
Two weeks ago, the Kubernetes project received its first update after its tenth birthday. If you take a closer look at the release notes, at first glance there are few groundbreaking innovations in Kubernetes v1.31 with the mascot “Elli” – and that’s a good thing.
The technology has become “grown up”, “mainstream” and “boring”, some would say – and that is precisely why more emphasis is now being placed on optimizations and details. We would like to highlight a few of these updates in Kubernetes v1.31 in this blog post.
New features and updates
In the Kubernetes project, new functions and extensions go through a defined life cycle before they are declared fully functional and secure: from alpha to beta to GA (generally available).
Depending on the stage a feature has reached, you may need to enable a feature gate or similar setting before you can use it.
Below we present our release highlights in Kubernetes v1.31, including their availability, further links, and how you can try them out as quickly as possible.
More precise label-based authorization
Status: alpha
Kubernetes Enhancement Proposal: #4601
Description: With label-based authorization, users of the Kubernetes API (e.g. administrators, Kubernetes’ Kubelet on the cluster nodes, etc.) can be restricted in their permissions.
For example, developers could be granted access to Secrets only in the Namespaces assigned to them, or a Kubelet may be restricted in its view to local Pods.
Prerequisites: Activate the feature gate AuthorizeWithSelectors.
Restriction of anonymous API access
Status: alpha
Kubernetes Enhancement Proposal: #4633
Description: This feature allows you to configure and restrict the API endpoints that can be accessed anonymously. In this way, there is less risk of being compromised by unauthenticated users due to RBAC misconfiguration(s).
Prerequisites: Activate the feature gate AnonymousAuthConfigurableEndpoints.
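As an added illustration (not taken from the original post), this is what such a restriction can look like in the API server's authentication configuration file, here limiting anonymous access to the health endpoints. The choice of the three paths is an assumption made for this sample.

```yaml
# Constructed sample. Passed to kube-apiserver with --authentication-config=<file>;
# requires the AnonymousAuthConfigurableEndpoints feature gate in v1.31.
# Do not set the --anonymous-auth flag at the same time: the flag and the
# "anonymous" field below are mutually exclusive.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
anonymous:
  enabled: true
  # Anonymous requests are only accepted for these paths.
  # A request to any other path must authenticate, regardless of
  # what RBAC would grant to system:anonymous / system:unauthenticated.
  conditions:
  - path: /livez
  - path: /readyz
  - path: /healthz
```

With this in place, an overly broad RoleBinding for system:unauthenticated no longer exposes resources outside the listed paths, because the request is rejected at authentication before authorization is evaluated.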
Use of multiple service CIDRs
Status: beta
Kubernetes Enhancement Proposal: #1880
Documentation: Virtual IPs and Service Proxies [Kubernetes Docs]
Description: This feature in Kubernetes v1.31 makes it possible to manage service CIDRs using Kubernetes CRDs: IPAddress and ServiceCIDR. This means that ServiceRanges can now be adapted without downtime, which is a big step forward compared to time-consuming reconfigurations in the past, especially for long-lived or simply very large clusters.
Prerequisites: Activate the feature gate MultiCIDRServiceAllocator.
nftables backend for kube-proxy
Status: beta
Kubernetes Enhancement Proposal: #4633
Documentation: nftables migration guide [Kubernetes Docs]
Description: nftables is the successor to iptables and promises better performance and greater scalability. In combination with kube-proxy, frequently changing service endpoints in particular benefit from this. However, the feature is not yet supported by all CNIs – it is advisable to consult the relevant documentation before making the switch.
Requirements: Linux Kernel >5.13.
AppArmor Support
Status: stable
Kubernetes Enhancement Proposal: #24
Documentation: AppArmor Tutorial [Kubernetes Docs]
Description: From the low KEP ID you can see how long this feature has been waiting to finally be GA – and with Kubernetes v1.31 it finally is! It allows us to reference an AppArmor profile in the securityContext field of a container or Pod, which is then enforced by the container runtime. Before Kubernetes v1.31, this was only possible via annotations. Now there is the appArmorProfile.type field for this. It is recommended to migrate if possible.
Prerequisites: none
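The migration described above, shown as an added example that is not part of the original post: the same Pod once with the old annotation and once with the securityContext field. Pod, container, image and profile names are placeholders, and the Localhost profile is assumed to be already loaded on the node.

```yaml
# Constructed sample. Old form: annotation keyed by container name.
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-annotation-demo
  annotations:
    # value is runtime/default, localhost/<profile> or unconfined
    container.apparmor.security.beta.kubernetes.io/app: localhost/example-deny-write
spec:
  containers:
  - name: app
    image: registry.example/app:1.0
---
# New form: appArmorProfile in the securityContext.
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-field-demo
spec:
  # Pod-level default for every container that sets nothing itself.
  securityContext:
    appArmorProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example/app:1.0
    # Container-level setting overrides the Pod-level default.
    securityContext:
      appArmorProfile:
        type: Localhost            # RuntimeDefault | Localhost | Unconfined
        localhostProfile: example-deny-write
```

Unlike the annotation, the field is part of the typed Pod spec, so a misspelled type value is rejected on admission instead of being silently ignored.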
lastTransitionTime in Volumestatus
Status: stable
Kubernetes Enhancement Proposal: #3762
Documentation: Persistent Volumes [Kubernetes Docs]
Description: In the status of a PersistentVolume, the time of the last status change is now recorded in the form of a timestamp in the .status.lastPhaseTransitionTime field. This is particularly useful for debugging and creating SLOs, e.g. for the duration between request and provision of a PersistentVolume.
Prerequisites: none
You can find a complete list of all new features in Kubernetes v1.31 either in the release blog post or in the official release notes on GitHub.
Discontinuations and deprecations
As with every Kubernetes release, Kubernetes v1.31 also included a whole range of functions that were either discontinued or completely removed from the project.
For example, support for cgroups v1 has been moved to maintenance mode, which ultimately means that security vulnerabilities will continue to be patched reliably, but other bugs will be fixed on a “best effort” basis. The recommendation is to switch to cgroups v2 if you have not already done so.
Furthermore, Kubernetes v1.31 is finally cloud-agnostic: the last code snippets in the codebase that were specific to a particular cloud provider such as AWS, Microsoft Azure or Google Cloud Platform have been removed with this release.
The situation is similar with in-tree support for CephFS and CephRBD volumes: Here too, the implementation has been removed from the project. The recommended alternative is to use the corresponding CSI drivers.
We hope you enjoyed this brief overview of Kubernetes v1.31 and that you manage to upgrade to the new version before the next blog post in our Kubernetes releases series in a few months’ time.
To make sure you don’t miss these and other updates in the future, we would also like to recommend our newsletter – it summarizes everything we hear about cloud, Kubernetes and tech events once a month.




