Kubernetes 1.30 release notes

Container Service for Kubernetes (ACK) strictly abides by the terms of the Certified Kubernetes Conformance Program. This topic describes the updates in Kubernetes 1.30, including update notes, major changes, new features, deprecated features and APIs, and feature gates.

Component versions

The following key component versions are supported by Kubernetes 1.30.

Key component	Version

Key component	Version
Kubernetes	1.30.7-aliyun.1 and 1.30.1-aliyun.1
etcd	v3.5.9
containerd	1.6.28
CoreDNS	v1.9.3.10-7dfca203-aliyun
CSI	1.24.10-7ae4421-aliyun
CNI	Flannel v0.15.1.22-20a397e6-aliyun
CNI	Terway and TerwayControlplane 1.9.0 and later Note Since Kubernetes 1.30, when you create a cluster and select Terway as the network plug-in to configure network policies, the implementation of network policies is based on the Extended Berkeley Packet Filter (eBPF). The updates of clusters and components do not change their existing behavior. For more information, see Use network policies in ACK clusters.

Update notes

Item	Description	Solution

Item

Description

Solution

Operating system

CentOS and Alibaba Cloud Linux 2 are no longer supported as node pool operating systems. For more information, see [Product Changes] Alibaba Cloud Linux 2 and CentOS 7 are discontinued.

You can change the operating system of a node pool by updating the node pool. For more information, see Update a node pool.

We recommend that you use the official operating systems of Alibaba Cloud: ContainerOS and Alibaba Cloud Linux 3.

kube-proxy

In Kubernetes versions later than 1.29, kube-proxy updates the method used to configure the value of conntrack_max. The value of conntrack_max can be calculated and updated based on the kube-proxy configuration and the number of CPU cores on a node. In Kubernetes versions from 1.23 to 1.28, kube-proxy does not overwrite the value of conntrack_max manually configured by the cluster administrator. After you update the Kubernetes version to 1.29, kube-proxy may automatically decrease the value of conntrack_max based on the new logic. For more information, see #120448.

If you have modified the value of conntrack_max, add the nf_conntrack_max parameter and other configurations to the kube-proxy ConfigMap before the update to avoid overwriting. For more information, see How do I increase the maximum number of tracked connections in the conntrack table of the Linux kernel?

To check whether the syctls value is modified, enable the cluster inspection feature. For more information, see Work with the cluster inspection feature.

Features

The following Common Vulnerabilities and Exposures (CVE) is fixed in 1.30.7-aliyun.1:

CVE-2024-10220

Kubernetes 1.29

A sleep mode is added for the PreStop hook. This mode allows containers to pause for the specified period of time before they are terminated. For more information, see KEP-3960: Introducing Sleep Action for PreStop Hook.
The SidecarContainers feature has reached Beta and is enabled by default. This feature allows you to run init containers as sidecar containers by setting restartPolicy to Always. Sidecar containers can independently start, stop, and restart without affecting the main application containers and other init containers. For more information, see Sidecar Containers.
Service CIDRs are supported to dynamically specify the IP address range of ClusterIP Services. This feature has reached Alpha and is disabled by default. For more information about how to dynamically increase the number of IP addresses available for a Service, see KEP-1880: Multiple Service CIDRs.
The Persistent volume claims (PVC) and container APIs use the same ResourceRequirements structure to define resource requests and limits. Consequently, when the resources structure of the container API changes, for example, when the claims field is added, the resource structure of the PVC API also changes. To prevent this issue, the PVC API now uses an independent VolumeResourceRequirements structure, which consists of only requests and limits. The structure does not consist of claims. For more information, see Volume resource requirements.
The PodReadyToStartContainers feature has reached Beta and is enabled by default. This feature indicates that the sandboxed runtime environment of a pod is created (the runtime environment is ready) and the network is configured. This allows the kubelet to learn the status of the pod. For more information, see Pod conditions.
Pod affinity and pod anti-affinity support matchLabelKeys and mismatchLabelKeys to resolve the issue that the scheduler cannot distinguish between old pods and new pods during Deployment rolling updates. When this issue occurs, pods fail to be scheduled based on the pod affinity or pod anti-affinity rules. When you configure matchLabelKeys for pod affinity, the Deployment adds the pod-template-hash label to the ReplicaSet. This way, each pod of the Deployment has the same hash string. This enables the scheduler to assess pods that have the same pod-template-hash value in order to distinguish pods in the same update batch. For more information, see KEP-3633.
In addition to core Kubernetes API resources, ValidatingAdmissionPolicies also support CustomResourceDefinitions (CRDs) and API extensions. This helps ensure the reliability of the policies and the validity of the cluster configuration. For more information, see type-checking.
The UserNamespacesPodSecurityStandards feature gate is added to enable user namespaces to support Pod Security Standards. When this feature gate is enabled, you can run containers with a non-root user identity or with the specified user identify in pod security context. This feature gate has reached Alpha and is set to false by default. The feature gate may remain in the false state in later versions. For more information, see KEP-127: Update PSS based on feature gate.
The DisableNodeKubeProxyVersion feature gate is added for node objects. The status.nodeInfo.kubeProxyVersion field is deprecated. This means that the kubeProxyVersion field is disabled for nodes in Kubernetes. The kubelet may fail to recognize the right kube-proxy version. Therefore, the value of this field is inaccurate. This feature gate has reached Alpha and is set to false by default.
The JobBackoffLimitPerIndex feature gate has reached Beta and set to true by default. This feature gate allows you to specify the maximum attempts of retries for each index in an indexed job. For more information about indexed jobs, see Indexed Job for Parallel Processing with Static Work Assignment.

Kubernetes 1.30

ImageMaximumGCAge allows you to use the kubelet to configure the maximum TTL of an unused image before garbage collection. If an image is still not used after its TTL ends, the image is deleted by garbage collection. The default value is "0s", which means no TTL is set. This feature gate has reached Alpha in Kubernetes 1.29 and reached Beta in Kubernetes 1.30.
The image_pull_duration_seconds metric is added to the kubelet to track the image pulling time. For more information, see List of Alpha Kubernetes Metrics.
The LegacyServiceAccountTokenCleanUp feature gate has reach GA and is enabled by default. If an automatically generated Secret associated with a ServiceAccount is not used within a period of time (one year by default) and is not mounted to any pod, kube-controller-manager adds the kubernetes.io/legacy-token-invalid-since label to the Secret. The Secret is marked as invalid. The label value is the current date. Starting from the day when the Secret is marked as invalid, if it is still not used within a period of time (one year by default), kube-controller-manager automatically deletes the Secret. For Secrets that have this label but are not deleted, you can remove the kubernetes.io/legacy-token-invalid-since label to make the Secrets valid again. For more information, see Auto-generated legacy ServiceAccount token clean up and Legacy ServiceAccount token cleaner.
In Kubernetes 1.30, if --nodeport-addresses is not configured for kube-proxy (this flag is not configured by default), NodePort Service updates will update only the primary node IP address instead of updating all node IP addresses. For more information, see #122724.
To prevent configuration conflicts and security issues, the OIDC Issuer URL and API server ServiceAccount Issuer URL must not be configured with the same parameter. For more information, see #123561.
The LoadBalancerIPMode feature gate allows you to add the .status.loadBalancer.ingress.ipMode field to LoadBalancer Services to specify forwarding actions for requests sent to the specified load balancer IP address. This field is available only when the .status.loadBalancer.ingress.ip field is specified. The LoadBalancerIPMode feature gate has reached Beta. For more information, see Specifying IPMode of load balancer status and Load Balancer IP Mode for Services.
The Horizontal Pod Autoscaler (HPA) based on ContainerResource metrics has reached Stable in Kubernetes 1.30. This enables the HPA to configure auto scaling based on the resource usage of each container in a pod instead of scaling based on the resource usage of the pod. This way, scaling thresholds can be separately configured for important containers in a pod. For more information, see Container resource metrics.
The AdmissionWebhookMatchConditions feature gate has reached GA and is enabled by default. This feature gate cannot be disabled. This feature gate allows you to define match conditions for admission webhooks in order to trigger webhooks in a more fine-grained manner. For more information, see Dynamic Admission Control.
The JobSuccessPolicy feature gate is added to claim that a job is completed when a group of pods that belong to the job are succeeded. You can specify specific indexes (such as pod indexes X, Y, and Z) or a number of indexes (such as three indexes) to claim that a job is completed. This feature gate has reached Alpha. For more information, see Job success/completion policy.
The RelaxedEnvironmentVariableValidation feature gate is added to control most printable ASCII characters (all characters from 32 to 126) used in environment variables, excluding the equal sign (=). This feature gate has reached Alpha and is disabled by default. For more information, see #123385.
The CustomResourceFieldSelectors feature gate is added to configure selectableFields for CRDs. This way, Field Selectors can be sued to filter List, Watch, DeleteCollection requests in order to locate or manage CRDs that meet specific conditions. This feature gate has reached Alpha and is disabled by default. For more information, see Custom Resource Field Selectors.
An update is released for the CRDValidationRatcheting feature gate. After a new CRD validation ratcheting is added, even if existing resources will become invalid after updates, the API server does not block resource updates if resources that fail to pass the validation are not updated. This avoids affecting existing resources and users. This way, CRDs can be validated through OpenAPI v3 schemas during migration. This feature gate has reached Beta and is enabled by default. For more information, see CRD Validation ratcheting.
The Downward API uses the status.hostIPs field to support IPv4/IPv6 dual stack. The first IP address in the status.hostIPs list is always the same as the status.hostIP. For more information, see Downward API.
The NodeLogQuery feature gate allows you to use the /logs endpoint to query node service logs. This feature gate has reached Beta and is set to false by default. For more information, see Log query.

Deprecated features

Kubernetes 1.29

CronJobs no longer support the CRON_TZ or TZ setting in .spec.schedule. The .spec.timeZone field is used as a replacement. This field is available in Kubernetes 1.25 and later versions. For more information, see CronJob limitations.
The networking/v1alpha1 API ClusterCIDR in Alpha is removed.

Kubernetes 1.30

The --prune-whitelist parameter of the kubectl apply command is removed. We recommend that you use --prune-allowlist. For more information, see --prune.
The admission plug-in is deprecated in Kubernetes 1.27 and removed in Kubernetes 1.30. We recommend that you use the PodSecurity admission plug-in. This plug-in has reached Stable in Kubernetes 1.25 and is enabled by default. For more information, see PodSecurity.

Deprecated APIs

FlowSchema and PriorityLevelConfiguration of the flowcontrol.apiserver.k8s.io/v1beta2 API version are deprecated in Kubernetes 1.29. We recommend that you use flowcontrol.apiserver.k8s.io/v1 API (available in Kubernetes 1.29 and later versions) or flowcontrol.apiserver.k8s.io/v1beta3 API (available in Kubernetes 1.26 and later versions).

Major changes in flowcontrol.apiserver.k8s.io/v1:
The spec.limited.assuredConcurrencyShares field of PriorityLevelConfiguration is renamed as spec.limited.nominalConcurrencyShares. The default value is 30 and the explicit value 0 cannot be changed to 30.
Major changes in flowcontrol.apiserver.k8s.io/v1beta3:
The spec.limited.assuredConcurrencyShares field of PriorityLevelConfiguration is renamed as spec.limited.nominalConcurrencyShares.

Feature gates

For more information about the feature gates supported by Kubernetes, feature gate versions, and features, see Feature Gates.

Feature gates have the following stages:

Alpha: By default, the feature is disabled.
Beta: By default, the feature is enabled.
GA: By default, the feature is enabled and cannot be disabled, and the corresponding feature gateway is no longer needed.

References

For more information about the release notes for Kubernetes 1.29 and 1.30, see CHANGELOG-1.29 and CHANGELOG-1.30.

Component versions

Update notes

Features

Kubernetes 1.29

Kubernetes 1.30

Deprecated features

Kubernetes 1.29

Kubernetes 1.30

Deprecated APIs

Feature gates

References

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

China Gateway Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic Desktop Service (EDS) Featured

Cloud Phone Beta

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)