We are now skipping some failing Windows unit tests because nobody has stepped forward to fix them. Windows remains poorly tested as a platform. If you’re interested in helping out, please contact SIG-Windows.
Next Deadline: PRR Freeze, February 2nd
It’s almost production readiness review (PRR) time! The PRR team has recruited some shadows in order to spread the load of review. They’ll hold office hours on Tuesday at 11:30am PST. Enhancements Freeze comes a week after, on February 10th.
NodePort services use high ports on every node to allow out-of-cluster clients to talk to in-cluster services without the complexity of external load balancers. These are often invaluable when building infrastructure with existing stuff that will remain outside of Kubernetes but needs to interact with newer code. NodePorts have always supported a static allocation mode to allow pre-defining which port to use on each node; however, this has been somewhat complicated by the parallel use of a dynamic allocator. This left a race condition where a manually specified port might already be in use by the time that Service object is applied. While rare, this could throw a big wrench in the works when bringing up a new cluster or service. KEP 3682 fixes this by prioritizing dynamic allocation from the top of the port range, allowing the bottom of the range to be safely used for static things. Other than the feature gate, this is fully automatic and requires no configuration; just update your future static NodePorts to increment from the start of your port range and you’ll have one less weird random failure every now and then.
One of the underlying libraries used in kube-apiserver, go-restful, had a CVE disclosed last June in its CORS security. While go-restful fixed the issue by removing support for (most) regular expressions in their CORS filter, our compatibility requirements led to us introducing a parallel implementation of the same functionality. Unfortunately our implementation also fell victim to the same bug as upstream and this has now been corrected. If you use the --cors-allowed-origins configuration option, you will be forced to use a safe regexp, one with a leading ^ and trailing $. This does mean a minor speedbump while upgrading so check your configs and add the anchors now to save yourself some trouble.
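To show why the anchors matter, here is a small Go origin matcher added as an illustration; it is not code from kube-apiserver or go-restful, and the origins and patterns it uses are constructed examples. In strict mode it refuses unanchored patterns, mirroring the behaviour the text describes; in lenient mode it shows how an unanchored pattern matches any origin that merely contains it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// isAnchored reports whether a CORS allowed-origin pattern starts with '^'
// and ends with '$'. Without both anchors, regexp matching is a substring
// search, so "https://example.com" also matches "https://example.com.attacker.test".
func isAnchored(pattern string) bool {
	return strings.HasPrefix(pattern, "^") && strings.HasSuffix(pattern, "$")
}

// originAllowed reports whether origin matches any of the allowed-origin
// patterns. With strict=true, an unanchored pattern is rejected with an error
// instead of being used (hypothetical helper, modelled on the fix described above).
func originAllowed(origin string, patterns []string, strict bool) (bool, error) {
	for _, p := range patterns {
		if strict && !isAnchored(p) {
			return false, fmt.Errorf("allowed origin %q must start with ^ and end with $", p)
		}
		re, err := regexp.Compile(p)
		if err != nil {
			return false, fmt.Errorf("allowed origin %q: %w", p, err)
		}
		if re.MatchString(origin) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed origins: one legitimate, one that merely contains it.
	origins := []string{"https://example.com", "https://example.com.attacker.test"}
	unanchored := []string{"https://example.com"}
	anchored := []string{`^https://example\.com$`}

	for _, o := range origins {
		lenient, _ := originAllowed(o, unanchored, false)
		safe, _ := originAllowed(o, anchored, true)
		fmt.Printf("%-36s unanchored=%v anchored=%v\n", o, lenient, safe)
	}
	if _, err := originAllowed(origins[0], unanchored, true); err != nil {
		fmt.Println("strict mode rejects config:", err)
	}
}
```

Run it and the second origin is accepted only by the unanchored pattern, which is exactly the mismatch the anchors prevent.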
update-codegen can be run on machines with no docker.