Last Week In Kubernetes Development

June 1, 2023

LWKD: Week Ending May 28, 2023

Visit www.lwkd.info

Developer News

Please take the Production Readiness Survey if you are a cluster operator.

Security vulnerability: if you are using secrets-store-CSI-driver with Token Requests enabled, you are exposed to CVE-2023-2878. Please disable Token Requests and/or upgrade to v1.3.3 soon.

SIG-Testing has disabled Gubernator, the old test log viewer, after discovering a security issue. Please use Prow View instead.

Sean Sullivan has stepped down from SIG-CLI, and Natasha Sarkar and Eddie Zaneski are stepping up to leadership. Brady Pratt has been nominated as SIG-Testing chair, and Steve Kuznetsov is retiring. Finally, WG-Reliability is dissolving, having done a great job of getting Kubernetes more stable.

Release Schedule

Next Deadline: PRR Freeze, June 8th

Please opt in your enhancements before June 8th to get PRReview. Final enhancement freeze is a week later.

Featured PRs

LegacyServiceAccountTokenCleanUp alpha #115554

Bound service account tokens went GA in 1.22, and are the current and more secure way to allocate service tokens. However, automated generation of the older secret-based tokens is still enabled, and production clusters will have a lot of old tokens still stored. KEP 2799 cleans this up, ending auto-generation of old tokens. This PR implements a purge of the old tokens, which is enabled using the LegacyServiceAccountTokenCleanUp feature gate. By 1.30 or so, expect it to be on by default.
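An added example, not code from the newsletter or from the Kubernetes project: a small audit that lists secret-based service account tokens which look unused, so operators can review them before turning on the cleanup. It assumes input shaped like `kubectl get secrets -A -o json` and relies on the `kubernetes.io/legacy-token-last-used` label written by legacy token tracking; the 365-day threshold, the helper names and the sample secrets are constructed for illustration.

```python
from datetime import date

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
LAST_USED_LABEL = "kubernetes.io/legacy-token-last-used"  # set by legacy token tracking
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"

def _secret(ns, name, stype, sa=None, last_used=None):
    """Build a constructed Secret object with only the fields the audit reads."""
    meta = {"namespace": ns, "name": name, "labels": {}, "annotations": {}}
    if sa:
        meta["annotations"][SA_NAME_ANNOTATION] = sa
    if last_used:
        meta["labels"][LAST_USED_LABEL] = last_used
    return {"type": stype, "metadata": meta}

# Constructed sample, shaped like the output of `kubectl get secrets -A -o json`.
SAMPLE = {"items": [
    _secret("ci", "builder-token-x7k2p", SA_TOKEN_TYPE, "builder", "2021-11-02"),
    _secret("web", "frontend-token-9qq4z", SA_TOKEN_TYPE, "frontend", "2023-05-20"),
    _secret("default", "default-token-abc12", SA_TOKEN_TYPE, "default"),
    _secret("web", "tls-cert", "kubernetes.io/tls"),
]}

def stale_legacy_tokens(secret_list, today, max_idle_days=365):
    """List secret-based service account tokens that look unused.

    A token is reported when its last-used label is older than max_idle_days
    (an assumed threshold) or absent, meaning tracking never saw it used.
    This does not check whether a pod mounts the secret or whether it was
    auto-generated, so treat the result as a review list, not a delete list.
    """
    stale = []
    for item in secret_list.get("items", []):
        if item.get("type") != SA_TOKEN_TYPE:
            continue  # TLS, Opaque, etc. are out of scope
        meta = item.get("metadata", {})
        last_used = (meta.get("labels") or {}).get(LAST_USED_LABEL)
        if last_used and (today - date.fromisoformat(last_used)).days <= max_idle_days:
            continue  # recently used: a workload still depends on this token
        sa = (meta.get("annotations") or {}).get(SA_NAME_ANNOTATION)
        stale.append((meta.get("namespace"), meta.get("name"), sa, last_used))
    return stale

if __name__ == "__main__":
    for row in stale_legacy_tokens(SAMPLE, today=date(2023, 5, 28)):
        print(*row)
```

Tokens that still show recent use are the ones to migrate to bound tokens first, since a workload is actively presenting them.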

Other Merges

  • PV recycler can scrub volumes with large numbers of files
  • Client-go: use reflector cache memory more efficiently
  • List and Watch both share the same backoff manager
  • Annotate pods that are disrupted to make way for a critical pod, so that we know whether to retry them
  • kubeadm can validate configurations, inits much faster, and will warn, not error, for deprecations
  • Prevent APIservice objects from being deleted at server start
  • Fix code block indentation in kubectl --help
  • Cloud Providers don't have to have providerID to still work with load balancers
  • restricted debug profile works now
  • Contextual Logging Migration: scheduler interface

Promotions

  • ServiceNodePortStaticSubrange to beta
  • LegacyServiceAccountTokenTracking to GA
  • ExpandedDNSConfig to GA
  • podresources to GA

Deprecated

  • kube-batch is archived
  • Remove the deprecated azure-file in-tree storage

Version Updates

  • Kubespray is v2.22