Reminder: k8s.gcr.io will be frozen on April 3rd. You need to update all components to target registry.k8s.io. Also, update your production clusters to pull from registry.k8s.io; this should work with both (updated) containerd and CRI-O now.
The Contributor Summit is looking for session suggestions. These can be sessions you’ll lead, or sessions you want to attend – please suggest!
Kubernetes has been invited to participate in the 2023 OpenInfra Project Team Gathering. If you’re interested – especially if you were going anyway – please tell Kendall Nelson. We particularly want folks who work on the OpenStack Cloud Provider.
Next Deadline: Feature Blog Freeze, March 8th
By the time you read this, enhancement exceptions are closed, which means it's on to deciding what we'll feature in the blog. Time to do a write-up! Code Freeze and the draft docs deadline are a week from now, March 15th. 1.27 Alpha 3 is out if you want to give it a spin.
The cherry-pick deadline for the next set of patch releases is this Friday.
CEL for admission control was added as an Alpha feature in 1.26. This allows writing complex admission control rules as CEL expressions in declarative resources rather than building and deploying webhooks. Admission webhooks have been a cornerstone of our flexibility and integration with third-party tools, however they are a lot of complexity to bite off for new users and the new CEL systems hopefully will take over for simpler, standalone cases where only small tweaks to the default rules are needed.
This PR adds some new, powerful capabilities to the system. Previously the expression context only exposed information about the current request and the target resource; now you can dip back into the authorization layer to check RBAC permissions in a dynamic way. Some places this could be useful would be using RBAC for per-field update permissions, allowing RBAC checks for specific objects without using the dreaded resourceNames system, or limiting access to procedurally sensitive fields like finalizers based on the requester identity without having to generate complex RBAC policies.
This was joined this week by #115973, which allows emitting audit log events, either as the primary action on a validation failure or, if you need more data, via one or more CEL expressions that compute detailed values to send to the audit subsystem. This gives you powerful debugging options while developing new policies as well as runtime analysis. Other CEL admission features include cost checking, so you don't accidentally denial-of-service your own kube-apiserver with all these new features, and improved type checking. Altogether there's a ton of new capabilities for CEL-based admission processing, hopefully further pushing webhooks into only the places they are needed most.
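As an added illustration of the authorizer and audit-annotation features described above (this is not code from the linked PRs): a ValidatingAdmissionPolicy that lets a pod's finalizers be changed only by requesters whom RBAC permits to `update` a hypothetical `podfinalizers.example.com` resource, and records the requester and outcome in the audit log. Field names follow the v1alpha1 API as of 1.27 as I understand it; the policy and resource names are placeholders.

```yaml
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  name: guard-pod-finalizers.example.com   # hypothetical policy name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["UPDATE"]
      resources:   ["pods"]
  validations:
  # Allow the update when finalizers are untouched, or when the requester
  # holds 'update' on the hypothetical podfinalizers.example.com resource in
  # the pod's namespace. That permission is granted with ordinary RBAC, so
  # no per-object resourceNames rules are needed.
  - expression: >-
      (has(object.metadata.finalizers) ? object.metadata.finalizers : []) ==
      (has(oldObject.metadata.finalizers) ? oldObject.metadata.finalizers : []) ||
      authorizer.group('example.com').resource('podfinalizers')
        .namespace(object.metadata.namespace).check('update').allowed()
    message: "changing pod finalizers requires update on podfinalizers.example.com"
    reason: Forbidden
  auditAnnotations:
  # Record whether finalizers changed and who sent the request; evaluated on
  # every matching update, which is useful while developing the policy.
  - key: finalizer-change
    valueExpression: >-
      'finalizers changed: ' +
      string((has(object.metadata.finalizers) ? object.metadata.finalizers : []) !=
             (has(oldObject.metadata.finalizers) ? oldObject.metadata.finalizers : [])) +
      ' by ' + request.userInfo.username
---
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: guard-pod-finalizers-binding       # hypothetical binding name
spec:
  policyName: guard-pod-finalizers.example.com
  # Deny the request on failure and also emit the audit annotations.
  validationActions: ["Deny", "Audit"]
```

The binding carries no paramRef or matchResources, so the policy applies cluster-wide; scope it with matchResources before using it outside a test cluster.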
Testing Improvements: kms2 tests, more kms2 tests, kms2 test setup, check if in Windows VM, run go-vet in go linting, batch validation, aggregator tests, check for unknown pods, device manager revo