Kubernetes 1.32 release notes

更新时间:
复制 MD 格式

Alibaba Cloud Container Compute Service (ACS) is fully compliant with the community conformance tests. This document covers the key changes in Kubernetes 1.32, including upgrade notices, new features, deprecated APIs, and feature gates.

Component versions

The following table lists the supported versions of core components in ACS clusters.

Core component

Version

Kubernetes

1.32.7-aliyun.1

etcd

v3.5.15

containerd

1.6.36

CoreDNS

v1.11.3.2-f57ea7ed6-aliyun

CSI

Upgraded to the latest supported version. For more information, see the component csi-provisioner changelog.

Changes

  • Starting from v1.32, kube-apiserver no longer supports the TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256 TLS cipher suites. This change applies automatically when you upgrade existing clusters to v1.32.

  • Starting from v1.32, enabling the RRSA feature no longer modifies the --api-audiences parameter of kube-apiserver. Existing configurations are preserved. This change does not affect clusters where the RRSA feature is already enabled.

  • The ServiceAccount annotation kubernetes.io/enforce-mountable-secrets is removed in v1.32. Use separate namespaces to isolate access to Secrets.

  • The DRAControlPlaneController feature gate, which was introduced as Alpha in v1.26 and disabled by default, is removed in v1.32. If you have enabled and used this feature, delete the related resources before you upgrade your cluster to prevent workload issues after the upgrade. For more information, see #128003.

  • Version 1.32.7-aliyun.1 fixes CVE-2024-4563.

New features

  • The WatchList feature gate is promoted to Beta and is enabled by default. Large list operations can significantly increase the resource consumption of the control plane. The WatchList feature allows client-go to use a streaming request instead of a full list operation, reducing control plane resource usage. The kube-controller-manager component enables this feature by default. For more information, see Enhancing Kubernetes API Server Efficiency with API Streaming.

  • The RelaxedEnvironmentVariableValidation feature gate is promoted to Beta and is enabled by default. This feature relaxes the validation rules for environment variable names, allowing almost all printable ASCII characters (except for =) to be used as environment variable names.

  • This version improves Pod status reporting. When an image pull fails, the Pod's status.containerStatuses[*].state.waiting field now includes the reason (ImagePullBackOff) and a detailed message about the failure.

  • The CustomResourceFieldSelectors feature gate is now Generally Available (GA) in v1.32 and is enabled by default. This feature allows you to enable selectableFields in a CustomResourceDefinition (CRD), which can be used in list, watch, and deletecollection operations to filter CRD resources more efficiently and precisely.

  • The StatefulSetAutoDeletePVC feature gate is now GA in v1.32 and is enabled by default. This feature provides fine-grained control over PersistentVolumeClaim (PVC) deletion in a StatefulSet. It automatically cleans up PVCs that are no longer needed by the StatefulSet, which reduces the impact of orphaned PVCs. This automatic cleanup is not triggered during StatefulSet updates or node maintenance.

  • The JobManagedBy feature gate is promoted to Beta and is enabled by default. This feature allows an external controller to manage the reconciliation of a Job by setting the spec.managedBy field, which provides more flexibility in Job scheduling and management.

    The managedBy field cannot be set to kubernetes.io/job-controller, which is a reserved value for the built-in Kubernetes Job controller.

  • Each plugin in the scheduler now integrates a QueueingHint callback function. This function suggests to the scheduler whether a Pod should be re-queued, which reduces unnecessary scheduling retries and improves scheduling throughput. For more information, see QueueingHint Brings a New Possibility to Optimize Pod Scheduling.

  • The RecoverVolumeExpansionFailure feature gate is promoted to Beta and is enabled by default. When a PVC expansion fails, it typically requires complex manual recovery by an administrator. This feature allows you to manually reduce the size of the PVC's .spec.resources to help the PVC recover quickly without data loss. For specific instructions, see Recovering from Failure when Expanding Volumes.

  • The AuthorizeWithSelectors and AuthorizeNodeWithSelectors feature gates are promoted to Beta. AuthorizeNodeWithSelectors must be used with AuthorizeWithSelectors. When enabled, AuthorizeNodeWithSelectors allows the node authorizer to use more fine-grained selectors (such as fieldSelector and labelSelector) for authorization, which increases the flexibility of the Kubernetes authorization system. The kubelet has minimal permissions, allowing it to read only its own node object and the Pods bound to it. For more information, see Using Node Authorization.

  • The Stream field is added to the PodLogOptions parameters for client requests for pod logs, enabling streaming requests for container logs. This means logs can be transmitted to the client in real time without waiting for the entire log file to download. Note that the Stream and TailLines fields cannot be used together.

  • The JobController is optimized to significantly improve Job update and deletion performance, especially in large-scale scenarios. For more information, see #126567, #127228, and #127378.

  • The kube-proxy is optimized to use fieldSelector: clusterIP!=None when watching for Service updates. This avoids watching Headless Services and reduces unnecessary bandwidth consumption. For more information, see #126769.

Deprecated APIs

  • The flowcontrol.apiserver.k8s.io/v1beta3 API versions of FlowSchema and PriorityLevelConfiguration are deprecated in v1.32. Migrate to the flowcontrol.apiserver.k8s.io/v1 API version, which has been available since v1.29.

    In the flowcontrol.apiserver.k8s.io/v1 version, the spec.limited.nominalConcurrencyShares field of PriorityLevelConfiguration defaults to 30 if not specified. If it is explicitly set to 0, it is not changed to 30.

References

For the complete changelog for Kubernetes 1.32, see CHANGELOG-1.32 and Kubernetes v1.32: Penelope.