October 18, 2023

LWKD: Week Ending October 15, 2023

Last Week in Kubernetes Development

Week ending October 15, 2023

Developer News

Ben, Arnaud, and Mahamed are replacing Aaron and Tim Hockin as SIG-K8s-Infra leadership.

Release Schedule

Next Deadline: Exception Requests Due, October 23rd

Patch releases, including a go version bump are expected out this Wednesday (October 18th). As a reminder, these will not be posted to the legacy package repos; you need to download from pkgs.k8s.io.

KEP of the Week

KEP 4191 - Kubelet support for image filesystem being split

This KEP proposes to make the kubelet aware of whether or not a container runtime splits the image filesystem. Typically when users deploy Kubernetes, the node and image filesystems are on the same disk. We can split the writeable layer where the container information is stored from the readable layer, where the images are stored. This can be useful since the images occupy a lot more disk space. In the current implementation, containers and images must be stored on the same disk. Garbage collection would only collect images/containers on the image filesystem. Currently if the container runtime separates the writable layers (containers) from the readable layers (images), the garbage collection doesn't account for this separation.

This KEP has been authored by Kevin Hannon and is tracked to be in alpha stage in the upcomign v1.29 release.

Other Merges

• Mitigate http2 denial-of-service attack (CVE-2023-44487 and CVE-2023-39325) by unauthenticated clients; backported

• Prevent 1.28 race condition crash with concurrent StatefulSet PVC creation

• ValidatingAdmissionPolicy gets typed variables
• DRA: avoid creating a scheduling deadlock between selected and potential nodes, drivers should work on both 1.27 and 1.28, and UnsuitableNodes should check unallocated claims
• You can multiply in Resource requests now; can quadratic equations be far behind?
• Add a sleep for your PreStop hook and your containers will pause before shutting down
• Containers are allowed to use tcp_keepalive_time syscall
• UDP conntrack timeouts are configurable
• Use cached pod QOSClass if set, instead of querying the system every lookup
• Habeas Corpus: OpenAPI v3 requires a RequestBody, and rename the metric while we're at it
• container_start_time_seconds actually shows seconds
• Kubeadm: remove alpha disclaimer for certs, adjust skew policy, stop accepting component config during upgrade plan, turn on CLI/config merging by default
• Kube-proxy reports healthz for dual-stack
• Don't use a UID for IPaddress objects, since they have to be unique
• Clean up some chronic logging errors

Promotions

• PodReadyToStartContainers to beta

Deprecated

• The removal of kubepkg and rapture is complete
• The alpha ClusterCIDR API has been removed since the related KEP isn't going ahead
• Remove GA'd feature gates: RetroactiveDefaultStorageClass, DownwardAPIHugePages, GPRCContainerProbe, JobTrackingWithFinalizers, and a whole bunch more

Version Updates

• golang to 1.20.10 in supported versions, and to 1.21.3 in 1.29
• distroless-iptables image to v0.4.1