The Security committee has published a security advisory warning folks that, if verbose logging is enabled on versions older than the latest patch versions (1.19.3, 1.18.10, 1.17.13), you may inadvertently expose application and storage secrets. See CVE-2020-8563, CVE-2020-8564, CVE-2020-8565, and CVE-2020-8566 for more details. And update to the latest patch version!
Also, if you are a US citizen, please take some time off from Kubernetes Nov. 3rd to vote.
Next Deadlines: Docs Placeholders due Nov. 6
Initial Docs PRs for all tracked features are due this Friday; Code Freeze follows on Thursday, Nov. 12. At this point, you should be finishing up your feature work and fixing bugs and tests.
Cherry-picks for the next round of patch releases are also due this Friday, for a planned update release next Tuesday.
A quiet and unassuming PR, this gives us configurable parallelism for the scheduler. This allows for cranking it up when you want to optimize pod launch times, or dropping it down when you care more about consistent throughput. Both are important tuning options for large cluster operators! This can be set in your
--config configuration file via
This feature quietly moved to beta back in 1.12 but just in case you’ve been sleeping on it, now is a great time to check it out! The main way to interact with the new system is through a projected token volume:
volumes: - name: vault-token projected: sources: - serviceAccountToken: path: vault-token expirationSeconds: 7200 audience: vault
This offers a bunch of improvements over traditional Secret volume: you can specify an audience to limit what the token can be used for and an expiration time after which it will be renewed automatically (now with jitter to avoid a thundering herd). This also never writes the resulting token to a Secret which both reduces apiserver load and reduces the vectors for leaking the token. Tokens created through this system will also automatically be cleared when the owning pod is deleted. For anyone using Service Account tokens for service-to-service authentication, this offers a lot of benefits for very little work.
As part of the continuing growth of exec credential provider, you can now configure things so that the full cluster info struct is seralized to JSON and exposed to an environment variable before invoking the exec plugin. This allows the plugin command to easily connect to the relevant cluster or see other configuration data about it without having to decode all the kubeconfig files like kubectl itself does. To enable this feature, add
provideClusterInfo: true to the
exec: configuration section. Do be careful that your command understands that this environment variable could potentially include slightly sensitive information like server certificates and the like.
- Dual-Stack Services are now a thing, which also breaks the previous dual-stack API; services will be single-stack by default in the future
- Horizontal Pod Autoscaling adds the ability to scale based on individual container resource usage , and counts pods correctly
- Disable watchcache for events, which wasn’t supposed to be turned on in the first place, and hurts performance
- Special priority for kubelet process on Windows
runtime/defaultis the new
docker/defaultfor seccomp annotations; conversion will be automatically handled (backported)
- Don’t delete new PVs before the user can create a PVC for it
- Automatically create a ClusterIP field for services on read
- New metrics:
apiserver_request_filter_duration_seconds, FSGroupPolicyChange time taken
--experimental-patchesduring kubeadm init
- SubjectAccessReview has a timeout
- HTTP probes get a default
- Reorganize our INPUT Iptables rules for performance
- EgressSelection type
- Auto-wipe dependent fields created for Services, a wonderful UX improvement by Tim Hockin
- Allow users to manually set compilation fields, enabling easy cross-compiling
- PDBs shouldn’t block eviction of unhealthy pods
- Add automated log compression to the APIserver
- Stop trying to run AppArmor on Windows, which does not work, no matter how loudly you shout at it
- IPVS checks if the right kernel modules are loaded
TokenRequestProjectionto GA, including adding a few default flags for the apiserver
- The APIserver insecure port, deprecated since 1.10, has been removed; the flags
--insecure-portwill be nonfunctional in 1.20 and error out in 1.24
kubectl autoscale --generatorflag is deprecated and nonfunctional in 1.20
Picture of the Week
This graph of the new metric
apiserver_request_filter_duration_seconds shows the differences between filter execution time for different API filters.
Original Source: http://lwkd.info/2020/20201102