What You Should Know about Kubernetes 1.20

By Weaveworks
December 08, 2020

The new Kubernetes 1.20 boasts 43 enhancements, up from 34 in the last release. But there are some depreciations to consider. Click here to find out more.

Related posts

Kubernetes Security - A Complete Guide to Securing Your Containers

KubeCon EU 2023 Recap – GitOps Sessions on Flux with OCI, Liquid Metal CI/CD Platforms & Telco Cloud Platforms

Extending GitOps Beyond Kubernetes with Terraform Controller

The latest release boasts 43 enhancements (up from 34 in version 1.D19), including 15 that are entirely new, 11 graduating to Stable, and 17 improvements on existing features.

This suggests that these enhancements are smaller in scope. For example, some changes were made to kube-apiserver to make it more user-friendly and perform better in HA clusters. It also reboots more efficiently after an upgrade.

Why is this Happening?

These small improvements and new features pave the way for the significant changes that lie ahead. However, one major change (although long expected) was already made to the latest release.

Kubernetes Deprecating Docker

Starting with version 1.20, Kubernetes will deprecate Docker as a container runtime in favor of the Container Runtime Interface (CRI).

But don't panic!

This doesn't mean that Docker is dead. You don't have to abandon the containerization tool. For the end-user of Kubernetes, not much will change as you can still build containers using Docker. The images produced will also continue to run in a Kubernetes cluster.

However, Kubernetes plans to remove Docker Engine support in the kubelet and dockershim in a future release, most likely late next year. But you can continue to use it by swapping a built-in dockershim to an external one.

Docker and Mirantis also agreed to partner and maintain the shim code outside Kubernetes as a conformant CRI interface for Docker Engine. This ensures that it passes all the conformance tests and works seamlessly like the previous built-in version.

To maintain excellent developer experiences, Docker plans to continue to ship this shim into Docker Desktop, while Mirantis will leverage this in the Mirantis Kubernetes Engine. Further, net/net support for your container images built with Docker tools won't be deprecated and will work as before.

Docker, although a leading container solution, wasn't developed to be embedded inside Kubernetes. It's more than a container runtime as it's equipped with multiple UX enhancements that enable developers to interact with it seamlessly.

Docker is a complete tech stack (and not just a containerization platform). But it does provide high-level container runtime called "containerd," and this will be your container runtime option from now on.

These updates and enhancements aren't necessarily focused on Kubernetes. Instead, they're designed to work around obstacles to allow developers to get the most out of it. For example, at present, the Kubernetes cluster requires a tool called Dockershim, which is containerd. It's used to add a level of complexity to another tool that the team must maintain. However, it's a source that often produces bugs and other problems. So, the Kubernetes Project plans to remove Dockershim in version 1.23 and terminate Docker support.

This means that the issue just boils down to swapping Docker for CRI runtimes. But for now, Docker development remains the same without any noticeable differences. Images built-in Docker aren't Docker-specific and are Open Container Initiative (OCI) images.

The OCI was setup by Docker in 2015 to support interoperable container standards (to ensure that containers can run in any environment). Over the last five years, it has proved to be a huge hit promoting innovation while maintaining interoperability. To pull and work with these images, leverage containerd or CRI-O.

New Features to Get Excited about

1. CronJobs and Kubelet CRI Support

CronJobs was introduced in version 1.4 and had CRI support from version 1.5. However, although widely used, neither was considered stable. So, it's good to see features developers depend on to run production clusters aren't considered alphas anymore.

2. CSIServiceAccountToken

This update improves security considerably by enhancing the authentication and the handling of tokens. Now you can access volumes that demand authentication (including secret vaults) more securely. It's also much easier (now) to set up and deploy.

3. Expose Metrics Focused on Resource Requests and Limits to the Pod Model

More metrics are now available to better plan the capacity of the cluster. It also helps the troubleshooting process when encountering eviction problems.

4. Graceful Node Shutdown

While it's a small feature, it makes the developer's life so much easier. By properly releasing resources as nodes shut down, you can now avoid odd behaviors.

5. kube-apiserver Identity

Unique identifiers for each kube-apiserver instance often goes unnoticed. But it's essential as knowing it will help ensure high availability features in future Kubernetes releases.

6. System Components Log Sanitization

Kubernetes system vulnerabilities recently came to light, especially credentials leaked into the log output. Keeping the bigger picture in mind, you can now identify the leaks' potential sources and place a redacting mechanism to eliminate those leaks.

Key Deprecations you Should Know about

1. kubeadm Master Node-role Renamed

Stage: Deprecation

Feature group: cluster-lifecycle

The node-role.kubernetes.io/master is now called the node-role.kubernetes.io/control-plane.

2. Deprecate and Disable SelfLink

Stage: Graduating to Beta

Feature group: api-machinery

The SelfLink field in every Kubernetes object contains a URL representing the given object but doesn't offer any new information. At the same time, its creation and maintenance impacts performance.

Kubernetes 1.16 was the beginning of the deprecation process. From now on, the feature gate is disabled by default and scheduled for removal in Kubernetes 1.21.

3. Streaming Proxy Redirects

Stage: Deprecation

Feature group: node

Marked for deprecation in version 1.18, both StreamingProxyRedirects and the --redirect-container-streaming flag won't be enabled. It will also be disabled by default in version 1.22 and entirely removed in version 1.24.

As you can see from the above, Kubernetes developers and administrators don't have anything to worry about. It's essentially business as usual when they leverage docker commands and kubectl commands to manage Kubernetes clusters.

However, as significant changes to the way we work with containers are still some releases away, it'll be wise to keep an eye on our blog for future updates.

Related posts

Kubernetes Security - A Complete Guide to Securing Your Containers

KubeCon EU 2023 Recap – GitOps Sessions on Flux with OCI, Liquid Metal CI/CD Platforms & Telco Cloud Platforms

Extending GitOps Beyond Kubernetes with Terraform Controller

Whitepaper: Production Ready Checklists for Kubernetes

Download these comprehensive checklists to help determine your internal readiness and gain an understanding of the areas you should update

Download your Copy