"K8S Ecological Weekly" collects the weekly news and recommendations from the Kubernetes ecosystem that I have come across. You are welcome to subscribe to the column "k8s ecology".

Kubernetes v1.22 was officially released today; it is the second official release of 2021. It contains 53 enhancements in total, of which 13 are stable, 24 are beta and 16 are alpha. In addition, 3 features are marked as deprecated.

Since April this year, the Kubernetes release cadence has changed from one release every 3 months to one every 4 months, and this is the first release on the longer cycle. Let's take a look at the notable changes!

Server-side Apply reaches GA

The main goal of Server-side Apply is to move the logic of kubectl apply into kube-apiserver, which fixes many of the current problems related to field ownership conflicts.

Remember the .metadata.managedFields field that I introduced in an earlier issue of "K8S Ecological Weekly"? Server-side Apply uses it to track which manager last set each field of an object.

Another advantage of this feature is that declarative configuration can be done directly through the API, for example with curl, without depending on the kubectl apply command.

The usage of this function is as follows:

kubectl apply --server-side [--dry-run=server]
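To show what an ownership conflict means in practice, here is an added Python model (not Kubernetes' own code) of how kube-apiserver compares an applied manifest against the managers recorded in .metadata.managedFields. It goes a little beyond the text by walking the whole object, but only models f: keys; list item keys (k:, v:) and the force=true override (kubectl --force-conflicts), which takes the conflicting fields over, are left out. The LIVE object, the manager names and the field layout are constructed for the example.

```python
def field_paths(obj, prefix=()):
    """Flatten an applied object into the set of leaf field paths it sets."""
    paths = set()
    for key, value in obj.items():
        if not prefix and key in ("apiVersion", "kind"):
            continue  # type metadata is never owned by a field manager
        if isinstance(value, dict) and value:
            paths |= field_paths(value, prefix + (key,))
        else:
            paths.add(prefix + (key,))
    return paths


def owned_paths(fields_v1, prefix=()):
    """Flatten a fieldsV1 tree such as {'f:spec': {'f:replicas': {}}}."""
    paths = set()
    for key, sub in fields_v1.items():
        if not key.startswith("f:"):
            continue  # list item keys (k:, v:) are not modelled here
        if sub:
            paths |= owned_paths(sub, prefix + (key[2:],))
        else:
            paths.add(prefix + (key[2:],))
    return paths


def apply_conflicts(live, applied, manager):
    """(other_manager, path) pairs that make kube-apiserver reject the apply."""
    wanted = field_paths(applied)
    conflicts = []
    for entry in live["metadata"].get("managedFields", []):
        if entry["manager"] == manager:
            continue  # re-applying fields you already own is never a conflict
        for path in sorted(wanted & owned_paths(entry["fieldsV1"])):
            conflicts.append((entry["manager"], "." + ".".join(path)))
    return conflicts


# Constructed live object: replicas last set by `kubectl scale`, template by CI.
LIVE = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"replicas": 5},
        "metadata": {"name": "web", "managedFields": [
            {"manager": "kubectl-scale", "operation": "Update",
             "fieldsV1": {"f:spec": {"f:replicas": {}}}},
            {"manager": "ci-pipeline", "operation": "Apply",
             "fieldsV1": {"f:spec": {"f:template": {"f:spec": {"f:containers": {}}}}}},
        ]}}
# Constructed manifest the pipeline now applies; it also wants to set replicas.
APPLIED = {"apiVersion": "apps/v1", "kind": "Deployment",
           "metadata": {"name": "web"}, "spec": {"replicas": 3, "paused": False}}
```

Running apply_conflicts(LIVE, APPLIED, "ci-pipeline") reports .spec.replicas as owned by kubectl-scale, which is the conflict the server would return; a later reconciliation by the pipeline therefore cannot silently undo the manual scale.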

The replacement for Pod Security Policy

The PodSecurity admission controller is the replacement for Pod Security Policies, which were deprecated in Kubernetes v1.21.

This admission controller enforces the Pod Security Standards at the namespace level and supports the following three modes:

  • enforce : Pods that violate the policy are rejected;
  • audit : Pods that violate the policy are allowed, but the request gets an audit annotation;
  • warn : Pods that violate the policy are allowed, but trigger a user-facing warning;

It is controlled through a configuration file like the following:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    defaults:  # Defaults applied when a mode label is not set.
      enforce:         <default enforce policy level>
      enforce-version: <default enforce policy version>
      audit:         <default audit policy level>
      audit-version: <default audit policy version>
      warn:          <default warn policy level>
      warn-version:  <default warn policy version>
    exemptions:
      usernames:         [ <array of authenticated usernames to exempt> ]
      runtimeClassNames: [ <array of runtime class names to exempt> ]
      namespaces:        [ <array of namespaces to exempt> ]
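To make the three modes concrete, here is an added Python model (not the admission plugin's own code) of how PodSecurity resolves the effective level per mode from the namespace's pod-security.kubernetes.io/<mode> labels, falling back to the defaults: section above, and what each mode does with a Pod that fails a check. The defaults, exemptions and Pod spec are constructed, and only two baseline checks (hostNetwork and privileged containers) stand in for the full Pod Security Standards.

```python
MODES = ("enforce", "audit", "warn")

# Constructed defaults mirroring the `defaults:` section of the
# AdmissionConfiguration above; namespace labels override them.
DEFAULTS = {"enforce": "privileged", "audit": "baseline", "warn": "baseline"}
EXEMPT_USERS = {"system:serviceaccount:kube-system:deployment-controller"}
EXEMPT_NAMESPACES = {"kube-system"}


def effective_levels(ns_labels, defaults=DEFAULTS):
    """Per mode, the pod-security.kubernetes.io/<mode> label wins over the default."""
    return {m: ns_labels.get(f"pod-security.kubernetes.io/{m}", defaults[m])
            for m in MODES}


def violations(pod_spec, level):
    """Two of the baseline checks (restricted includes them as well)."""
    if level == "privileged":
        return []
    found = []
    if pod_spec.get("hostNetwork"):
        found.append("hostNetwork=true")
    for c in pod_spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"container {c['name']} is privileged")
    return found


def admit(pod_spec, ns_name, ns_labels, username):
    """Return (allowed, warnings, audit_annotations) as the plugin would.

    The three modes are evaluated independently, so a rejected Pod still
    carries the warn and audit results; version labels are ignored here.
    """
    if ns_name in EXEMPT_NAMESPACES or username in EXEMPT_USERS:
        return True, [], {}
    levels = effective_levels(ns_labels)
    allowed = not violations(pod_spec, levels["enforce"])
    warnings = [f"would violate PodSecurity {levels['warn']}: {v}"
                for v in violations(pod_spec, levels["warn"])]
    audit = violations(pod_spec, levels["audit"])
    annotations = ({"pod-security.kubernetes.io/audit-violations": "; ".join(audit)}
                   if audit else {})
    return allowed, warnings, annotations


# Constructed Pod spec that fails baseline on both checks.
PRIV_POD = {"hostNetwork": True, "containers": [
    {"name": "agent", "securityContext": {"privileged": True}}]}
```

With no labels on the namespace the defaults above let PRIV_POD through while still warning and auditing, which is the usual rollout pattern before switching enforce to baseline.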

Node swap support

This feature is now in alpha.

Although swap is slow, there are many scenarios where it is needed, especially for some Java and Node.js applications.

A discussion on whether to support swap has been open in the Kubernetes issue tracker for about 5 years. At present, once the feature is turned on it applies to the entire Node; it cannot be limited to a particular Pod.

You can enable this feature with the following steps:

  • Enable swap on the Node;
  • Turn on the NodeMemorySwap feature gate of the kubelet;
  • Set --fail-swap-on=false;
  • Optionally set MemorySwap.SwapBehavior=UnlimitedSwap in the kubelet configuration.

For more information, please refer to: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2400-node-swap

External client credential providers

This feature allows client-go to obtain credentials from an external tool, which makes it possible to integrate authentication systems such as LDAP, Kerberos, OAuth2 and SAML. It has existed since v1.10.

To use it, configure an exec block under the user field in the kubeconfig file, for example:

apiVersion: v1
kind: Config
users:
- name: my-user
  user:
    exec:
      command: "example-client-go-exec-plugin"
      apiVersion: "client.authentication.k8s.io/v1beta1"

      env:
      - name: "FOO"
        value: "bar"

      args:
      - "arg1"
      - "arg2"
      
      provideClusterInfo: true
clusters:
...

The plugin to run is configured under user.exec. There is also a sample project for reference: https://github.com/ankeesler/sample-exec-plugin
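As an added example (not the sample project's code), here is a minimal exec plugin in Python that follows the client-go exec protocol: with provideClusterInfo: true, client-go passes an ExecCredential containing the cluster's server in the KUBERNETES_EXEC_INFO environment variable, and the plugin prints an ExecCredential with status.token, and optionally expirationTimestamp, to stdout. FAKE_TOKENS is a constructed stand-in for the identity provider, keyed by server URL.

```python
import json
import os
import sys
import time

# Constructed stand-in for an identity provider: tokens keyed by API server URL.
# A real plugin would obtain the token from LDAP, Kerberos, OAuth2, SAML, etc.
FAKE_TOKENS = {"https://k8s.example.com:6443": "tok-example"}


def parse_exec_info(raw):
    """Parse the ExecCredential client-go passes in KUBERNETES_EXEC_INFO."""
    info = json.loads(raw)
    if info.get("kind") != "ExecCredential" or "apiVersion" not in info:
        raise ValueError("KUBERNETES_EXEC_INFO is not an ExecCredential")
    return info


def build_credential(exec_info, token, ttl_seconds=900, now_epoch=None):
    """Build the ExecCredential the plugin must print to stdout.

    apiVersion must echo the one client-go sent. expirationTimestamp is
    optional, but with it client-go knows when to re-run the plugin instead
    of waiting for a 401 from the server.
    """
    now_epoch = time.time() if now_epoch is None else now_epoch
    expiry = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now_epoch + ttl_seconds))
    return {
        "apiVersion": exec_info["apiVersion"],
        "kind": "ExecCredential",
        "status": {"token": token, "expirationTimestamp": expiry},
    }


def main():
    raw = os.environ.get("KUBERNETES_EXEC_INFO")
    if not raw:
        sys.exit("KUBERNETES_EXEC_INFO is unset: set provideClusterInfo: true")
    info = parse_exec_info(raw)
    # spec.cluster is only present when provideClusterInfo is true.
    server = info.get("spec", {}).get("cluster", {}).get("server")
    token = FAKE_TOKENS.get(server)
    if token is None:
        sys.exit(f"no credential for cluster {server!r}")
    # Only the credential may go to stdout; diagnostics belong on stderr.
    json.dump(build_credential(info, token), sys.stdout)


if __name__ == "__main__":
    main()
```

Point command: in the kubeconfig above at this script; kubectl runs it on demand and reads the token from its stdout, so the token never has to be written into the kubeconfig itself.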

Indexed Job API

The Indexed Job API added in Kubernetes v1.21 makes it easier to run parallel Jobs. A Pod in the Job can learn its own index through an environment variable, as in the following example:

[...]
    spec:
      subdomain: my-job-svc
      containers:
      - name: task
        image: registry.example.com/processing-image
        # $(VAR) is the reference syntax Kubernetes expands in command/args;
        # a bare $VAR is only expanded by a shell, and there is none here.
        command: ["./process",  "--index", "$(JOB_COMPLETION_INDEX)", "--hosts-pattern", "my-job-{{.id}}.my-job-svc"]

Added suspend field to Job API

Since v1.21, a Job can be temporarily suspended by setting .spec.suspend=true. This gives more convenient control, similar to how a workflow can be suspended in Argo Workflows.

CSR validity period

With the ExpirationSeconds field of CertificateSigningRequestSpec, the validity period of the issued certificate can be controlled; the minimum accepted value is 600 (10 minutes). The default remains 1 year.

QoS of memory resources

Previously, with cgroups v1, Pod QoS in practice only applied to CPU resources. Kubernetes v1.22 adds an alpha feature based on cgroups v2 that provides QoS for memory resources as well. (If I remember correctly, this KEP was submitted by the Tencent Cloud team.)

For other notable changes, please refer to the earlier "K8S Ecological Weekly" issues, including "K8S Ecological Weekly | Kubernetes v1.22.0-beta.0 Release".

Of course, you can also use KIND to quickly experience Kubernetes v1.22 using the following commands:

kind create cluster --image=kindest/node:v1.22.0@sha256:b8bda84bb3a190e6e028b1760d277454a72267a5454b57db34437c34a588d047

Welcome to follow my WeChat official account【MoeLove】

张晋涛