Community Meeting Summary
Last week’s community meeting kicked off with a demo of Amazon EKS by Bryce Carman. This is set up with the control plane hosted by AWS and worker nodes under the control of the user. Carman spent some time on how network segregation and VPC work for EKS through a CNI plugin. Using the Heptio authenticator, you can log in from your desktop with your AWS IAM credentials.
Jordan Liggitt presented KEP 17. This KEP proposes a major restructuring of how component configuration works, both by moving configs from flags to a structured configuration file (as has been done with Kubelet), and by moving the config API types to their own repos, making it possible to include them in external code. Among other things, this will make interactive validation of configs possible. This change will affect everyone who works on Kubernetes or a plugin or client for it.
Liggitt continued with the update from SIG-Auth. They’re making it much easier to have multiple authorizers by cleaning up permissions and error messages. They plan to add Kubelet cert improvements to 1.12, as well as scoped service account tokens (not yet time-limited) and audit improvements. Frederic Branczyk explained SIG-Instrumentation’s current priorities, the biggest of which is the deprecation of Heapster. Other work includes adding new Node metrics, refactoring the Metrics Server, and enhanced configuration for the Prometheus adapter.
Next Deadline: Feature Freeze, July 31st.
SIGs should be listing features they expect to complete for 1.12 in the Features repo and the spreadsheet. After July 31st, features added to the release will need to go through the exception process.
A small change, but nice to have for a lot of common cases, this adds a NewForConfigOrDie for the Go client library. This has already resulted in some code cleanup and will probably allow similar changes in other test scripts and other management tools.
In an effort to track, and eventually fix, inconsistent e2e tests there is now an API (RecordFlakeIfError) for writing a flake-specific log entry if an e2e test failed unexpectedly.
In development for a long time and finally merged, this means the kubelet will scan for plugins in a given folder. This (hopefully) moves towards unifying the plugin management layers between device plugins, CNI plugins, etc.
The --docker-disable-shared-pid kubelet flag has been removed in favor of the ShareProcessNamespace pod API. If you’re using shared PID namespaces for any testing, make sure you update to the new system.
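An added example, not code from the Kubernetes project: a short Python check for the migration above. It flags a kubelet command line that still passes the removed flag and lists pods that opt in through the shareProcessNamespace field, which is worth reviewing because containers in such a pod can see and signal each other's processes. The sample pod list, names and argument vectors are constructed.

```python
import json

REMOVED_FLAG = "--docker-disable-shared-pid"  # flag named in the note above


def kubelet_uses_removed_flag(argv):
    """True if a kubelet command line still passes the removed flag."""
    return any(a == REMOVED_FLAG or a.startswith(REMOVED_FLAG + "=") for a in argv)


def pods_sharing_pid_namespace(pod_list):
    """Return (namespace, pod, container names) for pods that set
    spec.shareProcessNamespace to true."""
    hits = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        # Only an explicit boolean true opts the pod in; absent means isolated.
        if spec.get("shareProcessNamespace") is True:
            meta = pod.get("metadata", {})
            names = [c.get("name") for c in spec.get("containers", [])]
            hits.append((meta.get("namespace", "default"), meta.get("name"), names))
    return hits


# Constructed sample, shaped like `kubectl get pods --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "test", "name": "debug-target"},
   "spec": {"shareProcessNamespace": true,
            "containers": [{"name": "app"}, {"name": "debugger"}]}},
  {"metadata": {"namespace": "prod", "name": "web-0"},
   "spec": {"containers": [{"name": "web"}]}}
]}
""")

if __name__ == "__main__":
    # Constructed kubelet argument vector for illustration.
    argv = ["kubelet", "--docker-disable-shared-pid=false"]
    if kubelet_uses_removed_flag(argv):
        print("kubelet still passes", REMOVED_FLAG)
    for ns, name, containers in pods_sharing_pid_namespace(SAMPLE):
        print(f"{ns}/{name} shares one PID namespace across: {', '.join(containers)}")
```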
This fixes a small race condition when booting a new, tainted node. Fortunately an easy fix this time around, but a great reminder to be vigilant about concurrent operations whenever possible.
- Cleanup discovery and deletion of iSCSI block devices used as PVs
- Sidecar and dnsmasq-nanny images are now required by Kube-DNS, which is a good reason to upgrade to CoreDNS if you ask me
- Allow kubeadm to join a cluster using an existing cert
- Generate OpenAPI info without requiring a SecurityDefinition
- “Unbreak” ExecPlugin in kubelet config
- Kubelet serving certificate management is now beta
- Heapster is being deprecated in 1.12, as scheduled
kubectl exec is now hidden, prior to removal
--cri-socket-path option has been renamed simply