Kubernetes version 1.25: Everything you need to know


Kubernetes released version 1.25 on Tuesday, August 23, 2022. The release includes 40 new enhancements across various areas as well as numerous bug fixes, compared with the 45 and 46 enhancements in Kubernetes 1.23 and 1.24, respectively. Of the 40 enhancements, thirty-three are graduating to Stable, ten existing features are being improved, fifteen are brand new, and two are deprecations.

In this blog post we discuss what is new in the latest Kubernetes version and which features have been added or removed.


API Machinery

The API machinery group has two new and shiny enhancements.

  1. CRD Validation Expression Language (graduation to beta)
  2. Retriable and Non-Retriable Pod Failures for Jobs (alpha release)

CRD Validation Expression Language (graduation to beta)

Custom resources are the main extension point in Kubernetes for creating and managing new resource types in the Kubernetes API. CRD validation using an expression language (CEL) enters beta with this release. Instead of deploying and operating a validating webhook, validation rules can now be written directly into the CRD schema and managed alongside the resource specification.
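As an added example (not from the original post), the following CRD embeds two CEL rules in its schema via x-kubernetes-validations; the group, kind and field names are assumed for illustration. With the rules in place, the API server rejects non-conforming objects at admission time without any webhook.

```yaml
# Added example: CRD with in-schema CEL validation rules (Kubernetes 1.25, beta).
# Group, kind and field names are assumed for illustration.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: workers.example.com
spec:
  group: example.com
  names:
    kind: Worker
    plural: workers
  scope: Namespaced
  versions:
  - name: v1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            required: ["replicas", "minReplicas", "image"]
            properties:
              replicas:
                type: integer
              minReplicas:
                type: integer
              image:
                type: string
            x-kubernetes-validations:
            # Reject objects whose minReplicas exceeds replicas.
            - rule: "self.minReplicas <= self.replicas"
              message: "minReplicas must not exceed replicas"
            # Only accept images from the organisation's own registry
            # (registry host is an assumed value).
            - rule: "self.image.startsWith('registry.example.com/')"
              message: "image must be pulled from registry.example.com"
```

In 1.25 the CustomResourceValidationExpressions feature gate is enabled by default; a Worker with replicas: 2 and minReplicas: 3 is rejected with the first message.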

Retriable and Non-Retriable Pod Failures for Jobs (alpha release)

In Kubernetes, Job resources are used to run one-off tasks. In terms of failure handling, the Job API has been limited: every pod failure simply counts against backoffLimit. This new alpha feature adds a field to the Job specification called podFailurePolicy, which lets you decide per failure cause whether to retry, ignore, or fail the whole Job.
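An added example (not from the original post) of a Job that uses podFailurePolicy; the container name, image and exit code are assumed for illustration. It fails fast on an unrecoverable exit code while not counting node-drain evictions against backoffLimit.

```yaml
# Added example: Job with podFailurePolicy (Kubernetes 1.25, alpha).
# Requires the JobPodFailurePolicy and PodDisruptionConditions feature gates
# on kube-apiserver and kube-controller-manager. Image and exit code are assumed.
apiVersion: batch/v1
kind: Job
metadata:
  name: batch-import
spec:
  completions: 4
  parallelism: 2
  backoffLimit: 6
  podFailurePolicy:
    rules:
    # Exit code 42 means bad input data: retrying cannot help, so fail the
    # Job immediately instead of burning through backoffLimit.
    - action: FailJob
      onExitCodes:
        containerName: importer
        operator: In
        values: [42]
    # Pods evicted by drain or preemption get the DisruptionTarget condition;
    # such failures are infrastructure noise and should not count as retries.
    - action: Ignore
      onPodConditions:
      - type: DisruptionTarget
        status: "True"
  template:
    spec:
      # podFailurePolicy requires restartPolicy: Never so that the Job
      # controller, not the kubelet, decides what to do with a failed pod.
      restartPolicy: Never
      containers:
      - name: importer
        image: registry.example.com/importer:1.0   # assumed image
        command: ["/bin/sh", "-c", "import-data || exit 42"]
```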

Apps in Kubernetes 1.25

The Apps SIG (special interest group) is concerned with the deployment and management of complex applications in Kubernetes. There are two significant improvements in this area in the 1.25 release.

Add minReadySeconds to StatefulSets (graduation to stable)

minReadySeconds is a new (now stable) field in StatefulSet resources that requires a pod to stay ready for the given number of seconds before it is counted as available. This extra buffer is useful when a container starts quickly but the application inside it needs more time before it can actually accept requests.

TimeZone Support in CronJob (graduation to beta)

Jobs are created from a CronJob according to the schedule specified in the resource specification. However, the time zone used to interpret that schedule has so far been the local time zone of the controller manager. With the new enhancement you get a field, spec.timeZone, in which you can set any valid time zone name from the tz database.

Kubernetes 1.25 Auth

From the authorization, authentication, and cluster security policy area, we have one critical deprecation and one new alpha release.

KMS v2 Improvements

Kubernetes stores all of its data in etcd by default, and it is not encrypted. As a result, Kubernetes provides external mechanisms such as Key Management Service (KMS) providers to securely store data in etcd. The new v2alpha1 enhancement focuses on automating key rotation in KMS. Furthermore, it improves KMS plugin health checks and the observability of operations between the API server and KMS.

Learn more about KMS v2 Improvements

Removal of PodSecurityPolicy

PodSecurityPolicy is completely removed in Kubernetes 1.25, following its deprecation in version 1.21. PodSecurityPolicy was the built-in solution for restricting what a pod may do, but it became complex and confusing over time. Kubernetes has instead implemented the Pod Security Admission controller, with a clear migration path.

Learn more about Pod Security Standards(PSS)

Network in Kubernetes 1.25

Reserve Service IP Ranges for Dynamic and Static IP Allocation (graduation to beta)

Service resources in Kubernetes expose applications both inside and outside the cluster. There are two ways a Service gets its cluster IP: Kubernetes assigns an address dynamically from the configured range, or the user statically specifies an address from the same range. With the ServiceIPStaticSubrange feature gate, which has graduated to beta, the range is split so that dynamic allocation prefers the upper part and static addresses can be taken from the lower part, which avoids collisions between the two.

NetworkPolicy Port Range (graduation to stable)

With the previous Kubernetes API, you had to specify each port individually in ingress and egress network policies. The new (and now stable) feature adds a field called endPort that lets you declare a port range in one entry; endPort sits next to port in the same ports item. For example, the following rule allows egress on TCP ports 32000 through 32768:

spec:
  egress:
  - ports:
    - protocol: TCP
      port: 32000
      endPort: 32768

Kubernetes 1.25 Nodes

In the node area, there are three general availability (GA) graduations, one beta, and one alpha release in the 1.25 release.

Ephemeral Containers (graduation to stable)

Debugging a live distributed system is always difficult because it is hard to connect to the right place, send requests, and inspect the results. With ephemeral containers you can add a container to an already running pod. They are useful for quickly spinning up a debugger container, because production application images are typically minimal and ship without a shell, curl, or any debugging tools.

cgroups v2 (graduation to stable)

cgroups is a key Linux kernel feature for organising and managing container resources on nodes. All container runtimes were built using cgroup v1 in the early days of Kubernetes, but cgroups v2 support has now graduated to general availability. Container workloads will work more securely, including rootless containers, and more reliably with the latest kernel functionalities, thanks to cgroups v2.

Add Configurable Grace Period to Probes (graduation to stable)

In addition to terminationGracePeriodSeconds at the pod level, a field of the same name is now stable inside liveness probes. Keeping the two separate lets you control how long Kubernetes waits before killing a container in a regular shutdown independently of how long it waits after a failed liveness probe.
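An added example (not from the original post) showing both fields together; the image and paths are assumed. A healthy pod being rolled gets a long drain window, while a container that already failed its liveness probe is killed quickly.

```yaml
# Added example: pod-level vs probe-level terminationGracePeriodSeconds
# (Kubernetes 1.25, stable). Image and endpoint are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: api
spec:
  # Regular shutdown (rolling update, scale-down): SIGTERM, then up to
  # 120s for in-flight requests to drain before SIGKILL.
  terminationGracePeriodSeconds: 120
  containers:
  - name: api
    image: registry.example.com/api:1.0   # assumed image
    ports:
    - containerPort: 8080
    livenessProbe:
      httpGet:
        path: /healthz
        port: 8080
      periodSeconds: 10
      failureThreshold: 3
      # A container that failed liveness is already unhealthy; waiting the
      # full 120s only prolongs the outage, so give it 15s instead.
      terminationGracePeriodSeconds: 15
```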

seccomp by Default (graduation to beta)

Since the 1.22 release, Kubernetes has allowed users to define seccomp profiles to increase container security. Seccomp by default goes one step further: the kubelet applies the runtime's default seccomp profile to every container that does not specify its own, adding a security layer that reduces exposure to kernel CVEs and 0-days. As of the 1.25 release, this feature is in beta.
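An added example (not from the original post) with two parts: the kubelet configuration that turns on seccomp by default on a node, and a pod that pins RuntimeDefault itself so it stays confined even on nodes where the kubelet was not configured. The image is assumed.

```yaml
# Added example, part 1: kubelet configuration file on the node (not applied
# with kubectl). Apply the runtime's default seccomp profile to every
# container that sets no seccompProfile of its own.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
featureGates:
  SeccompDefault: true   # beta in 1.25 (enabled by default); shown explicitly
seccompDefault: true
---
# Added example, part 2: a workload that does not rely on node settings.
# Explicitly requesting RuntimeDefault keeps the container confined on
# nodes where seccompDefault is still off.
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: web
    image: registry.example.com/web:1.0   # assumed image
    securityContext:
      allowPrivilegeEscalation: false
```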

Add CPUManager Policy Option to Align CPUs by Socket Instead of NUMA Node (alpha release)

Newer CPU architectures have more NUMA (non-uniform memory access) nodes per socket. The new alpha feature adds a CPUManager policy option, align-by-socket, so that CPU alignment is decided at socket boundaries rather than NUMA boundaries.

Security in Kubernetes 1.25

Version 1.25 has one crucial security-related improvement.

Auto-Refreshing Official CVE Feed (alpha release)

Since Kubernetes is one of the most active open-source repositories, there are a lot of issues and PRs that are difficult to filter in terms of CVEs. With the aid of automation, the new alpha feature makes sure that issues and PRs are labelled. As platform providers, end users, or maintainers, you will be able to list CVEs with the pertinent information using this new methodology.

Respect PodTopologySpread After Rolling Upgrades (alpha release)

PodTopologySpread is a part of the pod API for specifying constraints on how pods are distributed across the cluster, for example per region, zone, node, or any other user-defined topology. Assume, for example, that you have a 20-node cluster and an auto-scaling application with a minimum and maximum capacity of 2 and 15. When at least two instances are active, you would not want both to run on the same node or in the same availability zone. Such constraints increase availability in the event of a partial cluster failure. Before 1.25, the pods of the old revision were counted during a rolling upgrade and could distort the spread; with the 1.25 release, Kubernetes can honour the spread constraints during the rolling-upgrade phase as well.
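An added example (not from the original post) of a Deployment using the 1.25 alpha field matchLabelKeys, which makes the scheduler count only pods of the current ReplicaSet when evaluating the spread. The image is assumed.

```yaml
# Added example: topologySpreadConstraints with matchLabelKeys
# (Kubernetes 1.25, alpha; needs the MatchLabelKeysInPodTopologySpread gate).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 6
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      topologySpreadConstraints:
      # Spread pods across zones; tolerate at most one pod of imbalance.
      - maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: frontend
        # The scheduler adds the incoming pod's own pod-template-hash value
        # to the selector, so pods of the previous revision are ignored and
        # the new revision is spread evenly even mid-rollout.
        matchLabelKeys:
        - pod-template-hash
      containers:
      - name: frontend
        image: registry.example.com/frontend:1.0   # assumed image
```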

Kubernetes 1.25 Storage

There are two essential general availability graduations and one alpha release available from the storage area.

Local Ephemeral Storage Capacity Isolation (graduation to stable)

Pods use emptyDir volumes and node-local ephemeral storage for caching and for writing their logs. Without isolation, every pod on a node makes "best effort" use of the same shared pool: pods have no idea how much space is allocated to them or how much remains on the node, and one runaway pod can fill the disk for all of them. With the local ephemeral storage capacity isolation feature, now generally available, pods declare requests and limits for ephemeral storage so the scheduler can place them on nodes with enough space and the kubelet can evict a pod that exceeds its limit.
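An added example (not from the original post) of a pod that reserves ephemeral storage and caps both its emptyDir volume and its total local usage; the image and mount path are assumed.

```yaml
# Added example: local ephemeral storage requests/limits (Kubernetes 1.25, stable).
# Image and mount path are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: log-writer
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # assumed image
    volumeMounts:
    - name: scratch
      mountPath: /scratch
    resources:
      requests:
        # The scheduler only places the pod on a node with 1Gi free.
        ephemeral-storage: "1Gi"
      limits:
        # Container logs + writable layer + emptyDir usage above 2Gi
        # get the pod evicted instead of filling the node disk.
        ephemeral-storage: "2Gi"
  volumes:
  - name: scratch
    emptyDir:
      # Per-volume cap; usage here also counts toward the container limit.
      sizeLimit: 500Mi
```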

In-Tree Storage Plugin to CSI Driver Migration (graduation to stable)

Version 1.25 marks the transition of the in-tree volume plugins to external CSI drivers. As part of this crucial step, several in-tree volume plugins must be deprecated and removed:

Retroactive Default StorageClass Assignment (alpha release)

The cluster administrator usually configures the default storage class during cluster creation. But you may also need to change the cluster's default storage class later, when the underlying storage provider or operational needs change. The primary goal of this new alpha feature is to retroactively assign the current default storage class to PVCs that were created without a storage class.

Conclusion

The goal of Kubernetes 1.25 is to increase flexibility, dependability, and security. Make sure your infrastructure is quickly upgraded and that you are prepared for the most recent changes in the release.


Join FREE Masterclass

To learn about the roles and responsibilities of a Kubernetes administrator, why you should learn Docker and Kubernetes, job opportunities for Kubernetes administrators in the market, and what to study, including the hands-on labs you must perform to clear the Certified Kubernetes Administrator (CKA) certification exam, register for our FREE Masterclass.


