Kubernetes and service mesh are increasingly interrelated, yet their new versions are released separately on different dates. Kubernetes and Istio’s last releases help to get a clearer understanding of the interplay between them and how one affects the other.
What’s New in Kubernetes v1.21 and Istio 1.9 Releases and their implications on DevOps?
Kubernetes was updated in April 2021 to version 1.21 and Istio Service Mesh has also been updated to version 1.9. This blog covers the most important changes. Kubernetes updates and Istio updates are regularly released, and those interplay with each other, so it matters to look at them in tandem.
What is new in the v1.21 Kubernetes Update
Released on April 8. 2021, this
latest Kubernetes update included the highest number of features in its recent history. So, what are the main new developments?
- PodSecurityPolicy (PSP) Deprecation - From a security perspective, the PSP deprecation is a critical change, even if the actual deprecation will only be effective from version v1.25.
- CronJobs Graduate to Stable - Great for reliably running periodic or recurring tasks, and easy to create.
This example CronJob manifest prints the current time and a hello message every minute:
- Immutable Secrets and ConfigMaps - used to ensure your application configuration will not change to benefit from the scaling benefits associated with scaling resources. Immutable ConfigMaps and immutable secrets are controlled by the ImmutableEphemeralVolumes feature gate. You can create an immutable ConfigMap by setting the immutable field to true. For example:
Or an immutable Secret as follows:
- Pv4/IPv6 dual-stack support - IPv4/IPv6 dual-stack networking is now enabled by default for your Kubernetes cluster starting in 1.21, allowing the simultaneous assignment of both IPv4 and IPv6 addresses
- Graceful Node Shutdown - Graduated to beta, so you might now be able to access that feature that optimizes running pod termination when a node shuts down.
- PersistentVolume Health Monitor - a new alpha feature that improves monitoring PersistentVolumes health.
- Reducing Kubernetes Build Maintenance - this build process simplification opens the door for new contributors to community maintenance.
- TopologyKeys Deprecation - Topology keys are now fully deprecated. There are still some outstanding issues with Kubernetes update v1.21, updated here as they are uncovered or solved.
What is new in Istio v1.9?
- Kubernetes Gateway API support (Alpha) - integrating the Kubernetes Gateway API with Istio is now possible. To configure a gateway:
- Install the Gateway API CRDs:
- Install Istio:
- Deploy a test application:
- Deploy the Gateway API configuration
- Access the httpbin service using curl:
Note the use of the -H flag to set the Host HTTP header to “httpbin.example.com”. This is needed because the HTTPRoute is configured to handle “httpbin.example.com”, but in your test environment, you have no DNS binding for that host and are simply sending your request to the ingress IP.
- Access any other URL that has not been explicitly exposed should return an HTTP 404 error:
Remember! This feature is still an Alpha feature and might be buggy or contain security vulnerabilities that are not broadly disclosed, and the feature might be removed without warning.
- Integration with external authorization systems (Experimental) - heralding a more secure future, this feature increases the flexibility of setting up Istio authorization policy by delegating the access control to an external authorization system.
- Remote fetch and load of WebAssembly (Wasm) HTTP filters (Experimental) - This feature removes the need to distribute Wasm extensions to the proxy by letting the Istio agent dynamically download Wasm modules.
- Mirroring of images on gcr.io - Prevents limitations introduced by the Docker Hub’s rate limiting policy in December 2020.
- istioctl updates - improved debugging including:
- A new verify-install command that notifies users of any installation configuration errors.
- The analyze sub-command can now check if deprecated or alpha-level annotations are used.
Many of these updates have security implications, ranging from keeping track of existing and new PSPs in your application to be ready to adapt before upgrading to Kubernetes v1.25 when the time comes or checking that no topology keys are left before upgrading to Kubernetes v1.21. You need tokeep an eye on upcoming features and be ready when they are deemed stable.
PSPs are a core security feature to manage Admission Control without deploying additional external admission controllers. It is slated to be replaced by a new feature temporarily named PSP Replacement Policy, scheduled to be released as Alpha in Kubernetes update v1.22.
Come learn how we have evolved Portshift/Cisco Secure CN via API Security