LWKD: Week Ending January 29, 2023
Developer News
Filip Krepinsky would like to make controller names more consistent. Also, changes to issue triage are getting closer to being merged.
We are now skipping some failing Windows unit tests because nobody has stepped forward to fix them. Windows remains poorly tested as a platform. If you’re interested in helping out, please contact SIG-Windows.
Release Schedule
Next Deadline: PRR Freeze, February 2nd
It’s almost production readiness review (PRR) time! The PRR team has recruited some shadows in order to spread the load of review. They’ll hold office hours on Tuesday at 11:30am PST. Enhancements Freeze comes a week after, on February 10th.
Featured PRs
#114418: Reserve Nodeport Ranges For Dynamic And Static Port Allocation
NodePort services use high ports on every node to allow out-of-cluster clients to talk to in-cluster services without the complexity of external load balancers. These are often invaluable when building infrastructure with existing stuff that will remain outside of Kubernetes but needs to interact with newer code. NodePorts have always supported a static allocation mode to allow pre-defining which port to use on each node; however, this has been somewhat complicated by the parallel use of a dynamic allocator. This left a race condition where a manually specified port might already be in use by the time that Service object is applied. While rare, this could throw a big wrench in the works when bringing up a new cluster or service. KEP 3682 fixes this by prioritizing dynamic allocation from the top of the port range, allowing the bottom of the range to be safely used for static things. Other than the feature gate, this is fully automatic and requires no configuration; just update your future static NodePorts to increment from the start of your port range and you’ll have one less weird random failure every now and then.
#112809: apiserver: fix cve for CORS
One of the underlying libraries used in kube-apiserver, go-restful, had a CVE disclosed last June in its CORS security. While go-restful fixed the issue by removing support for (most) regular expressions in their CORS filter, our compatibility requirements led to us introducing a parallel implementation of the same functionality. Unfortunately our implementation also fell victim to the same bug as upstream and this has now been corrected. If you use the `--cors-allowed-origins` configuration option, you will be forced to use a safe regexp, one with a leading `^` and trailing `$`. This does mean a minor speedbump while upgrading, so check your configs and add the anchors now to save yourself some trouble.
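Why the anchors matter, as an added example that is not part of the newsletter or of the kube-apiserver code: a small stand-in for a regexp-based CORS allow-list, plus the check you would run over your own `--cors-allowed-origins` values before upgrading. All origins and patterns below are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// IsAnchored reports whether a --cors-allowed-origins pattern carries the
// leading ^ and trailing $ anchors that the fixed apiserver now requires.
func IsAnchored(pattern string) bool {
	return strings.HasPrefix(pattern, "^") && strings.HasSuffix(pattern, "$")
}

// AnchorPattern adds whichever anchor is missing, for repairing a config value.
func AnchorPattern(pattern string) string {
	if !strings.HasPrefix(pattern, "^") {
		pattern = "^" + pattern
	}
	if !strings.HasSuffix(pattern, "$") {
		pattern += "$"
	}
	return pattern
}

// OriginAllowed is a simplified stand-in (not the real filter) for matching an
// Origin header against a list of regexps. Go's MatchString is a substring
// search, so an unanchored pattern also accepts longer, unrelated origins.
func OriginAllowed(patterns []string, origin string) (bool, error) {
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return false, fmt.Errorf("bad pattern %q: %w", p, err)
		}
		if re.MatchString(origin) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed config value and a longer origin that merely contains it.
	unsafe := `https://dashboard\.example\.com`
	other := "https://dashboard.example.com.example.net"
	ok, _ := OriginAllowed([]string{unsafe}, other)
	fmt.Printf("unanchored %q matches %q: %v\n", unsafe, other, ok)
	ok, _ = OriginAllowed([]string{AnchorPattern(unsafe)}, other)
	fmt.Printf("anchored   %q matches %q: %v\n", AnchorPattern(unsafe), other, ok)
}
```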
Other Merges
- You can pass command-line flags to logging
- Add a linger option of 1s for GRPC probes
- Don’t panic when allocating Services to dynamic ClusterIPs with certain IP masks; backported
- Don’t panic while checking NodeVolumeLimits, either
- update-codegen can be run on machines with no docker
- Comparing complex types in the API has caused some bugs so it’s not going to be allowed anymore
- Delete collection times out at 60s
- Allow using a typed informer for ValidatingAdmissionPolicy
- Now that we have only one CRI, validate that we can connect to it
- Delete more unused functions
- Linter will check if API docs match fields
- KMS2 cache expires
Test Cleanup: polling probe connectivity, node/storage test refactor, runtime class handler, log client-go test retries
Promotions
Version Updates
- etcd to v3.5.7; fixes some known data corruption bugs, so please update
- gomega to v1.26.0