The first Kubernetes release of 2021, Kubernetes 1.21: Power to the Community, is finally here! This release brings many new features, improvements, and fixes. Speaking of numbers, 51 enhancements are included in this release, specifically:
- 13 enhancements have graduated beta features to stable
- 16 enhancements have graduated alpha features to beta
- 20 enhancements have introduced new alpha-level features
- 2 features have been deprecated
In this blog post, we’ll highlight the most notable improvements of this release and let you know when and how you can benefit from them as a Kubermatic user. For a complete overview of all the changes, we recommend you check out the official release announcement and the 1.21 changelog.
Pod Security Policy Deprecation
The Pod Security Policy (PSP) feature is deprecated in the Kubernetes 1.21 release. You can continue using Pod Security Policies until the feature is entirely removed with the Kubernetes 1.25 release (tentatively planned for mid-2022).
Pod Security Policies have been a popular approach for securing Kubernetes clusters. Other tools, like Open Policy Agent (OPA), have provided more options for implementing fine-grained access control. Extending and improving Pod Security Policies wasn’t possible without introducing breaking changes, so it was decided to remove this feature. Pod Security Policies will be replaced with a new, built-in feature, which will offer more flexibility in the future.
Check out the official FAQ for more information about the removal of the PSP feature and its planned replacement. If you’re using Pod Security Policies as part of the Kubermatic Kubernetes Platform (KKP) or Kubermatic KubeOne, stay tuned for the migration guide and recommendations. For KKP, we have already introduced OPA support in the latest release (2.16).
Graceful Node Shutdown Graduating to Beta
The Graceful Node Shutdown feature has graduated to Beta and will be enabled by default, starting with Kubernetes 1.21. This feature allows Pods to gracefully terminate during a node shutdown.
Previously, all Pods would be terminated without the grace period that would allow them to finish their work and terminate safely. This could cause various errors for other workloads and users, like requests being dropped and services becoming unavailable.
The Graceful Node Shutdown feature alerts kubelet if the node is being shut down, so it can evict Pods. This is very useful in combination with Preemptible VMs or Spot instances, which can be terminated at any time. It gives kubelet a chance to terminate Pods and get them rescheduled to another node automatically, even if the instance is being terminated by the provider.
Immutable ConfigMaps and Secrets Are Now Stable
Support for immutable ConfigMaps and Secrets has graduated to stable with this release. This feature allows you to create ConfigMaps and Secrets that cannot be changed after creation. This is enforced by the Kubernetes API server if immutable is set to true on a ConfigMap or a Secret, such as:

    apiVersion: v1
    kind: Secret
    metadata:
      ...
    data:
      ...
    immutable: true

If you want to change an immutable ConfigMap or Secret, you will need to create a new ConfigMap or Secret to do so. If there are Pods using the old object, you’ll have to create new Pods as well. This is useful in scenarios where you want to prevent any further changes to the application configuration once the application has started.
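The replace-instead-of-edit workflow described above, as an added example (not Kubermatic's or Kubernetes' own code): update_violations is a simplified model of the API server's check, and versioned_replacement builds the new object under a content-hashed name that new Pods can reference. The function names, the app-config name and the sample Secret are assumptions constructed for illustration.

```python
import hashlib
import json

# Simplified model: the payload fields the API server freezes once
# `immutable: true` is set. Metadata such as labels stays editable.
FROZEN_FIELDS = ("data", "binaryData", "stringData")


def update_violations(old, new):
    """Return the reasons an update to an immutable object would be rejected."""
    if not old.get("immutable"):
        return []  # a mutable object accepts changes to these fields
    problems = []
    if not new.get("immutable"):
        problems.append("immutable cannot be unset")
    for field in FROZEN_FIELDS:
        if old.get(field) != new.get(field):
            problems.append(f"{field} cannot change on an immutable object")
    return problems


def versioned_replacement(old, base_name, new_data):
    """Build a new immutable object named after a hash of its content."""
    canonical = json.dumps(new_data, sort_keys=True).encode()
    digest = hashlib.sha256(canonical).hexdigest()[:10]
    return {
        "apiVersion": old["apiVersion"],
        "kind": old["kind"],
        "metadata": {
            "name": f"{base_name}-{digest}",
            "namespace": old["metadata"].get("namespace", "default"),
        },
        "data": new_data,
        "immutable": True,
    }


# Constructed sample object; the values are base64 of "old-value" / "new-value".
OLD = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "app-config-v1", "namespace": "demo"},
    "data": {"token": "b2xkLXZhbHVl"},
    "immutable": True,
}

if __name__ == "__main__":
    edited = {**OLD, "data": {"token": "bmV3LXZhbHVl"}}
    print(update_violations(OLD, edited))
    print(json.dumps(versioned_replacement(OLD, "app-config", edited["data"]), indent=2))
```

Running a check like this in CI against the manifest already deployed catches an in-place edit before the API server rejects it, and the hashed name makes it visible which Pods still reference the old content.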
Kubectl User Experience Improvements
This release includes several user experience improvements in kubectl. Starting with this release, kubectl get -o yaml will not show the managed fields, which makes reading and parsing the output much easier. Additionally, there’s a new annotation, kubectl.kubernetes.io/default-container, which can be applied to pods in order to preselect the default container for kubectl commands.
There’s a lot of ongoing work to structure logs for all Kubernetes components. Structured logs ensure that log messages will be standardized across all components. It’ll also be possible to have logs in the JSON format. Many components have already been migrated to structured logging in the Kubernetes 1.21 release, and it’s expected that the remaining components will migrate in the Kubernetes 1.22 release.
Kubernetes 1.21 Support in Kubermatic Products
At Kubermatic, we are committed to always supporting the latest Kubernetes version, so that our users get access to the latest Kubernetes improvements and features as quickly as possible. Kubermatic Kubernetes Platform 2.17, planned for mid-April, will support Kubernetes 1.21. Kubermatic KubeOne supports Kubernetes 1.21 starting with the 1.2 release, which is already available.