Kubernetes 1.22 sheds beta ballast, takes steps towards rootless control plane

Kubernetes 1.22 sheds beta ballast, takes steps towards rootless control plane

The team behind container orchestrator Kubernetes has finished version 1.22 of the CNCF flagship project. Highlights of the release include server-side apply and client credential plugins hitting general availability, as well as the addition of an initial rootless control plane implementation.

Organisations wanting to upgrade to the new version should be aware of the 12 beta APIs removed in favour of their GA equivalents. Since these include commonly used APIs such as Ingress, CustomResourceDefinition, APIService, and TokenReview, chances are you might still be using at least one old version in a manifest somewhere. 

A careful check along with a quick glance at the migration tipps available in the project blog are therefore much recommended. More removals are already planned for the release of Kubernetes 1.25 next year, so activating the now generally available warning mechanism for deprecated versions to plan for those early could be a good idea.

The main theme of the 1.22 release seems to be around feature maturity, as the Kubernetes team focuses on things like Kubernetes client credential plugins, server-side apply, and CSI support for Windows reaching general availability in its announcement. A closer look however reveals a whole slew of new metrics (for API priority and fairness for instance), new Windows development tools, an early implementation of node system swap support, and the option to run kubelet in a user namespace.

Version 1.22 also introduces a feature gate to disable cloud-provider initialisation in several instances, a kubeadm field for specifying which phases to skip during init and join operations, and the tool finally learned to mask secret values in diff outputs per default. Kubernetes’ job controller removes running pods when the number of predefined completions is reached once you’ve updated your installation.

Security improvements have been on the agenda as well, one of which is the highly requested option to run kubeadm control plane components as non-root users. Another alpha addition provides cluster-wide seccomp defaults by using the RuntimeDefault seccomp profile instead of Unconfined.

Details on all changes can be found in the project’s changelog. The new release itself is available via the Kubernetes repo. Known issues currently include guaranteed pods with multiple containers not properly working with set allocations for CPU and memory manager, and a missing CSIMigrationvSphere feature gate, meaning those needing the associated functionality should refrain from updating for now.

Another thing to note is that the interface used to create ephemeral containers has changed with the update and isn’t supported by kubectl 1.21. Operators looking to use the tool’s debugging option should switch to kubectl 1.22 if they need to work with various cluster versions.

As was hinted at earlier, v1.22 marks the switch to a new release cycle, which sees Kubernetes getting three feature releases a year. Version 1.23 is therefore to become the third and final release of the year and is planned to hit in the second week of December.