LWKD: Week Ending January 9, 2022
Developer News
Welcome to the 5th year of LWKD! LWKD is brought to you by Josh Berkus and Noah Kantrowitz of SIG-ContribEx. You can contribute through the git repo. As usual for the first issue of the year we’ll be summarizing the last 3 weeks or so of development over the holidays.
dev@kubernetes.io is the new kubernetes-dev@googlegroups: over the holidays, Paris Pittman and others moved us from the old Dev mailing list to one hosted on the kubernetes.io domain. If you were subscribed to kubernetes-dev, you should be subscribed to the new dev@kubernetes.io mailing list now. Remember to post to the right place! This move will let us have a real community calendar again.
The draft charter for the Batch WG is up for comment. Nick Turner is now co-chair of Cloud Provider SIG.
If you are using the fluentd-elasticsearch addon, you need to update to patch log4j.
Linus Arver is overhauling the Prow documentation and could maybe use your help.
Release Schedule
Next Deadline: PRR heads-ups due, January 27th
The 1.24 Release Cycle has begun, with a new crew of community members running the show. That means that the call for enhancements is open, and you have until February 3rd to finish your KEP and register it. As in the last cycle, the PRR Team has requested that any KEPs that require a PRR (most of them) get them a completed PRR questionnaire a week before the enhancements deadline, if possible.
In case you missed it due to holidays, 1.20.14, 1.21.8, 1.22.5, and 1.23.1 were released on December 15th. For those waiting for the first patch on 1.23, you can upgrade now. For those using 1.20, it’s almost EOL (one more update) and you should really upgrade.
Featured PRs
With the new cycle just kicking off, we’ve got some early bird KEPs targeting 1.24.
enhancements#3071: Reserve Service IP Ranges For Dynamic and Static IP Allocation
The ClusterIP for a Service can be either automatically allocated from a dynamic range or manually specified in the ServiceSpec. While both of these options work fine on their own, mixing them in the same address space can risk collisions or other network sadness. This KEP outlines an improved address allocator that will better coexist with static IPs.
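To make the collision concrete, here is an added example (not code from the KEP or from Kubernetes) that models a Service CIDR allocator two ways: the legacy behaviour, where dynamic allocation draws from the whole range, and the KEP's approach, where the bottom of the range is set aside as a band preferred for static ClusterIPs and dynamic allocation starts above it. The band formula, min(max(16, cidrSize/16), 256), is the one the KEP proposes; everything else (the allocator type, its methods, and the deterministic lowest-free pick standing in for the real allocator's random choice) is illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"net"
)

// staticBandSize is the KEP-3070 formula, min(max(16, cidrSize/16), 256),
// for the number of addresses at the bottom of a Service CIDR that the new
// allocator prefers to leave for statically assigned ClusterIPs. hostBits is
// the number of host bits in the CIDR (12 for 10.96.0.0/20). Because
// cidrSize/16 already reaches 256 at 12 host bits, larger ranges saturate
// without computing 2^hostBits, so an IPv6 /64 does not overflow here.
func staticBandSize(hostBits int) int64 {
	if hostBits >= 12 {
		return 256
	}
	s := (int64(1) << uint(hostBits)) / 16
	if s < 16 {
		s = 16
	}
	return s
}

// allocator is a toy ClusterIP allocator over offsets into a Service CIDR
// (example model only, not the kube-apiserver implementation). Offset 0, the
// network address, is never handed out; for IPv4 the broadcast is excluded too.
type allocator struct {
	base  net.IP         // network address, 4 or 16 bytes
	last  int64          // highest allocatable offset
	band  int64          // offsets 1..band form the static band
	used  map[int64]bool // allocated offsets
	split bool           // true: dynamic allocation prefers offsets above band
}

func newAllocator(cidr string, split bool) (*allocator, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	ones, bits := ipnet.Mask.Size()
	hostBits := bits - ones
	if hostBits > 62 {
		return nil, errors.New("range too large for this int64-based model")
	}
	last := (int64(1) << uint(hostBits)) - 1
	base := ipnet.IP
	if v4 := base.To4(); v4 != nil {
		base = v4
		last-- // exclude the IPv4 broadcast address
	}
	return &allocator{base: base, last: last, band: staticBandSize(hostBits), used: map[int64]bool{}, split: split}, nil
}

// offsetToIP and ipToOffset convert between an offset and an address in the range.
func (a *allocator) offsetToIP(off int64) net.IP {
	n := new(big.Int).SetBytes(a.base)
	n.Add(n, big.NewInt(off))
	b := n.Bytes()
	ip := make(net.IP, len(a.base))
	copy(ip[len(ip)-len(b):], b)
	return ip
}

func (a *allocator) ipToOffset(ip net.IP) (int64, error) {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	if len(ip) != len(a.base) {
		return 0, errors.New("address family does not match the range")
	}
	off := new(big.Int).Sub(new(big.Int).SetBytes(ip), new(big.Int).SetBytes(a.base))
	if off.Sign() <= 0 || !off.IsInt64() || off.Int64() > a.last {
		return 0, fmt.Errorf("%s is not an allocatable address in the range", ip)
	}
	return off.Int64(), nil
}

// AllocateStatic claims the ClusterIP a user put in spec.clusterIP.
func (a *allocator) AllocateStatic(ip string) error {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return fmt.Errorf("invalid IP %q", ip)
	}
	off, err := a.ipToOffset(parsed)
	if err != nil {
		return err
	}
	if a.used[off] {
		return fmt.Errorf("%s is already allocated", ip)
	}
	a.used[off] = true
	return nil
}

// AllocateDynamic hands out a free address. The real allocator picks at
// random, so the legacy collision is probabilistic; this model takes the
// lowest free offset so the failure is reproducible. With split set it
// searches above the static band first and falls back to the band only when
// the rest of the range is full.
func (a *allocator) AllocateDynamic() (net.IP, error) {
	start := int64(1)
	if a.split {
		start = a.band + 1
	}
	for _, r := range [][2]int64{{start, a.last}, {1, start - 1}} {
		for off := r[0]; off <= r[1]; off++ {
			if !a.used[off] {
				a.used[off] = true
				return a.offsetToIP(off), nil
			}
		}
	}
	return nil, errors.New("service CIDR exhausted")
}

// demo creates n Services with dynamic ClusterIPs, then one with a static
// ClusterIP, and returns the error (if any) the static request gets.
func demo(cidr string, split bool, n int, static string) error {
	a, err := newAllocator(cidr, split)
	if err != nil {
		return err
	}
	for i := 0; i < n; i++ {
		if _, err := a.AllocateDynamic(); err != nil {
			return err
		}
	}
	return a.AllocateStatic(static)
}

func main() {
	// Constructed scenario: ten dynamic Services, then a static 10.96.0.10.
	fmt.Println("legacy:", demo("10.96.0.0/24", false, 10, "10.96.0.10"))
	fmt.Println("split: ", demo("10.96.0.0/24", true, 10, "10.96.0.10"))
	for _, c := range []string{"10.96.0.0/24", "10.96.0.0/12", "fd00:10:96::/112"} {
		_, n, _ := net.ParseCIDR(c)
		ones, bits := n.Mask.Size()
		fmt.Printf("%s static band: %d addresses\n", c, staticBandSize(bits-ones))
	}
}
```

In the legacy mode the static request for 10.96.0.10 fails because a dynamic Service already took it; with the band in place the same request succeeds, since dynamic allocation starts at 10.96.0.17 on a /24. Note that the band is only a preference: once the upper part of the range is exhausted, dynamic allocation spills back into it, so a static IP is still not guaranteed on a nearly full CIDR.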
enhancements#3061: Add release artifact signing KEP
Hardly a week goes by these days without a software supply chain attack story in the news. To try and be better citizens of this modern landscape, we’re moving forward on signed release artifacts. This KEP mostly lays out the reasons and goals behind release signing so we have a clear target to aim towards. On the implementation side the expectation is still that we’ll be using sigstore, though some exact details of tooling are still being worked out. If you’re interested in helping with this, please contact SIG-Release. This will theoretically get us to SLSA Level 2, with a whole separate effort being started to get us to Level 3, but that is expected to be a much longer road.
Other Merges
- kubectl rollout has a label selector allowing batch upgrades/restarts
- Since there’s no way it’s valid, reject proxy requests to 0.0.0.0
- New Metrics: webhooks failing open, end-to-end device mounting time
- kubectl logs defaults to the “first” container
- Don’t let healthz bypass the ResponseWriter since that can cause a panic
- If a volume isn’t marked in-use, mount it immediately
- kubectl config set-context gets tab completion
- Scheduler retains NumPDBViolations data
- ExternalName services don’t have a default for internalTrafficPolicy
- Make sure to flush the logs when kubelet exits
- Don’t release pinned CPUs until the pod exits
- Don’t let AppArmor validation prevent init containers from adding security profiles
We had a lot of fixes backported to all versions, so you can expect these to show up in next week’s update release:
- Creating a badly-formatted Secret won’t crash kubectl; backported
- Fix list paging issue that caused ResourceVersionMatch to fail; backported
- Speed up EndpointSlice controller metrics cache; backported
- Keep stale filehandles from hanging; backported
Also, Kubeadm is making a number of breaking changes in 1.24, including removing dockershim, switching to v1beta3 API, turning the configmap on by default, requiring a URL scheme for CRI, and letting ca.crt contain multiple certificates.
Promotions
Deprecated
- Service.Spec.LoadBalancerIP is deprecated because it doesn’t work with DualStack and it’s provider-dependent to boot
- kube-scheduler removes insecure flags; use --bind-address and --secure-port instead
- Remove ImmutableEphemeralVolumes feature gate since it’s GA
- Remove RuntimeClass feature gate since it’s GA
Version Updates
- konnectivity network proxy to v0.0.27 to fix leak; backported
- klog to v2.40.1