RSS NOC Intelligence

<p>The Kubernetes project relies on transparency to empower cluster administrators and security researchers. One important way we do that is by publishing CVE records into the Common Vulnerabilities and Exposures database. As part of our ongoing effort to mature the official <a href="https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json">Kubernetes CVE Feed</a>, we have identified some dis

<p>Kubernetes v1.36 introduces <a href="https://kubernetes.io/docs/concepts/workloads/resource-managers/#pod-level-resource-managers">Pod-Level Resource Managers</a> as an alpha feature, bringing a more flexible and powerful resource management model to performance-sensitive workloads. This enhancement extends the kubelet's Topology, CPU, and Memory Managers to support pod-level resource specifications (<code>.spec.r

<p>If you've ever tried to enforce a security policy across a fleet of Kubernetes clusters, you've probably run into a frustrating chicken-and-egg problem. Your admission policies are API objects, which means they don't exist until someone creates them, and they can be deleted by anyone with the right permissions. There's always a window during cluster bootstrap where your policies aren't active yet, and there's no w

<p>Dynamic Resource Allocation (DRA) has fundamentally changed how platform administrators handle hardware accelerators and specialized resources in Kubernetes. In the v1.36 release, DRA continues to mature, bringing a wave of feature graduations, critical usability improvements, and new capabilities that extend the flexibility of DRA to native resources like memory and CPU, and support for ResourceClaims in PodGroup

<p>The <code>.spec.externalIPs</code> field for <a href="https://kubernetes.io/docs/concepts/services-networking/service/">Service</a> was an early attempt to provide cloud-load-balancer-like functionality for non-cloud clusters. Unfortunately, the API assumes that every user in the cluster is fully trusted, and in any situation where that is not the case, it enables various security exploits, as described in <a href

<p>Back in Kubernetes 1.28, we introduced the <code>Mixed Version Proxy (MVP)</code> as an Alpha feature (under the feature gate <code>UnknownVersionInteroperabilityProxy</code>) in a <a href="https://kubernetes.io/blog/2023/08/28/kubernetes-1-28-feature-mixed-version-proxy-alpha/">previous blog post</a>. The goal was simple but critical: make cluster upgrades safer by ensuring that requests for resources not yet kno

<p>Since its original implementation in the Linux kernel in 2018, <em>Pressure Stall Information</em> (PSI) has provided users with the high-fidelity signals needed to identify resource saturation before it becomes an outage. Unlike traditional utilization metrics, PSI tells the story of tasks stalled and time lost, all in nicely-packaged percentages of time across the CPU, memory, and I/O.</p> <p>With the recent rel

<p>Following the graduation of Pod-Level Resources to Beta in v1.34 and the General Availability (GA) of In-Place Pod Vertical Scaling in v1.35, the Kubernetes community is thrilled to announce that <strong>In-Place Pod-Level Resources Vertical Scaling has graduated to Beta in v1.36!</strong></p> <p>This feature is now enabled by default via the <code>InPlacePodLevelResourcesVerticalScaling</code> feature gate. It al

<p>In Kubernetes v1.36, <strong>Declarative Validation</strong> for Kubernetes native types has reached General Availability (GA).</p> <p>For users, this means more reliable, predictable, and better-documented APIs. By moving to a declarative model, the project also unlocks the future ability to publish validation rules via OpenAPI and integrate with ecosystem tools like Kubebuilder. For contributors and ecosystem de

<p>As Kubernetes clusters grow to tens of thousands of nodes, controllers that watch high-cardinality resources like Pods face a scaling wall. Every replica of a horizontally scaled controller receives the full stream of events from the API server, paying the CPU, memory, and network cost to deserialize everything, only to discard the objects it is not responsible for. Scaling out the controller does not reduce per-r

<p>AI/ML and batch workloads introduce unique scheduling challenges that go beyond simple Pod-by-Pod scheduling. In Kubernetes v1.35, we introduced the first tranche of <em>workload-aware scheduling</em> improvements, featuring the foundational Workload API alongside basic <em>gang scheduling</em> support built on a Pod-based framework, and an <em>opportunistic batching</em> feature to efficiently process identical P

<p>SIG-Etcd announces the availability of the <a href="https://github.com/etcd-io/etcd/releases/tag/v3.7.0-beta.0">first beta release of etcd v3.7.0</a>. This new version of the popular distributed database and key Kubernetes component includes the long-requested RangeStream feature, as well as a refactoring and cleanup of multiple legacy components and interfaces. v3.7 will deliver improved security, better operatio

<p>For many people, Kubernetes Dashboard was their first window into Kubernetes. It offered a simple visual way to see what was running in a cluster, inspect resources, and build confidence without relying on the command line. For years, it helped developers, students, and operators make sense of Kubernetes, and it served as an important onramp into the ecosystem.</p> <p>The Kubernetes Dashboard project has now been