Just a few hours left to vote in the Steering Committee election, so do it now.
kubernetes-incubator is finally gone. RIP, incubator. You were there when we needed you.
Hacktoberfest caused some noise on a few repositories, but Digital Ocean has tried to improve things going forward. This does now mean that for PRs to be counted towards Hacktoberfest, your repository must opt-in by tagging itself with the hacktoberfest topic. For a repository under Kubernetes’ administration, you will need to reach out to the github-admin team to request they add it. For your own repos, you can click the gear icon next to the About section in the right-hand sidebar of the main repository overview page.
Next Deadline: Enhancements Freeze, Oct. 6
Fixes for the next patch releases need to be cherry-picked and merged by October 9.
As it’s been a quiet week in feature development, we’re going to shake things up and feature a trio of interesting KEPs accepted this week. As always, a KEP is not a guarantee the feature will be implemented or ever reach GA.
One of the lessons learned during the ToB security audit was that we have a number of internal APIs potentially vulnerable to server-side request forgery (SSRF). While the immediately dangerous ones have already been dealt with, the exec API in the Kubelet itself could use some improvements. This KEP lays out a plan to simplify the underlying exec APIs, remove options and endpoints never used by kube-apiserver, and generally lock things down to only the expected usage. Put together, this should dramatically reduce the risk of future exploits involving these APIs.
This KEP seeks to unify the declarative defaulting behavior between in-tree types and custom resources. More specifically, all tools will use // +default=someYAMLvalue to generate the defaulting, either in code or in OpenAPI specifications. This brings us one step closer to CRDs being on equal footing with in-tree types and controllers, which in turn will make it easier to migrate niche or deprecated functionality out of k/k.
Anyone running Kubernetes in the cloud has experienced a “cloud oops” where a machine shuts down unexpectedly, usually due to unplanned hardware maintenance or other adverse events. One side effect of unexpected shutdowns is that pods never get to run their PreStop handlers or otherwise gracefully terminate the container processes. This KEP proposes using the systemd “Inhibitor Lock” API to let the kubelet be notified of an impending shutdown so it can stop all pods cleanly before the shutdown continues. This may not cover every case, especially anyone not using systemd, but it’s a great start and will address the vast majority of users.
- kubectl cluster-info now uses “control plane” instead of potentially offensive terms; the Naming WG is getting to work
- Azure: drop storage even if the node has been deleted, let multiple services share an IP
- Don’t mess up the scheduler cache when a node is deleted before its pods
- Namespace objects get created the same whether you use POST or PATCH
- Let user proceed with missing ca.key files during
- Make the EndpointSlice controller mirror service labels, and backport an endpoints patch to all releases
- Have the same default pull policy for ephemeral containers, and don’t block ephemeral containers on admission webhooks
- Server-Side Apply treats LabelSelectors as a single unit when editing
- New metrics:
- kubeadm’s alpha self-hosting support didn’t work out
Original Source: http://lwkd.info/2020/20201005