Week Ending March 5, 2023

Developer News

Reminder: k8s.gcr.io will be frozen on April 3rd. You need to update all components to target registry.k8s.io. Also, update your production clusters to pull from registry.k8s.io; this should work with both (updated) containerd and CRI-O now.

The Contributor Summit is looking for session suggestions. These can be sessions you’ll lead, or sessions you want to attend – please suggest!

Kubernetes has been invited to participate in the 2023 OpenInfra Project Team Gathering. If you’re interested – especially if you were going anyway – please tell Kendall Nelson. We particularly want folks who work on the OpenStack Cloud Provider.

Release Schedule

Next Deadline: Feature Blog Freeze, March 8th

By the time you read this, enhancement exceptions are closed, which means its on to deciding what we’ll feature in the blog. Time to do a write-up! Code Freeze and draft docs deadline are a week from now, March 15th. 1.27 Alpha 3 is out if you wanted to give it a spin.

The cherry-pick deadline for the next set of patch releases is this Friday.

Featured PRs

#116054: KEP-3488: Implement secondary authz for ValidatingAdmissionPolicy

CEL for admission control was added as an Alpha feature in 1.26. This allows writing complex admission control rules as CEL expressions in declarative resources rather than building and deploying webhooks. Admission webhooks have been a cornerstone of our flexibility and integration with third-party tools, however they are a lot of complexity to bite off for new users and the new CEL systems hopefully will take over for simpler, standalone cases where only small tweaks to the default rules are needed.

This PR adds some new, powerful capabilities to the system. Previously the expression context exposed information about the current request and the target resource, now you can dip back into authorization layer to check RBAC permissions in a dynamic way. Some places this could be useful would be using RBAC for per-field update permissions, allowing RBAC checks for specific objects without using the dreaded resourceNames system, or limiting access to procedurally sensitive fields like finalizers based on the requester identity without having to generate complex RBAC policies.

This was also joined this week by #115973 which allows emitting audit log events either as a primary action for failures or if you need more data, you can write one or more CEL expressions to provide detailed values which will get sent to the audit subsystem. This allows for both powerful debugging options while developing new policies as well as runtime analysis. Other CEL admission features include cost checking so you don’t accidental denial-of-service your own kube-apiserver with all these new features, and improved type checking. All together there’s a ton of new capabilities for CEL-based admission processing, hopefully further pushing webhooks into only the places they are needed most.

Other Merges

• Limit the number of concurrent image pulls by the kubelet
• Watch-list streaming has an API
• Shutting down Informers will wait for goroutines
• Clean up code/explain links to obsolete user-guide URLs
• The OpenAPI v3 upgrade PR that was reverted last week has been de-reverted, which lets us use the OpenAPI v3 QueryParamVerifier
• Don’t set default storage class if there is a legacy storageclass
• Make sure to include labels when using pruning v2
• Add some volume reconstruction metrics and plugin eval metrics
• Stop tolerating 403s and 404s
• If PDB finds an unmanaged pod, create warning events
• You can run benchstat interactively for quick performance tests
• Replace deprecated type pointers in kubelet
• Check for healthy devices during node recovery
• Really allocate a full core when we say we are
• Automatically re-create PVCs for StatefulSet pods where possible
• Speed up FormatMap by 4x

Testing Improvements: kms2 tests, more kms2 tests, kms2 test setup, check if in Windows VM, run go-vet in go linting, batch validation, aggregator tests, check for unknown pods, device manager revo

Promotions

• PodTopology matchLabelKeys to beta
• GRPCContainerProbe to GA

Deprecated

• The long-deprecated in-tree AWS Cloud Provider is removed, including EBS; start using the external cloud provider and CSI driver
• Remove very old superseded IPv6DualStack feature gate from controller-manager

Version Updates

• etcd to 3.5.7
• klog to v2.90.0
• Update kube-openapi
• go-jose to v2.6.0

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.