Last Week in Kubernetes Development: Week Ending April 5, 2020

Developer News

CJ Cullen reported CVE-2019-11254, a denial-of-service vulnerability in Kubernetes. Maliciously crafted YAML can cause the kube-apiserver to lock up. Upgrade to the latest patch release of 1.15-1.17 to fix this – but maybe make sure that only authorized users can send API requests, regardless?

Kevin Weismueller has proposed creating an API Expression Working Group, with the goal of codifying the structure of our API objects. In the meantime, WG Resource Management is shutting down.

Kubernetes is no longer permitting merges of PRs that themselves contain merge commits on the main repos. We’ve also added a kind/regression label to all Kubernetes namespace repos, in order to distinguish regression issues from other kinds of bugs.

Release Schedule

Next Deadline: Release schedule published, this week

Patch Releases: v1.17.3, v1.16.7, and v1.15.10 were released last week to patch a security hole. Since that’s now public, update as soon as you can.

Merges

Deprecated

  • beta.kubernetes.io/os endpoint, deprecated in 1.14 and scheduled for removal in 1.18, will actually get removed in 1.19
  • The first draft version of the scheduler config API, kubescheduler.config.k8s.io/v1alpha1, was removed in prep for scheduler config going beta

Version Updates

Original Source: http://lwkd.info/2020/20200406