Priyanka Saggu, Kubernetes v1.29 release lead, discusses the new features and enhancements of the release. The interview also covers address encryption in Kubernetes APIs, the trend of treating vendor-specific functionalities as plugins, and reflections on the past year of the podcast.
Kubernetes v1.29 introduces in-place update of port resources for dynamic modification, sidecar containers for convenient network and storage sharing, and KMS V2 improvements for increased security and control over secrets.
The Mandala theme in Kubernetes v1.29 represents the community-driven release process, while the NFTables QProxy Backend presents a potential successor to IP tables for configuring packet forwarding rules.
Kubernetes v1.29 addresses security concerns with the Legacy Service Account Token Cleanup and introduces the NFTables QProxy Backend as a successor to IP tables for enhanced networking capabilities.
Deep dives
Kubernetes 1.29 Release: Major Enhancements and Graduations
Kubernetes version 1.29 brings a variety of significant enhancements and feature graduations. One notable improvement is the in-place update of port resources, which allows for dynamic modification of resource allocation without restarting the port. This feature promotes efficient resource utilization. Additionally, the introduction of sidecar containers in Beta allows for convenient network and storage sharing within pods, enhancing capabilities for tasks like collecting logs and intercepting traffic. Another important update is the KMS V2 improvements, which focus on securing API data in ECD through address encryption. These enhancements provide increased control over secrets and improve security in Kubernetes deployments. These are just a few highlights of the 49 enhancements in this release, offering new alpha and stable features to explore and leverage in Kubernetes deployments.
Kubernetes 1.29 Release: Mandala Theme and NFTables QProxy Backend
Kubernetes version 1.29 introduces the Mandala theme, symbolizing the community-driven release process with its artwork representing the Kubernetes universe. Additionally, an alpha feature worth noting is the NFTables QProxy Backend, which allows for the use of NFTables as a backend for configuring packet forwarding rules. While still in alpha, this feature presents a potential successor to IP tables, aligning with the broader Linux ecosystem trend. These enhancements, along with others, make the upgrade to Kubernetes 1.29 a compelling choice for users seeking improved performance, extended functionality, and more secure deployments.
Kubernetes 1.29 Release: Legacy Service Account Token Cleanup and NFTables QProxy Backend
Kubernetes version 1.29 introduces the long-awaited Legacy Service Account Token Cleanup, addressing security concerns linked to unused service account tokens. This enhancement leverages label-based cleanup to gradually remove legacy tokens that are no longer in use, improving security by reducing the attack surface. Another important inclusion is the NFTables QProxy Backend, available as an alpha feature. This enables the use of NFTables as a powerful successor to IP tables, specifically on Linux nodes, potentially enhancing packet forwarding rules configuration. These feature updates, combined with numerous other enhancements, make Kubernetes 1.29 an upgrade worth considering for users searching for increased security and enhanced networking capabilities.
Improved Encryption Performance with KMS Version 2
KMS Version 2 introduces an envelope encryption scheme to enhance encryption performance. With this scheme, when a user requests to create or update a resource, the QBPS server generates data encryption keys (DEKs) and sends them to the KMS plugin. The KMS plugin then requests an encryption key (K) from an external KMS and uses it to encrypt the DEKs. QBPS server then uses the encrypted DEKs to encrypt the data, resulting in significantly improved encryption performance. The time taken to encrypt 12,000 secret objects decreased from around 160 milliseconds in KMS Version 1 to just 80 microseconds in KMS Version 2.
New Access Mode for Persistent Volumes: Read-Write One-Sport
A new access mode called Read-Write-One-Sport is being introduced for persistent volumes (PVs) and persistent volume claims (PVCs). This access mode restricts volume access to a single port within the entire cluster, instead of a single node like Read-Write-Once. This provides better control over the writer access to storage, making it particularly useful for stateful workloads that require single writer access. This access mode has been available since version 1.27, but it is officially graduating to stable status in version 1.29.
In this episode we interviewed Priyanka Saggu, Kubernetes v1.29 release lead and SIG ContribEx Tech Lead. We spoke about the release, the new features and enhancements, and more.
Do you have something cool to share? Some questions? Let us know:
In this episode we interviewed Priyanka Saggu, Kubernetes v1.29 release lead and SIG ContribEx Tech Lead. We spoke about the release, the new features and enhancements, and more.
Do you have something cool to share? Some questions? Let us know:
