1_r/devopsish

Kubernetes v1.32: Penelope

https://kubernetes.io/blog/2024/12/11/kubernetes-v1-32-release/

Editors: Matteo Bianchi, Edith Puclla, William Rizzo, Ryota Sawada, Rashan Smith

Announcing the release of Kubernetes v1.32: Penelope!

In line with previous releases, the release of Kubernetes v1.32 introduces new stable, beta, and alpha features. The consistent delivery of high-quality releases underscores the strength of our development cycle and the vibrant support from our community. This release consists of 44 enhancements in total. Of those enhancements, 13 have graduated to Stable, 12 are entering Beta, and 19 have entered in Alpha.

Release theme and logo

The Kubernetes v1.32 Release Theme is "Penelope".

If Kubernetes is Ancient Greek for "pilot", in this release we start from that origin and reflect on the last 10 years of Kubernetes and our accomplishments: each release cycle is a journey, and just like Penelope, in "The Odyssey", wove for 10 years -- each night removing parts of what she had done during the day -- so does each release add new features and remove others, albeit here with a much clearer purpose of constantly improving Kubernetes. With v1.32 being the last release in the year Kubernetes marks its first decade anniversary, we wanted to honour all of those that have been part of the global Kubernetes crew that roams the cloud-native seas through perils and challenges: may we continue to weave the future of Kubernetes together.

Updates to recent key features

A note on DRA enhancements

In this release, like the previous one, the Kubernetes project continues proposing a number of enhancements to Dynamic Resource Allocation (DRA), a key component of the Kubernetes resource management system. These enhancements aim to improve the flexibility and efficiency of resource allocation for workloads that require specialized hardware, such as GPUs, FPGAs and network adapters. These features are particularly useful for use cases such as machine learning or high-performance computing applications. The core part enabling DRA, structured parameter support, got promoted to beta.

Quality of life improvements on nodes and sidecar containers update

SIG Node has the following highlights that go beyond KEPs:

The systemd watchdog capability is now used to restart the kubelet when its health check fails, while also limiting the maximum number of restarts within a given time period. This enhances the reliability of the kubelet. For more details, see pull request #127566.

In cases when an image pull back-off error is encountered, the message displayed in the Pod status has been improved to be more human-friendly and to indicate details about why the Pod is in this condition. When an image pull back-off occurs, the error is appended to the Pod's status.containerStatuses[*].state.waiting.message field, with an ImagePullBackOff value in the reason field. This change provides you with more context and helps you to identify the root cause of the issue. For more details, see pull request #127918.

The sidecar containers feature is targeting graduation to Stable in v1.33. To view the remaining work items and feedback from users, see comments in the issue #753.

Highlights of features graduating to Stable

This is a selection of some of the improvements that are now stable following the v1.32 release.

Custom Resource field selectors

Custom resource field selectors allow developers to add field selectors to custom resources, mirroring the functionality available for built-in Kubernetes objects. This allows for more efficient and precise filtering of custom resources, promoting better API design practices.

This work was done as a part of KEP #4358, by SIG API Machinery.

Support to size memory backed volumes

This feature makes it possible to dynamically size memory-backed volumes based on Pod resource limits, improving the workload's portability and overall node resource utilization.

This work was done as a part of KEP #1967, by SIG Node.

Bound service account token improvement

The inclusion of the node name in the service account token claims allows users to use that information during authorization and admission (ValidatingAdmissionPolicy). Furthermore, this improvement keeps service account credentials from being a privilege escalation path for nodes.

This work was done as part of KEP #4193 by SIG Auth.

Structured authorization configuration

Multiple authorizers can be configured in the API server to allow for structured authorization decisions, with support for CEL match conditions in webhooks. This work was done as part of KEP #3221 by SIG Auth.

Auto remove PVCs created by StatefulSet

PersistentVolumeClaims (PVCs) created by StatefulSets get automatically deleted when no longer needed, while ensuring data persistence during StatefulSet updates and node maintenance. This feature simplifies storage management for StatefulSets and reduces the risk of orphaned PVCs.

This work was done as part of KEP #1847 by SIG Apps.

Highlights of features graduating to Beta

This is a selection of some of the improvements that are now beta following the v1.32 release.

Job API managed-by mechanism

The managedBy field for Jobs was promoted to beta in the v1.32 release. This feature enables external controllers (like Kueue) to manage Job synchronization, offering greater flexibility and integration with advanced workload management systems.

This work was done as a part of KEP #4368, by SIG Apps.

Only allow anonymous auth for configured endpoints

This feature lets admins specify which endpoints are allowed for anonymous requests. For example, the admin can choose to only allow anonymous access to health endpoints like /healthz, /livez, and /readyz while preventing anonymous access to other cluster endpoints or resources, even if a user misconfigures RBAC.

This work was done as a part of KEP #4633, by SIG Auth.

Per-plugin callback functions for accurate requeueing in kube-scheduler enhancements

This feature enhances scheduling throughput with more efficient scheduling retry decisions made via per-plugin callback functions (QueueingHint). All plugins now have QueueingHints.

This work was done as a part of KEP #4247, by SIG Scheduling.

Recover from volume expansion failure

This feature lets users recover from volume expansion failure by retrying with a smaller size. This enhancement ensures that volume expansion is more resilient and reliable, reducing the risk of data loss or corruption during the process.

This work was done as a part of KEP #1790, by SIG Storage.

Volume group snapshot

This feature introduces a VolumeGroupSnapshot API, which lets users take a snapshot of multiple volumes together, ensuring data consistency across the volumes.

This work was done as a part of KEP #3476, by SIG Storage.

Structured parameter support

The core part of Dynamic Resource Allocation (DRA), the structured parameter support, got promoted to beta. This allows the kube-scheduler and Cluster Autoscaler to simulate claim allocation directly, without needing a third-party driver. These components can now predict whether resource requests can be fulfilled based on the cluster's current state without actually committing to the allocation. By eliminating the need for a third-party driver to validate or test allocations, this feature improves planning and decision-making for resource distribution, making the scheduling and scaling processes more efficient.

This work was done as a part of KEP #4381, by WG Device Management (a cross-functional team containing SIG Node, SIG Scheduling and SIG Autoscaling).

Label and field selector authorization

Label and field selectors can be used in authorization decisions. The node authorizer automatically takes advantage of this to limit nodes to list or watch their pods only. Webhook authorizers can be updated to limit requests based on the label or field selector used.

This work was done as part of KEP #4601 by SIG Auth.

Highlights of new features in Alpha

This is a selection of key improvements introduced as alpha features in the v1.32 release.

Asynchronous preemption in the Kubernetes Scheduler

The Kubernetes scheduler has been enhanced with Asynchronous Preemption, a feature that improves scheduling throughput by handling preemption operations asynchronously. Preemption ensures higher-priority pods get the resources they need by evicting lower-priority ones, but this process previously involved heavy operations like API calls to delete pods, slowing down the scheduler. With this enhancement, such tasks are now processed in parallel, allowing the scheduler to continue scheduling other pods without delays. This improvement is particularly beneficial in clusters with high Pod churn or frequent scheduling failures, ensuring a more efficient and resilient scheduling process.

This work was done as a part of KEP #4832 by SIG Scheduling.

Mutating admission policies using CEL expressions

The Kubernetes API server now supports Common Expression Language (CEL)-based Mutating Admission Policies, providing a lightweight, efficient alternative to mutating admission webhooks. With this enhancement, administrators can use CEL to declare mutations like setting labels, defaulting fields, or injecting sidecars with simple, declarative expressions. This approach reduces operational complexity, eliminates the need for webhooks, and integrates directly with the kube-apiserver, offering faster and more reliable in-process mutation handling.

This feature leverages CEL's object instantiation and JSON Patch strategies, combined with Server Side Apply's merge algorithms. It simplifies policy definition, reduces mutation conflicts, and enhances admission control performance while laying a foundation for more robust, extensible policy frameworks in Kubernetes.

This work was done as a part of KEP #3962 by SIG API Machinery.

Pod-level resource specifications

This enhancement sim

·kubernetes.io·
What the EU’s new software legislation means for developers
The EU Cyber Resilience Act will introduce new cybersecurity requirements for software released in the EU. Learn what it means for your open source projects and what GitHub is doing to ensure the law will be a net win for open source maintainers.
·github.blog·
Tech predictions for 2025 and beyond
We've entered an era of unprecedented societal challenges and rapid technological advancements. Harnessing technology for good has become both an ethical imperative and a profitable endeavor. These are the areas where I see technology shaping society in 2025 and beyond—and it all starts with mission-driven work.
·allthingsdistributed.com·
The 6 Mistakes You’re Going to Make as a New Manager
Transitioning from an individual contributor to a manager is tough but rewarding. The key is to delegate, find new sources of fulfillment, focus on quality over quantity, maintain proper engagement…
·terriblesoftware.org·
Last Week in Kubernetes Development - Week Ending December 8 2024

Week Ending December 8, 2024

https://lwkd.info/2024/20241210

Developer News

Marko Mudrinic was nominated as TL of SIG K8s-Infra, and Mario Fahlandt to co-chair SIG-ContribEx.

Release Schedule

It’s 1.32 Release Week! Just to make sure you noticed, the release team put out an extra Release Candidate (also to fix two release-blocking issues). With that, here’s a little taste of the new/alpha features in 1.32 according to the Enhancements Board:

Mutating Admission Policies based on CEL

Allow splitting stdout and stderr in container log stream

Resource limits at the pod level

The Topology scheduler knows about shared L3 caches

Statusz page and Flagz page for all core components

Fine-grained Node API authorizations

Supporting external signers for service account tokens

Windows gets CPU and Memory affinity

CBOR data format as a JSON alternative

Of course, there are tons more enhancements, and 30 features are graduating to Beta or Stable. Find out more, and download and try, when Kubernetes 1.32 comes out tomorrow.

In the meantime, we have a bunch of patch releases; 1.29.12, 1.30.8, 1.31.4 are now available, mainly containing a golang update.

Shoutouts

See the 2024 Kubernetes Contributor Award Recipients.

SIG Node wants to shout out people who contributed extra time and effort for the 1.32 release coordination. SIG Node is a leader in the number of KEPs proposed and merged every release, and we were addressing feedback from previous releases by introducing a new (currently informal) role: KEP wranglers. Please join me in thanking the wranglers: @Adrian Reber, @fromani, @haircommander, @Kevin Hannon, @Sohan, @Sreeram Venkitesh. And the approvers: @dawnchen, @derekwaynecarr, @klueska, @mrunalp, @Sergey Kanzhelev, @tallclair, @yujuhong.

Ben gives a heartfelt thank you to @neolit123 for all of your help and contributions over the years. #kubeadm, #kind and more owe you a great debt. Thank you!

via Last Week in Kubernetes Development https://lwkd.info/

December 10, 2024 at 05:00PM

·lwkd.info·
MC LR Router and GoCast unpatched vulnerabilities
Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. These vulnerabilities have not been patched at time of this posting. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.
·blog.talosintelligence.com·
Your lying virtual eyes
Well, who you gonna believe, me or your own eyes? – Chico Marx (dressed as Groucho), from Duck Soup: In the ACM Queue article Above the Line, Below the Line, the late safety researcher Richar…
·surfingcomplexity.blog·
Ep02 - Ask Me Anything about DevOps, Cloud, Kubernetes, Platform Engineering,... w/Scott Rosenberg

There are no restrictions in this AMA session. You can ask anything about DevOps, Cloud, Kubernetes, Platform Engineering, containers, or anything else. We'll have a special guest Scott Rosenberg to help us out.


via YouTube https://www.youtube.com/watch?v=jbVDksQo8KI

·youtube.com·
Exploring multi-tenancy for my Kubernetes learning platform with Stefan Roman

https://kube.fm/multi-tenancy-stefan

Stefan Roman shares his experience building Labs4Grabs, a platform that gives students root access to Kubernetes clusters. He discusses the journey from evaluating simple namespace-based isolation to implementing full VM-based isolation with KubeVirt.

You will learn:

Why namespace isolation isn't sufficient for untrusted users and the limitations of tools like vCluster when running privileged workloads.

How to use KubeVirt to achieve complete workload isolation and the trade-offs.

Practical approaches to implementing network security with NetworkPolicies and managing resource allocation across multiple student environments.

Follow Stefan's journey from simple to complex isolation strategies, focusing on the technical decisions and trade-offs he encountered.

via KubeFM https://kube.fm

December 10, 2024 at 05:00AM

·kube.fm·
Webb telescope confirms the universe is expanding at an unexpected rate
Fresh corroboration of the perplexing observation that the universe is expanding more rapidly than expected has scientists pondering the cause - perhaps some unknown factor involving the mysterious cosmic components dark energy and dark matter.
·apple.news·
US agencies brief House on Chinese Salt Typhoon telecom hacking (2024-12-09)
U.S. government agencies will hold a classified briefing for the House of Representatives on Tuesday on China's alleged efforts known as Salt Typhoon to infiltrate American telecommunications companies and steal data about U.S. calls, officials said on Monday.
·reuters.com·
The Biggest Shell Programs in the World
Oils is our upgrade path from bash to a better language and runtime. It's also for Python and JavaScript users who avoid shell! - oils-for-unix/oils
·github.com·
MacStories Selects 2024: Recognizing the Best Apps of the Year
John: 2024 was a big year for apps, but it was also different from most. More often than not, app innovation is driven by new Apple APIs; that wasn’t the case this year. Instead, it was other trends that shaped the apps we love. Artificial intelligence played a big role, with some apps adopting it
·macstories.net·
Master Kubernetes Backups with Velero: Step-by-Step Guide

In this video, we delve into creating and restoring backups in Kubernetes using Velero, the leading open-source solution. Learn how to safeguard your clusters, ensure data integrity, and prepare for disaster recovery. We'll walk you through setting up Velero, scheduling automated backups, and performing on-demand backups. Plus, see how to restore your cluster from a backup in case of a catastrophic failure. This guide is perfect for anyone looking to enhance their Kubernetes resilience and ensure their critical data is always protected.

#KubernetesBackup #Velero #Backup

▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬ ➡ Transcript and commands: https://devopstoolkit.live/kubernetes/master-kubernetes-backups-with-velero-step-by-step-guide 🔗 Velero: https://velero.io

▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬ 00:00 Kubernetes Backups with Velero 02:16 Create and Schedule Backups with Velero 09:39 Restore Backups with Velero

via YouTube https://www.youtube.com/watch?v=OzoC-wGfBnw

·youtube.com·
How to test Kubernetes autoscaling
Autoscaling has become increasingly popular with the increased use and further development of cloud...
·dev.to·
The Keyboard IS the Computer! (Pi 500)
Raspberry Pi just launched the Pi 500 and a new Monitor. A big feature is missing, but maybe there are some clues as to why hidden inside...

Mentioned in this video:
- Raspberry Pi 500: https://www.raspberrypi.com/products/raspberry-pi-500/
- Raspberry Pi Monitor: https://www.raspberrypi.com/products/raspberry-pi-monitor/
- Level2Jeff Pi 500 Teardown: https://www.youtube.com/watch?v=omYWRb1dLA4
- Level2Jeff Pi Monitor Teardown: https://www.youtube.com/watch?v=CnBu1wuoWew
- sbc-reviews Pi 500 test data: https://github.com/geerlingguy/sbc-reviews/issues/60
- Dual display desk clamp mount: https://amzn.to/4f6riOU (affiliate link)
- 3D printed Xbox One Controller stand: https://www.printables.com/model/862581-xbox-one-controller-stand/

Raspberry Pi sent the Pi 500 and Monitors seen in this video for review. They did not pay for this video, nor have any say in the contents. See my sponsorship policies: https://github.com/geerlingguy/youtube?tab=readme-ov-file#sponsorships

Support me on Patreon: https://www.patreon.com/geerlingguy
Sponsor me on GitHub: https://github.com/sponsors/geerlingguy
Merch: https://www.redshirtjeff.com
2nd Channel: https://www.youtube.com/@GeerlingEngineering
3rd Channel: https://www.youtube.com/@Level2Jeff

Contents:
00:00 - Pi 500 is here
00:59 - External features and ports
01:40 - Pi 400 comparison and pricing
02:14 - Mini teardown and a missing feature
03:59 - Fanless (passive) cooling performance
05:35 - Dream Pi Dev Workstation
07:09 - Steam Link and casual gaming
07:55 - A hidden RP2040 for HID!
08:27 - Jeff keeps harping on the missing M.2
09:00 - Laptop? Pro model?
09:23 - Good first computer, wanted upgrades
·youtube.com·
Taking on the Tyranny of the Tech Bros
Coalitions between feminist movements, minorities, and labor activists will help keep the Silicon Valley moguls in check.
·wired.com·