Two security reports this week: CVE-2022-3172, which allows aggregated API servers to misdirect traffic and steal credentials, and CVE-2021-25749, which can let users deploy Windows container workloads as Administrator. Both issues are fixed in the latest patch releases. Note that the patch for CVE-2022-3172 blocks all 3xx (redirect) responses, so test after upgrading and be prepared to set --aggregator-reject-forwarding-redirect if your API server uses redirects.
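When testing after the upgrade it helps to know which way the new flag is set on each control plane node. The following script is an added example, not code from the Kubernetes project: it reads the kube-apiserver container's command line out of a static pod manifest (a constructed sample is embedded inline) and reports whether redirects from aggregated API servers are rejected. It assumes that --aggregator-reject-forwarding-redirect defaults to true in the patched releases, so an absent flag means redirects are blocked, and that an explicit false restores the pre-patch forwarding behaviour.

```python
"""Added example: read the kube-apiserver flags out of a static pod manifest
and report whether redirects from aggregated API servers are rejected.

Assumption (not stated in the newsletter): in the patched releases the flag
--aggregator-reject-forwarding-redirect defaults to true, so an absent flag
means redirects are rejected.
"""
from typing import Dict, List

FLAG = "aggregator-reject-forwarding-redirect"


def parse_flags(args: List[str]) -> Dict[str, str]:
    """Turn kube-apiserver command-line arguments into a flag -> value map.
    Handles --k=v, --k v, and a bare boolean --k (taken as "true")."""
    flags: Dict[str, str] = {}
    i = 0
    while i < len(args):
        a = args[i]
        if not a.startswith("--"):
            i += 1
            continue
        if "=" in a:
            k, v = a[2:].split("=", 1)
            flags[k] = v
        elif i + 1 < len(args) and not args[i + 1].startswith("--"):
            flags[a[2:]] = args[i + 1]
            i += 1
        else:
            flags[a[2:]] = "true"
        i += 1
    return flags


def apiserver_args(manifest: dict) -> List[str]:
    """Collect command + args of the kube-apiserver container in a static pod manifest."""
    for c in manifest.get("spec", {}).get("containers", []):
        if c.get("name") == "kube-apiserver":
            return list(c.get("command", [])) + list(c.get("args", []))
    raise ValueError("no kube-apiserver container in manifest")


def redirect_policy(args: List[str]) -> str:
    """'reject': 3xx responses from aggregated API servers are blocked (assumed patched default).
    'forward': the flag was explicitly set to false, restoring the pre-patch behaviour."""
    value = parse_flags(args).get(FLAG, "true")
    return "forward" if value.strip().lower() == "false" else "reject"


# Constructed manifest fragment in the shape kubeadm writes to
# /etc/kubernetes/manifests/kube-apiserver.yaml; values are samples only.
SAMPLE_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {
        "containers": [
            {
                "name": "kube-apiserver",
                "image": "registry.k8s.io/kube-apiserver:v1.25.1",
                "command": [
                    "kube-apiserver",
                    "--secure-port=6443",
                    "--aggregator-reject-forwarding-redirect=false",
                ],
            }
        ]
    },
}

if __name__ == "__main__":
    policy = redirect_policy(apiserver_args(SAMPLE_MANIFEST))
    print(f"aggregated API server redirects: {policy}")
```

For a real node, load the manifest with PyYAML's yaml.safe_load and pass the resulting dict to apiserver_args; a result of "forward" on a patched cluster means someone has deliberately opted back into redirect forwarding and should be able to name the aggregated API server that needs it.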
Votes for the 2022 Steering Election are due September 29th. Please vote now!
The Contributor Summit CfP is still open.
Next Deadline: Production Readiness Review, September 29th
Have your draft KEPs ready for the PRR team by next Thursday, and final versions opted-in by October 6th. Current CI signal is green.
Patch releases for 1.25.1, 1.24.5, 1.23.11, and 1.22.14 came out last week. In addition to the above security issues, these patches fix a large number of bugs discovered during 1.25 Code Freeze and backported, as well as updating Go for all versions.
For a long time, the TokenReview API under authentication/v1 has allowed getting the user details from a cluster JWT, such as a ServiceAccount token. That lets you check the identity behind credentials presented by another party, but not the identity behind your own. The newly added SelfSubjectReview provides this capability: any user can confirm what user information kube-apiserver sees for them, which is useful both for debugging user configurations with the new kubectl auth whoami and for diagnosing server-side authentication plugin configuration issues. Check it out if you have any automated troubleshooting tools or self-diagnostic systems.
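The request and response involved are small, so here is an added example (not code from the Kubernetes project) of how a self-diagnostic tool would use SelfSubjectReview: build the request body, parse the status.userInfo the server returns, and compare it against the identity the tool believes its kubeconfig provides. It assumes the alpha API is served at authentication.k8s.io/v1alpha1 behind the APISelfSubjectReview feature gate and that the returned userInfo has the same username/uid/groups/extra shape as TokenReview; the sample response is constructed inline.

```python
"""Added example: query the SelfSubjectReview API and sanity-check the identity
kube-apiserver reports for the caller.

Assumptions (not from the newsletter): the alpha API lives at
authentication.k8s.io/v1alpha1 behind the APISelfSubjectReview feature gate,
and the response mirrors TokenReview's status.userInfo (username, uid, groups, extra).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

API_PATH = "/apis/authentication.k8s.io/v1alpha1/selfsubjectreviews"


def build_self_subject_review_request() -> dict:
    """Request body to POST to API_PATH. No spec is needed: the server fills
    status.userInfo from whatever credentials authenticate the request."""
    return {"apiVersion": "authentication.k8s.io/v1alpha1", "kind": "SelfSubjectReview"}


@dataclass
class UserInfo:
    username: str
    uid: str = ""
    groups: List[str] = field(default_factory=list)
    extra: Dict[str, List[str]] = field(default_factory=dict)


def parse_self_subject_review(response: dict) -> UserInfo:
    """Pull status.userInfo out of a SelfSubjectReview response object."""
    if response.get("kind") != "SelfSubjectReview":
        raise ValueError(f"unexpected kind {response.get('kind')!r}")
    info = response.get("status", {}).get("userInfo") or {}
    if "username" not in info:
        # An empty status usually means the feature gate is off or the request was anonymous.
        raise ValueError("response carries no userInfo")
    return UserInfo(
        username=info["username"],
        uid=info.get("uid", ""),
        groups=list(info.get("groups", [])),
        extra={k: list(v) for k, v in info.get("extra", {}).items()},
    )


def check_identity(seen: UserInfo, expected_username: str,
                   required_groups: Iterable[str] = (),
                   forbidden_groups: Iterable[str] = ("system:masters",)) -> List[str]:
    """Self-diagnostic for automated tooling: return every way the identity the
    server sees differs from what this client believes it is running as.
    An empty list means the credentials behave as expected."""
    problems: List[str] = []
    if seen.username != expected_username:
        problems.append(f"username mismatch: expected {expected_username!r}, server sees {seen.username!r}")
    for g in required_groups:
        if g not in seen.groups:
            problems.append(f"missing expected group {g!r}")
    for g in forbidden_groups:
        if g in seen.groups:
            problems.append(f"credential carries over-privileged group {g!r}")
    return problems


# Constructed sample response, shaped like what the API returns for a
# ServiceAccount token (the uid is a placeholder, not a real value).
SAMPLE_RESPONSE = {
    "apiVersion": "authentication.k8s.io/v1alpha1",
    "kind": "SelfSubjectReview",
    "metadata": {"creationTimestamp": None},
    "status": {
        "userInfo": {
            "username": "system:serviceaccount:monitoring:prometheus",
            "uid": "00000000-0000-0000-0000-000000000000",
            "groups": ["system:serviceaccounts", "system:serviceaccounts:monitoring", "system:authenticated"],
            "extra": {"authentication.kubernetes.io/pod-name": ["prometheus-0"]},
        }
    },
}

if __name__ == "__main__":
    me = parse_self_subject_review(SAMPLE_RESPONSE)
    print(f"kube-apiserver sees {me.username} in groups {me.groups}")
    for p in check_identity(me, "system:serviceaccount:monitoring:prometheus",
                            required_groups=["system:serviceaccounts:monitoring"]):
        print("PROBLEM:", p)
```

To get a real response, POST the body from build_self_subject_review_request to API_PATH with the client's own credentials, or run the new kubectl auth whoami with JSON output, and hand the resulting object to parse_self_subject_review. check_identity is the hook for an automated troubleshooting tool: a username mismatch points at the wrong kubeconfig context or an unexpected impersonation header, a missing group at an authentication plugin that is not mapping claims the way you think it is, and an unexpected system:masters at a credential that should never have been handed to that tool.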
Testing cleanup: P&F concurrency test, add more HPA tests, node lifecycle manager integration, client-go transport generation, skip etcd test cleanup on Windows/ARM