Looking back on a busy 2023
December 26, 2023
With 2023 drawing to a close, I wanted to take a moment and reflect on some highlights.
1. Joining the Kubernetes release team
I first joined the enhancements team for the 1.27 release and wasn’t sure what to expect. It ended up being a great experience and introduction to the open source Kubernetes community. I enjoyed it so much I came back for the 1.28 and 1.29 release teams!
One of my favorite things about the release team is the creative release logo that get designed for each Kubernetes release. I’ve now been a part of 1.27, 1.28 and 1.29 and here are the logos of all the releases I’ve been a part of in 2023:
1.27 Chill Vibes
1.28 Planternetes 🌱
1.29 Mandala (The Universe) ✨🌌
2. Kubecon EU in Amsterdam
Aaron Birkland and I got our talk, Developing a Mental Model of Istio: From Kubernetes to Sidecars to Ambient accepted at Kubecon EU!
We compared Istio policies for a sidecar set versus an Ambient setup to illustrate some of the subtle differences in two setups. It was a litttttle nerve racking making sure our live demo worked in front of all those people. Luckily I scripted everything before hand and if you’re curious about the scenarios I made them publicly available along with my demo script on GitHub.
As part of the 1.27 release team, I was attended the Contributer Summit. Every year, just before the official start of KubeCon+CloudNativeCon, there’s a special meetup that is open to all members of one of the Kubernetes orgs.
3. Enhancements Lead for 1.29
As part of being a release lead for enhancements, I got to present at the CNCF 1.29 release webinar with Priyanka Saggu and Carol Valencia! There were many exciting new features graduating in 1.29, but these were some of the highlights I was very happy to see graduate:
🎉 Sidecar containers are (finally) a thing 🎉
SidecarContainers have been a long awaited feature which graduated to beta and is now enabled by default starting 1.29. I think this is the most popular Github issue in both the enhancements repo and kubernetes repo.
SidecarContainers are a new type of containers that start among the Init containers, run through the lifecycle of the Pod and don’t block pod termination. Kubelet makes a best effort to keep them alive and running while other containers are running.
This is particularly nice for service meshes following the sidecar pattern, such as Istio. John Howard wrote a great Istio blog testing out the kubernetes native sidecar feature with Istio when sidecars graduated into alpha in 1.28.
If you’re curious, you can read more on the enhancement issue for KEP-753: Sidecar Containers.
NFTables are coming
The nftables API is the successor to the iptables API, and although it is designed to provide better performance and scalability than iptables, the kube-proxy nftables mode is still under heavy development as of v1.29 and is not necessarily expected to outperform the other Linux modes. It’s also only currently available on linux nodes.
If you’re curious, you can read more on the enhancement issue for KEP-3866: nftables kube-proxy backend.
In-place updates of pod resources
Currently changes to resource allocation such as cpu/memory require you to recreate the Pod. That’s not something we need/want to do in a lot of cases. For example, if the load on a Pod increases significantly and the current resources are not sufficient, we don’t necessarily want to kill the pod and restart- we just want to give more resources. This change make PodSpec containers mutable which unlocks vertical autoscaling as a usecase.
Some historical context- this feature ended up staying in alpha for 1.29, but has been a long awaited feature in the community. Discussions around it started during 1.17 in 2019 and there have been github issues open since 2015 (#9043)!! So yeah, this one has been in the works for a while…
If you’re curious, you can read more on the enhancement issue for KEP-1287: In-Place Update of Pod Resources.
4. Kubecon NA in Chicago
Marino Wijay and I has a talk, Pi in the Sky: Onboarding Edge Workloads Into the Service Mesh accepted to Kubernetes on EDGE Day. We ran Istio ambient on a Raspberry Pi (thank goodness for ARM builds!) and Istio on a local kind cluster on the same network, then showed off some fancy Istio magic with routing and AuthorizationPolicies.
Hardware live demos are always fun because there are even more things that can go wrong. But… Marino and I had run through the scenarios so many times, I knew how to live debug our setup when the ztunnel on the Raspberry Pi wasn’t getting any updates from our cluster (it turned out to be a pesky missing iptable route). Along the way, we had a lot of fun prepping different scenarios to show (and ended up having to cut a couple for the demo to fit everything in).
In Chicago, I also attended the Contributer Summit again and got to meet some of the release team members in person!
