LWKD: Week Ending July 23, 2023
Last Week in Kubernetes Development
Week ending July 23, 2023
Our apologies for this late issue. Our newsletter platform was having technical issues, which have been fixed.
Developer News
The Long Term Support WG is approved and will be meeting soon; if you expect to participate, fill out the Doodle for meeting times. Also, join the mailing list.
Release Schedule
Next Deadline: Test Freeze and Docs Due, July 25th
We are now in Code Freeze, with 41 tracked Enhancements, and on target for an August 15th release. Tuesday is the big day for all the code freeze activities, with a halt to test changes (except bug fixes), documentation ready for review, RC0 released, and the 1.28 release branched. Comms and the SIG Leads will also decide the major themes of the 1.28 release, and the release notes team will start working on their draft. Mickey Boxell, Release Lead Shadow, says that even though we're past the deadline for Feature Blog items, if you have something really good, opt in and contact the release team.
Patch releases 1.27.4, 1.26.7, 1.25.12, 1.24.16 came out last week. This includes a Go version bump. This is the last update for 1.24.
Featured PRs
#119215: KEP-3488: Per namespace policy params
CEL-based admission policies have, for a while now, supported binding-time parameters. This allows using a single policy but varying specific values for specific targets, such as "all deployments starting with web- must have at least 4 replicas, but deployments starting with worker- must have at least 2". Params could be specified inline on the policy binding or set via a reference to another object. This paramRef system allowed using custom resources so the parameters themselves could be validated and kept to a schema. This has all worked great, but one fairly common use case which hasn't so far been easy is setting per-namespace params. The new namespaceParamRef mode adds this, allowing you to point at an object relative to the target (the namespace of the resource under admission) rather than at one fixed namespace named in the binding. In concrete terms this allows things like "PVCs in each namespace can only request up to N bytes" where N is set for each namespace separately. It could also allow namespace-level admins to tweak the parameters for their application without having control over the policy as a whole. Note that this moves part of the trust boundary: whoever can write the per-namespace parameter object can loosen the limits for that namespace, so the RBAC on that object matters as much as the policy itself.
This is also a milestone PR as it is the last feature from KEP-3488's "phase 2" and with it completed the CEL for Admission Control feature has been advanced to Beta status. Big congrats to everyone who has helped this system over the last year it has been in development!
#119390: cmd/kubelet: implement drop-in configuration directory for kubelet
If there is one thing we nerds like it's consistency, and as T extends towards infinity it seems like all software supports a .d/ config folder pattern. And now it's kubelet's turn with --config-dir=/etc/kubelet.conf.d, or any other path you want. As with other .d/ patterns, this allows layering a configuration out of multiple fragments, loaded in lexical order (usually meaning a pattern of files named 0001-something.yaml and so on), with later fragments taking precedence over earlier ones. This is a big win for deployment tools, distributors, and anything which wants to interact with kubelet configs in a modular way. It also means the drop-in directory is now as security-sensitive as the main kubelet config file and should get the same ownership and permissions. As an alpha feature, using this requires setting $KUBELET_CONFIG_DROPIN_DIR_ALPHA in the environment for now, but check it out if you can!
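As an added example (mine, not from the page or the kubelet project) of how the layering works, here is a base configuration plus one drop-in fragment, written as a multi-document YAML with the intended file path in a comment above each document. The paths, the .conf suffix on drop-in files, and the rule that drop-ins are applied after the --config file with later files overriding earlier ones are assumptions to check against the kubelet documentation for your version.

```yaml
# File 1 (assumed path): /var/lib/kubelet/config.yaml, passed via --config.
# A distributor ships this hardened baseline.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false          # no unauthenticated requests to the kubelet API
  webhook:
    enabled: true           # delegate token checks to the API server
authorization:
  mode: Webhook             # delegate authorization (SubjectAccessReview)
readOnlyPort: 0             # disable the unauthenticated read-only port
rotateCertificates: true
---
# File 2 (assumed path): /etc/kubelet.conf.d/10-site.conf, picked up via
# --config-dir=/etc/kubelet.conf.d and applied on top of file 1.
# A site operator adds capacity and TLS settings without editing the baseline.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
maxPods: 250
serializeImagePulls: false
tlsMinVersion: VersionTLS12
tlsCipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```

The fragment only adds fields, so the result is the union of the two documents. The caveat a practitioner will want: because a later file wins, a stray `zz-debug.conf` in the same directory that sets `authentication.anonymous.enabled: true` and `authorization.mode: AlwaysAllow` would silently undo the baseline, so restrict write access to the directory exactly as you do for the main config file, and confirm the effective configuration on a running node through the kubelet's authenticated `/configz` endpoint rather than by reading the files.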
Featured KEP
KEP 3488 - CEL for Admission Control
This KEP provides an alternative to webhooks as a form of validating admission control. The KEP introduces a ValidatingAdmissionPolicy kind to the admissionregistration.k8s.io group. A ValidatingAdmissionPolicy object defines an admission control policy whose CEL expressions are evaluated against the incoming request (and optional parameters) to accept or reject it; a companion ValidatingAdmissionPolicyBinding selects which resources the policy applies to and supplies those parameters.
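The following is an added example (mine, not from the page, the KEP, or the Kubernetes project) that ties the Featured KEP above to the per-namespace parameters described under #119215: one cluster-wide policy that caps Deployment replicas, with the cap read from a ConfigMap that lives in the namespace of the Deployment being admitted. All names are invented. It assumes the v1beta1 API shape in which a binding's paramRef with no namespace set resolves the parameter object in the request's own namespace; check the exact field spelling against the 1.28 API reference for the mode the page calls namespaceParamRef.

```yaml
# Added example: cluster-scoped policy; the replica ceiling comes from params.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: replica-ceiling.example.com
spec:
  failurePolicy: Fail          # fail closed if the expression errors
  paramKind:
    apiVersion: v1
    kind: ConfigMap              # plain ConfigMap so no CRD is needed here
  matchConstraints:
    resourceRules:
    - apiGroups: ["apps"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["deployments"]
  validations:
  - expression: "!has(object.spec.replicas) || object.spec.replicas <= int(params.data.maxReplicas)"
    messageExpression: "'replicas must be <= ' + params.data.maxReplicas + ' in namespace ' + object.metadata.namespace"
---
# Added example: the binding. paramRef names the object but not a namespace,
# so (assumed per-namespace mode) the ConfigMap is looked up in the namespace
# of the Deployment under admission.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: replica-ceiling-binding.example.com
spec:
  policyName: replica-ceiling.example.com
  validationActions: [Deny]
  paramRef:
    name: replica-ceiling
    parameterNotFoundAction: Deny   # a namespace with no ConfigMap gets no Deployments
  matchResources:
    namespaceSelector:
      matchLabels:
        replica-ceiling.example.com/enforced: "true"
---
# Constructed per-namespace parameter object; each opted-in namespace has one.
apiVersion: v1
kind: ConfigMap
metadata:
  name: replica-ceiling
  namespace: team-web
data:
  maxReplicas: "4"
```

Two design choices are worth calling out. `parameterNotFoundAction: Deny` together with `failurePolicy: Fail` makes the policy fail closed: a labelled namespace with a missing or malformed ConfigMap rejects Deployment writes instead of silently running unlimited. And because the ceiling is just a ConfigMap in the team's namespace, anyone with update rights on that ConfigMap can raise it; that is the intended delegation the page describes, but it means RBAC on `configmaps/replica-ceiling` is part of the policy's security boundary.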
Other Merges
- The Job API takes a podReplacementPolicy, including Terminating field, which permits waiting to create new pods only after the old ones are fully terminated
- Replace counter-based key generation in KMS2 with seed-based for better security; will become default in 1.29
- If the APIserver can't serve a request because of version skew, proxy it to another (to support mixed-version and upgrading clusters)
- Refactor APIserver's JSON parser and add some tests
- Make the "lazy OpenAPI aggregator" even lazier
- CEL CRD validation includes reason and fieldPath values to show to the user
- Add LastPhaseTransitionTime field to PVs
- The Conformance image has switched back to Debian from Distroless due to failing tests
- Fixed two flaky tests: CEL Reason, XValidation