KOPS HARDENS DEFAULTS, KUEUE SPLITS TEST SUITES, ADDON FAILURES NOW VISIBLE
By RepoJournal · Filed · About Kubernetes
KOps flipped authorization to RBAC by default [2], surfaced hidden addon failures through readiness probes [1], and unlocked Cilium's no-masquerade mode on ENI [3], while test-infra split Kueue's multikueue testing into baseline and extended coverage [6].
Three critical KOps changes ship this morning. Authorization now defaults to RBAC instead of AlwaysAllow when omitted from cluster specs [2], closing a silent security gap between CLI and manifest-based cluster creation. More urgently, addon apply failures are no longer invisible: the channel controller now surfaces them through a readiness probe on a system-node-critical pod, so a rejected manifest halts rolling updates before workers roll over [1]. Cilium users on ENI IPAM get long-awaited flexibility: KOps removes its blanket prohibition on disableMasquerade, allowing upstream no-masquerade behavior for private-topology clusters and VPC endpoint setups [3].
On the testing side, test-infra merged VPA's NUMPROC configuration into the autoscaler repo [4], [5], reducing duplication, while Kueue's test suite splits into multikueue-baseline and multikueue-extended targets to isolate coverage [6]. Kubernetes core fixed a race condition in subPath directory creation [7] and marked the archived protoc-gen-validate as an unwanted dependency to keep dependency hygiene clean [8].
Action items
- Review KOps cluster specs for explicit authorization fields; if omitted, they now default to RBAC instead of AlwaysAllow on next reconcile (kubernetes/kops) [plan]
- Verify addon manifests are kubectl-valid; failed applies now block rolling updates via readiness probe (kubernetes/kops) [immediate]
- If running Cilium ENI IPAM with masquerade disabled, test the validation removal in next KOps update (kubernetes/kops) [monitor]
- Update test jobs for Kueue to reference new multikueue-baseline and multikueue-extended targets (kubernetes/test-infra) [plan]
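An added example for the first action item (not code from kOps or from this digest): a stdlib-only Python scan that reports, per Cluster document, whether `spec.authorization` names `rbac`, `alwaysAllow`, or is omitted. The manifests are constructed, and the scan assumes plain block or flow YAML with `name` as the first key under `metadata`.

```python
import re
# Constructed sample: three kOps Cluster manifests, trimmed to the relevant keys.
SAMPLE = """\
kind: Cluster
metadata:
  name: explicit-rbac.example.com
spec:
  authorization:
    rbac: {}
---
kind: Cluster
metadata:
  name: omitted.example.com
spec:
  channel: stable
---
kind: Cluster
metadata:
  name: wide-open.example.com
spec:
  authorization: {alwaysAllow: {}}
"""

def authorization_mode(doc):
    """Return 'rbac', 'alwaysAllow' or 'omitted' for one Cluster document."""
    in_spec, spec_indent, in_auth = False, None, False
    for line in doc.splitlines():
        indent = len(line) - len(line.lstrip())
        key = line.strip().partition(":")[0]
        if not key or key.startswith("#"):
            continue
        if indent == 0:  # top-level key: entering or leaving spec
            in_spec, spec_indent, in_auth = key == "spec", None, False
        elif in_spec:
            spec_indent = indent if spec_indent is None else spec_indent
            if indent == spec_indent:  # direct child of spec
                in_auth = key == "authorization"
            mode = re.search(r"\b(rbac|alwaysAllow)\s*:", line) if in_auth else None
            if mode:  # block-style child or flow style {rbac: {}}
                return mode.group(1)
    return "omitted"

def audit(text):
    result = {}  # cluster name -> authorization mode
    for doc in re.split(r"^---\s*$", text, flags=re.M):
        if re.search(r"^kind:\s*Cluster\s*$", doc, re.M):
            name = re.search(r"^metadata:\s*\n\s+name:\s*(\S+)", doc, re.M)
            result[name.group(1) if name else "<unnamed>"] = authorization_mode(doc)
    return result
```

Clusters reported as `omitted` are the ones whose effective mode changes under the new default; those reported as `alwaysAllow` keep that mode because it is set explicitly.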
References
- [1] channels: surface addon apply failures via a readiness probe (kubernetes/kops)
- [2] Default omitted authorization to RBAC instead of AlwaysAllow (kubernetes/kops)
- [3] cilium: allow disabling masquerade in ENI IPAM mode (kubernetes/kops)
- [4] Merge pull request #37142 from adrianmoisey/remove-vpa-numprocs (kubernetes/test-infra)
- [5] Remove VPA's NUMPROC settings (kubernetes/test-infra)
- [6] kueue : split multikueue into extended and baseline suite (kubernetes/test-infra)
- [7] Fix a race condition when creating subPath directories (kubernetes/kubernetes)
- [8] Mark github.com/envoyproxy/protoc-gen-validate as unwanted dependency (kubernetes/kubernetes)
FAQ
- What changed in Kubernetes on May 31, 2026?
  - KOps flipped authorization to RBAC by default, surfaced hidden addon failures through readiness probes, and unlocked Cilium's no-masquerade mode on ENI, while test-infra split Kueue's multikueue testing into baseline and extended coverage.
- What should Kubernetes teams do about it?
  - Review KOps cluster specs for explicit authorization fields; if omitted, they now default to RBAC instead of AlwaysAllow on next reconcile. Verify addon manifests are kubectl-valid; failed applies now block rolling updates via readiness probe. If running Cilium ENI IPAM with masquerade disabled, test the validation removal in next KOps update.
- Which Kubernetes repositories shipped on May 31, 2026?
  - kubernetes/kops, kubernetes/test-infra, kubernetes/kubernetes