Last Week in Kubernetes Development: Week Ending November 3, 2019

Release Schedule

Next Deadline: Code Freeze, November 14th

Yes, we’re freezing two days before the KubeCon pageantry starts. After that, you need to cherry-pick to get into v1.17, so ideally finish up your work now.

The next patch release date is Nov. 13th, for all supported releases, which does not include v1.13, since it’s both EOL and removed from Testgrid.

Featured PRs

#84303: Dynamic SNI certificates

Starting with a simple but awesome change, the apiserver will now automatically reload its TLS certificates. This allows using fast-rotation certs with apiserver directly, either public CAs like Let's Encrypt or local CAs on even tighter loops. Fast-rotation certificates can help improve security by limiting the window in which a leaked key is useful. This also potentially allows for interesting experiments with low-overhead dynamic provisioning and shared hosting environments. This adds to changes last week for the primary serving certificate and dynamic reload of client certificates used for service-to-service authentication.
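To make the reload idea concrete, here is a small Go example (added here; it is not code from the PR or from the Kubernetes apiserver, whose dynamic certificate controller is structured differently). It uses Go's tls.Config.GetCertificate hook, which is consulted on every handshake, re-parses the key pair only when the certificate file's contents change, and keeps serving the last good pair if a rotation is caught half-written (new cert on disk, old key). The certReloader type, servedSerial helper and the self-signed certificates it generates as test material are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync"
	"time"
)

// certReloader serves the certificate through tls.Config.GetCertificate, re-parsing the
// PEM files whenever the certificate's contents change, so a rotated cert is used for
// new handshakes without restarting the listener. (Hypothetical type, not apiserver code.)
type certReloader struct {
	certPath, keyPath string
	mu                sync.Mutex
	certPEM           []byte // contents at the last successful parse
	cert              *tls.Certificate
}

// current returns the cached pair, reloading if the certificate file changed. A
// half-written rotation (new cert, old key) fails to parse, and the last good pair keeps
// being served rather than failing handshakes.
func (r *certReloader) current() (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	certPEM, err := os.ReadFile(r.certPath)
	if err == nil && r.cert != nil && bytes.Equal(certPEM, r.certPEM) {
		return r.cert, nil // unchanged since the last parse
	}
	c, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		if r.cert != nil {
			return r.cert, nil // bad or half-written rotation: keep the last good pair
		}
		return nil, err // nothing valid was ever loaded: refuse to serve
	}
	r.cert, r.certPEM = &c, certPEM
	return r.cert, nil
}

// TLSConfig wires the reloader in; GetCertificate runs on every handshake.
func (r *certReloader) TLSConfig() *tls.Config {
	return &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return r.current() }}
}

// writeSelfSigned writes a throwaway self-signed pair (constructed test material in place
// of a CA-issued one); the serial number lets rotations be told apart.
func writeSelfSigned(certPath, keyPath string, serial int64) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return err
	}
	return os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

// servedSerial reports the serial of the certificate a client would be shown right now.
func servedSerial(r *certReloader) (int64, error) {
	c, err := r.TLSConfig().GetCertificate(nil)
	if err != nil {
		return 0, err
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return 0, err
	}
	return leaf.SerialNumber.Int64(), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "certs")
	defer os.RemoveAll(dir)
	certPath, keyPath := dir+"/tls.crt", dir+"/tls.key"
	_ = writeSelfSigned(certPath, keyPath, 1)
	r := &certReloader{certPath: certPath, keyPath: keyPath}
	before, _ := servedSerial(r)
	_ = writeSelfSigned(certPath, keyPath, 2) // rotate in place
	after, _ := servedSerial(r)
	fmt.Println("serial before rotation:", before, "after:", after)
}
```

Reading the certificate file on every handshake is cheap for a small PEM but still a per-connection cost; a production reloader would watch the files or poll on a timer and only parse on change, which is also where the file-permission and key-mismatch failures should be logged so a stuck rotation is noticed instead of quietly serving the old certificate until it expires.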

#83204: Enable strict serializer in kubelet

A permanent source of bugs in software is malformed configuration files and Kubernetes is no different. This PR enables “strict” mode when reading a Kubelet configuration file, meaning that unknown keys or bad syntax will be a fatal error rather than silently ignored. This may present eventual problems for some folks running mixed fleets on different Kubelet versions as you can no longer add a future configuration option and have it ignored on older versions, but only time will tell if this is a substantial problem.
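An illustration of what strict decoding changes (added here; it is not the PR's code and uses Go's standard encoding/json with DisallowUnknownFields instead of the Kubernetes serializer the PR switches on). The kubeletConfig struct is a constructed stand-in for a few KubeletConfiguration fields, and the two documents are constructed: one with a misspelled key, which lenient parsing silently drops so the intended setting never takes effect, and one carrying a newer option, which is the mixed-fleet case where a strict older Kubelet refuses the file.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// kubeletConfig is a constructed stand-in for a handful of KubeletConfiguration fields;
// the real type has many more, but the decoding behaviour is the same.
type kubeletConfig struct {
	Kind               string `json:"kind"`
	ReadOnlyPort       int    `json:"readOnlyPort"`
	RotateCertificates bool   `json:"rotateCertificates"`
	TLSMinVersion      string `json:"tlsMinVersion"`
}

// decodeConfig parses a config document. With strict set, a key the struct does not know
// is an error; without it, the key is dropped without a trace (Go's default, and what
// silently ignoring unknown keys looks like).
func decodeConfig(doc string, strict bool) (kubeletConfig, error) {
	dec := json.NewDecoder(strings.NewReader(doc))
	if strict {
		dec.DisallowUnknownFields()
	}
	var cfg kubeletConfig
	if err := dec.Decode(&cfg); err != nil {
		return kubeletConfig{}, err
	}
	return cfg, nil
}

// Constructed sample: the operator meant to turn on certificate rotation, but the key is
// misspelled. Leniently parsed, the typo is ignored and the zero value (false) stays.
const typoConfig = `{
  "kind": "KubeletConfiguration",
  "readOnlyPort": 0,
  "rotateCertifcates": true,
  "tlsMinVersion": "VersionTLS12"
}`

// Constructed sample from a mixed fleet: a key only a newer kubelet understands, which a
// strict older kubelet refuses rather than ignores.
const futureConfig = `{
  "kind": "KubeletConfiguration",
  "readOnlyPort": 0,
  "someFutureOption": true
}`

// unknownField extracts the offending key from a strict-mode decode error, or returns ""
// when err is nil or not an unknown-field error. encoding/json reports it as
// `json: unknown field "name"`.
func unknownField(err error) string {
	const prefix = `json: unknown field "`
	if err == nil || !strings.HasPrefix(err.Error(), prefix) {
		return ""
	}
	return strings.TrimSuffix(strings.TrimPrefix(err.Error(), prefix), `"`)
}

func main() {
	for _, doc := range []string{typoConfig, futureConfig} {
		lenient, _ := decodeConfig(doc, false)
		_, err := decodeConfig(doc, true)
		fmt.Printf("lenient: rotateCertificates=%v  strict error: %v\n", lenient.RotateCertificates, err)
	}
}
```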

#84123: Handle namespace deletion more gracefully in built-in controllers

Many core controllers treat API request errors as transient; normally they are, and this helps ensure overall convergent operation. But in the specific case of namespace deletion, a lot of objects often get caught in a retry loop for a while as the namespace is torn down. Now those retry loops will bail out if the error is specifically that the namespace is being deleted or no longer exists, as this is not going to be a transient error. This is specifically aimed at the e2e tests but will likely help in the same way with any other testing setup that involves creating and deleting namespaces rapidly.
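A sketch of the retry-then-bail pattern described above, as an added Go example (not the PR's code). The sentinel errors are constructed stand-ins for the API status errors the real controllers inspect, reconcileWithRetry and scripted are hypothetical helpers, and the wrapped error shows that the classification still works when a controller adds context with %w.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sentinels standing in for API status errors. Kubernetes tells these apart by
// status reason and cause on the returned error rather than by sentinel values.
var (
	errNotFound    = errors.New("namespace not found")
	errTerminating = errors.New("namespace is being terminated")
	errTimeout     = errors.New("server timeout") // a genuinely transient failure
)

// isNamespaceGone reports whether the error means the namespace is being deleted or is
// already gone: retrying cannot succeed, so the loop should give up at once.
func isNamespaceGone(err error) bool {
	return errors.Is(err, errNotFound) || errors.Is(err, errTerminating)
}

// reconcileWithRetry runs op until it succeeds, the attempt budget runs out, or the error
// is a namespace-gone error. It returns how many attempts were used; a caller that sees a
// namespace-gone error can drop the work item instead of requeueing it.
func reconcileWithRetry(op func() error, maxAttempts int) (int, error) {
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		err = op()
		if err == nil || isNamespaceGone(err) {
			return attempt, err
		}
	}
	return maxAttempts, err
}

// scripted builds an op that returns the given outcomes in order, then nil forever. It
// stands in for API calls whose results we want to control in a demonstration.
func scripted(outcomes ...error) func() error {
	i := 0
	return func() error {
		if i >= len(outcomes) {
			return nil
		}
		err := outcomes[i]
		i++
		return err
	}
}

func main() {
	// Controllers wrap the API error with context; errors.Is still sees through it.
	wrapped := fmt.Errorf("creating pod in namespace demo: %w", errTerminating)
	n, err := reconcileWithRetry(scripted(errTimeout, errTimeout, nil), 10)
	fmt.Println("transient then ok:", n, "attempts, err:", err)
	n, err = reconcileWithRetry(scripted(errTimeout, wrapped, nil), 10)
	fmt.Println("namespace terminating:", n, "attempts, err:", err)
}
```

The point worth keeping from this is the narrowness of the bail-out: only the two namespace-gone conditions short-circuit, so an unrelated error that happens to be wrapped the same way still gets its full retry budget.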

#84113: Adds x-kubernetes-map-type annotation as a CRD API extension

And finally a new data topology helper for Server Side Apply to manage two common cases of maps in custom resources. The default granular mode separately tracks and merges each sub-key, as is usually desirable for configuration data or similar. The new atomic mode treats the entire map as a single field, so if any writer touches it, it owns every key. This new mode can be set through the `x-kubernetes-map-type` annotation.
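A toy model of the two merge semantics, as an added Go example (not Kubernetes' Server Side Apply code, which also handles lists, nested fields and the managedFields encoding). The hypothetical apply function records which manager owns each key and reports conflicts the way the text describes: under granular only the keys an applier changes can conflict, under atomic any change conflicts with whoever owns any part of the map, and a forced apply moves ownership. The manager names, keys and values are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// mapType mirrors the two x-kubernetes-map-type values: granular (the default) treats
// every key as its own field; atomic treats the whole map as one field.
type mapType string

const (
	granular mapType = "granular"
	atomic   mapType = "atomic"
)

// mapState is a toy model of one map field in a custom resource plus the field ownership
// Server Side Apply records for it (key -> manager that last set it).
type mapState struct {
	Values map[string]string
	Owners map[string]string
}

// conflictError lists keys another manager owns that this apply would change.
type conflictError struct{ Keys []string }

func (e *conflictError) Error() string { return fmt.Sprintf("conflict on keys %v", e.Keys) }

// apply merges desired into s on behalf of manager under the given map type. It returns
// a conflict when the apply would change something another manager owns, unless force is
// set, in which case ownership moves to manager. (Hypothetical; real SSA also models
// shared ownership when two appliers agree on a value, which this toy does not.)
func apply(s mapState, manager string, desired map[string]string, mt mapType, force bool) (mapState, error) {
	changed := map[string]bool{}
	for k, v := range desired {
		if old, ok := s.Values[k]; !ok || old != v {
			changed[k] = true
		}
	}
	if mt == atomic { // atomic: a key missing from desired gets removed, so that is a change too
		for k := range s.Values {
			if _, ok := desired[k]; !ok {
				changed[k] = true
			}
		}
	}
	var conflicts []string
	for k, owner := range s.Owners {
		if owner == manager || owner == "" {
			continue
		}
		// granular: only the keys we touch can conflict; atomic: touching anything
		// conflicts with whoever owns any part of the map.
		if changed[k] || (mt == atomic && len(changed) > 0) {
			conflicts = append(conflicts, k)
		}
	}
	if len(conflicts) > 0 && !force {
		sort.Strings(conflicts)
		return s, &conflictError{Keys: conflicts}
	}
	out := mapState{Values: map[string]string{}, Owners: map[string]string{}}
	if mt == granular { // keep other managers' keys; our own keys we no longer list are dropped
		for k, v := range s.Values {
			if s.Owners[k] != manager {
				out.Values[k], out.Owners[k] = v, s.Owners[k]
			}
		}
	}
	for k, v := range desired { // atomic: the map becomes exactly desired, all owned by manager
		out.Values[k], out.Owners[k] = v, manager
	}
	return out, nil
}

func main() {
	empty := mapState{Values: map[string]string{}, Owners: map[string]string{}}
	for _, mt := range []mapType{granular, atomic} {
		s, _ := apply(empty, "deploy-tool", map[string]string{"region": "eu", "tier": "gold"}, mt, false)
		_, err := apply(s, "ops", map[string]string{"tier": "silver"}, mt, false)
		forced, _ := apply(s, "ops", map[string]string{"tier": "silver"}, mt, true)
		fmt.Printf("%s: conflict=%v; after forced apply: values=%v owners=%v\n", mt, err, forced.Values, forced.Owners)
	}
}
```

Running it shows the practical difference: under granular the forced apply leaves region=eu owned by deploy-tool and moves only tier to ops, while under atomic the forced apply replaces the whole map, so region disappears and ops owns everything that remains.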

Other Merges

Promotions

Deprecated

Version Updates

Original Source: http://lwkd.info/2019/20191104