Kubernetes 1.7 Improves Container Security And API Aggregation

Containers

Second major release of Kubernetes in 2017 debuts, providing new stable features to improve the extensibility and security

The open-source Kubernetes 1.7 release is now available, providing users with new features to help manage and secure container infrastructure.

Kubernetes 1.7 is the second major release of the open-source container orchestration platform so far in 2017 and follows the Kubernetes 1.6 release that debuted in March at the CloudNative Con/Kubecon event in Berlin, Germany.

The Kubernetes project was first developed by Google and has been an open-source project run by the Linux Foundation’s Cloud Native Computing Foundation (CNCF) since July 2015.

Kubernetes 1.7

Kubernetes 1.7 includes multiple features that improve security, including the newly stable Network Policy API, which lets users enforce rules about which pods can connect to each other.

“Red Hat was very happy to lead the Network Policy stabilization effort so that users could define their own application communication requirements,” Clayton Coleman, architect, Containerized Application Infrastructure at Red Hat, told eWEEK.

Coleman said that while writing a software-defined networking implementation that realizes the NetworkPolicy specification, Red Hat’s developers found inconsistencies, vagueness and other problems in the specification that could have left users with divergent behavior on different platforms or with different network vendors. Those issues have now been resolved, which is why the Network Policy API is a stable feature in the Kubernetes 1.7 release.

“We are very excited to see the specification reach general availability, where any compliant networking vendor can run underneath Kubernetes and users can still use application-centric network controls in a common reliable manner on any platform,” Coleman said.

Eric Chiang, a software engineer at CoreOS, commented that having a feature marked as “stable” in a Kubernetes release is an indication that the feature has been “battle tested” and is production ready.

“The changes made between 1.6 and 1.7 were small, but network policy becoming a standard and expected component of Kubernetes is a great step forward for the platform’s security,” Chiang told eWEEK.
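As an added illustration, not taken from the article or from any vendor's code, the two manifests below show how the application-centric controls Coleman describes are expressed with the stable `networking.k8s.io/v1` NetworkPolicy API: the first denies all ingress to every pod in a namespace, the second re-opens only TCP port 5432 on pods labelled `app: db` for traffic from pods labelled `app: web`. The `shop` namespace, the labels and the port are assumptions chosen for the example.

```yaml
# Policy 1 (assumed namespace "shop"): select every pod in the namespace and
# declare an Ingress policy with no ingress rules, so no inbound traffic is
# allowed unless another policy in the namespace explicitly permits it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # empty selector = all pods in this namespace
  policyTypes:
  - Ingress                # no "ingress:" list follows, so nothing is allowed
---
# Policy 2: pods labelled app=db accept TCP/5432 only from pods labelled
# app=web in the same namespace. Allow rules from multiple policies are
# combined, so this reopens exactly one path through the deny-all above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:         # pod-level selector only; no namespaceSelector
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 5432
# Note: the API server stores these objects regardless, but, as the article
# says, enforcement depends on a network plugin that implements the spec.
```

Apply both with `kubectl apply -f` and confirm enforcement from a pod without the `app: web` label, since a cluster whose network plugin ignores NetworkPolicy will accept the objects silently without blocking anything.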

While the Network Policy API is now stable, Kubernetes 1.7 also introduces encryption at rest for “secrets”, a feature that is still labelled alpha. Secrets are the tokens and passwords Kubernetes stores and uses to grant access to various resources.

“Encryption at rest was developed by Red Hatters in close concert with Google,” Coleman said. “It was a key enterprise requirement and we wanted to ensure the community could also leverage the feature.”

API Aggregation

Looking beyond security, Kubernetes 1.7 benefits from the new API aggregation feature that offers the promise of improved extensibility for users. The Kubernetes project documentation explains that the API aggregation layer allows Kubernetes to be extended with additional APIs, beyond what is offered by the core Kubernetes APIs.

“Aggregation allows large, opinionated features that would otherwise require significant changes to core Kubernetes to be developed externally,” Chiang said. “This means Kubernetes can continue to focus on improving the stability of the platform, while distributions can produce extremely customized solutions without impacting the broader community.”

APIs in Kubernetes 1.7 also get a boost with the new Custom Resource Definitions (CRD) API, which replaces the existing Third Party Resource (TPR) model. Coleman said the goal of CRDs is to provide an easy way to define and retrieve new extensions to the Kubernetes API.

“We think the features introduced in 1.7 will set the stage for the next phase of Kubernetes’ growth and its growing role in the enterprise,” Coleman said.

Originally published on eWeek