Kubernetes 1.18 Improves Networking and Security for Cloud Native

by Sean Michael Kerner

New open source Kubernetes release lands with AppProtocol, security certificate and memory enhancements.

The open source Kubernetes platform has become the de facto standard for cloud native application delivery.

At its core, Kubernetes is a container orchestration platform that organizations use both on-premises and across public and private cloud providers to deploy, schedule and manage containerized application workloads. On March 25, Kubernetes 1.18 became generally available, the second major release of Kubernetes in 2020, following the 1.17 update that came out on Jan. 7.

The Kubernetes community defines new capabilities as 'enhancements,' with each typically passing through a staged alpha, beta, stable maturity cycle. The Kubernetes 1.18 release had a total of 38 enhancements, 15 in stable, 11 in beta and 12 falling into the alpha category.

AppProtocol Improves Networking

Among the key stable improvements is one that was led by the networking Special Interest Group (SIG) within Kubernetes for an enhancement known as AppProtocol.

"The lack of standardized application protocol support for Services and Endpoints has frustrated countless Kubernetes end users," Google developer Rob Scott wrote in a pull request. "With EndpointSlices, we added a new AppProtocol field as a first step; adding that same field to Services and Endpoints will ensure full API support for application protocols."

The real challenge is that Kubernetes previously only allowed a port's protocol to be declared as TCP, UDP or SCTP. AppProtocol changes that: for each port, an administrator can now also specify the application-layer protocol carried over it.
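As an added illustration (not taken from the article or from the Kubernetes project), the following Service manifest shows where the appProtocol field sits alongside the existing transport protocol field. The port names, selector and numbers are constructed values, and the manifest assumes a cluster on which the appProtocol field on Services is enabled.

```yaml
# Constructed example: a Service that declares both the transport
# protocol (TCP) and the application protocol (HTTPS) for one port.
apiVersion: v1
kind: Service
metadata:
  name: web            # constructed name
spec:
  selector:
    app: web           # constructed label
  ports:
  - name: https
    port: 443
    targetPort: 8443
    protocol: TCP      # transport protocol: TCP, UDP or SCTP (pre-1.18 behaviour)
    appProtocol: https # application protocol hint added by the AppProtocol enhancement
```

Before this field existed, anything that needed to know the application protocol (an ingress controller or service mesh deciding whether a port carries TLS, for example) had to infer it from port numbers or naming conventions; declaring it explicitly removes that guesswork, which matters when a proxy must decide whether traffic on a port is expected to be encrypted.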

Security Improvements

Another stable improvement that landed in Kubernetes 1.18 is the new Certificates API, which is critically important for good security hygiene.

SSL/TLS certificates underpin the security of data in motion inside Kubernetes networking and across clusters. The Certificates API automates credential provisioning for certificates and gives clients an interface through which to request them.

The Kubernetes Enhancement Proposal (KEP) for Certificates API notes that the security of the Kubernetes platform is underpinned by a public key infrastructure (PKI) and each Kubernetes cluster has a root certificate authority (CA).

"This CA is used to secure communication between cluster components," the KEP states. "The Certificates API was originally merged to support Kubelet TLS Bootstrap but users have also begun to use this API to provision certificates for PKI needs out of core."
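As an added example (not from the article or the KEP), here is the shape of a CertificateSigningRequest object of the kind the Certificates API accepts, using the API version current in the 1.18 line. The request body is a base64-encoded PKCS#10 CSR generated out of band; it is shown as a labelled placeholder, and the object name and signer are assumptions for illustration.

```yaml
# Constructed example of a CertificateSigningRequest submitted to the
# cluster's Certificates API. A cluster operator then approves or denies it
# (for example with `kubectl certificate approve`) before the CA signs it.
apiVersion: certificates.k8s.io/v1beta1   # API version used by the 1.18 release line
kind: CertificateSigningRequest
metadata:
  name: app-client-cert                   # constructed name
spec:
  # Base64 of a PEM-encoded PKCS#10 CSR produced outside the cluster.
  request: <BASE64_PEM_CSR_PLACEHOLDER>
  # Which signer should issue the certificate; this one produces client
  # certificates that the API server honours for authentication.
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
```

The approval step is the security control: the certificate's subject (CN becomes the username, O entries become group memberships) is taken from the embedded CSR, so an approver should decode the request and check the subject before approving. A request that asks for membership of a privileged group such as system:masters deserves particular scrutiny, because the resulting certificate cannot be revoked short of rotating the cluster CA.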

Huge Pages Get Better

Also of note in Kubernetes 1.18 is improved huge pages support, which could have a significant impact on Kubernetes performance. Huge pages are large memory allocation blocks. The KEP explains that in modern x86-based systems, memory is managed in blocks known as pages. On most systems, a page is 4Ki. 1Mi of memory is equal to 256 pages; 1Gi of memory is 256,000 pages. A huge page is a memory page that is larger than 4Ki. On x86_64 architectures, there are two common huge page sizes: 2Mi and 1Gi.

Kubernetes 1.18 now allows applications running in a Kubernetes cluster to use huge pages.

"Managing memory is hard, and unfortunately, there is no one-size fits all solution for all applications," the KEP states. "This proposal only includes pre-allocated huge pages configured on the node by the administrator at boot time or by manual dynamic allocation."
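As an added example (not from the article or the KEP), the following Pod manifest shows how a workload requests huge pages: the pages appear as a resource named after their size, and a volume with the HugePages medium exposes them to the container. The image reference and names are constructed placeholders, and the manifest assumes that the administrator has pre-allocated 2Mi huge pages on the node, as the KEP quoted above requires.

```yaml
# Constructed example: a Pod consuming pre-allocated 2Mi huge pages.
apiVersion: v1
kind: Pod
metadata:
  name: hugepages-demo                 # constructed name
spec:
  containers:
  - name: app
    image: example.invalid/app:1.0     # placeholder image, not a real registry
    resources:
      requests:
        memory: 128Mi
        hugepages-2Mi: 100Mi           # 50 huge pages of 2Mi each
      limits:
        memory: 128Mi
        hugepages-2Mi: 100Mi           # huge page requests must equal limits
    volumeMounts:
    - name: hugepage
      mountPath: /dev/hugepages        # mount point the application opens for mmap()
  volumes:
  - name: hugepage
    emptyDir:
      medium: HugePages                # backs the volume with the node's huge page pool
```

Two practical checks follow from the KEP's caveat: the scheduler only places the Pod on a node whose pre-allocated pool can satisfy the request, so a node with no huge pages configured will leave the Pod Pending, and because huge pages are not overcommittable, requests and limits for the hugepages resource must match or the Pod is rejected at admission.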

Sean Michael Kerner is a senior editor at EnterpriseNetworkingPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.

This article was originally published on Saturday, March 28, 2020.