
Less Is More with Kubernetes 1.22

6 Aug 2021 10:02am, by

Kubernetes version 1.22 has been released, and with the new features, some old ones have been dropped — not just deprecated … but dropped.

There are 56 enhancements to this new release (which is up from 50 in Kubernetes 1.1 and 43 in 1.20). Of those 56 enhancements, there are 13 which have graduated to Stable, 24 features that have seen important improvements, and 16 features that are brand spanking new.

Let’s be clear, these are not deprecations but straight-up removals. So as of version 1.22, the betas of the following will be removed (in favor of their newer, stable counterparts):

  • Ingress
  • IngressClass
  • Lease
  • APIService
  • CustomResourceDefinition
  • ValidatingWebhookConfiguration
  • MutatingWebhookConfiguration
  • CertificateSigningRequest
  • TokenReview
  • SubjectAccessReview

Ingress is of particular interest, as it is the more secure way to expose containers to traffic from outside the Kubernetes cluster. From 1.22 on, you’ll need to migrate to the networking.k8s.io/v1 Ingress API (which has been available since v1.19). You’ll also want to know the related IngressClass API, which is designed as a complement to Ingress.

An example of how you can use Ingress with v1 might look like:
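The migration the article asks for, worked through as an added example (this is not the article's own listing, and not Kubernetes project code): it rewrites a networking.k8s.io/v1beta1 Ingress into the v1 shape, applying the renames the v1 schema requires (per-path `backend.serviceName`/`servicePort` become `backend.service.name`/`port`, `spec.backend` becomes `spec.defaultBackend`, `pathType` becomes mandatory, and the `kubernetes.io/ingress.class` annotation gives way to `spec.ingressClassName`). The sample Ingress and the `convert_ingress` helper name are constructed for this example.

```python
"""Convert a networking.k8s.io/v1beta1 Ingress object to networking.k8s.io/v1.

Added example for this article, not code from the Kubernetes project. The
sample Ingress below is constructed for the example.
"""
import copy
import json

V1BETA1 = "networking.k8s.io/v1beta1"
V1 = "networking.k8s.io/v1"
INGRESS_CLASS_ANNOTATION = "kubernetes.io/ingress.class"


def _convert_backend(old):
    """Map a v1beta1 IngressBackend to the v1 shape (service.name / service.port)."""
    if "resource" in old:            # resource backends already use the v1 shape
        return copy.deepcopy(old)
    port = old["servicePort"]
    # v1 separates named ports from numeric ports instead of using an IntOrString.
    port_field = {"name": port} if isinstance(port, str) else {"number": int(port)}
    return {"service": {"name": old["serviceName"], "port": port_field}}


def convert_ingress(obj):
    """Return a v1 Ingress built from a v1beta1 one; the input is left untouched."""
    if obj.get("apiVersion") != V1BETA1 or obj.get("kind") != "Ingress":
        raise ValueError("expected a networking.k8s.io/v1beta1 Ingress")
    new = copy.deepcopy(obj)
    new["apiVersion"] = V1
    spec = new.setdefault("spec", {})

    # spec.backend -> spec.defaultBackend
    if "backend" in spec:
        spec["defaultBackend"] = _convert_backend(spec.pop("backend"))

    # Annotation-based class selection -> spec.ingressClassName
    annotations = new.get("metadata", {}).get("annotations", {})
    cls = annotations.pop(INGRESS_CLASS_ANNOTATION, None)
    if cls is not None and "ingressClassName" not in spec:
        spec["ingressClassName"] = cls
    if annotations == {} and "annotations" in new.get("metadata", {}):
        del new["metadata"]["annotations"]

    # Per-rule paths: pathType is mandatory in v1. ImplementationSpecific keeps
    # the old controller-defined matching; Prefix and Exact are the stricter choices.
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            path.setdefault("pathType", "ImplementationSpecific")
            if "serviceName" in path.get("backend", {}):
                path["backend"] = _convert_backend(path["backend"])
    return new


# Constructed sample: a typical pre-1.19 Ingress manifest.
SAMPLE_V1BETA1 = {
    "apiVersion": V1BETA1,
    "kind": "Ingress",
    "metadata": {
        "name": "web",
        "annotations": {INGRESS_CLASS_ANNOTATION: "nginx"},
    },
    "spec": {
        "backend": {"serviceName": "default-http", "servicePort": 80},
        "rules": [{
            "host": "example.internal",
            "http": {"paths": [
                {"path": "/api", "backend": {"serviceName": "api", "servicePort": "http"}},
            ]},
        }],
    },
}

if __name__ == "__main__":
    print(json.dumps(convert_ingress(SAMPLE_V1BETA1), indent=2))
```

Review the `pathType` the converter defaults to before applying the result: `ImplementationSpecific` preserves whatever your controller did before, while `Prefix` or `Exact` make the routing rule explicit and are the better choice for new manifests.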

For more information on what has been removed from Kubernetes, as well as how to find the replacement functionality, make sure to read through the Deprecation Guide.

New Features

Now, let’s take a look at some of the more important enhancements that have made it into the new release.

Server-Side Apply

Server-Side Apply makes it easier for both users and controllers to manage resources via declarative configurations. The feature, which has finally moved to general availability, is a new field ownership and object merge algorithm: it moves the merge logic out of the kubectl apply command and into the apiserver. Server-Side Apply also tracks a user’s field management (rather than a user’s last applied state). Field management is stored in an object’s metadata, using the managedFields field, like so:
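In a real object, each managedFields entry records the manager name, the operation (Apply or Update), the API version and a fieldsV1 map of the fields that manager owns. The following is an added illustration, not Kubernetes code: a toy model on a flat field map that shows the behaviour those entries drive, namely that a second manager applying a different value to a field someone else owns gets a conflict, that applying the same value yields shared ownership, that a forced apply transfers ownership, and that fields a manager stops sending are released and dropped once nobody owns them. The `ManagedObject` class, the field paths and the manager names are constructed for the example.

```python
"""Toy model of Server-Side Apply field ownership and conflict detection.

Added illustration for this article, not Kubernetes code. Field paths and
manager names are constructed for the example.
"""
from dataclasses import dataclass, field


class Conflict(Exception):
    """Raised when an apply would overwrite fields owned by other managers."""

    def __init__(self, entries):
        self.entries = entries  # list of (field path, owning manager)
        super().__init__("conflicts: " + ", ".join(f"{p} ({m})" for p, m in entries))


@dataclass
class ManagedObject:
    fields: dict = field(default_factory=dict)    # e.g. {"spec.replicas": 3}
    managed: dict = field(default_factory=dict)   # manager -> set of owned field paths

    def owners(self, path):
        return {m for m, owned in self.managed.items() if path in owned}

    def apply(self, manager, desired, force=False):
        """Apply `desired` on behalf of `manager`, like kubectl apply --server-side."""
        conflicts = [
            (p, m)
            for p, v in desired.items()
            if p in self.fields and self.fields[p] != v
            for m in sorted(self.owners(p) - {manager})
        ]
        if conflicts and not force:
            raise Conflict(conflicts)

        # Fields this manager owned but no longer sends are released; when no
        # other manager owns them they disappear from the object.
        for p in self.managed.get(manager, set()) - set(desired):
            if self.owners(p) == {manager}:
                self.fields.pop(p, None)

        for p, v in desired.items():
            if force and self.fields.get(p) != v:
                # --force-conflicts: the applier takes sole ownership of the field.
                for other in self.owners(p) - {manager}:
                    self.managed[other].discard(p)
            self.fields[p] = v
        self.managed[manager] = set(desired)
        return self


def demo():
    """Constructed scenario: kubectl and an autoscaler share one object.
    Returns the conflict the autoscaler hit and the final object."""
    obj = ManagedObject()
    obj.apply("kubectl", {"spec.replicas": 3, "spec.template.image": "app:1.0"})
    conflict = None
    try:
        obj.apply("hpa-controller", {"spec.replicas": 5})
    except Conflict as c:
        conflict = c.entries
    # Forced apply: the autoscaler now owns replicas and kubectl no longer does.
    obj.apply("hpa-controller", {"spec.replicas": 5}, force=True)
    # kubectl re-applies a manifest that omits replicas; the field stays because
    # kubectl no longer owns it, so there is nothing for kubectl to release.
    obj.apply("kubectl", {"spec.template.image": "app:1.1"})
    return conflict, obj


if __name__ == "__main__":
    seen, obj = demo()
    print("conflict:", seen)
    print("fields:", obj.fields)
    print("managed:", obj.managed)
```

The point to take from the model is the last step: with last-applied state, kubectl would have reset replicas to whatever its manifest said, whereas ownership tracking lets the autoscaler's value survive a routine re-apply.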

External Credential Providers

External credential providers provide a way of obtaining external client authentication credentials (such as bearer tokens or TLS client certificates). This feature has been in beta since Kubernetes 1.11 and finally graduates to Stable. This feature includes improved support for plugins that add interactive login flows and a number of bug fixes. To get started with this feature, visit the sample-exec-plugin code on GitHub for more information.
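What the exec protocol looks like from the plugin's side, as an added example that is neither the sample-exec-plugin the article points to nor Kubernetes code: kubectl runs the command configured under `users[].user.exec` in the kubeconfig, hands it the request as JSON in the `KUBERNETES_EXEC_INFO` environment variable, and reads an ExecCredential object back from stdout. The token source (`read_token_file`, `EXAMPLE_TOKEN_FILE`) is a constructed stand-in for whatever identity provider a real plugin would talk to.

```python
"""Minimal exec credential plugin speaking client.authentication.k8s.io/v1.

Added example for this article; it is neither the Kubernetes sample-exec-plugin
nor project code. The token source (read_token_file / EXAMPLE_TOKEN_FILE) is a
constructed stand-in for a real identity-provider exchange.
"""
import datetime
import json
import os
import sys

API_VERSION = "client.authentication.k8s.io/v1"


def parse_exec_info(raw):
    """Validate the ExecCredential kubectl passes in and return its spec."""
    info = json.loads(raw)
    if info.get("apiVersion") != API_VERSION or info.get("kind") != "ExecCredential":
        raise ValueError(f"unexpected input: {info.get('apiVersion')}/{info.get('kind')}")
    return info.get("spec", {})


def build_credential(token, expires_at):
    """Build the ExecCredential object kubectl expects on stdout."""
    return {
        "apiVersion": API_VERSION,
        "kind": "ExecCredential",
        "status": {
            "token": token,
            # RFC 3339 UTC; kubectl caches the token until then and re-runs the plugin after.
            "expirationTimestamp": expires_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        },
    }


def fetch_credential(spec, read_token, now=None, ttl_minutes=15):
    """Obtain a token via read_token(); prompt-style flows are only allowed when
    kubectl has declared the session interactive (spec.interactive)."""
    token = read_token()
    if not token:
        if not spec.get("interactive", False):
            raise RuntimeError("no cached token and the session is not interactive; "
                               "set interactiveMode: IfAvailable in the kubeconfig")
        raise RuntimeError("interactive login is not implemented in this example")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return build_credential(token, now + datetime.timedelta(minutes=ttl_minutes))


def read_token_file(path):
    """Constructed token source: a pre-fetched token stored in a file, or None."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read().strip() or None


def main():
    raw = os.environ.get("KUBERNETES_EXEC_INFO")
    if raw is None:
        sys.exit("KUBERNETES_EXEC_INFO is not set; this program is meant to be run by kubectl")
    spec = parse_exec_info(raw)
    token_file = os.environ.get("EXAMPLE_TOKEN_FILE", "token.txt")
    cred = fetch_credential(spec, lambda: read_token_file(token_file))
    json.dump(cred, sys.stdout)


if __name__ == "__main__":
    main()
```

Wire it in with an exec stanza whose `apiVersion` is `client.authentication.k8s.io/v1`; the v1 API requires `interactiveMode` (`Never`, `IfAvailable` or `Always`) to be set, which is what lets the plugin decide whether a login prompt is acceptable, as the `interactive` check above does.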

Etcd Is Now at Version 3.5.0

The Kubernetes backend storage mechanism, etcd, is now at version 3.5.0, which includes numerous security, performance, and monitoring improvements. Both structured logging and log rotation have been added. Expensive requests now get detailed tracing, which gives developers a very useful signal for understanding the lifetime of a request that spans multiple etcd server components.

Cgroups V2 API

Kubernetes originally used version 1 of the cgroups API, which means the quality-of-service (QoS) class for a given Pod would only apply to CPU resources. Kubernetes v1.22 now includes an alpha version of the cgroups v2 API, which controls memory allocation and isolation. This should greatly improve workload and node availability, as well as improve the predictability of a container’s lifecycle.

Node System Swap Support

If you’ve ever deployed a Kubernetes cluster, you know one of the first things you must do is disable swap. For that, you open the /etc/fstab file with the command:

sudo nano /etc/fstab

And comment out the line starting with:

/swap.img

Once you’ve done that, you disable the current running instance with the command:

sudo swapoff -a

As of Kubernetes 1.22, alpha support has been added so that you can run nodes with swap memory enabled.
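The fstab edit in the procedure above, as an added helper that is not part of the article: rather than looking only for a line starting with `/swap.img`, it decides by the third fstab column (the filesystem type), which also catches swap partitions listed by device path or UUID. It works on fstab text so it can be tried on a constructed sample; writing the result back to `/etc/fstab` and running `swapoff -a` remain the operator's steps, as in the article. The `disable_swap_entries` function and `SAMPLE_FSTAB` are constructed for the example.

```python
"""Comment out every swap entry in an fstab, not only a /swap.img line.

Added helper for this article's swap-disabling procedure; not part of the
article. SAMPLE_FSTAB is a constructed sample.
"""


def disable_swap_entries(fstab_text):
    """Return (new_text, disabled_devices): swap lines are prefixed with '#'."""
    out, disabled = [], []
    for line in fstab_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            # fstab columns: device  mountpoint  type  options  dump  pass
            fields = stripped.split()
            if len(fields) >= 3 and fields[2] == "swap":
                disabled.append(fields[0])
                out.append("#" + line)   # keep the original text so it can be restored
                continue
        out.append(line)
    new_text = "\n".join(out) + ("\n" if fstab_text.endswith("\n") else "")
    return new_text, disabled


SAMPLE_FSTAB = """\
# /etc/fstab: constructed sample for the example
UUID=1111-2222  /      ext4  defaults  0 1
/swap.img       none   swap  sw        0 0
UUID=3333-4444  none   swap  sw        0 0
/dev/sdb1       /data  xfs   defaults  0 2
"""

if __name__ == "__main__":
    text, off = disable_swap_entries(SAMPLE_FSTAB)
    print(text)
    print("disabled swap entries:", off)
```

Running it twice is safe: already-commented lines are skipped, so a second pass reports nothing to disable.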

Rootless Mode Containers

Everyone knows running containers as a non-root user is a must for security. This is as much of a no-brainer as it gets. But with version 1.22, the developers are taking this idea to a new level and allowing administrators to run the entire Kubernetes stack as a non-root user. In the end, this should go a very long way toward securing Kubernetes.

Features Graduated to Stable and Other Updates

Other Kubernetes features that have graduated to “stable” status, which means they are ready to use, include:

  • Bound Service Account Token Volumes
  • CSI Service Account Token
  • Windows Support for CSI Plugins
  • Warning mechanism for deprecated API use
  • PodDisruptionBudget Eviction

There are also a few other miscellaneous feature updates, which include:

  • A new alpha feature, PodSecurity admission, which replaces PodSecurityPolicy.
  • The Memory Manager has moved to beta.
  • A new API Server Tracing feature has been added as alpha.
  • A new v1beta3 version of the kubeadm configuration format has been added.
  • Generic data populators for PersistentVolumes are in alpha.
  • The Kubernetes control plane will now always use the CronJobs v2 controller.

For a complete list of all the new additions, enhancements, bug fixes, and removals, check out the official Kubernetes 1.22 release notes.


Feature image by Michal Jarmoluk from Pixabay
