Contributor Summit Europe is looking for volunteers.
Next Deadline: Draft Doc PRs and Major Themes due, Nov. 14
This PR fixes a bug where the “system:masters” group was being used in the apiserver-kubelet-client certificate specification. This group is too privileged and should be used less frequently. The PR changes the group to “kubeadm:cluster-admins”, a less privileged group that is still able to perform all of the necessary tasks but does not have the same level of access as the “system:masters” group.
It also adds a test to ensure that the “kubeadm:cluster-admins” group is always present when the certificate is updated or regenerated. This helps prevent the certificate from being updated to use the “system:masters” group if the “kubeadm:cluster-admins” group is not present.
This KEP adds support for Kubernetes nodes to use swap memory on Linux. Kubernetes didn’t support swap memory before this KEP since accounting for pod memory utilization becomes difficult when swap is involved. This KEP proposes adding swap support so that the kubelet can run with swap on when running on Linux systems with swap memory provisioned. By default, swap would be set to 0 for all Kubernetes workloads. The KEP also proposes configuration options to set swap utilization for entire nodes. The authors also recommend using encrypted swap for security, since there is a chance for Kubernetes secrets to get swapped out to the disk. Enabling encryption for swap needs to be done from OS configuration and is outside the scope of the kubelet.
This KEP is currently in alpha state and was first released in v1.22. Getting it to Beta has been slow because of multiple performance issues and bugs; if you know Linux memory management, consider helping out.
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers; see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD GitHub repo.