LWKD: Week Ending August 7, 2022
Developer News
Starting sometime in October, k8s.gcr.io will begin to 302 redirect to registry.k8s.io, so that even old releases pull from the new registry, which has lower hosting cost and higher performance.
With 1.24 stable on Go 1.18, Kubernetes contributors are officially allowed to use Go Generics, although you should avoid them in any backportable bug fixes until 1.24 is EOL in late 2023.
Release Schedule
Next Deadline: Docs ready Aug 9th; Test Freeze Aug 10th
We are in Code Freeze, and trying to wrap up 1.25. This means that tests are frozen (no changes except to resolve CI bugs) starting this Wednesday. You should also have your docs ready for review by Tuesday. The first beta is released.
This Friday (8/12) is the cherry pick deadline for the next batch of patch updates to 1.22, 1.23 and 1.24.
Featured PRs
#111090: Add support for user namespaces phase 1 (KEP 127)
Containers are great in many ways, but the major runtimes for Kubernetes (Docker, containerd, CRI-O, etc.) have all had the issue that user ID 0 inside the container was the same as user ID 0 outside the container. In a perfect world this shouldn’t ever matter, as the kernel should be checking everything against all the other dozen security subsystems we collectively call “containers”, but we don’t live in that world, and so it has forever been a best practice to avoid the use of UID 0 (or other meaningful UIDs) in our Pod specs. With this PR we have the first phase of our fix, user namespace remapping. For this phase, only Pods with either no volumes or “stateless” volumes (configmap, secret, downwardAPI, emptyDir, or projected) are supported. If you enable the UserNamespacesStatelessPodsSupport feature gate and set hostUsers: True in the PodSpec, the containers will be run in a mapped user namespace. In practical terms this means user 65535 in one container will not be able to read files or kill processes owned by user 65535 in another container, or you can provide “root-ish” access in more limited contexts, such as a VPN daemon which has to make privileged calls but must not be able to mess with other containers.
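To make the remapping concrete, here is an added example (not code from the PR or from Kubernetes) that models the kernel's per-namespace uid_map translation for two Pods plus a Pod that keeps the host user namespace; the host UID ranges (100000 and 165536) and the 65536-wide allocation per Pod are constructed assumptions for illustration.

```python
"""Model of the KEP-127 phase 1 effect: each Pod gets its own user
namespace, so the same in-container UID lands on a different host UID
per Pod. The uid_map text uses the real /proc/<pid>/uid_map format
(id-inside-ns  id-outside-ns  length); the host ranges themselves are
constructed sample values, not what the kubelet actually allocates."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two Pods, each mapped onto a 65536-wide host range,
# and one Pod that keeps the host user namespace (identity mapping).
POD_UID_MAPS = {
    "pod-a": "0 100000 65536\n",
    "pod-b": "0 165536 65536\n",
    "pod-host": "0 0 4294967295\n",
}

@dataclass(frozen=True)
class UidRange:
    inside: int
    outside: int
    length: int

def parse_uid_map(text: str) -> List[UidRange]:
    """Parse /proc/<pid>/uid_map content into mapping ranges."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ranges.append(UidRange(*(int(f) for f in fields)))
    return ranges

def to_host_uid(container_uid: int, ranges: List[UidRange]) -> Optional[int]:
    """Translate an in-namespace UID to the host UID the kernel checks.
    Returns None when the UID is unmapped (the kernel treats it as nobody)."""
    for r in ranges:
        if r.inside <= container_uid < r.inside + r.length:
            return r.outside + (container_uid - r.inside)
    return None

def same_host_identity(pod_x: str, uid_x: int, pod_y: str, uid_y: int) -> bool:
    """Would a DAC check (file read, kill()) see these two UIDs as the same
    owner? The kernel compares host UIDs, never the numbers containers see."""
    hx = to_host_uid(uid_x, parse_uid_map(POD_UID_MAPS[pod_x]))
    hy = to_host_uid(uid_y, parse_uid_map(POD_UID_MAPS[pod_y]))
    return hx is not None and hx == hy

if __name__ == "__main__":
    print(to_host_uid(0, parse_uid_map(POD_UID_MAPS["pod-a"])))    # 100000
    print(same_host_identity("pod-a", 65535, "pod-b", 65535))        # False
    print(same_host_identity("pod-host", 0, "pod-host", 0))          # True
```

The first result is the point of the PR: "root" inside pod-a is an unprivileged host UID, and the same UID number in two remapped Pods never collides.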
#111113: Support handling of pod failures with respect to the configured rules
Job objects have slowly grown from an infrequently used feature to the core runtime for CI tools, machine learning pipelines, and lots more. With that has come a growth from “please run this container once or something” to wanting more detailed control over the whole lifecycle. This PR adds a new podFailurePolicy substruct in JobSpec to configure the behavior both with respect to exit codes and Kubernetes-specific events like resource evictions. Combined with the new deletion reason tracking in Pods, this gives the Job system very fine-grained control over failure behaviors, for both advanced use cases and old-fashioned simple use cases in high-churn environments.
Other Merges
- CRI API adds structs to allow in-place vertical pod scaling
- Add KMS v2alpha1 API, including v2 version for KMS providers
- Support multiple CIDRs
- Make sure a job really failed before JobTrackingWithFinalizers calls it failed; backported
- Remove the schedulability predicate from the service controller again because it still breaks load balancers
- Deleting UIDs won’t leak memory
- Key encipherment validation is optional for 1.25, but it won’t always be
- ObjectReference struct becomes granular
- Reconfigure cloud LoadBalancers less often
- Relabel SELinux volumes faster
- The kubelet gains support for OpenTelemetry tracing
- KMS at-rest encryption is using AES-GCM instead of AES-CBC, providing authenticated encryption
Test Reliability: APIService lifecycle, scheduler tests
Promotions
- Local storage capacity isolation is GA
- CSIInlineVolume is GA
- CSIMigrationAWS is GA
- DisableAcceleratorUsageMetrics is GA
- CronJobTimeZone is Beta
Deprecated
- In-tree StorageOS volume support is removed; migrate to the CSI plugin
- In-tree Quobyte volume support is removed; migrate to the CSI plugin
- In-tree Flocker volume support is removed; as it is no longer maintained no migration path is available
- kube-apiserver’s --service-account-api-audiences flag is removed
- Some alpha seccomp annotations will no longer work
- In-tree GlusterFS support is deprecated; no migration path is available at this time
- Deprecated beta node labels (e.g. failure-domain.beta.kubernetes.io/zone) will result in a warning in more places
Version Updates
- With the rc2 issues fixed, golang is now 1.19 for 1.25 and later. Please update your env appropriately
- golang to 1.18.5 in 1.24, and to 1.17.13 in 1.23
- cAdvisor to 0.45.0
- kustomize to 4.5.7
- structured-merge-diff to 4.2.3