh cluster boots for the first time, kube-apiserver automatically creates a number of objects to configure the API Priority and Fairness system. This initial config is a mix of required settings that should never be altered because they are critical for apiserver functionality, and suggested APF values that are a good default for most people but can be adjusted for special cases. One problem with all of this is that it only happens once, at first startup. We’ve recently adjusted the default APF configs and now have a better way to distribute those automatically.
The process has two halves. For required settings, kube-apiserver will update them every time it starts and then once a minute will re-apply if any changes are detected. For suggested settings, a new apf.kubernetes.io/autoupdate-spec annotation controls if apiserver attempts to keep it updated. It is set to "true" by default during bootstrapping, if you want to make changes ensure it is set to "false" and apiserver will defer to your judgement.
If you have previously customized any of the suggested settings specifically by deleting and recreating them (such that the object generation is still 1), make sure you apply apf.kubernetes.io/autoupdate-spec: false before upgrading or apiserver will assume control.
#96216: refactor: disable insecure serving in controller-manager
While the diff itself isn’t terribly fun, this PR may require action on your part. The old --port and --address flags to kube-controller-manager no longer have any effect and listening on unencrypted HTTP is no longer possible. The CLI options will remain in place (but non-functional) until 1.24 for compatibility. However, if you are scraping metrics from controller-manager and were taking an understandable-but-ill-advised shortcut and using unauthenticated connections on the insecure port, there is no time like the present to upgrade. Switching to HTTPS on port 10257 will get you in the front door, and for authentication it is using a similar pattern to kube-rbac-proxy expecting a ServiceAccount bearer token and running a SubjectAccessReview against a /metrics non-resource URL. Ports and protocols may also need to be updated for any custom container probes.
Other Merges
kubectl diffmasks Secrets- Allow adding tags to static public IPs
- Stop unconditionally installing Docker on Windows, and use GPT partitions
- The test for a service with endpoints now checks that the service works instead of just checking that the objects got created
- More tinkering with the lease controller to avoid deadlocks
- The Filesystem Resize code is moving to mount-utils (backported to 1.21)
- Structured logging gets a duration encoder, fixing a panic (backported to 1.19 & up)
- More work on a FakeClient interface for client-go
- Kubeadm starts setting some default seccomp profiles
kubectl wait --for=deletenow actually ignores not found results in all cases
Promotions
- Indexed Job to beta, including some new metrics and settings
Deprecated
- Flocker, StorageOS, and Quobyte volume plugins are deprecated and going to be removed from core Kubernetes; please migrate to the respective CSI driver as soon as you can; SIG-storage has make the CSI driver better at retaining migrated volumes
- CRIContainerLogRotation feature gate is removed since it’s GA now
- Kubeadm removes HyperKube image support in beta3
Version Updates
- golang to 1.15.12 in 1.19 and 1.20, and to 1.16.4 in 1.21 and 1.22.
- etcd to 3.4.13-3 in Kubeadm installs
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.