What's New in Kubernetes 1.17

Kubernetes 1.17 Features and Enhancements

Kubernetes 1.17 is here, and includes new features, fixes, and improvements. In this post, we will focus on several new features that Kubernetes 1.17 offers, including the Topology Aware Service routing, the Pod shared PID Namespace, scalability improvements by a new endpoint API, and more.

Pod Shared PID Namespace

Kubernetes popularized the concept of Pods, wherein containers share resources, such as Linux namespaces. One example is the shared network namespace, which means all containers in a Pod share network interfaces, configurations, and port pools. One namespace that was not natively shared between containers in a Pod is the Process Namespace, whereas each container "sees" its own process tree that starts with PID 1. A recently accepted proposal allows containers to share PID namespaces. Sharing PIDs is especially useful for processes across containers that must signal each other (such as the kill command).

Pod Shared PID namespace was available as a beta feature, and is now graduating to GA.

Topology Aware Service Routing

Kubernetes Services abstract away Pods by giving multiple Pod instances the same name and address. To achieve that, the Service implements a simple form of load balancing between the available Pod Endpoints. The load balancer does not consider the physical location of endpoints and can lead to less optimal routing across services in different nodes, zones, or regions. Topology Aware Service routing uses network topology metadata, for example, hostname, cloud region, and cloud zone to make routing decisions. Using Topology Aware Service Routing, you can optimize service-to-service network utilization, improve performance, and reduce costs by avoiding traversing cloud cost domains.

Topology Aware Service Routing will be available as an alpha feature.

Scalability Improvements by New Endpoints API

Kubernetes uses the Endpoint entity to mediate between Pods and Services. Currently, an Endpoint object contains all the individual endpoints of a service. Every operation that involves the Endpoint reading or writing requires recalculating the entire set of endpoints.

In Kubernetes 1.17 the new EndpointSlice API replaces the current Endpoints resource and provides improved support for very large Endpoint objects. The new API provides better support for larger and more complex clusters. The new API also enables other features, such as Topology Aware Service Routing and IPv4/IPv6 dual stack support, that are included in this release.

Incremental Improvements to IPv4/IPv6 Dual Stack

Previously, Kubernetes did not concurrently support IPv4 and IPv6. Kubernetes 1.17 makes some headway toward to that effort. If you are interested in IPv4/IPv6 duality, check out the Kubernetes 1.17 release notes and look for improvements in dual stack support.

Kubernetes CSI Improvements

Container Storage Interface (CSI) is the refactoring of storage related components in Kubernetes into an out-of-tree, pluggable, and modular architecture. CSI is maturing and this release continues the process. Volume Snapshot API is graduating to beta, as well as the migration of the existing storage plugin code to CSI drivers. CSI Topology support, an important feature that makes the Kubernetes volume provisioner aware of physical concepts such as cloud zones, is now GA.

Defaulting and Pruning for Custom Resources

Custom Resource Definitions, CRDs, are a popular way to extend Kubernetes and build cloud native applications. When defining a CRD, the developer defines a schema that the end-user will use when creating a resource of that kind. If the user did not follow the schema, the data will still be persisted in etcd. As well as being a confusing behavior, it also poses potential security risks. Pruning is a new feature that makes sure that no user defined data is persisted to etcd, unless it is defined by the CRD schema. Defaulting allows the CRD developer to define default values for CRD fields as an OpenAPI schema definition, improving the user experience.

These and other exciting features are included with this new release of Kubernetes. Get ready to upgrade your clusters.

Subscribe to the Aqua blog to keep up to date with the Kubernetes ecosystem.

 

 

Picture of Itay Shakury

Itay Shakury

Itay Shakury is an Open Source Engineer at Aqua Security where he works on Kubernetes security related open source projects. Itay's background is a mix of software architecture, product management, and technology evangelism in the Cloud Native computing space. Itay is also a CNCF Ambassador and is leading the CNCF Tel Aviv meetup group.

Kubernetes Security