Kubernetes 1.22 will be released on August 4th, so this article gives you a look at the new features that this release will bring to get you ready for the beta upgrade.

Removal of a series of deprecated APIs

One of the biggest changes in Kubernetes 1.22 is the removal of a number of deprecated APIs, including:

  • The Beta versions of ValidatingWebhookConfiguration and MutatingWebhookConfiguration (admissionregistration.k8s.io/v1beta1; should be moved to admissionregistration.k8s.io/v1)
  • The Beta version of CustomResourceDefinition (apiextensions.k8s.io/v1beta1; should be moved to apiextensions.k8s.io/v1)
  • The Beta version of APIService (apiregistration.k8s.io/v1beta1; should be moved to apiregistration.k8s.io/v1)
  • The Beta version of TokenReview (authentication.k8s.io/v1beta1; should be moved to authentication.k8s.io/v1)
  • The Beta versions of SubjectAccessReview, LocalSubjectAccessReview and SelfSubjectAccessReview (authorization.k8s.io/v1beta1; should be moved to authorization.k8s.io/v1)
  • The Beta version of CertificateSigningRequest (certificates.k8s.io/v1beta1; should be moved to certificates.k8s.io/v1)
  • The Beta version of Lease (coordination.k8s.io/v1beta1; should be moved to coordination.k8s.io/v1)
  • All Beta versions of Ingress (extensions/v1beta1 and networking.k8s.io/v1beta1; should be moved to networking.k8s.io/v1)

To avoid application outages, complete the migration of the APIs listed above before you upgrade the Kubernetes cluster. The kubectl convert command can convert manifests to the new API versions for you, for example:

kubectl convert -f ./legacy-ingress.yaml --output-version networking.k8s.io/v1

Detailed descriptions of these APIs can be found in the Kubernetes API documentation and on the official blog.
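Before running kubectl convert across a large set of manifests it helps to know which documents are actually affected. The following scanner is an added example (not code from the article or from the Kubernetes project): it walks a multi-document YAML stream, reads only the top-level apiVersion and kind of each document, and reports every object that uses one of the group/versions removed in 1.22 together with the version it should be moved to. The sample manifest is constructed for the example; the lookup table is the list given above.

```python
"""Scan multi-document YAML manifests for API versions removed in Kubernetes 1.22.

Deliberately minimal: only top-level `apiVersion:` and `kind:` keys are read,
so no third-party YAML library is required (nested `kind:` keys, e.g. inside
an ownerReference, are ignored because they are indented).
"""
import re

# (removed apiVersion, kind) -> apiVersion to migrate to, per the 1.22 removal list.
REMOVED_IN_1_22 = {
    ("admissionregistration.k8s.io/v1beta1", "ValidatingWebhookConfiguration"): "admissionregistration.k8s.io/v1",
    ("admissionregistration.k8s.io/v1beta1", "MutatingWebhookConfiguration"): "admissionregistration.k8s.io/v1",
    ("apiextensions.k8s.io/v1beta1", "CustomResourceDefinition"): "apiextensions.k8s.io/v1",
    ("apiregistration.k8s.io/v1beta1", "APIService"): "apiregistration.k8s.io/v1",
    ("authentication.k8s.io/v1beta1", "TokenReview"): "authentication.k8s.io/v1",
    ("authorization.k8s.io/v1beta1", "SubjectAccessReview"): "authorization.k8s.io/v1",
    ("authorization.k8s.io/v1beta1", "LocalSubjectAccessReview"): "authorization.k8s.io/v1",
    ("authorization.k8s.io/v1beta1", "SelfSubjectAccessReview"): "authorization.k8s.io/v1",
    ("certificates.k8s.io/v1beta1", "CertificateSigningRequest"): "certificates.k8s.io/v1",
    ("coordination.k8s.io/v1beta1", "Lease"): "coordination.k8s.io/v1",
    ("extensions/v1beta1", "Ingress"): "networking.k8s.io/v1",
    ("networking.k8s.io/v1beta1", "Ingress"): "networking.k8s.io/v1",
}

# Matches an unindented apiVersion/kind line; quotes around the value are tolerated.
_TOP_KEY = re.compile(r'^(apiVersion|kind):\s*["\']?([^"\'\s]+)["\']?\s*$')


def split_documents(manifest):
    """Split a YAML stream on '---' separators, dropping empty documents."""
    docs, current = [], []
    for line in manifest.splitlines():
        if line.strip() == "---":
            docs.append("\n".join(current))
            current = []
        else:
            current.append(line)
    docs.append("\n".join(current))
    return [d for d in docs if d.strip()]


def find_removed_apis(manifest):
    """Return (document index, apiVersion, kind, replacement) for each affected document."""
    findings = []
    for idx, doc in enumerate(split_documents(manifest)):
        fields = {}
        for line in doc.splitlines():
            m = _TOP_KEY.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        key = (fields.get("apiVersion"), fields.get("kind"))
        if key in REMOVED_IN_1_22:
            findings.append((idx, key[0], key[1], REMOVED_IN_1_22[key]))
    return findings


# Constructed sample: two legacy Ingress objects around an unaffected Service.
SAMPLE_MANIFEST = """\
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: legacy-ingress
spec:
  backend:
    serviceName: web
    servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: web
---
apiVersion: networking.k8s.io/v1beta1
kind: "Ingress"
metadata:
  name: other-ingress
"""

if __name__ == "__main__":
    for idx, api, kind, target in find_removed_apis(SAMPLE_MANIFEST):
        print(f"document {idx}: {kind} uses {api}, removed in 1.22 -> "
              f"kubectl convert -f <file> --output-version {target}")
```

The scanner only flags documents; the actual rewrite is still done by kubectl convert (or by hand), since fields such as the Ingress backend also change shape between versions.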

Kubernetes release cycle changes

Due to COVID-19, the Kubernetes release cycle was officially reduced from 4 releases per year to 3 releases per year, effective 23 April 2021. For example, next year's release schedule (i.e. 2022) will be:

Week number in year   Release   Release week
1                     1.24      1 (January 03)
15                    1.24      15 (April 12)
17                    1.25      1 (April 26)
32                    1.25      15 (August 09)
34                    1.26      1 (August 22)
49                    1.26      14 (December 06)

Client-go credential plugin GA

The client-go credential plugin has been in Beta since 1.11 and officially reaches GA in 1.22. Many of the earlier bugs have been fixed in this release and the interactive login flow has been improved. In addition, some cloud vendors' credential plugins have officially been switched to separate implementations (for example, the Azure credential plugin has been replaced by kubelogin).

Pod Security Policy replacement

Pod Security Policy was deprecated in 1.21. In its place, 1.22 introduces the built-in Pod Security Admission controller and the new Pod Security Standards. Pod Security Standards are applied at the namespace level and define three profiles:

Profile      Description
Privileged   An unrestricted policy that grants the widest possible level of permissions. This profile allows known privilege escalations.
Baseline     A minimally restrictive policy that prevents known privilege escalations. Allows the default (minimally specified) Pod configuration.
Restricted   A heavily restricted policy that follows current Pod hardening best practices.

Refer to the Pod Security Standards documentation for detailed descriptions of these three policies.
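To make the difference between Baseline and Restricted concrete, the checker below is an added example (not code from the article or from the Kubernetes Pod Security Admission controller) that evaluates a Pod spec, given as a Python dict as loaded from YAML, against a subset of each profile's rules: Baseline rejects host namespaces, privileged and HostProcess containers, hostPath volumes, hostPorts, capabilities outside the default set and an Unconfined seccomp profile; Restricted additionally demands allowPrivilegeEscalation: false, runAsNonRoot, dropping ALL capabilities, a RuntimeDefault or Localhost seccomp profile and a short list of volume types. The three sample pods are constructed for the example; the first mirrors the HostProcess manifest shown later in this article.

```python
"""Check a Pod spec against a subset of the Baseline and Restricted Pod Security
Standards. Returns human-readable violations; an empty list means compliant."""

# Capabilities a Baseline pod may add (the runtime default set).
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                 "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP",
                 "SETUID", "SYS_CHROOT"}
# Volume types permitted under the Restricted profile.
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}


def _all_containers(spec):
    """Yield init, regular and ephemeral containers; the rules apply to all of them."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])


def baseline_violations(spec):
    """Subset of the Baseline profile checks."""
    v = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            v.append(f"spec.{key} must not be true")
    psc = spec.get("securityContext", {})
    if psc.get("windowsOptions", {}).get("hostProcess"):
        v.append("spec.securityContext.windowsOptions.hostProcess must not be true")
    if psc.get("seccompProfile", {}).get("type") == "Unconfined":
        v.append("spec.securityContext.seccompProfile.type must not be Unconfined")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"volume {vol.get('name')!r} uses hostPath")
    for c in _all_containers(spec):
        name, sc = c.get("name"), c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"container {name!r} is privileged")
        if sc.get("windowsOptions", {}).get("hostProcess"):
            v.append(f"container {name!r} sets hostProcess")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            v.append(f"container {name!r} sets seccompProfile Unconfined")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_CAPS
        if extra:
            v.append(f"container {name!r} adds capabilities {sorted(extra)}")
        for p in c.get("ports", []):
            if p.get("hostPort"):
                v.append(f"container {name!r} uses hostPort {p['hostPort']}")
    return v


def restricted_violations(spec):
    """Baseline checks plus the additional Restricted requirements."""
    v = baseline_violations(spec)
    psc = spec.get("securityContext", {})
    for vol in spec.get("volumes", []):
        if not (set(vol) - {"name"}) <= RESTRICTED_VOLUMES:
            v.append(f"volume {vol.get('name')!r} uses a type outside the Restricted list")
    for c in _all_containers(spec):
        name, sc = c.get("name"), c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"container {name!r} must set allowPrivilegeEscalation: false")
        # Container-level runAsNonRoot overrides the pod-level value.
        non_root = sc["runAsNonRoot"] if "runAsNonRoot" in sc else psc.get("runAsNonRoot")
        if non_root is not True:
            v.append(f"container {name!r} must set runAsNonRoot: true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            v.append(f"container {name!r} must drop ALL capabilities (only NET_BIND_SERVICE may be added)")
        seccomp = sc.get("seccompProfile", psc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"container {name!r} must use seccompProfile RuntimeDefault or Localhost")
    return v


# Constructed samples.
HOST_PROCESS_POD = {  # reduced form of the article's Windows HostProcess manifest
    "hostNetwork": True,
    "securityContext": {"windowsOptions": {"hostProcess": True}},
    "containers": [{"name": "test", "image": "image1:latest"}],
}
PLAIN_POD = {"containers": [{"name": "web", "image": "nginx"}]}  # no securityContext at all
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "nginx",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
}

if __name__ == "__main__":
    for label, pod in (("hostprocess", HOST_PROCESS_POD), ("plain", PLAIN_POD), ("hardened", HARDENED_POD)):
        print(label, "baseline:", baseline_violations(pod))
        print(label, "restricted:", restricted_violations(pod))
```

A pod with no securityContext at all passes Baseline but fails Restricted on four counts, which is exactly why the Restricted profile is the one to enforce on workload namespaces once manifests have been hardened.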

Server-Side Apply GA

Server-Side Apply helps users and controllers manage their resources through declarative configuration. Clients send the fully described intended state of an object, and the API server creates and/or modifies the object declaratively.

CSI sub-features GA

CSI Windows support and the CSI Service Account Token both reach GA in 1.22:

  • Because Windows nodes do not support privileged containers, CSI Windows support proxies the privileged operations (the part that requires host privileges on a Linux node) through CSIProxy, allowing CSI plugins to be deployed to Windows nodes as non-privileged containers.
  • The CSI Service Account Token lets a CSI plugin use the Service Account Token bound to the Pod instead of a more privileged credential. It also provides control over republishing these volumes so that tokens can be refreshed.

Memory QoS (Alpha)

Before 1.22, because Kubernetes used the cgroups v1 API, Pod QoS was effectively only available for CPU. For memory, memory.limit_in_bytes could be used to cap a container's usage and oom_score_adj to adjust the order in which processes are killed when an OOM event occurs. As a result, Kubernetes could not fully reserve memory for Guaranteed pods, and Burstable pods had a higher chance of being killed by the kernel under memory pressure.

Kubernetes 1.22 introduces support for the cgroups v2 API to control memory allocation and isolation, and implements memory QoS with the help of memory.min and memory.high. The values written to cgroups v2 for a container are calculated as follows:

// Container
/cgroup2/kubepods/pod<UID>/<container-id>/memory.min=pod.spec.containers[i].resources.requests[memory]
/cgroup2/kubepods/pod<UID>/<container-id>/memory.high=(pod.spec.containers[i].resources.limits[memory] or node allocatable memory)*memory throttling factor // Burstable only; the limit is used when set, otherwise node allocatable memory

// Pod
/cgroup2/kubepods/pod<UID>/memory.min=sum(pod.spec.containers[i].resources.requests[memory])

// QoS ancestor cgroup
/cgroup2/kubepods/burstable/memory.min=sum(pod[i].spec.containers[j].resources.requests[memory])
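The following is an added worked example (not kubelet code) that carries the formulas above through for a concrete pod: it parses Kubernetes memory quantities, derives memory.min from each container's request, derives memory.high for Burstable containers from the limit (or node allocatable memory when no limit is set) multiplied by the throttling factor, and sums requests for the pod and QoS cgroups. The throttling factor default of 0.8 and the 8Gi node allocatable value are assumptions for the example, as is the sample pod.

```python
"""Worked example of the cgroups v2 values the Memory QoS feature derives from a
Pod spec: memory.min from requests, memory.high from limits (or node allocatable
memory) times the memory throttling factor."""

# Kubernetes quantity suffixes (binary then decimal) to bytes; order matters so
# that "Gi" is matched before "G".
_SUFFIXES = {"Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
             "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_quantity(q):
    """Convert a memory quantity string such as '256Mi', '1G' or '512' to bytes."""
    q = str(q).strip()
    for suffix, mult in _SUFFIXES.items():
        if q.endswith(suffix):
            return int(float(q[:-len(suffix)]) * mult)
    return int(q)


def container_cgroup_values(container, node_allocatable, throttling_factor=0.8):
    """memory.min / memory.high for one container.

    throttling_factor=0.8 is an assumed default for the kubelet's configurable
    "memory throttling factor" used in the article's formula.
    """
    res = container.get("resources", {})
    request = parse_quantity(res.get("requests", {}).get("memory", "0"))
    limit_str = res.get("limits", {}).get("memory")
    limit = parse_quantity(limit_str) if limit_str is not None else None

    values = {"memory.min": request}
    # memory.high is only set for Burstable containers: a request is present and
    # the limit is absent or larger than the request. Guaranteed containers
    # (request == limit) and BestEffort containers (no request) get no memory.high.
    if request > 0 and (limit is None or limit > request):
        ceiling = limit if limit is not None else node_allocatable
        values["memory.high"] = int(ceiling * throttling_factor)
    return values


def pod_cgroup_values(pod_spec, node_allocatable, throttling_factor=0.8):
    """Per-container values plus the pod-level memory.min (sum of requests)."""
    per_container = {
        c["name"]: container_cgroup_values(c, node_allocatable, throttling_factor)
        for c in pod_spec["containers"]
    }
    pod_min = sum(v["memory.min"] for v in per_container.values())
    return {"containers": per_container, "pod": {"memory.min": pod_min}}


def qos_cgroup_min(pod_specs):
    """memory.min for the QoS ancestor cgroup: the sum of all containers' requests."""
    return sum(
        parse_quantity(c.get("resources", {}).get("requests", {}).get("memory", "0"))
        for spec in pod_specs for c in spec["containers"]
    )


# Constructed sample: a Burstable pod holding one Burstable and one Guaranteed container.
SAMPLE_POD = {
    "containers": [
        {"name": "app", "resources": {"requests": {"memory": "256Mi"},
                                      "limits": {"memory": "1Gi"}}},
        {"name": "sidecar", "resources": {"requests": {"memory": "64Mi"},
                                          "limits": {"memory": "64Mi"}}},
    ]
}
NODE_ALLOCATABLE = parse_quantity("8Gi")  # assumed node allocatable memory

if __name__ == "__main__":
    result = pod_cgroup_values(SAMPLE_POD, NODE_ALLOCATABLE)
    for name, values in result["containers"].items():
        for key, val in values.items():
            print(f"/cgroup2/kubepods/pod<UID>/<container-id of {name}>/{key} = {val}")
    print(f"/cgroup2/kubepods/pod<UID>/memory.min = {result['pod']['memory.min']}")
    print(f"/cgroup2/kubepods/burstable/memory.min (this pod only) = {qos_cgroup_min([SAMPLE_POD])}")
```

Note that the sidecar, whose request equals its limit, receives only memory.min: the kernel reserves its request but does not throttle it, whereas the app container is throttled at 80% of its 1Gi limit before it can reach the hard limit and be OOM-killed.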

Seccomp Default Security Policy (Alpha)

The kubelet in 1.22 adds the Alpha SeccompDefault feature gate, which enables a default seccomp policy. When the gate is enabled, RuntimeDefault is applied to all pods in the cluster as the default seccomp profile (without the gate, the default remains Unconfined). This considerably improves the security of the whole cluster.

Windows Privileged Container (Alpha)

Since Kubernetes first supported Windows, one of the biggest shortcomings of Windows nodes has been that they do not support privileged containers. As a result, many extensions and plugins that can be deployed with a DaemonSet on Linux nodes have to be managed outside of Kubernetes on Windows nodes (for example, installed, configured and started as host services via PowerShell).

Kubernetes 1.22 adds the Windows HostProcess container feature (behind the WindowsHostProcessContainers feature gate, which must be enabled), officially giving Windows nodes support for privileged containers. HostProcess containers can be used to deploy components such as network plugins, storage configuration, device plugins and kube-proxy on Windows nodes without special agents or host services installed directly on the host.

A HostProcess container is enabled in the securityContext of the Pod spec, for example:

spec:
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: "NT AUTHORITY\\Local service"
  hostNetwork: true
  containers:
  - name: test
    image: image1:latest
    command:
      - ping
      - -t
      - 127.0.0.1
  nodeSelector:
    "kubernetes.io/os": windows

Note: Windows HostProcess containers require the Windows nodes to run containerd 1.5.4 or later.

Other significant features

In addition to the above features, the following features are worth paying special attention to:

  • etcd moves to 3.5.0, with many security, performance, monitoring and developer-experience improvements;
  • StreamingProxyRedirects is deprecated and disabled by default, and will be removed in 1.24;
  • kubeadm supports deploying the control plane as a non-root user (the RootlessControlPlane feature gate must be enabled);
  • The kubelet supports running as a non-root user (rootless kubelet);
  • Pod eviction supports the policy/v1 API (policy/v1beta1 is deprecated in 1.22);
  • DynamicKubeletConfig is deprecated and disabled by default;
  • When externalTrafficPolicy: Local is configured and a node has only Terminating pods for the Service, kube-proxy now continues to forward requests to the Terminating pods (previously it dropped the packets);
  • The CertificateSigningRequest.certificates.k8s.io API adds support for expirationSeconds;
  • Nodes add support for swap memory (Alpha);
  • The ExpandedDNSConfig feature (Alpha) raises MaxDNSSearchPaths to 32 and MaxDNSSearchListChars to 2048;
  • MemoryManager, NetworkPolicyEndPort, PodDeletionCost, SuspendJob, ServiceLBNodePortControl, ServiceLoadBalancerClass and a number of other features graduate to Beta and are enabled by default.
