1_r/devopsish

Signing Artifacts - Feat. Notary, Sigstore, and Open Policy Containers (You Choose!, Ch. 3, Ep. 6)

Signing Artifacts - Choose Your Own Adventure: The Treacherous Trek to Security In this episode, we'll figure out which tool for ...

via YouTube https://www.youtube.com/watch?v=p4M-ZdBsA7o

Tutorial: Indentifying and mitigating vulnerabilities in your application stack

This video is about showcasing how any developer can use security scanners effectively to improve the security posture of their ...

via YouTube https://www.youtube.com/watch?v=B0unHu1C1uU

Week Ending February 04, 2024

http://lwkd.info/2024/20240206

Developer News

Just thought of a topic for the Contributor Summit but missed the CfP for planned sessions? Add your idea to the Unconference voting issue. Planned session confirmations will be sent out later this month.

Prow is moving out of it’s parents basement (i.e. k/test-infra) into its own repo.

Reminder: inactive org member cleanup

Release Schedule

Next Deadline: Enhancements Freeze, February 8th

Kubernetes v1.30.0-alpha.1 is live!

Enhancements freeze is now just a few days away. This is a final reminder is out! Prepare your KEPs for the Production Readiness Review. If you plan to implement any features, deprecations, or removals during the 1.30 release cycle, make sure to opt-in your KEP(s) before the Enhancements Freeze on February 8th.

Patch release cherry-pick deadline is February 9.

KEP of the Week

KEP-4192: Move Storage Version Migrator in-tree

Kubernetes heavily relies on consistently updating stored resource data for various maintenance tasks related to storage. This includes scenarios like transitioning from one storage schema version to another (for instance, moving from v1beta1 to v1) and updating encryption methods for data at rest. Currently, the common method for rewriting data involves issuing no-op update requests via kubectl get <resource> | kubectl replace -. However, this approach poses challenges, especially for resource-heavy entities like Kubernetes secrets, and requires automation due to the constantly growing number of resources needing migration.

During storage migration processes, conflicts during update requests can be safely ignored, and inconsistent continue tokens during paginated list operations are also deemed safe since the primary concern is rewriting data rather than how it’s rewritten. This proposal seeks to simplify storage migrations for users by abstracting away these complexities.

This KEP was first released in v1.29 and is currently tracked for beta in the upcoming v1.30 release.

Other Merges

--node-labels has been around for 28 releases, maybe it’s not alpha anymore

Code can traverse all waiting Pods in the scheduler, regardless of which profile they’re waiting in

Prevent race condition between kubelet and CSI external resizer

No more pods that can’t terminate because their volumes won’t unmap

Only try to reschedule failed storage pods if new PVs are available.

Clean up orphan subpaths, even if they’re not directories

nominalConcurrencyShares can be zero

Kubeadm: add more key encryption options, apply patches correctly to ConfigMap, check if node is control plane during upgrade

Relocated the ServiceAccount token audit annotation

Better CPU usage calculation on Windows

APIserver audit log records decode time

Make sure that ConfigMap and Secrets files get created despite a kubelet restart

Testing: NodeLogQuery for Windows

Promotions

CloudDualStackNodeIP is GA

LegacyServiceAccountTokenCleanUp is GA

Version Updates

Kernel Module Management to v2.0.1

Subprojects and Dependency Updates

containerd to v1.7.13 update runc to v1.1.12 addressing CVE-2024-21626

nerdctl to v1.7.3 update runc to v1.1.12 addressing CVE-2024-21626

etcd to v3.5.12 Add livez/readyz HTTP endpoints and v3.4.30

gRPC to v1.61.0fix aggregate cluster design and Add set min/max TLS version APIs to TLS credentials APIs for v1.59.4, v1.56.4, v1.49.4

kops to v1.28.4 update containerd to v1.7.13 & runc to v1.1.12 addressing CVE-2024-21626 and v1.27.3

kind to v0.21.0 patch CVE-2024-21626 and fix an issue with kind build node-image and docker 25.0.0+

kubebuilder to v3.14.0 Support k8s 1.29

via Last Week in Kubernetes Development http://lwkd.info/

February 06, 2024 at 05:00PM