Description
In this briefing, Cole Mickens and Stefan Schimanski of Red Hat walk through what's in the Kubernetes 1.10 release. Key features in this release include API aggregation, which graduated to GA, along with the Container Storage Interface (CSI) and the mechanism for hardware device support, which both graduated to beta. As with previous releases, there has been a strong focus on fixing bugs and maturing existing features to beta and stable. As always, ensuring stability matters, and the community continues to refine, polish, scale, and tighten Kubernetes for production use with each release.
Learn more at https://commons.openshift.org
A
Hello, everybody, and welcome again to another OpenShift Commons briefing. We're really pleased today to have this update on Kubernetes 1.10, and we've got Cole Mickens and Stefan Schimanski, both now Red Hatters. Cole comes to us from CoreOS, and we're really pleased to have this expertise as part of this briefing as well. There's a lot in this release, so I'm going to keep this short. The format is we're gonna let Cole and Stefan talk for probably about 30 minutes.
B
Thank you very much, Diane. All right, folks, let's take a look at what's new in 1.10. Right off the bat, we've got three key features here we want to talk about. The first is API aggregation, coming to us from SIG API Machinery. It has graduated to GA in this release, which is a big deal. We have the Container Storage Interface, commonly referred to as CSI, which is graduating to beta out of SIG Storage, which is providing a common interface for vendors to provide storage options for Kubernetes clusters.
C
Yeah, hello, everybody. Over to me. So we took a look at the release stats from the last release, 1.9, and now 1.10, and yeah, the numbers are growing extremely quickly. So we have 8,000 pull requests merged across the organization in 1.10. That's a certain percent more than 1.9. Of course 1.9 was a holiday release, but still it's impressive. 90,000 comments, so we're active people on GitHub, commenting on issues, on PRs and so on. I counted 1,700, or I didn't count it, but the statistics server counted it for us: an impressive number.
C
We have a list of features, 9 new features, so there is really new innovation going on, and 16 of them are actually graduations from alpha to beta or even to GA. So, as you see from the numbers, stability is still a big focus, and yeah. So next slide. I copied the next two slides just from 1.9. Nothing has changed. Stability is important.
B
This is the first release after Red Hat and CoreOS have joined forces. As Diane mentioned, CoreOS got acquired a couple of months ago, and we've been integrating our teams, and I think actually on Monday we officially became Red Hat associates. It's a very exciting time, so it's great to be part of this larger OpenShift team. I'm very excited to see where this takes us.
C
Yeah, before we go to details, just the usual words about what alpha, beta and GA are. So alpha: usually new features, or at least features which are not good enough, complete enough to graduate to beta. Those guys can change dramatically, so don't rely on them, especially not in production. In the worst case, they can even go away. Betas are those which are on the way to stable, to GA, so those features will stay in the product and are very important for many people, those beta features.
C
They are for the first time enabled without feature gates, so you can really use them in nearly every cluster. Of course, in OpenShift a lot of them are just tech preview, but still they are enabled and very important. If you program against the APIs of a beta feature, the APIs will stay at least six months, even when the GA version is out already. And finally GA: those are the really tested, rock-solid, stable APIs.
C
Yeah, so we highlight a number of features sorted by special interest groups. The first one is SIG Auth, or authentication and authorization, or, in short, everything about security. The first one: it's not that new. In fact, most of you will have seen Pod Security Policies. In short, we call them PSPs. They have started their road to GA, so they officially graduated to beta in this release. They used to be in the extensions/v1beta1 API group, but this really didn't count much, because this API group was invented before we even had alpha.
C
So this time it's really officially in the policy/v1beta1 API group. It's all about controlling what pods can do. So examples are: you can define which volume plugins are allowed, for example the hostPath volume. You can read everything from the host when it's not restricted in some way, and this can be controlled by PSPs. Namespaces, user and group IDs, a lot of mechanisms from the Linux kernel: all this can be controlled, and you see on the right one example of such a PSP.
C
If you want some kind of multi-tenant setup where you don't trust workloads, you need PSPs; there's no way around that. And in general, similar to the RBAC introduction in 1.6 and the further releases, expect a measured, slow and controlled rollout of PSPs into Kubernetes by default. That's the future. We take care of you in OpenShift, so in 3.9 we had them already as tech preview.
C
Another one about security which is really exciting. If you look at the last bullet point here, what we plan to do: it's about container identity. So you know service accounts. Service accounts allow you to do certain things in a cluster, to use APIs. The problem with service accounts is they are not bound to any pods. So if you leak a service account, you have the whole API, or at least those parts which they have permissions for via RBAC.
C
You can just use them, and this is not a good idea to have, of course, in a production cluster. So tokens are introduced now which you can derive from service accounts, or you post to the service account resource on the API. This token subresource, we call it a TokenRequest; that's what you see at top right, and you get back a JSON web token, and those tokens, they are constrained by time, so they expire, in contrast to service account tokens.
C
They can be restricted to special audiences, for example just to the API, or part of the API, or other services in the cluster, and they are bound to pods. So if you steal such a token, you will not be able to do much in another pod. It may just not work. As JSON web tokens they are signed by the API server, which means they are not persisted. So if you have huge clusters, and you know, service accounts are a critical point in instigating them.
C
Those tokens are not persisted, which makes them really huge for big clusters, and there's a new endpoint on the API server to get the current signature key. So you can check every JSON web token you get, whether it's valid or not. And some goals with them: they should be injected into the kubelet. It's not done yet, but it will be in the near future, and they should work with external services. Vault, for example, is one example, and any kind of advanced policies.
B
Another security feature highlighted for 1.10 is support for external authentication providers for kubectl and for client-go. Again, fitting with the larger theme of out-of-tree plugins, we have a model where vendors can provide authentication plugins to kubectl without needing to modify the kubectl source code, and additionally this functionality is available to all consumers of client-go.
C
Yeah, we have big features from the networking special interest group. The first one is about resolv.conf, so you can finally customize the name server behavior in a container. So you can define a custom name server, and you can define search domains and even special options, and all this information is written into the /etc/resolv.conf of each container.
C
It's a pure Go implementation, which is well suited for Kubernetes. The basic theme again is fewer moving parts, simplicity, speed, of course, flexibility via plugins. So I counted today: there are 48 plugins today on the website of CoreDNS, quite impressive. And of course ease of service discovery: you can find your service inside the cluster, you know that already, but you can even plug in plugins to integrate other services from other sources. At the moment this is beta, but we still ship kube-dns in 1.10.
C
The next special interest group is API Machinery, which does a lot of work about extension points, extending the API, and we have two ways to extend the API nowadays. The first one is custom resources, CRDs, and the second one we have here is about aggregation, so writing your own API servers and integrating them into a cluster, and you can use those APIs, of course, as a storage counterpart for operators. CoreOS, of course, started last year writing operators for etcd and others, and those API servers can be used for that.
C
Actually, so we started to use this feature for service catalog, which has been tech preview in OpenShift for quite some time, and we have started, after this experience, which was really positive, to use this feature for the future of OpenShift, so we will move out APIs from OpenShift into their own API servers. So this is the future of the architecture of OpenShift. The basic idea is, you see it in the right picture: requests come in from kubectl, for example, and reach the API server, and inside the kube-apiserver is an aggregator.
C
It's basically a proxy which either sends a request through the normal kube APIs, or it's for CRDs, and it's also handled internally, or it's really a proxy to the in-cluster API server. So, first off in this example here, the red arrows, this is OpenShift, and you can even install your own API servers. There are more of them in the community and you can even write your own. So the vision we have here is that you can just say helm install and then some API server name, and it's installed, plug-and-play.
C
So without doing anything, certificates are done automatically and you have the new APIs to use via kubectl. So, a plug-and-play experience, that's our goal! If you want to dive deeper into this topic, there is the library apiserver; it's in the k8s.io domain. There's an example, sample-apiserver, you can look at, and we have an apiserver-builder to help you get started with this code.
C
As mentioned already, the second mechanism for extending APIs are the custom resources. Custom resources are limited in features, so they cannot do certain things which API servers can do, so you have to decide which way to go. Custom resources are very simply defined. That's why people want to use them: without any code, just a spec which you post to the server, and we're working on making them even more native. So as a user of the cluster, you should not notice whether it's a CRD or a real API server.
C
One feature we added now as an alpha version is subresources, which gives them features which have been known only from native resources, like the status and scale endpoints and the generation field. So everybody who writes controllers will love the metadata.generation field. This is now supported in CRDs. The idea is very simple: what you want to do is something like kubectl scale, so you should be able to scale any resource.
B
Then you've got some updates from SIG Storage. To start off with, let's talk about the Container Storage Interface, particularly Kubernetes' support for the Container Storage Interface, which is now in beta in this release after being introduced in 1.9 as alpha. Fitting in with the larger overarching theme, this is again supporting an out-of-tree plugin model, versus previous plugins that have been built into Kubernetes core, and ultimately this is going to allow for installing volume plugins via DaemonSets, and what you should be thinking about here is CNI plugins.
B
This slide touches on a number of enhancements that are going on in regards to local persistent storage, first off being local persistent storage itself graduating to beta in this release. This is functionality that allows pods to request persistent storage on local node disks. As a result of this, the pod needs to be able to specify which node it gets scheduled on, so that it always goes to that node and can access its node storage. And one... sorry, that's a typo, that should say 1.9.
B
Local ephemeral storage now has the ability to specify quota constraints, and this functionality is in beta. Prior to this functionality, pods had no ability to make guarantees about the amount of ephemeral, temporary scratch storage that they would have, and so it's possible, if they were processing some sort of job and were co-located with another pod processing a large job, that they could be fighting with each other for disk space, and ultimately you could have sporadic failures. With this functionality,
B
pods can now directly make requests for ephemeral storage and make assumptions that they will be getting that full amount of storage. And then, finally, we have a beta feature, topology-aware volume scheduling, that allows you to specify scheduling constraints for persistent volumes, so that it'll actually happen after the pod is already scheduled.
B
This is useful again for local volumes that need to specify affinities to specific nodes, and in the future this is going to be expanded and be much more useful by allowing specification of region constraints around persistent volumes, such that you can make guarantees that your PVCs will have persistent volumes created in certain regions matching where your pod has started running. Today this requires an amount of coordination on the deployer to ensure that these things are done correctly and that you don't have a pod talking across regions to storage.
B
There's a large number of other smaller storage features that landed for 1.10, particularly around deleting persistent volumes when they're in use. As it happens today in 1.9, you can accidentally walk up to your cluster and delete PVs and PVCs that are currently in use, and there are two new features to prevent this. There is online support for resizing persistent volumes. It is an alpha that allows you to enlarge the underlying volume without taking it offline, without stopping your pod.
B
There is support for resizing Flex volumes as alpha, and if you're not familiar with them, Flex volumes were the first attempt at providing a way of installing external storage mechanisms into a Kubernetes cluster. It's been largely replaced by the Container Storage Interface, but it's nice to see that for the existing Flex volume plugins there is now resize support. And then we have detailed storage metrics of internal state that are being published to the metrics server.
B
One thing I will say about kubelet configuration is that the docs are pretty advanced and pretty sophisticated for it, and so if this is a scenario that interests you, please check out the docs, walk through the scenario and see what works for you and what doesn't. Ultimately this feature is built to allow cluster operators to change options in the kubelet without having any downtime.
B
There are a number of enhancements that have been created by SIG Node for performance-critical workloads, the first of which is moving the device plugins API to beta. The device plugins API is again an out-of-tree plugin model that allows vendors to advertise advanced features to, in this case, the kubelet. These are things such as GPUs, FPGAs, high-performance networking interfaces and InfiniBand and much more; really anything you can think of that falls under the category of hardware features can be advertised to the kubelet. Historically, again,
B
this is something that had to be built into core and was limited by Kubernetes' velocity, and now it can happen at the pace that the vendor would like it to happen at. And currently available, there are two different GPU plugins for Nvidia. There is an RDMA plugin, there's a Solarflare plugin, and then there you see the little code snippet. These are consumed much like any other cluster resources.
B
Look at the example. In the example, the container does not make a request for resources; it only specifies limits, and Kubernetes' behavior here is that the requests automatically are set to the same values as the limits, and in this case, because the request is for two CPUs, two is a whole integer value and is greater than one. This actually activates guaranteed mode and activates
B
this application CPU pinning feature, and in this example the nginx container, and note it's the container, not the pod, the nginx container actually gets two full exclusive CPUs guaranteed to it. Those are removed from the CPU pool that the kubelet is using for any other pod. And then the other big feature here is huge pages in containers. So nodes can now allocate and advertise huge pages, and the kubelet will expose them as a scheduler resource, and much like the device
B
plugins API on the previous slide, you'll see that these are consumed via resource limits for the containers, similar to other cluster resources, and they are surfaced to the container via a HugePages volume type. And we want to make a note here: if these sorts of performance-critical workloads are important to you, we encourage you to join the Resource Management Working Group to help the community deliver even more improvements.
B
Then, finally, we have some updates to the Container Runtime Interface. The first feature is in alpha and adds support for Windows container configuration. You may be confused, since Kubernetes has supported Windows containers for a while. It just turns out that it has not supported resource constraints for these containers previously. In fact, if you've specified them in the past, they were being ignored and they were instead being set to the host Docker's default configuration. With 1.10, the interface has actually been revved.
B
It's now v1alpha2, and it now includes a WindowsContainerConfig struct, enabling the pass-through of these constraints from the Kubernetes manifests all the way down to the runtime. And we also see the CRI validation test suite graduating to beta with this release. As I mentioned, there's a new CRI protocol version. It did have breaking changes, so for CRI-O it is 1.10.
B
There is an initial implementation for Azure KMS, which is an implementation of Kubernetes KMS, which, if you're not familiar with it, is a mechanism by which providers can plug in to Kubernetes and provide sort of a translation layer between etcd and its final storage, allowing for encryption of etcd and the secrets stored in etcd at rest. So for Azure this is done via Azure Key Vault. This is again in an out-of-tree repository.
B
You'll see this actually lives in the Azure organization, but it includes instructions for how you would deploy this in any Kubernetes cluster and configure Kubernetes to take advantage of it. Also in alpha, Azure now has support for virtual machine scale sets, which is their higher-level concept for multiple identical virtual machines.
B
Previously the Kubernetes cloud provider support only supported loose individual VMs that customers had to manually orchestrate, but now there is full support, including attachment and detachment of persistent volumes to individual machines in one of those groups. And then finally we have autoscaler enhancements. There was previously support for scale set VMs in the cluster autoscaler project, but the majority of Azure deployments were using loose VMs. The Azure team has done work in the autoscaler to support both of these types, so hopefully all Azure customers can be covered by the cluster autoscaler in some capacity now.
C
Yeah, this was an overview of features, a selection of features. I think there are many, many more which we haven't mentioned here. If you go to the next slide, we have listed the special interest groups. I mentioned 29 areas, SIGs and lists. So if you're interested in some topics, go to those meetings. So in the community repo there's a page for each of them with the meeting times, usually every two weeks or something like that. Join them, participate too, and help the project create its future.
A
We also have another briefing coming up tomorrow with Juniper; a couple of their technical folks are going to come in and talk about Contrail and using it with OpenShift. So if you've got any questions, this is your opportunity. If not, then we'll give you all back a half an hour. Anything else you want to add, Cole or Stefan?
B
I think I'll just echo your earlier comment: Stefan and I have made efforts to make sure that these slides have links both to documentation as well as feature proposals and, in some cases, pull requests. So if you want to know more, definitely check out the links on the slides, and then again, as Diane said, please reach out; I'm happy to chat about these things.
A
And there's also a couple of related blogs. I'll add them in when I post this video on the blog; OpenShift.com links back to some of them. There is a blog, a very nice blog, that Eric Chang wrote on the CoreOS site, and there's a couple of other works that are out there too. Hopefully we can get you everything you need to get up and running, and we're looking forward to 1.11.