Kubernetes 1.7: Security Hardening, Stateful Application Updates and Extensibility

Introduction
On June 30, 2017, the Kubernetes project released version 1.7 — a milestone release marked by enterprise-grade security, extensibility and stateful workload support.
Official Highlights
1. Security Hardening
Kubernetes 1.7 includes multiple major security enhancements:
- The NetworkPolicy API was promoted to stable (GA).
- Node Authorizer and the NodeRestriction admission plugin were introduced to restrict each kubelet's access to the pods and secrets on its own node.
- Encryption at rest for etcd secrets (alpha) and improved audit log filtering and webhooks.
- PodSecurityPolicy advanced to beta, enabling fine-grained pod admission controls.
- Remember: NetworkPolicy enforcement still requires a compatible CNI (Calico, Cilium, kube-router, etc.).
2. Stateful Application Updates
- StatefulSet updates (beta) added automated rolling updates and faster scaling/burst mode.
- Local storage volumes (alpha) support via standard PVC/PV interface.
- DaemonSet enhancements for rollback and history.
3. Extensibility and API-Ecosystem
- Custom Resource Definitions (CRDs, beta) enabled extension of Kubernetes API.
- API Aggregation at runtime (beta) allows adding user-provided apiservers to the Kubernetes API.
- Enhanced Container Runtime Interface (CRI) support, including new RPCs and containerd integration (alpha).
- ThirdPartyResource began formal deprecation; plan migrations to CRDs early.
Implementation Tips
Enable encryption at rest by supplying an EncryptionConfiguration and pointing the API server at it:

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources: ["secrets"]
    providers:
      - aescbc:                 # first provider listed is the one used for writes
          keys:
            - name: key1
              secret: <BASE64-SECRET>   # 32-byte random key, base64-encoded; keep it out of version control
      - identity: {}            # listed last: only used to read plaintext entries written before encryption was enabled
```

```bash
kube-apiserver \
  --experimental-encryption-provider-config=/etc/kubernetes/encryption-config.yaml
```

Lock down kubelets by enabling Node Authorizer plus the NodeRestriction admission controller:

```bash
kube-apiserver \
  --authorization-mode=Node,RBAC \
  --enable-admission-plugins=NodeRestriction   # 1.7-era binaries took this list via --admission-control instead
```

Validate NetworkPolicy GA: ensure your CNI plugin has GA support, then roll out namespace default-deny plus targeted allow rules.

Adopt StatefulSet updates: set `spec.updateStrategy.type=RollingUpdate` to unlock ordered rolling restarts and parallel pod provisioning.
Milestones Timeline
| Date | Event |
|---|---|
| June 30 2017 | Kubernetes 1.7 officially released. |
| July 12 2017 | Google Kubernetes Engine (GKE) begins rolling 1.7 in production. |
| Mid-2017 | Enterprise adoption increases for stateful and extensible workloads. |
Patch Releases for 1.7
Patch releases in the 1.7 branch (1.7.x) delivered ongoing bug-fixes, stability improvements, and compatibility updates.
| Patch Version | Release Date | Notes |
|---|---|---|
| 1.7.0 | 2017-06-30 | Initial 1.7 release |
| 1.7.1+ | various dates | Successive patches for production readiness |
Legacy and Impact
With Kubernetes 1.7, the project made a significant leap toward enterprise readiness: the combination of hardened security, stateful workload support and extensibility features laid the foundation for multi-tenant, cloud-native platforms.
This release broadened Kubernetes beyond stateless microservices into the domain of databases, hybrid clouds and custom API extensions. Operators who embraced the new security knobs early found fewer surprises in Kubernetes 1.8/1.9 where many of these features became defaults.
Deprecations & Gotchas
- ThirdPartyResource is deprecated; start porting custom APIs to CRDs.
- Legacy ABAC-only clusters may break once RBAC or NodeRestriction is enabled—audit and migrate policies.
- Local PersistentVolumes were introduced as alpha; expect storage semantics to evolve in subsequent releases.
Summary
| Aspect | Description |
|---|---|
| Release Date | June 30, 2017 |
| Key Innovations | Security enhancements, StatefulSet updates, CRDs & API Aggregation |
| Significance | Major step toward enterprise, extensible, production-grade Kubernetes |
Next in the Series
Up next: Kubernetes 1.8 (September 2017) — we’ll explore improved workloads support, deeper feature stabilization and enterprise toolchains.