LWKD: Week Ending March 23, 2025
Developer News
Five security vulnerabilities in Ingress-Nginx, one of them critical, that can result in arbitrary code execution (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-1974) were reported to the SRC. In a default installation, exploitation can compromise all Secrets on the cluster. Upgrade Ingress-Nginx to the latest version (v1.11.5 or v1.12.1) immediately. If you cannot upgrade, disabling the Validating Admission Controllers blocks some of the exploits.
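As an added inventory check (not part of the original issue or the Ingress-Nginx project), the script below flags controller images older than the fixed releases named above and lists which ValidatingWebhookConfigurations still point at an ingress-nginx service, so an operator can see at a glance which clusters need the upgrade or the stopgap. It reads the JSON shape that `kubectl get deploy,ds -A -o json` and `kubectl get validatingwebhookconfigurations -o json` produce; the sample objects are constructed, the treatment of minor lines other than 1.11 and 1.12 and the "service name contains ingress-nginx" heuristic are assumptions.

```python
"""Flag ingress-nginx controllers older than the fixed releases (v1.11.5 / v1.12.1)
and list admission webhook configurations that still target ingress-nginx.
Sample input below is constructed, not captured from a real cluster."""
import re
from typing import Optional

# Fixed releases named in the advisory. Assumption: minor lines older than 1.11
# need an upgrade too, and 1.13+ is assumed to carry the fix.
FIXED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}

IMAGE_RE = re.compile(r"ingress-nginx/controller[^:@]*:v?(\d+)\.(\d+)\.(\d+)")


def parse_controller_version(image: str) -> Optional[tuple]:
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = IMAGE_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_upgrade(version: tuple) -> bool:
    """True when the version predates the fixed release of its minor line."""
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    return line < (1, 11)


def find_controllers(workloads: dict) -> list:
    """One finding per container whose image is an ingress-nginx controller."""
    findings = []
    for item in workloads["items"]:
        meta = item["metadata"]
        for c in item["spec"]["template"]["spec"]["containers"]:
            v = parse_controller_version(c["image"])
            if v is None:
                continue
            findings.append({"namespace": meta["namespace"], "name": meta["name"],
                             "image": c["image"], "needs_upgrade": needs_upgrade(v)})
    return findings


def admission_webhooks(vwcs: dict) -> list:
    """Names of ValidatingWebhookConfigurations whose webhook targets an
    ingress-nginx service (assumption: the service name contains 'ingress-nginx')."""
    names = []
    for item in vwcs["items"]:
        for wh in item.get("webhooks", []):
            svc = wh.get("clientConfig", {}).get("service", {})
            if "ingress-nginx" in svc.get("name", ""):
                names.append(item["metadata"]["name"])
                break
    return names


# Constructed sample input (hypothetical workloads and webhook configurations).
def _workload(ns: str, name: str, image: str) -> dict:
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"spec": {"containers": [
                {"name": "controller", "image": image}]}}}}


SAMPLE_WORKLOADS = {"items": [
    _workload("ingress-nginx", "ingress-nginx-controller",
              "registry.k8s.io/ingress-nginx/controller:v1.12.0"),
    _workload("edge", "ingress-nginx-controller",
              "registry.k8s.io/ingress-nginx/controller-chroot:v1.11.5"),
    _workload("web", "frontend", "nginx:1.27"),
]}

SAMPLE_WEBHOOKS = {"items": [
    {"metadata": {"name": "ingress-nginx-admission"},
     "webhooks": [{"name": "validate.nginx.ingress.kubernetes.io",
                   "clientConfig": {"service": {
                       "namespace": "ingress-nginx",
                       "name": "ingress-nginx-controller-admission"}}}]},
    {"metadata": {"name": "cert-manager-webhook"},
     "webhooks": [{"name": "webhook.cert-manager.io",
                   "clientConfig": {"service": {
                       "namespace": "cert-manager", "name": "cert-manager-webhook"}}}]},
]}

if __name__ == "__main__":
    for f in find_controllers(SAMPLE_WORKLOADS):
        status = "UPGRADE" if f["needs_upgrade"] else "ok"
        print(f"{status:8} {f['namespace']}/{f['name']}  {f['image']}")
    print("admission webhooks still registered:", admission_webhooks(SAMPLE_WEBHOOKS))
```

Feed it the real `kubectl` output by loading the JSON into `find_controllers` and `admission_webhooks`; a controller reported as `ok` still has its admission webhook listed, which is the expected state once upgraded.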
There is also a new low-risk vulnerability in Kubernetes network policy enforcement, CVE-2024-7598; a long-term solution is being discussed in a KEP.
Siyuan Zhang has begun a discussion on Emulation Version changes coming over the next few releases.
Registration for the KubeCon London Maintainer Summit closes Thursday, don't miss it! Also, remember to sign up with your SIG for the Meet & Greet on April 3.
There will not be an LWKD issue next week because of KubeCon + CloudNativeCon EU. Happy KubeCon week to everyone attending!
Release Schedule
Next Deadline: Docs PRs ready for review, March 25
Code freeze is in effect for Kubernetes v1.33. Folks whose KEPs are tracked for the release (all 58 of them), make sure to get your docs PRs ready for review soon!
Featured PRs
Container Stop Signals
This PR adds the initial implementation for the alpha release of custom container stop signals. A new container Lifecycle field, StopSignal, lets users define a custom stop signal for their containers, overriding the default signal set in the image or container runtime. The PR adds StopSignal to the container Lifecycle and also adds a StopSignal field to both ContainerConfig and ContainerStatus in the CRI API. Once the logic for using the custom stop signal has been added to the individual container runtimes, each runtime will also report the effective stop signal used by a container in its container status.
KEP of the Week
KEP 1790: Recovery from volume expansion failure
This KEP proposes allowing users to reduce a PersistentVolumeClaim (PVC) size after a failed expansion due to storage provider limitations. To prevent quota abuse, a new field, pvc.Status.AllocatedResources, ensures accurate tracking. Users can retry expansion with a smaller size, and quota calculations will use the maximum of pvc.Spec.Capacity and pvc.Status.AllocatedResources.
This KEP is tracked for beta in the ongoing release cycle.
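To make the quota rule concrete, here is an added worked example (not code from the KEP or from Kubernetes) that simulates the two sides of the flow: the user editing the PVC request and the resize controller recording allocated resources before and after asking the storage provider. It walks through a failed 100Gi expansion on a provider capped at 50Gi and shows that lowering the request to 20Gi does not release quota until the controller confirms the smaller size. The field names, the provider limit and the simplified controller behaviour are assumptions made for illustration.

```python
"""Worked example of the KEP 1790 quota rule: a PVC is charged
max(spec request, status.allocatedResources), so a lowered request after a
failed expansion cannot free quota before the controller confirms it.
The controller model and scenario below are simplified assumptions."""
import re
from dataclasses import dataclass

# Binary suffixes of Kubernetes resource quantities (subset used here).
_SUFFIX = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}


def parse_quantity(q: str) -> int:
    """Convert '10Gi', '512Mi' or a bare byte count to bytes."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|Ti)?", q)
    if not m:
        raise ValueError(f"unsupported quantity: {q}")
    return int(m.group(1)) * (_SUFFIX[m.group(2)] if m.group(2) else 1)


@dataclass
class PVC:
    name: str
    requested: int  # spec request: what the user asked for (bytes)
    allocated: int  # status.allocatedResources: what quota is charged for
    capacity: int   # status.capacity: what the provider actually provisioned


def quota_usage(pvc: PVC) -> int:
    """KEP 1790 rule: charge the larger of the request and allocatedResources."""
    return max(pvc.requested, pvc.allocated)


def create_pvc(name: str, size: str) -> PVC:
    b = parse_quantity(size)
    return PVC(name, b, b, b)


def set_request(pvc: PVC, size: str) -> None:
    """User edits the spec. A smaller request is accepted only while it is at
    least the provisioned capacity: a volume that already grew cannot shrink."""
    b = parse_quantity(size)
    if b < pvc.capacity:
        raise ValueError(f"{size} is below the provisioned capacity of {pvc.name}")
    pvc.requested = b


def reconcile_expansion(pvc: PVC, provider_max: str) -> bool:
    """Resize-controller side (simplified). allocatedResources is raised to the
    request *before* the provider is asked, so a failed attempt keeps the quota
    charged; on success it is set to the request, so a retry with a smaller
    request releases the excess."""
    limit = parse_quantity(provider_max)
    if pvc.requested == pvc.capacity:
        return True  # nothing to do
    pvc.allocated = max(pvc.allocated, pvc.requested)
    if pvc.requested > limit:
        return False  # provider refused; allocated stays at the failed size
    pvc.capacity = pvc.requested
    pvc.allocated = pvc.requested
    return True


def walkthrough() -> list:
    """Failed 100Gi expansion on a provider capped at 50Gi, then recovery at 20Gi.
    Returns the quota charged (in Gi) after each step."""
    pvc = create_pvc("data", "10Gi")
    charged = [quota_usage(pvc)]                 # 10Gi: fresh claim
    set_request(pvc, "100Gi")
    reconcile_expansion(pvc, "50Gi")             # provider cannot grow past 50Gi
    charged.append(quota_usage(pvc))             # 100Gi: charged for the failed attempt
    set_request(pvc, "20Gi")                     # user lowers the request to recover
    charged.append(quota_usage(pvc))             # still 100Gi: allocated not yet reconciled
    reconcile_expansion(pvc, "50Gi")             # retry succeeds at 20Gi
    charged.append(quota_usage(pvc))             # 20Gi: excess released
    return [c // _SUFFIX["Gi"] for c in charged]


if __name__ == "__main__":
    print("quota charged after each step (Gi):", walkthrough())
```

The third value is the point of the KEP: between the user's edit and the controller's successful retry, the namespace is still charged the full failed amount, so repeatedly requesting and withdrawing large expansions cannot be used to hold more storage than the quota allows.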
Other Merges
- CPUManager feature gate removed after graduating to GA
- Separate container runtime filesystem e2e tests added
- DisableNodeKubeProxyVersion feature gate to be enabled by default
- HTTPS Proxy support for WebSockets
- Compressed and uncompressed kubelet log file permissions to be consistent
- ListFromCacheSnapshot feature gate added to allow apiserver to serve LISTs with exact RV and continuations from cache
- Integration tests for PreferSameZone/PreferSameNode
- Mutation of authn options removed by binding flag setters to a tracking bool in options
- InPlacePodVerticalScaling: Errors that occur during pod resize actuation will be surfaced in the PodResizeInProgress condition
- In-place pod resize disabled for swap-enabled containers that do not have a memory ResizePolicy of RestartContainer
- New 'tolerance' field to HorizontalPodAutoscaler, overriding the cluster-wide default
- SchedulerPopFromBackoffQ beta feature gate to improve scheduling queue behavior by popping pods from the backoffQ when the activeQ is empty
- Dynamic Resource Allocation to support partitionable devices allocation with DRAPartitionableDevices feature gate
- More e2e tests added for the kubelet mappings functionality
- Pressure Stall Information (PSI) metrics added to node metrics
- Pod API updated to support hugepage resources at spec level for pod-level resources
- InPlacePodVerticalScaling E2E tests to run in the default PR-blocking jobs
- Bugfix for when pods did not correctly have a Pending phase after node reboot
- Topology labels to be copied from Node objects to Pods upon scheduling
- Feature gated test labeling implemented
Promotions
- SupplementalGroupsPolicy to beta
- CPUManagerPolicyOptions to GA
- NodeInclusionPolicyInPodTopologySpread to GA
- ProcMountType to beta
- PodLifecycleSleepActionAllowZero to beta
Deprecated
- InPlacePodVerticalScalingAllocatedStatus feature gate is deprecated
Shoutouts
- Nina Polshakova: Huge shoutout to the v1.33 Enhancements team for a seamless code and test freeze yesterday: @Dipesh, @Arka, @eunji, @Faeka Ansari, @Jenny Shu, and @lzung — amazing work! And props to Dipesh for accurately predicting the number of KEPs (58!) tracked at code freeze!