Kubernetes 1.19 is released. This version offers the Ingress API as a stable version, supports TLS 1.3 and marks the beginning of an extended one-year support period

With modern web services, users expect apps to be available 24/7, and developers plan to release new versions of these apps several times a day. Containerization helps software packages achieve these goals by allowing applications to be published and updated quickly and easily with no downtime. With Kubernetes, you can make sure these containerized applications run where and when you want them and find the resources and tools they need to get the job done. Kubernetes is a production-ready open source platform that is based on Google’s collective experience in container orchestration and the best ideas from the community.

Although the release of the latest version of Kubernetes has been slightly delayed, the team behind its development rolled out Kubernetes version 1.19 with several updates that improve the production readiness of Kubernetes. These improvements include the availability of ingress and seccomp functions in a stable version, security improvements such as support for TLS 1.3, and other functional improvements.

Finally, we came to Kubernetes 1.19, the second release for 2020, and by far the longest release cycle, lasting a total of 20 weeks. It consists of 34 improvements: 10 improvements are made in the stable version, 15 improvements in the beta version and 9 improvements in the alpha version.

Version 1.19 was very different from a regular version due to COVID-19, the protests of George Floyd and several other global events that we experienced as a release team. Because of these events, we decided to adjust our schedule and give SIGs, workgroups, and contributors more time to get things done. The extra time also allowed people to take the time to focus on their lives outside of the Kubernetes project and make sure their mental wellbeing was in the right place.

Contributors are at the heart of Kubernetes, not the other way around. The Kubernetes Code of Conduct requires people to be great to one another, and despite the turmoil in our world, we have only seen the greatness and humility of the community.

Although the Kubernetes team has released four updates a year in the past, only three will be released this year due to the pandemic conditions. Version 1.19 will probably be the last update of this calendar year.

Ingress and seccomp

Ingress

Ingress was originally introduced as a beta API in Kubernetes version 1.1. An ingress is a Kubernetes object that manages external access to services in a cluster, usually HTTP traffic. An ingress can provide load balancing, TLS termination, and name-based virtual hosting. Ingress (or an internetwork), the Kubernetes v1.1 add-on, exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. The routing of the traffic is controlled by rules that are defined in the Ingress resource.

An ingress can be configured to give services externally accessible URLs, load balanced traffic, SSL / TLS termination, and name-based virtual hosting. An ingress controller is responsible for running the ingress, usually with a load balancer. However, it can also configure your peripheral router or additional interfaces to manage the data traffic.

An ingress controller must be used for the ingress resource to work. Kubernetes currently supports and maintains GCE / GKE (Google Cloud Engine / Google Kubernetes Engine) and Nginx controllers.

Version 1.19 updates Ingress to a stable version and adds v1 to the Network API. This update makes important changes to Ingress v1 objects, including schema and validation changes.

Seccomp

seccomp (Security Computing Mode) is also available as a stable version in Kubernetes version 1.19. seccomp is a security feature for the Linux kernel that limits the number of system calls that applications can make. It was first introduced as a Kubernetes feature in version 1.3, but it had some limitations. Previously, when applying Seccomp profiles to pods, a comment about a PodSecurityPolicy was required.

In this version, seccomp introduces a new seccompProfile field that is added to the pod and container object securityContext. To ensure the backward compatibility of Kubelet, Seccomp profiles are applied in the order of their priority:

Container-specific field. Container-specific note. Control on the pod scale. Note on the pod scale.

The pod sandbox container is now also configured with a separate runtime / standard seccomp profile in this update.

The support period for Kubernetes has been increased to one year

A survey conducted by the Long Term Support (LTS) working group in early 2019 found that a significant proportion of Kubernetes end users are not upgrading during the current 9 month support period. These and other survey responses suggest that 30% of users could keep their deployments on supported versions if the patch support period were extended to 12-14 months. The team estimated that extending this support period would allow more than 80% of users to use supported versions instead of the current 50-60%.

An annual support period provides the element that end users seem to want and is more in line with typical annual planning cycles. Starting with Kubernetes version 1.19, the support window will be extended by one year.

Monitoring of storage capacity

Traditionally, the Kubernetes scheduler is based on the assumption that additional persistent storage is available across the cluster and has infinite capacity. Topology constraints related to the first point, but until now pod planning has always been done regardless of the remaining storage capacity insufficient to start a new pod.

Capacity Tracking, a new Alpha feature, addresses this issue by adding an API for a CSI driver to report capacity and using this information in the Kubernetes scheduler when selecting a node (individual computer) virtually or physically in a Kubernetes cluster) for a pod. This feature serves as a stepping stone to support dynamic provisioning for local volumes and other types of volumes with limited capacity.

Generic volume volumes

Kubernetes offers volume plugins whose lifecycle is tied to a pod and which can be used as a workspace (e.g. the built-in volume type Emptydir) or to load certain data into a pod (e.g. the built-in configuration and) Secret Media Types or CSI Online Media – A secret is an object that contains a small amount of sensitive information (such as a password, token, or key).

With the new Alpha feature of Generic Inferred Volumes, any existing storage driver that supports dynamic provisioning can be used as an inferred volume with the pod-bound volume lifecycle. It can be used to provide a different memory than the root disk, e.g. B. persistent storage or a separate local volume on this node. All StorageClass settings for volume provisioning are supported. All features supported by PersistentVolumeClaims are supported, e.g. B. Capacity tracking, snapshots and recovery, and volume resizing.

Monitoring of CSI volume health

The alpha version of CSI Health Monitor is released with Kubernetes 1.19. This feature allows CSI drivers to share abnormal volume conditions of the underlying storage systems with Kubernetes so that they can be reported as events on PVCs or Pods. This feature serves as a stepping stone for the programmatic detection and resolution of individual volume health issues through Kubernetes.

Support for TLS 1.3

As per the recommendations gathered during last year’s security audit, Kubernetes version 1.19 provides support for new TLS 1.3 ciphers that can be used with the Orchestrator.

Node Debug Overview

Kubernetes 1.19 introduces the kubectl alpha debugging command, which is now available in alpha. This command creates and runs a new pod in the host operating system namespaces to debug the nodes. Users can now check a running pod without having to restart it. In addition, users no longer have to enter the container themselves to check systems or initiate operations such as debugging utilities or initial network requests from the Pod’s network namespace. This improvement removes the SSH dependency for node maintenance and debugging.

Other changes and impairments

For the sake of inclusiveness, Kubernetes 1.19 also includes changes in terminology that is used to reflect a broader language, such as replacing the whitelist with an allow list.

An additional change has been made to the pod topology distribution, which automatically creates topologies and applies better differentiation between nodes and zones to achieve more balanced results between constraints. This feature was released in beta version 1.18 to create simple definitions for complex pod layouts. In addition, the “Immutable secrets and configuration cards” function, which was also introduced in version 1.18, will be included in the beta version in version 1.19.

Hyberkube is now out of date and will no longer be built by the Kubernetes project in the future. Some older versions of Beta APIs are also deprecated in version 1.19. They should be removed in version 1.22, which can become an annoying version for many users.

