CSI’s external-provisioner, external-snapshotter, and external-resizer sidecars have all been found to have a security issue with dereferencing PVCs, and have been patched. If you use any of these, update right away, or disable the features until you can.
We are now in Code Thaw.
Test-infra has added a kind/deprecation label so that PRs that deprecate or remove a feature or API will be tagged in a way that makes them easy to find (and summarize). Please start using it.
Next Deadline: Cherry Pick Deadline Dec. 2nd
We are now in Code Thaw, since 1.17rc1 has been released. This means your feature docs should already be complete, and you have until Monday to cherry-pick in any last-minute fixes. Fortunately, TestGrid is mostly green.
The next set of patch releases is due December 6th.
EndpointSlices have been promoted to beta but the feature gate has been disabled by default in v1.17, because the feature still has a lot of bugs and code churn, such as:
- Add DualStack support to kube-proxy with EndpointSlices
- Stop the controller from modifying shared objects
- Revert the managed-by-setup annotation (breaking alpha compatibility)
- Grow EndpointSlice cache
The first major pass on service topology support has been merged! In short, this means that a service can be configured so that when a pod connects to the service IP, rather than getting a random endpoint, it will instead get a “local” backend, where “local” can be defined in terms of matching node labels. For example, a common usage might be:
```yaml
kind: Service
spec:
  topologyKeys: ["kubernetes.io/hostname", "topology.kubernetes.io/zone", "*"]
```
Meaning the service proxy will first look for a backend on the same node, then the same availability zone, then anywhere in the cluster as it would currently. Unfortunately this new feature does depend on enabling the EndpointSlices system mentioned above, so it may not be immediately available for everyone. But still, this is a great feature to help make more resilient and performant infrastructures for everyone!
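The fallback order described above, as an added example that is not kube-proxy's code: a simplified Python model of how an ordered `topologyKeys` list narrows the endpoint set. The function name, the endpoint dictionary shape, and the node names and IPs are constructed for illustration. It also covers the case where `"*"` is left out and nothing matches, which leaves the client with no backends.

```python
# Simplified model of topologyKeys fallback (added illustration, not kube-proxy source).
HOST = "kubernetes.io/hostname"
ZONE = "topology.kubernetes.io/zone"
ANY_TOPOLOGY = "*"

# Constructed sample endpoints, each carrying the labels of the node it runs on.
ENDPOINTS = [
    {"ip": "10.0.1.5", "labels": {HOST: "node-a", ZONE: "zone-1"}},
    {"ip": "10.0.2.7", "labels": {HOST: "node-b", ZONE: "zone-1"}},
    {"ip": "10.0.3.9", "labels": {HOST: "node-c", ZONE: "zone-2"}},
]
KEYS = [HOST, ZONE, ANY_TOPOLOGY]


def filter_endpoints(client_labels, topology_keys, endpoints):
    """Return the endpoints usable by a client whose node has client_labels.

    Keys are tried in order; the first key that yields at least one endpoint
    with the same label value as the client's node wins.
    """
    if not topology_keys:
        # No topology preference configured: every endpoint is eligible.
        return list(endpoints)
    for key in topology_keys:
        if key == ANY_TOPOLOGY:
            # Catch-all: fall back to the whole cluster.
            return list(endpoints)
        want = client_labels.get(key)
        if want is None:
            continue  # client node lacks this label, try the next key
        matched = [ep for ep in endpoints if ep["labels"].get(key) == want]
        if matched:
            return matched
    # Every key was tried and none matched: the client gets no backends.
    return []


def ips(result):
    return [ep["ip"] for ep in result]


if __name__ == "__main__":
    clients = {
        "same node": {HOST: "node-a", ZONE: "zone-1"},
        "same zone only": {HOST: "node-d", ZONE: "zone-1"},
        "other zone": {HOST: "node-e", ZONE: "zone-3"},
    }
    for name, labels in clients.items():
        print(name, "->", ips(filter_endpoints(labels, KEYS, ENDPOINTS)))
    # Without the "*" catch-all, a client in an unmatched zone has no backends.
    print("no catch-all ->", ips(filter_endpoints(clients["other zone"], KEYS[:2], ENDPOINTS)))
```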
A strong first step towards improving the overload behavior of kube-apiserver, this PR adds a robust queuing management system. This will be further expanded to manage requests coming in so that we can get better prioritization of requests.
- CSI block volume paths are changing to fix some longstanding arch issues; this means that if you use CSI Block Volumes, you will need to drain each node while upgrading to Kubernetes v1.17
- kind/deprecation and associated code block for deprecation note to the PR template.
- Document supported OpenAPI formats for CRDs as of v1.16
- Add flags for disabling all the new beta features
- The DownwardAPI supports DualStack, also modifying the fields for PodIP addresses
- kube-controller-manager now allows multiple CIDR masks
- Kubenet adds support for IPv6 HostPorts, mainly to make sure that tools that vendor its code are dualstack-compatible
- Kubeadm fixed a proxy config panic, added default CIDR masks, now has reset warn you if it can’t delete folders, and added a retry to all etcd calls
- Existing PVs will all use volume topology to make CSI migration work
- The kube-proxy image supports iptables nft mode
- Fix labels for headless service endpoints
- Stop double-validating API for Service Topology
- kubectl --resource-version race condition
- Wait longer for kube-proxy to be ready on Windows
- Finish fixing CRD field OpenAPI validation
- Don’t lock Azure disks forever
- Make inline volume names unique in CSI Migrator
- Mirror pod owner references point to just the creating node, completing the Alpha phase of NodeRestrictions for pods
- Windows nodes get build information labels
- Allow scaling a custom resource without providing a version
- You can build providerless Kubernetes
- Revert “Ensure KUBE-MARK-DROP in kube-proxy”
- EndpointSlices to Beta
- CSIMigration to Beta, including CSIMigrationGCE and CSIMigrationAWS
- Service LoadBalancer finalizers to GA
- Deprecated proxy metrics, scheduler metrics, and APIserver metrics are removed
- pkg/util/mount was removed from k/k; use
Original Source: http://lwkd.info/2019/20191126