Less Is More with Kubernetes 1.22

Kubernetes version 1.22 has been released, and with the new features, some old ones have been dropped — not just deprecated … but dropped.
There are 56 enhancements to this new release (which is up from 50 in Kubernetes 1.1 and 43 in 1.20). Of those 56 enhancements, there are 13 which have graduated to Stable, 24 features that have seen important improvements, and 16 features that are brand spanking new.
Hello! You need to pay attention to the release notes for Kubernetes v1.22. I know nobody likes reading release notes, but you gotta. In this version, multiple beta APIs will be *removed.* Not deprecated, removed. (a thread, sigh)
— Kat Cosgrove (@Dixie3Flatline) July 14, 2021
Let’s be clear, these are not deprecations but straight-up removals. So as of version 1.22, the betas of the following will be removed (in favor of their newer, stable counterparts):
- Ingress
- IngressClass
- Lease
- APIService
- CustomResourceDefinition
- ValidatingWebhookConfiguration
- MutatingWebhookConfiguration
- CertificateSigningRequest
- TokenReview
- SubjectAccessReview
Ingress is of particular interest, as it is the more secure way to make containers reachable from outside the Kubernetes cluster. From 1.22 on, you’ll need to migrate to the networking.k8s.io/v1 Ingress API (which has been available since v1.19). You’ll also want to know the related IngressClass API, which is designed as a complement to Ingress.
An example of how you can use Ingress with v1 might look like:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - host: hello-world.info
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
```
For more information on what has been removed from Kubernetes, as well as how to find the replacement functionality, make sure to read through the Deprecation Guide.
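Before upgrading, it helps to find manifests that still request one of the removed beta versions. The following is an added example, not code from the article or the Kubernetes project: it scans a multi-document manifest for the kinds listed above. The API group names come from the upstream Deprecation Guide rather than this page, and the sample manifest is constructed.

```python
import re

# apiVersion -> kinds from the list above that are removed in Kubernetes 1.22.
# Group names are taken from the upstream Deprecation Guide, not this page.
REMOVED_IN_1_22 = {
    "extensions/v1beta1": {"Ingress"},
    "networking.k8s.io/v1beta1": {"Ingress", "IngressClass"},
    "coordination.k8s.io/v1beta1": {"Lease"},
    "apiregistration.k8s.io/v1beta1": {"APIService"},
    "apiextensions.k8s.io/v1beta1": {"CustomResourceDefinition"},
    "admissionregistration.k8s.io/v1beta1": {
        "ValidatingWebhookConfiguration", "MutatingWebhookConfiguration"},
    "certificates.k8s.io/v1beta1": {"CertificateSigningRequest"},
    "authentication.k8s.io/v1beta1": {"TokenReview"},
    "authorization.k8s.io/v1beta1": {"SubjectAccessReview"},
}
# Only unindented keys match, so nested apiVersion/kind fields are ignored.
TOP_LEVEL = re.compile(r"^(apiVersion|kind):\s*['\"]?([^'\"#\s]+)", re.M)

# Constructed sample: two manifests on removed versions, one already migrated.
SAMPLE = """\
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata: {name: old-ingress}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: {name: example-ingress}
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata: {name: widgets.example.com}
"""

def replacement(api_version):
    """Stable apiVersion that serves the same kind from 1.22 on."""
    group = api_version.split("/")[0]
    return "networking.k8s.io/v1" if group == "extensions" else group + "/v1"

def find_removed(manifest_text):
    """Return (doc_index, kind, old_apiVersion, new_apiVersion) per hit."""
    hits = []
    for index, doc in enumerate(re.split(r"^---\s*$", manifest_text, flags=re.M)):
        fields = dict(TOP_LEVEL.findall(doc))
        api, kind = fields.get("apiVersion"), fields.get("kind")
        if kind in REMOVED_IN_1_22.get(api, ()):
            hits.append((index, kind, api, replacement(api)))
    return hits
```

Objects wrapped in a `kind: List` are indented and therefore not inspected. Changing the apiVersion string is only the first step, since several of the v1 schemas differ from their beta forms.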
New Features
Now, let’s take a look at some of the more important enhancements that have made it into the new release.
Server-Side Apply
Server-Side Apply makes it easier for both users and controllers to manage resources via declarative configurations. This feature, a new field ownership and object merge algorithm, has finally moved to general availability. It moves the apply logic out of the kubectl apply command and into the apiserver. Server-Side Apply also tracks a user’s field management (rather than a user’s last applied state). Field management is stored in an object’s metadata, using the managedFields field, like so:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: test-cm
  namespace: default
  labels:
    test-label: test
  managedFields:
  - manager: kubectl
    operation: Apply
    apiVersion: v1
    time: "2010-10-10T0:00:00Z"
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          f:test-label: {}
      f:data:
        f:key: {}
data:
  key: some value
```
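The managedFields entries can be read back to audit which manager owns which field. The following is an added example, not code from the article or the Kubernetes project: it flattens each fieldsV1 tree into field paths and reports fields claimed by more than one manager. The sample is the ConfigMap above in JSON form plus a second, hypothetical manager named example-controller.

```python
import json

# Constructed sample: the ConfigMap above as JSON, plus a second, hypothetical
# manager ("example-controller") that applies the same key and one more.
OBJECT = json.loads("""
{"metadata": {"name": "test-cm", "managedFields": [
  {"manager": "kubectl", "operation": "Apply", "fieldsType": "FieldsV1",
   "fieldsV1": {"f:metadata": {"f:labels": {"f:test-label": {}}},
                "f:data": {"f:key": {}}}},
  {"manager": "example-controller", "operation": "Apply",
   "fieldsType": "FieldsV1",
   "fieldsV1": {"f:data": {"f:key": {}, "f:extra": {}}}}
]}}
""")


def field_paths(fields, prefix=""):
    """Flatten a fieldsV1 tree into the paths of the fields it marks as owned."""
    paths = []
    for key, child in fields.items():
        if key == ".":  # "." stands for the enclosing field itself
            if prefix:
                paths.append(prefix)
            continue
        if key.startswith("f:"):  # "f:<name>" is a named field
            path = f"{prefix}.{key[2:]}" if prefix else key[2:]
        else:  # "k:", "v:" and "i:" keys select an item of a list or set
            path = f"{prefix}[{key}]"
        # An empty child is a leaf; otherwise descend into the sub-fields.
        paths.extend(field_paths(child, path) if child else [path])
    return paths


def owners_by_field(obj):
    """Map each managed field path to the sorted names of its managers."""
    owners = {}
    for entry in obj.get("metadata", {}).get("managedFields", []):
        for path in field_paths(entry.get("fieldsV1", {})):
            owners.setdefault(path, set()).add(entry["manager"])
    return {path: sorted(names) for path, names in owners.items()}


def shared_fields(obj):
    """Fields that more than one manager currently claims."""
    return {p: m for p, m in owners_by_field(obj).items() if len(m) > 1}
```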
External Credential Providers
External credential providers provide a way of obtaining external client authentication credentials (such as bearer tokens or TLS client certificates). This feature has been in beta since Kubernetes 1.11 and finally graduates to Stable. This feature includes improved support for plugins that add interactive login flows and a number of bug fixes. To get started with this feature, visit the sample-exec-plugin code on GitHub for more information.
Etcd Is Now at Version 3.5.0
The Kubernetes backend storage mechanism, etcd, is now at version 3.5.0, which includes numerous security, performance, and monitoring improvements. Both structured logging and log rotation have been added. For more expensive requests, enhanced detailed tracking has been added, which provides a very useful signal to help developers understand the lifetime of a request spanning multiple etcd server components.
Cgroups V2 API
Kubernetes originally used version 1 of the cgroups API, which means the quality-of-service (QoS) class for a given Pod would only apply to CPU resources. Kubernetes v1.22 now includes an alpha version of the cgroups v2 API, which controls memory allocation and isolation. This should greatly improve workload and node availability, as well as improve the predictability of a container’s lifecycle.
Node System Swap Support
If you’ve ever deployed a Kubernetes cluster, you know one of the first things you must do is disable swap. For that, you open the /etc/fstab file with the command:
sudo nano /etc/fstab
And comment out the line starting with:
/swap.img
Once you’ve done that, you disable the current running instance with the command:
sudo swapoff -a
As of Kubernetes 1.22, alpha support has been added so that you can run nodes with swap memory enabled.
Rootless Mode Containers
Everyone knows running containers as a non-root user is a must for security. This is as no-brainer as it gets. But with version 1.22, the developers are taking this idea to new levels and allowing administrators to run the entire Kubernetes stack as a non-root user. In the end, this should go a very long way to help secure Kubernetes.
Features Graduated to Stable and Other Updates
Other Kubernetes features that have graduated to “stable” status, which means they are ready to use, include:
- Bound Service Account Token Volumes
- CSI Service Account Token
- Windows Support for CSI Plugins
- Warning mechanism for deprecated API use
- PodDisruptionBudget Eviction
There are also a few other miscellaneous feature updates, which include:
- A new alpha feature, PodSecurity admission, which replaces PodSecurityPolicy.
- The Memory Manager has moved to beta.
- A new API Server Tracing feature has been added as alpha.
- A new v1beta3 version of the kubeadm configuration format has been added.
- Generic data populators for PersistentVolumes are in alpha.
- The Kubernetes control plane will now always use the CronJobs v2 controller.
For a complete list of all the new additions, enhancements, bug fixes, and removals, check out the official Kubernetes 1.22 release notes.