Week Ending May 9, 2021 #370

Open
github-actions bot opened this issue May 11, 2021 · 0 comments
Developer News

CVE-2020-8562 could allow users to eavesdrop on control plane communications. However, to exploit this a user has to be authenticated and needs the permissions to create or edit Node and/or StorageClass objects, so this security issue is rated Low risk. It is not yet patched.

Gaby Moreno Cesar has stepped up as Chair of SIG-Usability. Deep Debroy has retired from SIG-Windows and Claudio Belu has been nominated to replace him.

The CNCF has renamed its teams “TAGs” (or Technical Advisory Groups) instead of “SIGs” which should cure some longstanding confusion between Kubernetes and CNCF teams.

Release Schedule

Next Deadline: Enhancements Freeze, May 13th

The 1.22 Enhancements team has pinged every SIG looking for trackable features, so if you missed that, please get yours in order, including a GitHub issue and merged KEP with all the frills. If you haven’t done one of these in a while, KEPs have gotten longer with more stuff, so take a look. Currently there are 40 listed enhancements from only 9 SIGs, so we’re sure that some of y’all are holding back. Get those filed!

Since the Release Cycle is underway, CI Signal Reports are a thing, so look there to see if you have any flaky tests that need looking after. Kudos to SIG-Network for getting 9 flaky test issues resolved.

Patch releases for all supported versions are due out on Wednesday. This will include the last patch for 1.18, so it’s time for 1.18 users to have an upgrade plan.

Featured PRs

#98028: add auto update for priority & fairness bootstrap configuration objects

When a fresh cluster boots for the first time, kube-apiserver automatically creates a number of objects to configure the API Priority and Fairness system. This initial config is a mix of required settings that should never be altered because they are critical for apiserver functionality, and suggested APF values that are a good default for most people but can be adjusted for special cases. One problem with all of this is that it only happens once, at first startup. We’ve recently adjusted the default APF configs and now have a better way to distribute those automatically.

The process has two halves. For required settings, kube-apiserver will update them every time it starts and then, once a minute, re-apply them if any changes are detected. For suggested settings, a new apf.kubernetes.io/autoupdate-spec annotation controls whether apiserver attempts to keep the object updated. It is set to "true" by default during bootstrapping; if you want to make changes, ensure it is set to "false" and apiserver will defer to your judgement.

If you have previously customized any of the suggested settings specifically by deleting and recreating them (such that the object generation is still 1), make sure you apply apf.kubernetes.io/autoupdate-spec: false before upgrading or apiserver will assume control.

#96216: refactor: disable insecure serving in controller-manager

While the diff itself isn’t terribly fun, this PR may require action on your part. The old --port and --address flags to kube-controller-manager no longer have any effect and listening on unencrypted HTTP is no longer possible. The CLI options will remain in place (but non-functional) until 1.24 for compatibility. However, if you are scraping metrics from controller-manager and were taking an understandable-but-ill-advised shortcut and using unauthenticated connections on the insecure port, there is no time like the present to upgrade. Switching to HTTPS on port 10257 will get you in the front door, and for authentication it uses a pattern similar to kube-rbac-proxy, expecting a ServiceAccount bearer token and running a SubjectAccessReview against a /metrics non-resource URL. Ports and protocols may also need to be updated for any custom container probes.

Other Merges

Promotions

Deprecated

Version Updates

@github-actions github-actions bot added the liens/Kubernetes Liens à propos de l'aktu label May 11, 2021
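
A pre-upgrade check for the case the #98028 note above warns about (a suggested APF object that was deleted and recreated, so its generation is still 1 and it carries no `apf.kubernetes.io/autoupdate-spec: false`). This is an added example, not code from the newsletter or from Kubernetes; the `exempt` and `catch-all` names used for the required objects and the sample objects are assumptions constructed for illustration.

```python
import json

ANNOTATION = "apf.kubernetes.io/autoupdate-spec"
# Assumption: names of the required objects that apiserver always re-applies.
REQUIRED = {"exempt", "catch-all"}

def classify(obj):
    """Classify one FlowSchema or PriorityLevelConfiguration for the upgrade."""
    meta = obj["metadata"]
    if meta["name"] in REQUIRED:
        return "required"   # reset by apiserver regardless of annotation
    value = (meta.get("annotations") or {}).get(ANNOTATION)
    if value == "false":
        return "pinned"     # apiserver defers to the local spec
    if value == "true":
        return "auto"       # apiserver keeps the spec at its defaults
    if meta.get("generation") == 1:
        return "at-risk"    # recreated object that looks untouched
    return "edited"         # generation > 1: not the case warned about

def at_risk(kubectl_json):
    """Names from a `kubectl get ... -o json` List that need the annotation."""
    items = json.loads(kubectl_json).get("items", [])
    return sorted(f'{o["kind"]}/{o["metadata"]["name"]}'
                  for o in items if classify(o) == "at-risk")

def _obj(kind, name, generation, annotations=None):
    meta = {"name": name, "generation": generation}
    if annotations is not None:
        meta["annotations"] = annotations
    return {"kind": kind, "metadata": meta}

# Constructed sample, shaped like:
#   kubectl get flowschemas,prioritylevelconfigurations -o json
SAMPLE = json.dumps({"kind": "List", "items": [
    _obj("FlowSchema", "exempt", 1),
    _obj("FlowSchema", "service-accounts", 1),
    _obj("FlowSchema", "global-default", 3),
    _obj("PriorityLevelConfiguration", "workload-low", 1, {ANNOTATION: "false"}),
    _obj("PriorityLevelConfiguration", "global-default", 1, {ANNOTATION: "true"}),
]})

if __name__ == "__main__":
    for name in at_risk(SAMPLE):
        print(f"{name}: set {ANNOTATION}=false before upgrading")
```

Against a live cluster, pass the output of `kubectl get flowschemas,prioritylevelconfigurations -o json` to `at_risk()` instead of `SAMPLE`. Each reported object that holds a deliberate customization can be pinned with `kubectl annotate <kind> <name> apf.kubernetes.io/autoupdate-spec=false --overwrite`.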