LWKD: Week Ending April 24
Last Week In Kubernetes Development
Week Ending April 24, 2022
Developer News
Our contributors have spent a lot of time discussing improving general Kubernetes stability and reliability lately. Project leaders are implementing several changes in how new enhancements will be handled:
- Expanding Test Plan section of the KEP template
- Enhancements may be blocked if they touch a poorly tested or unstable part of the code
- No more submitting tests in a "follow-up PR"
- Authors need to check async tests for race conditions
Also, the triage-bot will stop closing high Priority, accepted bugs that become stale, so that we don't lose track of them.
The Contributor Summit has a rough schedule now. This will include a Steering Committee AMA, three hours of Unconference sessions, a full day Documentation Sprint, and several SIG/team meetings (sign up here). The Contributor Social that evening will include board games (bring yours!) and a Kubernetes trivia contest. Register now. Masks and COVID immunization will be required.
Release Schedule
Next Deadline: Release, May 3rd
1.24 RC 1 is available for your testing pleasure.
We are currently in Test Freeze and Code Freeze as the Release Team works with all contributors to get 1.24 stabilized for final release after the incorporation of golang 1.18.1. If you get a reminder from the team to look at/fix something, please respond ASAP as any delay can result in a release delay.
On TestGrid, the following blocking test jobs continue to be flaky: gce-cos-k8sbeta-default, gce-cos-k8s-beta-ingress, gce-cos-k8sbeta-reboot, kind-1.24-parallel, kind-ipv6-1.24-parallel, and ci-kubernetes-unit-1.24. Flaky jobs mean that we can't easily tell whether something is broken or not, so won't you pick a test job and dive in? See the CI Project Board for ongoing work.
Featured PRs
ingress-nginx#8456: Implement object deep inspector
Ingress-nginx released v1.2.0 this week, fixing two security issues: CVE-2021-25745 and CVE-2021-25746. Both are variants on using a malicious Ingress object to exfiltrate sensitive data from inside the Ingress Controller Pod, such as the Service Account credentials. This PR introduces both a fix for the two specific issues as well as a general framework for improved object validation within ingress-nginx. If upgrading isn't an option, you can also use the annotation-value-word-blocklist
configuration option to block the malicious Ingresses. If you permit low-privilege users to create arbitrary Ingresses, you should patch or mitigate these vulnerabilities as soon as possible.
Other Merges
- In-tree GCE persistent data tests have been disabled since folks are supposed to have migrated to CSI a while ago
Version Updates
- etcd 3.5.4 fixes the data corruption issue and makes it safe (and recommended) to use etcd 3.5 for your Kubernetes clusters
- cadvisor to 0.44.1
- containerd to 1.6.2 on Windows