Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.


Week Ending January 29, 2023

Developer News

Filip Krepinsky would like to make controller names more consistent. Also, changes to issue triage are getting closer to being merged.

We are now skipping some failing Windows unit tests because nobody has stepped forward to fix them. Windows remains poorly tested as a platform. If you’re interested in helping out, please contact SIG-Windows.

Release Schedule

Next Deadline: PRR Freeze, February 2nd

It’s almost production readiness review (PRR) time! The PRR team has recruited some shadows in order to spread the load of review. They’ll hold office hours on Tuesday at 11:30am PST. Enhancements Freeze comes a week after, on February 10th.

#114418: Reserve Nodeport Ranges For Dynamic And Static Port Allocation

NodePort services use high ports on every node to allow out-of-cluster clients to talk to in-cluster services without the complexity of external load balancers. These are often invaluable when building infrastructure with existing stuff that will remain outside of Kubernetes but needs to interact with newer code. NodePorts have always supported a static allocation mode to allow pre-defining which port to use on each node; however, this has been somewhat complicated by the parallel use of a dynamic allocator. This left a race condition where a manually specified port might already be in use by the time the Service object is applied. While rare, this could throw a big wrench in the works when bringing up a new cluster or service. KEP 3682 fixes this by prioritizing dynamic allocation from the top of the port range, allowing the bottom of the range to be safely used for static things. Other than the feature gate, this is fully automatic and requires no configuration: just update your future static NodePorts to increment from the start of your port range and you’ll have one less weird random failure every now and then.

#112809: apiserver: fix cve for CORS

One of the underlying libraries used in kube-apiserver, go-restful, had a CVE disclosed last June in its CORS handling. While go-restful fixed the issue by removing support for (most) regular expressions in their CORS filter, our compatibility requirements led us to introduce a parallel implementation of the same functionality. Unfortunately, our implementation also fell victim to the same bug as upstream, and this has now been corrected. If you use the --cors-allowed-origins configuration option, you will be forced to use a safe regexp, one with a leading ^ and trailing $. This does mean a minor speed bump while upgrading, so check your configs and add the anchors now to save yourself some trouble.
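An added example, not code from the Kubernetes PR or from LWKD: a small Go check for --cors-allowed-origins entries that flags a missing leading ^ or trailing $ and shows why the anchors matter. The sample patterns and origins are constructed, the function names are hypothetical, and it assumes each pattern is applied as an unanchored regular-expression search.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// endsAnchored reports whether p ends in an unescaped $ (a trailing `\$` is a literal dollar sign).
func endsAnchored(p string) bool {
	if !strings.HasSuffix(p, "$") {
		return false
	}
	body := strings.TrimSuffix(p, "$")
	slashes := len(body) - len(strings.TrimRight(body, `\`))
	return slashes%2 == 0
}

// AuditOrigin returns the problems found in one --cors-allowed-origins entry;
// an empty result means it compiles and carries both anchors.
// This is a syntactic pre-upgrade check, not the kube-apiserver's own validation.
func AuditOrigin(p string) []string {
	if _, err := regexp.Compile(p); err != nil {
		return []string{"does not compile: " + err.Error()}
	}
	var problems []string
	if !strings.HasPrefix(p, "^") {
		problems = append(problems, "missing leading ^")
	}
	if !endsAnchored(p) {
		problems = append(problems, "missing trailing $")
	}
	return problems
}

// Matches applies p as an unanchored search: a hit anywhere in origin counts (assumed semantics).
func Matches(p, origin string) bool {
	return regexp.MustCompile(p).MatchString(origin)
}

func main() {
	// Constructed sample values; .test and .invalid are reserved TLDs.
	lookalike := "https://app.example.test.other.invalid"
	for _, p := range []string{
		`https://app\.example\.test`,    // no anchors: also matches the longer origin
		`^https://app\.example\.test$`,  // anchored: matches only the exact origin
		`^https://app\.example\.test\$`, // escaped $: not an end anchor
	} {
		fmt.Printf("%-32s problems=%q matches lookalike=%v\n", p, AuditOrigin(p), Matches(p, lookalike))
	}
}
```
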

Other Merges

Test Cleanup: polling probe connectivity, node/storage test refactor, runtime class handler, log client-go test retries


Version Updates

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD GitHub repo.