k8s

Overview of the new features in Kubernetes 1.10

Posted by Mathew on 2019-08-01

Version 1.10 improves the stability of three key feature areas: storage, security, and networking. The release also introduces external kubectl credential providers (alpha), the option to switch the DNS service to CoreDNS at install time (beta), and beta versions of the Container Storage Interface (CSI) and persistent local volumes.

New features:

1. Storage: CSI and local storage reach beta

This release brings additional power to both local storage and Persistent Volumes. Mount namespace propagation allows a container to mount a volume as rslave so that host mounts can be seen inside the container, or as rshared so that mounts made inside a container can be seen by the host. (Note that this is not supported on Windows.) Local Ephemeral Storage Capacity Isolation makes it possible to set requests and limits on ephemeral local storage resources. In addition, you can now create Local Persistent Storage, which enables PersistentVolumes to be created with locally attached disks, and not just network volumes.

On the Persistent Volumes side, this release prevents deletion of Persistent Volume Claims that are used by a pod and of Persistent Volumes that are bound to a Persistent Volume Claim, making it impossible to delete storage that is in use by a pod.

This release also includes Topology Aware Volume Scheduling for local persistent volumes, the stable release of detailed storage metrics of internal state, and beta support for out-of-tree CSI Volume Plugins.

Storage supports mount namespace propagation: a volume can be mounted rshared so that any mount made inside the container is reflected in the root (= host) mount namespace. This feature is now stable. Quotas can also be set on local ephemeral storage, and once the persistent storage feature is enabled, locally attached disks can be used to back persistent storage.

In this release, management of persistent (non-shared) local storage also moves to beta, which means locally attached (non-network) storage can be used as the source of a persistent volume. This improves the performance of distributed file systems and databases while lowering their cost.

This release also contains several updates to persistent volumes. Kubernetes can now automatically prevent the deletion of a persistent volume claim that is in use by a pod (beta), and likewise prevent the deletion of a persistent volume that is bound to a persistent volume claim (beta). This helps ensure that users delete storage API objects in the correct order.

2. Security: external credential providers (alpha)

This release lays the groundwork for new authentication methods, including the alpha release of external client-go credential providers and the TokenRequest API. In addition, Pod Security Policy now lets administrators decide what contexts pods can run in, and gives administrators the ability to limit node access to the API.

In version 1.10, Kubernetes can integrate with kubectl credential providers (alpha), further improving its extensibility. Cloud providers, vendors, and other platform developers can now publish binary plugins that handle authentication against a specific cloud provider's IAM service, or that integrate with in-house authentication systems such as Active Directory that are not natively supported.
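As an added example (not code from this post or from the Kubernetes project), here is a minimal kubectl exec credential plugin in Python together with the constructed kubeconfig stanza that wires it in: kubectl runs the command and reads an ExecCredential object from its stdout. The IAM exchange is a placeholder assumption, and the script name and role are constructed values.

```python
import json, os, sys
from datetime import datetime, timedelta, timezone

API_VERSION = "client.authentication.k8s.io/v1alpha1"  # version kubectl 1.10 speaks

# Constructed kubeconfig user stanza that makes kubectl run this script.
KUBECONFIG_USER = """\
users:
- name: iam-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: ./iam-credential-plugin.py
      args: [cluster-reader]
"""

def fetch_token_from_idp(role):
    # Placeholder (assumption) for the real IAM or Active Directory exchange.
    return "constructed-token-for-" + role, 300  # (bearer token, ttl seconds)

def check_exec_info(raw):
    # KUBERNETES_EXEC_INFO describes the ExecCredential kubectl is asking for;
    # refuse to answer an apiVersion this plugin was not written against.
    if not raw:
        return True  # not set: nothing to validate
    info = json.loads(raw)
    return info.get("kind") == "ExecCredential" and info.get("apiVersion") == API_VERSION

def build_exec_credential(token, ttl_seconds, now=None):
    # The object kubectl reads from stdout. A short expirationTimestamp bounds
    # how long a copied token stays usable and makes kubectl re-run the plugin.
    now = now or datetime.now(timezone.utc)
    expiry = now + timedelta(seconds=ttl_seconds)
    return {
        "apiVersion": API_VERSION,
        "kind": "ExecCredential",
        "status": {"token": token,
                   "expirationTimestamp": expiry.strftime("%Y-%m-%dT%H:%M:%SZ")},
    }

def main():
    if not check_exec_info(os.environ.get("KUBERNETES_EXEC_INFO")):
        sys.stderr.write("unsupported ExecCredential apiVersion\n")
        return 1
    token, ttl = fetch_token_from_idp(sys.argv[1] if len(sys.argv) > 1 else "default")
    json.dump(build_exec_credential(token, ttl), sys.stdout)  # token goes to stdout only
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Because kubectl treats the plugin's stdout as the credential, anything else the plugin wants to say (errors, prompts) must go to stderr.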

3. Networking: CoreDNS as the DNS provider (beta)

The new version lets you switch the DNS service to CoreDNS during installation; this feature is currently in beta. CoreDNS has fewer moving parts (a single executable and a single process) and supports more use cases.