LWKD logo

Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.


View LWKD on GitHub

Week Ending February 20, 2022

Developer News

The monthly Community Meeting is back! Every 3rd Thursday of the month we’ll be meeting; subscribers to dev@kubernetes.io should have the calendar item. Contact Laura Santamaria if you’re available to help run it. Last week’s Community Meeting covered the Dockershim removal planning, the Reliability Bar proposal, and the last follow up on the move to dev@kubernetes.io. Video will be up soon, and next meeting is March 17th.

SIG-CLI is discussing whether we should implement robust file locking for kubeconfig, or phase out file locking entirely. Please reach out and add your use cases.

The job queueing API design has advanced over the last month.

Release Schedule

Next Deadline: Exceptions due, March 21st

We are currently in the feature development phase, where the listed enhancements are trying to finish all of their requirements. If your feature did not get listed, you have exactly four weeks to ask for an exception.

CI Signal is looking OK with four failing jobs and two flaky ones, which (considering dockershim) isn’t that bad. Still, if any of the failing/flaking tests are something you can help, with, please pitch in.

Patch updates were released last week after a short delay. This includes 1.23.4, 1.22.7, and 1.21.10. Version 1.20 is no longer being patched, please upgrade.

Release engineering is experimenting with automated fast-forward in Prow, which you can see mocked here. The idea is to eliminate a lot of the manual cherry-picking work. If it looks good, we’ll use it for 1.25.

#107880: Add command to request a bound service account token

Bound service account tokens have been around for a while, used in features like the serviceAccountToken volume type, but it will now be directly accessible to users more easily via a kubectl create token command. This command can create a normal (unbound) token and display it, but it can also take an audience, expiration time, or object binding (object bound tokens are valid only while that object exists). If you are currently using kubectl get secret to retrieve the current automatic tokens, look into switching to the new command once it is available.

Some examples from the documentation:

# Create a token only valid for 10 minutes.
$ kubectl create token myapp --expiration-seconds 600

# Create a token only valid while a certain deployment exists.
$ kubectl create token myapp --bound-object-kind Deployment --bound-object-name myapp-deployment

This PR also includes a number of changes to the TokenRequest API to make it more error resistent as well as granting the default admin and edit roles access to create tokens.

#107481: Remove dashboard cluster addon

The cluster addons system was the original “app store for Kubernetes”. In the years since, many others have come (and some have gone), but throughout the addons have remained. The Kubernetes dashboard project has reached a point where maintaining the addon is no longer worthwhile given the relative stability and uptake of other options. They continue to maintain and support their own install manifests and if you are migrating off the old addon, these are likely the easiest option.

More generally, if you are still making heavy use of the addons system, consider if any could be moved to more modern tools as this will not be the last addon to turned down.

Other Merges



Version Updates

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.