LWKD: title: Week Ending August 27, 2023
Developer News
Voting has begun for the Kubernetes Steering election; cast your ballot on the election site, which also tells you if you're eligible or not. If you're not, and should be, then request an exception. With 11 candidates for four seats, this will be a tough one, so give yourself some time.
CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893 were reported for Kubernetes on Windows, and are patched in the current update releases. These are high-risk security issues, and all Windows users should upgrade as soon as possible.
The #kubernetes-contributors Slack channel has been split into #kubernetes-new-contributors and #kubernetes-org-members. The former will be the channel for introductions, getting started and mentorship requests, whereas org-members will be for established contributor communications.
The SIG-Contribex mailing list will be migrated to a project-controlled Google Group on September 1. This is the first of many mailing list migrations.
Han Kang started a discussion on replumbing Kubernetes for safer upgrades.
Release Schedule
Next Deadline: 1.29 Begins, September 5th
We are in the interval between releases, but if you wanted to be part of the 1.29 release team, there is still time to apply.
Patch releases 1.28.1, 1.27.5, 1.26.8, 1.25.13 came out last week. These include important security patches for Kubernetes on Windows. 1.24 is now EOL, and users of 1.24 need to upgrade or look at their ecosystem support options.
Featured PR
#119592: Add additional utilities to kubectl image
The registry.k8s.io/kubectl container image is one of the release artifacts put out with every version of Kubernetes. Like our other images, it has been built as minimally as possible, using the distroless base image and only containing the kubectl binary and files required for it to run. While this minimalism makes sense for our daemon images, is the same true for a CLI tool? This PR swaps out the base image to a minimal debian and installs a suite of basic CLI support tools including bash, sed, awk, grep, diff, and jq. However concerns have been raised that the improved UX isn't worth the greater risk to users due to those extra tools needing security updates, a task we aren't well set up for. A revert has been proposed pending feedback from the relevant SIGs. If you have thoughts one way or the other about this change, now is the time to make them known!
KEP of the Week
KEP-4006: Transition from SPDY to WebSockets
Currently the communication involving bi-directional streaming between Kubernetes clients and the API server is done through SPDY/3.1 protocol. These include several kubectl commands like kubectl exec, kubectl cp (built on top of kubectl exec primitives), kubectl port-forward and kubectl attach. This KEP transitions the bi-directional communication protocol used from SPDY to WebSockets, since SPDY was deprecated in 2015. WebSockets on the other hand is a standardized protocol and provides compatibility with software and programming languages.
As of now, the bidirectional streaming is initiated from the Kubernetes clients, proxied by the API server and kubelet, and terminated in the container runtime. This KEP proposes to modify kubectl to request a WebSocket connection, and to modify the API server proxy to translate the kubectl WebSocket data stream into to a SPDY upstream connection. This way everything upstream the API server need not be changed in the initial implementation. This KEP is in alpha in v1.28.
Other Merges
- onPodConditions is optional in Job FailurePolicy, not required; backported
- CEL replace() estimates the cost of '' as correctly low
- More backfilling
--image-repositoryin kubeadm commands - PodSchedulingContext node lists are an atomic list
- Some nice new code docs around how x509 communication works inside Kubernetes
- Node taint manager reports APIversions
Testing Updates: PV and PVC Endpoints
Promotions
Deprecated
- v1beta3 API of KubeSchedulerConfiguration is deprecated and will be removed in 1.29
Version Updates
Subprojects and Dependency Updates
- cloud-provider-azure adds node non-graceful shutdown feature by adding
node.kubernetes.io/out-of-servicetaint when nodes are shutdown so that the pods can be forcefully deleted - aws-ebs-csi-driver adds opentelemetry tracing of gRPC calls. The feature is currently behind a feature flag