In Kubernetes 1.31, by default kubectl now uses the WebSocket protocol instead of SPDY for streaming. This post describes what these changes mean for you and why these streaming APIs matter. Streaming APIs in Kubernetes In Kubernetes, specific endpoints that are exposed as an HTTP or RESTful interface are upgraded to streaming connections, which require…

Historically, configuring the correct cgroup driver has been a pain point for users running new Kubernetes clusters. On Linux systems, there are two different cgroup drivers: cgroupfs and systemd. In the past, both the kubelet and CRI implementation (like CRI-O or containerd) needed to be configured to use the same cgroup driver, or else the…

In Kubernetes v1.31, we are excited to introduce a significant enhancement to CPU management capabilities: the distribute-cpus-across-cores option for the CPUManager static policy. This feature is currently in alpha and hidden by default, marking a strategic shift aimed at optimizing CPU utilization and improving system performance across multi-core processors. Understanding the feature Traditionally, Kubernetes’ CPUManager…

Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Go to Source

Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin Go to Source

azure-file-csi-driver discloses service account tokens in logs Go to Source

Incorrect permissions on Windows containers logs Go to Source

Ingress-nginx Annotation Validation Bypass Go to Source

VM images built with Image Builder and Proxmox provider use default credentials Go to Source

VM images built with Image Builder with some providers use default credentials during builds Go to Source