LWKD: Week Ending April 14, 2024
Last Week In Kubernetes Development
Week ending 2024-04-14
Developer News
CVE-2024-3177, rated Low, was discovered in Kubernetes, where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.
Release Schedule
Next Deadline: Release Day, April 17th
Kubernetes v1.30.0-rc.2 is live!
Kubernetes v1.30 is scheduled to be released today. To accommodate this, patch releases v1.27.13, v1.28.9 and v1.29.4 have been cut one day early.
KEP of the Week
KEP 3141: Prevent unauthorised volume mode conversion during volume restore
The KEP proposes preventing unauthorized volume mode conversion when creating PVCs from VolumeSnapshots in Kubernetes. It introduces modifications to the VolumeSnapshotContent API spec, control flows of snapshot-controller and external-provisioner, and an annotation name snapshot.storage.kubernetes.io/allow-volume-mode-change on VolumeSnapshotContent resources. These changes mitigate security vulnerabilities while allowing authorized use cases, such as backup processes, to proceed efficiently. This addresses potential exploitation by malicious users and aims to prevent kernel vulnerability, particularly in scenarios involving potential future CVEs affecting filesystems.
This KEP is tracked to graduate to stable in the upcoming v1.30 release.
Subprojects and Dependency Updates
* containerd/nerdctl v2.0.0-beta.4 Faster and more stable nerdctl pull, nerdctl push, nerdctl build, etc.
* grpc v1.63.0-pre1 released with refinements, improvements, and bug fixes.