The next version of Kubernetes, 1.25, is expected to be released in a few weeks (UPDATE: 1.25 is now available). In advance of that, Sysdig, creator of Falco, an open-source project for securing Kubernetes, has shared details of what to expect in the release.
Sysdig often gives an advance look at upcoming Kubernetes releases. For this one, it counts 40 enhancements (for reference, Kubernetes 1.24 had 46 and Kubernetes 1.23 had 45): 13 features graduate to Stable, 10 are improvements to existing features, 15 are new, and 2 features are being deprecated.
According to Sysdig, the big highlight of this release is the removal of PodSecurityPolicy. It is replaced by PodSecurity admission, a built-in admission controller that applies the Pod Security Standards per namespace and is one of the features graduating to Stable in this release.
Another highlight is the finalization of the migration to the Container Storage Interface (CSI), which will make working with storage plugins easier. Storage plugins used to be built into the Kubernetes codebase itself, which increased the complexity of the code. Over the past three years these in-tree plugins have been moved out of the codebase into separately maintained drivers that Kubernetes interacts with through the CSI.
“Not a new feature at all, but the storage SIG deserves a big kudos for this migration. They’ve been tirelessly moving CSI drivers from the Kubernetes core for more than three years, and we’ve been following their updates release after release. Now the migration is finally close to the end. In the long term, this will mean an easier to maintain Kubernetes code and cooler features around storage,” said Víctor Jiménez Cerrada, content manager engineer at Sysdig.
Kubernetes 1.25 will also get a number of security features, such as support for user namespaces, checkpoints for forensic analysis, improvements to the mounting process in SELinux, NodeExpansion secrets, and CVE feed improvements.
Updates that will make it easier to manage clusters include non-retriable Pod failures, KMS v2 improvements, a cleaner IPTables chain ownership, and better handling of StorageClass defaults on PVCs.
To read more about these features and what else can be expected from this release, read the blog post.