LWKD: Week Ending November 5, 2023
Developer News
After a bit of a hiatus, WG-LTS has been restarted and is running a survey about the upgrade experience to gather information from the community as they decide what the needs of an LTS version of Kubernetes would be in the current environment.
Release Schedule
Next Deadline: Test Freeze, November 15th
Code freeze continues; with much of the release team at KubeCon NA, updates have been low. Please continue to assist with any requests to clear broken or flaky tests so we can keep things on schedule.
Featured PR
#113374: Implement ClusterTrustBundlePEM projected volume
Previously called PEMTrustAnchors, this feature adds a dedicated way to manage TLS certificate bundles and distribute them to workloads. It comes in two parts: a ClusterTrustBundle resource type and a clusterTrustBundle projected volume source. The ClusterTrustBundle provides a cluster-scoped (i.e. non-namespaced) home for a certificate or chain of certificates, with a signer name and the usual metadata labels. These can then be referenced in a projected volume mount, either directly by name or via a label selector if you want to automate the handling of multiple trust roots or root rotations.
Projected volumes are a type of virtual volume source that can map multiple types of metadata into a single mount folder inside a pod. Currently they support downwardAPI to get information about the Pod itself, serviceAccountToken for accessing specialized bound tokens, and configMap and secret with their usual semantics. The new clusterTrustBundle type collects one or more ClusterTrustBundle objects, concatenates their PEM data, and exposes the result at the requested path.
While not included in this PR, discussions have already started around how to extend this concept to a namespaced TrustBundle type in the future.
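As an added example (not code from the PR or from the newsletter), this manifest shows both halves of the feature: a ClusterTrustBundle carrying an internal CA, and a Pod that mounts it through a clusterTrustBundle projected volume source, once by label selector and once by name. It assumes a v1.29 cluster with the ClusterTrustBundle and ClusterTrustBundleProjection feature gates and the certificates.k8s.io/v1alpha1 API enabled; the signer name, labels, image and PEM body are placeholders.

```yaml
# Cluster-scoped trust anchor. When signerName is set, the object name is
# expected to be prefixed with the signer name with "/" replaced by ":"
# (assumption from the v1alpha1 API; check against your cluster version).
apiVersion: certificates.k8s.io/v1alpha1
kind: ClusterTrustBundle
metadata:
  name: example.com:internal-ca:2023
  labels:
    example.com/trust-category: internal
spec:
  signerName: example.com/internal-ca
  trustBundle: |
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER: base64 DER of the internal CA certificate>
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Pod
metadata:
  name: trust-bundle-consumer
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    volumeMounts:
    - name: trust-anchors
      mountPath: /etc/ssl/trust
      readOnly: true
  volumes:
  - name: trust-anchors
    projected:
      sources:
      # By label: every ClusterTrustBundle with this signer and label is
      # concatenated into one PEM file, so root rotation is just adding
      # (and later removing) a bundle object, with no pod spec change.
      - clusterTrustBundle:
          signerName: example.com/internal-ca
          labelSelector:
            matchLabels:
              example.com/trust-category: internal
          path: internal-ca-bundle.pem
      # By name: pin one specific bundle; optional tolerates its absence.
      - clusterTrustBundle:
          name: example.com:internal-ca:2023
          optional: true
          path: pinned-ca.pem
```

The workload then trusts only the anchors published in the selected bundles (for example by pointing its TLS client at /etc/ssl/trust/internal-ca-bundle.pem), rather than whatever CA store ships in its base image.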
KEP of the Week
KEP 727 - Kubelet Resource Metrics Endpoint
This KEP proposes a new /metrics/resource endpoint in the kubelet, exposing metrics in the Prometheus text exposition format. It serves the minimum set of metrics required by the cluster-level Resource Metrics API.
This KEP is targeting the stable milestone in the upcoming v1.29 release.
Other Merges
- kube-proxy gains an nftables backend
- Ratcheting CEL validation can opt-in to running at create in addition to update
- A new ServiceCIDR type to dynamically reconfigure the IP ranges used for services
- Support new CRI APIs for per-plugin image cleanup
- Fix VPA jamming when used with non-standard resources