Aqua Blog

Kubernetes Version 1.26: An Overview

Aqua Team
December 8, 2022
Kubernetes Version 1.26: An Overview

Kubernetes Version 1.26 was released with 37 new enhancements including 11 Stable, 10 Beta, 16 Alpha, and 12 features deprecated or removed. In this blog, we will highlight its most notable features and show how using Trivy will help you find deprecated Kubernetes resources.

Kubernetes Release Diagram Version 1.26

registry.k8s.io, Generally Available

The container image registry has changed from k8s.gcr.io to registry.k8s.io to reduce costs and improve availability using multiple Cloud Providers and Regions. You can read more details at the Kubernetes Blog.

Support for Windows Privileged Containers, Generally Available

WindowsHostProcessContainers support containers’ ability to run as one of the supported Windows service accounts. Support for this feature in Windows nodes will now graduate to stable and will be enabled by default. Windows privileged container supports hostProcess and networking. See KEP-1981.

LoadBalancer Validation, Generally Available

The MixedProtocolLBService feature, load balancers with mixed protocol types, enables the creation of a LoadBalancer Service that has different port definitions with different protocols. See KEP-1435.

Service Internal Traffic Policy, Generally Available

Also introduced is a new field spec.internalTrafficPolicy in service that will allow clusterIP routing to be node local. The new internalTrafficPolicy field has two options: Cluster (default) and Local. Before 1.26, Kubernetes services randomly distributed incoming requests to all endpoints in the whole cluster. If the request did not find the endpoint in a node, it would keep bouncing around until it hit the endpoint on another node. With this release, Kubernetes services will use the node-local mechanism to route incoming requests only to an endpoint within same node if it exists or, otherwise, drop the request. This is done through the introduction of the new spec internalTrafficPolicy. See KEP-2086.

Pod FSGroup to CSI Driver on Mount, Generally Available

The DelegateFSGroupToCSIDriver feature allows Kubernetes to supply the pod’s fsGroup to the CSI driver during attach or mount time of the volumes, avoiding the Kubelet from changing the permissions of volumes. See KEP-2317.

Kubernetes Signing Artifacts, in Beta

The Kubernetes release process signs all binary artifacts (tarballs, SPDX files, standalone binaries) by using cosign’s keyless signing. With this step, the release process improves security related to the software supply chain. See KEP-3031.

Dynamic Resource Allocation, in Alpha

The DynamicResourceAllocation feature allows for request and share resources between pods and containers inside a pod. It is a generalization of the persistent volumes API for generic resources. Third-party resource drivers are responsible for tracking and allocating resources. See KEP-3063.

Common Expression Language (CEL) in Admission Controllers, in Alpha

The ValidatingAdmissionPolicy feature implements the CEL validation for incoming requests using the Common Expression Language to declare validation rules of a policy. Admission webhooks can be burdensome and complex to develop. This enhancement avoids much of the complexity of admissionwebhooks by embedding CEL expressions into Kubernetes resources instead of calling out to a remote webhook binary. See KEP-3488.

Pod stats from CRI, in Alpha

The feature PodAndContainerStatsFromCRI configure the kubelet to gather container and pod stats from the CRI container runtime rather than gathering them from cAdvisor. The metrics are related to the node, volume, pod, and container level by the kubelet. See KEP-2371.

Health SLI metrics, in Alpha

The ComponentSLIs feature improves the ability to consume Service Level Indicator (SLI) metrics for each Kubernetes component binary. This metric endpoint is exposed on the serving  HTTPS port of each component at the path /metrics/slis. With SLI metrics enabled, each Kubernetes component exposes two metrics, a gauge and a counter. See KEP-3466.

Container Runtime Interface (CRI) v1alpha2, Now Removed

In the previous version 1.25, runtime.v1alpha2.RuntimeService was deprecated and in this release this feature has been removed. This affects the kubelet and the container runtime that were needed to support the CRI v1. Containerd 1.5 will be EOL on January 28, 2023, since it is not supported by Kubernetes 1.26. User would need to upgrade to Containerd 1.6 before upgrading to 1.26. See CRI v1alpha2, sig/node, PR.

Kube-Proxy from the User Space, Now Removed

The kube-proxy in the user space has been removed from the Kubernetes core. The sig/network has been tracking this removal since the deprecation of the flag options for the kube-proxy mode in the 1.23 release. In this release, it is no longer supported on either Linux or Windows. Users should now use iptables or ipvs on Linux or kernelspace on Windows. See kube-proxy userspace, sig/network, PR.

Check for Deprecated Kubernetes Resources with Trivy

Trivy helps you to find vulnerabilities, misconfigurations, secrets, SBOMs in containers, Kubernetes, code repositories, clouds, and more.  By using Trivy for misconfigurations in your manifests or Trivy Operator for your cluster, you will get information related to deprecated Kubernetes resources.

Release Features 1.26

37 Enhancements, Start date: Mon 5th Sep 2022, Release date: Thurs 8th Dec 2022

Stable, GA

Beta

  • Kubernetes signed artifacts, sig/release, KEP-3031
  • JobPodFailurePolicy KEP-3329
  • NodeOutOfServiceVolumeDetach, Non-graceful node shutdown, sig/node, KEP-2268
  • RetroactiveDefaultStorageClass, sig/storage, KEP-3333

Alpha

  • Health SLI (Service Level Indicators) metrics, sig/instrumentation, KEP-3466
  • Pod Stats from CRI, cAdvisor-less, CRI-full Container, sig/node, KEP-2371
  • Dynamic Resource Allocation, sig/node, KEP-3063
  • CEL in Admission Controller, sig/api-machinery, KEP-3488
  • Provision Volumes from data source E.g. snapshots, sig/storage, KEP-3294

Deprecations and Removals

  • GlusterFS deprecated in 1.25 and removed 1.26
  • kube-proxy userspace, sig/network, PR
  • CRI v1alpha2, sig/node, PR
  • autoscaling/v2beta2, used the autoscaling/v2 API version, available since v1.23
  • Dynamic Kubelet Config, sig/node

Published under: KUBERNETES SECURITY

Tags: , ,

Aqua Team
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.
Need to secure enterprise workloads?
Aqua Cloud Native Application Protection Platform (CNAPP)
Go cloud native with the experts!
Get Demo
Aqua Security stops cloud native attacks across the application lifecycle. As the pioneer in cloud native security, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry's most integrated Cloud Native Application Protection Platform (CNAPP), protecting the application lifecycle from code to cloud and back. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries.
Read Aqua Security reviews on G2

Use Cases

Environments

Partners

Resources

About Us

Get in Touch

Products

Get Started
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use | Cookie Settings |  
Accessibility Tools
Normal text size Medium text size Large text size
Normal display Black & White display High contrast display
Stop transitions and animations Underline Links