Last Week In Kubernetes Development

February 27, 2025

LWKD: Week Ending February 23, 2025

Developer News

Unconference proposals are open for the Maintainer Summit EU. Also, remember to register.

The SIG Meet & Greet at KubeCon EU will be on April 3, 12:15pm to 2:15pm BST at the Project Pavilion. Sign up if your SIG will have representation.

Maciek Pytel is stepping down from SIG-Autoscaling chair, and has proposed Kuba Tużnik to replace him.

Release Schedule

Next Deadline: Placeholder PRs for Docs, Feb 27

Yes, this means you should be starting your documentation process for those opt-in features. Also, final call for Enhancement Exceptions is March 3.

KEP of the Week

KEP 4633: Only allow anonymous auth for configured endpoints

This KEP proposes allowing anonymous authentication only for specified endpoints while disabling it elsewhere. Kubernetes permits anonymous requests by default, but fully disabling them (--anonymous-auth=false) can break unauthenticated health checks (healthz, livez, readyz). Misconfigurations, like binding system:anonymous to powerful roles, pose security risks. This proposal enhances security by minimizing misconfigurations while preserving essential functionality.
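The misconfiguration this KEP guards against can be audited for directly. The following is an added example, not code from the newsletter or from the Kubernetes project: it scans a JSON list of RBAC bindings for grants to system:anonymous or to the system:unauthenticated group. The EXPECTED_ROLES allowlist and the sample bindings are assumptions constructed for illustration.

```python
import json

# Identities the API server assigns to unauthenticated requests.
ANON_USER = "system:anonymous"
ANON_GROUP = "system:unauthenticated"
# Assumption: roles you accept for anonymous callers. The default bootstrap
# policy binds system:public-info-viewer to system:unauthenticated.
EXPECTED_ROLES = {"system:public-info-viewer"}


def is_anonymous(subject):
    """True if an RBAC subject matches unauthenticated callers."""
    kind, name = subject.get("kind"), subject.get("name")
    return (kind == "User" and name == ANON_USER) or (
        kind == "Group" and name == ANON_GROUP)


def find_anonymous_bindings(binding_list, expected=EXPECTED_ROLES):
    """Return (kind, namespace, binding, role, subject) per unexpected grant."""
    findings = []
    for item in binding_list.get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        if role in expected:
            continue
        meta = item.get("metadata", {})
        # 'subjects' may be absent or null on an empty binding.
        for subject in item.get("subjects") or []:
            if is_anonymous(subject):
                findings.append((item.get("kind", ""), meta.get("namespace", ""),
                                 meta.get("name", ""), role, subject["name"]))
    return findings


# Constructed sample in the shape of a List of bindings (not real cluster data).
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"}, "roleRef": {"name": "system:public-info-viewer"}, "subjects": [{"kind": "Group", "name": "system:authenticated"}, {"kind": "Group", "name": "system:unauthenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-access"}, "roleRef": {"name": "cluster-admin"}, "subjects": [{"kind": "User", "name": "system:anonymous"}]},
 {"kind": "RoleBinding", "metadata": {"name": "metrics-read", "namespace": "monitoring"}, "roleRef": {"name": "view"}, "subjects": [{"kind": "ServiceAccount", "name": "prometheus"}, {"kind": "Group", "name": "system:unauthenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "empty"}, "roleRef": {"name": "edit"}, "subjects": null}
]}""")

if __name__ == "__main__":
    for finding in find_anonymous_bindings(SAMPLE):
        print("anonymous grant:", *finding)
```

On a real cluster, the input would be the output of kubectl get clusterrolebindings,rolebindings -A -o json, loaded with json.load.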

Other Merges

  • Watch added to controller roles that include List but do not include Watch

  • Move GetCurrentResourceVersion to storage.Interface

  • Rename CacheProxy to CacheDelegator

  • Fix to allow ImageVolume for Restricted PSA profiles

  • E2E tests for Pod exec to use websockets instead of SPDY

  • Cleanup for failing tests

  • Fix for in-place Pod resize E2E tests after forbidding memory limit decrease

  • Remove Flagz feature-gate check before populating serverRunOptions.Flagz

  • Framework util function GetPodList to return errors for upstream handling

  • Test apiserver to use default API groups, ensuring tests are as realistic as possible

  • Fix SelfSubjectReview test to decouple beta and GA types

  • DRA added dedicated integration tests

  • backoffQ in scheduler split into backoffQ and errorBackoffQ

  • Sweep and fix of stat, lstat, evalsymlink usage for go1.23 on Windows

  • Metadata management for Pods updated to populate .metadata.generation on writes

  • CPU footprint of node cpumanager cfs quota testcases reduced to avoid false negative reds on CI

  • Controllers that write out IP address or CIDR values to API objects now ensure that they always write values in canonical form

  • Fix for the ResourceQuota admission plugin not respecting any scope changes during updates

  • reflect.DeepEqual replaced with cmp.Diff in pkg/scheduler tests

  • queueinghint added for volumeattachment deletion

  • Fixed an issue in register-gen where imports were missing

  • Canonicalization of NetworkDeviceData IPs now required

Promotions

  • AnyVolumeDataSource to GA

Version Updates

  • Latest etcd image v3.6.0-rc.1 bumped

Subprojects and Dependency Updates

  • Python client v32.0.1: server side apply, decimal to quantity conversion, cluster info
