Kubernetes 1.25 Update Focuses on Security and Storage

This week, the Technical Oversight Committee (TOC) for Kubernetes released a Combiner update to the cloud-native platform that adds more than 40 enhancements.

The bulk of the enhancements delivered in Kubernetes 1.25 involve capabilities moving from beta to stable, which means they will soon find their way into curated distributions of the platform. Those capabilities include Pod Security Admission, a more accessible module that replaces the current PodSecurityPolicy, and ephemeral containers, which are designed to exist on a pod for a limited amount of time to make troubleshooting a cluster simpler.

Cici Huang, a software engineer at Google who served as the release team lead for Kubernetes 1.25, says the pod security admission capability is one of the most crucial elements of the release as the processes used to manage and secure Kubernetes clusters evolve and mature.
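The following is an added example, not taken from the article or the Kubernetes project: a namespace opted into Pod Security Admission at the "restricted" level, and a pod that satisfies that profile. The namespace name "payments" and the image reference are assumed.

```yaml
# Added example (not from the article): a namespace that enforces the
# "restricted" Pod Security Standard, and a pod spec that passes it.
# Assumed values: namespace "payments", image "registry.example/app:1.0".
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Reject pods that violate the restricted profile ...
    pod-security.kubernetes.io/enforce: restricted
    # ... pinned to the 1.25 definition so a later change to the profile
    # is not silently enforced after an upgrade.
    pod-security.kubernetes.io/enforce-version: v1.25
    # Also warn the submitting user and add an audit annotation.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true          # restricted: containers must not run as root
    seccompProfile:
      type: RuntimeDefault      # restricted: a seccomp profile must be set
  containers:
    - name: app
      image: registry.example/app:1.0
      securityContext:
        allowPrivilegeEscalation: false   # restricted: no privilege escalation
        capabilities:
          drop: ["ALL"]                   # restricted: drop all Linux capabilities
```

A pod submitted to this namespace that omits any of these fields is rejected by the API server with a message naming the violated control; `kubectl apply --dry-run=server` shows the same verdict without creating anything.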

A local ephemeral storage capacity isolation feature, which can be used to limit the storage consumed by a specific pod, and a Container Storage Interface (CSI) feature dubbed CSI Ephemeral Volume, which allows volumes to be specified directly in a pod for ephemeral use cases, are also now stable.

Other capabilities graduating to stable include extending network policy to cover a range of ports and support for the cgroups v2 application programming interface (API), which is already used in some distributions of Kubernetes to constrain resource allocation.

The release also includes some capabilities that are moving from alpha to beta. A CRD validation expression language makes it possible to declare how custom resources are validated using the Common Expression Language (CEL), and server-side unknown field validation, which optionally triggers schema validation on the API server when unknown fields are detected, has also been promoted.

In terms of alpha capabilities, a KMS v2alpha1 API adds performance, key rotation and observability improvements to the encryption of data at rest.

With this release, the TOC is clearly addressing two areas that have tended to lag as Kubernetes has advanced: storage and security. Initially, the expectation was that only stateless applications would be deployed on Kubernetes clusters, so storage management capabilities did not get much early attention.

Security, too, always seemed to be an afterthought as the platform evolved. Although more recent updates to security capabilities have been coming steadily, early on the focus of Kubernetes release teams was primarily on performance and the stability of critical APIs.

It’s not clear whether these capabilities will drive further adoption of Kubernetes after they are incorporated into various distributions of the platform. However, as storage APIs become more robust, there will be greater opportunities to deploy a wider range of workloads on the platform. At the same time, enhanced security should help calm cybersecurity concerns as more organizations continue to focus on locking down their software supply chains.

In fact, the biggest Kubernetes issue now is not whether the platform will be employed to run workloads but, rather, how many will be used and at what level of scale.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
