Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.

Week Ending June 27, 2021

Developer News

The Community Annual Report is out.

Release Schedule

Next Deadline: Code Freeze, July 8th

Code Freeze is starting in a little over a week, which means it’s time to merge those enhancements or punt them to 1.23. Also, don’t forget that Docs wants your placeholder PRs on July 9th. There’s just one open critical-urgent bug in 1.22 right now, so if you know the code, maybe help close it?

Cherry-picks for the next patch release are due July 12th.

#103099: PodSecurity admission

While PodSecurityPolicies are being deprecated, there is both demand and desire to provide some level of protection in Kubernetes itself for common use cases and patterns. So we have the new Pod Security system as a very partial replacement. The goal here is to start small, so if your use case isn’t exactly covered, you can keep using an out-of-tree validation webhook, or use a webhook and this together. I can’t cover the full cross-section of this new system, so if you are interested in trying it, please do check out the KEP. But a basic summary:

There are three security profiles:

Unlike PSPs, these policies are baked in and cannot be changed by users, though they are versioned so updates can be released along Kubernetes itself. What these mean in concrete terms is each policy has a set of Pod fields and the values permitted for them. If you want to start experimenting with these now there are equivalent PSPs provided.

You configure which policies to use where based on labels on the Namespace object. Once configured, the policy will apply to all Pods (and PodTemplate-containing objects in core) in that Namespace. On each Namespace, there are three policy actions that can be configured:

You can (and probably will) use several of these at once to get the desired response behavior. You can also specify a ...-version label for each of the three actions, which controls the version of the policy to use. Versions follow Kubernetes’ own versioning, with a default of latest, which gives you the most current version of the policy.

tl;dr: three pre-set security policies, configured using Namespace labels; enforce vs. log vs. warn configured per Namespace.
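To make the label scheme concrete, here is an added example (not LWKD’s or the Kubernetes project’s code) that resolves which policy applies for each of the three actions from a Namespace’s labels, including the default-to-latest rule for the version labels. The label key prefix and the level names come from the KEP rather than this page, so treat them as assumptions here; the sample labels are constructed.

```python
# Added example: resolve the PodSecurity admission configuration that a
# Namespace's labels express. Label keys and level names follow the KEP
# (assumed here, not quoted from the page).
from dataclasses import dataclass

PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")          # the three policy actions
LEVELS = ("privileged", "baseline", "restricted")  # the three profiles


@dataclass(frozen=True)
class Policy:
    level: str
    version: str  # "latest" or "v<major>.<minor>"


def _is_version(v: str) -> bool:
    """Accept Kubernetes-style version strings such as 'v1.22'."""
    if not v.startswith("v"):
        return False
    major, sep, minor = v[1:].partition(".")
    return sep == "." and major.isdigit() and minor.isdigit()


def resolve_policies(labels: dict) -> dict:
    """Return {mode: Policy} for every action configured on the Namespace.

    A mode with no level label is absent (nothing happens for that action).
    A bare ...-version label without its level label is ignored, and a
    missing ...-version label defaults to "latest".
    """
    policies = {}
    for mode in MODES:
        level = labels.get(PREFIX + mode)
        if level is None:
            continue
        if level not in LEVELS:
            raise ValueError(f"{mode}: unknown level {level!r}")
        version = labels.get(PREFIX + mode + "-version", "latest")
        if version != "latest" and not _is_version(version):
            raise ValueError(f"{mode}-version: bad version {version!r}")
        policies[mode] = Policy(level, version)
    return policies


# Constructed sample: enforce baseline pinned to v1.22, warn and audit on
# restricted at the latest version, so stricter violations are visible
# without yet blocking Pods.
NAMESPACE_LABELS = {
    PREFIX + "enforce": "baseline",
    PREFIX + "enforce-version": "v1.22",
    PREFIX + "warn": "restricted",
    PREFIX + "audit": "restricted",
}

if __name__ == "__main__":
    for mode, policy in resolve_policies(NAMESPACE_LABELS).items():
        print(f"{mode}: {policy.level} ({policy.version})")
```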

Other Merges

Structured Log log: API registry logs

Promotions

Cleanups

Version Updates

Last Week In Kubernetes Development (LWKD) is a product of some members of the Kubernetes project, but is not an official publication of the Kubernetes project or the CNCF. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD GitHub repo.