New features in k8s 1.4

Source: Internet  Editor: 程序博客网  Time: 2024/06/10 01:33

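Themes:

1.Improved user experience

Added the kubeadm command for installing a cluster, which makes it easier to get to know a cluster: http://kubernetes.io/docs/getting-started-guides/kubeadm/
Added API audit logging: http://kubernetes.io/docs/admin/audit/
2.Support for stateful applications
StorageClasses   http://kubernetes.io/docs/user-guide/persistent-volumes/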
kind: StorageClass
apiVersion: storage.k8s.io/v1beta1
metadata:
  name: gold
provisioner: kubernetes.io/cinder
parameters:
  type: fast
  availability: nova

Pod/node affinity/anti-affinity support: http://kubernetes.io/docs/user-guide/node-selection/
apiVersion: v1
kind: Pod
metadata:
  name: with-pod-affinity
  annotations:
    scheduler.alpha.kubernetes.io/affinity: >
        {
          "podAffinity": {
            "requiredDuringSchedulingIgnoredDuringExecution": [
              {
                "labelSelector": {
                  "matchExpressions": [
                    {
                      "key": "security",
                      "operator": "In",
                      "values": ["S1"]
                    }
                  ]
                },
                "topologyKey": "failure-domain.beta.kubernetes.io/zone"
             }
            ]
           },
          "podAntiAffinity": {
            "requiredDuringSchedulingIgnoredDuringExecution": [
              {
                "labelSelector": {
                  "matchExpressions": [
                    {
                      "key": "security",
                      "operator": "In",
                      "values": ["S2"]
                    }
                  ]
                },
                "topologyKey": "kubernetes.io/hostname"
             }
            ]
           }
         }
spec:
  containers:
  - name: with-pod-affinity
    image: gcr.io/google_containers/pause:2.0


3.Cluster federation
Global HTTPS (GCE/GKE)
Expanded hybrid-cloud support, including rs, secrets, namespaces, and events
4.Security
Added sysctl support: http://kubernetes.io/docs/admin/sysctls/
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
  annotations:
    security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced=1
    security.alpha.kubernetes.io/unsafe-sysctls: net.ipv4.route.min_pmtu=1000,kernel.msgmax=1 2 3
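
An added example (not from the original post or the Kubernetes project): a small Python check that audits the two alpha sysctl annotations shown above. The safe set is the one listed in the Kubernetes sysctl documentation, and `approved_unsafe` is a hypothetical per-cluster policy input.

```python
# Added example: audit the alpha sysctl annotations of a pod manifest.
SAFE_KEY = "security.alpha.kubernetes.io/sysctls"
UNSAFE_KEY = "security.alpha.kubernetes.io/unsafe-sysctls"

# Assumption: the safe set listed in the Kubernetes sysctl documentation.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
})

def parse_sysctls(value):
    """Split 'name=value,name=value' into a dict; values may hold spaces."""
    parsed = {}
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        name, sep, val = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed sysctl entry: {item!r}")
        parsed[name.strip()] = val.strip()
    return parsed

def audit_pod(pod, approved_unsafe=frozenset()):
    """Return (sysctl, finding) tuples for one pod manifest given as a dict.

    approved_unsafe is a hypothetical per-cluster policy input: the unsafe
    sysctls the operator has decided to permit.
    """
    annotations = pod.get("metadata", {}).get("annotations") or {}
    findings = []
    for name in parse_sysctls(annotations.get(SAFE_KEY, "")):
        if name not in SAFE_SYSCTLS:
            findings.append((name, "declared-safe-but-not-in-safe-set"))
    for name in parse_sysctls(annotations.get(UNSAFE_KEY, "")):
        if name not in approved_unsafe:
            findings.append((name, "unsafe-not-approved"))
    return findings

# Constructed sample: the annotations from the manifest above, as a dict.
SAMPLE_POD = {"metadata": {"name": "sysctl-example", "annotations": {
    SAFE_KEY: "kernel.shm_rmid_forced=1",
    UNSAFE_KEY: "net.ipv4.route.min_pmtu=1000,kernel.msgmax=1 2 3",
}}}

if __name__ == "__main__":
    for name, finding in audit_pod(SAMPLE_POD):
        print(f"{SAMPLE_POD['metadata']['name']}: {name}: {finding}")
```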

Cluster-level security controls: http://kubernetes.io/docs/admin/authorization/
{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": false,
    "reason": "user does not have read access to the namespace"
  }
}


Implementation:

1.api

 audit logs 

 swagger 2.0

2.Apps: 

ScheduledJobs

apiVersion: batch/v2alpha1
kind: ScheduledJob
metadata:
  name: hello
spec:
  schedule: 0/1 * * * ?
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox
            args:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
          restartPolicy: OnFailure

4.auth

ImagePolicyWebhook: add the apiserver parameter --admission-control=ImagePolicyWebhook

SubjectAccessReview


5.cluster lifecycle
Ensure critical cluster infrastructure pods: evicts other pods to keep Heapster, DNS, and the like running normally. http://kubernetes.io/docs/admin/rescheduler/#guaranteed-scheduling-of-critical-add-on-pods

Simplified authentication between the kubelet and the apiserver

Cluster initialization with kubeadm



6.network
Source IP preservation: http://kubernetes.io/docs/user-guide/load-balancer/#caveats-and-limitations-when-preserving-source-ips


7.node
Publish node performance dashboard (collects and analyzes node performance test results). I built one to see what it looks like: http://pan.baidu.com/s/1hrAgjJY
sysctl
AppArmor 
kubelet evicts pods under heavy resource pressure


8.Scheduling: podAffinity


9.Storage:
StorageClass 
Quobyte volume support: https://github.com/kubernetes/kubernetes/tree/master/examples/volumes/quobyte
Azure Data Disk support

10.ui:
Dashboard upgraded
Default configuration added by the server

