Developer News
CVE-2020-8562 could allow users to eavesdrop on control plane communications. However, to exploit this a user has to be authenticated and needs the permissions to create or edit Node and/or StorageClass objects, so this security issue is rated Low risk. It is not yet patched.
Gaby Moreno Cesar has stepped up as Chair of SIG-Usability. Deep Debroy has retired from SIG-Windows and Claudio Belu has been nominated to replace him.
The CNCF has renamed its teams “TAGs” (or Technical Advisory Groups) instead of “SIGs” which should cure some longstanding confusion between Kubernetes and CNCF teams.
Release Schedule
Next Deadline: Enhancements Freeze, May 13th
The 1.22 Enhancements team has pinged every SIG looking for trackable features, so if you missed that, please get yours in order, including a GitHub issue and merged KEP with all the frills. If you haven’t done one of these in a while, KEPs have gotten longer with more stuff, so take a look. Currently there are 40 listed enhancements from only 9 SIGs, so we’re sure that some of y’all are holding back. Get those filed!
Since the Release Cycle is underway, CI Signal Reports are a thing, so look there to see if you have any flaky tests that need looking after. Kudos to SIG-Network for getting 9 flaky test issues resolved.
Patch releases for all supported versions are due out on Wednesday. This will include the last patch for 1.18, so it’s time for 1.18 users to have an upgrade plan.
Featured PRs
#98028: add auto update for priority & fairness bootstrap configuration objects
When a fresh cluster boots for the first time, kube-apiserver automatically creates a number of objects to configure the API Priority and Fairness system. This initial config is a mix of required settings that should never be altered because they are critical for apiserver functionality, and suggested APF values that are a good default for most people but can be adjusted for special cases. One problem with all of this is that it only happens once, at first startup. We’ve recently adjusted the default APF configs and now have a better way to distribute those automatically.
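As an added example (not code from the PR or from Kubernetes), here is a pre-upgrade check for the auto-update behaviour this PR introduces for suggested objects: it reads the apf.kubernetes.io/autoupdate-spec annotation and metadata.generation from a listing shaped like `kubectl get flowschemas,prioritylevelconfigurations -o json` and reports which specs kube-apiserver would keep overwriting. The sample listing is constructed, and treating an object with no annotation and a generation above 1 as user-owned is an assumption.

```python
import json

ANNOTATION = "apf.kubernetes.io/autoupdate-spec"

# Constructed sample shaped like kubectl's JSON list output; names and values are illustrative.
SAMPLE = json.loads("""
{"items": [
  {"kind": "FlowSchema", "metadata": {"name": "service-accounts", "generation": 1,
    "annotations": {"apf.kubernetes.io/autoupdate-spec": "true"}}},
  {"kind": "FlowSchema", "metadata": {"name": "global-default", "generation": 1}},
  {"kind": "FlowSchema", "metadata": {"name": "workload-leader-election", "generation": 3,
    "annotations": {"apf.kubernetes.io/autoupdate-spec": "false"}}},
  {"kind": "PriorityLevelConfiguration", "metadata": {"name": "workload-low", "generation": 4}}
]}
""")


def apiserver_owns_spec(obj):
    """Return (owned, reason) for one suggested APF object."""
    meta = obj.get("metadata", {})
    value = (meta.get("annotations") or {}).get(ANNOTATION)
    if value is not None:
        return value.strip().lower() == "true", f"annotation is {value!r}"
    # No annotation: a recreated object still at generation 1 looks untouched,
    # so apiserver assumes control. Assumption: a higher generation means user-edited.
    generation = meta.get("generation", 1)
    if generation == 1:
        return True, "no annotation and generation is 1"
    return False, f"no annotation and generation is {generation}"


def upgrade_report(listing):
    """Map "Kind/name" to (owned, reason) for every item in a kubectl JSON list."""
    report = {}
    for obj in listing.get("items", []):
        key = f'{obj.get("kind", "?")}/{obj["metadata"]["name"]}'
        report[key] = apiserver_owns_spec(obj)
    return report


if __name__ == "__main__":
    for key, (owned, reason) in upgrade_report(SAMPLE).items():
        action = "will be overwritten" if owned else "left to you"
        print(f"{key:48} {action:20} ({reason})")
```

Any customized object reported as "will be overwritten" needs the annotation set to false before the upgrade.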
The process has two halves. For required settings, kube-apiserver will update them every time it starts and then, once a minute, re-apply them if any changes are detected. For suggested settings, a new apf.kubernetes.io/autoupdate-spec annotation controls whether apiserver attempts to keep the object updated. It is set to "true" by default during bootstrapping; if you want to make changes, ensure it is set to "false" and apiserver will defer to your judgement.
If you have previously customized any of the suggested settings specifically by deleting and recreating them (such that the object generation is still 1), make sure you apply apf.kubernetes.io/autoupdate-spec: false before upgrading or apiserver will assume control.
#96216: refactor: disable insecure serving in controller-manager
While the diff itself isn’t terribly fun, this PR may require action on your part. The old --port and --address flags to kube-controller-manager no longer have any effect and listening on unencrypted HTTP is no longer possible. The CLI options will remain in place (but non-functional) until 1.24 for compatibility. However, if you are scraping metrics from controller-manager and were taking an understandable-but-ill-advised shortcut and using unauthenticated connections on the insecure port, there is no time like the present to upgrade. Switching to HTTPS on port 10257 will get you in the front door, and for authentication it uses a pattern similar to kube-rbac-proxy, expecting a ServiceAccount bearer token and running a SubjectAccessReview against a /metrics non-resource URL. Ports and protocols may also need to be updated for any custom container probes.
Other Merges
kubectl diff masks Secrets
kubectl wait --for=delete now actually ignores not found results in all cases
Promotions
Deprecated
Version Updates
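Added example for Featured PR #96216 above (not code from the PR or from Kubernetes): the SubjectAccessReview that gets evaluated when a scraper presents its ServiceAccount token on port 10257, checked against a simplified local model of RBAC non-resource URL rules. The roles, bindings and ServiceAccount names are hypothetical and constructed, and bindings are reduced to plain usernames.

```python
# Constructed RBAC objects, trimmed to the fields this check reads; all names are hypothetical.
CLUSTER_ROLES = {
    "metrics-reader": [{"nonResourceURLs": ["/metrics"], "verbs": ["get"]}],
    "health-only": [{"nonResourceURLs": ["/healthz", "/healthz/*"], "verbs": ["get"]}],
    "pod-viewer": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
BINDINGS = [
    {"role": "metrics-reader", "subjects": ["system:serviceaccount:monitoring:prometheus"]},
    {"role": "health-only", "subjects": ["system:serviceaccount:monitoring:prober"]},
    {"role": "pod-viewer", "subjects": ["system:serviceaccount:monitoring:prober"]},
]


def subject_access_review(user, path="/metrics", verb="get"):
    """Build the review asking: may this user perform verb on this non-resource URL?"""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {"user": user, "nonResourceAttributes": {"path": path, "verb": verb}},
    }


def url_matches(rule_url, path):
    # RBAC accepts "*" alone or as the final path element, e.g. "/healthz/*".
    if rule_url == "*" or rule_url == path:
        return True
    return rule_url.endswith("*") and path.startswith(rule_url.rstrip("*"))


def allowed(review, roles=CLUSTER_ROLES, bindings=BINDINGS):
    """Return the name of the ClusterRole that grants the review, or None if denied."""
    spec = review["spec"]
    attrs = spec["nonResourceAttributes"]
    for binding in bindings:
        if spec["user"] not in binding["subjects"]:
            continue
        for rule in roles[binding["role"]]:
            verbs = rule.get("verbs", [])
            if attrs["verb"] not in verbs and "*" not in verbs:
                continue
            # Resource rules (pods, nodes, ...) carry no nonResourceURLs and never match here.
            if any(url_matches(u, attrs["path"]) for u in rule.get("nonResourceURLs", [])):
                return binding["role"]
    return None
```

The prober account shows the common failure after the switch: a valid token with resource-level read access is still denied on /metrics until a rule names that URL explicitly.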