Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending July 21, 2024
Developer News
CVE-2024-5321 allows unauthorized users on Windows to read container logs. Fixed in the latest patch releases.
You have one week to migrate the remaining jobs on the old cluster before they get deactivated. Notable bundles of unmigrated jobs belong to SIG-Storage (CSI driver tests), SIG-Cloud Provider (Azure), and the ClusterAPI subproject.
Test-Infra is eliminating last bits of Google-owned notification systems in favor of community-owned ones. This means you should use community Slack channels #testing-ops to raise issues with prow.k8s.i and CI infrastructure, and #sig-scalability for scale test issues. You can discuss CI failures not clearly related to issues with prow or the infra in #sig-testing and #release-ci-signal.
Release Schedule
Next Deadline: Code Freeze, July 24th
Code freeze is happening this week, at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024. Out of the 54 enhancements tracked after enhancements freeze, we have 32 KEPs tracked for code freeze as of this writing. If your KEP missed the code freeze deadline, you can file an exception request.
Patch releases 1.27.16, 1.28.12, 1.29.7 and 1.30.3, which were delayed to incorporate the fix for CVE-2024-5321 and a golang update. Update as soon as you can, particularly if you run Windows.
Featured PRs
#126165: PSA: allow container_engine_t selinux type
This PR updates the Pod Security Standards to include the container_engine_t SELinux type, starting with version 1.31. This type is designed for running container engines like Podman and Docker within a container. The change enables running nested containers while still securing activity using SELinux.
KEP of the Week
KEP 4033: Discover cgroup Driver from CRI
This KEP introduces the ability for the container runtime to instruct Kubelet on which cgroup driver to use. Currently, both the Kubelet and the container runtime have configuration settings for selecting the cgroup driver (cgroupfs or systemd). With this enhancement, synchronization between the Kubelet and runtime settings is ensured, eliminating the possibility of misaligned cgroup driver configurations and promoting a single source of truth for the cgroup driver.
This KEP is tracked for beta release in the upcoming v1.31.
Other Merges
- queueing_hint_execution_duration_seconds and event_handling_duration_seconds metrics implemented to improve observability of scheduler throughput
- Ingress.spec.defaultBackend is now considered an atomic struct for server-side-apply
- Unit tests added to validate that kube-proxy handles bad IPs and CIDRs correctly
- New stream_tunnel_requests_total metric added to PortForward tunneling through WebSockets
- syscall.ENODEV is now treated as a corrupted mount
- Fix for kube-apiserver crashing due to CEL validation issues for CRDs
- Improvements to ValidatingAdmissionPolicy metrics to count and time all validations
- Fix for storage-version-migrator-controller to prevent failing migrations when resources are deleted when migration is in progress
- Documentation fix for default value of procMount entry in Pod SecurityContext
- –emulated-version flag added to kube-controller-manager to set emulation version
- kubelet/stats: set INFO log level for stats not found in cadvisor memory cache error to reduce noise
- AuthorizeWithSelectors feature added to include field and label selector information from requests in webhook authorization calls
- kubelet implementation of ImageVolumeSource added
- Access to swap for containers in high priority Pods restricted
- DRA: kubelet made independent of the resource.k8s.io API version
- kube-scheduler implements scheduling hints for the VolumeBinding plugin
Promotions
- ValidatingAdmissionPolicy metrics to beta
- JobSuccessPolicy to beta
- StatefulSetStartOrdinal to GA
Deprecated
- Deprecated context.StopCh cleaned up
- CustomResourceValidationExpressions feature gate removed
Version Updates
Subprojects and Dependency Updates
- etcd to v3.5.15 support multiple values for allowed client and peer TLS identities
- csi-driver-smb v1.15.0 make image.*.repository variables relative by default
- containerd v1.7.20 support for dropping inheritable capabilities; also v1.6.34
- kops v1.28.7 support definition of kube-controller-manager
- kustomize v5.4.3
kustomize localizesubcommand verifies the success ofkustomize buildwhen executed - kubespray v2.24.2 possibility to modify Service type with “ingress_nginx_service_type” property in addons
- grpc v1.65.1 add signal handler to python interop client
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.