LWKD logo

Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.


View LWKD on GitHub

Week Ending March 5, 2023

Developer News

Reminder: k8s.gcr.io will be frozen on April 3rd. You need to update all components to target registry.k8s.io. Also, update your production clusters to pull from registry.k8s.io; this should work with both (updated) containerd and CRI-O now.

The Contributor Summit is looking for session suggestions. These can be sessions you’ll lead, or sessions you want to attend – please suggest!

Kubernetes has been invited to participate in the 2023 OpenInfra Project Team Gathering. If you’re interested – especially if you were going anyway – please tell Kendall Nelson. We particularly want folks who work on the OpenStack Cloud Provider.

Release Schedule

Next Deadline: Feature Blog Freeze, March 8th

By the time you read this, enhancement exceptions are closed, which means its on to deciding what we’ll feature in the blog. Time to do a write-up! Code Freeze and draft docs deadline are a week from now, March 15th. 1.27 Alpha 3 is out if you wanted to give it a spin.

The cherry-pick deadline for the next set of patch releases is this Friday.

#116054: KEP-3488: Implement secondary authz for ValidatingAdmissionPolicy

CEL for admission control was added as an Alpha feature in 1.26. This allows writing complex admission control rules as CEL expressions in declarative resources rather than building and deploying webhooks. Admission webhooks have been a cornerstone of our flexibility and integration with third-party tools, however they are a lot of complexity to bite off for new users and the new CEL systems hopefully will take over for simpler, standalone cases where only small tweaks to the default rules are needed.

This PR adds some new, powerful capabilities to the system. Previously the expression context exposed information about the current request and the target resource, now you can dip back into authorization layer to check RBAC permissions in a dynamic way. Some places this could be useful would be using RBAC for per-field update permissions, allowing RBAC checks for specific objects without using the dreaded resourceNames system, or limiting access to procedurally sensitive fields like finalizers based on the requester identity without having to generate complex RBAC policies.

This was also joined this week by #115973 which allows emitting audit log events either as a primary action for failures or if you need more data, you can write one or more CEL expressions to provide detailed values which will get sent to the audit subsystem. This allows for both powerful debugging options while developing new policies as well as runtime analysis. Other CEL admission features include cost checking so you don’t accidental denial-of-service your own kube-apiserver with all these new features, and improved type checking. All together there’s a ton of new capabilities for CEL-based admission processing, hopefully further pushing webhooks into only the places they are needed most.

Other Merges

Testing Improvements: kms2 tests, more kms2 tests, kms2 test setup, check if in Windows VM, run go-vet in go linting, batch validation, aggregator tests, check for unknown pods, device manager revo



Version Updates

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.