Main highlights include:
- Support for Windows nodes (graduating from Beta to Stable)
- Several kubectl improvements (updated plugin mechanism, kustomize integration, new documentation website)
- Persistent Local Volumes, which makes locally attached (non-network attached) storage available as a persistent volume source (graduating to GA)
This release also graduates many additional Kubernetes features that are critical for the maturity, stability and manageability of the platform, cementing its position as the de-facto container orchestration leader.
Examples of this include:
- PID limiting (graduating from Alpha to Beta). PIDs are a fundamental resource on Linux hosts, and it is trivial to hit the task limit without hitting any other resource limit and destabilise the host. Administrators need a mechanism to ensure that user pods cannot induce PID exhaustion that prevents host daemons (container runtime, kubelet, etc.) from running. PIDs must also be limited per pod so that a single pod has only bounded impact on the other workloads on the node. Note that in 1.14 this is a kubelet setting (podPidsLimit in the KubeletConfiguration, behind the SupportPodPidsLimit feature gate), not a field on the pod spec.
- Pod priority and preemption (graduating from Beta to Stable)
- Pod readiness extensibility (via readinessGates), which lets a pod's readiness depend on custom conditions in addition to the container readiness probes.
- Default RBAC discovery hardening – the default RBAC policy no longer grants unauthenticated users access to the discovery and permission-checking APIs (the ones used by kubectl auth can-i). On an upgraded cluster you can confirm this by impersonating system:anonymous with kubectl auth can-i against the discovery endpoints.
- API migration – NetworkPolicy resources will no longer be served from extensions/v1beta1 starting with v1.16; manifests should use networking.k8s.io/v1, which has been available since v1.8. This is yet another indication of the importance and maturity of K8S network policies.
Using Alcide Security Advisor, you can now leverage these capabilities to ensure that your cluster, nodes and pods are configured correctly and securely. Alcide kube-advisor is a scanning tool for DevSecOps that audits the configuration of your Kubernetes cluster, nodes and pods to make sure the cluster is tuned to, and runs according to, security best practices and your internal guidelines.
For example, you can create a custom policy that validates every node's kubelet enforces a per-pod PID limit (because the limit is a kubelet setting, the check targets node configuration rather than individual pod specs). The validation can be bundled into your CI/CD pipeline to ensure each build meets this requirement, or run continuously against your K8S cluster to detect when the configuration drifts.
Another example relates to network policies. To achieve micro-segmentation within your cluster, you can enforce a policy that every pod is selected by at least one K8S NetworkPolicy; a pod that no policy selects is not isolated and accepts traffic from anywhere.
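The two custom checks described above (a kubelet PID-limit check and a "every pod is covered by a NetworkPolicy" check), written out as an added example in plain Python. This is not Alcide's code and not the kube-advisor policy language; it operates on constructed sample objects shaped like a KubeletConfiguration and like the items of `kubectl get pods,networkpolicies -o json`, so it runs offline. The selector matcher implements the standard label-selector semantics (matchLabels and matchExpressions are ANDed; an empty podSelector matches every pod in the namespace).

```python
"""Added example: two audit checks of the kind a custom kube-advisor policy
would express. Sample inputs below are constructed, not taken from a cluster."""


def check_pod_pids_limit(kubelet_config, max_limit=None):
    """Validate that a KubeletConfiguration enforces a per-pod PID limit.

    podPidsLimit defaults to -1 (unlimited) when unset, so an absent key is a
    finding. If the SupportPodPidsLimit feature gate is explicitly disabled the
    limit is never applied, which is also a finding. Returns (ok, reason)."""
    gates = kubelet_config.get("featureGates") or {}
    if gates.get("SupportPodPidsLimit") is False:
        return False, "SupportPodPidsLimit feature gate is disabled"
    limit = kubelet_config.get("podPidsLimit", -1)
    if not isinstance(limit, int) or limit <= 0:
        return False, f"podPidsLimit is {limit!r} (unlimited); set a positive value"
    if max_limit is not None and limit > max_limit:
        return False, f"podPidsLimit={limit} exceeds the allowed maximum {max_limit}"
    return True, f"podPidsLimit={limit}"


def selector_matches(selector, labels):
    """Kubernetes label selector semantics. An empty selector matches everything."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op = expr["key"], expr["operator"]
        values = expr.get("values") or []
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:  # absent key satisfies NotIn
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def uncovered_pods(pods, policies):
    """Return [(namespace, name)] for pods that no NetworkPolicy in their own
    namespace selects. NetworkPolicy is namespaced, so a policy in another
    namespace never counts. Such pods are non-isolated: all traffic is allowed."""
    selectors_by_ns = {}
    for pol in policies:
        ns = pol["metadata"]["namespace"]
        selectors_by_ns.setdefault(ns, []).append(pol["spec"].get("podSelector") or {})
    findings = []
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        labels = pod["metadata"].get("labels") or {}
        if not any(selector_matches(sel, labels) for sel in selectors_by_ns.get(ns, [])):
            findings.append((ns, pod["metadata"]["name"]))
    return findings


# Constructed sample data (hypothetical cluster state).
HARDENED_KUBELET = {"kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",
                    "featureGates": {"SupportPodPidsLimit": True}, "podPidsLimit": 1024}
WEAK_KUBELET = {"kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1"}

SAMPLE_PODS = [
    {"metadata": {"namespace": "prod", "name": "web", "labels": {"app": "web"}}},
    {"metadata": {"namespace": "prod", "name": "db", "labels": {"app": "db", "tier": "data"}}},
    {"metadata": {"namespace": "prod", "name": "batch", "labels": {"app": "batch", "tier": "job"}}},
    {"metadata": {"namespace": "dev", "name": "api", "labels": {"app": "api"}}},
]
SAMPLE_POLICIES = [
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"namespace": "prod", "name": "allow-web"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"namespace": "prod", "name": "data-tier"},
     "spec": {"podSelector": {"matchExpressions": [{"key": "tier", "operator": "In", "values": ["data"]}]},
              "policyTypes": ["Ingress", "Egress"]}},
]

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_KUBELET), ("weak", WEAK_KUBELET)):
        print(name, check_pod_pids_limit(cfg))
    for ns, pod in uncovered_pods(SAMPLE_PODS, SAMPLE_POLICIES):
        print(f"FINDING: pod {ns}/{pod} is not selected by any NetworkPolicy")
```

Feeding the script real cluster state means replacing the constructed lists with the `items` arrays of `kubectl get pods -A -o json` and `kubectl get networkpolicies -A -o json`; a non-empty result from uncovered_pods is the condition a CI gate or a continuous scan would fail on.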
If you’d like to embed network policies into your pod resource, you can also use Alcide Embedded Policies. Their simple, expressive syntax lets you write whitelist rules that allow access to and from K8S services and external DNS names.