“K8S Ecology Weekly” mainly collects the K8S ecosystem news from each week that I have come across and recommend. You are welcome to subscribe to the Zhihu column “K8S Ecology”.
CoreDNS v1.7.0 release
CoreDNS released version 1.7.0 this week, and it is a backward-incompatible release. The main changes are:
- #3776 Better metrics names. A lot of metric names have changed, so dashboards and similar tooling need to be updated. For example: coredns_request_block_count_total -> coredns_dns_blocked_requests_total;
- #3794 The federation plugin has been removed (v1 Kubernetes Federation);
- Some code has been removed from the kubernetes plugin, so it won’t be built as an external plugin;
- #3534 The new dns64 plugin, moved from an external plugin to a built-in one, provides the DNS64 IPv6 address translation mechanism;
- #3737 plugin/kubernetes: removes the deprecated resyncperiod and upstream options;
These are the notable changes in this release; see the ReleaseNote for more details.
Helm v3.2.4 release
This is a security update, mainly to fix a bug that affected all Helm V3 versions prior to V3.2.4. The vulnerability number is CVE-2020-4053.
Specifically, when a plugin is installed remotely over HTTP, a directory traversal attack is possible: an attacker can include relative paths in a malicious plugin so that files are copied outside the intended directory.
This is a very common attack, and I described a similar vulnerability that exploits this type of directory traversal in a previous K8S Ecology Weekly article.
The fix is also very simple: when unpacking the archive, check whether an entry contains a relative path, and if it does, raise an error (mainly to warn users that the content being installed may be malicious).
If you are interested in this version, you can download and use it directly.
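The check described above can be sketched in Go as follows. This is an added example, not Helm's own code: the names safeTarget, checkArchive and buildTar, the sample entry names and the destination path are all assumptions made for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

var ErrTraversal = fmt.Errorf("archive entry escapes destination directory") // sentinel error

// safeTarget (hypothetical helper) rejects absolute names and ".." components instead of cleaning them.
func safeTarget(destDir, name string) (string, error) {
	p := "/" + strings.ReplaceAll(name, `\`, "/") + "/" // pad so each component sits between slashes
	if strings.HasPrefix(p, "//") || strings.Contains(p, "/../") || filepath.VolumeName(name) != "" {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return filepath.Join(destDir, filepath.FromSlash(p)), nil
}

// checkArchive validates every entry name of a tar stream before anything is extracted.
func checkArchive(r io.Reader, destDir string) error {
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err == nil {
			_, err = safeTarget(destDir, hdr.Name)
		}
		if err != nil {
			return err
		}
	}
	return nil
}

// buildTar returns a constructed in-memory archive with the given entry names.
func buildTar(names ...string) io.Reader {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644})
	}
	tw.Close()
	return buf
}

func main() { // constructed entry names and destination path
	fmt.Println(checkArchive(buildTar("plugin.yaml", "../../.bashrc"), "/tmp/plugins/demo"))
}
```

Validating the whole archive before writing the first file means a rejected plugin leaves nothing behind on disk.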
Istio v1.6.3 release
This week Istio released V1.6.3, with the following major changes:
- #24264 Fixed an Istio crash with the message “proto.Message is *client.QuotaSpecBinding, not *client.QuotaSpecBinding”;
- #24365 Fixed the SidecarInjectionSpec CRD reading imagePullSecret from .Values.global;
- #24469 When gateway.runAsRoot is enabled, invalid configurations are removed from PodSecurityContext;
For more information about this release, refer to its ReleaseNote.
Rook v1.3.6 release
Rook has submitted an application to graduate from the CNCF hosting program, and it may take some time to graduate.
Let’s take a look at this update to Rook V1.3.6:
- #5603 Upgraded the CSI driver to V2.1.2;
- #5309 Fixed an issue where the OSD PVC size does not increase when the template size increases;
- #5595 Changed the name of the SVC port. The main requirement was to integrate Rook with Istio: Kiali requires that port names have a protocol prefix;
- #5606 Fixed an issue where the number of OSD nodes in a small cluster (e.g., 3 OSD nodes) was not accurate when OSD nodes were updated.
For more details on this release, refer to its ReleaseNote.
Upstream progress
- #90569 kubectl run adds a --privileged parameter;
- #91952 Added a retry loop to kubeadm join; the default write timeout is 40s and the read timeout is 15s;
Please feel free to subscribe to my official account [MoeLove]