AWS has recently announced that Amazon Elastic Kubernetes Service (EKS) now supports Kubernetes version 1.25. Highlights of this update include support for Pod Security Admission (PSA), general availability of ephemeral containers, and new values for control groups API version 2.
Lukonde Mwila, senior developer advocate at AWS, provided an overview of the update in a blog post. With Kubernetes 1.25, Pod Security Policies (PSPs) were removed and Pod Security Admission (PSA) was graduated to a stable feature. As a result, Amazon EKS has now enabled PSA as the default security mechanism. EKS customers can follow the detailed instructions to transition from PSP to PSA.
To acknowledge the wide variety of components included in the project and the individuals who contributed to it, the release has been titled "Combiner". Customers using EKS who want to upgrade to Kubernetes 1.25 are required to upgrade their AWS Load Balancer Controller to version 2.4.7. The documentation provides instructions on how to install or upgrade to the latest version of the AWS Load Balancer Controller.
When it comes to control groups (cgroups), API version 2 is stable in Kubernetes 1.25. Cgroups, a feature of the Linux kernel, provides a way to manage the resources used by processes. By utilizing cgroups, users can allocate and restrict the usage of various resources, including CPU, memory, network, disk I/O, and more. To work with Amazon EKS 1.25, users are required to review the new configuration values, including changes to resource value ranges. For instance, the range for cpu.weight changes from [2-262144] to [1-10000].
AWS and Azure have been using ephemeral containers to provide their customers with more flexible and efficient ways to debug and troubleshoot their applications running on the cloud platform. In Amazon EKS 1.25, ephemeral containers are generally available.
The tech community on Reddit took notice of the announcement. In a discussion there, Reddit user KJKingJ said, "Good to see them picking up the pace. We've had some awkward experiences in the past when EKS lagged so far behind that GKE was starting to force-upgrade us away from the highest equivalent version available on EKS."
Among the other updates, Amazon EKS will now have Seccomp profiles disabled by default. Seccomp is a Linux kernel security mechanism that allows users to limit the actions of containers running on their nodes. To enforce strict security profiles on their nodes, customers must enable a feature and apply the --seccomp-default flag during kubelet configuration. Additionally, customers can use the Kubernetes Security Profile to create and distribute seccomp profiles that enforce security on their nodes.
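With seccomp off by default, a container is filtered only if its manifest asks for a profile or the kubelet runs with --seccomp-default. The Python audit below is an added example, not code from AWS or the article: it resolves the effective seccomp profile of each container from pod JSON shaped like `kubectl get pods -o json` output. The pod data is constructed and the function names are hypothetical.

```python
import json

# Constructed sample pods (not from the article), shaped like `kubectl get pods -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "api"},
  "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
           "containers": [
             {"name": "app"},
             {"name": "debug",
              "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
             {"name": "agent", "securityContext": {"privileged": true}}]}},
 {"metadata": {"namespace": "shop", "name": "worker"},
  "spec": {"initContainers": [{"name": "init"}],
           "containers": [{"name": "job"}]}}
]}
""")


def effective_seccomp(pod, kubelet_seccomp_default=False):
    """Map each container name to the seccomp profile type it ends up with."""
    spec = pod["spec"]
    pod_profile = (spec.get("securityContext") or {}).get("seccompProfile")
    # Without --seccomp-default, an unset profile means no syscall filtering.
    fallback = "RuntimeDefault" if kubelet_seccomp_default else "Unconfined"
    result = {}
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            # A container-level profile overrides the pod-level one.
            profile = sc.get("seccompProfile") or pod_profile
            ptype = profile["type"] if profile else fallback
            # Privileged containers always run Unconfined.
            result[c["name"]] = "Unconfined" if sc.get("privileged") else ptype
    return result


def unconfined_containers(pod_list, kubelet_seccomp_default=False):
    """Return sorted namespace/pod/container paths that run without seccomp."""
    findings = []
    for pod in pod_list["items"]:
        meta = pod["metadata"]
        for name, ptype in effective_seccomp(pod, kubelet_seccomp_default).items():
            if ptype == "Unconfined":
                findings.append(f'{meta["namespace"]}/{meta["name"]}/{name}')
    return sorted(findings)


if __name__ == "__main__":
    for path in unconfined_containers(SAMPLE):
        print("no seccomp filtering:", path)
```

Passing `kubelet_seccomp_default=True` shows which containers would remain unconfined after the kubelet flag is enabled, namely those that opt out explicitly or run privileged.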
Support for Kubernetes 1.25 is available for Amazon EKS Distro and Amazon EKS Anywhere. For further details about the update, interested readers can check out the release notes.