Kubernetes 1.24 Stargazer release introduces two major changes


The Kubernetes container orchestrator just made two major changes in its latest release, Kubernetes 1.24 Stargazer. With this release, developers will have to drop support for the Docker Engine container runtime, but in return gain enhanced supply chain security via Sigstore.

Dockershim’s deprecation is not as dramatic as it sounds. While Dockershim allowed you to use the Docker Engine runtime in Kubernetes, it was never intended to be a permanent part of Kubernetes. Moreover, Dockershim is incompatible with the Container Runtime Interface (CRI) of Kubernetes and – above all – its maintenance was a real chore.

While Kubernetes users expanded their range of runtime choices with CRI, the Docker engine was not compatible with it. The solution, Dockershim, bridged the gap between Docker Engine and CRI. However, “this little piece of software was never intended as a permanent solution. Over the years, its existence has introduced a lot of unnecessary complexity,” argues Kat Cosgrove, Pulumi Developer Advocate and Cloud Native Computing Foundation (CNCF) Ambassador, about the early days of Kubernetes. “At the time, there weren’t really many other options and Docker was the dominant tool for working with containers, so this choice wasn’t controversial.”

A disputed abandonment

Still, the Kubernetes developer community struggled to explain the reasons for Dockershim’s removal, which may have caused misunderstandings, she regrets. “Docker is not going away, neither as a tool nor as a company.” However, “removing dockershim from kubelet is ultimately a good thing for the community, the ecosystem, the project and open source in general,” argues the developer.

Remember, too, that if you really want to stay with the Docker engine, you can do so even though Kubernetes no longer supports it natively. Mirantis, which now owns the Docker Enterprise business, will continue to support Dockershim in Docker Engine and Mirantis Container Runtime with Kubernetes. This new Dockershim program, cri-dockerd, provides a shim for Docker Engine that lets you control Docker through Kubernetes’ CRI. You can also, of course, upgrade to one of the supported Kubernetes runtimes, such as containerd v1.6.4 and later, v1.5.11 and later, or CRI-O 1.24 and later.

Another major development: Kubernetes now supports cryptographic signing of its software artifacts to improve the security of its software supply chain. According to Sigstore founding developer Dan Lorenc, Sigstore certificates allow Kubernetes users to verify the authenticity and integrity of the distribution they are using by “giving users the ability to verify signatures and have a greater confidence in the origin of every deployed Kubernetes binary, source code bundle, and container image.”
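What that verification looks like in practice, as an added example rather than anything from the article or the Kubernetes project itself: the script below fetches a release binary with its Sigstore signature and certificate from dl.k8s.io and checks them with cosign before the binary is installed on a node. The expected signer identity and OIDC issuer are assumptions taken from the Kubernetes documentation on verifying signed artifacts and should be confirmed against the current docs.

```shell
#!/bin/sh
# Added example (not from the article): verify a signed Kubernetes release
# binary with cosign. Assumes curl and cosign are installed and that the
# release is v1.24.0 or later, since earlier releases are not signed.
set -eu

K8S_VERSION="${K8S_VERSION:-v1.24.0}"
OS="${OS:-linux}"
ARCH="${ARCH:-amd64}"
# Assumed keyless signer identity for official releases (check the Kubernetes
# docs before relying on these values in production).
SIGNER_IDENTITY="krel-staging@k8s-releng-prod.iam.gserviceaccount.com"
OIDC_ISSUER="https://accounts.google.com"

# Build the dl.k8s.io URL for a release file, e.g. kubectl, kubectl.sig,
# kubectl.cert. Arguments: version, os, arch, file name.
k8s_artifact_url() {
  printf 'https://dl.k8s.io/release/%s/bin/%s/%s/%s\n' "$1" "$2" "$3" "$4"
}

# Download the binary plus its .sig and .cert sidecars, then verify.
# Exits non-zero if the signature does not validate or the certificate does
# not carry the expected identity and issuer, so a tampered or unofficial
# binary never reaches the chmod step.
verify_k8s_binary() {
  bin="$1"
  for f in "$bin" "$bin.sig" "$bin.cert"; do
    curl -sSfL "$(k8s_artifact_url "$K8S_VERSION" "$OS" "$ARCH" "$f")" -o "$f"
  done
  cosign verify-blob "$bin" \
    --signature "$bin.sig" \
    --certificate "$bin.cert" \
    --certificate-identity "$SIGNER_IDENTITY" \
    --certificate-oidc-issuer "$OIDC_ISSUER"
}

# Usage: ./verify-k8s-binary.sh kubectl   (runs only when a name is given)
if [ "$#" -gt 0 ]; then
  verify_k8s_binary "$1" && chmod +x "$1"
fi
```

Point K8S_VERSION, OS and ARCH at the release you actually deploy; the same three sidecar files exist for every signed binary in the release bucket.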

Lots of improvements

Kubernetes 1.24 also brings other improvements. For example, new beta application programming interfaces (APIs) will no longer be enabled by default in clusters. However, existing beta APIs and new versions of them will continue to be enabled by default. In another API change, Kubernetes 1.24 offers beta support for publishing its APIs in the OpenAPI v3 format.

Changes have also been made to storage and volumes. Storage capacity tracking now supports exposing currently available storage capacity through CSIStorageCapacity objects and improves scheduling of pods that use Container Storage Interface (CSI) volumes with late binding. Meanwhile, you can resize an existing persistent volume with Volume Expansion. Work is also underway to migrate the internals of the in-tree storage plugins to CSI plugins while retaining the original API. So far the Azure Disk and OpenStack Cinder plugins have both been migrated.

Finally, while there are many other changes and improvements, keep in mind that the new optional networking feature in Kubernetes 1.24, which lets you reserve a range for assigning static IP addresses to services, changes how assignment works. When you enable this feature manually, the cluster will prefer automatic assignment from the Services IP address pool, thus reducing the risk of collisions. I really like this feature.

Source: ZDNet.com