Last Week In Kubernetes Development

February 23, 2022

LWKD: Week Ending February 20, 2022

Developer News

The monthly Community Meeting is back! Every 3rd Thursday of the month we’ll be meeting; subscribers to dev@kubernetes.io should have the calendar item. Contact Laura Santamaria if you’re available to help run it. Last week’s Community Meeting covered the Dockershim removal planning, the Reliability Bar proposal, and the last follow up on the move to dev@kubernetes.io. Video will be up soon, and next meeting is March 17th.

SIG-CLI is discussing whether we should implement robust file locking for kubeconfig, or phase out file locking entirely. Please reach out and add your use cases.

The job queueing API design has advanced over the last month.

Release Schedule

Next Deadline: Exceptions due, March 21st

We are currently in the feature development phase, where the listed enhancements are trying to finish all of their requirements. If your feature did not get listed, you have exactly four weeks to ask for an exception.

CI Signal is looking OK with four failing jobs and two flaky ones, which (considering dockershim) isn’t that bad. Still, if any of the failing/flaking tests are something you can help with, please pitch in.

Patch updates were released last week after a short delay. This includes 1.23.4, 1.22.7, and 1.21.10. Version 1.20 is no longer being patched; please upgrade.

Release engineering is experimenting with automated fast-forward in Prow, which you can see mocked here. The idea is to eliminate a lot of the manual cherry-picking work. If it looks good, we’ll use it for 1.25.

Featured PRs

#107880: Add command to request a bound service account token

Bound service account tokens have been around for a while, used in features like the serviceAccountToken volume type, but they will now be more directly accessible to users via a kubectl create token command. This command can create a normal (unbound) token and display it, but it can also take an audience, expiration time, or object binding (object-bound tokens are valid only while that object exists). If you are currently using kubectl get secret to retrieve the current automatic tokens, look into switching to the new command once it is available.

Some examples from the documentation:

# Create a token only valid for 10 minutes.
$ kubectl create token myapp --expiration-seconds 600
eyJ...

# Create a token only valid while a certain deployment exists.
$ kubectl create token myapp --bound-object-kind Deployment --bound-object-name myapp-deployment
eyJ...

This PR also includes a number of changes to the TokenRequest API to make it more error resistant, as well as granting the default admin and edit roles access to create tokens.
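When auditing which tokens are still in use, the difference between an automatic Secret-based token and a short-lived bound one is visible in the JWT claims. The following is an added example, not code from the PR or from Kubernetes: it decodes a token payload without verifying the signature and lists what is missing. The claim layout (exp, aud, and a nested "kubernetes.io" claim naming the bound object), the finding names, and both sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import time

# Assumed claim layout: bound tokens carry "exp", "aud" and a nested
# "kubernetes.io" claim; legacy Secret-based tokens carry none of these.
BASE_KEYS = {"namespace", "serviceaccount"}

def make_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])

def decode_claims(token):
    """Return the JWT payload. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_token(token, max_lifetime=3600, now=None):
    """List reasons a token is weaker than a short-lived, object-bound one."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    exp = claims.get("exp")
    if exp is None:
        findings.append("no-expiry")
    elif exp <= now:
        findings.append("expired")
    elif exp - claims.get("iat", now) > max_lifetime:
        findings.append("lifetime-too-long")
    if not claims.get("aud"):
        findings.append("no-audience")
    # Any key besides namespace/serviceaccount names the bound object.
    if not set(claims.get("kubernetes.io", {})) - BASE_KEYS:
        findings.append("not-object-bound")
    return findings

NOW = 1645600000  # constructed timestamp; both tokens below are constructed
SUB = "system:serviceaccount:default:myapp"
LEGACY = make_token({"iss": "kubernetes/serviceaccount", "sub": SUB})
BOUND = make_token({"aud": ["https://kubernetes.default.svc"], "iat": NOW,
                    "exp": NOW + 600, "sub": SUB, "kubernetes.io": {
                        "namespace": "default", "pod": {"name": "myapp-0"}}})
print(audit_token(LEGACY, now=NOW), audit_token(BOUND, now=NOW))
```

Decoding the payload this way is for inventory only; whether a token is actually accepted is decided by the API server, which verifies the signature and the binding.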

#107481: Remove dashboard cluster addon

The cluster addons system was the original “app store for Kubernetes”. In the years since, many others have come (and some have gone), but throughout the addons have remained. The Kubernetes dashboard project has reached a point where maintaining the addon is no longer worthwhile given the relative stability and uptake of other options. They continue to maintain and support their own install manifests and if you are migrating off the old addon, these are likely the easiest option.

More generally, if you are still making heavy use of the addons system, consider whether any could be moved to more modern tools, as this will not be the last addon to be turned down.

Other Merges

  • kubeadm is removing the word “master” from labels and taints; this may require kubeadm cluster admins to take some migration steps. It is also making UnversionedKubeletConfigMap true by default, and fixing config parsing
  • Oops! We changed v1beta1 API PodDisruptionBudget patch merges as well as v1 API ones, which is not how things are supposed to work, so Liggitt reverted it
  • Only dump stack traces to klog with --v=99
  • Keep partial EndpointSlice updates from dropping nodes
  • TopologyManager NUMA allocations with more than two nodes work correctly
  • cri-tools crictl supports ARM64
  • The scheduler extender logs errors
  • kubectl describe ingress includes Class name
  • Don’t bother setting route_localnet in kube-proxy if nobody asked for a loopback
  • Add an e2e test specifically for CVE-2021-29923
  • kubectl config delete-user has command completions
  • Stop exposing the whole URI for some latency duration metrics
  • CSIMigrationAzureFile is on by default because your Azure storage is about to migrate

Promotions

  • PodAffinityNamespaceSelector to GA
  • SuspendJob to GA

Deprecated

  • The dashboard cluster addon has been removed
  • Use the Endpoint Lease reconciler by default in apiserver, and deprecate the --master-count flag
  • --pod-infra-container-image kubelet flag is deprecated since it’s only used for dockershim
  • Feature gate SetHostnameAsFQDN is removed due to being GA
  • tolerate-unready-endpoints annotation is removed, use Service.spec.publishNotReadyAddresses instead
  • selfLink is removed from its remaining legacy spots in apiserver, it has been unpopulated since 1.20

Version Updates

  • go to 1.16.14 in 1.21 and 1.22
  • go to 1.17.7 in 1.23 and 1.24, except that we’re testing out go 1.18rc1 for 1.24 as well
  • Python Client v22.6.0 is now available
  • node-feature-discovery 0.4.1 is out