Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending July 14, 2024
Developer News
Maintainer session proposals for Kubecon are due this Sunday. Write one for your SIG now. Don’t miss the deadline!
The Contributor Summit is looking for contributors to design the swag and the award. Also, proposals for the Summit are still open.
Subprojects kpng and etcdadm are being archived. If you still use etcd-manager, it’s in a new repo owned by SIG-Etcd.
CVE-2024-5321 has been reported against Kubernetes clusters running Windows. This vulnerability lets users with incorrect permissions read and modify container logs.
Release Schedule
Next Deadline: Code Freeze, July 24th
Code freeze is happening in a week! If your KEP is opted in for the v1.31 release, make sure to get your PRs merged in time before the deadline.
Kubernetes v1.27.16, v1.28.12, v1.29.7 and v1.30.3 patch releases are now live!
Featured PR
#125868: Add –for=create option to kubectl wait
After a few false starts, we are trying again to support a “wait for create” mechanism for kubectl wait. The new --for option will allow pluggable wait conditions beyond the original “wait for delete” and new “wait for create” (or really “wait for exists”). This can already help streamline shell scripts, and talk to SIG-CLI if you’re interested in proposing additional modes!
KEP of the Week
4633: Only allow Anonymous Auth for configured endpoints
Allowing anonymous authentication against all or most Kubernetes endpoints can be a huge security hole if you make simple mistakes with RBAC. This KEP implements a way to disable anonymous auth for all endpoints except a specificed list (usually healthz, readyz, and livez). This will close a lot of runtime security holes.
4633 was introduced by Vinayak Goyal in May, and is expected to be Alpha in 1.31.
Other Merges
- You can delay terminal Job conditions until all pods are terminal
- Node.Status.Features.SupplementalGroupsPolicy helps implement fine-grained SupplementalGroups control
- e2e tests added for kubelet support for split image filesystem
- Bug fix for when PodIP field is temporarily removed for a terminal pod
- Dynamic client’s
Listmethod now supports API streaming - kube-scheduler implements scheduling hints for the VolumeRestriction plugin
- Bug fix in the API server where empty collections of ValidatingAdmissionPolicies did not have an
itemsfield - TopologyManager policy option ‘max-allowable-numa-nodes’ added to configures maxAllowableNUMANodes for kubelet
- New static policy option SpreadPhysicalCPUsPreferredOption to spread cpus across physical cpus
- kube-proxy: Linux and Windows sections adhering to the v1alpha2 specifications added
- PodIP.IP and HostIP.IP are required fields, fixing a regression
- omitempty for optional Job Pod Failure Policy fields
- UserNamespaces field added to NodeRuntimeHandlerFeatures to support the
ProcMountTypeoption. - Kubelet on Windows to stop using wmic to query for UUIDs
- Improvements to lock utilization in scheduling queue to increase scheduling throughput when there are many gated pods
Promotions
- JobPodFailurePolicy to GA
- PersistentVolumeLastPhaseTransitionTime to GA
- KubeletCgroupDriverFromCRI to beta
- ElasticIndexedJob to GA
Subprojects and Dependency Updates
- Prometheus v2.53.1: Bug-fix for remote write dropping samples when the sending flow stalled for longer than it takes to write one WAL segment
- kubernetes/cloud-provider-openstack v2.30.2: Openstack Cloud Controller Manager Helm Chart
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.