Kubernetes 1.22: What Is Newly Added and What Is Deprecated?

Kubernetes is at it again: version 1.22 has just been released, and there is a lot to look out for in the new release.

There are 56 enhancements, of which 13 have graduated to Stable, 24 have seen significant improvements, and 16 are brand new. One thing to note is that multiple beta APIs are *removed.* Not deprecated, removed.

Key points to note in the Kubernetes 1.22 version

Here is what the professionals at Sysdig had to say:

#2579 Pod Security Policy replacement

After being deprecated in Kubernetes 1.21, we knew a replacement for Pod Security Policies was on the way, but we didn’t know what it would look like. We are happy to learn that it will be an Admission Controller, reusing part of the existing infrastructure.

~ Alvaro Iradier – Software Engineer at Sysdig

#2033 Rootless mode containers

Not running containers as root is the No. 1 container security best practice. It’s reassuring that this measure is being taken to the extreme, allowing us to run the entire Kubernetes stack in the userspace. This is really gonna make Kubernetes more secure.

~ Alejandro Villanueva – Product Analyst at Sysdig

#2413 Seccomp by default

If one thing is clear after this Kubernetes release, it’s the shift to security first. Adding this extra layer of security by default will render many potential exploits pointless. Steps like this will absolutely change how people see Kubernetes.

~ Víctor Jiménez – Content Engineering Manager at Sysdig

#2400 Node swap support

One of those tiny details we like to see on every Kubernetes release, it won’t make headlines but will make lives much easier. The swap was a given for every developer. By being supported, there’s one thing less to worry about when using Kubernetes.

~ Michele Zuccala – Director of Open Source Engineering at Sysdig

#2254 #2570 Cgroupsv2

Same as with swap, it’s great to see support for more native Linux features. In this case, Cgroupsv2 enables more options for Memory QoS, which (in Kubernetes 1.22) will help avoid the performance throttling of workloads running in Kubernetes.

~ David de Torres – Manager of engineer at Sysdig

Which APIs Were Removed in the K8s 1.22 Release?

So, according to the new release of version 1.22, you will no longer be able to use:

  • Beta versions of the ValidatingWebhookConfiguration and MutatingWebhookConfiguration API (the admissionregistration.k8s.io/v1beta1 API versions)
  • The beta CustomResourceDefinition API (apiextensions.k8s.io/v1beta1)
  • The beta APIService API (apiregistration.k8s.io/v1beta1)
  • The beta TokenReview API (authentication.k8s.io/v1beta1)
  • Beta API versions of SubjectAccessReview, LocalSubjectAccessReview, and SelfSubjectAccessReview (API versions from authorization.k8s.io/v1beta1)
  • The beta CertificateSigningRequest API (certificates.k8s.io/v1beta1)
  • The beta Lease API (coordination.k8s.io/v1beta1)
  • All beta Ingress APIs (the extensions/v1beta1 and networking.k8s.io/v1beta1 API versions)

To be clear, they are not deprecated but removed. That means that you won’t be able to re-enable them with a feature flag. If you are using them, you’ll have to migrate to their stable versions.

Ingress is of special interest, since we use it to access containers from outside the K8s cluster. But how are we going to do this now? Luckily, there’s already something in place for that: hostNetwork is what we need! For example, you could create an influxdb pod with a quick and easy manifest that looks something like this:

apiVersion: v1
kind: Pod
metadata:
  name: influxdb
spec:
  hostNetwork: true
  containers:
    - name: influxdb
      image: influxdb

With hostNetwork set to true, that Pod is accessible from outside the cluster. This is not only exponentially easier than using ingress, but it’s also more secure. Know more about what is removed from Kubernetes, and the replacement functionality, by reading the full guide here.
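Added example, not part of the original article: a pre-upgrade manifest audit in Python that reports each beta apiVersion from the list above with its stable replacement (the stable `networking.k8s.io/v1` Ingress is still served in 1.22) and also reports `hostNetwork: true`, which puts the pod in the node's network namespace and is disallowed by the baseline Pod Security Standards profile. The `audit` function, the regex-based parsing (one resource per YAML document, top-level keys in column 0) and the sample manifests are assumptions of this example.

```python
import re

# Removed-in-1.22 beta apiVersion -> (stable replacement, kinds; None = all kinds).
REMOVED = {f"{g}/v1beta1": (f"{g}/v1", None) for g in (
    "admissionregistration.k8s.io", "apiextensions.k8s.io",
    "apiregistration.k8s.io", "authentication.k8s.io",
    "authorization.k8s.io", "certificates.k8s.io", "coordination.k8s.io")}
REMOVED["extensions/v1beta1"] = ("networking.k8s.io/v1", {"Ingress"})
REMOVED["networking.k8s.io/v1beta1"] = ("networking.k8s.io/v1", {"Ingress", "IngressClass"})
# metadata.name only: the key must sit at the indent of metadata's first child.
NAME = re.compile(r"^metadata:[ \t]*\n(?P<i>[ \t]+)(?:.*\n(?P=i))*?name:[ \t]*(\S+)", re.M)

def audit(manifests):
    """Return (kind, name, finding) tuples for a multi-document YAML string."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", manifests, flags=re.M):
        # Top-level keys only (column 0), so nested apiVersion fields are ignored.
        top = dict(re.findall(r"^(apiVersion|kind):[ \t]*[\"']?([^\s\"']+)", doc, re.M))
        api, kind = top.get("apiVersion"), top.get("kind")
        if not api or not kind:
            continue
        m = NAME.search(doc)
        name = m.group(2) if m else "<unnamed>"
        stable, kinds = REMOVED.get(api, (None, None))
        if stable and (kinds is None or kind in kinds):
            findings.append((kind, name, f"{api} is removed in 1.22, use {stable}"))
        if re.search(r"^[ \t]+hostNetwork:[ \t]*true\b", doc, re.M):
            findings.append((kind, name, "hostNetwork: true shares the node's network namespace"))
    return findings

# Constructed sample manifests, not taken from a real cluster.
SAMPLE = """\
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web
---
apiVersion: v1
kind: Pod
metadata:
  name: influxdb
spec:
  hostNetwork: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-v1
"""
```

Calling `audit(SAMPLE)` returns two findings, one for the beta Ingress and one for the host-networked Pod; the `networking.k8s.io/v1` Ingress produces none.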

New Features in Kubernetes 1.22 version

Now it is time to check out the new additions in the new Kubernetes version.

Server-Side Apply

Server-Side Apply makes it easier for both users and controllers to manage resources via declarative configurations. This feature, a new field ownership and object merge algorithm, has finally moved to general availability. It moves the logic away from the kubectl apply command and into the apiserver. Server-Side Apply also tracks a user’s field management (rather than a user’s last applied state). Field management is stored in an object’s metadata, using the managedFields field, like so:

apiVersion: v1
kind: ConfigMap
metadata:
  name: test-cm
  namespace: default
  labels:
    test-label: test
  managedFields:
  - manager: kubectl
    operation: Apply
    apiVersion: v1
    time: "2010-10-10T00:00:00Z"
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          f:test-label: {}
      f:data:
        f:key: {}
data:
  key: some value
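Added example, not part of the original article or of Kubernetes itself: this Python walks the `fieldsV1` trees under `managedFields` and, for a given manager and the fields it intends to set, returns the fields currently owned by other managers. The function names and the second manager, `example-controller`, are constructed for illustration; the first entry mirrors the ConfigMap above.

```python
def owned_paths(fields, prefix=()):
    """Flatten a fieldsV1 tree into tuples of path segments, one per owned leaf."""
    paths = []
    for key, sub in fields.items():
        if key == ".":  # "." marks the enclosing field itself, not a child
            continue
        # "f:<name>" is a struct field or map key; other prefixes (such as
        # "k:{...}" for a keyed list item) are kept verbatim as the segment.
        path = prefix + (key[2:] if key.startswith("f:") else key,)
        paths += owned_paths(sub, path) or [path]
    return paths

def foreign_owners(obj, manager, wanted):
    """Return {path: [other managers]} for wanted paths that `manager` does not
    own alone. Changing such a field via apply is reported as a conflict."""
    owners = {}
    for entry in obj.get("metadata", {}).get("managedFields", []):
        for path in owned_paths(entry.get("fieldsV1", {})):
            owners.setdefault(path, set()).add(entry["manager"])
    result = {}
    for path in map(tuple, wanted):
        others = owners.get(path, set()) - {manager}
        if others:
            result[path] = sorted(others)
    return result

# The article's ConfigMap plus a constructed second manager ("example-controller").
CONFIGMAP = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "test-cm", "namespace": "default", "managedFields": [
        {"manager": "kubectl", "operation": "Apply", "fieldsV1": {
            "f:metadata": {"f:labels": {"f:test-label": {}}},
            "f:data": {"f:key": {}}}},
        {"manager": "example-controller", "operation": "Update", "fieldsV1": {
            "f:data": {"f:extra": {}}}},
    ]},
    "data": {"key": "some value", "extra": "constructed"},
}

if __name__ == "__main__":
    print(foreign_owners(CONFIGMAP, "example-controller",
                         [("data", "key"), ("data", "extra")]))
```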

External Credential Providers

External credential providers provide a way of obtaining external client authentication credentials (such as bearer tokens or TLS client certificates). This feature has been in beta since Kubernetes 1.11 and finally graduates to Stable. This feature includes improved support for plugins that add interactive login flows and a number of bug fixes. To get started with this feature, visit the sample-exec-plugin code on GitHub for more information.

Etcd Is Now at Version 3.5.0

The Kubernetes backend storage mechanism, etcd, is now at version 3.5.0, including numerous security, performance, and monitoring improvements. Both structured logging and log rotation have been added. For more expensive requests, enhanced detailed tracking has been added, which provides a very useful signal to help developers understand the lifetime of a request spanning multiple etcd server components.

Cgroups V2 API

Kubernetes initially used version 1 of the cgroups API, which means the quality-of-service (QoS) class for a given Pod would only apply to CPU resources. Kubernetes v1.22 now includes an alpha version of the cgroups v2 API, which controls memory allocation and isolation. This should significantly improve workload and node availability, and enhance the predictability of a container’s lifecycle.

Node System Swap Support

If you’ve ever deployed a Kubernetes cluster, you know one of the first things you must do is disable swap. For that, you open the /etc/fstab file with the command:

sudo nano /etc/fstab

And comment out the line starting with:

/swap.img

Once you’ve done that, you disable the currently running instance with the command:

sudo swapoff -a

As of Kubernetes 1.22, alpha support has been added such that you can run nodes with swap memory enabled.

Rootless Mode Containers

Everyone knows running containers as a non-root user is a must for security. This is as much of a no-brainer as it gets. But with version 1.22, the developers are taking this idea to new levels and allowing administrators to run the entire Kubernetes stack as a non-root user. In the end, this should go a very long way to help secure Kubernetes.

Other changes in Kubernetes 1.22:

  • QoS for memory resources is available as a beta feature. The cgroups v2 API can now be used to designate how memory is allocated and isolated for pods, making it easier to deploy multiple applications that might fight each other for memory usage.
  • Better support for developing and running on Microsoft Windows. Some Kubernetes features for Windows are still alpha (e.g., privileged containers), but it’s now possible to run more of the early-support Kubernetes features on Windows by manually building the Windows kubelet and kube-proxy binaries.
  • Nodes can now run on systems where swap memory is activated if needed. (Alpha feature.) Kubernetes admins used to have to disable swap space before setting up Kubernetes.
  • Cluster-wide default seccomp profiles are now available. (Alpha.)
  • kubeadm can now be run as non-root if needed by running the control plane with lower privileges. (Alpha.) All other Kubernetes node components can be run experimentally as a non-root user as well.

Features Graduated to Stable and Other Updates in Kubernetes 1.22

Other Kubernetes features that have graduated to “stable” status, which means they are ready to use, include:

  • Bound Service Account Token Volumes
  • CSI Service Account Token
  • Windows Support for CSI Plugins
  • Warning mechanism for deprecated API use
  • PodDisruptionBudget Eviction

mike