Next Deadline: Code Freeze, November 14th
Yes, we’re freezing two days before the Kubecon pageantry starts. After that, you need to cherry-pick to get into v1.17, so ideally finish up your work now.
The next patch release date is Nov. 13th, for all supported releases, which does not include v1.13, since it’s both EOL and removed from Testgrid.
Starting with a simple but awesome change, the apiserver will now automatically reload its TLS certificates. This allows using fast-rotation certs with apiserver directly, either from public CAs like LetsEncrypt or from local CAs on even tighter loops. Fast-rotation certificates can help improve security by limiting the time frame in which a leaked key is useful. This also potentially allows for interesting experiments with low-overhead dynamic provisioning and shared hosting environments. This adds to last week's changes for the primary serving certificate and the dynamic reload of client certificates used for service-to-service authentication.
A permanent source of bugs in software is malformed configuration files, and Kubernetes is no different. This PR enables “strict” mode when reading a Kubelet configuration file, meaning that unknown keys or bad syntax will be a fatal error rather than silently ignored. This may present eventual problems for some folks running mixed fleets on different Kubelet versions, as you can no longer add a future configuration option and have it ignored on older versions, but only time will tell if this is a substantial problem.
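To show why strict decoding matters, here is an added illustration (not code from the Kubernetes PR) of lenient versus strict parsing using Go's standard `encoding/json` decoder with `DisallowUnknownFields`. The `KubeletConfig` struct is a trimmed, assumed stand-in for the real KubeletConfiguration type, and the sample config is constructed: a typo'd hardening key that a lenient parser silently drops.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// KubeletConfig is an assumed, trimmed stand-in for the real
// KubeletConfiguration type; only a few fields are modelled.
type KubeletConfig struct {
	MaxPods               int  `json:"maxPods"`
	ReadOnlyPort          int  `json:"readOnlyPort"`
	ProtectKernelDefaults bool `json:"protectKernelDefaults"`
}

// Decode parses a JSON config. With strict=true, any key the struct does
// not declare is a fatal error instead of being silently discarded.
// Syntax errors are fatal in both modes.
func Decode(data []byte, strict bool) (KubeletConfig, error) {
	var cfg KubeletConfig
	dec := json.NewDecoder(bytes.NewReader(data))
	if strict {
		dec.DisallowUnknownFields()
	}
	if err := dec.Decode(&cfg); err != nil {
		return KubeletConfig{}, err
	}
	return cfg, nil
}

// Constructed sample: the operator meant to set protectKernelDefaults but
// typo'd the key, so in lenient mode the hardening never takes effect and
// nothing reports it.
const sampleConfig = `{"maxPods": 110, "readOnlyPort": 0, "protectKernelDefault": true}`

// Constructed sample with broken syntax (trailing comma), rejected either way.
const badSyntax = `{"maxPods": 110,}`

func main() {
	lenient, err := Decode([]byte(sampleConfig), false)
	fmt.Printf("lenient: protectKernelDefaults=%v err=%v\n", lenient.ProtectKernelDefaults, err)
	_, err = Decode([]byte(sampleConfig), true)
	fmt.Printf("strict:  err=%v\n", err)
	_, err = Decode([]byte(badSyntax), false)
	fmt.Printf("bad syntax (lenient): err=%v\n", err)
}
```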
Many core controllers treat API request errors as transient; normally they are, and this helps ensure overall convergent operations. But in the specific case of namespace delete, a lot of objects often get caught in a retry loop for a while as the namespace is torn down. Now those retry loops will bail out if the error is specifically that the namespace is being deleted or no longer exists, as this is not going to be a transient error. This is specifically aimed at the e2e tests but will likely help in the same way with any other testing setup that involves creating and deleting namespaces rapidly.
And finally, a new data topology helper for Server Side Apply to manage two common cases of maps in custom resources. The default granular mode separately tracks and merges each sub-key, as is usually desirable for configuration data or similar. The new atomic mode treats the entire map as a single field, so if any writer touches it, it owns every key. This new mode can be set through the `x-kubernetes-map-type` annotation.
- The alpha Scheduler Policy API has been relocated in the API spec and the code base without changing its parameters or functionality (yet)
- Kubelet gets a metric for server cert age, and the Scheduler gets cache size
- Stop validating custom priority configs
- Use proxy ENV with Kubeadm & kube-proxy
- More on filesystems with block reconstruction
- If you’re using v1alpha1, kube-proxy config validation is laid-back
- Stop letting folks declare Scheduler policy configs multiple times
- CSI Topology has graduated to GA
- The “mount containers” feature that never made it out of alpha is gone
- You can’t use the `CFSSL_CA_PK_PASSWORD` var to sign kube certs; this undocumented misfeature has been disabled
- The `cleanup-ipvs` flag is deprecated
- Azure SDK to v35.0
- Docker supported up to 19.03 in Kubeadm
- Default etcd to 3.4.3
- NodeProblemDetector is v0.8.0, mostly to reduce no-change report frequency to 5min
Original Source: http://lwkd.info/2019/20191104