LWKD: Week Ending September 4, 2022
Developer News
Voting for the Steering Committee is open! Please vote by September 30th. If you need an eligibility exception, make sure to apply by September 16th.
If you want to be sure to get a Kubernetes contributor hoodie as part of your Contributor Summit swag, please register for the contributor summit by September 9th so we can order the right amounts.
See below about changes to the Enhancements process.
Release Schedule
Next Deadline: Release schedule & team completed, September 9th
The enhancements team is planning to use a GitHub project board to track enhancements. This will make the feature opt-in process different (and hopefully better): instead of adding your SIG’s features to a spreadsheet, SIG leads tag them with the label lead-opted-in.
Cherry-picks for the next round of patch releases are due September 9th. This update will involve new golang versions, again.
Featured PRs
website#33992: Add a security checklist for clusters
SIG-Security and SIG-Docs have helped develop a “you should at least know about all these things” checklist for securing a production Kubernetes cluster. This is a great resource for helping new admins get up to speed or, perhaps, for checking that you haven’t missed anything critical in this fast-moving world of threat management. A highly recommended read for all.
website#35908: New Docs page for API Server Bypass Risks
A security two-for-one week! SIG-Security has also written up a guide for understanding the major attack surfaces of Kubernetes outside of kube-apiserver. Many of these will be well known to long-time contributors and users, but they are easy to miss when designing a security posture, and a refresher never hurt anyone.
Other Merges
- Event validation copes with split microseconds and won’t reject valid updates on close timing; backported
- Admins can disable anonymous auth while delegating
- Kubeadm cleans up tmp
- Don’t propagate “search .” from a host’s resolv.conf into containers
- Go dynamic client validates API path segments to catch names and namespaces containing “/”
- Use microsecond precision in protobuf marshalling, to match the JSON and YAML behavior
Testing Overhaul: HPA scale-to-zero tests, better e2e failure output
Deprecated
- The removal of unused kubectl run flags was reverted because it didn’t follow the deprecation process; they’ll be actually removed in 1.27
- Remove the last insecure serving option from cloud provider config