(Discontinued) Kubernetes 1.26 release notes

更新时间:
复制 MD 格式

ACK strictly abides by the terms of the Certified Kubernetes Conformance Program. This topic describes the changes ACK has made to support Kubernetes 1.26.

Component versions

Key component

Version

Notes

Kubernetes

1.26.15-aliyun.1 and 1.26.3-aliyun.1

See Update notes before upgrading.

etcd

v3.5.4

CoreDNS

1.9.3.10-7dfca203-aliyun

CRI

containerd 1.6.20

Kubernetes 1.24.0 and later only.

CSI

For latest versions of csi-plugin and csi-provisioner, see csi-plugin and csi-provisioner release notes.

CNI

Flannel v0.15.1.22-20a397e6-aliyun

CNI

Terway & TerwayControlplane v1.5.0+

NVIDIA Container Runtime

v3.13.0

Kubernetes 1.26 only. Other versions use v3.7.0.

Ingress Controller

v1.6.4-aliyun.1

Update notes

Breaking changes at a glance

Before upgrading to Kubernetes 1.26, review this summary of breaking changes:

  • CRI v1alpha2 removed — Kubernetes 1.26 requires CRI v1. containerd 1.5 and earlier are not supported; upgrade containerd to 1.6.0 or later before upgrading your cluster.

  • PodSecurityPolicy (PSP) removed — PSP was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25. Migrate to Pod Security Admission or a third-party admission webhook before upgrading.

  • Beta APIs deprecated — Multiple beta APIs are removed in Kubernetes 1.25 and 1.26. Check whether your controllers and applications use any of the deprecated APIs listed in Deprecated APIs and migrate to the stable versions.

  • kube-proxy userspace mode removed--mode userspace now returns an error. Use iptables or IPVS on Linux, or kernelspace on Windows.

  • In-tree credential code removed — Azure and Google Cloud nested identity authentication code is removed from client-go and kubectl in Kubernetes versions later than 1.26. Replace with authentication plug-ins.

  • DynamicKubeletConfig feature gate removed — Update the kubelet configuration file directly and restart the kubelet instead.

  • CVE fixes in 1.26.15-aliyun.1 — CVE-2023-45288, CVE-2024-3177, and CVE-2024-24786 are fixed.

CRI requirement

Kubernetes 1.26 requires CRI v1 and no longer supports CRI v1alpha2. containerd 1.5 and earlier are incompatible. Before upgrading to Kubernetes 1.26, upgrade containerd to 1.6.0 or later.

PSP migration

PodSecurityPolicy (PSP) was deprecated in Kubernetes 1.21 and removed from Kubernetes 1.25. For background, see PodSecurityPolicy: The Historical Context.

If your clusters currently use PSP, choose one of the following migration paths before upgrading:

kubelet read-only port

By default, the read-only port 10255 is no longer open in ACK clusters that run Kubernetes 1.26 or later. The authentication port 10250 is used instead. For details, see \[Product Changes\] Open the authentication port instead of the read-only port for the kubelet in ACK clusters that run Kubernetes versions earlier than 1.26.

New features

Kubernetes 1.25

  • Ephemeral containers (GA) — Run ephemeral containers inside a pod to debug crashed or inaccessible pods without a debugging tool. See Ephemeral Containers.

  • cgroup v2 (Stable) — An improved version of cgroup v1 with better resource isolation. See About cgroup v2.

  • Windows support improvements — CI unit tests, conformance tests, and a new repository for Windows operational readiness.

  • Image registry redirect — Requests to k8s.gcr.io are redirected to registry.k8s.io. See k8s.gcr.io Redirect to registry.k8s.io.

  • NetworkPolicy EndPort field (GA) — Specify a port range in network policies using the endPort field. If your network plug-in does not support endPort, the policy applies only to the single port specified in the port field. See Network Policies.

  • Local ephemeral storage capacity isolation (GA) — Pods can be hard-limited in their consumption of local ephemeral storage (such as emptyDir volumes). Pods that exceed the limit are evicted. See Local Ephemeral Storage Capacity Isolation.

  • Ephemeral inline CSI volumes (Stable) — CSI volumes that originate from PersistentVolumes (PVs) and PersistentVolumeClaims (PVCs) cannot be specified directly in a pod spec when using ephemeral CSI volumes. See Ephemeral Inline CSI volumes.

  • KMS v2 alpha1 API — Improves key rotation performance and observability. Replaces AES-CBC with AES-GCM and uses a Data Encryption Key (DEK) to encrypt Kubernetes Secrets at rest. Encrypted data can be decrypted with both AES-GCM and AES-CBC. See Using a KMS provider for data encryption.

  • Container Object Storage Interface (COSI) (Alpha) — Standardizes the provisioning and consuming of object storage. See COSI.

  • PodHasNetwork condition (Alpha) — When PodHasNetwork in a pod's status field is true, the pod's runtime sandbox is initialized and its network is configured. Use this condition to measure pod initialization latency (excluding image pull time and application startup). Enable the PodHasNetworkCondition feature gate on the kubelet to use this feature. See How is this different from the existing Initialized condition?.

  • StatefulSet minReadySeconds (Stable) — The minReadySeconds field lets each pod wait a specified period before the next pod in a rolling update proceeds, slowing the rollout deliberately. See Minimum ready seconds.

  • DaemonSet maxSurge (Stable)maxSurge specifies the number of extra pods that can be created on a node during a DaemonSet rolling update, reducing downtime. maxSurge and hostPort cannot be used together because two active pods cannot share the same port on a node. See Perform a Rolling Update on a DaemonSet.

  • User namespace support for pods (Alpha) — Map a root user inside a pod to a non-zero ID outside the pod. The user appears as root from the container's perspective but as an unprivileged user from the host's perspective. Enable the UserNamespacesStatelessPodsSupport feature gate and ensure your container runtime supports this feature. See Kubernetes 1.25: alpha support for running Pods with user namespaces.

  • RetroactiveDefaultStorageClass — When enabled, a default StorageClass can be automatically allocated to a PVC that was created without one. Previously, the StorageClass remained nil and required deleting and recreating the PVC. This feature gate reaches Beta and is enabled by default in Kubernetes 1.26.

  • JobPodFailurePolicy (Alpha) — Configure a Job to handle pod disruptions based on exit codes and pod status, avoiding unnecessary retries and ignoring evictions. Define the podFailurePolicy field in a Job to use this feature. This feature reaches Beta in Kubernetes 1.26. See Handling retriable and non-retriable pod failures with Pod failure policy.

  • PodTopologySpread improvements — Fixed the issue where pods were not evenly spread during rolling updates. minDomains field support reaches Beta.

  • kube-proxy optimization for large clusters — In a cluster that has 1,000 endpoints, unused iptables rules are retained temporarily (up to one maximum iptables synchronization cycle) rather than being deleted immediately. In smaller clusters, unused rules are deleted immediately.

Kubernetes 1.26

  • Dynamic resource allocation API (Alpha) — Request and share resources between pods or between containers within a pod, with support for custom resource initialization parameters. Enable the DynamicResourceAllocation feature gate and the resource.k8s.io/v1alpha1 API group, then install a resource driver for the resources you want to manage. See Alpha API For Dynamic Resource Allocation.

  • Non-graceful node shutdown (Beta) — When a node shuts down ungracefully, pods on that node get stuck in the Terminating state and VolumeAttachments cannot be deleted, preventing StatefulSet pods from being rescheduled elsewhere. To trigger non-graceful node shutdown, manually add the out-of-service taint to the node. This forces pod deletion and volume detach for the terminated pods. Remove the taint manually after the node recovers. See Non-graceful node shutdown.

  • Delegate fsGroup to CSI driver — When mounting a volume to a pod, the CSI driver can apply fsGroup to change file and directory permissions instead of the kubelet. This is transparent to users. For CSI driver developers, see CSI Driver fsGroup Support.

  • Pod scheduling gates — Mark a newly created pod as not ready for scheduling by configuring spec.schedulingGates. The scheduler ignores the pod until an external controller removes the gate. This prevents large numbers of unschedulable pending pods from degrading scheduler performance. See Pod Scheduling Readiness.

  • CPU Manager (GA) — Allocates exclusive CPUs to containers as part of the kubelet. Three CPU management policies are supported. See Control CPU Management Policies on the Node.

  • Cross-namespace storage data sources (Alpha) — Specify a data source from a different namespace for a PVC. See Kubernetes v1.26: Alpha support for cross-namespace storage data sources.

  • PodDisruptionBudget unhealthy pod eviction policy (Alpha) — Set .spec.unhealthyPodEvictionPolicy=AlwaysAllow to force a PodDisruptionBudget (PDB) to always allow eviction of unhealthy pods. Enable the PDBUnhealthyPodEvictionPolicy feature gate to use this feature. See Unhealthy Pod Eviction Policy.

  • Consistent HTTP GET handlers for lifecycle hookshttpGet for container lifecycle hooks preStop and postStart now respects the scheme and headers fields, matching probe behavior. HTTPS is supported with the same configuration as probes. If HTTPS is accidentally specified, an error message is returned and the system falls back to HTTP without compatibility issues. Disable this behavior by setting --feature-gates=ConsistentHTTPGetHandlers=false on the kubelet.

  • API Priority and Fairness (APF) seat borrowing — Two fields are added to .spec.limited: lendablePercent (the percentage of seats other priority levels can borrow from the current level) and borrowingLimitPercent (the maximum seats this level can borrow from other levels).

  • Configurable HPA controller concurrency — Set --concurrent-horizontal-pod-autoscaler-syncs on kube-controller-manager to control the number of workers used by the Horizontal Pod Autoscaler (HPA) controller.

  • HPA label selector validation — When multiple HPAs target the same set of pods or Deployment, the HPAs stop taking effect and an AmbiguousSelector event is generated.

  • Multiple default StorageClasses — When multiple StorageClasses are annotated with storageclass.kubernetes.io/is-default-class, Kubernetes selects the most recently created one instead of throwing an error.

Deprecated features

Command line arguments

kube-controller-manager

Argument

Change

Replacement

deleting-pods-qps

Removed in Kubernetes 1.25

deleting-pods-burst

Removed in Kubernetes 1.25

register-retry-count

Removed in Kubernetes 1.25

experimental-cluster-signing-duration

Deprecated in Kubernetes 1.25

cluster-signing-duration

pod-eviction-timeout

Deprecated in Kubernetes 1.25; removed in Kubernetes 1.27

cluster-signing-duration

enable-taint-manager

Removed in Kubernetes 1.27

kubeadm

  • In Kubernetes 1.25, UnversionedKubeletConfigMap reaches GA. By default, kube-system/kubelet-config replaces kube-system/kubelet-config-x.yy.

  • In Kubernetes 1.25, kubeadm no longer adds the node-role.kubernetes.io/master:NoSchedule label to control plane nodes. The label is removed when you run kubeadm upgrade apply.

  • In Kubernetes 1.25, the seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io are no longer supported. Use SeccompProfile instead. See Restrict a Container's Syscalls with seccomp.

Other arguments removed in Kubernetes 1.26

  • Several logging-related klog flags are removed (previously deprecated).

  • --master-service-namespace flag on the API server is deprecated (unused).

  • The following kubectl run subcommands are deprecated and will be removed in a later version: --cascade, --filename, --force, --grace-period, --kustomize, --recursive, --timeout, and --wait.

Deprecated flags in Kubernetes 1.26

  • The --prune-whitelist flag is deprecated and replaced by --prune-allowlist to align with the Inclusive Naming Initiative. The deprecated flag will be removed in later versions.

Storage drivers

Other removals

  • kube-proxy userspace mode — The userspace mode is removed in Kubernetes 1.26. Use iptables or IPVS on Linux, or kernelspace on Windows. --mode userspace now returns an error. Windows winkernel kube-proxy no longer supports Windows HNS v1 APIs.

  • In-tree credential code — Azure and Google Cloud nested identity authentication code is removed from client-go and kubectl in Kubernetes versions later than 1.26. Replace with authentication plug-ins.

  • DynamicKubeletConfig feature gate — Removed from the kubelet in Kubernetes 1.24 and removed from the API server in Kubernetes 1.26. Update the kubelet configuration file directly and restart the kubelet. See remove DynamicKubeletConfig feature gate from the code.

  • iptables chain cleanup — In Kubernetes 1.25 and later, the kubelet uses the IPTablesCleanup feature gate to stop creating KUBE-MARK-DROP, KUBE-MARK-MASQ, and KUBE-POSTROUTING chains in the NAT table. These chains are internal to Kubernetes and are not intended as a public API. See Kubernetes's IPTables Chains Are Not API and Cleaning up IPTables Chain Ownership.

Deprecated APIs

Kubernetes 1.25 and 1.26 remove several previously deprecated beta APIs. For the complete list, see Deprecated API migration guide.

API version changes

Resource

Removed API version

Use instead

Available since

CronJob

batch/v1beta1

batch/v1

Kubernetes 1.21

EndpointSlice

discovery.k8s.io/v1beta1

discovery.k8s.io/v1

Kubernetes 1.21

Event

events.k8s.io/v1beta1

events.k8s.io/v1

Kubernetes 1.19

PodDisruptionBudget

policy/v1beta1

policy/v1

Kubernetes 1.21

PodSecurityPolicy

policy/v1beta1

Removed; migrate to Pod Security Admission

RuntimeClass

node.k8s.io/v1beta1

node.k8s.io/v1

Kubernetes 1.20

HorizontalPodAutoscaler

autoscaling/v2beta1

autoscaling/v2

Kubernetes 1.23

HorizontalPodAutoscaler

autoscaling/v2beta2

autoscaling/v2

Kubernetes 1.23

FlowSchema, PriorityLevelConfiguration

flowcontrol.apiserver.k8s.io/v1beta1

flowcontrol.apiserver.k8s.io/v1beta2 (1.23+) or v1beta3 (1.26+)

Kubernetes 1.23 / 1.26

Field-level changes

EndpointSlice (`discovery.k8s.io/v1`)

Deprecated field

Replacement

topology["kubernetes.io/hostname"]

nodeName

topology["kubernetes.io/zone"]

zone

topology

deprecatedTopology (unavailable in v1)

Important

After upgrading, check for the error failed to list *v1beta1.EndpointSlice in the CoreDNS pod logs. If present, restart or upgrade the CoreDNS component. See Why does CoreDNS use deprecated APIs?.

Event (`events.k8s.io/v1`)

Deprecated field

Replacement

Notes

firstTimestamp

eventTime

Renamed to deprecatedFirstTimestamp; not allowed in v1 events

lastTimestamp

series.lastObservedTime

Renamed to deprecatedLastTimestamp; not allowed in v1 events

count

series.count

Renamed to deprecatedCount; not allowed in v1 events

source.component

reportingController

Renamed to deprecatedSource.component; not allowed in v1 events

source.host

reportingInstance

Renamed to deprecatedSource.host; not allowed in v1 events

Additional requirements for events.k8s.io/v1 events:

  • type can only be set to Normal or Warning.

  • action, reason, reportingController, and reportingInstance are required fields.

PodDisruptionBudget (`policy/v1`)

spec.selector behavior differs between API versions:

API version

spec.selector: {} (empty)

spec.selector not set

policy/v1

Selects all pods in the namespace

No pods selected

policy/v1beta1

No pods selected

No pods selected

Feature gates

Feature gates have three lifecycle phases:

  • Alpha — Disabled by default. Enable manually with --feature-gates=<FeatureGate>=true.

  • Beta — Enabled by default. Disable manually with --feature-gates=<FeatureGate>=false.

  • GA — Enabled by default. Cannot be disabled. The feature gate flag is removed in a later version.

For the full list, see Feature Gates.

Reaching GA in Kubernetes 1.25

Feature gate

Description

StatefulSetMinReadySeconds

Supports the minReadySeconds field for StatefulSets.

CronJobTimeZone

Supports the timeZone field for CronJobs.

DaemonSetUpdateSurge

Supports the maxSurge field for DaemonSet rolling updates.

IdentifyPodOS

Supports the spec.podOS field.

CSIInlineVolume

Supports ephemeral inline CSI volumes.

EphemeralContainers

Supports ephemeral containers.

CSIMigration

Enables CSI migration for in-tree storage plug-ins.

Reaching Beta in Kubernetes 1.25

Feature gate

Description

SeccompDefault

Enables SeccompDefault. See Restrict a Container's Syscalls with seccomp.

CustomResourceValidationExpressions

Enables Common Expression Language (CEL) validation for CustomResourceDefinitions (CRDs). Enabled by default. See Validation rules.

ServerSideFieldValidation

Enables API server-side validation of unknown fields. Enabled by default. See Field validation.

CSIMigrationPortworx

Enables CSI migration for Portworx.

ProbeTerminationGracePeriod

Default value changes to true. See Probe-level terminationGracePeriodSeconds.

Added in Alpha in Kubernetes 1.25

Feature gate

Description

ContainerCheckpoint

Enables the Kubelet Checkpoint API.

PodHasNetworkCondition

Enables the kubelet to add the PodHasNetwork condition to pods.

UserNamespacesStatelessPodsSupport

Enables user namespaces for stateless pods.

JobPodFailurePolicy

Allows Jobs to handle pod failures based on exit codes and pod status. Reaches Beta in Kubernetes 1.26.

MultiCIDRRangeAllocator

Allows NodeIPAM to support multiple ClusterCIDRs. Set --cidr-allocator-type=MultiCIDRRangeAllocator on kube-controller-manager.

CSINodeExpandSecret

Allows passing identity authentication data stored in Secrets to the CSI driver when you add nodes.

Reaching GA in Kubernetes 1.26

Feature gate

Description

JobTrackingWithFinalizers

Tracks Job progress by tracking pods rather than counting remaining pods. See Job tracking with finalizers.

ServiceInternalTrafficPolicy

Enables the internalTrafficPolicy field for Services. See Service Internal Traffic Policy.

MixedProtocolLBService

Allows different protocols on the same LoadBalancer Service.

EndpointSliceTerminatingCondition

Supports the Terminating and Serving condition fields for EndpointSlices.

DelegateFSGroupToCSIDriver

Allows the CSI driver to apply fsGroup instead of the kubelet.

ServiceIPStaticSubrange

Enables the Service ClusterIP allocation policy to subdivide the ClusterIP range.

CPUManager

Allocates exclusive CPUs to containers. See Control CPU Management Policies on the Node.

DevicePlugins

Enables Device Plugins support.

WindowsHostProcessContainers

Supports Windows HostProcess containers.

LegacyServiceAccountTokenNoAutoGeneration

Disables auto-generation of ServiceAccount tokens based on Secrets.

Reaching Beta in Kubernetes 1.26

Feature gate

Description

APIServerIdentity

Creates a lease for each active API server in kube-system.

NodeOutOfServiceVolumeDetach

After adding the node.kubernetes.io/out-of-service taint, forcefully deletes pods that do not tolerate the taint and performs volume detach for terminated pods. Enabled by default.

ExpandedDNSConfig

Allows more DNS search paths and a longer DNS search path list. Requires container runtime support.

ProxyTerminatingEndpoints

Allows kube-proxy to handle terminating endpoints when ExternalTrafficPolicy=Local. Enabled by default.

PodDisruptionConditions

Adds the DisruptionTarget condition to a pod being deleted due to a disruption, with the reason exposed in the reason field. Enabled by default. See Pod disruption conditions.

JobPodFailurePolicy

Reaches Beta. See Handling retriable and non-retriable pod failures with Pod failure policy.

RetroactiveDefaultStorageClass

Automatically allocates a default StorageClass to existing PVCs that have none. Enabled by default.

Added in Alpha in Kubernetes 1.26

Feature gate

Description

PDBUnhealthyPodEvictionPolicy

Configures the unhealthy pod eviction policy for a PodDisruptionBudget.

DynamicResourceAllocation

Enables the dynamic resource allocation API for managing resources with custom parameters.

StatefulSetStartOrdinal

Configures StatefulSet start ordinals.

ValidatingAdmissionPolicy

Uses CEL expressions to implement extensible admission controllers.

ComponentSLIs

Enables the /metrics/slis endpoint on kubelet, kube-scheduler, kube-proxy, kube-controller-manager, and cloud-controller-manager to expose health check metrics.

LegacyServiceAccountTokenTracking

Adds the kubernetes.io/legacy-token-last-used label to Secret-based ServiceAccount tokens to track expiration. Disabled by default.

ACK security enhancements

ACK has restricted access permissions on the following Kubernetes configuration files for clusters that run Kubernetes 1.26 and later.

File path

Permission

/etc/kubernetes/admin.conf

600

/etc/kubernetes/kube.conf

600

/etc/kubernetes/controller-manager.conf

600

/etc/kubernetes/kubelet.conf

600

/etc/kubernetes/scheduler.conf

600

/etc/kubernetes/manifests/*.yaml

600

/etc/kubernetes/pki/*.key

600

/etc/kubernetes/pki/*.crt

600

/etc/kubernetes/pki/dashboard/*.crt

600

/etc/kubernetes/pki/etcd/*.pem

600

/var/lib/etcd/cert/*.pem

600

/var/lib/etcd/cert/*.csr

600

/var/lib/kubelet/pki/*.crt

600

/var/lib/kubelet/config.yaml

600

/usr/lib/systemd/system/etcd.service

600

/etc/systemd/system/kubelet.service

600

/etc/systemd/system/kubelet.service.d/10-kubeadm.conf

600

References