The Kubernetes 1.25 release includes a total of 40 enhancements. The highlight of this release is the final removal of PodSecurityPolicies from the Kubernetes core.
These are the features that look most exciting to us in this release.
PodSecurityPolicy (PSP) is removed
Pod Security Policies (PSPs) are a great Kubernetes-native tool to restrict what deployments can do, such as limiting execution to a list of users or restricting access to resources like the network or volumes. The feature has been deprecated since 1.23 and is removed in 1.25.
At Guida we have implemented the Pod Security Standards using Kyverno as a replacement. Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write them.
Alternatives are the built-in Pod Security Admission controller, which also graduated to stable in this release, and Open Policy Agent.
Want to learn more?
PodSecurityPolicy Deprecation: Past, Present, and Future
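As an added illustration (not code from the original post or from Guida), this is a Namespace that opts into the built-in Pod Security Admission controller mentioned above, using the labels the controller reads; the namespace name payments is an assumed example.

```yaml
# Added example: enabling Pod Security Admission for one namespace.
# The controller reads these labels; no PSP object or extra policy engine is needed.
apiVersion: v1
kind: Namespace
metadata:
  name: payments            # assumed example name
  labels:
    # Reject Pods that violate the "baseline" profile outright.
    pod-security.kubernetes.io/enforce: baseline
    # Pin the profile version so a later cluster upgrade cannot silently
    # change what "baseline" means for this namespace.
    pod-security.kubernetes.io/enforce-version: v1.25
    # Warn the client and write an audit annotation for anything that would
    # fail the stricter "restricted" profile, without blocking it yet.
    # This is the usual migration step before raising enforce to restricted.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.25
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.25
```

Before tightening enforce, `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` reports which existing Pods in the namespace would be rejected, without changing the label.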
Ephemeral Containers Graduate to Stable
This is particularly useful for troubleshooting when you need to examine a container but cannot use kubectl exec, because the container has crashed, its image lacks debugging utilities, or it is built from a distroless or scratch image. You can also use ephemeral containers to take a TCP dump of the container's virtual network interface.
Want to learn more?
Understanding ephemeral containers
Network Policy Port Range to Stable
Network Policy providers that support the endPort field can now use it to apply a Network Policy to a range of ports. Previously, each Network Policy rule could only target a single port.
spec:
  egress:
  - ports:
    - protocol: TCP
      port: 32000
      endPort: 32768
Want to learn more?
TimeZone support in CronJob to Beta
Until now, the Jobs created by CronJobs were scheduled in the same timezone as the kube-controller-manager process. This could cause issues when the kube-controller-manager runs in UTC and you have a business requirement to run Jobs at set times in a timezone that uses Daylight Saving Time, or when you have Jobs spread over multiple timezones that should be scheduled according to local time.
Workarounds for these problems can now be replaced by this Kubernetes-native solution: a timeZone field in the CronJob spec.
Want to learn more?
minReadySeconds for Statefulsets to Stable
This brings the optional minReadySeconds field, already available on Deployments, DaemonSets, and ReplicaSets, to StatefulSets.
If declared, a newly created Pod won’t be considered available until its containers stay ready without crashing for the specified number of seconds.
Want to learn more?
Minimum Ready Seconds for StatefulSets
DaemonSets should support MaxSurge to improve workload availability to Stable
When performing a rolling update of a DaemonSet, the spec.updateStrategy.rollingUpdate.maxSurge field allows specifying how many new Pods may be created on a node to replace the old one before the old Pod is terminated.
Want to learn more?
Perform a Rolling Update on a DaemonSet
Retriable and non-retriable Pod failures for Jobs to Alpha
Currently, if a Job fails and its restartPolicy is set to OnFailure, Kubernetes will try to run it again, up to a maximum backoff limit (backoffLimit).
This extension lets you classify some Pod failures as caused by infrastructure errors and retry them without incrementing the counter towards backoffLimit.
It also lets you classify other Pod failures as caused by software bugs and terminate the associated Job early, saving the time and computational resources that would otherwise be wasted on unnecessary retries of containers that are destined to fail.
Want to learn more?
References
https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/