Yasir Rehman

Kubernetes v1.27: What's New and Why You Should Care

If you are running Kubernetes in production, you might be interested in the latest release of the popular container orchestration platform. Kubernetes v1.27, which was announced on April 11, 2023, brings several enhancements and security updates that can improve your cluster performance, reliability and security.

This blog post will cover some of the most important aspects of the new release, and explain how they can benefit your Kubernetes workloads.

Freeze k8s.gcr.io image registry

One of the major changes in v1.27 is the freezing of the old image registry, k8s.gcr.io, which has been replaced by registry.k8s.io. This means that no further images for Kubernetes and related sub-projects will be published to the old registry, and you will need to update your manifests and Helm charts to use the new one.

The new registry is fully controlled by the community, and offers a more dynamic and scalable backend that can handle the growing demand for Kubernetes images. It also supports multiple mirrors across different providers, which can improve the availability and performance of image downloads.

If you are using tooling that relies on downloading Kubernetes images, make sure it is updated to use registry.k8s.io as well. If you need to allow-list domains or IPs in your environment, consider mirroring the images to a location under your control.

Seccomp by default

Another security-related update in v1.27 is the graduation of seccomp by default to stable. Seccomp (secure computing mode) is a Linux kernel feature that restricts the system calls a process is allowed to make. Enabling seccomp by default reduces the attack surface of your containers, limiting the kernel interfaces a compromised container could use to exploit kernel vulnerabilities.

To use seccomp by default, you need to enable it on each node by setting the --seccomp-default flag on the kubelet. You can also customize the seccomp profile for each pod or container using annotations or fields in the pod spec. For more details on how to use seccomp in Kubernetes, see the Kubernetes seccomp documentation.

Pod scheduling readiness

Pod scheduling readiness is a new feature that allows you to specify conditions that a pod must meet before it is considered ready for scheduling. This can help you avoid wasting resources on pods that are not yet ready to serve traffic, or that depend on other pods or services.

To use pod scheduling readiness, you need to add schedulingGates to your pod spec as a list of strings. Each string represents a condition that must be true for the pod to be scheduled. The pod status will show as SchedulingGated until all the conditions are met.

For example, you can use pod scheduling readiness to ensure that a pod has a valid service account token before it is scheduled, or that it has acquired a lease from an external service. You can also use custom conditions based on your own logic.
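An added audit script (not from this post or from the Kubernetes project) that checks one Pod manifest, already parsed into a dict, for the three items above: images still pulled from the frozen k8s.gcr.io, containers with no explicit seccomp profile (which are confined only on nodes where the kubelet runs with --seccomp-default) or an explicit Unconfined one, and pending scheduling gates. The sample manifest and the gate name example.com/lease-acquired are constructed for the demonstration.

```python
"""Audit one Pod manifest (already parsed into a dict) for the v1.27 items above."""
from typing import Optional

FROZEN_REGISTRY = "k8s.gcr.io"    # frozen: no new images are published here
NEW_REGISTRY = "registry.k8s.io"  # community-controlled replacement


def seccomp_type(obj: dict) -> Optional[str]:
    """seccompProfile.type from a pod- or container-level securityContext, if set."""
    return obj.get("securityContext", {}).get("seccompProfile", {}).get("type")


def audit_pod(pod: dict) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    spec = pod.get("spec", {})
    # The API represents each gate as an object with a "name" key.
    gates = [g["name"] if isinstance(g, dict) else g for g in spec.get("schedulingGates", [])]
    if gates:
        findings.append(f"pod stays SchedulingGated until these gates are removed: {gates}")
    pod_level = seccomp_type(spec)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        if image.startswith(FROZEN_REGISTRY + "/"):
            fixed = NEW_REGISTRY + image[len(FROZEN_REGISTRY):]
            findings.append(f"{name}: image {image} is on the frozen registry; use {fixed}")
        effective = seccomp_type(c) or pod_level  # container-level overrides pod-level
        if effective is None:
            findings.append(f"{name}: no seccomp profile; confined only on nodes whose "
                            "kubelet runs with --seccomp-default")
        elif effective == "Unconfined":
            findings.append(f"{name}: explicitly Unconfined; no filter applies even on "
                            "nodes that default to RuntimeDefault")
    return findings


# Constructed sample manifest (not from a real cluster) that trips every check.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "audit-demo"},
    "spec": {
        "schedulingGates": [{"name": "example.com/lease-acquired"}],
        "containers": [
            {"name": "pause", "image": "k8s.gcr.io/pause:3.9"},
            {"name": "app", "image": "registry.k8s.io/pause:3.9",
             "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}
```

Run it over the pod templates of your Deployments and DaemonSets as well, since that is where most k8s.gcr.io references in a cluster actually live.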

Other enhancements

There are many other enhancements in v1.27 that won't be covered in detail here, but you might want to check out:

  • The alpha support for cross-namespace storage data sources, which allows you to create PVCs from existing PVCs or snapshots in different namespaces.
  • The beta support for eviction policy for unhealthy pods guarded by PodDisruptionBudgets, which allows you to evict pods that are not ready or have failed probes even if they are protected by a PDB.
  • The retroactive default StorageClass feature, which allows you to set a default StorageClass for existing PVCs that don't have one specified.
  • The alpha support for IPv6 dual-stack services, which allows you to create services with both IPv4 and IPv6 addresses.
  • The alpha support for topology-aware service routing, which allows you to route service traffic based on node labels and topology keys.
  • The alpha support for graceful node shutdown, which allows you to trigger pod termination and eviction when a node is shutting down.
  • The alpha support for CSI volume health monitoring, which allows you to monitor the health status of CSI volumes and trigger alerts or actions based on it.

Conclusion

Kubernetes v1.27 is a chill release that brings many improvements and security updates for Kubernetes users. If you are running Kubernetes in production, you should consider upgrading to v1.27 as soon as possible to take advantage of these features.

To learn more about Kubernetes v1.27, you can read the official release notes or watch the release webinar. You can also join the Kubernetes community on Slack or GitHub to share your feedback and questions.

Image credits: Sysdig
