You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Working on a 1.20 feature? Get your PRs merged by EOD Thursday, or get delayed
to 1.21. If you need to postpone, the Release Team can change your milestones.
After this, it’s all about getting tests to pass.
Patch releases 1.19.4, 1.18.11, and 1.17.14 are planned for Wednesday this week.
A relatively small fix, correctly checking for timeout errors during an exec probe, however this change pushes the dreaded Correct But A Compatibility Change button. All Kubernetes users are advised to review their usage of exec checks in readiness, liveness, and startup probes to see if you have a timeout set that will cause your checks to fail now. A default-true ExecProbeTimeout feature gate has been added to restore the old behavior, however it will only be maintained until 1.22 so proactive action is recommended.
As a follow up to the recent security issues with tokens being logged, we have a prototype for a data policy library, and a second PR adding an example log filter that uses it. The hope is this can prevent future data leakage by tagging data at the struct level. Currently this is implemented in a highly dynamic way using reflect, so if your subsystems will make heavy use of it you may want to do some performance testing. If you have any feedback about the current implementation or questions about how to integrate with it, please contact SIG-APIMachinery or respond on k-dev.
The heart of the new library is a datapolicy:"type" struct tag that will be used to mark struct fields that contain a certain type of sensitive data, such as datapolicy:"password" or datapolicy:"apikey". A final list of standard type names has not yet been created. The data policy library exposes a Validate() method which takes any value and returns an array of all the data policy labels on fields in that object, recursively validating sub-objects below the one passed in. The simplest use cases can check if len() > 0 and refuse to process or output the value, but specific types can be allowed by ignoring them in the array.
Other Merges
Add the api-extensions category to the API, for mutating admission configs, CRDs, and all the other customizable stuff
RootCAConfigMap is enabled by default, causing the controller to publish a configmap with APIserver connection certs to every namespace
Developer News
Kubectl is moving the last bits to staging repos,
which means that contributions to kubectl need to move there in the future.
In order to avoid accidental disclosure of private data,
the Data Management WG
is planning to add field tags across many APIs. Comment now
if you have any feedback.
We’re participating in the GitHub Kudos beta, so thank a contributor today!
Release Schedule
Next Deadline: CODE FREEZE November 12
Working on a 1.20 feature? Get your PRs merged by EOD Thursday, or get delayed
to 1.21. If you need to postpone, the Release Team can change your milestones.
After this, it’s all about getting tests to pass.
Patch releases 1.19.4, 1.18.11, and 1.17.14 are planned for Wednesday this week.
Featured PRs
#94115: kubelet: respect exec probe timeouts
A relatively small fix, correctly checking for timeout errors during an exec probe, however this change pushes the dreaded Correct But A Compatibility Change button. All Kubernetes users are advised to review their usage of
exec
checks in readiness, liveness, and startup probes to see if you have a timeout set that will cause your checks to fail now. A default-trueExecProbeTimeout
feature gate has been added to restore the old behavior, however it will only be maintained until 1.22 so proactive action is recommended.#96097: Introduce a simple datapolicy library
As a follow up to the recent security issues with tokens being logged, we have a prototype for a data policy library, and a second PR adding an example log filter that uses it. The hope is this can prevent future data leakage by tagging data at the struct level. Currently this is implemented in a highly dynamic way using
reflect
, so if your subsystems will make heavy use of it you may want to do some performance testing. If you have any feedback about the current implementation or questions about how to integrate with it, please contact SIG-APIMachinery or respond on k-dev.The heart of the new library is a
datapolicy:"type"
struct tag that will be used to mark struct fields that contain a certain type of sensitive data, such asdatapolicy:"password"
ordatapolicy:"apikey"
. A final list of standard type names has not yet been created. The data policy library exposes aValidate()
method which takes any value and returns an array of all the data policy labels on fields in that object, recursively validating sub-objects below the one passed in. The simplest use cases can check iflen() > 0
and refuse to process or output the value, but specific types can be allowed by ignoring them in the array.Other Merges
LoadBalancerIPMode
apply
, and if you try to copy a nonexistant file to a podserving
and ``terminating` conditions so you can distinguish between an endpoint that’s nonexistant and one that’s shutting downservice-account-extend-token-expiration
metric by defaultLoclaStorageCapacityIsolation
(backported)Promotions
kubectl debug
to beta, replacingkubectl alpha debug
(theEphemeralContainers
feature gate is still alpha status)Deprecated
--redirect-container-streaming
kubectl --delete-local-data
is deprecated in favor of--delete-emptydir-data
The text was updated successfully, but these errors were encountered: