CVE-2020-8562 could allow users to eavesdrop on control plane communications. However, exploiting it requires an authenticated user with permission to create or edit Node and/or StorageClass objects, so this security issue is rated Low risk. It is not yet patched.
The CNCF has renamed its teams “TAGs” (or Technical Advisory Groups) instead of “SIGs” which should cure some longstanding confusion between Kubernetes and CNCF teams.
Next Deadline: Enhancements Freeze, May 13th
The 1.22 Enhancements team has pinged every SIG looking for trackable features, so if you missed that, please get yours in order, including a GitHub issue and merged KEP with all the frills. If you haven’t done one of these in a while, KEPs have gotten longer with more stuff, so take a look. Currently there are 40 listed enhancements from only 9 SIGs, so we’re sure that some of y’all are holding back. Get those filed!
Since the Release Cycle is underway, CI Signal Reports are a thing, so look there to see if you have any flaky tests that need looking after. Kudos to SIG-Network for getting 9 flaky test issues resolved.
Patch releases for all supported versions are due out on Wednesday. This will include the last patch for 1.18, so it’s time for 1.18 users to have an upgrade plan.
When a fresh cluster boots for the first time, kube-apiserver automatically creates a number of objects to configure the API Priority and Fairness system. This initial config is a mix of required settings that should never be altered because they are critical for apiserver functionality, and suggested APF values that are a good default for most people but can be adjusted for special cases. One problem with all of this is that it only happens once, at first startup. We’ve recently adjusted the default APF configs and now have a better way to distribute those automatically.
The process has two halves. For required settings, kube-apiserver will update them every time it starts and then, once a minute, will re-apply them if any changes are detected. For suggested settings, a new apf.kubernetes.io/autoupdate-spec annotation controls whether apiserver attempts to keep them updated. It is set to "true" by default during bootstrapping; if you want to make changes, ensure it is set to "false" and apiserver will defer to your judgement.
If you have previously customized any of the suggested settings, specifically by deleting and recreating them (such that the object generation is still 1), make sure you apply apf.kubernetes.io/autoupdate-spec: false before upgrading, or apiserver will assume control.
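A pre-upgrade check for the situation above, added here as an example rather than anything shipped by Kubernetes: it reads the JSON that kubectl produces for FlowSchema and PriorityLevelConfiguration objects and lists those apiserver will treat as its own (generation 1 and no "false" annotation), so you can spot any you recreated by hand. The object names in the embedded sample are constructed.

```python
import json

AUTOUPDATE = "apf.kubernetes.io/autoupdate-spec"

# Constructed sample in the shape of
#   kubectl get flowschemas,prioritylevelconfigurations -o json
# The names are illustrative, not a dump from a real cluster.
SAMPLE_JSON = json.dumps({"items": [
    # deleted and recreated by an admin: no annotation, generation 1
    {"kind": "FlowSchema",
     "metadata": {"name": "recreated-by-me", "generation": 1}},
    # edited in place: generation moved past 1, apiserver leaves it alone
    {"kind": "FlowSchema",
     "metadata": {"name": "edited-in-place", "generation": 3}},
    # explicitly opted out of automatic updates
    {"kind": "PriorityLevelConfiguration",
     "metadata": {"name": "opted-out", "generation": 1,
                  "annotations": {AUTOUPDATE: "false"}}},
    # untouched default, still marked for automatic updates
    {"kind": "PriorityLevelConfiguration",
     "metadata": {"name": "still-default", "generation": 1,
                  "annotations": {AUTOUPDATE: "true"}}},
]})


def apiserver_will_overwrite(obj):
    """True if apiserver would treat this object as its own and rewrite its spec."""
    meta = obj["metadata"]
    annotations = meta.get("annotations") or {}
    if annotations.get(AUTOUPDATE) == "false":
        return False  # explicit opt-out: apiserver defers to you
    # Generation 1 means the spec was never updated in place, so a
    # deleted-and-recreated custom object looks exactly like a default.
    return meta.get("generation", 1) == 1


def objects_to_review(kubectl_json):
    """Return [(kind, name), ...] of objects apiserver will manage after upgrade."""
    items = json.loads(kubectl_json)["items"]
    return [(o["kind"], o["metadata"]["name"])
            for o in items if apiserver_will_overwrite(o)]


def optout_command(kind, name):
    """kubectl command that stops apiserver from updating this object's spec."""
    return f"kubectl annotate {kind.lower()} {name} {AUTOUPDATE}=false --overwrite"


if __name__ == "__main__":
    for kind, name in objects_to_review(SAMPLE_JSON):
        print(f"{kind}/{name}: will be overwritten; if you customised it, run:")
        print("  " + optout_command(kind, name))
```

Untouched defaults appear in the list too; only run the printed command for objects you actually customised.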
While the diff itself isn’t terribly fun, this PR may require action on your part. The old --address flags to kube-controller-manager no longer have any effect, and listening on unencrypted HTTP is no longer possible. The CLI options will remain in place (but non-functional) until 1.24 for compatibility. However, if you are scraping metrics from controller-manager and were taking an understandable-but-ill-advised shortcut by using unauthenticated connections on the insecure port, there is no time like the present to upgrade. Switching to HTTPS on port 10257 will get you in the front door; for authentication it uses a similar pattern to kube-rbac-proxy, expecting a ServiceAccount bearer token and running a SubjectAccessReview against the /metrics non-resource URL. Ports and protocols may also need to be updated for any custom container probes.
kubectl diff masks Secrets
kubectl wait --for=delete now actually ignores not-found results in all cases
Last Week In Kubernetes Development (LWKD) is a product of some members of the Kubernetes project, but is not an official publication of the Kubernetes project or the CNCF. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.