“K8S Ecology Weekly” mainly collects the K8S-ecosystem news I came across during the week and recommend. Welcome to subscribe to “K8S Ecology” on Zhihu.

Kubernetes v1.22 was officially released today, the second release of 2021. It contains 53 enhancements: 13 graduating to stable, 24 to beta, and 16 new alpha features. Three features are also marked as deprecated.

In April this year, Kubernetes changed its release cadence from every three months to every four months, and this is the first release made under the longer cycle. Let’s take a look at some of the notable changes.

Server-side Apply reaches GA

The main goal of Server-side Apply is to move the apply logic from kubectl apply into kube-apiserver, which fixes many of the field-ownership conflicts encountered today.

Do you remember the .metadata.managedFields field I introduced in an earlier “K8S Ecology Weekly”? Server-side Apply uses it to track which manager owns each field of an object.

The benefit of this feature is that declarative configuration can be done directly through the API (for example with curl) rather than relying on the kubectl apply command.

It is used as follows:

kubectl apply --server-side [--dry-run=server]

An alternative to Pod Security Policy

The PodSecurity admission controller replaces PodSecurityPolicy, which was deprecated in Kubernetes v1.21.

The admission controller applies the Pod Security Standards at the namespace level in three modes:

  • Enforce: a Pod that violates the policy is rejected;
  • Audit: a Pod that violates the policy is admitted, but an annotation is added to the audit log event;
  • Warn: a Pod that violates the policy is admitted, but a warning is returned to the user.

The controller is configured with a file of the following form:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    defaults:  # Defaults applied when a mode label is not set.
      enforce:         <default enforce policy level>
      enforce-version: <default enforce policy version>
      audit:         <default audit policy level>
      audit-version: <default audit policy version>
      warn:          <default warn policy level>
      warn-version:  <default warn policy version>
    exemptions:
      usernames:         [ <array of authenticated usernames to exempt> ]
      runtimeClassNames: [ <array of runtime class names to exempt> ]
      namespaces:        [ <array of namespaces to exempt> ]
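To make the three modes concrete, here is an added example (not part of the original post, and not Kubernetes’ own PodSecurity admission code) that simulates how enforce, audit and warn combine for one Pod. It implements a handful of checks from the Pod Security Standards “baseline” and “restricted” profiles (the real profiles contain more); the sample Pods, namespace labels and default levels are constructed for the demo.

```python
"""Added example; not part of the original post and not Kubernetes' own
PodSecurity admission code. It simulates how the enforce / audit / warn
modes combine, using a handful of checks from the Pod Security Standards
'baseline' and 'restricted' profiles (the real profiles contain more)."""

LABEL_PREFIX = "pod-security.kubernetes.io/"

# Constructed defaults, standing in for the 'defaults:' section of the
# AdmissionConfiguration (levels only; the -version keys are left out).
DEFAULTS = {"enforce": "privileged", "audit": "baseline", "warn": "baseline"}


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(pod):
    """Subset of 'baseline': no host namespaces, no privileged containers,
    no hostPath volumes."""
    spec = pod.get("spec", {})
    found = []
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            found.append(f"{key}=true")
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"privileged container: {c['name']}")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            found.append(f"hostPath volume: {v['name']}")
    return found


def restricted_violations(pod):
    """Subset of 'restricted': baseline plus hardening every container
    must opt into. Container-level settings override pod-level ones."""
    found = baseline_violations(pod)
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"allowPrivilegeEscalation != false: {c['name']}")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"runAsNonRoot != true: {c['name']}")
        if sc.get("capabilities", {}).get("drop") != ["ALL"]:
            found.append(f"capabilities.drop != [ALL]: {c['name']}")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"seccompProfile not RuntimeDefault/Localhost: {c['name']}")
    return found


# 'privileged' is the unrestricted profile: nothing is checked.
CHECKS = {
    "privileged": lambda pod: [],
    "baseline": baseline_violations,
    "restricted": restricted_violations,
}


def admit(pod, namespace_labels, defaults=DEFAULTS):
    """Decide admission for one Pod. Each mode's level comes from the
    namespace label pod-security.kubernetes.io/<mode>, falling back to the
    configured defaults when the label is absent."""
    def level(mode):
        return namespace_labels.get(LABEL_PREFIX + mode, defaults[mode])

    rejections = CHECKS[level("enforce")](pod)
    return {
        "allowed": not rejections,                         # enforce: reject on violation
        "rejections": rejections,
        "audit_annotations": CHECKS[level("audit")](pod),  # audit: logged, still admitted
        "warnings": CHECKS[level("warn")](pod),            # warn: returned to the client
    }


# Constructed sample manifests (dicts, i.e. already-parsed YAML).
PRIVILEGED_POD = {
    "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}
# Constructed namespace labels: enforce baseline now, audit and warn against restricted.
NS_LABELS = {LABEL_PREFIX + "enforce": "baseline",
             LABEL_PREFIX + "audit": "restricted",
             LABEL_PREFIX + "warn": "restricted"}

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, NS_LABELS and HARDENED_POD):
        print(pod["metadata"]["name"], admit(pod, NS_LABELS))
```

The label pattern mirrors a common rollout: enforce the level you are sure every workload meets, and audit/warn against the stricter level you want to reach, so violations are visible before they start blocking deployments.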

Node swap support

This feature is now in Alpha.

Although swap is slower than RAM, there are many scenarios where it is useful, especially for Java and Node applications.

Whether to support swap has been discussed on the Kubernetes issue tracker for about five years. Currently, once enabled, the feature applies to the entire Node rather than to individual Pods.

You can enable this feature by doing the following:

  • Enable swap on the Node;
  • Enable the NodeSwap feature gate on the kubelet;
  • Start the kubelet with --fail-swap-on=false;
  • Optionally set memorySwap.swapBehavior=UnlimitedSwap in the kubelet configuration.

More information can be found at github.com/kubernetes/…

External client credential provider tools

This feature allows client-go to authenticate through external tools, for example against LDAP, Kerberos, OAuth2 or SAML. It was first introduced in v1.10.

To use it, configure an exec block under the user field of the kubeconfig file. For example:

apiVersion: v1
kind: Config
users:
- name: my-user
  user:
    exec:
      command: "example-client-go-exec-plugin"
      apiVersion: "client.authentication.k8s.io/v1beta1"

      env:
      - name: "FOO"
        value: "bar"

      args:
      - "arg1"
      - "arg2"
      
      provideClusterInfo: true
clusters:
...

The user.exec field names the client-go exec plugin to run. A sample project is available at github.com/ankeesler/s…
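As an added example (not from the original post and not the sample project linked above), here is a minimal exec credential plugin in Python that shows the exchange from the plugin’s side: kubectl runs the command from the user.exec block, passes the target cluster in the KUBERNETES_EXEC_INFO environment variable when provideClusterInfo is true, and reads an ExecCredential object back from stdout. The in-memory token store is an assumption for the demo; a real plugin would obtain the token from LDAP, OIDC, SAML and so on.

```python
"""Added example; not from the original post and not any real plugin.
A minimal client-go exec credential plugin. The token store is a
constructed stand-in for a real identity provider."""
import json
import os
import sys
from datetime import datetime, timedelta, timezone

API_VERSION = "client.authentication.k8s.io/v1beta1"


def parse_exec_info(raw):
    """Parse KUBERNETES_EXEC_INFO and return the target cluster's server URL,
    or None when kubectl did not pass cluster info."""
    if not raw:
        return None
    info = json.loads(raw)
    if info.get("kind") != "ExecCredential" or info.get("apiVersion") != API_VERSION:
        raise ValueError("unexpected object in KUBERNETES_EXEC_INFO")
    return info.get("spec", {}).get("cluster", {}).get("server")


def build_exec_credential(token, ttl_seconds, now=None):
    """Build the ExecCredential kubectl expects on stdout. expirationTimestamp
    tells client-go when to run the plugin again instead of caching the token
    indefinitely."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(seconds=ttl_seconds)).replace(microsecond=0)
    return {
        "apiVersion": API_VERSION,
        "kind": "ExecCredential",
        "status": {
            "token": token,
            "expirationTimestamp": expires.isoformat().replace("+00:00", "Z"),
        },
    }


def issue_token(server, token_store):
    """Only release a credential for a cluster we hold a token for: a
    kubeconfig edited to point at some other server must not receive it."""
    if server not in token_store:
        raise PermissionError(f"refusing to send a credential to unknown server {server!r}")
    return token_store[server]


# Constructed token store: server URL -> (bearer token, lifetime in seconds).
TOKEN_STORE = {"https://10.0.0.1:6443": ("example-token-for-10.0.0.1", 900)}


def run(environ):
    """One plugin invocation: environment in, ExecCredential object out."""
    server = parse_exec_info(environ.get("KUBERNETES_EXEC_INFO"))
    token, ttl = issue_token(server, TOKEN_STORE)
    return build_exec_credential(token, ttl)


def main():
    json.dump(run(os.environ), sys.stdout)
    sys.stdout.write("\n")


if __name__ == "__main__":
    main()
```

The server check is the reason to set provideClusterInfo: true in the kubeconfig: without the cluster block the plugin cannot tell which API server the token is about to be sent to.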

Indexable Job API

The Indexed Job API, added in Kubernetes v1.21, makes it easier to run parallel jobs. A Pod in a Job can learn its index from an environment variable:

[...]
spec:
  subdomain: my-job-svc
  containers:
  - name: task
    image: registry.example.com/processing-image
    command: ["./process", "--index", "$JOB_COMPLETION_INDEX", "--hosts-pattern", "my-job-{{.id}}.my-job-svc"]
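As an added example (not from the original post), here is a sketch of what a worker like the ./process command above could do with its completion index: read JOB_COMPLETION_INDEX, pick its own shard of the work, and derive its peers’ hostnames from the --hosts-pattern. The work list is constructed, the number of completions is assumed to be passed in (it would come from the Job’s .spec.completions), and the {{.id}} placeholder is expanded here by the worker itself, not by Kubernetes.

```python
"""Added example; not from the original post. An index-aware worker for
an Indexed Job. The work list and environment are constructed."""
import os


def read_index(environ=os.environ):
    """Read JOB_COMPLETION_INDEX; fail closed rather than silently doing
    index 0's work when the Job is not in Indexed completion mode."""
    raw = environ.get("JOB_COMPLETION_INDEX")
    if raw is None:
        raise RuntimeError("JOB_COMPLETION_INDEX is not set; is completionMode: Indexed?")
    return int(raw)


def shard(items, index, completions):
    """Deterministic round-robin split: every item lands in exactly one shard."""
    if not 0 <= index < completions:
        raise ValueError(f"index {index} outside 0..{completions - 1}")
    return [item for i, item in enumerate(items) if i % completions == index]


def peer_hostnames(pattern, completions):
    """Expand the {{.id}} placeholder of --hosts-pattern for every index;
    with the Job's subdomain set, these names resolve to the sibling Pods."""
    return [pattern.replace("{{.id}}", str(i)) for i in range(completions)]


# Constructed work list (assumption: in practice this comes from a queue or a bucket).
WORK = [f"chunk-{n:02d}" for n in range(10)]


def process(environ, completions, pattern="my-job-{{.id}}.my-job-svc"):
    """What one Pod of the Job does: find its index, take its shard, know its peers."""
    index = read_index(environ)
    return {
        "index": index,
        "items": shard(WORK, index, completions),
        "peers": peer_hostnames(pattern, completions),
    }


if __name__ == "__main__":
    print(process({"JOB_COMPLETION_INDEX": "1"}, completions=3))
```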

The Job API gains a suspend field

Since v1.21, a Job can be temporarily suspended by setting .spec.suspend=true, which gives finer control over when its Pods run, similar to suspending a workflow in Argo Workflows.

CSR validity

CertificateSigningRequestSpec gains an expirationSeconds field, so the validity period of the issued certificate can be controlled; the smallest accepted value is 600 (10 minutes). The default is still 1 year.

QoS for memory resources

Previously, Kubernetes used cgroups v1, and Pod QoS effectively applied only to CPU resources. Kubernetes v1.22 adds an alpha feature that uses cgroups v2 to provide QoS for memory resources as well. (If I remember correctly, it seems to be the KEP submitted by the Tencent Cloud team.)

For the other notable changes, see the previous issues of “K8S Ecology Weekly” and “K8S Ecology Weekly | Kubernetes v1.22.0-beta.0 released”.

Of course, you can also quickly try Kubernetes v1.22 with KIND using the following command:

kind create cluster --image=kindest/node:v1.22.0@sha256:b8bda84bb3a190e6e028b1760d277454a72267a5454b57db34437c34a588d047

Welcome to subscribe to my WeChat official account [MoeLove].