Week Ending April 3, 2022

[github-actions]

Developer News

Etcd 3.5.X has a significant data corruption issue, and is not recommended for production use. If you have not yet upgraded to Etcd 3.5, please wait for 3.5.3. If you have upgraded, you need to restart etcd with the --experimental-initial-corrupt-check flag. Kubeadm supports this flag.

The Steering Committee is considering archiving SIG Service Catalog due to inactivity. If you use minibroker, service-catalog, or go-open-service-broker projects, please speak up on the linked issues about what you think should be done with that project.

Kubernetes Contributor Summit EU will be held on May 16th at the Fira in Valencia. Registration and additional details coming soon.

Release Schedule

Next Deadline: Doc PRs ready for review, April 5th

The first release candidate for 1.24 has been postponed to next week due to a certificate validation error we need to wait for go 1.18.1 to be fixed. As such, RC 0 will be released next Monday.

There’s plenty to do this week while you wait for RC 0, though. First, your draft documentation on your enhancements is due Tuesday. At the same time, the Release Notes team will be drafting the notes, and asking you questions. And the Release Blog will be finalized Wednesday.

The following test jobs are still flaky, and could easily cause the final release to be delayed, so look into them if you can: skew-cluster-latest, gce-ingress, kind-master-parallel, and ci-kubernetes-unit. Check the CI work board to collaborate.

The cherry pick deadline for the next set of patch releases is April 8th.

Featured PRs

#108745: feat: prepare KMS data encryption for migration to AES-GCM

This PR paves the way for using AES-GCM instead of AES-CBC for our at-rest encryption. CBC mode, while overall very safe, is vulnerable to certain types of padding oracle attacks (leaking information through the data padding required by the algorithm). GCM represents a substantial upgrade and will help test the way forward to newer, non-AES options. For 1.24 only the read half of things is implemented. For now this will do nothing but will allow for smooth upgrades and downgrades once 1.25 comes out later this year. If you have any management tools that assume CBC is the default mode, now is a good time to start preparing for the future.

#108995: contextual logging

Building on the bones of our structured logging, we now have the core of a contextual logging framework. The general idea is that rather than a single global logger instance that’s initialized once at program startup, we can generate many sub-loggers and bind them to the Context structs already flowing through the code. These bound loggers can embed default structured logging key-value data which allows a more natural flow of those around a codebase. The feature is flagged off in Kubernetes as a whole but you can enable it for specific daemons with klog.EnableContextualLogging(true). Give it a try and give feedback to WG Structured Logging or SIG Instrumentation.

Other Merges

Since this is CodeFreeze week, we have quite a few new feature pushes:

• ClusterCIDRConfig becomes an alpha API, supporting multiple CIDRs
• Read-Write-Many (RWX) volumes will automatically expand on all linked nodes
• CronJobs support timezones
• ProxyTerminatingEndpoints work for all traffic types
• Network Policy has a Status sub-struct
• StatefulSets have a MaxUnavailable setting for faster rollouts.

Of course, not all features made it into 1.24:

• ServerSideFieldValidation was reverted to Alpha for 1.24
• The status.hostIPs field for Pods was merged and then reverted due to CPU usage issues in scalability tests

And the fixes never stop:

• We’ve cleaned up API fields that aren’t really Enums, including one for certificates
• availableReplicas field of StatefulSetStatus is optional again
• Priority & fairness estimates delegated API costs better
• client-go will give the user an error if reset-and-retry fails, and count indexed values correctly with concurrent changes
• Scheduler optimizes CycleState for read-many
• kube-scheduler won’t nominate pods to cache if they’re already scheduled
• More cleanup of iptables rules
• Kubelet checks taint/toleration before accepting pods, and Windows permissions better
• New metrics: field_validation_request_duration_seconds, sync_proxy_rules_no_endpoints_total, kubelet_volume_stats_health_abnormal

Promotions

• OpenAPI v3 is Beta, enabled by default, and supported in client-go
• Leader Migration to GA, v1 API
• AzureDisk CSI migration to GA
• JobReadyPods to Beta

Deprecated

• cloud provider removes “insecure serving” mode
• in-tree vSphere less than v7 is deprecated
• deployment-controller-sync-period option goes away for kube-controller-manager
• kubectl exposedrops generator and container-port flags

Version Updates

• runc to 1.1.1
• cadvisor to 0.44.0
• kustomize to v4.5.4
• node-feature-discovery is v0.11