The monthly Community Meeting is back! Every 3rd Thursday of the month we’ll be meeting; subscribers to firstname.lastname@example.org should have the calendar item. Contact Laura Santamaria if you’re available to help run it. Last week’s Community Meeting covered the Dockershim removal planning, the Reliability Bar proposal, and the last follow up on the move to email@example.com. Video will be up soon, and next meeting is March 17th.
SIG-CLI is discussing whether we should implement robust file locking for kubeconfig, or phase out file locking entirely. Please reach out and add your use cases.
The job queueing API design has advanced over the last month.
Next Deadline: Exceptions due, March 21st
We are currently in the feature development phase, where the listed enhancements are trying to finish all of their requirements. If your feature did not get listed, you have exactly four weeks to ask for an exception.
CI Signal is looking OK with four failing jobs and two flaky ones, which (considering dockershim) isn’t that bad. Still, if any of the failing/flaking tests are something you can help, with, please pitch in.
Patch updates were released last week after a short delay. This includes 1.23.4, 1.22.7, and 1.21.10. Version 1.20 is no longer being patched, please upgrade.
Release engineering is experimenting with automated fast-forward in Prow, which you can see mocked here. The idea is to eliminate a lot of the manual cherry-picking work. If it looks good, we’ll use it for 1.25.
Bound service account tokens have been around for a while, used in features like the serviceAccountToken volume type, but it will now be directly accessible to users more easily via a
kubectl create token command. This command can create a normal (unbound) token and display it, but it can also take an audience, expiration time, or object binding (object bound tokens are valid only while that object exists). If you are currently using
kubectl get secret to retrieve the current automatic tokens, look into switching to the new command once it is available.
Some examples from the documentation:
# Create a token only valid for 10 minutes. $ kubectl create token myapp --expiration-seconds 600 eyJ... # Create a token only valid while a certain deployment exists. $ kubectl create token myapp --bound-object-kind Deployment --bound-object-name myapp-deployment eyJ...
This PR also includes a number of changes to the TokenRequest API to make it more error resistent as well as granting the default
edit roles access to create tokens.
The cluster addons system was the original “app store for Kubernetes”. In the years since, many others have come (and some have gone), but throughout the addons have remained. The Kubernetes dashboard project has reached a point where maintaining the addon is no longer worthwhile given the relative stability and uptake of other options. They continue to maintain and support their own install manifests and if you are migrating off the old addon, these are likely the easiest option.
More generally, if you are still making heavy use of the addons system, consider if any could be moved to more modern tools as this will not be the last addon to turned down.
kubectl describe ingressincludes Class name
kubectl config delete-userhas command completions
--pod-infra-container-imagekubelet flag is deprecated since it’s only used for dockershim
SetHostnameAsFQDNis removed due to being GA
tolerate-unready-endpointsannotation is removed, use