-
Notifications
You must be signed in to change notification settings - Fork 31
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #343 from kubernetes-sigs/20240414
Publish 04/14 issue
- Loading branch information
Showing
1 changed file
with
31 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
--- | ||
layout: post | ||
title: Week Ending April 14, 2024 | ||
date: 2024-04-17 14:4g5:00 -0000 | ||
slug: 2024-01-16-update | ||
--- | ||
|
||
## Developer News | ||
|
||
[CVE-2024-3177](https://groups.google.com/a/kubernetes.io/g/dev/c/TjHVWbZu9Cs), rated Low, was discovered in Kubernetes, where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. | ||
|
||
## Release Schedule | ||
|
||
**Next Deadline: Release Day, April 17th** | ||
|
||
[Kubernetes v1.30.0-rc.2 is live!](https://groups.google.com/a/kubernetes.io/g/dev/c/PDfskMmnwpw) | ||
|
||
Kubernetes v1.30 is scheduled to be released today. To accommodate this, patch releases [v1.27.13](https://github.com/kubernetes/kubernetes/releases/tag/v1.27.13), [v1.28.9](https://github.com/kubernetes/kubernetes/releases/tag/v1.28.9) and [v1.29.4](https://github.com/kubernetes/kubernetes/releases/tag/v1.29.4) have been [cut one day early](https://groups.google.com/a/kubernetes.io/g/dev/c/TCroZRkWjco). | ||
|
||
## KEP of the Week | ||
|
||
### [KEP 3141:Prevent unauthorised volume mode conversion during volume restore](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3141-prevent-volume-mode-conversion) | ||
|
||
The KEP proposes preventing unauthorized volume mode conversion when creating PVCs from `VolumeSnapshots` in Kubernetes. It introduces modifications to the `VolumeSnapshotContent` API spec, control flows of snapshot-controller and external-provisioner, and an annotation name `snapshot.storage.kubernetes.io/allow-volume-mode-change` on `VolumeSnapshotContent` resources. These changes mitigate security vulnerabilities while allowing authorized use cases, such as backup processes, to proceed efficiently. This addresses potential exploitation by malicious users and aims to prevent kernel vulnerability, particularly in scenarios involving potential future CVEs affecting filesystems. | ||
|
||
This KEP is tracked to graduate to stable in the upcoming v1.30 release. | ||
|
||
## Subprojects and Dependency Updates | ||
|
||
* [containerd/nerdctl v2.0.0-beta.4](https://github.com/containerd/nerdctl/releases/tag/v2.0.0-beta.4) Faster and more stable nerdctl pull, nerdctl push, nerdctl build, etc. | ||
* [grpc v1.63.0-pre1](https://github.com/grpc/grpc/releases/tag/v1.63.0-pre1) released with refinements, improvements, and bug fixes. |