Kubernetes 1.25 release recap

The Kubernetes release 1.25 is set to the stable version on the 23rd of August. Detailed release notes are published on the official docs.

Important links are located at the bottom.

In this article overview of the major topics, deprecations, and removals will be listed, and compiled description from the official documentation will be listed also.

Major topics quick overview:

  • PodSecurityPolicy is Removed, Pod Security Admission graduates to Stable
  • Ephemeral Containers Graduate to Stable
  • Support for cgroups v2 Graduates to Stable
  • Windows support improved
  • Moved container registry service from k8s.gcr.io to registry.k8s.io
  • Promoted SeccompDefault to Beta
  • Promoted endPort in Network Policy to Stable
  • Promoted Local Ephemeral Storage Capacity Isolation to Stable
  • Promoted core CSI Migration to Stable
  • Promoted CSI Ephemeral Volume to Stable
  • Promoted Server Side Unknown Field Validation to Beta
  • Introduced KMS v2

Deprecation removals quick overview - will no longer be served in v1.25:

  • The batch/v1beta1 API version of CronJob
  • The discovery.k8s.io/v1beta1 API version of EndpointSlice
  • The events.k8s.io/v1beta1 API version of Event
  • The autoscaling/v2beta1 API version of HorizontalPodAutoscaler
  • The policy/v1beta1 API version of PodDisruptionBudget
  • The PodSecurityPolicy in the policy/v1beta1 API version
  • The RuntimeClass in the node.k8s.io/v1beta1 API version

Major topics

Pod Security Admission

(Removed)
A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

Reference: https://kubernetes.io/docs/concepts/security/pod-security-policy/

(Stable)
As a stable feature, Kubernetes offers a built-in Pod Security admission controller, the successor to PodSecurityPolicies. Pod security restrictions are applied at the namespace level when pods are created.

Reference: https://kubernetes.io/docs/concepts/security/pod-security-admission/

Ephemeral Containers

(Stable)
Ephemeral containers are useful for interactive troubleshooting when kubectl exec is insufficient because a container has crashed or a container image doesn't include debugging utilities.

In particular, distroless images enable you to deploy minimal container images that reduce attack surface and exposure to bugs and vulnerabilities. Since distroless images do not include a shell or any debugging utilities, it's difficult to troubleshoot distroless images using kubectl exec alone.

When using ephemeral containers, it's helpful to enable process namespace sharing so you can view processes in other containers.

Reference: https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/

Local Ephemeral Storage Capacity Isolation

(Stable)
The Local Ephemeral Storage Capacity Isolation feature moved to GA. This was introduced as alpha in 1.8, moved to beta in 1.10, and it is now a stable feature. It provides support for capacity isolation of local ephemeral storage between pods, such as EmptyDir, so that a pod can be hard limited in its consumption of shared resources by evicting Pods if its consumption of local ephemeral storage exceeds that limit.


Reference: https://github.com/kubernetes/sig-release/blob/master/releases/release-1.25/release-notes/release-notes-draft.md#promoted-local-ephemeral-storage-capacity-isolation-to-stable

Network Policy endPort

(Stable)
When writing a NetworkPolicy, you can target a range of ports instead of a single port.

This is achievable with the usage of the endPort field, as the following example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: multi-port-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 32000
      endPort: 32768

CSI Ephemeral Volume

A great introduction is given in the Git repo itself.

User stories

  • As a storage provider, I want to use the CSI API to develop drivers that can mount ephemeral volumes that follow the lifecycles of pods where they are embedded. This feature would allow me to create drivers that work similarly to how the in-tree Secrets or ConfigMaps driver works. My ephemeral CSI driver should allow me to inject arbitrary data into a pod using a volume mount point inside the pod.
  • As a user, I want to be able to define pod specs with embedded ephemeral CSI volumes that are created/mounted when the pod is deployed and are deleted when the pod goes away.

A pod spec with an ephemeral inline CSI volume. Note that because the volume is expected to be ephemeral, the volumeHandle is not provided. Instead, a CSI-generated ID will be submitted to the driver.

apiVersion: v1
kind: Pod
metadata:
  name: some-pod
spec:
  containers:
    ...
  volumes:
    - name: vol
      csi:
        driver: some-csi-driver.example.com
        # Passed as NodePublishVolumeRequest.volume_context,
        # valid options depend on the driver.
        volumeAttributes:
          foo: bar

Reference: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/596-csi-inline-volumes

Deprecations

Watch out for the listed resources - if you use them, an update should be done.

CronJob

The batch/v1beta1 API version of CronJob is removed.

Action needed: Migrate manifests and API clients to use the batch/v1 API version, available since v1.21.

EndpointSlice

The discovery.k8s.io/v1beta1 API version of EndpointSlice is removed.

Action needed: Migrate manifests and API clients to use the discovery.k8s.io/v1 API version, available since v1.21.

Event

The events.k8s.io/v1beta1 API version of Event is removed.

Action needed: Migrate manifests and API clients to use the events.k8s.io/v1 API version, available since v1.19.

Autoscaling

The autoscaling/v2beta1 API version of HorizontalPodAutoscaler is removed.

Action needed: Migrate manifests and API clients to use the autoscaling/v2 API version, available since v1.23.

PodDisruptionBudget

The policy/v1beta1 API version of PodDisruptionBudget is removed.

Action needed: Migrate manifests and API clients to use the policy/v1 API version, available since v1.21.

An empty spec.selector ({}) written to a policy/v1 PodDisruptionBudget selects all pods in the namespace (in policy/v1beta1 an empty spec.selector selected no pods). An unset spec.selector selects no pods in either API version.

PodSecurityPolicy

The PodSecurityPolicy in the policy/v1beta1 API version is removed.

Action needed: PodSecurityPolicy in the policy/v1beta1 API version will no longer be served in v1.25, and the PodSecurityPolicy admission controller will be removed.

Migrate to Pod Security Admission or a 3rd party admission webhook. For a migration guide, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller. For more information on the deprecation, see PodSecurityPolicy Deprecation: Past, Present, and Future.

RuntimeClass

The RuntimeClass in the node.k8s.io/v1beta1 API version is removed.

Action needed: Migrate manifests and API clients to use the node.k8s.io/v1 API version, available since v1.20.

Important links:


Thank you for reading!

If you liked this article and want to get informed when the new ones get published, hit the Subscribe button so you can get new articles directly in your mail. Also if you have something to say leave a comment.

Subscribe

Subscribe to qdnqn

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
qdnqn@example.com
Subscribe
Join other 14 members. Unsubscribe whenever you want.