From YouTube: Kubernetes v1.25 Release
A
All right, welcome everyone to a special edition of CNCF live webinar, Kubernetes 1.25 Release. I'm Libby Schultz and I'm excited to be moderating today's webinar. I'm going to read our code of conduct and then I'll hand over to Kat Cosgrove, Kubernetes 1.25 release team, also communications lead, at Pulumi Corporation; Cici Huang, Kubernetes 1.25 release team lead, with Google; and Priyanka Saggu, Kubernetes 1.25 release team enhancements lead, with VMware. A few housekeeping items before we get started. During the webinar, you are not able to speak as an attendee, but there is a Q&A. Please excuse the dog. Feel free to drop your questions there and we'll get to as many as we can at the end. This is an official webinar of the CNCF and, as such, is subject to the CNCF Code of Conduct. Please do not add anything to the chat or questions that would be in violation of that code of conduct, and please be respectful of all of your fellow participants and presenters. Please also note that the recording and slides will be posted later today to the CNCF online programs page at community.cncf.io under Online Programs.
A
C
You, Libby. Let me get these slides going. Okay. Today, we are going to talk about what's new in Kubernetes. 1.25 came out just a little bit ago. As already introduced, we are me, Kat Cosgrove, Cici and Priyanka from the release team. I was the communications lead, Cici was our fearless release lead and Priyanka was our equally fearless enhancements lead, because the enhancements team sounds very dramatic.
C
It's a, it's a ton of, it's a ton of work. So much work goes into getting a Kubernetes release out and we're always very proud to execute it well, and this one went flawlessly. So, our agenda for the day: we're going to talk about a little bit of a sneak peek on release 1.26 first, then go into the highlights from 1.25 and the specific updates from each SIG, followed by a Q&A. If you have questions while we're going through this, feel free to drop them in the chat. If I can make it work within the flow of the talk, I will ask it of the presenters while we're doing this, but otherwise we will get to it in the end, as time allows. So, starting with the 1.26 release sneak peek: the 1.26 release has started. The start date was Monday, September 5th. Enhancements freeze is coming up soon-ish, Friday the 7th of October.
C
So if you, our NSA working on one of these enhancements, just know that it is coming up. Code freeze will be the 9th of November and our target release date is the 6th of December. Always worth highlighting that release dates are kind of a moving target. A lot of things go into getting a Kubernetes release out. So we do, we aim for that. But, you know, things can happen, but we are doing our absolute best and the Kubernetes release.
C
D
Hi everyone. So, as a release lead I got this special benefit of picking up the theme for the current release. So Combiner is here, we go for Kubernetes 1.25, and this comes from Transformers, obviously, and my son was really, like, generous to share his favorite toys with me, so that I could borrow it as the theme. And when I think about Combiners, it can represent that the Kubernetes project itself is made up of many individual components, and also the community is built and maintained by many individuals as well, which join forces.
D
C
B
Hey, hello everyone. So this release, we had a total of 40 enhancements tracked during the cycle. Out of them, 13 were graduated to GA or went stable, 10 graduated to beta and we had 15 new introduced, newly introduced alpha features, and we also had two deprecations this cycle. Just for a note, alpha features are the new features and, if you want to try them out, you would need to enable the feature flag.
B
C
C
And we've got some major themes to talk about, quite a lot of them this release. We have three slides of, of major themes, but there were a lot of big, important, impactful and very cool changes here. So Cici, did you want to take these?
D
Oh sure, let's start with the major themes. I know this release we have like so many major themes. So that's because we have so many amazing features we launched, delivered to the users.
D
Let's begin with the first one: the PodSecurityPolicy is removed. So I'll give the brief introduction on each of the major themes, and we will definitely talk about the details later. So please be patient. And the first one is the PodSecurityPolicy. PodSecurityPolicy was initially deprecated in v1.21 and with this release is being removed and, together with the replacement, Pod Security Admission graduates to stable in this release as well.
D
The Pod Security Admission, which is also a built-in admission controller that evaluates Pod specifications against the predefined Pod Security Standards by simply just adding a label to the namespace. And the next one, excuse me, the next one would be the ephemeral containers, which also graduates to stable in this release.
D
As everyone knows, ephemeral containers is a special type of container that runs temporarily in an existing Pod. This is particularly useful for troubleshooting when you need to examine another container but cannot use kubectl exec because that container has crashed or its image lacks debugging utilities, especially useful for distroless images, obviously. And this feature graduated to beta in 1.23, I believe, so now it's being stable. And the next one I'm going to talk about is the support for cgroups
D
v2, which also graduates to stable in 1.25. And it is actually, as everyone knows, a Linux kernel feature and has been announced stable for a couple of years by Linux, I think, and there are some distributions now defaulting to this API. Kubernetes must support it to continue operating on those distributions. So no worry, cgroups v1 will still continue to be supported, and this enhancement puts us in a position to be ready for its eventual deprecation or replacement. And the next one I'm going to talk about is the Windows support.
D
As everyone knows, Kubernetes keeps supporting continuous effort on the Windows support, and in this release we added support for the performance dashboards for Windows, we added the unit test support for Windows, we added the conformance test support for Windows, and also they have a new GitHub repo for Windows operational readiness, which we will introduce later, maybe. And the next one is the container registry movement.
D
In this release, they formally moved our container registry service from kubernetes.gcr.io to registry.kubernetes.io. This is an effort of spreading the load and cost across cloud providers, and users who have the older registry in their configurations need to make the necessary switch. But no worry, we will continue to support the old registry for quite some time, but you should think about migration
D
if you need it. And we have more to come. The next slides: we have the promote seccomp default to beta in this release, and this one is just providing a native way to specify seccomp profiles for workloads, which is enabled by default now. And seccomp is a layer of security that could help restrict the allowed set of syscalls to a smaller set, which can help to make Kubernetes more secure. And the next one is the endPort in NetworkPolicy, which is also graduating to stable in this release, and this one provides the support of the endPort field, which could be specified a range of ports to apply a network policy instead of targeting a single port previously. And the coming one would be the local ephemeral storage capacity isolation.
D
It also moved to GA in 1.25, and this was introduced as alpha in 1.8 and beta in 1.10. It's now a stable feature. It provides support for capacity isolation for local ephemeral storage between Pods, so that a Pod can be hard limited in its consumption of shared resources. And the next one is the CSI migration. CSI migration is an ongoing effort.
D
We've been talking about it for a couple of releases now, which is led by SIG Storage, and the goal is just to move the in-tree volume plugins to out-of-tree CSI drivers and eventually remove the in-tree volume plugins. So the core CSI migration feature moved to GA in this release, the CSI migration for GCE PD and AWS EBS also moved to GA in this release, the CSI migration for vSphere remains in beta, but it's on by default, and the CSI migration for Portworx moved to beta, but is off by default now.
D
So the next one would be the CSI ephemeral volume, which allows the CSI volume to be specified directly in the Pod specification for ephemeral use cases, and this feature was initially introduced in 1.15 as an alpha feature, and now it's moved to stable.
D
So thanks for moving. We have the final slides for the major themes, which is exciting. For the CRD validation expression language, also promoted to beta: this one introduced the expression language, the Common Expression Language called CEL, which makes it possible to declare how custom resources are validated using CEL, and validate the custom resource based on the validation rules you specified. And the next one is the server-side unknown field validation to beta.
D
This feature is now turned on by default, which allows optionally triggering schema validation on the API server that errors when unknown fields are detected, and this is the last puzzle of removal of the kubectl client-side validation. So hopefully, after this feature, we could safely remove the client-side implementation. And the next one is the KMS v2 API.
D
So in the 1.25 release, they introduced the KMS v2alpha1 API, which is targeted to address all the shortcomings from the v1 API. They are trying to add performance, rotation and observability improvements, so no user action is required now, and the previous encryption v1 continues to be supported and allowed. And the last one is that the kube-proxy images are now based on distroless images. So in previous releases, as we all know, kube-proxy container images were built using Debian as a base image.
D
Now, starting with this release, it switched to use distroless, and this change reduced the image size by almost 15 and decreased the number of installed packages and files to only those strictly required for kube-proxy to do its job. Yeah, that's it. Hope you enjoy all the features.
C
It's a lot of, a lot of major themes. That is, that is the end of the major themes. But now we are diving into these SIG updates, of which there are also many, because this is all of the actual enhancements. We are going to take these in chunks because there are quite a lot of them and we don't want anybody to get too tired. I will introduce each SIG as we go, though.
C
First up, we are going to be talking about the enhancements from SIG API Machinery. API Machinery covers all aspects of the API server: API registration, discovery, generic API CRUD semantics, admission control, encoding, decoding, on and on and on. It's a, a fairly, a fairly large SIG. So we're gonna try to go through these pretty quickly, by the way, because we only have another like 43 minutes and there's like 40 enhancements. So here we go, API Machinery. Priyanka, were you doing these, or Cici?
D
I can take this one. This is my own SIG. Okay, so thank you for your patience. I'll make sure I quickly go through this. And the first one I mentioned in the major themes as well, which is the CRD validation expression language, in which we are using the Common Expression Language called CEL for the CRD validation, and by introducing a new field called x-kubernetes-validations, you can specify the validation rules and it works out, the custom resources will all get validated, which is simple and easy.
D
D
So now, like, it allows the removal of the client-side validation from kubectl, and it triggers the schema validation on the API server that errors when unknown fields are detected. So now, whenever a client sends a Kubernetes object create, update or patch request to the server, the server will validate that no extra fields are present or invalid.
C
D
We can go through the details. The first feature brought up by SIG Apps will be the DaemonSets support for maxSurge. As we all know, DaemonSets allow two update strategies, OnDelete and RollingUpdate.
D
So this feature is now, DaemonSets now supports surge during a rolling update, which is part of the effort to minimize the downtime on those, and this maxSurge field allows a DaemonSet workload to run more than one Pod on a node during a rolling update, which hopefully will minimize the downtime as it is supposed to. Thank you.
D
The next one would be the minReadySeconds for StatefulSets, sorry, for the StatefulSets. So the minReadySeconds field now ensures that the StatefulSet workload is ready for a given number of seconds before calling the Pod available.
D
So the goal is to add this optional field to StatefulSets, which hopefully would, which hopefully will provide the buffer time to prevent killing Pods in rotation before new Pods show up. And the next one, thank you so much, is the time zone support in CronJob.
D
As we all know, the CronJob creates Jobs based on the schedule specified by the authors, but the time zone used during the creation depends on where kube-controller-manager is running, and this feature aims to extend the CronJob resource with the ability for the user to define the time zone when a Job should be created.
D
D
So this feature extends Kubernetes to configure a Job policy for handling Pod failures, and in particular the extension allows determining some of the Pod failures as caused by infrastructure errors or the software bugs, and so on, so forth.
C
Next up, we have SIG Auth. It just covers improvements to Kubernetes authorization, authentication and cluster security policy.
D
Yeah, I can go through it, since I already mentioned it in the major.
C
D
It's the first thing we mentioned in the major themes, which is the PodSecurityPolicy removal, and the replacement, the Pod Security Admission, got graduated to stable as well, and the new Pod Security Admission is also a built-in admission controller which, like, helps you to evaluate the Pod specification against the predefined Pod Security Standards, and you could do so by simply just adding labels to the namespace.
D
That's it. And the next one would be the Key Management Service v2 API, which was also mentioned in the major themes. So.
D
C
Lot of them, so hopefully we'll still have one of your questions. I think we will, sure. So anyway, next API.
B
C
Yeah, yeah. SIG Network is up. SIG Network is responsible for the components, interfaces and APIs which expose networking capabilities to Kubernetes users and workloads. SIG Network also provides some of the reference implementations of these APIs, for example kube-proxy as a reference implementation of the Service API. Yeah.
D
I, I will cover this one. Okay, so, yeah, so there are like four exciting features coming from SIG Network as well. So the first one is the NetworkPolicy to support port ranges, which is graduating to stable as well, and now the NetworkPolicy provides that support, an endPort field now, which can be used to specify a range of ports instead of a single port.
D
Discontiguous cluster CIDRs, and this one is interesting because previously, when the Kubernetes node IPAM controller allocates IP ranges for Pod CIDRs for nodes, it uses a single range allocated to the cluster and each node gets a range of a fixed size from the overall cluster CIDRs. But now, with this feature, it enables users to dynamically allocate more IP ranges for Pods, which is great. And the next one is the reserve Service IP ranges for dynamic and static IP allocation, which is graduating to beta, and I
D
remember a lot of people were excited about this feature to offer in the previous release as well. So, as we all know, the Service, or Service cluster IP, can be assigned in two ways: either dynamically or statically. So this feature will allow you to use a different IP allocation strategy for Services, which hopefully will reduce the risk of collision. And the last one from the network would be cleaning up
D
iptables chain ownership, and we know that some Kubernetes components create iptables chains and the rules as part of their operations. These chains were never intended to be part of any Kubernetes API guarantees, but some external components nonetheless make use of some of them.
D
So as part of the v1.25 release, SIG Network makes this declaration explicitly: that the iptables chains that Kubernetes creates are intended only for Kubernetes' own internal use, and third-party components should not assume that Kubernetes will create any specific iptables chains, or that those chains will contain any specific rules if they do exist.
D
So, as a result, if, like, you have components which, like, do use those kind of iptables chains, please start thinking about migration.
D
I know, as a result of the cleanup, kubelet no longer unnecessarily creates iptables chains after the dockershim removal, and kube-proxy creates all of the iptables chains it needs. Yeah.
C
Next up, we have the absolute largest section of enhancements from a single SIG: Node. SIG Node is responsible for the components that support the controlled interaction between Pods and host resources. They focus on the life cycle of Pods that are scheduled to a node, enabling a broad set of workload types, including workloads with hardware-specific or performance-sensitive requirements, and they maintain isolation boundaries between Pods on a node, as well as the Pod and the host. Priyanka has the dubious honor of taking on this long list of enhancements.
B
Hey, thank you, Kat. So, let's start with ephemeral containers. This cycle, it is going to stable. So as Kubernetes gains in popularity, it's becoming the case that anybody troubleshooting an application is not necessarily the person who built it. So operational staff and support organizations do want the ability to attach an automatic debugging environment to the Pod. So this feature adds to Kubernetes a mechanism to run a container with a temporary duration that executes within namespaces of an existing Pod.
B
B
This feature adds support to use user namespaces in Pods. So the goal is to support user namespaces in Kubernetes to be able to run processes in Pods with different user and group IDs than in the host. So specifically, it would be helpful if any process, any process that is running as a privileged process in the Pod should run as an unprivileged process in the host. So this feature will allow us to do that.
B
Next, we have quotas for ephemeral storage. This one is a beta in this release. This feature applies to the use of quotas for ephemeral storage metrics gathering. The mechanism proposed as part of this feature is to utilize filesystem project quotas to provide monitoring of resource consumption and, optionally, enforcement of limits. Project quotas, initially in XFS and more recently ported to ext4fs, offer a kernel-based means of monitoring and restricting filesystem consumption, and that can be applied to one or more directories.
B
Next up we have forensic container checkpointing. This is another alpha from SIG Node. The goal of this feature is to provide an interface to trigger a container checkpoint for forensic analysis. So what is container checkpointing?
B
It's a means to provide the functionality to take a snapshot of the running container, and then we can move or transfer the checkpointed container to another node, and the original container will never know that it was checkpointed. Next up, we have liveness probe grace periods. It's a beta. Liveness probes currently use the terminationGracePeriodSeconds field on both normal shutdown and when probes fail.
B
Hence, if a long termination period is set and a liveness probe fails, a workload will never be promptly restarted, because it will wait for the full termination period. This feature proposes adding a new field to probes, that is probe.terminationGracePeriodSeconds. When this field is set, it will override the previous terminationGracePeriodSeconds for liveness or startup termination, and will be ignored for readiness probes. It also maintains the current behavior, if desired, while providing configuration to address this unintended behavior.
B
Next up, we have cgroups v2. This feature adds support for cgroups v2 to the kubelet. Finally. So the new kernel cgroups v2 API was declared stable more than two years ago, and newer features in the kernel, such as PSI, already depend on cgroups version 2. Some distros are already using cgroups version 2 by default, and that prevented Kubernetes from working on those distros, as it required to run as, Kubernetes is required to run with cgroups version
B
one. So the introduction of this feature helps us with that. Next one, we have enable seccomp by default. This is a beta feature. So Kubernetes provides a native way now to specify seccomp profiles for workloads, which is disabled by default today. Seccomp adds a layer of security that could help prevent CVEs or zero-days if enabled by default. So if you are enabling seccomp by default, we make implicitly Kubernetes more secure. Next up, we have Pod conditions for starting and completion of sandbox creation.
B
It's an alpha in this release. So conclusion of the creation of any Pod sandbox is marked by the presence of a sandbox with networking configured. This feature proposes to surface a new Pod condition called PodHasNetwork. It's introduced as a field that indicates the successful completion of Pod sandbox creation, including, concluding with configuration of networking for the Pod from kubelet. So it will benefit cluster operators, especially of multi-tenant clusters, who are responsible for configuration and operational aspects of the various components that play a role in Pod sandbox
B
creation, such as CSI plugins, CRI runtime, etc. Next up we have kubelet OpenTelemetry tracing. This is another alpha. This KEP is to enhance the kubelet to allow tracing gRPC and HTTP API requests. The kubelet is the integration point of a node's operating system and Kubernetes, and can make use of distributed tracing to improve the ease of use and enable easier analysis of trace data, which is unstructured data, providing the detail necessary to debug requests across service boundaries.
B
Next up, we have add CPU manager policy option to align CPUs by socket, another alpha from SIG Node. So, starting with Kubernetes 1.22, a new CPU manager flag has facilitated the use of CPU manager policy options. These options, these policy options, allow users to customize their behavior based on workload requirements without having to introduce an entirely new policy. With this feature, a new CPU manager policy option is introduced. So, so now you can, there is a new policy that ensures that all CPUs on a socket are considered to be aligned.
C
Going. SIG Scheduling is responsible for the components that make Pod placement decisions. Do you want me to take care through Windows for you, Priyanka?
B
So the first one in SIG Scheduling is the scheduler component config API. It's a stable one. So the kube-scheduler configuration API actually was in alpha and beta stages for several releases, and it finally graduated to GA this release cycle. So with this feature, you can customize the behavior of the kube-scheduler by writing a configuration file and passing its path as a command line argument. For example, you do something like kube-scheduler, followed by the config flag and the name of the configuration file.
B
B
Next up from SIG Scheduling, we have minDomains in Pod topology spread. It's a beta feature from SIG Scheduling. With this KEP, a new field, minDomains, is introduced to the PodSpec.TopologySpreadConstraints to limit the minimum number of topology domains. minDomains can be used only when the condition whenUnsatisfiable equals DoNotSchedule satisfies. Next up, we have take taints and tolerations into consideration when calculating Pod
B
topology spread skew. So, currently, when calculating Pod topology spread skew, tainted nodes are treated the same as any other regular nodes, which may lead to unexpected pending Pods, as the skew constraint can only be satisfied on the tainted node. So this feature introduced two new fields for us. One of them is nodeAffinityPolicy and another one is nodeTaintsPolicy, that will provide an option for us as end users to specify whether to respect taints or tolerations or not when calculating Pod topology spread skew, and this was an alpha.
B
Next up, we have respect Pod topology spread after rolling upgrades. This is another alpha. So the Pod topology spread feature allows users to define the group of Pods over which spreading is applied using a label selector field. This means users should know the exact label key and value when defining the Pod spec. With this feature, a complementary new field is attached to label selector, called matchLabelKeys, in topology spread constraint, which represents a set of label keys.
B
C
Right, next up is SIG Security. SIG Security covers horizontal security initiatives for the Kubernetes project, including regular security audits, the vulnerability management process, cross-cutting security documentation and security community management. Security has a lot on their plates, folks.
B
So we have only one enhancement, one feature coming from SIG Security this cycle, and it's a very important one: auto-refreshing official CVE feed. It's alpha this cycle. So currently it's not possible to filter for issues or PRs that are related to CVEs announced by Kubernetes. With this KEP, we are introducing this con...
B
We are addressing this concern by labeling these issues or PRs with the new label called official-cve-feed, and using the Prow automation, and what it will do is it will create a periodically auto-refreshing, machine-readable list of official Kubernetes CVEs. The CVE feed will allow end users to programmatically fetch the list of CVEs and allow them to get the latest information from the Kubernetes community.
C
Pretty cool. All right, now it's time for SIG Storage. SIG Storage is responsible for ensuring that different types of file and block storage are available wherever a container is scheduled, storage capacity management, influencing scheduling of containers based on storage, and generic operations on storage, like snapshotting, etc. I will take this one, so Priyanka can have some water and rest her voice.
C
All right. First up is local ephemeral storage capacity isolation. In addition to persistent storage, Pods and containers may require ephemeral or transient local storage for scratch space, caching and logs. Ephemeral storage is unstructured and shared, the, the space, not the data, between all Pods running on a node, in addition to other uses by the system. Local storage capacity isolation as a feature provides support for capacity isolation of shared storage between Pods, such that a Pod can be hard limited in its consumption of shared resources by evicting Pods.
C
It is going to allow driver developers to create new types of CSI drivers, such as ephemeral volume drivers, which can be used to inject arbitrary states, such as configuration, secrets or similar information, directly inside of the Pods using a mounted volume. Yet another stable. We have so many stable graduations this time, it's really rad. This is CSI migration for the core, AWS and GCE.
C
The CSI migration for vSphere, by the way, remains in beta, but it is on by default, and the CSI migration for Portworx has moved up to beta, but is off by default, as we mentioned in the major themes section. If the CSI migration is working properly, by the way, Kubernetes end users should not notice the difference at all. Here, a new alpha feature: speed up SELinux volume relabeling using mounts.
C
This feature tries to speed up the way that volumes, inclusive of persistent volumes, are made available to Pods on systems with SELinux in enforcing mode. Currently, this includes recursive relabeling of all files on a volume before a container can be started, which is pretty slow if the volume is large. So this feature uses the mount option flag -o context=XYZ to set the SELinux context of all files on a volume without recursive walking through the volume. You got another alpha: node expand secret for CSI driver.
C
This feature adds a way to add a node expand secret to the CSI persistent volume source, and so here we're enabling the CSI client to send it out as part of the node expand volume request to the CSI drivers for making use of it in various node operations. And a deprecation.
C
So we have deprecated the GlusterFS in-tree driver. GlusterFS was one of the first dynamic provisioners, which made it into the Kubernetes release back in 1.4, and then when CSI plugins and drivers started to appear, GlusterFS's CSI driver came with it. However, this project isn't maintained presently, hasn't been maintained in years. We did discuss the possibility of migration to a compatible CSI driver.
C
The discussion should be linked from that features.k8s.io link on the slide, but ultimately we decided that it was best to deprecate it. This enhancement begins the deprecation process of the GlusterFS plugin from in-tree drivers. And lastly, I think we might, this might be the last one, is SIG Windows. SIG Windows focuses on supporting Windows node and scheduling and Windows containers on Kubernetes. And Priyanka, did you want to take this one?
B
I'm on a delay now, so, if you can hear me well, I can take this. Oh.
B
You. Okay, so we have one feature coming from SIG Windows: it's identify Pod's OS during API server admission. So identifying the OS of the Pods during the API server admission is very crucial so that we can apply appropriate security constraints to the Pod. In the absence, some admission plugins may apply unnecessary security constraints to the Pod or, in the worst case, don't apply them at all. This feature adds a new field to the Pod spec called OS to identify the OS of the container specified in the Pod.
B
C
Thank you. Yeah. So that's, that's a lot of enhancements to go through. Thank the both of you for your help with that. I will talk about the release team shadow program some here. And again, if you all have questions, drop them in the chat. I think we, we are going to have a few minutes, although not too terribly much time. We do only have an hour, but first we're going to talk about the release team shadow program.
C
So with every Kubernetes release, there is a new Kubernetes release team made up of community members who handle, like, the day-to-day logistics of the release itself, and it is quite a lot of work. So it's broken up into seven different roles. Each role is one lead and usually four shadows, but sometimes that number varies a little bit, and the point of the shadow program is to train new leads, cover for leads, because the leads can't, like, we can't be there
C
every single minute of every single day, share knowledge about the release process, help contributors broaden their areas of knowledge and participation, and just, like, over time, throughout each release cycle, gradually improve the state of a given release team. Most release leads do, like, make, make changes after they serve their time, and some of those changes are solicited from their shadows.
C
It's very, it's very cool, it's very fun. So the application process usually goes out towards the end of one release, and this, like, kind of gap area, or there's, like, there's, there's actually only like two weeks between a release where we're not, we're not doing anything other than putting together the, the shadow program. We've already selected the shadows for the upcoming release, version
C
One
two:
six,
both
Priyanka
and
I,
are
release
lead
Shadows
for
one
two,
six
CC,
you
are
a
branch
manager
associate
right,
so
we're
all
on
the
next
release
team
too,
but
the
release
cycle
generally
lasts
around
four
months.
The
one
at
the
end
of
the
year
can
be
a
little
bit
shorter
because
of
the
holidays.
We
can
compress
things
a
little
bit
and
the
workloads
do
kind
of
like
ebb
and
flow.
Some
teams
are
more
busy
than
others
at
certain
times.
Like
I
know.
C
On
the
on
the
comms
team,
we
were
always
very
little
to
do
at
the
beginning
of
the
release
cycle,
but
at
the
end
it
was
very,
very
busy
and
for
me
as
the
lead,
it
was.
Maybe
you
know
like
10
15
20
hours
of
work
a
week
at
the
end
of
the
release
cycle
and
enhancements.
I
assume
is
considerably
busier
at
the
beginning
of
the
release.
Is
that
is
that
true,
Priyanka
yeah
yeah?
C
So it depends on the team, but it's, it's like that a lot. It ebbs and flows based on which team you're on, but regardless, there are enough people on each team that, no, no one person is particularly overloaded. The lead does take the, the bulk of the work, but if you are interested, we would love to see you apply for a shadow position in a future release. If you go to the release team shadows GitHub repo, there will be a bunch of information on the different roles there.
C
Handbooks for all of the different sections that make up the release teams; you can get an idea of what the responsibilities are before you apply. But, like we said earlier in the beginning of this webinar, the target release date for Kubernetes version 1.26 is December 6th, so you can expect, like, sometime mid-December, or yeah, mid-December, to see the application for the shadow program for 1.27 to go out.
C
So if you would, we would love to have you, and you can request to shadow more than one thing: you're only going to get picked for one, but you can, you can try for several teams. And that's all we have for you out of the slides. Does anybody have any questions for us?
C
C
D
Yeah, for three groups: no, yeah, this is needed.
C
For rootless Kubernetes, for Docker builds and Kubernetes, do we need to run the kubelets as non-root?
B
C
Yeah, so we should, we also, it's important to note for this release that we had more feature blogs, which are deep dives on, like, the specifics of a feature, than any other Kubernetes release before, by far. We ended up with like 19 or something, because some came in after, so it's, I've looked at... How long ago did you look at the blog, Richard? Because they are, there are so many release blogs that we schedule them out for like three days a week.
D
I think there is a reference for that kind of question. It's that, regarded, regarding the user namespace feature, which is still alpha, right? So if you run, yeah, that is a pretty good reference, and if you want to run as a rootless mode. But remember this feature is in alpha, so you have to turn on the feature gate, and Kubernetes will not guarantee it's bug-free or anything, yeah. It's basically run at your own risk.
D
C
C
Somebody says a thing to note when using cgroups v2 is that JDK less than 15 does not properly deduce available resources anymore. Noted, correct.
D
Yes, yeah, in order to use the cgroups v2, there are, like, specific requirements, such as, like, OS distribution requirements of enabling for sure, and the kernel version has to be 5.8, I think, and later, and also you have, like, I think also the requirement for containerd, CRI-O, if you use animal term, has a specific version requirement as well. Yeah.
D
And, like, we have the most feature blogs in this release. I guess it's way more than previous releases, I think it's
C
D
C
C
Did, we had so many amazing features, and I was luckily, lucky to have a team of comms shadows who just really, really hustled with the SIGs to get, get people to write stuff about their features. So it's, it's a very pleasant cycle. We had no, we had no major delays.
C
Yeah, it was, it was tight. Well, if there are no more questions, I guess we can wrap
A
it up. Give everybody one more minute and see if any flow in, but in the meantime, thank you all so much. I really enjoyed your talk today. This will be, like I mentioned, the recording will be available on our online programs YouTube playlist, as well as through your registration link, and you can also find it on the CNCF website. So get out there and start working with all the tools, and I think y'all let them know where to reach you.
A
There, so it doesn't look like any other questions are popping up, so I really deal with that. Thank you all so much, and everyone, thanks.
B
A
Joining us, and we'll see y'all again next week. Bye.