By Vladimir Vivien, Staff Engineer and Clint Kitson, Director Open Source Engineering

Kubernetes 1.10 is out! This release continues to move important features through the alpha, beta and stable feature gates. Speaking of milestones, did you notice that the CNCF Technical Oversight Committee voted for Kubernetes to graduate from incubating status, making it the first CNCF project to do so? This is no accident; the momentum of Kubernetes continues to build as it becomes more stable and production deployments increase.

Storage

Storage continues to play a crucial role in each release of Kubernetes. The implementation efforts of the Container Storage Interface (CSI) that started last quarter continue strong in this quarter, along with other notable achievements in the storage space. With each release storage is getting more extensible and feature rich, extending the reach and benefits of Kubernetes to more applications.

CSI Updates

There are many updates to the Container Storage Interface implementation, far too many to enumerate all of them here. Most importantly, CSI is now graduating from the alpha to the beta designation, which means it’s another step closer to stable. In addition to fixing general bugs from the last release, the work on CSI included the following updates for both internal and external components:

  • Graduation of all components to beta
  • Implementation of CSI spec version 0.2.0
  • Credential support for volume creation and deletion operations

In addition, this quarter also saw the continuing development and adoption of various early implementations of CSI plugins from vendors such as Portworx, Google and Red Hat.

Local and Block Storage

CSI is not the only exciting thing happening in Kubernetes storage. This quarter saw the continuation of other crucial features related to local and block storage:

Other Storage Features Included in the Kubernetes 1.10 Release

  • Volume file systems can now be resized to match volume size when requested.
  • Protection against deleting a PV that is still bound to a pod or a PVC is now a beta feature.
  • Topology-aware volume scheduling has moved to beta, allowing storage to be scheduled using scheduler constraints like any other resource.
  • Mount namespace propagation, a feature that makes it possible for a container to propagate its volume mounts to its host, has graduated to beta.
  • A critical security fix for sub-path volume handling, closing a container-escape vulnerability through local volumes, is also in the release.
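As an added illustration of the mount propagation feature (this is example configuration, not code from the original post), the pod spec below uses the two non-default propagation modes in Kubernetes 1.10 syntax. The image tags, the host directory and the pod name are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mount-propagation-demo   # constructed example name
spec:
  containers:
  # HostToContainer: the container sees mounts the host adds under /mnt/data
  # after the pod starts, but cannot push its own mounts back to the host.
  # No extra privilege is required for this mode.
  - name: reader
    image: busybox:1.28          # assumed image
    command: ["sh", "-c", "while true; do ls /host-data; sleep 30; done"]
    volumeMounts:
    - name: host-data
      mountPath: /host-data
      mountPropagation: HostToContainer
  # Bidirectional: mounts created inside the container propagate to the host
  # and to every other pod using the same host directory. Kubernetes only
  # accepts this mode for privileged containers, so such a pod is effectively
  # host-equivalent and should be limited by a PodSecurityPolicy.
  - name: mounter
    image: busybox:1.28          # assumed image
    command: ["sh", "-c", "sleep 3600"]
    securityContext:
      privileged: true
    volumeMounts:
    - name: host-data
      mountPath: /host-data
      mountPropagation: Bidirectional
  volumes:
  - name: host-data
    hostPath:
      path: /mnt/data            # assumed host directory
      type: DirectoryOrCreate
```

The practical check is the second container: if a workload asks for `Bidirectional` it must also ask for `privileged: true`, so a policy that forbids privileged pods also forbids host-visible mount propagation. `HostToContainer` is the mode to reach for when a container only needs to observe mounts managed by the host.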

Node and Resource Management

There has been a flurry of activity in SIG-node and its interest groups to keep moving forward on improvements to existing features and introducing new ones.

  • Dynamic kubelet configuration has graduated to beta. This feature makes it possible to update the configuration of a kubelet without restarting its service, allowing cluster configuration changes with no downtime.
  • Support for a configurable shared process namespace has moved to alpha. This feature allows the containers of a pod to share a single PID namespace, so that, for instance, a sidecar container can send signals to processes running in another container of the same pod.
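The sidecar signalling pattern described above, as an added example rather than configuration from the original post: a pod with a shared PID namespace in which a helper container reloads the web server by signalling its master process. It assumes the `PodShareProcessNamespace` feature gate is enabled on the API server and kubelets (alpha in 1.10), and the image tags and pod name are made up.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: shared-pid-demo          # constructed example name
spec:
  # Alpha in Kubernetes 1.10: requires the PodShareProcessNamespace feature
  # gate (assumed enabled here). With it, all containers in the pod see the
  # same PID namespace, and the pause container becomes PID 1.
  shareProcessNamespace: true
  containers:
  - name: web
    image: nginx:1.13            # assumed image
  # The sidecar can see and signal the nginx master process because both
  # containers share one PID namespace; SIGHUP asks nginx to reload config.
  - name: reloader
    image: busybox:1.28          # assumed image
    command:
    - sh
    - -c
    - |
      # wait for nginx to come up, then signal its master process by name
      sleep 10
      pkill -HUP -f "nginx: master"
      sleep 3600
```

The caveat for a defender is that the trust boundary moves from the container to the pod: with a shared PID namespace, `/proc/<pid>` of every process is visible to every container, so command-line arguments and (for processes running as the same user) environment variables of one container are readable from another. Secrets should therefore be mounted as files rather than passed as arguments or environment variables in pods that enable this setting.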

Programmability

Both the API-Machinery and CLI SIGs have been hard at work introducing new features to improve the usability of the Kubernetes API. Work has continued on major features, including the following:

Security

SIG-Auth has released several features to harden the security of deployed Kubernetes 1.10 clusters, including the following:

  • A major effort, which is now in alpha, is the refactoring of client-go (the official Go client API) to externalize the authentication providers that are now in-tree. Having an extension point means that customizing authentication logic can live outside the client-go library.
  • The TokenRequest API is another effort being released as alpha. It improves the security of service account tokens by issuing tokens that are bound to an audience, expire after a set time, and are bound to specific pods.
  • Entering beta is the ability to limit a node's access to only the API resources that are bound to that node, such as pods, secrets, ConfigMaps and volume attachments.
  • Pod security policy, which allows an administrator to decide the security contexts in which a pod can run, is released as beta in Kubernetes 1.10.

Stay tuned to the Cloud-Native Apps Blog for more around the Kubernetes 1.10 release, and be sure to follow us on Twitter (@cloudnativeapps).