LWKD logo

Last Week in Kubernetes Development

Stay up-to-date on Kubernetes development in 15 minutes a week.


View LWKD on GitHub

Week Ending April 14, 2024

Developer News

CVE-2024-3177, rated Low, was discovered in Kubernetes, where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

Release Schedule

Next Deadline: Release Day, April 17th

Kubernetes v1.30.0-rc.2 is live!

Kubernetes v1.30 is scheduled to be released today. To accommodate this, patch releases v1.27.13, v1.28.9 and v1.29.4 have been cut one day early.

KEP of the Week

KEP 3141:Prevent unauthorised volume mode conversion during volume restore

The KEP proposes preventing unauthorized volume mode conversion when creating PVCs from VolumeSnapshots in Kubernetes. It introduces modifications to the VolumeSnapshotContent API spec, control flows of snapshot-controller and external-provisioner, and an annotation name snapshot.storage.kubernetes.io/allow-volume-mode-change on VolumeSnapshotContent resources. These changes mitigate security vulnerabilities while allowing authorized use cases, such as backup processes, to proceed efficiently. This addresses potential exploitation by malicious users and aims to prevent kernel vulnerability, particularly in scenarios involving potential future CVEs affecting filesystems.

This KEP is tracked to graduate to stable in the upcoming v1.30 release.

Subprojects and Dependency Updates

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.