Learning Continues
Apr 26, 2024

Kube Cuteing Release: Unveiling cuteness overloaded with Kubernetes 1.30

Kubernetes released 1.30 last week, and the release is called Uwubernetes (UwU (◠‿◠) plus Kubernetes).

There are 45 enhancements in this release: 17 Stable, 18 Beta, 10 Alpha. Let's look at the changes in the areas of Security, Networking, Storage, Logging/Observability and Others.

Networking:

Topology Aware Hints (stable): Lets the EndpointSlice producer attach hints to specific endpoints, which can be used in many ways, such as keeping traffic within a zone or steering traffic toward a zone with more capacity. This can improve performance and save cost by avoiding cross-zone communication.

Kubernetes aware of LB behavior (stable): Gives the cloud controller manager (or whatever controller manages the load balancer) the option to choose how kube-proxy treats the load balancer IP for Services: bind the LB external IP on the node and bypass the LB (the default), or not bind the IP. A new field carries this choice: status.loadBalancer.ingress[].ipMode: VIP | Proxy

Dual-stack effort, status.hostIPs (plural) field added (stable): Covers the case where a pod can have multiple IPs (IPv6 and IPv4). It is added alongside the existing hostIP field.

Traffic Distribution for Services (alpha): A trafficDistribution field in the Service spec lets you define how traffic should be distributed to endpoints.

kubectl port-forward can be enabled over WebSockets (beta); exec, cp and attach over WebSockets are now enabled by default.

Improved reliability for ingress connections (beta): Helps nodes shut down gracefully instead of dropping all connections abruptly when a node is terminating.
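The three networking changes above map onto ordinary manifests. The following is an added example, not code from the original post or from the Kubernetes project; the Service names, the "shop" namespace and the image are assumed values. The first Service uses the stable topology-mode annotation, the second the alpha trafficDistribution field (which needs the ServiceTrafficDistribution feature gate), and the Pod reads status.hostIPs through the downward API.

```yaml
# Added example (not from the original post or the Kubernetes project).
# Service names, the "shop" namespace and the image are assumed.
---
# Topology Aware Hints (stable in 1.30): the EndpointSlice controller adds
# zone hints and kube-proxy prefers endpoints in the client's own zone.
apiVersion: v1
kind: Service
metadata:
  name: checkout
  namespace: shop
  annotations:
    service.kubernetes.io/topology-mode: Auto
spec:
  selector:
    app: checkout
  ports:
    - port: 80
      targetPort: 8080
---
# Traffic distribution (alpha in 1.30): the preference lives in the spec
# itself instead of an annotation. Do not combine with the annotation above:
# a topology-mode annotation other than Disabled takes precedence.
apiVersion: v1
kind: Service
metadata:
  name: inventory
  namespace: shop
spec:
  selector:
    app: inventory
  trafficDistribution: PreferClose
  ports:
    - port: 80
      targetPort: 8080
---
# status.hostIPs (stable in 1.30) exposed to the container via the downward
# API; on a dual-stack node it lists both the IPv4 and the IPv6 address.
apiVersion: v1
kind: Pod
metadata:
  name: hostips-demo
  namespace: shop
spec:
  containers:
    - name: app
      image: registry.example/app:1.0   # assumed image
      env:
        - name: HOST_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.hostIPs
```

After applying, kubectl get endpointslices -n shop -o yaml shows the hints the controller attached to each endpoint of checkout; if hints are missing, the usual reason is that the zones do not have enough endpoints for a proportional split, in which case the controller falls back to no hints rather than an unbalanced one.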

Storage:

Robust VolumeManager reconstruction after kubelet restart: Lets the kubelet learn, during startup, how existing volumes are mounted, which makes reconstruction and cleanup of volumes more robust.

StorageVersionMigration is now a built-in API; earlier it was a CRD.

The PersistentVolume (PV) controller no longer assigns a default StorageClass to PersistentVolumeClaims (PVCs) with an empty storageClassName.

Security:

Improvements in bound service account tokens (beta): Node information is embedded into pod-bound service account tokens as additional metadata, which improves traceability and hence security. Bound service account tokens are more secure.

Discouraging the use of secret-based service account tokens (stable): Since bound SA tokens are more secure, the use of secret-based tokens is being reduced. The service account controller no longer auto-generates token Secrets for service accounts, and unused tokens are purged.
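To make the two token items concrete, here is an added example (not code from the original post or from the Kubernetes project) of a workload that avoids the legacy token entirely and mounts a bound token instead. The ServiceAccount name, the "batch" namespace, the audience URL and the image are assumed values.

```yaml
# Added example (not from the original post or the Kubernetes project).
# ServiceAccount name, namespace, audience and image are assumed.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: reporter
  namespace: batch
# In 1.30 the controller no longer creates a token Secret for this account.
# The legacy, long-lived form that is being phased out would look like:
#   kind: Secret
#   type: kubernetes.io/service-account-token
#   metadata.annotations: {kubernetes.io/service-account.name: reporter}
# It never expires and is bound to nothing, which is why it is discouraged.
---
apiVersion: v1
kind: Pod
metadata:
  name: reporter
  namespace: batch
spec:
  serviceAccountName: reporter
  # Do not mount the default token; mount a bound token explicitly instead,
  # so the audience and lifetime are chosen deliberately.
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example/reporter:1.0   # assumed image
      volumeMounts:
        - name: api-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
  volumes:
    - name: api-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              # Bound to this pod (with node name/UID embedded in 1.30),
              # valid only for the named audience, and rotated by the kubelet
              # before it expires.
              audience: https://api.internal.example
              expirationSeconds: 600
```

A quick audit for leftover legacy tokens is kubectl get secrets -A --field-selector type=kubernetes.io/service-account-token; the stale-token purge in 1.30 only removes auto-generated ones that have gone unused, so hand-created ones still show up here and deserve a look.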

Structured Authorization Config (beta): A very significant change to the Kubernetes authorization system, which can now support multiple authorizers simultaneously, lets you change the configuration without restarting the API server, and more.
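As an added example (not code from the original post or from the Kubernetes project), the following is a structured authorization configuration file of the kind this enhancement introduces; it is passed to kube-apiserver with --authorization-config, which cannot be combined with --authorization-mode. The webhook name, the kubeconfig path and the CEL match condition are assumed values.

```yaml
# Added example (not from the original post or the Kubernetes project).
# Webhook name, kubeconfig path and the match condition are assumed.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthorizationConfiguration
authorizers:
  # Evaluated in order; the first authorizer that returns Allow or Deny wins,
  # NoOpinion falls through to the next one.
  - type: Webhook
    name: policy-webhook
    webhook:
      authorizedTTL: 300s
      unauthorizedTTL: 30s
      timeout: 3s
      subjectAccessReviewVersion: v1
      matchConditionSubjectAccessReviewVersion: v1
      # NoOpinion keeps the cluster usable if the webhook is down, at the
      # cost of its decisions not applying during the outage; use Deny when
      # the webhook is the control you are relying on.
      failurePolicy: NoOpinion
      connectionInfo:
        type: KubeConfigFile
        kubeConfigFile: /etc/kubernetes/authz-webhook.kubeconfig
      matchConditions:
        # Only consult the webhook for requests scoped to the "prod"
        # namespace; everything else goes straight to Node and RBAC.
        - expression: "has(request.resourceAttributes) && request.resourceAttributes.namespace == 'prod'"
  - type: Node
    name: node
  - type: RBAC
    name: rbac
```

Keep Node before RBAC as in the flag-based ordering, and remember that match conditions are an optimisation, not a security boundary: a request that does not match simply skips the webhook, so the remaining authorizers must still be acceptable for it.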

Option to delete undecryptable objects (beta): Until now an admin had to manually find and delete objects that cannot be decrypted, whatever the reason. This enhancement makes the Kubernetes API offer such an option.

Prevent unauthorized volume mode conversion (stable): Prevents changing the volume mode of a PVC when creating a volume from a VolumeSnapshot unless an admin has authorized it.
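The authorization in this feature is expressed as an annotation on the VolumeSnapshotContent, an object ordinary users cannot edit. Below is an added example (not code from the original post or from the Kubernetes project) showing the admin-side object and the user-side PVC that restores the snapshot with a different volume mode; the snapshot, PVC, StorageClass and driver names and the backend handle are assumed values. The API group snapshot.storage.k8s.io is the one served by the CSI external-snapshotter.

```yaml
# Added example (not from the original post or the Kubernetes project).
# Names, the driver and the snapshot handle are assumed.
---
# Admin side: without this annotation the restore below is rejected, because
# the PVC asks for Filesystem while the snapshot was taken from a Block volume.
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotContent
metadata:
  name: snapcontent-db-2024-04-20
  annotations:
    snapshot.storage.kubernetes.io/allow-volume-mode-change: "true"
spec:
  deletionPolicy: Retain
  driver: csi.example.com
  source:
    snapshotHandle: snap-0123456789   # assumed backend handle
  sourceVolumeMode: Block
  volumeSnapshotRef:
    name: db-snapshot
    namespace: databases
---
# User side: the PVC is created from the snapshot but with a different
# volumeMode. Only the explicit admin grant above allows the conversion.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-restore
  namespace: databases
spec:
  accessModes: [ReadWriteOnce]
  volumeMode: Filesystem
  storageClassName: csi-fast
  resources:
    requests:
      storage: 20Gi
  dataSource:
    apiGroup: snapshot.storage.k8s.io
    kind: VolumeSnapshot
    name: db-snapshot
```

If the annotation is absent, the PVC stays Pending and the external-provisioner logs the refusal, which is the behaviour you want by default: grant the exception per snapshot rather than relaxing it cluster-wide.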

Ensure secret-pulled images (alpha): Ensures that, after an image has been pulled to a node, only the pods intended to use it can do so. This is particularly relevant for pods with imagePullPolicy IfNotPresent and an imagePullSecret: the kubelet checks that a pod trying to use the image holds a valid secret that can be authenticated.

Support for user namespaces in pods (beta): Restricts privileges inside a container and avoids the unwanted scenario where a process or user gets the same privileged access on the host that it was granted only inside the container.

AppArmor support (stable): AppArmor is a Linux kernel module that admins use to restrict capabilities by attaching a profile to applications or containers. The container runtime applies the profile, and its rules restrict the actions the container may perform.
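User namespaces and AppArmor compose well, so here is one added example (not code from the original post or from the Kubernetes project) of a Pod that uses both together with the usual securityContext hardening. The AppArmor profile name "k8s-deny-write" is assumed to be loaded on every node (for instance by the node image or a DaemonSet), and the namespace and image are assumed as well.

```yaml
# Added example (not from the original post or the Kubernetes project).
# The AppArmor profile, namespace and image are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-web
  namespace: web
  annotations:
    # Pre-1.30 way of selecting the profile; still honoured, and if both the
    # annotation and the field are present they must agree.
    container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-deny-write
spec:
  # User namespaces (beta in 1.30, UserNamespacesSupport feature gate): UID 0
  # inside the container maps to an unprivileged UID on the node, so a
  # container escape does not land as host root. Needs a runtime and kernel
  # with idmapped-mount support.
  hostUsers: false
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example/web:1.0
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
        # Field-based AppArmor selection introduced in 1.30; Localhost refers
        # to a profile already loaded into the node kernel.
        appArmorProfile:
          type: Localhost
          localhostProfile: k8s-deny-write
```

Verify on the node with cat /proc/<pid>/attr/current for the container's process, which prints the profile name and mode; a pod whose profile is not loaded on the node is rejected by the kubelet rather than started unconfined, so roll profiles out before the workloads that reference them.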

Others:

Restarting sidecar containers during pod termination if they exit early (alpha): Sidecars that exit prematurely while a pod is terminating should be restarted, so that containers terminate in the expected order.

Relaxed environment variable validation (alpha): Different kinds of applications allow different characters in variable names. This KEP allows all printable ASCII characters (32 to 126) except = in environment variable names. The RelaxedEnvironmentVariableValidation feature gate controls the relaxed rules; the default is the current strict validation.

Custom profile in kubectl debug (alpha): A new custom flag takes a JSON file whose fields are patched over a predefined profile. With it you can set custom environment variables, mount volumes or change resource requests for debugging.

Pod lifecycle sleep action (beta): A sleep action for the preStop lifecycle hook pauses the container for a given duration before termination, which helps with graceful shutdown.

Job policy to handle retriable and non-retriable errors: Lets you identify infrastructure-related failures that can be retried without counting against backoffLimit, and failures caused by software bugs that should end the Job early to save time and resources.
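The distinction between the two kinds of failure is written down in the Job's podFailurePolicy. The following added example (not code from the original post or from the Kubernetes project) uses an image-scanning Job as the workload; the Job, namespace and image names are assumed, as is the convention that exit code 42 means a bug in the scanner.

```yaml
# Added example (not from the original post or the Kubernetes project).
# Job name, namespace, image and the meaning of exit code 42 are assumed.
apiVersion: batch/v1
kind: Job
metadata:
  name: image-scan
  namespace: ci
spec:
  backoffLimit: 4
  # Rules are evaluated in order and the first matching rule is applied.
  podFailurePolicy:
    rules:
      # Non-retriable: the scanner reports a bug with exit code 42, so fail
      # the whole Job immediately instead of burning four retries.
      - action: FailJob
        onExitCodes:
          containerName: scanner
          operator: In
          values: [42]
      # Retriable: a pod killed by node drain or preemption gets the
      # DisruptionTarget condition. Retry it without counting it toward
      # backoffLimit.
      - action: Ignore
        onPodConditions:
          - type: DisruptionTarget
  template:
    spec:
      # podFailurePolicy requires restartPolicy: Never on the template.
      restartPolicy: Never
      containers:
        - name: scanner
          image: registry.example/scanner:1.0
          args: ["--target", "registry.example/app:1.0"]
```

Any failure that matches neither rule falls back to the default behaviour and counts against backoffLimit, so a policy only needs rules for the cases you have actually classified.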

Forensic container checkpointing: Provides an option to take a snapshot of a running container that can be transferred to a new node without interrupting the live container. Restoring the checkpoint in a sandboxed or experimental environment opens up various analysis options.

Container resource based autoscaling: Extends the Horizontal Pod Autoscaler (HPA) to scale on usage metrics of an individual container within a pod, which allows a scaling policy tailored to the application rather than one general policy for the whole pod.

Version compatibility and emulation options in the control plane: Introduces the --emulate-version flag to emulate a previous version's capabilities (APIs, features, binaries, etc.). This lets you run a newer binary with the previous version's behaviour and so verify it before upgrading.

API server tracing: Lets the API server trace requests. It uses OpenTelemetry libraries and exports traces in the OpenTelemetry format.
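The tracing setting is a small configuration file handed to kube-apiserver with --tracing-config-file. This added example (not code from the original post or from the Kubernetes project) assumes an OpenTelemetry collector reachable at the given in-cluster address over OTLP gRPC.

```yaml
# Added example (not from the original post or the Kubernetes project).
# The collector address is assumed.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: TracingConfiguration
# OTLP gRPC endpoint of the collector (host:port, no scheme).
endpoint: otel-collector.observability.svc:4317
# Sample 1 in 1000 requests. Traces carry request paths and user info, so
# keep the rate low and treat the collector as sensitive as audit logs.
samplingRatePerMillion: 1000
```

Spans are only exported for requests that are sampled, so for an incident investigation the audit log remains the complete record; tracing is for latency and dependency analysis, not for reconstructing every call.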

Pod health policy for PDB: Handles the case where running pods are unhealthy but cannot be evicted because of a PodDisruptionBudget.

The unhealthyPodEvictionPolicy field on the PDB API lets you choose whether such pods may be evicted or should keep running, according to your needs.
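As an added example (not code from the original post or from the Kubernetes project), here is a PDB that opts into evicting unhealthy pods; the PDB name, namespace and label selector are assumed values.

```yaml
# Added example (not from the original post or the Kubernetes project).
# Name, namespace and selector are assumed.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: api-pdb
  namespace: web
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: api
  # Default is IfHealthyBudget: pods that are Running but not Ready may only
  # be evicted while the budget is already satisfied. AlwaysAllow lets such
  # pods be evicted regardless, so a crash-looping Deployment cannot block a
  # node drain or a security patch rollout indefinitely.
  unhealthyPodEvictionPolicy: AlwaysAllow
```

Check the effect with kubectl get pdb -n web, whose ALLOWED DISRUPTIONS column reflects only healthy pods; with AlwaysAllow an eviction of an unhealthy pod succeeds even when that column reads 0.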
