LWKD: Week Ending September 18, 2022
Developer News
Two security reports this week: CVE-2022-3172, which allows aggregated API servers to misdirect traffic and steal credentials, and CVE-2021-25749, which can let users deploy Windows container workloads as Administrator. Both issues are fixed in the latest patch releases. Note that the patch for CVE-2022-3172 blocks all 3xx (redirect) responses, so test after upgrading and be prepared to set --aggregator-reject-forwarding-redirect if your API server uses redirects.
Votes for the 2022 Steering Election are due September 29th. Please vote now!
The Contributor Summit CfP is still open.
Release Schedule
Next Deadline: Production Readiness Review, September 29th
Have your draft KEPs ready for the PRR team by next Thursday, and final versions opted-in by October 6th. Current CI signal is green.
Patch releases for 1.25.1, 1.24.5, 1.23.11, and 1.22.14 came out last week. In addition to the above security issues, these patches fix a large number of bugs discovered during 1.25 Code Freeze and backported, as well as updating Go for all versions.
Featured PR
#111333: Add auth API to get self subject attributes
For a long time, the TokenReview API under authentication/v1 has allowed getting the user details from a cluster JWT, such as a ServiceAccount token. That lets you check who a credential presented by another party belongs to, but not check your own. The newly added SelfSubjectReview provides this capability: any user can confirm what user information kube-apiserver sees for them, both for debugging user configurations with the new kubectl auth whoami and for diagnosing server-side plugin configuration issues. Check it out if you have any automated troubleshooting tools or self-diagnostic systems.
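As an added example (not code from LWKD or from the Kubernetes PR), here is the kind of self-diagnostic a troubleshooting tool could build on SelfSubjectReview: it constructs the request body, summarizes the user info the server returns, and compares it with the identity the client configuration was supposed to produce. The API path and group version are assumptions (the alpha version the PR introduced), and the response is a constructed sample in the shape kubectl auth whoami -o json would print.

```python
"""Self-diagnostic built on SelfSubjectReview (added example, not the project's code).

Assumptions, labelled: the request is POSTed to
/apis/authentication.k8s.io/v1alpha1/selfsubjectreviews (alpha group version),
and the response carries status.userInfo with username/uid/groups/extra,
mirroring the authentication.k8s.io UserInfo shape.
"""
import json

API_PATH = "/apis/authentication.k8s.io/v1alpha1/selfsubjectreviews"  # assumed alpha path


def self_subject_review_request() -> dict:
    """Body for the POST: the object has no spec; the server fills in status."""
    return {"apiVersion": "authentication.k8s.io/v1alpha1", "kind": "SelfSubjectReview"}


def summarize_user_info(review: dict) -> dict:
    """Extract username, uid, groups and extra from a SelfSubjectReview response.

    Missing fields become empty values so callers can compare uniformly,
    which also covers a server that returned no status at all.
    """
    info = review.get("status", {}).get("userInfo", {})
    return {
        "username": info.get("username", ""),
        "uid": info.get("uid", ""),
        "groups": sorted(info.get("groups", [])),
        "extra": {k: sorted(v) for k, v in info.get("extra", {}).items()},
    }


def identity_mismatches(review: dict, expected_username: str, expected_groups: list) -> list:
    """Compare what kube-apiserver sees with what the client config intended.

    Returns human-readable findings; an empty list means the identity matches.
    A mismatch here usually points at the kubeconfig, the token being sent,
    or a server-side authenticator/webhook mapping the identity differently.
    """
    seen = summarize_user_info(review)
    findings = []
    if seen["username"] != expected_username:
        findings.append(
            f"username: expected {expected_username!r}, server sees {seen['username']!r}"
        )
    missing = sorted(set(expected_groups) - set(seen["groups"]))
    if missing:
        findings.append(f"groups missing from server view: {missing}")
    if "system:authenticated" not in seen["groups"]:
        findings.append("server did not place the identity in system:authenticated")
    return findings


# Constructed sample response for a service account token (not captured from a real cluster).
SAMPLE_RESPONSE = json.loads("""{
  "apiVersion": "authentication.k8s.io/v1alpha1",
  "kind": "SelfSubjectReview",
  "status": {
    "userInfo": {
      "username": "system:serviceaccount:monitoring:prometheus",
      "uid": "0123-constructed-uid",
      "groups": ["system:serviceaccounts", "system:serviceaccounts:monitoring", "system:authenticated"],
      "extra": {"authentication.kubernetes.io/pod-name": ["prometheus-0"]}
    }
  }
}""")


if __name__ == "__main__":
    print("POST", API_PATH, json.dumps(self_subject_review_request()))
    print(json.dumps(summarize_user_info(SAMPLE_RESPONSE), indent=2))
    # Expected identity matches the sample: no findings.
    print(identity_mismatches(SAMPLE_RESPONSE,
                              "system:serviceaccount:monitoring:prometheus",
                              ["system:serviceaccounts"]))
    # A kubeconfig that was meant to act as "alice" in "developers" is not what the server sees.
    print(identity_mismatches(SAMPLE_RESPONSE, "alice", ["developers"]))
```

The comparison deliberately treats absence of system:authenticated as a finding of its own, since a response that lacks it means the server did not authenticate the request the way the client assumed, regardless of the username.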
Other Merges
- P&F estimates list request cost right
- Don't automatically treat 304 API responses as internal
- Kubeadm allows RSA and ECDSA keys
- More corrections to PodTopologySpread math
- Allocate fewer schemas when using CRDs, but enforce list type validation
- Extend back-off delay for EndpointSlice controller
- Make taint logic consistent between Scheduler and PodTopologySpread
- Only call SetupDevice for BlockVolumes the first time we mount them
Testing cleanup: P&F concurrency test, add more HPA tests, node lifecycle manager integration, client-go transport generation, skip etcd test cleanup on Windows/ARM
Deprecated
- All GlusterFS code has been removed from core Kubernetes; with no working CSI driver, Gluster users will need to migrate data before upgrading to 1.26
- Feature gates DefaultPodTopologySpread, NonPreemptingPriority, PodAffinityNamespaceSelector, and PreferNominatedNode have been removed, since those features are GA
- Dial and GetCert client-go internal TLS backwards-compatibility fields have been removed
- Purge unused functions in pkg/util/taints