Next Deadline: Test Freeze and Docs Due, July 25th
We are now in Code Freeze, with 41 tracked Enhancements, and on target for an August 15th release. Tuesday is the big day for all the code freeze activities, with a halt to test changes (except bug fixes), documentation ready for review, RC0 released, and the 1.28 release branched. Comms and the SIG Leads will also decide the major themes of the 1.28 release, and release notes will start working on their draft. Mickey Boxell, Release Lead Shadow, says that even though we’re past the deadline for Feature Blog items, if you have something really good, opt-in and contact the release team.
CEL-based admission policies have, for a while now, supported binding-time parameters. This lets a single policy vary specific values for specific targets, such as “all deployments starting with web- must have at least 4 replicas, but deployments starting with worker- must have at least 2”. Params are supplied through a paramRef on the policy binding that points at another object, and because that object can be a custom resource the parameters themselves can be validated and kept to a schema. This has all worked well, but one fairly common use case hasn’t so far been easy: setting per-namespace params. The new namespaceParamRef mode adds this, letting the binding point at a param object in the namespace of the object being admitted rather than at one fixed object. In concrete terms this allows things like “PVCs in each namespace can only request up to N bytes”, where N is set separately for each namespace. It also lets namespace-level admins tweak the parameters for their own applications without having control over the policy as a whole.
This is also a milestone PR, as it is the last feature from KEP-3488’s “phase 2”; with it complete, the CEL for Admission Control feature has been promoted to beta. Big congrats to everyone who has helped build this system over the year it has been in development!
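As an added example (not code from the PR, KEP-3488, or this newsletter), here is the per-namespace pattern described above written out as 1.28-style manifests: a namespaced StorageLimit CRD to hold the params, a ValidatingAdmissionPolicy that compares a PVC’s storage request against them, a binding whose paramRef names the param object but omits a namespace (which, as I read the v1beta1 API, makes the lookup happen in the namespace of the PVC being admitted), and two per-namespace StorageLimit objects. The policy.example.com group, the resource names, the namespaces, and the use of the CEL quantity() helper (which I believe became available in 1.28) are my assumptions.

```yaml
# Added example: per-namespace params for a ValidatingAdmissionPolicy.
# Assumes a 1.28 cluster with the ValidatingAdmissionPolicy feature gate and
# the admissionregistration.k8s.io/v1beta1 API enabled. Names are illustrative.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: storagelimits.policy.example.com
spec:
  group: policy.example.com
  scope: Namespaced            # namespace-scoped paramKind: one object per namespace
  names:
    plural: storagelimits
    singular: storagelimit
    kind: StorageLimit
  versions:
  - name: v1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            required: [maxStorage]
            properties:
              maxStorage:
                type: string
                # the schema is the only guardrail on what a namespace admin can set
                pattern: '^[0-9]+(Ki|Mi|Gi|Ti)?$'
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: pvc-storage-limit.policy.example.com
spec:
  failurePolicy: Fail          # fail closed if the expression cannot be evaluated
  paramKind:
    apiVersion: policy.example.com/v1
    kind: StorageLimit
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["persistentvolumeclaims"]
  validations:
  - expression: "!quantity(object.spec.resources.requests.storage).isGreaterThan(quantity(params.spec.maxStorage))"
    messageExpression: "'PVC requests ' + object.spec.resources.requests.storage + ' but this namespace allows at most ' + params.spec.maxStorage"
    reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: pvc-storage-limit-binding
spec:
  policyName: pvc-storage-limit.policy.example.com
  validationActions: [Deny]
  paramRef:
    name: pvc-limit
    # namespace deliberately omitted: with a namespace-scoped paramKind the
    # StorageLimit named "pvc-limit" is resolved in the PVC's own namespace
    parameterNotFoundAction: Deny   # namespaces without a StorageLimit get no PVCs at all
---
# Per-namespace params (constructed sample values)
apiVersion: policy.example.com/v1
kind: StorageLimit
metadata:
  name: pvc-limit
  namespace: team-a
spec:
  maxStorage: 50Gi
---
apiVersion: policy.example.com/v1
kind: StorageLimit
metadata:
  name: pvc-limit
  namespace: team-b
spec:
  maxStorage: 2Gi
```

Two points a practitioner should check before relying on this. First, parameterNotFoundAction decides what happens in a namespace that has no StorageLimit: Deny (used here) blocks every PVC there until someone creates one, while Allow silently waives the limit, so pick deliberately. Second, the binding and policy are cluster-scoped and stay with the cluster admin, but whoever has RBAC edit rights on storagelimits in a namespace can raise that namespace’s cap; the CRD schema (here, a quantity-shaped string) is the only constraint on what they can set, so add CEL validation rules to the CRD if you need a hard ceiling.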
If there is one thing we nerds like it’s consistency, and as T extends towards infinity it seems like all software ends up supporting a .d/ config folder pattern. Now it is kubelet’s turn, with --config-dir=/etc/kubelet.conf.d (or any other path you want). As with other .d/ patterns, this lets you layer a configuration out of multiple fragments, loaded in lexical order (usually meaning files named 0001-something.yaml and so on, so the numeric prefix fixes the order). This is a big win for deployment tools, distributors, and anything which wants to interact with kubelet configs in a modular way. As an alpha feature, using it requires setting $KUBELET_CONFIG_DROPIN_DIR_ALPHA in the kubelet’s environment for now, but check it out if you can!
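An added illustration of the drop-in layout (my own example, not from the KEP or the kubelet code): a base KubeletConfiguration plus two fragments in the --config-dir directory, shown as one multi-document file with a comment naming where each piece would live. The file paths, fragment names and hardening values are my choices, and the precedence is my reading of the feature: fragments override the base file, and a fragment later in lexical order overrides an earlier one for the same field.

```yaml
# Added example: kubelet drop-in configuration layout (paths are assumptions).
# --- /var/lib/kubelet/config.yaml  (base file passed with --config) ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true          # weak default as shipped: unauthenticated callers reach the kubelet API
authorization:
  mode: AlwaysAllow        # weak: every authenticated request is allowed
readOnlyPort: 10255        # weak: unauthenticated read-only API on a second port
maxPods: 110
---
# --- /etc/kubelet.conf.d/10-hardening.yaml  (drop-in, loaded first) ---
# Each fragment is itself a KubeletConfiguration document; only the fields it
# sets are overlaid on the base file.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false         # overrides the base file
  webhook:
    enabled: true          # authenticate bearer tokens via TokenReview
authorization:
  mode: Webhook            # authorize via SubjectAccessReview instead of AlwaysAllow
readOnlyPort: 0            # disable the unauthenticated port
---
# --- /etc/kubelet.conf.d/20-site.yaml  (drop-in, loaded after 10-*, so it wins on conflicts) ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
maxPods: 200               # site-specific tuning; does not touch the hardened auth fields
```

With the alpha env var set, the kubelet is started with both --config=/var/lib/kubelet/config.yaml and --config-dir=/etc/kubelet.conf.d. Because a fragment dropped into that directory can flip authorization.mode back to AlwaysAllow or re-enable the read-only port, the directory deserves the same ownership and permissions as the kubelet config file itself (root-owned, not group- or world-writable) and should be covered by whatever file-integrity monitoring already watches the base file. To confirm what actually took effect after layering, read the node’s live configuration through the API server with kubectl get --raw "/api/v1/nodes/<node-name>/proxy/configz" rather than trusting the files on disk.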
This KEP provides an alternative to webhooks as a form of validating admission control. It introduces a ValidatingAdmissionPolicy kind in the admissionregistration.k8s.io group; a ValidatingAdmissionPolicy object defines an admission control policy in which CEL expressions express the validation rules and declare how the policy is configured.
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.