LWKD: Week Ending March 5, 2023
Developer News
Reminder: k8s.gcr.io will be frozen on April 3rd. You need to update all components to target registry.k8s.io. Also, update your production clusters to pull from registry.k8s.io; this should work with both (updated) containerd and CRI-O now.
The Contributor Summit is looking for session suggestions. These can be sessions you’ll lead, or sessions you want to attend – please suggest!
Kubernetes has been invited to participate in the 2023 OpenInfra Project Team Gathering. If you’re interested – especially if you were going anyway – please tell Kendall Nelson. We particularly want folks who work on the OpenStack Cloud Provider.
Release Schedule
Next Deadline: Feature Blog Freeze, March 8th
By the time you read this, enhancement exceptions are closed, which means it's on to deciding what we'll feature in the blog. Time to do a write-up! Code Freeze and the draft docs deadline are a week from now, March 15th. 1.27 Alpha 3 is out if you want to give it a spin.
The cherry-pick deadline for the next set of patch releases is this Friday.
Featured PRs
#116054: KEP-3488: Implement secondary authz for ValidatingAdmissionPolicy
CEL for admission control was added as an Alpha feature in 1.26. It allows writing complex admission control rules as CEL expressions in declarative resources rather than building and deploying webhooks. Admission webhooks have been a cornerstone of our flexibility and integration with third-party tools, but they are a lot of complexity to bite off for new users, and the new CEL system will hopefully take over the simpler, standalone cases where only small tweaks to the default rules are needed.
This PR adds some new, powerful capabilities to the system. Previously the expression context exposed information about the current request and the target resource; now you can dip back into the authorization layer to check RBAC permissions dynamically. Some places this could be useful: using RBAC for per-field update permissions, allowing RBAC checks for specific objects without using the dreaded resourceNames system, or limiting access to procedurally sensitive fields like finalizers based on the requester identity, without having to generate complex RBAC policies.
This was joined this week by #115973, which allows emitting audit log events, either as the primary action on failures or, if you need more data, via one or more CEL expressions that produce detailed values to send to the audit subsystem. This gives you powerful debugging options while developing new policies as well as runtime analysis. Other CEL admission features include cost checking, so you don't accidentally denial-of-service your own kube-apiserver with all these new features, and improved type checking. All together there's a ton of new capabilities for CEL-based admission processing, hopefully further pushing webhooks into only the places they are needed most.
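As a worked illustration of both the secondary authorization check and the audit annotations described above, here is an added example (not code from the LWKD post or from the Kubernetes project): a policy that lets only requesters with update permission on the deployments/finalizers subresource change a Deployment's finalizers, and records the requester as an audit annotation. It assumes the 1.27 admissionregistration.k8s.io/v1alpha1 API with the ValidatingAdmissionPolicy feature gate enabled; the policy, binding and ClusterRole names are illustrative.

```yaml
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  name: deployment-finalizers-require-permission
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["apps"]
      apiVersions: ["v1"]
      operations: ["UPDATE"]
      resources: ["deployments"]
  validations:
  # Allow the update when finalizers are unchanged; otherwise ask the authorizer whether
  # the requester may 'update' the deployments/finalizers subresource of this object.
  - expression: >-
      (has(object.metadata.finalizers) ? object.metadata.finalizers : []) ==
      (has(oldObject.metadata.finalizers) ? oldObject.metadata.finalizers : []) ||
      authorizer.group('apps').resource('deployments').subresource('finalizers')
        .namespace(object.metadata.namespace).name(object.metadata.name)
        .check('update').allowed()
    message: "changing metadata.finalizers requires update on deployments/finalizers"
  # Audit annotation (the #115973 work): record the requester on every evaluated request.
  auditAnnotations:
  - key: finalizer-policy-requester
    valueExpression: "'user=' + request.userInfo.username"
---
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deployment-finalizers-require-permission
spec:
  policyName: deployment-finalizers-require-permission
  validationActions: ["Deny"]
---
# Illustrative RBAC granting the checked permission to whoever is bound to this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-finalizer-editor
rules:
- apiGroups: ["apps"]
  resources: ["deployments/finalizers"]
  verbs: ["update"]
```

Because the authorizer answers a normal SubjectAccessReview-style question, the same ClusterRole that gates this policy also shows up in ordinary RBAC tooling, so auditing who can edit finalizers needs no policy-specific inventory.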
Other Merges
- Limit the number of concurrent image pulls by the kubelet
- Watch-list streaming has an API
- Shutting down Informers will wait for goroutines
- Clean up code/explain links to obsolete user-guide URLs
- The OpenAPI v3 upgrade PR that was reverted last week has been de-reverted, which lets us use the OpenAPI v3 QueryParamVerifier
- Don’t set default storage class if there is a legacy storageclass
- Make sure to include labels when using pruning v2
- Add some volume reconstruction metrics and plugin eval metrics
- Stop tolerating 403s and 404s
- If PDB finds an unmanaged pod, create warning events
- You can run benchstat interactively for quick performance tests
- Replace deprecated type pointers in kubelet
- Check for healthy devices during node recovery
- Really allocate a full core when we say we are
- Automatically re-create PVCs for StatefulSet pods where possible
- Speed up FormatMap by 4x
Testing Improvements: kms2 tests, more kms2 tests, kms2 test setup, check if in Windows VM, run go-vet in go linting, batch validation, aggregator tests, check for unknown pods, device manager revo
Promotions
Deprecated
- The long-deprecated in-tree AWS Cloud Provider is removed, including EBS; start using the external cloud provider and CSI driver
- Remove very old superseded IPv6DualStack feature gate from controller-manager