LWKD: Week Ending July 17, 2024
Week: 2024-07-14
Developer News
Maintainer session proposals for Kubecon are due this Sunday. Write one for your SIG now. Don't miss the deadline!
The Contributor Summit is looking for contributors to design the swag and the award. Also, proposals for the Summit are still open.
Subprojects kpng and etcdadm are being archived. If you still use etcd-manager, it's in a new repo owned by SIG-Etcd.
CVE-2024-5321 has been reported against Kubernetes clusters running Windows. This vulnerability lets users with incorrect permissions read and modify container logs.
Release Schedule
Next Deadline: Code Freeze, July 24th
Code freeze is happening in a week! If your KEP is opted in for the v1.31 release, make sure to get your PRs merged in time before the deadline.
Kubernetes v1.27.16, v1.28.12, v1.29.7 and v1.30.3 patch releases are now live!
Featured PR
#125868: Add --for=create option to kubectl wait
After a few false starts, we are trying again to support a "wait for create" mechanism for kubectl wait. The new --for option will allow pluggable wait conditions beyond the original "wait for delete" and the new "wait for create" (or really "wait for exists"). This can already help streamline shell scripts; talk to SIG-CLI if you're interested in proposing additional modes!
KEP of the Week
4633: Only allow Anonymous Auth for configured endpoints
Allowing anonymous authentication against all or most Kubernetes endpoints can be a huge security hole if you make simple mistakes with RBAC. This KEP implements a way to disable anonymous auth for all endpoints except a specified list (usually healthz, readyz, and livez). This will close a lot of runtime security holes.
4633 was introduced by Vinayak Goyal in May, and is expected to be Alpha in 1.31.
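As an added illustration, not taken from the newsletter or the KEP itself, here is the all-or-nothing --anonymous-auth flag next to the per-endpoint form the KEP describes. The field names follow the KEP's alpha design (AuthenticationConfiguration with an anonymous stanza and the AnonymousAuthConfigurableEndpoints feature gate); check them against the KEP and the v1.31 docs before relying on them.

```yaml
# Weak setting (assumed illustrative kube-apiserver flags, not a real cluster):
#   kube-apiserver --anonymous-auth=true ...
# Every unauthenticated request, to any path, becomes the user
# system:anonymous in group system:unauthenticated. A single sloppy
# RoleBinding/ClusterRoleBinding that includes either subject then
# exposes that API to anyone who can reach the apiserver.

# Hardened setting (assumed flags, per the KEP's alpha design):
#   kube-apiserver --feature-gates=AnonymousAuthConfigurableEndpoints=true \
#                  --authentication-config=/etc/kubernetes/authn.yaml ...
# (the --anonymous-auth flag is not passed; the file below replaces it)
#
# Contents of /etc/kubernetes/authn.yaml:
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
anonymous:
  enabled: true
  # Anonymous identity is only assigned for these exact paths. Probes and
  # load balancers keep working; an unauthenticated request to anything
  # else (e.g. /api/v1/secrets) fails authentication with 401 before RBAC
  # is ever consulted, so a mistaken binding to system:unauthenticated
  # no longer grants access to real resources.
  conditions:
  - path: /livez
  - path: /readyz
  - path: /healthz
```

With the file in place, an RBAC mistake that binds system:unauthenticated to a ClusterRole becomes unreachable rather than exploitable, which is the "runtime security hole" the KEP closes.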
Other Merges
- You can delay terminal Job conditions until all pods are terminal
- Node.Status.Features.SupplementalGroupsPolicy helps implement fine-grained SupplementalGroups control
- e2e tests added for kubelet support for split image filesystem
- Bug fix for when PodIP field is temporarily removed for a terminal pod
- Dynamic client's List method now supports API streaming
- kube-scheduler implements scheduling hints for the VolumeRestriction plugin
- Bug fix in the API server where empty collections of ValidatingAdmissionPolicies did not have an items field
- TopologyManager policy option 'max-allowable-numa-nodes' added to configure maxAllowableNUMANodes for kubelet
- New static policy option SpreadPhysicalCPUsPreferredOption to spread CPUs across physical CPUs
- kube-proxy: Linux and Windows sections adhering to the v1alpha2 specifications added
- PodIP.IP and HostIP.IP are required fields, fixing a regression
- omitempty for optional Job Pod Failure Policy fields
- UserNamespaces field added to NodeRuntimeHandlerFeatures to support the ProcMountType option
- Kubelet on Windows to stop using wmic to query for UUIDs
- Improvements to lock utilization in scheduling queue to increase scheduling throughput when there are many gated pods
Promotions
- JobPodFailurePolicy to GA
- PersistentVolumeLastPhaseTransitionTime to GA
- KubeletCgroupDriverFromCRI to beta
- ElasticIndexedJob to GA
Subprojects and Dependency Updates
- Prometheus v2.53.1: Bug-fix for remote write dropping samples when the sending flow stalled for longer than it takes to write one WAL segment
- kubernetes/cloud-provider-openstack v2.30.2: Openstack Cloud Controller Manager Helm Chart