LWKD: Week ending September 8, 2024
Week: 2024-09-08
Developer News
SIG-ContribEx is hosting the first monthly New Contributor Orientation. Held on the first Tuesday of each month, this 1-hour video session will help new contributors figure out "where do I get started?" The first one is at 8:30UTC and again at 15:30UTC on September 17th.
You have one more week to propose sessions for the Contributor Summit, including presentations, discussions, and SIG/Team meetings. The Unconference Topics issue is ready for your discussion ideas.
SIG-Node is thinking about dynamic batch workloads.
Tim Hockin wants your answers to silly Kubernetes questions.
Release Schedule
Next Deadline: Production Readiness Freeze, October 3
As of this Monday, the 1.32 release cycle is underway. The team and schedule will be final this Friday, and Release Lead Frederico Muñoz has shared what to expect. Major deadlines include:
- Enhancements freeze: Friday 11th October 2024
- Code & Test freeze: Friday 8th November 2024
- Docs freeze: Tuesday 26th November 2024
- Release day: Wednesday 11th December 2024
Patch releases for all supported versions are expected out this week.
KEP of the Week
KEP 4601: Authorize with Field and Label Selectors
This KEP extends Kubernetes authorization attributes to include field and label selectors for List, Watch, and DeleteCollection verbs, allowing authorizers to make more granular security decisions. This enables out-of-tree authorizers to experiment with restrictions based on selectors, improving per-node workload security. Additionally, field and label selectors will be added to webhook authorization types, Subject Access Reviews (SSAR, SAR, Local SAR), and the node authorizer (restricting by nodeName), and will be integrated into the CEL authorizer for more advanced policy evaluations.
This KEP is tracked for alpha release in v1.32.
Other Merges
- Accelerate responses for false negative access requests, speeding up workload startup
- Use FormatOnly in gengo, which also involved making hundreds of API names unique; if you haven't refreshed your repo copy after this merge, better do so
- Regular init containers do not use the Sidecar code path, preventing startup failures
- APIServer can offer UID headers
- kubeadm upgrade apply and kubeadm upgrade node can upgrade just the addons or other specific elements, or skip them
- Prevent InFlightPods from having more than one element
- Remove conntrack binary from kube-proxy
- Dynamic client-go won't panic when it sees an UnstructuredList
- Auto-restart init containers stuck in "created"
- tryRegisterWithAPIServer continues whether or not it can create a node
- New metrics: inflight_events for QueueingHints (but check for memory overflow)
- Test improvements: NodeAffinity integration, image volume sharing
Promotions
Subprojects and Dependency Updates
- minikube v1.34: Kubernetes 1.31 support, ARM 64 qemu, Volcano addon
- csi-driver-nfs v4.9.0: fix CVE-2024-5321
- csi-driver-host-path v1.15.0: external-resizer to v1.11.2
- csi-driver-smb v1.16.0: fix CVE-2024-5321
- cri-o v1.30.5: update of checks for internal repair feature & add a new crio check sub-command; also v1.29.8, v1.28.10
- cloud-provider-openstack v1.31.0: occm add dnsPolicy feature
- kubespray v2.26.0: Make kubernetes v1.30.4 default
- python-client v31.0.0b1: DRA changes, leader elections, UserNamespaces