December 14, 2021

LWKD: Week Ending December 12, 2021

Developer News

Lots of news for you this week, starting with the 1.23 release(release notes). SLSA compliance, Dual Stack, FlexVolume deprecation, PodSecurity API and more. Note that the new version of cri-tools is not yet available, which means that some people should wait to upgrade.

Second, this will be the last LWKD in 2021. Publication will resume in January.

The Contributor Celebration is this week.

The kubernetes-dev mailing list will be moving to an @kubernetes.io address over the next few weeks, partly in order to fix the community calendar. You should not need to do anything immediately except change your personal address book entry. In 2022, we will be asking document owners to switch document sharing to the new list.

Aldo Culquicondor wants to create a Batch Working Group. SIG-Release will be closing discussion on the SLSA KEP and signing KEP on Dec. 17th, so get your questions in now.

Release Schedule

Next Deadline: 1.24 cycle begins, January 10, 2022

The final patch releases of 2021 are expected out Wednesday December 15th.

Featured PRs

#97252: Completely remove in-tree dockershim from kubelet

Hopefully the removal of Dockershim is not, in general, news to anyone reading this but the day has come. Some will celebrate, a few might mourn for the pain of upgrading, but regardless Dockershim is no more. If you haven’t already responded to the SIG-Node survey maybe give that a look, otherwise just get all your Containerds ready and look forward to a cleaner future. Big congratulations to everyone who helped get this done over the years.

#106852: Remove support for Endpoints and ConfigMaps lock from leader election

client-go has long had a helper library for managing leader/primary elections, used mostly in controller managers so several replicas can be running for redundancy but most controllers are disabled for secondary instances. Originally this supported two modes, endpoints and configmaps, each using their respective API types to create a singleton lock. Back in 1.14, we added a Leases API to more specifically address things like node heartbeats and leader locks. Along with the new API, a leases lock mode was added. The goal was to move everyone towards the Leases API as it has substantially better performance for both the client and server. While this relatively minor project got a bit lost between other tasks, the day has finally come to force everyone onto bigger and better things.

For migration purposes you can use endpointsleases and configmapsleases and do a rolling upgrade to the new API, and those lock modes are still present.

Other Merges

• Revert to prior graceful shutdown behavior of setting pods to “failed because user app breakage; the new behavior will be rolled out with feature gates instead
• Kubeadm: don’t require CA key for checking, but do validate etcd certs
• Metrics: Windows has kube-proxy metrics,new APF metric apiserver_flowcontrol_work_estimate_seats_samples, evictions_total is the new evictions_number
• Kubelet config validation tests got overhauled
• kubectl diff gets a prune command to mirror what kubectl apply --prune does

Deprecated

• SIG-Instrumentation proposes to remove the alpha Dynamic Log Sanitization feature in 1.24
• --address and --port deprecated and insecure options will be removed from the controller-manager and the apiserver in 1.24
• client-go’s leader elections won’t let you use an Endpoint or ConfigMap-based lock
• k8s.io/apimachinery/util/clock is being replaced with k8s.io/utils/clock
• NamespaceDefaultLabelName feature gate is removed since it’s GA
• ReallyCrashForTesting is finally, blessedly, gone

Version Updates

• Golang updated: 1.16.12 in 1.21 & 1.22, 1.17.5 in 1.23, and update golang.org/x/net to match
• Metrics Server to v0.5.2