This post was put together by Alibaba Cloud's Container Service team. Post contributors include Zhang Xiaoyu, Huang Ke, Lu Jinda, Li Chuanyun, Chen Jun, and Gao Xianglin. Their nicknames at Alibaba, in the same order, are Zhongyuan, Zhitian, Guiji, Huanyun, Chenjun, and Chanming.
This topic provides an overview of Kubernetes releases from versions 1.15 and 1.16. The purpose of this article is to highlight that it is necessary to upgrade from version 1.14 to 1.16, as there have been significant updates, which will be described in detail throughout this article. Release version changes are grouped by feature.
As a quick overview, the release of version 1.15 had 25 enhancements, which included 2 moving to stable, 13 in beta form, and 10 in alpha. Versions 1.16 consisted of 31 enhancements, with 8 moving to stable, 8 in beta, and 15 in alpha.
AllowPrivileged
, HostNetworkSources
, HostPIDSources
, and HostIPCSources
. Access control parameters, such as PodSecurityPolicy
, have added for enhanced security.--allow-privileged
has been removed. Relevant kubelet scripts need to be cleared accordingly.kubelet
, pods
, and cgroups metrics of containers.beta.kubernetes.io/metadata-proxy-ready
, beta.kubernetes.io/metadata-proxy-ready
, and beta.kubernetes.io/kube-proxy-ds-ready
. They are replaced by the following labels:node.kubernetes.io/masq-agent-ds-ready
node.kubernetes.io/kube-proxy-ds-ready
cloud.google.com/metadata-proxy-ready
HugePages
, VolumeScheduling
, CustomPodDNS
, and PodReadinessGates
.--containerized
, deprecated since version 1.14, is officially removed in version 1.16.beta.kubernetes.io/os
and beta.kubernetes.io/arch
, deprecated since version 1.14, will be officially removed in version 1.18.pod_name
and container_name
are replaced by pod
and container
, respectively. All Prometheus queries that match the pod_name
and container_name
labels must be updated.failure-domains
.true
by default, and the related feature gate will be deprecated in version 1.18.WatchBookmark
feature is moving to beta and is enabled by default. This feature fixes the problem that resources need to be re-listed when the later watch request is received if the previous watch request of an event is not received for a long time.1. extensions/v1beta1, apps/v1beta1, and apps/v1beta2 APIs are not supported by default.
apps/v1beta1
and apps/v1beta2
are replaced by resources under apps/v1
.extensions/v1beta1
, including daemonsets, deployments, and replicasets, are replaced by resources under apps/v1
.extensions/v1beta1
are replaced by http://networking.k8s.io/v1.extensions/v1beta1
are replaced by resources under policy/v1beta1
.The --runtime-config
flag can be used to enable these resources temporarily. This flag is not recommended in this release. It is recommended after you switch to a more stable Scheme version:
apps/v1beta1=true
apps/v1beta2=true
extensions/v1beta1/daemonsets=true
, extensions/v1beta1/deployments=true
, extensions/v1beta1/replicasets=true
, extensions/v1beta1/networkpolicies=true
, extensions/v1beta1/podsecuritypolicies=true
The APIs for these resources will be completely deleted in version 1.18.
2. Aggregated discovery requests can time out now. Aggregated API servers must complete discovery calls within five seconds. The duration can be longer for other requests.
You can extend the timeout period to 30 seconds by using the feature gate EnableAggregatedDiscoveryTimeout=false
. However, EnableAggregatedDiscoveryTimeout
will be removed in version 1.17.
Previously, you needed to combine PV and PVC to use CSI. With the inline CSI volume capability, you can declare a CSI volume that is closely related to a pod when defining the pod. Volumes are created as pods are created and destroyed as pods are destroyed.
You can create a PVC by cloning an existing PVC, including the volume specifications and data. PVC cloning is applicable to scenarios such as data migration and the establishment of simulated online environment. PVC cloning only supports CSI and does not support in-tree plug-ins and FlexVolume
.
Kubelet used to regularly scan files to collect the usage of ephemeral-storage space. Project quotas is introduced in version 1.15. Project quota provides faster speed and higher accuracy than regular scanning. If a file is opened and then deleted, the scanning method cannot trace the file. The file still occupies space. Click to learn more.
In the future, you can also use the project quotas feature to forcibly limit the available space of each volume. I/O write operations are rejected after the space limit is reached. This prevents the entire pod from being evicted because the storage space of an unimportant container is full. Isolation is implemented in this way.
Online capacity adjustment allows you to implement capacity expansion without rebuilding pods.
subPath allows multiple pods to use the sub-paths of the same volume. By using the subPathExpr
parameter, you can use the Downward API environment variables to build a unique sub-path for each pod. For example, you can bind the sub-path of a volume to the same mount point of a pod based on the pod name (subPathExpr: $(POD_NAME))
, thereby implementing data isolation between pods.
kube-proxy
no longer automatically cleans up network rules during mode switching. Moreover, graceful termination for UDP traffic is disabled.service.spec.externalName
can end with a dot.IPv4/IPv6 Dual-stack (in Alpha)
IPv4 and IPv6 addresses can be allocated to pods and services, which is an important step for the transition to IPv6. Enabling IPv4 and IPv6 dual-stack in Kubernetes clusters provides the following functions:
In terms of implementation, a current service object corresponds to a Kubernetes Endpoints object and contains the information of all backend pods. As the number of backend pods increases, the Add, Update, and Delete operations of a single backend pod pose a big pressure on control components, such as apiserver
, etcd
, endpoints-controller
, and kube-proxy
.
Therefore, the EndpointSlice API is introduced so that backend pod information can be sliced and put into different EndpointSlices. A service contains multiple EndpointSlice objects, and an EndpointSlice object contains multiple endpoints, with a maximum of 100 endpoints by default. Each endpoint corresponds to a backend instance. This solution resolves performance problems and retains high scalability for providing other network features. For example, an endpoint can contain the topological location information, including region, zone, and hostname, of the backend instance, which can be used to help access the service through the nearest route.
This feature ensures that the service resource objects will not be completely deleted before the relevant load balancer is deleted.
extensions/v1beta1
is deprecated and replaced by networking.k8s.io/v1
API.extensions/v1beta1
is deprecated and replaced by networking.k8s.io/v1beta1
API.The Core Components of Knative: Build, Serving, and Eventing
169 posts | 30 followers
FollowApache Flink Community China - November 8, 2023
Apache Flink Community - July 18, 2024
Apache Flink Community China - March 17, 2023
Apache Flink Community China - August 22, 2023
Apache Flink Community China - June 22, 2022
Alibaba Container Service - November 7, 2024
169 posts | 30 followers
FollowAn all-in-one service that provides elastic, stable, and widely distributed computing, network, and storage resources to help you deploy businesses on the edge nodes of Internet Service Providers (ISPs).
Learn MoreAlibaba Cloud Container Service for Kubernetes is a fully managed cloud container management service that supports native Kubernetes and integrates with other Alibaba Cloud products.
Learn MoreOpenAPI Explorer allows you to call an API through its web interface or WebCLI, and view the entire process.
Learn MoreAPI Gateway provides you with high-performance and high-availability API hosting services to deploy and release your APIs on Alibaba Cloud products.
Learn MoreMore Posts by Alibaba Container Service