Week Ending May 28, 2023

Developer News

Please take the Production Readiness Survey if you are a cluster operator.

Security Vuln: If you are using secrets-store-CSI-driver with Token Requests enabled, you are exposed to CVE-2023-2878. Please disable them and/or upgrade to v1.3.3 soon.

SIG-Testing has disabled Gubernator, the old test log viewer, after discovering a security issue. Please use Prow View instead.

Sean Sullivan has stepped down from SIG-CLI, and Natasha Sarkar and Eddie Zaneski are stepping up to leadership. Brady Pratt has been nominated as SIG-Testing chair, and Steve Kuznetsov is retiring. Finally, WG-Reliability is dissolving, having done a great job of getting Kubernetes more stable.

Release Schedule

Next Deadline: PRR Freeze, June 8th

Please opt-in your enhancements before June 8th to get PRReview. Final enhancement freeze is a week later.

Featured PRs

LegacyServiceAccountTokenCleanUp alpha #115554

Bound service account tokens went GA in 1.22, and are the current and more secure way to allocate service tokens. However, automated generation of the older secret-based tokens is still enabled, and production clusters will have a lot of old tokens still stored. KEP 2799 cleans this up, ending auto-generation of old tokens. This PR implements a purge of of the old tokens if enabled using the LegacyServiceAccountTokenCleanUp feature gate. By 1.30 or so, expect it to be on by default.

Other Merges

• PV recycler can scrub volumes with large numbers of files
• Client-go: use reflector cache memory more efficiently
• List and Watch both share the same backoff manager
• Annotate pods that are disrupted to make way for a critical pod, so that we know whether to retry them
• kubeadm can validate configurations, inits much faster and will warn, not error for deprecations
• Prevent APIservice objects from being deleted at server start
• Fix code block indentation in kubectl --help
• Cloud Providers don’t have to have providerID to still work with load balancers
• restricted debug profile works now
• Contextual Logging Migration: scheduler interface

Promotions

• ServiceNodePortStaticSubrange to beta
• LegacyServiceAccountTokenTracking to GA
• ExpandedDNSConfig to GA
• podresources to GA

Deprecated

• kube-batch is archived
• Remove the deprecated azure-file in-tree storage

Version Updates

• Kubespray is v2.22

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.