Now that most Kubernetes components are using structured logging, SIG-Instrumentation would like to talk about contextual logging as a feature. Like structured logging, this will affect a lot of components across the project.
We had a storm of spam on the mailing lists last week, so many Kubernetes lists are now moderated-first-post. Be patient with the delay when you first join a list.
Next Deadline: PRR heads-ups due, January 27th
It’s Week 3 of 1.24! Your initial info to the Production Readiness team is due this week, and Enhancements Freeze will follow a week later.
Enjoy the relatively benign CI Signal Report for Week 3. Getting close to fixing all the tests that broke with the dockershim removal.
This is the last update for 1.20, so schedule that upgrade now, eh?
An unfortunate regression in 1.23 has lead to a behavior change with
x-kubernetes-preserve-unknown-fields on arrays. This will be resolved in 1.23.3 to be released shortly. If you make use of this feature in any of your operators or other out-of-tree controllers, it is recommended you hold off on upgrading until 1.23.3 is available.
As a workaround if you’ve already upgraded, you can set
x-kubernetes-preserve-unknown-fields on the array items as well as the array itself:
type: array x-kubernetes-preserve-unknown-fields: true items: type: object x-kubernetes-preserve-unknown-fields: true
Running containers (and everything else) with minimum privileges has always been an important best practice. With Linux, one part of that security hardening is dropping unneeded process capabilities. Most of our applications need none of capability flags and so a simple
drop: [ALL] does the trick. But when needing to keep one or two of them, while also running the process as a non-root user as well should be, things get more complicated. While there have been a number of complex workarounds involving build-time file capabilities, it hasn’t been as easy and data-driven as the rest of our security policy settings. Linux 4.3, released back in 2015, added a new feature to help mediate this called “ambient capabilities”. These are set at the process exec in a similar way to the normal capabilities but are preserved across a UID change (subject to some safety rules).
This PR starts the plumbing for supporting ambient capabilities in CRI and then in Kubernetes. Containerd already has a PR up to support the new CRI field and CRI-O will be adding it shortly. The exact implementation in the PodSpec side are still being discussed, please reach out to SIG-Security with any feedback.
A much smaller PR, this is great example of how easy it can be to upgrade a controller from using a merge patch to Server Side Apply. Moving to SSA gives improved field tracking, better integration with other API writers, and generally makes the controller benefit from all future bug fixes in SSA. If you’ve got a controller, in-tree or external, that hasn’t yet upgraded, now is a great time to think about it.
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.