Where are you using WebAssembly?
Wasm promises to let developers build once and run anywhere. Are you using it yet?
At work, for production apps
At work, but not for production apps
I don’t use WebAssembly but expect to when the technology matures
I have no plans to use WebAssembly
No plans and I get mad whenever I see the buzzword

Kubernetes 1.29 ‘Mandala’ Tests Mutable Pod Resources

Soon, you will be able to adjust the amount of memory or CPU that a container may have on the fly, without restarting. Also, in-tree cloud providers and iptables get the boot.
Dec 18th, 2023 1:14pm by
Featued image for: Kubernetes 1.29 ‘Mandala’ Tests Mutable Pod Resources
Kubernetes logo courtesy of the Cloud Native Computing Foundation.

In with the new and out with the old! The final version of Kubernetes for 2023 was posted last week, and this release, version 1.29, comes with several new dynamic capabilities, as well as the dispatching of a few pokey legacies that were slowing things down.

On their way out are the remaining in-tree integrations with cloud providers, as well as reliance on the antiqued iptables. And on the new-ish side of things, users can start testing a technology that can right-size their containers to specific workload needs, and another to ensure service mesh sidecars stick around to the very end collecting all the operational lifecycle of an application.

Overall, v1.29 comes with 49 enhancements: Eleven are stable new features, 19 are fresh beta projects and 19 have graduated to Alpha.

On Friday, the Cloud Native Computing Foundation YouTube presentation to review the new release, nicknamed “Mandala” to represent the global effort, and reach of this project.

Here are a few of the highlights:

Vertical Pod Scaling

The sexiest new feature has to be the In-Place Update of Pod Resources (KEP-1287), a dynamic pod expansion capability. This will give operators the ability to adjust CPU and memory resource configurations on the fly.

Since the PodSpec’s Container Resources is immutable, hitherto the only way to change the memory or CPU resources is to restart the container — not a desirable option for cloud native workloads, and can be fatal for stateful batch programs.

“This has been a really long-awaited enhancement,” said Nina Polshakova, Kubernetes 1.29 enhancement lead, in the presentation.

If a pod is underpowered, more memory or CPU can be applied. Likewise, if it is using too many resources it can be slimmed down without being shut down altogether.

This feature is still in Alpha status and has been under development for a while. Version 1.29 is the first to support Windows containers.


Out with iptables, in with nftables

Typically, Kube-Proxy relies on Linux kernel iptables to keep all the rules around network packet forwarding, and this is becoming problematic for a number of reasons

The Linux community has long wanted to replace IPtables for a number of reasons. Making a single change to iptables would require a reload of an entire table. Also, each packet for each service would have to pass through all the filters, slowing even single actions. Plus, development on iptables has largely slowed, and kernel developers have moved their energies to nftables. K8s devs tried a number of workarounds, though none panned out.

It is deprecated in Red Hat Enterprise Linux and is no longer required for Debian.

Thanks to work from the SIG Network group. KubeProxy can now use the successor to iptables, nftables, which has been available since Linux Kernel 3.13 (KEP-3866).

The nftables for kube-proxy are still in alpha stage, and hence still under development, Polshakova said.


Sidecars Join the Party, etc.

The previous version of Kubernetes, v1.28, made sidecars a first-class citizen with their own designation and the ability to stay online for the full lifecycle of the pod. This new release moves that capability into beta mode, making it worth a look for future planning.

Other features called out in the presentation include:

  • ReadWriteOncePod persistent volume access node (KEP-2485) introduced in K8s v1.22, is now on by default. “This access mode allows you to restrict volume access to a single pod in a cluster, ensuring only one pod can write into a volume at a time,” explained Carole Valencia, v1.29 communications lead, in the presentation. This could be valuable to ensure sensitive workloads stay unmolested by third parties.
  • Reduction of secret-based account tokens (KEP-2799) feature gate. Service account-generated tokens are now no longer needed, as the process has been replaced by BoundServiceAccountTokenVolume (GA since 1.22), in which service account tokens would are obtained from the TokenRequest API.
  • New Resource and Monitoring Metrics from the Kublet (KEP 727) are now generally available, including those for better tracking performance and tracing, in a format that is suitable for Prometheus. This endpoint serves metrics for the cluster-level Resource Metrics API.
  • In-Tree Integrations of Cloud Providers (KEP 2395). Believe it or not, K8s v1.29 is the first to not have any in-tree integrations with specific cloud providers. The last three to go, as of this release, are those with Google Cloud, Microsoft Azure and VMware vSphere. If you are using one of these, be prepared for breaking changes.

Kubernetes by the Numbers

The release team, led by Priyanka Saggu, worked on 1.29 for 14 weeks (Sept. 6 to Dec. 5), managing contributions from 796 companies and 1,271 individuals, according to the CNCF K8s DevStats project.

Kubernetes 1.29 is available for download on GitHub, and can also be installed with kubeadm.

The full CNCF presentation can be enjoyed here:

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.