Kubernetes 1.12 Improves Cloud-Native Security With TLS Bootstrap

The third major release of the open-source Kubernetes container orchestration system in 2018 is now out, providing users with a stable release of a key security feature that has been in development for two years, while previewing a new sandboxing isolation capability.


Some features take longer than others to get right.

On Sept. 27, the Cloud Native Computing Foundation announced the general availability of Kubernetes 1.12. Among the highlights of the update is the stable release of TLS Bootstrapping, a security capability that developers have been working on for the past two years, since the release of Kubernetes 1.4 in 2016. For context, Kubernetes has only existed for four years.

"Security is a very nuanced, complicated space," Tim Pepper, senior staff engineer at VMware and release lead for Kubernetes 1.12, told eWEEK. "Things like the TLS Bootstrap, where you're having to set up certificates and certificate authorities, signing requests and all of that, that's really tricky to get right. So, it makes sense that it took some time."

Kubernetes is a container orchestration platform technology that is developed under the auspices of the multi-stakeholder CNCF, which itself is a project from the Linux Foundation. Kubernetes 1.12 is the third major release of the open-source project in 2018, following the 1.11 milestone on June 27 and 1.10 on March 26.

With TLS Bootstrapping, the Kubelet (the agent running on each Kubernetes node) can request and obtain a Transport Layer Security (TLS) certificate in order to join a TLS-secured cluster, rather than having an administrator generate and distribute a per-node certificate out of band. Pepper explained that any feature that comes to Kubernetes needs to go through a maturation process to make sure it's ready and stable for production deployments.
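The bootstrap flow Pepper describes rests on two things on the control-plane side: a short-lived bootstrap token that a fresh Kubelet can use to authenticate once, and RBAC bindings that let that token submit a certificate signing request (CSR) and have the resulting node client certificate approved automatically. The manifests below are an added example, not code from the article or from the Kubernetes project; the token id, token secret, expiry and group suffix are constructed placeholders, and the ClusterRole names are the built-in ones that ship with Kubernetes.

```yaml
# Added example, not from the article. Token id/secret and the expiry are
# constructed placeholders; generate fresh values before use.
apiVersion: v1
kind: Secret
metadata:
  # The name must be "bootstrap-token-<token-id>".
  name: bootstrap-token-07401b
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  token-id: "07401b"                        # placeholder: 6 chars, [a-z0-9]
  token-secret: "f395accd246ae52d"          # placeholder: 16 chars, [a-z0-9]
  expiration: "2018-10-01T00:00:00Z"        # placeholder; keep bootstrap tokens short-lived
  usage-bootstrap-authentication: "true"    # token may authenticate to the API server
  usage-bootstrap-signing: "false"          # not used to sign the cluster-info ConfigMap here
  auth-extra-groups: "system:bootstrappers:worker"   # extra group; prefix is mandatory
---
# Let bootstrap tokens create CertificateSigningRequests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: create-csrs-for-bootstrapping
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:node-bootstrapper
  apiGroup: rbac.authorization.k8s.io
---
# Auto-approve the initial node *client* certificate for bootstrap tokens.
# The approver only accepts CSRs whose subject is system:node:<name> in the
# group system:nodes with client-auth usage; it does not approve serving certs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-csrs-for-group
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io
---
# Auto-approve renewals requested by a node that already holds a valid
# client certificate (the Kubelet's --rotate-certificates path).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-renewals-for-nodes
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
```

The Kubelet side points `--bootstrap-kubeconfig` at a kubeconfig whose credential is the token `07401b.f395accd246ae52d` and runs with `--rotate-certificates`; the API server needs `--enable-bootstrap-token-auth`, and the controller manager needs `--cluster-signing-cert-file` and `--cluster-signing-key-file` so it can act as the CA. The security-relevant points are that the bootstrap token expires (the `expiration` field) and carries no node identity of its own: the only thing the auto-approver will hand back is a client certificate bound to a `system:node:<name>` subject, so a leaked token cannot be turned into anything broader than a node credential, and even that only until expiry.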

In Kubernetes, ideas that come up through the community are first implemented as alpha features. Alpha phase features go through a graduation process to become beta, at which point the APIs for the features are expected to be stable, according to Pepper. The stable, or generally available (GA), stage for a feature is only achieved when the capability is robust, validated and known to be good.

Kubernetes 1.12 Features

Among the other stable features that have landed in Kubernetes 1.12 is support for Microsoft Azure Virtual Machine Set (VMSS) and cluster-autoscaler capabilities. VMSS enables users to create Kubernetes pods that can scale based on policy or on demand.

Kubernetes was first developed with support for Linux and has since added support for Microsoft's Azure and Windows platforms.

Beta Features

Kubernetes 1.12 also includes multiple notable features that have achieved the beta level of stability. One is Taint Node by Condition. Pepper explained that a "Taint" is a toleration for scheduling. He said that Kubernetes started out scheduling on only a few basic criteria, including CPU and memory availability.

"The taints feature is something that really starts to build out a framework where you can have effectively arbitrary scheduling considerations happen without having to write a custom scheduler," he said. "So as an operator of a cluster, you declare that you have certain features and constraints within the cluster, and then the pod users are able to declare which of those they can tolerate or not."
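The two halves Pepper describes, the operator declaring a constraint on a node and the pod declaring what it can tolerate, look like the following. This is an added example, not from the article; the node name `worker-1`, the `dedicated=gpu` key/value and the image reference are constructed placeholders, while the `node.kubernetes.io/unreachable` taint is one of the condition taints the node lifecycle controller adds on its own under Taint Node by Condition.

```yaml
# Added example, not from the article. Node name, taint key/value and image
# are constructed placeholders.
#
# Operator side (imperative):
#   kubectl taint nodes worker-1 dedicated=gpu:NoSchedule
#   kubectl label nodes worker-1 dedicated=gpu
# After the taint, only pods that tolerate dedicated=gpu can be scheduled onto
# worker-1. Pods already running there stay (a NoExecute taint would evict them).
apiVersion: v1
kind: Pod
metadata:
  name: gpu-job
spec:
  tolerations:
  # Pod side: tolerate the operator-declared constraint so the pod is allowed
  # onto worker-1. A toleration permits placement; it does not request it.
  - key: "dedicated"
    operator: "Equal"
    value: "gpu"
    effect: "NoSchedule"
  # Taint Node by Condition: the controller taints nodes that become
  # unreachable with node.kubernetes.io/unreachable:NoExecute. Bounding the
  # toleration caps how long this pod remains bound to a node that has gone
  # bad before it is evicted and rescheduled.
  - key: "node.kubernetes.io/unreachable"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60
  # The selector is what actually steers the pod to the labelled node.
  nodeSelector:
    dedicated: "gpu"
  containers:
  - name: app
    image: registry.example.com/gpu-job:1.0   # placeholder image
```

The split matters from an operator's point of view: the taint is applied to the node by whoever administers the cluster, so a workload author cannot remove it from their own manifest; they can only state which taints their pod tolerates. Anything that lacks a matching toleration simply never lands on the tainted node, which is what makes taints usable for keeping general workloads off dedicated or degraded hardware without a custom scheduler.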

Topology Aware Dynamic Profiling is another feature that has now reached beta status. Pepper explained that the new Dynamic Profiling beta feature is different from the ConfigMap dynamic configuration features that landed in the Kubernetes 1.11 release. Topology Aware Dynamic Profiling is storage-specific and is part of a broader push within Kubernetes to enable differentiated types of enterprise storage capabilities, he said.

Alpha Features

Along with beta features, Kubernetes 1.12 introduces multiple alpha features, including the new RuntimeClass resource, which Pepper said was of particular interest to him as an employee of VMware and also because of prior jobs he has held.

"I used to work at Intel in the department that built what became Kata Containers and was originally called Clear Containers," he said. "So I've been really interested in this idea of what it means to provide differentiated sandboxing and levels of security around the container, a pod or whatever a workload is."

The Kata Containers effort is a project operated by the OpenStack Foundation to help enable containers to run in an isolated and secured manner. Pepper explained that the RuntimeClass in Kubernetes 1.12 is a Custom Resource Definition (CRD), which enables administrators to define and retrieve new extensions to the Kubernetes API.

"RuntimeClass is particularly interesting for what it enables from a differentiated security perspective," Pepper said. "Initially, sure it will just be some pod sandboxing, putting probably a VM [virtual machine] under some pods, but I think it has the potential to do a lot more than that and it's going to be really interesting to see over the coming year how it progresses."
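In the 1.12 alpha, selecting a sandboxed runtime for a pod is a two-step declaration: a cluster administrator creates a RuntimeClass object naming a CRI runtime handler, and a pod references that class by name. The manifests below are an added example, not from the article or the Kubernetes project; they assume the `RuntimeClass` feature gate is enabled on the API server and Kubelets, that the alpha CRD has been installed, and that a handler called `kata` has been configured in the node's CRI runtime (the handler name and image reference are placeholders).

```yaml
# Added example, not from the article. Assumes the RuntimeClass feature gate is
# on, the alpha CRD is installed, and the CRI runtime on the node knows a handler
# named "kata" (assumed name). The alpha API shape shown here (spec.runtimeHandler)
# belongs to 1.12; later releases changed the resource's layout.
apiVersion: node.k8s.io/v1alpha1
kind: RuntimeClass
metadata:
  name: kata          # the name pods refer to
spec:
  runtimeHandler: kata   # must match a handler configured in the CRI implementation
---
# A pod that asks to be run under the sandboxed runtime.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-workload
spec:
  runtimeClassName: kata
  containers:
  - name: app
    image: registry.example.com/untrusted:1.0   # placeholder image
```

Two caveats worth keeping in mind when evaluating this as a security boundary. RuntimeClass only names a handler; the isolation a pod actually gets is whatever that handler (for example a VM-backed runtime such as Kata) provides on the node, and a `runtimeClassName` pointing at a handler the node does not have leaves the pod unable to start rather than silently falling back. And a pod that omits `runtimeClassName` still runs under the node's default runtime, so if the goal is to force untrusted workloads into a sandbox, the selection has to be enforced by admission policy rather than left to the workload author.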

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
