ACK is certified Kubernetes conformant. This release-note topic summarizes the patches, features, deprecated APIs, and feature gate changes for ACK on Kubernetes 1.27 and 1.28.
Upstream changelogs: CHANGELOG-1.27, CHANGELOG-1.28.
Before upgrading to Kubernetes 1.28, review these breaking changes:
- CephFS in-tree volume plugin removed: The in-tree CephFS volume plug-in is removed in 1.28. Clusters using the in-tree driver break after the upgrade. Migrate to the CephFS CSI driver before upgrading and evaluate compatibility, stability, or performance risks.
- Ceph RBD CSI migration no longer possible: Migration of Ceph RBD volumes (`kubernetes.io/rbd`) to the out-of-tree CSI driver is no longer possible in Kubernetes 1.28 and will be fully removed in a future release. Complete the migration before removal.
- IPv6DualStack feature gate removed: The `IPv6DualStack` feature gate was removed in Kubernetes 1.27. If you manually set this in your cluster configuration, remove it before upgrading.
- kubelet endpoint flags moved to config file: The `--container-runtime-endpoint` and `--image-service-endpoint` flags can no longer be passed as kubelet command-line arguments. Move these settings to the kubelet configuration file before upgrading.
Component versions
Core component versions for ACK clusters on Kubernetes 1.28.
| Core component | Version |
|---|---|
| Kubernetes | 1.28.15-aliyun.1, 1.28.9-aliyun.1, and 1.28.3-aliyun.1 |
| etcd | v3.5.9 |
| CoreDNS | v1.9.3.10-7dfca203-aliyun |
| CRI | containerd 1.6.20 |
| CSI | Upgrade to the latest supported version. Changelogs: csi-plugin, csi-provisioner. |
| CNI | Flannel v0.15.1.22-20a397e6-aliyun |
| CNI (Terway) | Terway and TerwayControlplane v1.5.0 and later |
| NVIDIA Container Runtime | v3.13.0 |
| Ingress Controller | v1.8.0-aliyun.1 |
Security patches
| Version | CVEs fixed |
|---|---|
| 1.28.15-aliyun.1 | CVE-2024-10220 |
| 1.28.9-aliyun.1 | CVE-2023-45288, CVE-2024-3177, CVE-2024-24786 |
What's new
Kubernetes 1.28
Non-graceful node shutdown (GA)
When a node shuts down unexpectedly—for example, due to a power failure—Kubernetes can automatically reschedule StatefulSet pods with the same name on another node, preventing service interruptions. Now GA.
Retroactive default StorageClass assignment (GA)
Previously, a PVC without storageClassName remained Pending indefinitely if no default StorageClass existed. Kubernetes now assigns a later-created default StorageClass to unbound PVCs without storageClassName. Now GA.
Scheduler performance
The scheduler's retry logic reduces invalid scheduling attempts, improving performance. If your cluster uses a custom scheduler plugin, update it for the new scheduling framework. See Scheduling framework changes.
Job failure handling
Two new Alpha feature gates improve how failed Jobs are handled:
- `JobPodReplacementPolicy`: A replacement pod is created only when the original reaches the `Failed` phase (`status.phase: Failed`), not when it has a `deletionTimestamp`. This prevents two pods from simultaneously occupying the same index and consuming node resources.
- `JobBackoffLimitPerIndex`: Set `.spec.backoffLimitPerIndex` on an Indexed Job to cap the number of retries per index, rather than counting all failures toward a single shared `.spec.backoffLimit`. A persistently failing index no longer causes the entire Job to fail.
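An Indexed Job that uses both gates, added here as an illustration and not taken from the release notes; the Job name, image and the "index 0 always fails" logic are constructed, and both Alpha gates must be enabled on the control plane (they are off by default) for the API server to accept the fields.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: indexed-retry-demo        # constructed name
spec:
  completionMode: Indexed
  completions: 4
  parallelism: 4
  # JobBackoffLimitPerIndex (Alpha in 1.28): each index gets its own retry budget.
  # Do not set .spec.backoffLimit alongside it; the per-index limit replaces the shared one.
  backoffLimitPerIndex: 2
  # Optional: mark the whole Job failed once this many indexes have exhausted their budget.
  maxFailedIndexes: 1
  # JobPodReplacementPolicy (Alpha in 1.28): create a replacement only once the pod is in
  # status.phase Failed, not as soon as it carries a deletionTimestamp.
  podReplacementPolicy: Failed
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: worker
        image: busybox:1.36     # constructed; any image with sh works
        # Constructed failure: index 0 exits non-zero on every attempt, so only that index
        # is retried (twice) and then recorded as failed; indexes 1-3 complete normally.
        command:
        - sh
        - -c
        - 'if [ "$JOB_COMPLETION_INDEX" = "0" ]; then exit 1; fi; echo "index $JOB_COMPLETION_INDEX done"'
```

With the older shared `backoffLimit`, the three failures of index 0 would have counted against the entire Job and could have failed indexes 1-3 as well.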
Large Indexed Job warning
If a Job has `completions` above 100,000 and `parallelism` above 10,000 with many pod failures, Kubernetes displays a warning—termination status may not track reliably at that scale.
CRD validation improvements
`reason` and `fieldPath` fields are added to CRD validation rules. When a CEL expression fails, the API server returns the reason code and failing field path. See CRD Validation Expression Language.
Webhook matching with CEL expressions
Webhook matchConditions now support CEL expressions (up to 64 per webhook), giving fine-grained control over which requests trigger a webhook without a full admission controller. See Matching requests: matchConditions.
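A `ValidatingWebhookConfiguration` using `matchConditions`, added here as an example rather than taken from the release notes: the webhook is only invoked for pod writes that do not come from kubelets and do not target system namespaces, so those requests never leave the API server. The webhook name, service, and CA bundle are placeholders.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-policy-webhook            # placeholder name
webhooks:
- name: pod-policy.example.com         # placeholder
  admissionReviewVersions: ["v1"]
  sideEffects: None
  # If a matchCondition itself errors (bad expression, CEL budget exceeded), failurePolicy
  # decides the outcome: Fail rejects the request, Ignore skips the webhook.
  failurePolicy: Fail
  clientConfig:
    service:
      namespace: webhook-system        # placeholder
      name: pod-policy                 # placeholder
      path: /validate
    caBundle: "<BASE64_CA_BUNDLE_PLACEHOLDER>"
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["pods"]
  # matchConditions (Beta in 1.28, enabled by default): all expressions must evaluate to
  # true for the request to be sent to the webhook. Up to 64 per webhook.
  matchConditions:
  - name: exclude-kubelet-requests
    # kubelets write pod status constantly; their requests carry the system:nodes group
    expression: '!("system:nodes" in request.userInfo.groups)'
  - name: exclude-system-namespaces
    expression: '!(request.namespace in ["kube-system", "kube-public", "kube-node-lease"])'
```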
ValidatingAdmissionPolicy (Beta)
ValidatingAdmissionPolicy provides a declarative, in-cluster alternative to validating admission webhooks. Write CEL expressions directly in the policy object; the API server evaluates them on every matching request—no webhook infrastructure needed. See ValidatingAdmissionPolicy.
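A policy and binding pair, added here as an example and not part of the release notes, that rejects Deployments, StatefulSets, and DaemonSets whose pod template allows root or privileged containers in namespaces carrying an opt-in label. The label key and object names are constructed; in 1.28 the `admissionregistration.k8s.io/v1beta1` API must be enabled via `--runtime-config` on the API server.

```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-non-root-containers   # constructed name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["apps"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["deployments", "statefulsets", "daemonsets"]
  validations:
  # `object` is the incoming resource. Every expression must return true for admission.
  # Accept runAsNonRoot at the pod level OR set explicitly on every container.
  - expression: >-
      (has(object.spec.template.spec.securityContext) &&
       has(object.spec.template.spec.securityContext.runAsNonRoot) &&
       object.spec.template.spec.securityContext.runAsNonRoot) ||
      object.spec.template.spec.containers.all(c,
        has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot)
    message: "pod template must set runAsNonRoot: true at pod level or on every container"
    reason: Forbidden
  # Reject any container that requests privileged mode.
  - expression: >-
      !object.spec.template.spec.containers.exists(c,
        has(c.securityContext) && has(c.securityContext.privileged) && c.securityContext.privileged)
    message: "privileged containers are not allowed"
    reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-non-root-containers-binding   # constructed name
spec:
  policyName: require-non-root-containers
  # Deny rejects the request; Audit additionally records the violation in the audit log.
  validationActions: [Deny, Audit]
  matchResources:
    namespaceSelector:
      matchLabels:
        policy.example.com/enforce: "true"    # constructed opt-in label
```

Switching `validationActions` to `[Warn, Audit]` lets you dry-run the policy against live traffic before enforcing it.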
PVC resize status field replaced
The .status.resizeStatus field on PVCs is replaced by .status.allocatedResourceStatus, a map that tracks the resize state of each resource independently. Update any tooling that reads .status.resizeStatus. See PersistentVolumeClaimStatus.
Pod index labels for Indexed Jobs and StatefulSets
Pods from Indexed Jobs and StatefulSets now include their ordinal index as a label, simplifying pod selection by position.
Kube Controller Manager concurrency flags
Two new flags control controller concurrency:
- `--concurrent-cron-job-syncs`: Sets the number of concurrent CronJob reconciliation workers.
- `--concurrent-job-syncs`: Sets the number of concurrent Job reconciliation workers.
See --concurrent-cron-job-syncs and --concurrent-job-syncs.
API server optimizations
- Reduced GetList memory: Cache-served list requests use less memory. See GetList test data.
- Endpoint cleanup fix: Fixed a bug where a Kubernetes Service endpoint was not removed when only one API server replica remained during graceful shutdown.
- OpenAPI v2 lazy aggregation: The OpenAPI v2 controller now aggregates CRD information only on request, reducing CPU and memory overhead when no client polls the endpoint. This improves install time for large numbers of CRDs but may slow the first request. Migrate clients to OpenAPI v3.
- ConsistentListFromCache (Alpha): The `ConsistentListFromCache` feature gate lets the API server serve LIST requests from the watch cache with consistency guarantees, reducing etcd load.
- Additional monitoring metrics: More metrics are available through the metrics endpoint.
Kubernetes 1.27
Pod termination status corrected
- Pods deleted while `Pending` are now set to `Failed`.
- Pods deleted while `Running` are set to `Succeeded` or `Failed` based on container exit code.
This fixes a bug where pods with a failure policy could stay stuck in Pending. If a pod has RestartPolicy=Always, it may show Succeeded after deletion—review your controllers if this matters. See Set the termination status for pods that do not require a restart.
ReadWriteOncePod for PersistentVolumes (Beta)
ReadWriteOncePod limits a volume to a single pod—more restrictive than ReadWriteOnce, which allows multiple pods on the same node. See Single Pod Access Mode for PersistentVolumes graduates to Beta.
Pod topology spread constraints (Beta)
Several topology spread constraint options are now Beta and enabled by default: minDomains (minimum eligible domains), nodeTaintsPolicy (count tainted nodes), nodeAffinityPolicy (count affinity-excluded nodes), and whenUnsatisfiable (behavior when constraints cannot be met). See More fine-grained pod topology spread policies.
Server-side field validation (GA)
The API server now validates resource fields server-side. kubectl automatically uses Strict mode and skips client-side validation, returning an error if the server rejects a field. See Server-side field validation and OpenAPI v3 move to GA.
OpenAPI v3 (GA)
OpenAPI v3, introduced in Kubernetes 1.23, is now GA. See Server Side Field Validation and OpenAPI V3 move to GA.
HPA ContainerResource metric type (Beta)
HPA now supports the ContainerResource metric type, scaling based on individual container resource usage rather than pod average. This fixes a common issue where a low-usage sidecar pulls the average below the threshold, preventing scale-out even when the application container is resource-constrained. See Container resource metrics.
StatefulSet enhancements (Beta)
Two StatefulSet features reach Beta:
- `StatefulSetStartOrdinal`: Start pod ordinals at a number other than zero using the `ordinals.start` field.
- `StatefulSetAutoDeletePVC`: Control whether StatefulSets delete PVCs created from `volumeClaimTemplate` when pods are deleted or the StatefulSet is scaled in.
In-place pod vertical scaling (Alpha)
InPlacePodVerticalScaling (Alpha, disabled by default) lets you change CPU and memory requests and limits for a running container without restarting the pod. See Resize CPU and memory resources assigned to containers.
Parallel image pulls
Set serializeImagePulls: false in the kubelet configuration to pull images in parallel. Use maxParallelImagePulls (added in 1.27) to cap concurrent pulls and avoid saturating network bandwidth or disk I/O. See Serial and parallel image pulls.
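A kubelet configuration fragment, added here as an example and not taken from the release notes, that covers both kubelet changes on this page: the CRI endpoints that can no longer be passed as flags in 1.27+, and the parallel image pull settings. The containerd socket path is an assumption matching the containerd CRI listed above; adjust it to your node image.

```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# Replaces the removed --container-runtime-endpoint and --image-service-endpoint flags.
# Assumed default containerd socket; verify the path on your nodes.
containerRuntimeEndpoint: unix:///run/containerd/containerd.sock
imageServiceEndpoint: unix:///run/containerd/containerd.sock
# Parallel image pulls (1.27+). maxParallelImagePulls is only valid when
# serializeImagePulls is false; kubelet refuses to start otherwise.
serializeImagePulls: false
maxParallelImagePulls: 5
```

Confirm the kubelet systemd unit or drop-in no longer passes the two endpoint flags, otherwise kubelet fails to start after the upgrade.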
Volume group snapshots (Alpha)
A volume group snapshot API lets you create crash-consistent snapshots of multiple PersistentVolumes at once. See Introducing an API for volume group snapshots.
Deprecated features and APIs
Kubernetes 1.28
| Deprecated feature | Impact | Action required |
|---|---|---|
| In-tree CephFS volume plugin | Code removed in 1.28. Workloads using the in-tree driver will break. | Migrate to the CephFS CSI driver before upgrading. |
| Ceph RBD CSI migration | Ceph RBD volume migration to the out-of-tree CSI driver is no longer possible in 1.28 and will be fully removed in a future release. | Complete the migration before the removal. |
| RBD volume plugin (kubernetes.io/rbd) | Deprecated; will be removed in a future release. | Switch to the CephFS CSI driver. |
| Key Management Service (KMS) v1 | Deprecated. | Use KMSv2. To continue using KMSv1 temporarily, set --feature-gates=KMSv1=true. See Mark KMS v1beta1 as deprecated. |
| KCM flags --volume-host-cidr-denylist and --volume-host-allow-local-loopback | Deprecated; will be removed in a future release. | Remove these flags from your Kube Controller Manager configuration. |
| kubelet flag --azure-container-registry-config | Deprecated; will be removed in a future release. | Use image-credential-provider-config and --image-credential-provider-bin-dir instead. |
| Windows node pools | Creating Windows node pools is no longer supported. | Use Alibaba Cloud Linux 3 or ContainerOS 3.1 node pools. See Create and manage a node pool. |
Kubernetes 1.27
| Deprecated feature | Impact | Action required |
|---|---|---|
| In-tree AWS EBS storage plugin | Replaced by the out-of-tree CSI plugin. | See cloud-provider-aws. |
| Node spec.externalID field | Deprecated; clients that update this field receive a warning. | Stop updating spec.externalID. |
| Alpha seccomp annotations (seccomp.security.alpha.kubernetes.io/pod, container.seccomp.security.alpha.kubernetes.io) | Removed in v1.27. Workloads relying on these annotations silently lose seccomp settings. | Use the securityContext.seccompProfile field instead. |
| KCM flags --pod-eviction-timeout and --enable-taint-manager | Removed in 1.27. | Remove these flags from your Kube Controller Manager configuration. |
| kubelet flag --container-runtime | Removed in 1.27 (deprecated since 1.24). | No action needed; the default remote value is preserved. |
| kubelet flags --container-runtime-endpoint and --image-service-endpoint (as CLI flags) | These can no longer be set as command-line flags. | Move them to the kubelet configuration file. |
| SecurityContextDeny admission controller | Deprecated; will be removed in a future release. | Migrate to Pod Security Admission or a validating webhook. |
Deprecated APIs
The storage.k8s.io/v1beta1 CSIStorageCapacity API was deprecated in 1.24 and removed in 1.27. Use storage.k8s.io/v1 (available since 1.24). See Storage Capacity Constraints for Pod Scheduling KEP.
Feature gate changes
Feature gates define the maturity of a Kubernetes feature:
- Alpha: Disabled by default. Experimental and subject to change.
- Beta: Enabled by default. Stable enough for most clusters.
- GA (Generally Available): Always enabled. The feature gate is removed.
Promoted to GA
These feature gates reached GA and are permanently enabled. The gates are removed.
In Kubernetes 1.28:
| Feature gate | What it does |
|---|---|
| NodeOutOfServiceVolumeDetach | When node.kubernetes.io/out-of-service is added to a node, non-tolerating pods are forcefully deleted and their volumes immediately detached, enabling fast recovery on other nodes. |
| IPTablesOwnershipCleanup | Kubernetes no longer creates the KUBE-MARK-DROP and KUBE-MARK-MASQ iptables chains. |
| ProbeTerminationGracePeriod | Enables probe-level terminationGracePeriodSeconds to override the pod-level grace period for liveness and startup probes. |
| DelegateFSGroupToCSIDriver, DevicePlugins, KubeletCredentialProviders, MixedProtocolLBService, ServiceInternalTrafficPolicy, ServiceIPStaticSubrange, EndpointSliceTerminatingCondition | Various stable features now always enabled. Feature gates removed. |
In Kubernetes 1.27:
| Feature gate | What it does |
|---|---|
| ExpandCSIVolumes, ExpandInUsePersistentVolumes, ExpandPersistentVolumes | Volume expansion for CSI volumes, in-use PVs, and PVs generally. All three are now always enabled. |
| CSIInlineVolume | Inline CSI volumes in pod specs. GA since 1.25, removed in 1.27. |
| EphemeralContainers | Ephemeral debug containers. GA since 1.25, feature gate removed. |
| LocalStorageCapacityIsolation | Hard limits on emptyDir usage per pod; kubelet evicts pods that exceed the limit. GA since 1.25, removed in 1.27. |
| NetworkPolicyEndPort | endPort field in NetworkPolicy rules to specify port ranges. GA since 1.25, removed in 1.27. |
| StatefulSetMinReadySeconds | minReadySeconds field on StatefulSets. GA since 1.25, removed in 1.27. |
| DaemonSetUpdateSurge | maxSurge field on DaemonSet rolling updates. GA since 1.25, removed. |
| IdentifyPodOS | os field on pods to specify the operating system. GA since 1.25, removed. |
| CSIMigration | In-tree to out-of-tree CSI migration reached GA in v1.25. The feature gate is always enabled and removed. |
Promoted to Beta (enabled by default)
In Kubernetes 1.28:
| Feature gate | What it does |
|---|---|
| AdmissionWebhookMatchCondition | CEL expressions in webhook matchConditions. Up to 64 conditions per webhook. |
In Kubernetes 1.27:
| Feature gate | What it does |
|---|---|
| StatefulSetStartOrdinal | Start StatefulSet pod ordinals from a non-zero number. |
| StatefulSetAutoDeletePVC | Control automatic PVC deletion when StatefulSet pods are removed. |
| ReadWriteOncePod | ReadWriteOncePod access mode for PersistentVolumes. |
New in Alpha (disabled by default)
In Kubernetes 1.28:
| Feature gate | What it does |
|---|---|
| UnknownVersionInteroperabilityProxy | Routes requests to the correct API server when multiple API server versions coexist in the cluster. See Mixed version proxy. |
| ConsistentListFromCache | Lets the API server use the watch cache to serve LIST requests with consistency guarantees. |
In Kubernetes 1.27:
| Feature gate | What it does |
|---|---|
| NodeLogQuery | Query node logs with kubectl after setting enableSystemLogHandler: true and enableSystemLogQuery: true in the kubelet configuration. |
| ServiceNodePortStaticSubrange | Divides the NodePort range into two bands. Dynamic allocation uses the upper band; the lower band is reserved for static assignments, reducing port conflicts. See Avoid collisions assigning ports to NodePort Services. |
| InPlacePodVerticalScaling | Resize container CPU and memory without restarting the pod. |
Removed (no longer needed to configure)
In Kubernetes 1.27:
The IPv6DualStack feature gate was removed after reaching GA in v1.23. If you manually set this in your cluster configuration, remove it before upgrading.