Stay up-to-date on Kubernetes development in 15 minutes a week.
CVE-2024-3177, rated Low, was discovered in Kubernetes, where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.
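As an added illustration of the gap this CVE describes (not code from LWKD or the Kubernetes project): an offline audit that flags envFrom.secretRef entries, in regular, init and ephemeral containers, that name a Secret the pod's ServiceAccount does not list as mountable when the kubernetes.io/enforce-mountable-secrets annotation is set. The sample ServiceAccount and Pod objects are constructed.

```python
# Added example, not part of the LWKD page or the Kubernetes source tree.
# Object shapes follow the Kubernetes API; the samples below are constructed.
ENFORCE = "kubernetes.io/enforce-mountable-secrets"

def envfrom_secret_refs(pod):
    """Yield (container_kind, container_name, secret_name) for every
    envFrom.secretRef in containers, initContainers and ephemeralContainers,
    the three container lists named in the CVE."""
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            for src in c.get("envFrom", []) or []:
                ref = src.get("secretRef")
                if ref and ref.get("name"):
                    yield kind, c.get("name"), ref["name"]

def unmountable_envfrom_secrets(pod, service_account):
    """Return envFrom secret references that the mountable-secrets policy
    should reject. Returns [] when the ServiceAccount has not opted in via
    the enforce annotation, mirroring the admission plugin's precondition."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE) != "true":
        return []
    allowed = {s["name"] for s in service_account.get("secrets", []) if "name" in s}
    return [(kind, cname, secret)
            for kind, cname, secret in envfrom_secret_refs(pod)
            if secret not in allowed]

# Constructed sample: the ServiceAccount only permits "app-token"; the init
# container pulls a different Secret through envFrom.
SAMPLE_SA = {
    "metadata": {"name": "app", "annotations": {ENFORCE: "true"}},
    "secrets": [{"name": "app-token"}],
}
SAMPLE_POD = {
    "spec": {
        "serviceAccountName": "app",
        "initContainers": [{"name": "init",
                            "envFrom": [{"secretRef": {"name": "db-creds"}}]}],
        "containers": [{"name": "main",
                        "envFrom": [{"secretRef": {"name": "app-token"}}]}],
    }
}

if __name__ == "__main__":
    for kind, cname, secret in unmountable_envfrom_secrets(SAMPLE_POD, SAMPLE_SA):
        print(f"{kind}/{cname}: envFrom references non-mountable Secret {secret!r}")
```

Run it against `kubectl get pod -o json` / `kubectl get sa -o json` output to list workloads that would have slipped past the check on unpatched versions.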
Next Deadline: Release Day, April 17th
Kubernetes v1.30.0-rc.2 is live!
Kubernetes v1.30 is scheduled to be released today. To accommodate this, patch releases v1.27.13, v1.28.9 and v1.29.4 have been cut one day early.
The KEP proposes preventing unauthorized volume mode conversion when creating PVCs from VolumeSnapshots in Kubernetes. It introduces modifications to the VolumeSnapshotContent API spec, to the control flows of snapshot-controller and external-provisioner, and a new annotation, snapshot.storage.kubernetes.io/allow-volume-mode-change, on VolumeSnapshotContent resources. These changes close the security gap while still allowing authorized use cases, such as backup processes, to proceed efficiently. The aim is to stop malicious users from exploiting a volume mode change to reach kernel vulnerabilities, particularly in scenarios involving potential future CVEs affecting filesystems.
This KEP is tracked to graduate to stable in the upcoming v1.30 release.
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD GitHub repo.