
1_r/devopsish
Week Ending July 21, 2024
https://lwkd.info/2024/20240723
Developer News
CVE-2024-5321 allows unauthorized users on Windows to read container logs. Fixed in the latest patch releases.
You have one week to migrate the remaining jobs on the old cluster before they get deactivated. Notable bundles of unmigrated jobs belong to SIG-Storage (CSI driver tests), SIG-Cloud Provider (Azure), and the ClusterAPI subproject.
Test-Infra is eliminating the last bits of Google-owned notification systems in favor of community-owned ones. This means you should use the community Slack channels: #testing-ops to raise issues with prow.k8s.i and CI infrastructure, and #sig-scalability for scale test issues. You can discuss CI failures not clearly related to issues with prow or the infra in #sig-testing and #release-ci-signal.
Release Schedule
Next Deadline: Code Freeze, July 24th
Code freeze is happening this week, at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024. Out of the 54 enhancements tracked after enhancements freeze, we have 32 KEPs tracked for code freeze as of this writing. If your KEP missed the code freeze deadline, you can file an exception request.
Patch releases 1.27.16, 1.28.12, 1.29.7 and 1.30.3 were delayed to incorporate the fix for CVE-2024-5321 and a golang update. Update as soon as you can, particularly if you run Windows.
Featured PRs
126165: PSA: allow container_engine_t selinux type
This PR updates the Pod Security Standards to include the container_engine_t SELinux type, starting with version 1.31. This type is designed for running container engines like Podman and Docker within a container. The change enables running nested containers while still securing activity using SELinux.
KEP of the Week
KEP 4033: Discover cgroup Driver from CRI
This KEP introduces the ability for the container runtime to instruct Kubelet on which cgroup driver to use. Currently, both the Kubelet and the container runtime have configuration settings for selecting the cgroup driver (cgroupfs or systemd). With this enhancement, synchronization between the Kubelet and runtime settings is ensured, eliminating the possibility of misaligned cgroup driver configurations and promoting a single source of truth for the cgroup driver.
This KEP is tracked for beta release in the upcoming v1.31.
Other Merges
queueing_hint_execution_duration_seconds and event_handling_duration_seconds metrics implemented to improve observability of scheduler throughput
Ingress.spec.defaultBackend is now considered an atomic struct for server-side-apply
Unit tests added to validate that kube-proxy handles bad IPs and CIDRs correctly
New stream_tunnel_requests_total metric added to PortForward tunneling through WebSockets
syscall.ENODEV is now treated as a corrupted mount
Fix for kube-apiserver crashing due to CEL validation issues for CRDs
Improvements to ValidatingAdmissionPolicy metrics to count and time all validations
Fix for storage-version-migrator-controller to prevent failing migrations when resources are deleted while a migration is in progress
Documentation fix for default value of procMount entry in Pod SecurityContext
--emulated-version flag added to kube-controller-manager to set emulation version
kubelet/stats: set INFO log level for stats not found in cadvisor memory cache error to reduce noise
AuthorizeWithSelectors feature added to include field and label selector information from requests in webhook authorization calls
kubelet implementation of ImageVolumeSource added
Access to swap for containers in high priority Pods restricted
DRA: kubelet made independent of the resource.k8s.io API version
kube-scheduler implements scheduling hints for the VolumeBinding plugin
Promotions
ValidatingAdmissionPolicy metrics to beta
JobSuccessPolicy to beta
StatefulSetStartOrdinal to GA
Deprecated
Deprecated context.StopCh cleaned up
CustomResourceValidationExpressions feature gate removed
Version Updates
knftables to v0.0.17
Subprojects and Dependency Updates
etcd to v3.5.15: support multiple values for allowed client and peer TLS identities
csi-driver-smb v1.15.0: make image.*.repository variables relative by default
containerd v1.7.20: support for dropping inheritable capabilities; also v1.6.34
kops v1.28.7: support definition of kube-controller-manager
kustomize v5.4.3: kustomize localize subcommand verifies the success of kustomize build when executed
kubespray v2.24.2: possibility to modify Service type with “ingress_nginx_service_type” property in addons
grpc v1.65.1: add signal handler to python interop client
via Last Week in Kubernetes Development https://lwkd.info/
July 23, 2024 at 07:00PM
awslabs/open-data-registry: A registry of publicly available datasets on AWS
Registry of Open Data on AWS A repository of publicly available datasets that are available for access from AWS resources. Note that datasets in this registry…
July 23, 2024 at 02:48PM
via Instapaper
7 Urgent Lessons From the CrowdStrike Disaster
Sitting here on my Linux desktop, with my Linux servers humming away in the background, the CrowdStrike crash didn’t affect me directly. Like pretty much…
July 23, 2024 at 01:02PM
via Instapaper
Data Deception: OSI's Open Source AI Fallacy
https://chrisshort.net/data-deception-osis-open-source-ai-fallacy/
The OSI's draft Open Source AI Definition could harm open source by allowing non-reproducible data, enabling openwashing and threatening transparency.
via ChrisShort.net https://chrisshort.net/
July 23, 2024 at 03:00AM
Ode to an Outage | LinkedIn
July 22, 2024 at 11:56AM
via Instapaper
From Boring to Productive: Customize Your Shell Prompt with Starship
Discover how a simple, customizable Shell prompt can boost your productivity! This video explores the power of Starship, a lightning-fast and highly customizable Shell prompt. Learn how to set up Starship, apply various presets, and tailor it to fit your workflow. Whether you're using Zsh or another shell, we'll guide you through creating a prompt that provides essential information at a glance. From Git branches to Kubernetes clusters, see how Starship can transform your terminal experience.
#StarshipShell #ProductivityHacks #CustomShellPrompt #TerminalTips
Additional Info
Transcript and commands: https://devopstoolkit.live/terminal/from-boring-to-productive-customize-your-shell-prompt-with-starship
Starship: https://starship.rs/
Timecodes
00:00 Shell Prompts with Starship
02:17 Starship Presets
04:02 Starship Configuration
06:35 Starship In Action
via YouTube https://www.youtube.com/watch?v=VLzc1iSDe9A