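Themes:
1.Improved user experience
Added the kubeadm command for installing clusters, which makes a cluster easier to understand http://kubernetes.io/docs/getting-started-guides/kubeadm/
Added API audit log http://kubernetes.io/docs/admin/audit/
2.Stateful application support
StorageClasses http://kubernetes.io/docs/user-guide/persistent-volumes/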
kind: StorageClass
apiVersion: storage.k8s.io/v1beta1
metadata:
  name: gold
provisioner: kubernetes.io/cinder
parameters:
  type: fast
  availability: nova
pod/node affinity/anti-affinity support http://kubernetes.io/docs/user-guide/node-selection/
apiVersion: v1
kind: Pod
metadata:
  name: with-pod-affinity
  annotations:
    scheduler.alpha.kubernetes.io/affinity: >
      {
        "podAffinity": {
          "requiredDuringSchedulingIgnoredDuringExecution": [
            {
              "labelSelector": {
                "matchExpressions": [
                  {
                    "key": "security",
                    "operator": "In",
                    "values": ["S1"]
                  }
                ]
              },
              "topologyKey": "failure-domain.beta.kubernetes.io/zone"
            }
          ]
        },
        "podAntiAffinity": {
          "requiredDuringSchedulingIgnoredDuringExecution": [
            {
              "labelSelector": {
                "matchExpressions": [
                  {
                    "key": "security",
                    "operator": "In",
                    "values": ["S2"]
                  }
                ]
              },
              "topologyKey": "kubernetes.io/hostname"
            }
          ]
        }
      }
spec:
  containers:
  - name: with-pod-affinity
    image: gcr.io/google_containers/pause:2.0
3.Cluster federation
Global HTTPS on GCE/GKE
Expanded hybrid-cloud support, including rs, secrets, namespaces and events
4.Security
Added sysctl support http://kubernetes.io/docs/admin/sysctls/
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
  annotations:
    security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced=1
    security.alpha.kubernetes.io/unsafe-sysctls: net.ipv4.route.min_pmtu=1000,kernel.msgmax=1 2 3
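A manifest review check for the two sysctl annotations shown above, as an added example that is not part of the original post or the Kubernetes code base. The safe set in ASSUMED_SAFE and the node_allowed_unsafe parameter are assumptions for illustration; take the real lists from the sysctl documentation and your node configuration.

```python
# Added example: audit a pod's alpha sysctl annotations before admission.
SAFE_KEY = "security.alpha.kubernetes.io/sysctls"
UNSAFE_KEY = "security.alpha.kubernetes.io/unsafe-sysctls"

# Assumption: sysctls treated as safe (namespaced and isolated per pod).
# Replace with the set listed in your cluster version's documentation.
ASSUMED_SAFE = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}


def parse_sysctls(value):
    """Split 'a=1,b=2 3' into [('a', '1'), ('b', '2 3')]; reject malformed items."""
    pairs = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        name, sep, val = item.partition("=")
        if not sep or not name.strip():
            raise ValueError("malformed sysctl entry: %r" % item)
        pairs.append((name.strip(), val.strip()))
    return pairs


def audit_annotations(annotations, node_allowed_unsafe=()):
    """Return (severity, message) findings for one pod's annotations.

    node_allowed_unsafe is a hypothetical parameter: the unsafe sysctls an
    administrator has explicitly enabled on the target node.
    """
    findings = []
    for name, _ in parse_sysctls(annotations.get(SAFE_KEY, "")):
        if name not in ASSUMED_SAFE:
            findings.append(("error", name + " is declared safe but is not in the safe set"))
    for name, val in parse_sysctls(annotations.get(UNSAFE_KEY, "")):
        if name in node_allowed_unsafe:
            findings.append(("warn", "%s=%s is unsafe; enabled on this node" % (name, val)))
        else:
            findings.append(("error", "%s=%s is unsafe and not enabled on this node" % (name, val)))
    return findings


# Constructed input: the annotations of the sysctl-example pod above.
SAMPLE = {
    SAFE_KEY: "kernel.shm_rmid_forced=1",
    UNSAFE_KEY: "net.ipv4.route.min_pmtu=1000,kernel.msgmax=1 2 3",
}

if __name__ == "__main__":
    for severity, message in audit_annotations(SAMPLE, {"kernel.msgmax"}):
        print(severity, message)
```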
Cluster-level security controls http://kubernetes.io/docs/admin/authorization/
{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": false,
    "reason": "user does not have read access to the namespace"
  }
}
Implementation:
1.api
audit logs
swagger 2.0
2.Apps:
ScheduledJobs
apiVersion: batch/v2alpha1
kind: ScheduledJob
metadata:
  name: hello
spec:
  schedule: 0/1 * * * ?
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox
            args:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
          restartPolicy: OnFailure
4.auth
ImagePolicyWebhook: add the API server parameter --admission-control=ImagePolicyWebhook
SubjectAccessReview
5.cluster lifecycle
Ensure critical cluster infrastructure pods: evict other pods so that Heapster, DNS and similar add-ons keep running normally http://kubernetes.io/docs/admin/rescheduler/#guaranteed-scheduling-of-critical-add-on-pods
Simplified authentication between kubelet and apiserver
kubeadm cluster initialization
6.network
Preserve source IP http://kubernetes.io/docs/user-guide/load-balancer/#caveats-and-limitations-when-preserving-source-ips
7.node
Publish node performance dashboard (analyzes the collected node performance test results). I compiled one to see how it looks: http://pan.baidu.com/s/1hrAgjJY
sysctl
AppArmor
kubelet evicts pods under heavy pressure
8.scheduling
podAffinity
StorageClass
Quobyte volume support https://github.com/kubernetes/kubernetes/tree/master/examples/volumes/quobyte
Azure Data Disk support
10.ui:
Upgraded dashboard
Default configuration added by the server