Today we're proud to announce that Kontena Pharos 2.2, the latest release of our enterprise-ready Kubernetes distribution, is now available. This version is the first to ship with an integrated Helm chart management UI, networking enhancements and improved security.

Kontena Network LoadBalancer

One of our goals when selecting and building add-ons is to enable a cloud-like experience even in bare-metal environments. Load balancing is one of the most commonly used features in cloud environment integrations with Kubernetes. Kontena Network LB enables type: LoadBalancer for a Service running in bare-metal or other non-cloud clusters. It is not universally usable, though, as it requires some support from the networking environment, namely the ARP and/or BGP protocols. Basically, you create a type: LoadBalancer Service and the Kontena Network LB components announce its address to the wider world. How wide depends on the add-on configuration and on how your network routes those addresses. The Kontena Network LB add-on is built on top of MetalLB.
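As an added example (not from the Pharos project or this post), this is the kind of Service the add-on announces. The service name, selector and address are constructed placeholders; the address must fall inside an address pool that the add-on has been configured with in cluster.yml (see the Pharos docs for the pool keys), otherwise nothing is allocated.

```yaml
# Added example, not Pharos project code. All names and the address below are
# constructed placeholders.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: default
spec:
  type: LoadBalancer
  # Optional: pin a specific address from a configured pool instead of letting
  # the add-on choose one. Omit the field to get automatic allocation.
  loadBalancerIP: 10.0.50.10
  selector:
    app: web
  ports:
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP
```

After `kubectl apply -f`, `kubectl get svc web` should show the address under EXTERNAL-IP; a value of `<pending>` means no pool covered the request. Reachability from outside the node then depends on the ARP/BGP support the post mentions, so test from another host on the segment rather than from the node itself, where the address answers locally regardless of what is announced.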

Kontena Lens 1.4

Pharos 2.2 comes with updated Kontena Lens. The new version of Kontena Lens includes a couple of interesting new features and lots of fixes and enhancements.

Integrated Helm Charts

The most notable new feature of Kontena Lens is the management UI for Helm charts, which makes it super easy to install new applications and services into a Pharos cluster. When installing Pharos, the stable Helm repository is enabled by default. Repositories are configurable through cluster.yml, so you can add all the repositories your cluster requires.

Persistent Terminal Sessions

Kontena Lens comes with a very handy embedded terminal providing kubectl access to the cluster. Terminal sessions now run inside tmux sessions, so if the network connection is interrupted, users return to their previous state after reconnecting instead of getting a fresh terminal session.

Draining and Cordoning Nodes

We have added an option to cordon and drain nodes from the Kontena Lens dashboard. These actions are shortcuts to the corresponding kubectl commands, which are executed in the embedded terminal.

See the full Kontena Lens 1.4.0 changelog.

Firewalld

In the past, users who needed a host-level firewall had to tweak iptables manually (or via their favorite configuration management tool, like Ansible or Chef). Kontena Pharos 2.2 includes a managed firewall, based on Firewalld, that opens only well-known ports to the outside world (like 443 for HTTPS). The firewall is not enabled by default, but it's super easy to switch on via cluster.yml:

network:
  firewalld:
    enabled: true

Custom Networking

Pharos 2.2 allows users to plug in any CNI networking implementation on the cluster.

Custom networking is enabled by setting the network provider to custom and configuring the path to the deployment manifests. Pharos then deploys all the needed networking components during cluster creation.

OpenID Connect

In Kubernetes, user management is fully “outsourced”: the cluster itself does not manage users. With Kontena Lens you can manage users within the cluster, but in many cases you want to integrate with an existing user management solution already in place in your organization. Hence we’ve made it possible to configure OpenID Connect integration through cluster.yml. By doing so you can authenticate via Google or any other provider that supports OIDC. Read more in the Pharos docs.
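As an added example (not from the Pharos project or this post), here is an OIDC configuration paired with the RBAC binding that actually grants rights. The cluster.yml key names under `authentication.oidc` are an assumption; each is annotated with the real kube-apiserver flag it would map to, so you can check them against the Pharos docs. The issuer, client id, namespace and group name are constructed placeholders.

```yaml
# cluster.yml fragment. Added example, not Pharos project code; the key names
# are assumed, the kube-apiserver flags in the comments are real.
authentication:
  oidc:
    issuer_url: https://accounts.google.com        # --oidc-issuer-url
    client_id: EXAMPLE-CLIENT-ID.example           # --oidc-client-id (placeholder)
    username_claim: email                          # --oidc-username-claim
    username_prefix: "oidc:"                       # --oidc-username-prefix
    groups_claim: groups                           # --oidc-groups-claim
    groups_prefix: "oidc:"                         # --oidc-groups-prefix
---
# rbac.yml, applied with kubectl. OIDC only authenticates; an authenticated
# user with no binding can do nothing. Grant rights per group and keep them
# namespace-scoped where possible instead of binding everyone to cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-edit
  namespace: team-a                  # constructed placeholder
subjects:
  - kind: Group
    name: "oidc:developers"          # groups_prefix + value of the groups claim
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                         # built-in aggregated role, no RBAC writes
  apiGroup: rbac.authorization.k8s.io
```

The prefixes matter: without them a provider's subject or group value could collide with the built-in `system:` names. To check the binding before handing out tokens, an admin can impersonate the identity: `kubectl auth can-i create deployments --as=oidc:alice@example.com --as-group=oidc:developers -n team-a` should answer yes, and the same query with `-n kube-system` should answer no.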

Security Enhancements

From the start of Kontena Pharos, security has been one of our top priorities. For this release we've again baked in a few security enhancements, many driven by the CIS Benchmarks. Pharos now ships with, for example, profiling disabled, a fixed set of TLS ciphers, more admission plugins enabled by default, and fully automated certificate bootstrapping between masters and kubelets, thanks to our newest open source component, kubelet-rubber-stamp.

Some of the CIS Benchmark tests give false failures because they only look for double-dash options on system components. There are also tests which, if configured to pass, will actually fail the Kubernetes conformance tests. Our intent is to keep an up-to-date document explaining why some of the tests still fail and what security threat, if any, they pose.
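As an added example (not Pharos project code and not the post's own configuration), here is how the enhancements listed above are expressed in a kubeadm-style configuration, which is the usual way to set these control plane flags; whether Pharos renders them exactly this way is an assumption, and the specific cipher list and admission plugin set are example choices, not the ones Pharos ships.

```yaml
# Added example, not Pharos project code. Cipher suites and admission plugins
# below are illustrative choices; use the values your own review settles on.
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
apiServer:
  extraArgs:
    # Profiling endpoints expose runtime internals; off on every component.
    profiling: "false"
    # Restrict the API server to AEAD suites with forward secrecy.
    tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    # Caveat: PodSecurityPolicy with no policies defined blocks every pod, so
    # create policies before enabling it.
    enable-admission-plugins: "NodeRestriction,AlwaysPullImages,PodSecurityPolicy"
controllerManager:
  extraArgs:
    profiling: "false"
scheduler:
  extraArgs:
    profiling: "false"
---
# Kubelet side: request the serving certificate through a CSR instead of
# self-signing it. The post says kubelet-rubber-stamp automates the approval.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
serverTLSBootstrap: true
```

On a master, `ps -o args= -C kube-apiserver | tr ' ' '\n' | grep -- '^--profiling'` shows the rendered flag. Because extraArgs are rendered as `--key=value`, checks that grep for double-dash forms, as the post describes, will find them; a setting that reaches the process through a configuration file rather than a flag is what produces the false failures mentioned above.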

Kubernetes 1.13

Kubernetes 1.13 brings a few nice features:

  • “kubectl diff” gives you a preview of the changes “kubectl apply” will make on your cluster.
  • The out-of-tree CSI volume plugin interface is now stable.
  • Topology-aware volume scheduling is now stable.
  • Taint-based eviction is now in beta.

Read the full changelog here.

About Kontena Inc.

Kontena Inc. specializes in creating the most developer-friendly solutions for running containers. Kontena's products are built on open source technology developed and maintained by Kontena. Kontena was founded in 2015 and has offices in Helsinki, Finland and New York, USA. More information: www.kontena.io.