Kubernetes 1.7: Security Hardening, Stateful Application Updates and Extensibility

Introduction

On June 30, 2017, the Kubernetes project released version 1.7 — a milestone release marked by enterprise-grade security, extensibility and stateful workload support.


Official Highlights

1. Security Hardening

Kubernetes 1.7 includes multiple major security enhancements:

  • The NetworkPolicy API was promoted to stable (GA).
  • The Node authorizer and NodeRestriction admission plugin were introduced to restrict each kubelet's access to only its own node's pods and secrets.
  • Encryption at rest for etcd secrets (alpha) and improved audit log filtering and webhooks.
  • PodSecurityPolicy advanced to beta, enabling fine-grained pod admission controls.
  • Remember: NetworkPolicy enforcement still requires a compatible CNI (Calico, Cilium, kube-router, etc.).

2. Stateful Application Updates

  • StatefulSet updates (beta) added automated rolling updates and faster scaling/burst mode.
  • Local storage volumes (alpha) are supported through the standard PVC/PV interface.
  • DaemonSet enhancements for rollback and history.

3. Extensibility and API-Ecosystem

  • Custom Resource Definitions (CRDs, beta) enabled extension of Kubernetes API.
  • API Aggregation at runtime (beta) allows adding user-provided apiservers to the Kubernetes API.
  • Enhanced Container Runtime Interface (CRI) support, including new RPCs and containerd integration (alpha).
  • ThirdPartyResource began formal deprecation; plan migrations to CRDs early.

Implementation Tips

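  • Enable encryption at rest by supplying an encryption provider configuration file:

    # Kubernetes 1.7 schema (kind: EncryptionConfig, apiVersion: v1).
    # Later releases (1.13+) use kind: EncryptionConfiguration with
    # apiVersion: apiserver.config.k8s.io/v1 and --encryption-provider-config.
    kind: EncryptionConfig
    apiVersion: v1
    resources:
    - resources: ["secrets"]
      providers:
      # The first provider in the list encrypts new writes.
      - aescbc:
          keys:
          - name: key1
            secret: <BASE64-SECRET>   # base64 of a random 32-byte key
      # Fallback so secrets stored before encryption was enabled stay readable.
      - identity: {}
    
    kube-apiserver \
      --experimental-encryption-provider-config=/etc/kubernetes/encryption-config.yaml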
    
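  • Lock down kubelets by enabling the Node authorizer and the NodeRestriction admission controller:

    # Kubernetes 1.7 uses --admission-control (an ordered list); append
    # NodeRestriction to the plugins you already run (<EXISTING-PLUGINS> is a
    # placeholder). From 1.10 the flag is --enable-admission-plugins=NodeRestriction.
    kube-apiserver \
      --authorization-mode=Node,RBAC \
      --admission-control=<EXISTING-PLUGINS>,NodeRestriction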
    
  • Validate NetworkPolicy GA: ensure your CNI plugin has GA support, then roll out namespace default-deny + targeted allow rules.

  • Adopt StatefulSet updates: use spec.updateStrategy.type=RollingUpdate to unlock ordered rolling restarts and parallel pod provisioning.
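
For the encryption-at-rest tip above, an added example (not from the original article or the Kubernetes project) that classifies raw etcd values by their storage prefix, so you can tell which secrets are encrypted under the current key, which sit under an older key, and which are still plaintext. The `/registry/secrets/...` paths and the byte strings are constructed samples, and `classify` and `audit` are hypothetical helper names; the check relies on the `k8s:enc:<provider>:v1:<key name>:` prefix the apiserver puts in front of encrypted values.

```python
import re

# Storage prefix the apiserver writes in front of an encrypted value:
#   k8s:enc:<provider>:v1:<key name>:<ciphertext>
ENC_PREFIX = re.compile(rb"k8s:enc:([a-z0-9]+):v1:([^:]+):")
PROTOBUF_MAGIC = b"k8s\x00"  # start of an unencrypted protobuf-encoded object


def classify(raw):
    """Return (state, provider, key_name) for one raw etcd value."""
    m = ENC_PREFIX.match(raw)
    if m:
        return ("encrypted", m.group(1).decode(), m.group(2).decode())
    if raw.startswith(PROTOBUF_MAGIC) or raw.lstrip().startswith(b"{"):
        return ("plaintext", "identity", None)
    return ("unknown", None, None)


def audit(values, provider="aescbc", current_key="key1"):
    """Sort etcd paths into buckets: ok, plaintext, stale_key, unknown."""
    report = {"ok": [], "plaintext": [], "stale_key": [], "unknown": []}
    for path, raw in sorted(values.items()):
        state, prov, key = classify(raw)
        if state == "encrypted" and (prov, key) == (provider, current_key):
            report["ok"].append(path)
        elif state == "encrypted":
            # Readable only while that older key stays in the provider list.
            report["stale_key"].append(path)
        else:
            report[state].append(path)
    return report


# Constructed sample values (not real cluster data).
SAMPLE = {
    "/registry/secrets/default/db-pass": b"k8s:enc:aescbc:v1:key1:" + bytes(range(32)),
    "/registry/secrets/default/old-token": b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret",
    "/registry/secrets/kube-system/tls": b"k8s:enc:aescbc:v1:key0:" + bytes(32),
    "/registry/secrets/default/legacy-json": b'{"kind":"Secret","apiVersion":"v1"}',
}

if __name__ == "__main__":
    for bucket, paths in audit(SAMPLE).items():
        print(f"{bucket:10} {paths}")
```

Secrets are encrypted on write, so anything reported under `plaintext` was stored before the provider was enabled and stays that way until the secret is updated or rewritten.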


Milestones Timeline

Date | Event
--- | ---
June 30 2017 | Kubernetes 1.7 officially released.
July 12 2017 | Google Kubernetes Engine (GKE) begins rolling 1.7 in production.
Mid-2017 | Enterprise adoption increases for stateful and extensible workloads.

Patch Releases for 1.7

Patch releases in the 1.7 branch (1.7.x) delivered ongoing bug-fixes, stability improvements, and compatibility updates.

Patch Version | Release Date | Notes
--- | --- | ---
1.7.0 | 2017-06-30 | Initial 1.7 release
1.7.1+ | various dates | Successive patches for production readiness

Legacy and Impact

With Kubernetes 1.7, the project made a significant leap toward enterprise readiness: the combination of hardened security, stateful workload support and extensibility features laid the foundation for multi-tenant, cloud-native platforms.
This release broadened Kubernetes beyond stateless microservices into the domain of databases, hybrid clouds and custom API extensions. Operators who embraced the new security knobs early found fewer surprises in Kubernetes 1.8/1.9 where many of these features became defaults.


Deprecations & Gotchas

  • ThirdPartyResource is deprecated; start porting custom APIs to CRDs.
  • Legacy ABAC-only clusters may break once RBAC or NodeRestriction are enabled—audit and migrate policies.
  • Local PersistentVolumes were introduced as alpha; expect storage semantics to evolve in subsequent releases.

Summary

Aspect | Description
--- | ---
Release Date | June 30, 2017
Key Innovations | Security enhancements, StatefulSet updates, CRDs & API Aggregation
Significance | Major step toward enterprise, extensible, production-grade Kubernetes

Next in the Series

Up next: Kubernetes 1.8 (September 2017) — we’ll explore improved workloads support, deeper feature stabilization and enterprise toolchains.