Week Ending November 1, 2020

[github-actions]

Developer News

The Security committee has published a security advisory warning folks that, if verbose logging is enabled on versions older than the latest patch versions (1.19.3, 1.18.10, 1.17.13), you may inadvertently expose application and storage secrets. See CVE-2020-8563, CVE-2020-8564, CVE-2020-8565, and CVE-2020-8566 for more details. And update to the latest patch version!

Also, if you are a US citizen, please take some time off from Kubernetes Nov. 3rd to vote.

Release Schedule

Next Deadlines: Docs Placeholders due Nov. 6

Initial Docs PRs for all tracked features are due this Friday; Code Freeze follows on Thursday, Nov. 12. At this point, you should be finishing up your feature work and fixing bugs and tests.

Cherry-picks for the next round of patch releases are also due this Friday, for a planned update release next Tuesday.

Featured PRs

#94636: Added config parameter for CPU threads

A quiet and unassuming PR, this gives us configurable parallelism for the scheduler. This allows for cranking it up when you want to optimize pod launch times, or dropping it down when you care more about consistent throughput. Both are important tuning options for large cluster operators! This can be set in your --config configuration file via parallelism: N.

#93258: mv TokenRequest and TokenRequestProjection to GA

This feature quietly moved to beta back in 1.12 but just in case you’ve been sleeping on it, now is a great time to check it out! The main way to interact with the new system is through a projected token volume:

  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: vault

This offers a bunch of improvements over traditional Secret volume: you can specify an audience to limit what the token can be used for and an expiration time after which it will be renewed automatically (now with jitter to avoid a thundering herd). This also never writes the resulting token to a Secret which both reduces apiserver load and reduces the vectors for leaking the token. Tokens created through this system will also automatically be cleared when the owning pod is deleted. For anyone using Service Account tokens for service-to-service authentication, this offers a lot of benefits for very little work.

#95489: exec credential provider: wire in cluster info (superset of #91192)

As part of the continuing growth of exec credential provider, you can now configure things so that the full cluster info struct is seralized to JSON and exposed to an environment variable before invoking the exec plugin. This allows the plugin command to easily connect to the relevant cluster or see other configuration data about it without having to decode all the kubeconfig files like kubectl itself does. To enable this feature, add provideClusterInfo: true to the exec: configuration section. Do be careful that your command understands that this environment variable could potentially include slightly sensitive information like server certificates and the like.

Other Merges

• Dual-Stack Services are now a thing, which also breaks the previous dual-stack API; services will be single-stack by default in the future
• Horizontal Pod Autoscaling adds the ability to scale based on individual container resource usage , and counts pods correctly
• Disable watchcache for events, which wasn’t supposed to be turned on in the first place, and hurts performance
• Special priority for kubelet process on Windows
• runtime/default is the new docker/default for seccomp annotations; conversion will be automatically handled (backported)
• Don’t delete new PVs before the user can create a PVC for it
• Automatically create a ClusterIP field for services on read
• New metrics: apiserver\_request\_filter\_duration\_seconds, FSGroupPolicyChange time taken
• Enable --experimental-patches during kubeadm init
• SubjectAccessReview has a timeout
• HTTP probes get a default Accept: \*/\* header
• Reorganize our INPUT Iptables rules for performance
• EgressSelection type ControlPlane replaces master
• Auto-wipe dependent fields created for Services, a wonderful UX improvement by Tim Hockin
• Allow users to manually set compilation fields, enabling easy cross-compiling
• PDBs shouldn’t block eviction of unhealthy pods
• Add automated log compression to the APIserver
• Stop trying to run AppArmor on Windows, which does not work, no matter how loudly you shout at it
• IPVS checks if the right kernel modules are loaded

Promotions

• TokenRequest and TokenRequestProjection to GA, including adding a few default flags for the apiserver

Deprecated

• The APIserver insecure port, deprecated since 1.10, has been removed; the flags --address, --insecure-bind-address, --port, and --insecure-port will be nonfunctional in 1.20 and error out in 1.24
• The kubectl autoscale --generator flag is deprecated and nonfunctional in 1.20

Picture of the Week

This graph of the new metric apiserver\_request\_filter\_duration\_seconds shows the differences between filter execution time for different API filters.