The Cloud Native Computing Foundation (CNCF), which is responsible for overseeing the open-source Kubernetes container orchestration platform, has delivered updates that simultaneously harden existing APIs while introducing new ones as a set of experimental alpha technologies.
Eric Chiang, software engineer at CoreOS who co-leads the Kubernetes auth special interest group, says four additional features have now attained stable status, while seven features have moved from alpha to beta status. Another 19 APIs have been made available as alpha projects that might one day find their way into curated versions of Kubernetes, he says.
The most important additions to Kubernetes 1.7, says Chiang, are:
Custom resource definitions (CRDs): Now in beta, CRDs replace a Third Party Resources feature that had been available as an alpha project. Chiang says CRD is an extremely important feature because it allows for the creation of custom objects within applications managing resources on Kubernetes.
API aggregation: Available in beta, API Aggregation enables Kubernetes to defer requests and response to another server. Whereas CRDs are a lightweight way of having the Kubernetes allocate scratch space for custom resources, aggregation is a pluggable way to customize Kubernetes’ API handling including specialized resource validation, or ACL filtering not available for normal resources.
Local persistent storage: Local persistent storage is now an alpha feature that allows users to request from a StorageClass that their Pods be executed on nodes with locally attached storage. This method will be a more reliable model of storing local persistent data as compared to hostPath.
Limit node access to API server: The API server can now prevent a node from reading resources, such as secrets, that are not needed by pods scheduled to it. This feature complements ongoing kubelet TLS bootstrapping work, a mechanism for delivering unique credentials for each node that is a requirement for node restriction.
Encryption of secrets at rest: Alpha support for encrypting API resources, including secrets, at rest has been added. This allows the API server to symmetrically encrypt data.
Other enhancements include a container runtime interface (CRI) that now supports remote procedure calls (RPCs), the elevation of a network policy API from beta to stable, audit log enhancements, a beta release of a stateful updates feature that automatically updates stateful applications, and an ability to add custom business logic to an API Server.
Chiang says CNCF is making a concerted effort to provide a hardened version of Kubernetes that can be deployed in production environments, while clearly continuing to innovate around beta and alpha features. CNCF has declared that any API which is beta or stable will be backwards-compatible forever, he says.
Any IT organization attempting to keep pace with the rate of Kubernetes innovation is going to be hard-pressed. There are a few organizations with the engineering resources to download and deploy raw Kubernetes bits. But most enterprise IT organizations are going to implement a version of Kubernetes that has been curated by a vendor in much the same way most of them today implement a distribution of Linux.