Major Changes In Kubernetes version 1.25
Kubernetes version 1.25 was released on August 23, 2022. It came with many bug fixes and 40 new enhancements in different areas among which 13 are reaching to a stability level, 15 are completely new features, 10 are existing features and 2 features are condemned.
In this blog, I’ll discuss what was removed and Major changes in Kubernetes version 1.25.
Following is the list of new enhancements in version 1.25
Graduations to Stable
This release includes a total of thirteen enhancements promoted to stable:
- Ephemeral Containers
- Local Ephemeral Storage resource Management
- CSI Ephemeral Volumes
- CSI Migration-Core
- CSI Migration-AWS
- CSI Migration-GCE
- DaemonSets Support MaxSurge
- cgroups version 2
- Pod Security Admission
- Add minReadySeconds to Statefulsets
- Identify windows pods at API admission level authoritatively
- Network Policy Port Range
- Graduate the kube-schedular ComponentConfig to GA
- Deprecations and Removals
Two features were deprecated or removed from Kubernetes with this release.
- Pod Security Policy is removed
- GlusterFS plugin deprecated from available in-tree drivers
Forget about Pod Security Policy. Instead! Use Pod Security Admission.
In Kubernetes version 1.21, pod security policy was deprecated and now in version 1.25, it has been removed. For it’s replacement, Pod Security Admission has been introduced and it is moving towards stability with the release of this version.
Now you must be thinking about the reason behind Pod Security policy’s removal. PSP has served Kubernetes for a long time but it was complex and confusing for everyone who tried to use it. Another issue is in increase in security risks as it is quite handy to apply restrictive permissions on a granular level and you can only apply PSPs at the time of submitting a request for a new pod to the cluster. You cannot apply it on the already running pods in the cluster.
Pod Security Admission analyze pods and decides the admission or rejection of features in the pod against the Pod Security Controls. On Pod Security Context, it sets the restrictions according to the three levels of pod security standards (privileged, baseline, and restricted) and the restrictions are applied at the namespace level. It also allows you to define a set of labels which you can use to define the Pod Security Standard levels you want to use for a namespace. Moreover, you can create more pods by defining exemptions for Pod Security Enforcement.
Ephemeral Containers (upgrading to stable)
Ephemeral containers are short-term containers that exists within an existing pod. They are used to inspect or troubleshoot another container or a running pod. For instance, distroless images are difficult to troubleshoot or debug using only kubectl exec as these images do not have any debugging utilities. In this situation, ephemeral containers would be best to debug these images.
Support for cgroups v2 upgraded to stable
Pods and containers need resource management, and to enforce it, kubelet and underlaying containers are required to interact with cgroup. Linux has two versions of cgroup API, v1 and v2.
Cgroup version 2 API is a unified control system which came up with the improved resource management capabilities. It has the following advantages over cgroup v1.
o Simple yet unified architecture.
o New features
o Improved resource management.
In Kubernetes, some distributions are dependent on cgroup API and Kubernetes need to support it to continue those distributions. Kubernetes for now is also supporting cgroup version 1 for more enhancements. Once the need for version 1 is over, Kubernetes will deprecate it or replace it while the support for cgroups v2 graduates to stable in Kubernetes version 1.25.
For any product, the company's goal of introducing a new version of their product is to provide users with flexibility, security, compatibility and new features. Kubernetes went with the same goal and presented version 1.25 of Kubernetes. Make sure to upgrade your systems for further changes.
PodSecurityPolicy is Dead, Long Live...? | Appvia
TL;DR PodSecurityPolicy exists in Kubernetes to provide security controls for pods. PSPs are deprecated in 1.21 (April…
Pod Security Admission
An overview of the Pod Security Admission Controller, which can enforce the Pod Security Standards. FEATURE STATE…
PodSecurityPolicy Deprecation: Past, Present, and Future
Author: Tabitha Sable (Kubernetes SIG Security) PodSecurityPolicy (PSP) is being deprecated in Kubernetes 1.21, to be…
Kubernetes v1.25: Combiner
Authors: Kubernetes 1.25 Release Team Announcing the release of Kubernetes v1.25! This release includes a total of 40…