
Kubernetes 1.7 Released with Security Hardening, StatefulSet Updates and Extensibility Features

Kubernetes 1.7 has been released with a focus on delivering features for security, storage and extensibility, and includes a Network Policy API, automated upgrade strategies for StatefulSets, and an extensible API aggregation layer. The previous Kubernetes 1.6 release focused on scale and automation, and this latest release is clearly attempting to further lay the foundations for the adoption of Kubernetes within enterprise organisations. It is worth noting that many of the headline features released in 1.7 are documented as alpha or beta, although core cluster orchestration functionality is stable.

New security features include: the Network Policy API has been promoted to stable, which, when implemented by a network plug-in, allows users to set and enforce rules governing which pods can communicate with each other (much like existing network/cloud ACLs); the node authorizer and the NodeRestriction admission plugin are new beta additions that restrict each kubelet's access to the Kubernetes API operations on secrets, pods and other objects to those bound to its own node; encryption for Secrets and other resources stored within etcd is now available as alpha; Kubelet TLS bootstrapping, available as alpha, now supports client and server certificate rotation; and audit logs recorded by the API server are now more customisable and extensible.
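The following manifest is an added example of the stable Network Policy API, written for this edit rather than taken from the release notes or from the Kubernetes project. The namespace name and the `app=api` / `app=db` labels are hypothetical. The first policy selects every pod in the namespace and allows no ingress, so it acts as a default deny; the second re-admits only the traffic that is explicitly needed.

```yaml
# Added example, not from the Kubernetes 1.7 release notes or this article.
# Assumes a namespace "payments" and pods labelled app=api and app=db
# (all hypothetical). networking.k8s.io/v1 is the API version the Network
# Policy API was promoted to as stable in 1.7.
#
# Policy 1: deny all ingress to every pod in the namespace. An empty
# podSelector matches every pod; a policy with no ingress rules allows no
# inbound traffic to the pods it selects.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}
---
# Policy 2: allow only pods labelled app=api to reach the db pods on
# TCP/5432. Policies are additive: a connection is permitted if any policy
# selecting the destination pod allows it, so this punches exactly one hole
# in the default deny above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: db
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 5432
```

One check worth making after `kubectl apply -f`: the API server stores and returns NetworkPolicy objects whether or not the installed network plug-in enforces them, so a successful apply proves nothing about isolation. Confirm enforcement by starting a pod in the namespace without the `app=api` label and verifying that a connection to a db pod on port 5432 times out, while the same connection from a pod carrying the label succeeds.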

Features focusing on storage and managing stateful workloads include: StatefulSet Updates, a new beta feature in version 1.7 which allows the automated update of stateful applications using a range of update strategies including rolling updates, canary and phased roll-outs; local persistent volumes, released in alpha, which allow users to access local storage volumes through the standard PersistentVolumeClaim/PersistentVolume interface and via StorageClasses in StatefulSets; DaemonSets, which run a copy of a specific pod on every node, now have rollback and history capabilities; and a new StorageOS volume plugin provides highly-available cluster-wide persistent volumes from local or attached node storage.
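The manifest below is an added example of the beta StatefulSet update strategy, written for this edit and not taken from the release notes or the Kubernetes project. The service name, image tag and replica count are hypothetical. It shows how the `partition` field of a `RollingUpdate` strategy gives the canary and phased roll-outs mentioned above: only pods whose ordinal is greater than or equal to the partition are moved to the new pod template.

```yaml
# Added example, not from the Kubernetes 1.7 release notes or this article.
# Assumes a headless Service named "web" and the image "example.com/web:1.1"
# (both hypothetical).
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: web
spec:
  serviceName: web
  replicas: 4
  # New in 1.7 (beta). The default in apps/v1beta1 is OnDelete, which only
  # replaces a pod when something else deletes it.
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # Canary: with partition 3 only web-3 receives the new template;
      # web-0, web-1 and web-2 stay on the current revision. Lower the
      # partition step by step (3 -> 2 -> 1 -> 0) to phase the change in,
      # or restore the previous template to roll the canary back.
      partition: 3
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: example.com/web:1.1   # changing this tag starts the rollout
        ports:
        - containerPort: 8080
          name: http
        volumeMounts:
        - name: data
          mountPath: /var/lib/web
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 1Gi
```

Progress can be followed in the object's status (`kubectl get statefulset web -o yaml`), where `updatedReplicas` counts pods already on the new revision; a rolling update with the partition left at 0 replaces pods one at a time in reverse ordinal order, waiting for each to become Ready before continuing.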

In regards to extensibility, an API aggregation layer has been added in beta, allowing users to add Kubernetes-style pre-built, user-defined or 3rd party APIs to their cluster. Examples include adding the incubating Open Service Broker API compliant service-catalog. On a related topic, the Third Party Resource (TPR) has been replaced with Custom Resource Definitions (CRD), which provide a cleaner API and resolve issues and corner cases that were raised during the beta period of TPR. CoreOS have published a blog post containing more details on the differences, and have also provided a walkthrough of creating a CRD. The TPR beta feature is scheduled for removal by the community in Kubernetes 1.8. The Container Runtime Interface (CRI) has also been enhanced with new RPC calls to retrieve container metrics from the runtime. Validation tests for the CRI have been published, and alpha integration with containerd, which supports basic pod lifecycle and image management, is now available. Additional information on the CRI can be found in an existing Kubernetes blog post.
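As an added example of the CRD mechanism that replaces TPR (written for this edit, not taken from the CoreOS walkthrough or the Kubernetes project), the manifest below defines a hypothetical `Database` kind in the hypothetical API group `stable.example.com` and then creates one instance of it.

```yaml
# Added example, not from the Kubernetes 1.7 release notes or this article.
# The group "stable.example.com", the kind "Database" and the spec fields
# are hypothetical.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  # The name must be exactly <plural>.<group>; the API server rejects
  # anything else, which is one of the TPR corner cases CRDs tightened.
  name: databases.stable.example.com
spec:
  group: stable.example.com
  version: v1
  scope: Namespaced        # or Cluster
  names:
    plural: databases
    singular: database
    kind: Database
    shortNames:
    - db
---
# Once the CRD above has been accepted, objects of the new kind are served
# at /apis/stable.example.com/v1/namespaces/<namespace>/databases and can be
# managed with kubectl like any built-in resource (kubectl get db).
apiVersion: stable.example.com/v1
kind: Database
metadata:
  name: orders
spec:
  engine: postgres
  storageGB: 20
```

Two caveats a practitioner should keep in mind: a CustomResourceDefinition is a cluster-scoped object, so creating one needs cluster-level permissions rather than namespace-level ones, and in 1.7 the API server performs no schema validation of a custom object's `spec`, so any controller consuming these objects must validate the fields itself.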

The commercial Google Cloud Platform (GCP) Container Engine (GKE) offers the latest release of Kubernetes 1.7, and has provided additional integration between the open source Kubernetes release and their platform, including: HTTP re-encryption through Google Cloud Load Balancing (GCLB), allowing customers to use HTTPS between the GCLB and their service backends; GA support for all private IP (RFC 1918) addresses, allowing users to create clusters and access resources in all private IP ranges; exposing services by internal load balancing, provided in beta, allowing Kubernetes and non-Kubernetes services to access one another on a private network (although support for accessing internal load balancers over Cloud VPN is currently in alpha); support for running NVIDIA K80 GPUs in alpha clusters for users experimenting with machine learning; auto-repair, in beta, which keeps the cluster healthy by proactively monitoring for unhealthy nodes and repairing them automatically without user involvement; and GCP-optimised enhancements to facilitate cluster autoscaling at the underlying infrastructure level.

Additional information on the Kubernetes 1.7 release can be found on the Kubernetes blog, and in the GitHub Kubernetes 1.7 release notes.
