Kubernetes 1.7: Good news for those running scale-out databases on Kubernetes
Kubernetes 1.7 focuses on three things: security, storage and extensibility features. There’s also a major feature that adds automated updates to StatefulSets and enhances updates for DaemonSets. Read on to find out what else is new.
Unlike 1.6, which focused on scale and automation, Kubernetes 1.7 concentrates on security, storage and extensibility features — this move is motivated by widespread production use of Kubernetes in the most demanding enterprise environments, according to the blog post announcing the new release.
Encrypted secrets, network policy for pod-to-pod communication, a node authorizer to limit kubelet access and client/server TLS certificate rotation are among the security improvements in Kubernetes 1.7.
For users running scale-out databases on Kubernetes, there’s a major feature in 1.7 which adds automated updates to StatefulSets and enhances updates for DaemonSets. The good news for users continues: there’s now alpha support for local storage and a burst mode for scaling StatefulSets faster.
Power users rejoice! According to Aparna Sinha, Group Product Manager, Kubernetes Google and Ihor Dvoretskyi, Program Manager, Kubernetes Mirantis, API aggregation in Kubernetes 1.7 allows user-provided apiservers to be served along with the rest of the Kubernetes API at runtime. Support for extensible admission controllers, pluggable cloud providers, and container runtime interface (CRI) enhancements are among the highlights.
What’s new in Kubernetes 1.7?
- The Network Policy API has been promoted to stable. Network policy, implemented through a network plug-in, allows users to set and enforce rules governing which pods can communicate with each other.
- The node authorizer and the NodeRestriction admission plugin, both new additions, restrict a kubelet's access to secrets, pods and other objects to those bound to its own node.
- Encryption for Secrets, and other resources in etcd, is now available as alpha.
- Kubelet TLS bootstrapping now supports client and server certificate rotation.
- Audit logs stored by the API server are now more customizable and extensible with support for event filtering and webhooks. They also provide richer data for system audit.
- StatefulSet Updates, a new beta feature in this release, allows automated updates of stateful applications such as Kafka, Zookeeper and etcd, using a range of update strategies including rolling updates.
- StatefulSets also support faster scaling and startup for applications. Strict ordering is no longer required when the Pod Management Policy relaxes it, which can be considered a major performance boost.
- Local Storage (alpha) was one of the most frequently requested features for stateful applications. Users can now access local storage volumes through the standard PVC/PV interface and via StorageClasses in StatefulSets.
- DaemonSets, which create one pod per node, already have an update feature; in 1.7 they gain smart rollback and history capabilities.
- A new StorageOS Volume plugin provides highly-available cluster-wide persistent volumes from local or attached node storage.
- API aggregation at runtime allows power users to add Kubernetes-style pre-built, third-party or user-created APIs to their cluster. It is also the most powerful extensibility feature in this release.
- The Container Runtime Interface (CRI) has been enhanced with new RPC calls to retrieve container metrics from the runtime. Validation tests for the CRI have been published, and alpha integration with containerd 1.0, which supports basic pod lifecycle and image management, is now available.
- Alpha support for external admission controllers was introduced in 1.7. It offers two options for adding custom business logic to the API server: modifying objects as they are created and validating them against policy.
- Policy-based Federated Resource Placement, also introduced as alpha, provides placement policies for federated clusters based on custom requirements such as regulation, pricing or performance.
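To make the Network Policy item above concrete, here is an added example (not from the article or the Kubernetes project) using the `networking.k8s.io/v1` API that 1.7 promoted to stable: a default-deny policy for a namespace, followed by a policy that lets only one labelled workload reach the database. The namespace `payments`, the labels `app=db` / `app=api` and port 5432 are assumptions.

```yaml
# Added example, not from the article. Namespace, labels and port are assumed.
# NetworkPolicy objects only take effect if the cluster's network plug-in
# enforces them; on a plug-in without policy support they are silently ignored.
---
# 1. Default-deny ingress: an empty podSelector matches every pod in the
#    namespace, and an absent ingress list means no traffic is allowed in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}
---
# 2. Allow-list: only pods labelled app=api in the same namespace may reach
#    pods labelled app=db, and only on TCP 5432. Policies are additive, so this
#    punches exactly one hole in the default-deny above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-from-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: db
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 5432
```

After applying both manifests with `kubectl apply -f`, verify enforcement by connecting to the database port from a pod that lacks the `app=api` label; the connection should time out, while a pod carrying the label still connects.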
No more Third Party Resource (TPR)
Third Party Resource (TPR) has been replaced with Custom Resource Definitions (CRD). The latter provides a cleaner API and resolves issues and corner cases that were raised during the beta period of TPR. Those who use the TPR beta feature are encouraged to migrate, as the community has slated it for removal in Kubernetes 1.9.
For a complete list of changes, visit the release notes.