Kubernetes 1.30 release notes

更新时间:
复制 MD 格式

Alibaba CloudContainer Compute Service (ACS) is a fully conformant Kubernetes offering. This document describes the key changes in Kubernetes 1.30, including upgrade considerations, major changes, new features, deprecated features and APIs, and feature gates.

Component versions

The following table lists the supported versions of the key components in an Alibaba Cloud Container Compute Service (ACS) cluster.

Key component

Version

Kubernetes

1.30.1-aliyunacs.1

etcd

v3.5.9

containerd

1.6.28

CoreDNS

v1.9.3.10-7dfca203-aliyun

CSI

v1.30.1-98960d8-aliyun

CNI

Flannel v0.15.1.22-20a397e6-aliyun

Terway and TerwayControlplane v1.9.0 or later

Note

Starting from v1.30, NetworkPolicy in new clusters is implemented by eBPF. Upgrading the cluster or its components does not change existing behavior. For more information, see Use network policies in ACS clusters.

New features

In Kubernetes 1.29

  • The PreStop hook introduces a sleep mode, which pauses a container for a specified time before termination. This pause provides time for pending operations or network requests to complete. For more information, see KEP-3960: Introducing Sleep Action for PreStop Hook.

  • SidecarContainers is now in Beta and is enabled by default. This feature allows you to set the restartPolicy of an init container to Always, turning it into a sidecar container that can be started, stopped, or restarted independently without affecting the main application container or other init containers. For more information, see Sidecar Containers.

  • The new ServiceCIDR resource type allows dynamic configuration of the Service ClusterIP range. This feature is in Alpha and disabled by default. For more information on dynamically expanding the number of available IPs for Services, see KEP-1880: Multiple Service CIDRs.

  • PVCs (Persistent Volume Claims) and Containers originally used the same ResourceRequirements struct to define resource requests and limits. This caused the PVC API to change whenever the Container resources struct was modified, for example, by adding the claims field. Therefore, PVCs were switched to a separate VolumeResourceRequirements struct that contains only requests and limits, and excludes the claims field. For more information, see Volume resource requirements.

  • The PodReadyToStartContainers feature is in Beta and enabled by default. This feature indicates that a pod's sandbox is created and its network is configured. This means the container runtime is ready and helps the kubelet determine the pod's status. For more information, see Pod conditions.

  • PodAffinity and PodAntiAffinity now support matchLabelKeys and mismatchLabelKeys to resolve an issue where the scheduler cannot distinguish between old and new pods during a rolling update of a Deployment, which can lead to scheduling results that do not meet affinity and anti-affinity expectations. When you configure matchLabelKeys for PodAffinity, the Deployment adds a pod-template-hash label to the ReplicaSet. This gives each pod of the Deployment a corresponding hash string, which tells the scheduler to evaluate only pods with the same pod-template-hash value, making it easy to distinguish pods from the same update batch. For more information, see KEP-3633.

  • In addition to core Kubernetes API resources, type checking for ValidatingAdmissionPolicy now supports CRDs and API extensions. This helps ensure policy reliability and cluster configuration correctness. For more information, see type-checking.

  • The new UserNamespacesPodSecurityStandards feature gate integrates user namespaces with Pod Security Standards. When enabled, it allows containers to run as a non-root user or a specified user ID within the pod's security context. This feature gate is in Alpha and disabled by default, and it may remain disabled in future releases. For more information, see KEP-127: Update PSS based on feature gate.

  • For node objects, the new DisableNodeKubeProxyVersion feature gate deprecates the status.nodeInfo.kubeProxyVersion field. This means that setting the kubeProxyVersion field for nodes is disabled in Kubernetes. The kubelet cannot always accurately identify the version of kube-proxy, so this field is not always accurate. This feature gate is currently in the Alpha stage and is disabled (false) by default.

  • The JobBackoffLimitPerIndex feature gate is promoted to Beta and is enabled by default. This feature lets you specify the maximum number of retries for each index in an indexed job. For more information about indexed jobs, see Use Indexed Job for Parallel Processing with Static Work Assignment.

In Kubernetes 1.30

  • The ImageMaximumGCAge feature gate allows kubelet to configure the maximum age of an unused image before it is garbage collected. If an image remains unused for longer than this specified age, the garbage collection mechanism can clean it up. The default value is "0s", which means no time limit is set. This feature gate entered Alpha in v1.29 and was promoted to Beta in v1.30.

  • Kubelet adds the new monitoring metric image_pull_duration_seconds to track the image pull duration. For more information, see List of Alpha Kubernetes Metrics.

  • The LegacyServiceAccountTokenCleanUp feature gate is promoted to GA and is enabled by default. If an auto-generated Secret associated with a ServiceAccount has not been used for a specific period (one year by default) and is not mounted by any Pod, the kube-controller-manager adds the kubernetes.io/legacy-token-invalid-since label to the Secret with the current date as its value, marking the Secret as invalid. If a Secret remains unused for a specific period (one year by default) after it is marked as invalid, it will be automatically cleaned up by the kube-controller-manager. For Secrets that are marked as invalid but have not yet been automatically removed, you can remove the kubernetes.io/legacy-token-invalid-since label to make them valid again. For more information, see Auto-generated legacy ServiceAccount token clean up and Legacy ServiceAccount token cleaner.

  • In v1.30, if the --nodeport-addresses flag for kube-proxy is not set (which is the default), updates to a NodePort Service will only affect the node's primary IP address, not all of its IP addresses. For more information, see #122724.

  • To prevent configuration conflicts and security issues, the OIDC Issuer URL must not be the same as the API server ServiceAccount Issuer URL. For more information, see #123561.

  • The LoadBalancerIPMode feature gate adds the .status.loadBalancer.ingress.ipMode field to Services of type LoadBalancer. This field specifies the forwarding behavior of the load balancer IP. You can specify this field only when the .status.loadBalancer.ingress.ip field is also specified. The LoadBalancerIPMode feature gate is now in Beta. For more information, see Specifying IPMode of load balancer status and Load Balancer IP Mode for Services.

  • Horizontal Pod Autoscaling (HPA) based on ContainerResource metrics was promoted to Stable in v1.30. This feature allows HPA to scale based on the resource usage of individual containers in a pod, rather than just the pod's overall resource usage. This makes it easier to configure scaling thresholds for the most important containers in a pod. For more information, see Container resource metrics.

  • The AdmissionWebhookMatchConditions feature gate has graduated to General Availability (GA). It is enabled by default and cannot be disabled. This feature gate allows admission webhooks to be matched based on specific conditions, providing more fine-grained control over their trigger conditions. For more information, see Dynamic Admission Control.

  • A JobSuccessPolicy feature gate is added, which allows you to declare that a Job is successfully completed based on a set of successful pods. In the success policy, you can specify that the Job is complete based on certain indexes (for example, the indexes of pods x, y, and z) or a number of successful pods from a set of indexes (for example, three pods). This feature gate is in the Alpha stage. For more information, see Job success/completion policy.

  • Added the RelaxedEnvironmentVariableValidation feature gate to allow the use of most printable ASCII characters in environment variables (all characters from 32 to 126, except for =). This feature gate is in the Alpha stage and is disabled by default. For more information, see #123385.

  • The CustomResourceFieldSelectors feature gate is added. You can use this feature gate to configure selectableFields for CRDs. This allows you to use Field Selectors to filter List, Watch, and DeleteCollection requests, which makes it easier to locate or manage CRD resources that meet specific criteria. This feature gate is in the Alpha stage and is disabled by default. For more information, see Custom Resource Field Selectors.

  • The CRDValidationRatcheting feature gate introduces an update. When new validation is added to a CRD, existing resources may become invalid. However, the API Server will not block updates to these resources as long as the parts that fail validation are not modified. This change prevents disruptions to existing resources and users. This helps with validation when migrating CRDs to use OpenAPI v3 schemas and allows you to safely update validation rules. This feature gate is in Beta and is enabled by default. For more information, see CRD Validation ratcheting.

  • The Downward API uses the status.hostIPs field to support dual stack, which supports both IPv4 and IPv6. The first IP address in the status.hostIPs list is always the same as status.hostIP. For more information, see Downward API.

  • The NodeLogQuery feature gate allows you to query logs of node services by using the /logs endpoint. This feature gate is promoted to Beta and is disabled by default. For more information, see Log Query.

Deprecated features

In Kubernetes 1.29

  • CronJob no longer supports setting CRON_TZ or TZ in .spec.schedule. Use the .spec.timeZone field instead. This field has been available since v1.25. For more information, see CronJob limitations.

  • The controversial networking/v1alpha1 API ClusterCIDR has been removed. It was in the Alpha stage. For more information, see ClusterCIDR v1alpha1.

In Kubernetes 1.30

  • The --prune-whitelist parameter has been removed from the kubectl apply command. Use --prune-allowlist instead. For more information, see --prune.

  • The SecurityContextDeny admission plug-in was deprecated in v1.27 and removed from the code in v1.30. Use the PodSecurity admission plug-in instead. The PodSecurity admission plug-in became Stable in v1.25 and is enabled by default. For more information, see PodSecurity.

Deprecated APIs

The flowcontrol.apiserver.k8s.io/v1beta2 API version of FlowSchema and PriorityLevelConfiguration was deprecated in v1.29. Migrate to the flowcontrol.apiserver.k8s.io/v1 API version (available since v1.29) or the flowcontrol.apiserver.k8s.io/v1beta3 API version (available since v1.26).

  • Notable changes in flowcontrol.apiserver.k8s.io/v1 include:

    The spec.limited.assuredConcurrencyShares field of PriorityLevelConfiguration has been renamed to spec.limited.nominalConcurrencyShares, which defaults to 30 only when unspecified, and an explicit value of 0 is not changed to 30.

  • Notable changes in flowcontrol.apiserver.k8s.io/v1beta3 include:

    PriorityLevelConfiguration's spec.limited.assuredConcurrencyShares field has been renamed to spec.limited.nominalConcurrencyShares.

Feature gates

For more information about Kubernetes feature gates, including version support and descriptions, see Feature Gates.

Feature gates typically have three stages:

  • Alpha: Disabled by default.

  • Beta: Usually enabled by default.

  • GA: The feature is always enabled and can no longer be disabled. The feature gate toggle is removed.

References

For the complete changelogs for Kubernetes 1.29 and 1.30, see CHANGELOG-1.29 and CHANGELOG-1.30.