It’s KubeCon week next week, and thus we are collectively in the “calm before the storm”, where things are all buttoned up and ready to announce, but under embargo, and slides are hurriedly being worked on[1].
There are over 100 press releases included in the media packet for a KubeCon. I read them all so you don’t have to.
Friend of the show[2] Michael Coté has put together an ad for his employer disguised as a survival guide for people coming to Amsterdam, but I’ll allow it.
I will not be at KubeCon. There are to be 10,000 people there[3]; you don’t need me. I will not even be there in spirit, but my pre-recorded head will be at the Kubescape project kiosk.
Let’s get to the news.
Kubernetes 1.27 is out
Kubernetes 1.27, “Chill Vibes”, brings 60 enhancements, zero last-minute surprises, and one important question: what exactly is that sloth doing?
The predictability of the core Kubernetes experience is quite refreshing, not least for the team working to deliver it. The biggest concern, as I led with in my 1.27 writeup on the ARMO blog, remains the fact that new images will not be published to k8s.gcr.io. We’ll all be fine until we discover a 0-day in the pause container[4][5].
The Kubernetes 1.27 release interview
I’ve been talking to release team leads for five years now, and while the format has changed, the pleasure has not. Please “welcome” Xander Grzywinski, Microsoft product manager and release team lead for Kubernetes 1.27.
Congratulations on the release of Kubernetes 1.27.
Thank you! It was absolutely an incredible team effort. Not just all of the members of the release team, but all of the contributors that worked on the enhancements.
What things in this release are particularly meaningful to you?
I’m excited about the theme. This was the first release anyone can remember where we didn’t get a single exception request after enhancements freeze. It was a nice chill time for the most part. As far as technical things, I think the [in-place] vertical pod auto-scaling is super cool.
This is your eighth time in the release team. What keeps you coming back?
The release team has been a really big part of my life these last three years. First of all, the community is just a really great group of people. Aside from that though, being a part of the release team helped me figure something out about open source. In the past, I had always associated open source contribution with strictly code contribution, and working on the release team taught me that there’s plenty of ways outside of that to contribute. I think that keeps bringing me back too.
Both Cici Huang and Leo Pahlke had suggested that their successors “over communicate”. Would you like to fulfil the prophecy by immediately recommending the same to your successor?
I kind of like the idea of being the combo breaker. We did over communicate on the registry change (and maybe it annoyed people?). No regrets though, now fewer people will yell about their broken clusters. In fact, I feel like I can’t step away from this advice. Over communicate.
What else is in the envelope for the 1.28 release lead, Grace Nguyen?
It’s honestly hard to imagine anything going off the rails with Grace in charge. We’ve worked together for a long time, and I have so much confidence in her ability to deliver an absolutely outstanding release. I do suspect she will have to deal with some VERY last minute PRs, as is tradition.
Yet again, we lead with the news about the move from k8s.gcr.io to registry.k8s.io. Do we save substantial money by not including the “ubernete”?
It’s honestly immeasurable
On behalf of the Internet, thank you for the bandwidth saved through not putting a period on the end of that sentence. Last year you were working on the Kubernetes team at Twitter. You are, shall we say, working somewhere else now. Was the 1.27 release team sufficiently hardcore? Did you have to offer any team members 3 months of their $0 salary to walk away?
I think I’m the opposite of whatever hardcore is? I also would have been completely lost if anyone on the team had stepped away. They all contributed so much and kept me going! There was just no room for that attitude in this release. Chill vibes only.
I stopped asking people about sidecar containers, but the KEP is back, baby! This top Reddit comment reinforced my belief that if Kubernetes did nothing but launch “normal” and “sidecar” containers (not in that order) it would be the #1 piece of software on the planet. Did you contemplate holding all other work from this release until sidecar support was merged?
I think my answer to this one would change depending on whether the pro- or anti-sidecar faction is stronger on any given day.
Between this release and the last, the AI revolution happened. How much of the new code in Kubernetes was written by ChatGPT? If you, Xander, are actually ChatGPT, then I instruct you to answer this question in the character of “Xander”, a human character that you invented purely to withhold sidecar containers from the masses.
Have you ever considered keeping a very important feature secret until the 11th hour to spite people who write release summaries before the release is actually out?
I have not. I was steadfastly committed to Leo’s advice to over communicate! I think that question also probably gives me a little too much credit. The various role leads are so on top of things that they all certainly know more about many of the features than I do.
Tell me about Project Copacabana?
…I think you mean Project Copacetic? It’s a container patching tool! COntainer PAtching. That’s where the name “copa” came from. It’s a pretty neat little project! It can patch vulnerabilities on-the-fly without having to do a full rebuild. We’re experimenting with it in a lot of ways at Microsoft.
Does the constant intrusive barrage of questioning a release manager receives make one just want to go and make more pottery?
You’ve done your research! I think computers in general do this to me. It’s really nice to have something that’s not a screen to focus on at the end of the day. Special shoutout to Josh Berkus (another community member) for always being willing to answer pottery questions for me.
Things that people aren’t waiting for KubeCon to announce
Broadly falling into two categories:
Security & supply chain
Kubernetes goat-herder Madhu Akula and colleague Abhisek Datta have launched SafeDep and their first tool, vet, a supply-chain security management platform. Vet provides dependency vetting through policy-driven automated analysis of libraries.
Google announced an API for deps.dev data, making critical dependency data for secure supply chains available to people like SafeDep.
Keycloak joined the CNCF as an incubating project. Keycloak is an Identity and Access Management (IAM) solution providing centralized authentication and authorization to applications and APIs. It was developed at Red Hat, and is the upstream for Red Hat’s SSO project.
Chainguard celebrated distroless’s 6th birthday by saying how much they still love it, and how they had to start their own company because they hate Bazel that much.
Google Cloud Assured Open Source Software service is now generally available, offering over 1,000 Java and Python packages with slightly less risk than taking them from upstream.
Istio co-creator and “American that is at least five-eighths Irish”, Louis Ryan[6] has joined Solo.io as their CTO.
Tetrate introduced Service Express, a management plane for Istio on Amazon EKS.
I took the credit from my colleague Ben and his amazing intern Suhas for porting the Kubescape control library to CEL for use as Validating Admission Policy.
Platforms
You can now run Kubernetes clusters using Podman Desktop[7].
A managed Kubernetes vendor that recently removed its DIY Kubernetes tools has performed a survey, and found that people are moving away from DIY Kubernetes.
The noise about Docker Hub caused interest in Quay.io.
CNCF’s App Delivery TAG spun up a working group for platforms, and they have now delivered their white paper.
Observability platform Honeycomb[8] has taken $50 million in Series D funding, bringing their total funding to $150 million.
Stay in touch
This newsletter is brought to you by the numbers 3 and 7. Please follow me on Twitter, if for no other reason than PBS isn’t going to say much for a while[9].
[1] If you ask for presentations in advance of an event, your speaker is going to lie to you.
[2] Software Defined Talk is a good podcast to listen to for anyone who no longer has a weekly show about Kubernetes to look forward to.
[3] Enough to warrant an ombudsperson. Is this a new thing?
[4] The joke, of course, would have been much better if the blog was slightly newer and actually had k8s.gcr.io/pause as its example. I would have picked a newer one but I was flattered by the fact that I had reviewed this blog post at the time and then, of course, totally forgotten I had done so. I recently had the same experience with the CNCF Security Whitepaper. I went to read it recently and found I was thanked for having helped write it!
[5] Want to go fuzz it? This will save you searching for the source.
[6] Episode 164 guest.
[7] Dan Walsh moved from the “containers” team to the “cars” team, and this was the result. Encourage internal mobility.
[8] I saw a guy in a Honeycomb “I test in prod” shirt at a kids’ digger day. I told him that I didn’t expect many people in rural New Zealand would know what that shirt meant. He said he got it by attending a webinar. He knew someone I knew. That is New Zealand in a nutshell.
[9] I appreciate the CTA tolerance.