Kubernetes Releases (1.15 and 1.16) in Detail

This post was put together by Alibaba Cloud's Container Service team. Post contributors include Zhang Xiaoyu, Huang Ke, Lu Jinda, Li Chuanyun, Chen Jun, and Gao Xianglin. Their nicknames at Alibaba, in the same order, are Zhongyuan, Zhitian, Guiji, Huanyun, Chenjun, and Chanming.

This topic provides an overview of Kubernetes releases from versions 1.15 and 1.16. The purpose of this article is to highlight that it is necessary to upgrade from version 1.14 to 1.16, as there have been significant updates, which will be described in detail throughout this article. Release version changes are grouped by feature.

As a quick overview, version 1.15 shipped 25 enhancements: 2 moving to stable, 13 in beta, and 10 in alpha. Version 1.16 shipped 31 enhancements: 8 moving to stable, 8 in beta, and 15 in alpha.

Node

Version 1.15

  • The following deprecated kubelet security control parameters have been removed: AllowPrivileged, HostNetworkSources, HostPIDSources, and HostIPCSources. Admission controls such as PodSecurityPolicy take their place and give finer-grained control.
  • The deprecated kubelet startup parameter --allow-privileged has been removed. Kubelet startup scripts that still pass it must be cleaned up accordingly.
  • The kubelet now collects only metrics for nodes, the container runtime, the kubelet itself, pods, and container cgroups.

Version 1.16

  • The following node labels are no longer attached to new nodes: beta.kubernetes.io/metadata-proxy-ready, beta.kubernetes.io/masq-agent-ds-ready, and beta.kubernetes.io/kube-proxy-ds-ready. They are replaced by the following labels:
      • node.kubernetes.io/masq-agent-ds-ready
      • node.kubernetes.io/kube-proxy-ds-ready
      • cloud.google.com/metadata-proxy-ready
  • The following kubelet feature gates have been removed: HugePages, VolumeScheduling, CustomPodDNS, and PodReadinessGates.
  • The --containerized flag, deprecated since version 1.14, is removed in version 1.16.
  • The node labels beta.kubernetes.io/os and beta.kubernetes.io/arch, deprecated since version 1.14, will be removed in version 1.18.
  • The cAdvisor metric labels pod_name and container_name are replaced by pod and container, respectively. Every Prometheus query that matches on the pod_name or container_name labels must be updated.
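The label rename above silently breaks alerting rules and dashboards that select on pod_name or container_name. The following script is an added example (not part of the original post) that finds such references in PromQL expressions and rewrites them, while leaving string literals alone so that a label value or regex that happens to contain the text "pod_name" is not touched. The sample queries are constructed for the example.

```python
import re

# Label renames applied to cAdvisor container metrics in Kubernetes 1.16,
# as listed in the release notes above.
RENAMED_LABELS = {"pod_name": "pod", "container_name": "container"}

# A label name in a matcher (`pod_name=~"..."`) or grouping clause (`by (pod_name)`).
# \b keeps metric names such as kube_pod_name_info untouched, because `_` is a word character.
_OLD_LABEL_RE = re.compile(r"\b(pod_name|container_name)\b")

# PromQL string literals: label values and regexes must never be rewritten.
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|`[^`]*`')


def _split_code_and_strings(query):
    """Yield (is_string, fragment) pairs so rewrites only touch code fragments."""
    pos = 0
    for m in _STRING_RE.finditer(query):
        if m.start() > pos:
            yield False, query[pos:m.start()]
        yield True, m.group(0)
        pos = m.end()
    if pos < len(query):
        yield False, query[pos:]


def find_old_labels(query):
    """Return the sorted set of pre-1.16 label names referenced outside string literals."""
    found = set()
    for is_string, frag in _split_code_and_strings(query):
        if not is_string:
            found.update(_OLD_LABEL_RE.findall(frag))
    return sorted(found)


def rename_cadvisor_labels(query):
    """Rewrite pod_name -> pod and container_name -> container in a PromQL query,
    leaving string literals (label values, regexes) exactly as they are."""
    parts = []
    for is_string, frag in _split_code_and_strings(query):
        if is_string:
            parts.append(frag)
        else:
            parts.append(_OLD_LABEL_RE.sub(lambda m: RENAMED_LABELS[m.group(1)], frag))
    return "".join(parts)


def migrate_rules(queries):
    """Return (query, rewritten) for every query that still uses the old labels.

    `queries` is a list of PromQL expressions taken from, e.g., alerting rules or dashboards."""
    return [(q, rename_cadvisor_labels(q)) for q in queries if find_old_labels(q)]


# Constructed sample expressions, in the style of alerting rules that break after the upgrade.
SAMPLE_QUERIES = [
    'sum(rate(container_cpu_usage_seconds_total{pod_name=~"api-.*", container_name!="POD"}[5m])) by (pod_name, container_name)',
    'container_memory_working_set_bytes{namespace="prod"} > 1e9',
    'kube_pod_info{pod="pod_name"}',  # old name only inside a string: must not be rewritten
]

if __name__ == "__main__":
    for old, new in migrate_rules(SAMPLE_QUERIES):
        print(f"- {old}\n+ {new}")
```

Run it over the expressions extracted from your rule files before the upgrade; only the first sample query is reported, because the third one references pod_name only inside a label value.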

Scheduler

Version 1.15

  • When a BestEffort pod has conflicting tolerations, that is, tolerations with the same key and effect, the last one is used as the basis for scheduling.
  • The performance of PodAffinity is improved by about a factor of two.

Version 1.16

  • The scheduler uses the v1beta1 Event API. Tools that consume scheduler events need to be updated accordingly.
  • Pod topology spread constraints are added in alpha. You can use them to control how pods are spread across the failure domains of the cluster.

CRD

Version 1.16

  • Custom resources: CRDs are widely used as an extension to Kubernetes. CRDs have been available in beta since version 1.7. In version 1.16, CRDs are officially graduated to general availability (GA).
  • Admission webhook: Admission webhooks are widely used as an extension of Kubernetes. They have been available in beta since version 1.9. In version 1.16, admission webhooks are officially graduated to GA.
  • Overhauled metrics: Kubernetes widely uses a global metrics registry to register the metrics to be published. Through a metrics registry, metrics can be registered in a more transparent way. Previously, Kubernetes metrics were excluded from any stability requirements.
  • Volume Extension: Many enhancements related to volumes and volume modifications are available in this release. The support for volume resizing in the CSI specification is moving to beta, which allows any CSI spec volume plugin to be resizable.

API Server

Version 1.16

  • The PodPriority feature gate is enabled by default and will be deprecated in version 1.18.
  • The WatchBookmark feature is moving to beta and is enabled by default. It addresses the case where a watcher receives no events for a long time: when it later reconnects, its last known resourceVersion may have expired and it must re-list all resources. Bookmark events keep the watcher's resourceVersion current so that the re-list is avoided.

API Changes

1. The extensions/v1beta1, apps/v1beta1, and apps/v1beta2 APIs are no longer served by default.

  • All resources under apps/v1beta1 and apps/v1beta2 are replaced by resources under apps/v1.
  • Resources under extensions/v1beta1, including daemonsets, deployments, and replicasets, are replaced by resources under apps/v1.
  • The resources networkpolicies under extensions/v1beta1 are replaced by resources under networking.k8s.io/v1.
  • The resources podsecuritypolicies under extensions/v1beta1 are replaced by resources under policy/v1beta1.

The --runtime-config flag of the API server can be used to re-enable these resources temporarily. Relying on it is not recommended in this release; use it only as a stopgap while you migrate to the stable API versions. The relevant values are:

  • apps/v1beta1=true
  • apps/v1beta2=true
  • extensions/v1beta1/daemonsets=true
  • extensions/v1beta1/deployments=true
  • extensions/v1beta1/replicasets=true
  • extensions/v1beta1/networkpolicies=true
  • extensions/v1beta1/podsecuritypolicies=true

The APIs for these resources will be completely deleted in version 1.18.
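Before upgrading a cluster to 1.16, it pays to inventory manifests for objects that will stop being served. The following script is an added example (not part of the original post): it scans a multi-document YAML string for top-level apiVersion/kind pairs, maps them to the replacement API versions and --runtime-config entries listed above, and separates resources that are removed in 1.16 from those (Ingress under extensions/v1beta1) that are only deprecated. The sample manifests are constructed; the script parses YAML with regular expressions so that it runs with the standard library alone.

```python
import re
from dataclasses import dataclass

# Replacement API versions for resources that 1.16 no longer serves by default,
# taken from the API Changes list above. "*" means every kind in that group.
REPLACEMENTS = {
    ("apps/v1beta1", "*"): "apps/v1",
    ("apps/v1beta2", "*"): "apps/v1",
    ("extensions/v1beta1", "Deployment"): "apps/v1",
    ("extensions/v1beta1", "DaemonSet"): "apps/v1",
    ("extensions/v1beta1", "ReplicaSet"): "apps/v1",
    ("extensions/v1beta1", "NetworkPolicy"): "networking.k8s.io/v1",
    ("extensions/v1beta1", "PodSecurityPolicy"): "policy/v1beta1",
}

# Still served in 1.16 but deprecated (see the Network > API Changes section of the post).
DEPRECATED_ONLY = {("extensions/v1beta1", "Ingress"): "networking.k8s.io/v1beta1"}

# --runtime-config entries that temporarily re-enable a removed resource (from the list above).
RUNTIME_CONFIG = {
    ("apps/v1beta1", "*"): "apps/v1beta1=true",
    ("apps/v1beta2", "*"): "apps/v1beta2=true",
    ("extensions/v1beta1", "Deployment"): "extensions/v1beta1/deployments=true",
    ("extensions/v1beta1", "DaemonSet"): "extensions/v1beta1/daemonsets=true",
    ("extensions/v1beta1", "ReplicaSet"): "extensions/v1beta1/replicasets=true",
    ("extensions/v1beta1", "NetworkPolicy"): "extensions/v1beta1/networkpolicies=true",
    ("extensions/v1beta1", "PodSecurityPolicy"): "extensions/v1beta1/podsecuritypolicies=true",
}

# Top-level (unindented) apiVersion/kind keys of one YAML document; quotes are optional.
_API_RE = re.compile(r"^apiVersion:\s*['\"]?([^'\"\s]+)", re.M)
_KIND_RE = re.compile(r"^kind:\s*['\"]?([^'\"\s]+)", re.M)


@dataclass
class Finding:
    doc_index: int
    api_version: str
    kind: str
    status: str        # "removed" (not served in 1.16) or "deprecated" (still served)
    replacement: str


def _lookup(table, api_version, kind):
    return table.get((api_version, kind)) or table.get((api_version, "*"))


def scan_manifests(text):
    """Scan a multi-document YAML string and report objects using removed or deprecated APIs."""
    findings = []
    for i, doc in enumerate(re.split(r"^---[ \t]*$", text, flags=re.M)):
        api, kind = _API_RE.search(doc), _KIND_RE.search(doc)
        if not api or not kind:
            continue
        api, kind = api.group(1), kind.group(1)
        if repl := _lookup(REPLACEMENTS, api, kind):
            findings.append(Finding(i, api, kind, "removed", repl))
        elif repl := _lookup(DEPRECATED_ONLY, api, kind):
            findings.append(Finding(i, api, kind, "deprecated", repl))
    return findings


def runtime_config_value(findings):
    """Build the --runtime-config value that keeps the removed objects served for now."""
    entries = {_lookup(RUNTIME_CONFIG, f.api_version, f.kind) for f in findings if f.status == "removed"}
    return ",".join(sorted(e for e in entries if e))


# Constructed sample manifests mixing removed, deprecated and already-migrated objects.
SAMPLE_MANIFESTS = """\
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: web
---
apiVersion: apps/v1beta2
kind: StatefulSet
metadata:
  name: db
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: already-migrated
---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
"""

if __name__ == "__main__":
    found = scan_manifests(SAMPLE_MANIFESTS)
    for f in found:
        print(f"doc {f.doc_index}: {f.kind} {f.api_version} is {f.status}; use {f.replacement}")
    print("stopgap: --runtime-config=" + runtime_config_value(found))
```

The runtime-config output is meant only to keep a cluster serving old objects for the duration of the migration; the findings list is what should drive the manifest changes, since the APIs disappear entirely in version 1.18.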

2. Aggregated discovery requests can now time out. Aggregated API servers must complete discovery calls within five seconds; other requests may take longer.

You can temporarily extend the timeout to 30 seconds by setting the feature gate EnableAggregatedDiscoveryTimeout=false. This feature gate will be removed in version 1.17.

Storage

Version 1.15

Previously, you had to create a PV and a PVC to use a CSI volume. With inline CSI volumes, you can declare a CSI volume directly in the pod spec, and its lifecycle is tied to the pod: the volume is created when the pod is created and destroyed when the pod is destroyed.

You can create a PVC by cloning an existing PVC, which copies both the volume specification and the data. PVC cloning suits scenarios such as data migration and standing up a replica of a production environment. It supports only CSI volumes, not in-tree plugins or FlexVolume.

The kubelet used to scan files periodically to measure ephemeral-storage usage. Project quotas are introduced in version 1.15 and are both faster and more accurate than periodic scanning: if a file is opened and then deleted, scanning cannot find it, yet it still occupies space.

In the future, project quotas can also be used to enforce a hard limit on the space available to each volume. I/O writes are rejected once the limit is reached, so a full volume belonging to an unimportant container no longer causes the whole pod to be evicted. This is how isolation between containers is achieved.

Feature Stability Changes

  • Online PV capacity expansion is moving to beta.

Online expansion lets you grow a volume without rebuilding the pod.

  • Support for environment variables in subPath is moving to beta.

subPath lets multiple pods use sub-paths of the same volume. With the subPathExpr field, you can use Downward API environment variables to build a unique sub-path for each pod. For example, every pod can mount the volume at the same mount point while using a sub-path derived from the pod name (subPathExpr: $(POD_NAME)), which gives each pod its own isolated data directory.
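To make the isolation concrete, the following added example (not part of the original post) models how the kubelet turns a subPathExpr into a per-pod directory on the shared volume: $(VAR) references are expanded from the container's environment, $$ becomes a literal $, and unknown variables are left as written. This is a simplified model written for the example, not kubelet code. It also mirrors the API rule that a subPath must be relative and must not contain a ".." segment, so an expansion that would leave the volume is rejected rather than mounted. The pod names and environment maps are constructed.

```python
import re
import posixpath

# `$$` escape or a `$(VAR)` reference, the syntax Kubernetes uses for variable expansion.
_VAR_RE = re.compile(r"\$\$|\$\((?P<name>[A-Za-z_][A-Za-z0-9_]*)\)")


def expand_subpath_expr(expr, env):
    """Expand $(VAR) references in a subPathExpr from the container's environment.

    Simplified model of the kubelet's expansion (an assumption made for this example):
    known variables are substituted, `$$` becomes a literal `$`, and references to
    unknown variables are left exactly as written."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        return env.get(m.group("name"), m.group(0))
    return _VAR_RE.sub(repl, expr)


def is_safe_subpath(subpath):
    """Mirror the API rules for subPath: it must be relative and contain no `..` segment."""
    if not subpath or subpath.startswith("/"):
        return False
    return ".." not in subpath.split("/")


def mount_source(volume_root, expr, env):
    """Return the directory inside the volume that a pod's mount resolves to, or None if unsafe."""
    subpath = expand_subpath_expr(expr, env)
    if not is_safe_subpath(subpath):
        return None
    return posixpath.join(volume_root, subpath)


def per_pod_sources(volume_root, expr, pods):
    """Map each pod name to the volume directory it gets; `pods` is {pod_name: env}.

    The Downward API exposes metadata.name as an env var (POD_NAME here), so the
    expanded sub-path differs per pod even though the container mount point is identical."""
    return {name: mount_source(volume_root, expr, env) for name, env in pods.items()}


# Constructed sample: two replicas share one volume, each with POD_NAME from the Downward API.
SAMPLE_PODS = {
    "web-0": {"POD_NAME": "web-0", "NAMESPACE": "shop"},
    "web-1": {"POD_NAME": "web-1", "NAMESPACE": "shop"},
}

if __name__ == "__main__":
    sources = per_pod_sources("/mnt/shared", "$(NAMESPACE)/$(POD_NAME)", SAMPLE_PODS)
    for pod, src in sources.items():
        print(f"{pod}: /data in the container -> {src} on the volume")
```

Because pod names are DNS-1123 labels, a sub-path built from $(POD_NAME) can never contain "/" or "..", which is what makes this pattern a safe way to give each pod a private directory; the validity check matters when the expression refers to other environment variables.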

Version 1.16

  • CSI is supported on Windows nodes in v1.16 and later.
  • PVC cloning is moving to beta.
  • Support for ephemeral inline CSI volumes is moving to beta.
  • Support for CSI volume resizing is moving to beta.

Network

Version 1.15

  • kube-proxy in IPVS mode can now be restarted transparently: it no longer automatically cleans up network rules when switching modes. Graceful termination for UDP traffic is disabled.
  • service.spec.externalName may end with a dot.
  • Several minor bugs are fixed.

Version 1.16

IPv4/IPv6 Dual-stack (in Alpha)

IPv4 and IPv6 addresses can be allocated to pods and services, which is an important step for the transition to IPv6. Enabling IPv4 and IPv6 dual-stack in Kubernetes clusters provides the following functions:

  • Each pod is assigned an IPv4 address and an IPv6 address.
  • You can use services that support IPv4 or IPv6.
  • The outbound traffic of pods can be routed through IPv4 and IPv6 addresses.

EndpointSlice API (in Alpha)

In the current implementation, each Service object corresponds to one Kubernetes Endpoints object that holds the information of all backend pods. As the number of backend pods grows, every Add, Update, or Delete of a single backend pod puts significant load on control-plane components such as the apiserver, etcd, the endpoints controller, and kube-proxy.

Therefore, the EndpointSlice API is introduced so that backend pod information can be split across several EndpointSlice objects. A Service owns multiple EndpointSlices, each containing multiple endpoints (100 at most by default), and each endpoint corresponds to one backend instance. This resolves the performance problem while leaving room for further network features: for example, an endpoint can carry the topology of its backend (region, zone, and hostname), which can be used to route clients to the nearest backend.

Finalizer Protection for Service LoadBalancers in Beta

This feature ensures that the service resource objects will not be completely deleted before the relevant load balancer is deleted.

API Changes

  • NetworkPolicy: extensions/v1beta1 is deprecated and replaced by networking.k8s.io/v1 API.
  • Ingress: extensions/v1beta1 is deprecated and replaced by networking.k8s.io/v1beta1 API.