Last Week in Kubernetes Development: Week Ending December 6, 2020

Developer News

As of 1.20 (out this week), Dockershim is deprecated in Kubernetes. Learn what this means for you in the blog and FAQ. Mostly, if you’re still using Docker as your container runtime on your Kubernetes clusters, it’s maybe time to think about gradually migrating to Containerd or CRI-O instead.

We also had a new security issue this week, CVE-2020-8554. The issue has the full details but a tl;dr is that in a multi-tenant environment, the externalIp feature of Services allows one tenant to intercept edge traffic bound for another tenant. There is no in-tree fix as removing the feature would violate our compatibility promises, however you can use a provided admission webhook or OPA policy to deny or restrict usage of the feature. The same issue can also happen with the status.loadBalancer.ingress.ip for LoadBalancer-type services, however access to that can be controlled using normal RBAC permissions. This does mean that a single-namespace Role/Binding of */*/* (all resources and verbs) is unsafe and should not be used in a multi-tenant environment.

Remember to register for the Contributor Celebration this week.

Release Schedule

Next Deadline: Release of 1.20.0 on Dec 8th

By the time you read this, 1.20 will probably have been released. Yay!

Patch updates for all versions, including 1.17, 1.18, and 1.19, will come out tommorrow.

Featured PRs

#87461: kubelet: ensure static pod UIDs are unique

Static pods (things configured directly through manifests and the Kubelet rather than the API) use a hash of the pod specification to derive the object UUID. An unexpected edge case resulting from this is that non-control-plane static pods like kube-proxy would have the same UUID on every node because they used the same underlying pod definition. This somewhat defeated the point of the UU in UUID and could confuse some tools expecting actually unique data. This will be fixed in 1.20.1 and above, though as a one-time concern this does mean that all static pod UUIDs will change and all thus all static pods will be restarted during the upgrade. Anything using owner references against static pods should be checked for safety during this upgrade.

Other Projects

Original Source: