Kubernetes Weekly Community Meeting Notes

August 22, 2019

August 29, 2019

  • Moderators: Dawn Foster [Pivotal/ContribEx]
  • Note Taker: Craig Peters [Microsoft/SIG-x]
    • Subscribe to this thread to get these notes in your inbox
  • [ 0:00 ] **Release Updates**
    • Current Release Development Cycle [Lachlan Evenson - Release Manager]
    • 1.16 Upcoming Milestones
      • 8/29 - 1.16 Code Freeze - label your PRs appropriately! The backlog is big and you don’t want to miss the train
      • 9/3 - Docs PRs ready for review - next Tuesday
      • 9/4 - 1.16.0-beta.2
    • Patch Release Updates.
    • Reminder these pending dates are announced on:
  • [ 0:00 ] **Demo** -- Ignite [@luxas] - confirmed
    • Slides
    • Simplified firecracker UX using the GitOps management model
    • Questions
      • Use of Virtual Kubelet vs CRI (easier development and UX), and
      • Difference from kata + kubevirt (full VMs instead of containers)
  • [ 0:00 ] SIG Updates
  • [ 0:00 ] :mega:Announcements :mega:

September 5, 2019

Thanks to @markyjackson for helping on Jenkins credential issue and sharing his thoughts on Jenkins automation

September 12, 2019

bentheelder:fire: - shoutout to @liggitt for reviewing all of the things


September 26, 2019

  • Moderators: Tim Pepper [VMware/SIG Release]
  • Note Taker: Lachlan Evenson [Microsoft/SIG PM]
    • Subscribe to this thread to get these notes in your inbox
  • [ 0:01 ] Demo – Octant: A web-based, highly extensible platform for developers to better understand the complexity of Kubernetes clusters [Bryan Liles, @bryanl; Wayne Witzel, @wwitzel3]
    • Web-based, but runs local, using your credentials (simplifies security)
    • Demo application troubleshooting via the Octant UI
      • Web app working
      • Kubectl apply updated app
      • Web app no longer working
      • Use Octant to determine the cause
    • Introduces the concept of “Application” which is a set of consistent labels “app.kubernetes.io/name:httpbin”
    • Visualization of dependency graph between Kubernetes resources. Detects that the Ingress is pointing to an invalid backend
    • Drill down into the service via the visualization graph and we notice that there are no endpoints.
    • Determine that it’s a bad selector and update and check that the graph is green again.
    • If you’re on a Mac you can install via brew install octant

[ 0:14 ] Release Updates

  • 1.17 Release Development Cycle [Guinevere Saenger - Release Manager]
    • Week 1
    • Shadow selection happening (application deadline yesterday)
    • Please be aware that this is a short release
    • Enhancements freeze 10/15 5pm Pacific
  • Patch Release Updates
    • UPCOMING RELEASE SCHEDULE link
    • Patch release, cherry-picks deadline, target date:
      • 1.16.2: cherry-picks deadline 2019-10-11, target date 2019-10-15
      • 1.16.1: cherry-picks deadline 2019-09-27, target date 2019-10-02
      • 1.15.5: cherry-picks deadline 2019-10-11, target date 2019-10-15
      • 1.14.8: cherry-picks deadline 2019-10-11, target date 2019-10-15
      • 1.13.12: cherry-picks deadline 2019-10-11, target date 2019-10-15 (final release of 1.13)
    • …as always subject to change for critical-urgent security issues

[ 0:17 ] Contributor Tip of the Week [Bob Killen]

[ 0:19 ] SIG Updates

[ 0:43 ] :mega:Announcements :mega:


October 3, 2019

  • Moderators: Jonas Rosland [VMware/SIG Contribex]
  • Note Taker: First Last [Company/SIG]
    • Subscribe to this thread to get these notes in your inbox
  • [ 0:00 ] **Steering Committee Election Results** [Dims]
    • The following candidates will be joining @dims, @tstclair, and @spiffxp on the Steering Committee (in github handle order):
      • Christoph Blecker (@cblecker), Red Hat
      • Derek Carr (@derekwaynecarr), Red Hat
      • Nikhita Raghunath (@nikhita), Loodse
      • Paris Pittman (@parispittman), Google
    • See the blog post for more information
  • [ 0:00 ] **Release Updates**
    • Current Release Development Cycle [Guinevere Saenger - Release Manager]
      • We’re in Week 2! Shadow selection is 99% complete - congratulations and thanks to all of our hardworking team members
      • Enhancements Freeze is 15 October!
      • 1.17.0-alpha-1 was released yesterday
      • Next alpha scheduled for 15 October
    • Patch Release Updates
      • 1.16.1 released 1 October
      • Next patch releases scheduled for 15 October
      • y.x
  • [ 0:00 ] **Contributor Tip of the Week** [First Last]
    • A fun graph, contribex info, CI tips, etc.
    • [Link to a chart, a guide, a tool, etc]
    • Reach out to #sig-contribex in slack if there is no tip on the agenda yet. Backlog is pinned to the chat.
  • [ 0:00 ] SIG Updates
  • [ 0:00 ] :mega:Announcements :mega:
    • :clap: Shoutouts this week (Check in #shoutouts on slack) :clap:
    • tpepper:
      • shoutout to @nikhita for a PR description and commit messages in https://github.com/kubernetes/kubernetes/pull/82410 which makes a potentially daunting code review MUCH easier, and to @liggitt for similarly making the cherry-pick review MUCH easier with a stellar PR description text. Super time saving when there’s a diffstat of “+2,537 −59” but the “why” text focuses the reviewer in on two key lines of code and the associated bugs tracking the problem report.
    • jdetiber:
      • Shoutout to @dims for building out the e2e conformance tests using Cluster API and the GCP Provider

October 10, 2019

  • Moderators: Marky Jackson [Sysdig/SIG Contribex]
  • Note Taker: Bob Killen
  • [ 0:00 ] **Release Updates**
    • Current Release Development Cycle [Guinevere Saenger - Release Manager]
      • We’re in Week 3…
      • Enhancement Freeze is next Tuesday (Oct. 15). Enhancements must be in by 5PM PT.
      • 1.17.0-alpha.2 scheduled release Tuesday Oct.15
    • Patch Release Updates
      • 1.16.1 released 1 October
      • Next patch releases (all branches) scheduled for 15 October
      • LAST release of 1.13.x
  • [ 0:00 ] **SIG Updates**
    • WG Security Audit [Jay Beale]
      • Slides: https://docs.google.com/presentation/d/1yKjbvFqU0xp3wq0wY9Qu99WNA8FRGDGkaH5nHoCKxVM/edit#slide=id.g401c104a3c_0_0
      • What we did last cycle
        • Led the first in a series of Kubernetes security audits
          • Choose vendors
          • Gave direction to focus effort
          • Participated in the threat modeling work that will be used for future releases of Kubernetes
          • Performed technical editing on the report
          • Worked on producing reusable artifacts
        • Complementary efforts to the bug bounty program
        • Threat model breakdown
          • Focus on 8 critical components
            • Kube-apiserver
            • Etcd
            • Kube-scheduler
            • Kube-controller-manager
            • Cloud-controller-manager
            • Kubelet
            • Kube-proxy
            • Container Runtime Interface
        • Threat model highlighted recommendations
          • Provide auditing information in a unified fashion to allow a trace of the user’s actions through the system
          • Warn users who configure a security control that will not be enforced
            • Network policies and pod security policies can silently fail.
          • Require transport encryption w/cert verification
            • Multiple components use http
            • Multiple components elect not to verify cert validity
          • Prevent node compromises from leading to cluster compromises
            • Host access gives access to CLI arguments, logs, etc.
          • Separate privilege levels among controllers
        • Vulnerability research during cycle
          • Discovered 37 vulnerabilities
        • Vulnerability highlights
          • Non-authenticated HTTPS connections
          • Cert revocation unsupported
          • PSP Bypass (hostPath via PVs)
          • TOCTOU Race condition in Kubelet
          • Kubectl cp directory traversal
          • System logs containing secrets
        • Recommendation Highlights
          • Replace the many cases of logic reimplementation with central libraries
          • Ease security configuration (particularly defaults)
          • Improve code documentation around external dependencies
          • Continue development of security features
        • Security Audit report [link from report in k/community]
      • Next cycle:
        • Plan next security audit
        • Move towards more secure defaults
    • SIG Testing [fejta]
      • https://docs.google.com/document/d/1uTcLhxM2HwDgtGOiIvlFfRWzQDTvii6qd_XASAubHlk/edit?ts=5d9e6825
      • Last Cycle
        • Testgrid configs now live alongside their associated prow jobs
        • Automated the creation of jobs for the test-infra release team role
        • Deployed new and improved monitoring/alerting stack (monitoring.prow.k8s.io)
        • Reusable verify checks in bazel rules
        • KinD
          • Smaller images from providerless kubernetes builds
          • Release blocking IPv4 and IPv6 test coverage
          • Provides 75% of pull-kubernetes-e2e-gce coverage without any cloud resources
        • TestGrid partially open sourced
      • Next Cycle
        • Establish test-infra SLOs
        • Improve test-infra alerting to better detect and recover from outages
        • Make KinD a blocking presubmit in k/k
        • Automate image pushing on merge with a git-ops based promotion to prod method (working with #wg-k8s-infra)
        • Help repos with preexisting bazel rules adopt reusable verify checks.
        • Move prow out of test-infra into its own repo
        • Enable in repo prowjob configurations
      • How these upcoming changes affect you
        • Help define more reusable verify checks
        • Start thinking about how/whether your sig can move cloud provider dependencies out of k/k testing to release blocking postsubmits
    • [ 0:00 ] :mega:Announcements :mega:
      • Announcement Foo #1
      • :clap: Shoutouts this week (Check in #shoutouts on slack) :clap:
        • @jdetiber gave a shout to @dims for building out the e2e conformance tests using Cluster API and the GCP Provider
        • @mrbobbytables gave a shoutout to the other Steering Election committee officials @briangrant @castrojo @ihor.dvoretskyi for putting in the work to make this year’s election possible!
        • @ihor.dvoretskyi gave a huge SHOUTOUT to @mrbobbytables - another election official!
        • @cblecker gave a shout out to @bentheelder and @krzyzacy for late night debugging on GCE test infra failures
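The WG Security Audit update above lists two transport-security findings that are easy to reintroduce through client configuration: components talking plain HTTP, and components electing not to verify the server certificate. The following is an added example, not code from the meeting notes, the audit team or the Kubernetes project: a small offline linter that walks a kubeconfig structure (given as a Python dict; the real file is YAML, and a YAML loader would produce the same dict) and reports cluster entries that use a non-https server URL or set `insecure-skip-tls-verify`. The `SAMPLE_KUBECONFIG` data and the `audit_kubeconfig` function name are constructed for this example; the `server`, `insecure-skip-tls-verify`, `certificate-authority` and `certificate-authority-data` keys are the standard kubeconfig fields.

```python
"""Added example: offline kubeconfig transport-security check.

Flags the cluster-entry settings that map to the audit findings
"multiple components use http" and "multiple components elect not to
verify cert validity". Not part of the meeting notes or the audit report.
"""
from typing import List
from urllib.parse import urlparse


def audit_kubeconfig(cfg: dict) -> List[str]:
    """Return one finding per weak transport setting in a kubeconfig dict.

    Per entry under "clusters":
      * server URL scheme other than https  -> plaintext transport
      * insecure-skip-tls-verify: true      -> server certificate not verified
      * https with no certificate-authority / certificate-authority-data and
        verification enabled                -> informational: relies on the
                                               system trust store
    """
    findings: List[str] = []
    for entry in cfg.get("clusters", []):
        name = entry.get("name", "<unnamed>")
        cluster = entry.get("cluster", {})
        server = cluster.get("server", "")
        scheme = urlparse(server).scheme.lower()

        if scheme != "https":
            findings.append(f"{name}: server {server!r} does not use https")

        if cluster.get("insecure-skip-tls-verify") is True:
            findings.append(
                f"{name}: insecure-skip-tls-verify is set; "
                "the API server certificate is not verified"
            )
        elif scheme == "https" and not (
            cluster.get("certificate-authority")
            or cluster.get("certificate-authority-data")
        ):
            findings.append(
                f"info: {name}: no certificate-authority configured; "
                "relying on the system trust store"
            )
    return findings


# Constructed sample kubeconfig (not a real cluster): one sound entry,
# one that skips certificate verification, one that speaks plain HTTP.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {
            "name": "prod",
            "cluster": {
                "server": "https://10.0.0.1:6443",
                "certificate-authority-data": "PLACEHOLDER_BASE64_CA",
            },
        },
        {
            "name": "dev",
            "cluster": {
                "server": "https://10.0.0.2:6443",
                "insecure-skip-tls-verify": True,
            },
        },
        {
            "name": "legacy",
            "cluster": {"server": "http://10.0.0.3:8080"},
        },
    ],
}


if __name__ == "__main__":
    for finding in audit_kubeconfig(SAMPLE_KUBECONFIG):
        print(finding)
```

Run against the sample it reports two findings, one for `dev` and one for `legacy`, and nothing for `prod`. The check is deliberately limited to what is visible in the file; whether the server actually enforces TLS, or whether a component such as the kubelet is reached over HTTP, has to be verified against the running cluster's component flags and audit logs rather than from the client configuration alone.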