
Week Ending July 19, 2020 #196

Open
@github-actions


Developer News

There was a patch release this week that patched two security holes. Update at the next reasonable maintenance window – see below for details.

Kubernetes has decided to start removing inactive contributors from Github org membership.

The switch from google-containers to k8s-artifacts-prod namespaces for Kubernetes’ official containers began Monday. Hopefully we’ve fixed all the obstacles.

SIG-Multicluster wants you to choose what a multiple-cluster thing should be called.

SIG Leads need to complete unconscious bias training by August 31st.

Release Schedule

Next Deadline: Code Thaw (postponed)

As of the time of writing there are 19 critical fix PRs open against 1.19, mostly failing or flaky tests. In light of this, the release team has decided to hold off on code thaw until CI signal for master looks better. If you have an open PR against 1.19 or a CI signal fix in general, please get them sorted as soon as possible. Similarly for reviewers and approvers, please take some time this week to make sure fixes are unblocked.

The target release date is in about 5 weeks and the whole team would like to ensure that we don’t end up leaving build issues to the last minute, possibly destabilizing both the 1.19 release and master development.

1.18.6, 1.17.9, and 1.16.13 were released July 15th. In addition to bug fixes, these updates patch a privilege escalation security hole and a DDOS security hole. While both holes require a combination of circumstances, infra hosts should plan to update very soon.

Featured PRs

#90187: Implement server-side apply upgrade and downgrade

One way server-side apply improves over kubectl apply is that it tracks multiple sets of applied fields, each tied to an owner. Also, as a core feature, it promoted this tracking data from an annotation to a new ObjectMeta.ManagedFields struct member so it would be easier to work with and wouldn’t require clients to do multiple rounds of parsing themselves. But this does mean that the old apply and the new apply are not directly interchangeable. To make the feature easier to adopt, the API server will now automatically read an existing last-applied-configuration annotation if no ManagedFields exists, and it will set the annotation when performing a server-side apply so that existing client-side apply workflows can interoperate with it.

#90949: Add seccomp least privilege for kuberuntime

With the newly GA’d seccomp support from a few weeks ago, a persistent thorn was that container policies needed a few extra permissions to allow the pod sandbox pause container to operate. This has been fixed by setting up the pod sandbox container with its own policy. In addition to hardening things by default, this means if you don’t use any of the following syscalls, you can potentially remove them from your profiles in the future:

  • capget
  • capset
  • chdir
  • epoll_ctl
  • epoll_pwait
  • fchown
  • fcntl
  • fstat
  • fstatfs
  • getcwd
  • getdents64
  • getgid
  • getppid
  • getuid
  • lstat
  • newfstatat
  • openat
  • pause
  • prctl
  • read
  • readlink
  • rt_sigprocmask
  • set_tid_address
  • setgid
  • setgroups
  • setuid
  • statfs
  • wait4

This was also patched for the dockershim runtime.
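As an added example (not code from the PR or from Kubernetes itself), here is a small Python audit built around the syscall list above: it reads an OCI/Docker-style seccomp profile JSON, flags the pause-only syscalls the profile still allows but the workload was never observed using, and emits a tightened copy. The profile and the observed-syscall set are constructed samples; in practice the observed set has to come from tracing the real workload.

```python
import json

# The 28 syscalls the kubelet previously had to allow in every workload profile
# just for the pause (sandbox) container, copied from the list above.
PAUSE_ONLY_SYSCALLS = set("""capget capset chdir epoll_ctl epoll_pwait fchown fcntl
fstat fstatfs getcwd getdents64 getgid getppid getuid lstat newfstatat openat pause
prctl read readlink rt_sigprocmask set_tid_address setgid setgroups setuid statfs
wait4""".split())


def allowed_syscalls(profile: dict) -> set:
    """Syscall names an OCI/Docker-style seccomp profile allows explicitly."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return names


def removable_candidates(profile: dict, observed: set) -> set:
    """Pause-only syscalls the profile allows but the workload was never seen
    using: with the sandbox now on its own policy, candidates for removal."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        raise ValueError("allow-by-default profile: removing names changes nothing")
    return (allowed_syscalls(profile) & PAUSE_ONLY_SYSCALLS) - observed


def tightened_profile(profile: dict, observed: set) -> dict:
    """Copy of the profile with the removable candidates dropped from each allow
    rule; rules left with no names are dropped entirely."""
    drop = removable_candidates(profile, observed)
    out = {k: v for k, v in profile.items() if k != "syscalls"}
    out["syscalls"] = []
    for rule in profile.get("syscalls", []):
        names = [n for n in rule.get("names", []) if n not in drop]
        if names:
            out["syscalls"].append({**rule, "names": names})
    return out


# Constructed sample (not a real workload): a deny-by-default profile that still
# carries pause-container syscalls, plus the syscalls the workload was actually
# observed making, e.g. from an strace or audit run.
SAMPLE_PROFILE = json.loads("""{"defaultAction": "SCMP_ACT_ERRNO",
 "architectures": ["SCMP_ARCH_X86_64"], "syscalls": [
  {"names": ["read", "write", "openat", "fstat", "close"], "action": "SCMP_ACT_ALLOW"},
  {"names": ["setuid", "setgid", "setgroups", "capset", "pause"], "action": "SCMP_ACT_ALLOW"}]}""")
SAMPLE_OBSERVED = {"read", "write", "openat", "fstat", "close", "setgroups"}
```

Run `tightened_profile(SAMPLE_PROFILE, SAMPLE_OBSERVED)` to get the stripped profile; on the sample it drops setuid, setgid, capset and pause and keeps setgroups because the workload used it.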

Other Merges

Version Updates
