Kubernetes V1.21 will be released next month (V1.21.0 is due on April 8). This article walks through the new features that come with the release so you are ready for next month's update.

PodSecurityPolicy deprecated

PodSecurityPolicy (PSP) is a Beta feature that has been available since Kubernetes 1.8 and is widely used for container security policy control. PodSecurityPolicy will be deprecated in V1.21 and removed from the code base in V1.25 because of its inflexible API, incomplete authentication model, and cumbersome configuration updates. Users already relying on PodSecurityPolicy are advised to migrate to Gatekeeper.

Immutable ConfigMap/Secret goes stable

When a cluster contains a large number of ConfigMaps and Secrets, the resulting flood of Watch events can dramatically increase the load on kube-apiserver and also lets a misconfiguration propagate across the cluster very quickly. Setting immutable: true on ConfigMaps and Secrets that do not need to change often avoids both problems.

Note that once immutable: true is set, the ConfigMap or Secret can no longer be edited: to update its contents it must be deleted and recreated, and the Pods that use it must be deleted and recreated as well.
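As an added example (not from the original article), the manifest below shows an immutable ConfigMap together with a Deployment that consumes it. The names, image and values are constructed for illustration; the version suffix in the ConfigMap name is the assumed convention that makes the "delete and recreate" update described above safe to roll out.

```yaml
# Added example, not code from the original article.
# An immutable ConfigMap: the API server rejects any later change to its data.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config-v1      # version suffix (constructed convention): an update is a new object
data:
  LOG_LEVEL: info
immutable: true            # no more Watch on this object; edits are refused
---
# The consumer pins the versioned name, so a config change becomes a normal
# rolling update instead of an in-place edit that every Pod has to watch.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: app
        image: example.com/app:1.0     # placeholder image
        envFrom:
        - configMapRef:
            name: app-config-v1        # change to app-config-v2 to roll out new config
```

To update, create app-config-v2, point the Deployment at it and apply; the rollout recreates the Pods, and app-config-v1 can be deleted once no Pod references it. Deleting the immutable object first would break the running Pods' next restart.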

IPv4/IPv6 dual-stack support Beta

IPv4/IPv6 dual-stack support was reworked in V1.20 and goes to Beta in V1.21 (enabled by default); kubeadm already supports creating IPv4/IPv6 dual-stack clusters. Once the feature is enabled, Kubernetes Services and Pods are assigned both IPv4 and IPv6 addresses.

Note that the CNI plug-in and the Cloud Provider in use must also support IPv4/IPv6 dual-stack.
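As an added example (not from the original article), this Service asks for both address families explicitly. The fields ipFamilyPolicy and ipFamilies are the dual-stack Service API; the Service name, selector and ports are constructed.

```yaml
# Added example, not code from the original article.
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  # PreferDualStack: both families on a dual-stack cluster, falls back to
  # single-stack elsewhere. RequireDualStack fails creation on a single-stack cluster.
  ipFamilyPolicy: PreferDualStack
  ipFamilies:            # order decides which family is the primary clusterIP
  - IPv4
  - IPv6
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
```

After creation, .spec.clusterIPs holds one address per family; if only one appears, the cluster (or the CNI plug-in) is not actually dual-stack, which is the check to run before relying on IPv6 reachability in NetworkPolicies.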

CSIVolumeHealth Alpha and CSIStorageCapacity Beta

Starting with V1.21, Kubernetes supports volume health checks (Alpha) for CSI storage plug-ins; the plug-in needs to implement an external health monitoring controller. When a Volume or Node becomes abnormal, the controller sends an event to the PVC that the Volume belongs to and to the Pods that use the PVC.

CSIStorageCapacity tracks CSI storage capacity so that Pods are scheduled to nodes with sufficient storage. This feature goes to Beta in V1.21 and is enabled by default. Note that using it requires the CSI driver to implement the corresponding interface.

TTL Controller Beta

The TTL controller automatically cleans up finished Pods, such as those of Complete or Failed Jobs. The TTL after completion is set with .spec.ttlSecondsAfterFinished.

Note that this feature requires the clocks of all nodes in the cluster (including control-plane nodes) to be consistent, for example by running an NTP service on every node.

GenericEphemeralVolume Beta

A generic ephemeral volume is similar to an emptyDir volume but more flexible:

  • The storage can be local or network storage.
  • Volumes can have a fixed size that Pods cannot exceed.
  • Volumes may have some initial data, depending on the driver and parameters.
  • When the driver supports them, the usual volume operations (snapshot, clone, expansion, etc.) are also available.
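As an added example (not from the original article), this Pod declares a generic ephemeral volume through a volumeClaimTemplate. The storage class name, size and image are constructed; the class is assumed to be backed by a CSI driver.

```yaml
# Added example, not code from the original article.
apiVersion: v1
kind: Pod
metadata:
  name: scratch-pod
spec:
  containers:
  - name: app
    image: busybox:1.34            # placeholder image
    command: ["sh", "-c", "df -h /scratch && sleep 3600"]
    volumeMounts:
    - mountPath: /scratch
      name: scratch
  volumes:
  - name: scratch
    ephemeral:
      # The kubelet's PVC is named <pod>-<volume>, here scratch-pod-scratch,
      # is owned by the Pod and is deleted with it.
      volumeClaimTemplate:
        metadata:
          labels:
            type: scratch
        spec:
          accessModes: ["ReadWriteOnce"]
          storageClassName: fast-ssd   # placeholder class (assumed CSI-backed)
          resources:
            requests:
              storage: 5Gi         # hard size, unlike emptyDir on the node disk
```

Unlike emptyDir, the 5Gi request is a real PVC, so quota and the storage class's encryption or snapshot settings apply to it; check kubectl get pvc scratch-pod-scratch after the Pod starts.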

Kubelet memory control policy Alpha

The memory manager policy is an Alpha feature added to Kubelet in V1.21 to provide NUMA-aware memory allocation for Pods. Kubelet adds the --memory-manager-policy flag to configure the policy. Two policies are supported:

  • None (the default): the memory manager is disabled.
  • Static: allocates NUMA memory for Pods and guarantees that Guaranteed Pods have enough memory reserved (Kubelet state is saved in the file /var/lib/kubelet/memory_manager_state).
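As an added example (not from the original article), the KubeletConfiguration fragment below enables the Static policy through the configuration file rather than the command-line flag. The reserved sizes are constructed; the constraint that the per-NUMA reservations must add up to the kube-reserved, system-reserved and eviction-hard memory is the kubelet's own validation rule.

```yaml
# Added example, not code from the original article.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
featureGates:
  MemoryManager: true              # Alpha in V1.21, off by default
memoryManagerPolicy: Static        # "None" (default) disables the manager
# Constructed reservations: the Static policy refuses to start unless the sum
# of reservedMemory equals kube-reserved + system-reserved + eviction-hard for memory.
kubeReserved:
  memory: 500Mi
systemReserved:
  memory: 424Mi
evictionHard:
  memory.available: 100Mi
reservedMemory:                    # 500Mi + 424Mi + 100Mi = 1Gi, all on NUMA node 0
- numaNode: 0
  limits:
    memory: 1Gi
topologyManagerPolicy: single-numa-node   # memory manager hints are consumed by the topology manager
```

A mismatch between the reservations is reported at kubelet start-up, so validate the file on one node before rolling it out.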

ServiceLoadBalancerClass Alpha

Previously, every Service of type LoadBalancer required the Cloud Provider to configure a load balancer in the cloud, and only one Cloud Provider could run in the whole cluster. The new ServiceLoadBalancerClass feature in Kubernetes V1.21 allows multiple load balancer implementations to run in one cluster; a Service specifies which implementation to use via spec.loadBalancerClass (similar to Ingress controllers).

PodDeletionCost Alpha

The PodDeletionCost feature added in Kubernetes V1.21 lets users control which Pods are deleted first. To use it, add the annotation controller.kubernetes.io/pod-deletion-cost to the Pod; its value is the cost of deleting that Pod, and Pods with lower values are deleted first. When the annotation is absent, the deletion cost is 0.

Indexed Jobs Alpha

Typically, when a Job is used to run a distributed task, users need a separate system to assign work to the Job's worker Pods, for example a work queue that hands tasks to each Pod one by one. The new Indexed Job in Kubernetes V1.21 assigns a numerical index to each task and exposes it to each Pod via the annotation batch.kubernetes.io/job-completion-index. To use it, set completionMode: Indexed in the Job spec.
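As an added example (not from the original article) serving both the TTL controller section above and this Indexed Job section, the Job below runs five indexed shards, reads its index from the annotation through the downward API, and is cleaned up by the TTL controller after it finishes. The Job name, image, command and TTL value are constructed.

```yaml
# Added example, not code from the original article.
apiVersion: batch/v1
kind: Job
metadata:
  name: shard-worker
spec:
  completionMode: Indexed          # needs the IndexedJob feature gate (Alpha in V1.21)
  completions: 5                   # indexes 0..4, one successful Pod per index
  parallelism: 2                   # at most two shards run at once
  ttlSecondsAfterFinished: 600     # TTL controller deletes the Job and its Pods 10 min after completion
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: worker
        image: busybox:1.34        # placeholder image
        env:
        - name: SHARD_INDEX        # constructed variable name
          valueFrom:
            fieldRef:
              fieldPath: metadata.annotations['batch.kubernetes.io/job-completion-index']
        command: ["sh", "-c", "echo processing shard $SHARD_INDEX of 5"]
```

Because each index is retried until one Pod with that index succeeds, the worker must be idempotent for its shard; and because the TTL removes the Pods with the Job, collect their logs with your logging pipeline rather than from the Pods themselves.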

TopologyAwareHints Alpha

Service Topology is deprecated in Kubernetes V1.21 and will be removed in V1.22. Kubernetes V1.21 adds topology-aware hints to provide similar functionality. When the feature is enabled, the EndpointSlice controller populates the hint fields of each Endpoint in an EndpointSlice to assign it to a zone. Components such as kube-proxy can then use these hints when configuring request routing.

Other new features to watch out for

  • CronJob goes stable; existing users should switch the API version to apiVersion: batch/v1.
  • Sysctls goes stable, so users finally have a stable API for configuring sysctls.
  • PodDisruptionBudget (PDB) goes stable; existing users should switch the API version to apiVersion: policy/v1.
  • RootCAConfigMap goes stable: kube-controller-manager publishes a ConfigMap named kube-root-ca.crt in every namespace, whose ca.crt can be used to validate connections to the Kubernetes API.
  • EndpointSlice goes stable; existing users should switch the API version to apiVersion: discovery.k8s.io/v1.
  • ServiceAccountIssuerDiscovery goes stable. This feature lets users federate the Kubernetes cluster (as the identity provider) with external systems (relying parties) that consume the service account tokens issued by the cluster.
  • CRIContainerLogRotation goes stable: Kubelet automatically rotates the logs of containerd and other CRI containers while they run.
  • Structured Logging is in Beta; many components now log in JSON format, making it easy for third-party logging systems to parse resource objects and attributes from the logs.
  • After kube-apiserver restarts, the Watch cache is restored more efficiently, which better supports large clusters.
  • CSIServiceAccountToken goes to Beta, enabling a CSI driver to obtain the Pod's ServiceAccount token.
  • Graceful node shutdown goes to Beta: Kubelet detects a node shutdown and terminates the Pods running on the node before it shuts down (ShutdownGracePeriod and ShutdownGracePeriodCriticalPods must be configured before use).
  • NetworkPolicy supports port ranges (port and endPort), so a large number of ports no longer has to be listed one by one.
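As an added example (not from the original article), the NetworkPolicy below uses the new endPort field to allow a contiguous port range with a single rule. The namespace, labels and port numbers are constructed.

```yaml
# Added example, not code from the original article.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-data-range
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: ftp
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: client
    ports:
    - protocol: TCP
      port: 21
    - protocol: TCP
      port: 30000
      endPort: 30100          # one rule instead of 101 entries; NetworkPolicyEndPort gate (Alpha in V1.21)
```

endPort requires a numeric port and must be greater than or equal to it. The CNI plug-in enforces the policy, so verify on a test Pod that a port inside the range is reachable and one just outside it is not: a plug-in that does not understand endPort will not enforce the range the way the manifest reads.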

Follow the Cloud Native WeChat official account to learn more about cloud native.