TL;DR recap on Kubernetes v1.28 changes 🕸️
Here is the TL;DR version:
1️⃣ API Awareness of Sidecar Containers 👀
This gives you more granular control over sidecar containers. You set the feature gate SidecarContainers=true and then set restartPolicy: Always to let K8S handle the initContainers independently of the main containers.
2️⃣ Recovery from Non-Graceful Node Shutdown 👨🏻🔧
If a node shuts down abruptly, the kubelet disappears with it, leaving the attached volume in a limbo state. Now you can forcefully taint that node as NoSchedule using the out-of-service label, which will force the scheduler to move the pods to a different node. This needs the NodeOutOfServiceVolumeDetach=true gate to be set.
3️⃣ Improvements to CustomResourceDefinition (CRD) Validation Rules 🪄
You can use CEL (Common Expression Language) to include validation rules on the CRD right within the spec. For example, you could add an x-kubernetes-validations section using CEL as follows:
x-kubernetes-validations:
- rule: "self.spec.crdItemX > 0"
  message: "Item X value has to be positive"
If you then set the crdItemX value to be negative, kubectl apply -f crd.yaml would throw the "Item X value has to be positive" error. This greatly improves the overall operations.
4️⃣ Automatic, Retroactive Assignment of a default StorageClass graduates to Stable 💡
Most often, developers forget to add a storageClassName in their PVCs. In v1.28, if you forget to add a storage class to your PVCs, there is now a default treatment: the K8S control plane automatically adds this storageClassName for you.
5️⃣ Promotion of the SelfSubjectReview API 🧑🏻💼
SelfSubjectReview now includes user group information. This way any API user can get their user group information without bugging their admins. You simply issue a POST to /apis/authentication.k8s.io/v1alpha1/selfsubjectreviews with kind: SelfSubjectReview to get this info.
6️⃣ Backdate generated kubeadm CA certificates 🕰️
kubeadm now includes a 5-minute clock offset in the certificate start time to deal with clock skew. This way the node certificates won't expire due to clock skew as frequently.
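The effect of that 5-minute offset on a verifier with a lagging clock, as an added Go example (not kubeadm's own code). The helpers newCA and acceptedAt are hypothetical, the CA name is constructed, and the 3-minute lag is an assumed skew.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA whose NotBefore is issuedAt minus backdate.
func newCA(issuedAt time.Time, backdate time.Duration) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-ca"}, // constructed name
		NotBefore:    issuedAt.Add(-backdate),
		NotAfter:     issuedAt.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptedAt reports whether a verifier whose clock reads now accepts the CA.
func acceptedAt(ca *x509.Certificate, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := ca.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err == nil
}

func main() {
	issued := time.Now()
	lagging := issued.Add(-3 * time.Minute) // node clock 3 minutes behind (assumed)
	for _, backdate := range []time.Duration{0, 5 * time.Minute} {
		ca, err := newCA(issued, backdate)
		fmt.Println(backdate, err, err == nil && acceptedAt(ca, lagging))
	}
}
```

A verifier lagging by more than the offset still rejects the certificate as not yet valid, so the backdating tolerates skew only up to 5 minutes.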
7️⃣ kubeadm “config validate” command 🤝
Use this command to pre-validate kubeadm config files to catch errors sooner. You simply issue kubeadm config validate -f kadm-config.yaml.