Container Service for Kubernetes:Kubernetes 1.30 release notes

A sleep mode is added for the PreStop hook. This mode allows containers to pause for the specified period of time before they are terminated. For more information, see KEP-3960: Introducing Sleep Action for PreStop Hook.

The SidecarContainers feature has reached Beta and is enabled by default. This feature allows you to run init containers as sidecar containers by setting restartPolicy to Always. Sidecar containers can independently start, stop, and restart without affecting the main application containers and other init containers. For more information, see Sidecar Containers.

Service CIDRs are supported to dynamically specify the IP address range of ClusterIP Services. This feature has reached Alpha and is disabled by default. For more information about how to dynamically increase the number of IP addresses available for a Service, see KEP-1880: Multiple Service CIDRs.

The Persistent volume claims (PVC) and container APIs use the same ResourceRequirements structure to define resource requests and limits. Consequently, when the resources structure of the container API changes, for example, when the claims field is added, the resource structure of the PVC API also changes. To prevent this issue, the PVC API now uses an independent VolumeResourceRequirements structure, which consists of only requests and limits. The structure does not consist of claims. For more information, see Volume resource requirements.

The PodReadyToStartContainers feature has reached Beta and is enabled by default. This feature indicates that the sandboxed runtime environment of a pod is created (the runtime environment is ready) and the network is configured. This allows the kubelet to learn the status of the pod. For more information, see Pod conditions.

Pod affinity and pod anti-affinity support matchLabelKeys and mismatchLabelKeys to resolve the issue that the scheduler cannot distinguish between old pods and new pods during Deployment rolling updates. When this issue occurs, pods fail to be scheduled based on the pod affinity or pod anti-affinity rules. When you configure matchLabelKeys for pod affinity, the Deployment adds the pod-template-hash label to the ReplicaSet. This way, each pod of the Deployment has the same hash string. This enables the scheduler to assess pods that have the same pod-template-hash value in order to distinguish pods in the same update batch. For more information, see KEP-3633.

In addition to core Kubernetes API resources, ValidatingAdmissionPolicies also support CustomResourceDefinitions (CRDs) and API extensions. This helps ensure the reliability of the policies and the validity of the cluster configuration. For more information, see type-checking.

The UserNamespacesPodSecurityStandards feature gate is added to enable user namespaces to support Pod Security Standards. When this feature gate is enabled, you can run containers with a non-root user identity or with the specified user identify in pod security context. This feature gate has reached Alpha and is set to false by default. The feature gate may remain in the false state in later versions. For more information, see KEP-127: Update PSS based on feature gate.

The DisableNodeKubeProxyVersion feature gate is added for node objects. The status.nodeInfo.kubeProxyVersion field is deprecated. This means that the kubeProxyVersion field is disabled for nodes in Kubernetes. The kubelet may fail to recognize the right kube-proxy version. Therefore, the value of this field is inaccurate. This feature gate has reached Alpha and is set to false by default.

The JobBackoffLimitPerIndex feature gate has reached Beta and set to true by default. This feature gate allows you to specify the maximum attempts of retries for each index in an indexed job. For more information about indexed jobs, see Indexed Job for Parallel Processing with Static Work Assignment.

ImageMaximumGCAge allows you to use the kubelet to configure the maximum TTL of an unused image before garbage collection. If an image is still not used after its TTL ends, the image is deleted by garbage collection. The default value is "0s", which means no TTL is set. This feature gate has reached Alpha in Kubernetes 1.29 and reached Beta in Kubernetes 1.30.

The image_pull_duration_seconds metric is added to the kubelet to track the image pulling time. For more information, see List of Alpha Kubernetes Metrics.

The LegacyServiceAccountTokenCleanUp feature gate has reach GA and is enabled by default. If an automatically generated Secret associated with a ServiceAccount is not used within a period of time (one year by default) and is not mounted to any pod, kube-controller-manager adds the kubernetes.io/legacy-token-invalid-since label to the Secret. The Secret is marked as invalid. The label value is the current date. Starting from the day when the Secret is marked as invalid, if it is still not used within a period of time (one year by default), kube-controller-manager automatically deletes the Secret. For Secrets that have this label but are not deleted, you can remove the kubernetes.io/legacy-token-invalid-since label to make the Secrets valid again. For more information, see Auto-generated legacy ServiceAccount token clean up and Legacy ServiceAccount token cleaner.

In Kubernetes 1.30, if --nodeport-addresses is not configured for kube-proxy (this flag is not configured by default), NodePort Service updates will update only the primary node IP address instead of updating all node IP addresses. For more information, see #122724.

To prevent configuration conflicts and security issues, the OIDC Issuer URL and API server ServiceAccount Issuer URL must not be configured with the same parameter. For more information, see #123561.

The LoadBalancerIPMode feature gate allows you to add the .status.loadBalancer.ingress.ipMode field to LoadBalancer Services to specify forwarding actions for requests sent to the specified load balancer IP address. This field is available only when the .status.loadBalancer.ingress.ip field is specified. The LoadBalancerIPMode feature gate has reached Beta. For more information, see Specifying IPMode of load balancer status and Load Balancer IP Mode for Services.

The Horizontal Pod Autoscaler (HPA) based on ContainerResource metrics has reached Stable in Kubernetes 1.30. This enables the HPA to configure auto scaling based on the resource usage of each container in a pod instead of scaling based on the resource usage of the pod. This way, scaling thresholds can be separately configured for important containers in a pod. For more information, see Container resource metrics.

The AdmissionWebhookMatchConditions feature gate has reached GA and is enabled by default. This feature gate cannot be disabled. This feature gate allows you to define match conditions for admission webhooks in order to trigger webhooks in a more fine-grained manner. For more information, see Dynamic Admission Control.

The JobSuccessPolicy feature gate is added to claim that a job is completed when a group of pods that belong to the job are succeeded. You can specify specific indexes (such as pod indexes X, Y, and Z) or a number of indexes (such as three indexes) to claim that a job is completed. This feature gate has reached Alpha. For more information, see Job success/completion policy.

The RelaxedEnvironmentVariableValidation feature gate is added to control most printable ASCII characters (all characters from 32 to 126) used in environment variables, excluding the equal sign (=). This feature gate has reached Alpha and is disabled by default. For more information, see #123385.

The CustomResourceFieldSelectors feature gate is added to configure selectableFields for CRDs. This way, Field Selectors can be sued to filter List, Watch, DeleteCollection requests in order to locate or manage CRDs that meet specific conditions. This feature gate has reached Alpha and is disabled by default. For more information, see Custom Resource Field Selectors.

An update is released for the CRDValidationRatcheting feature gate. After a new CRD validation ratcheting is added, even if existing resources will become invalid after updates, the API server does not block resource updates if resources that fail to pass the validation are not updated. This avoids affecting existing resources and users. This way, CRDs can be validated through OpenAPI v3 schemas during migration. This feature gate has reached Beta and is enabled by default. For more information, see CRD Validation ratcheting.

The Downward API uses the status.hostIPs field to support IPv4/IPv6 dual stack. The first IP address in the status.hostIPs list is always the same as the status.hostIP. For more information, see Downward API.

The NodeLogQuery feature gate allows you to use the /logs endpoint to query node service logs. This feature gate has reached Beta and is set to false by default. For more information, see Log query.

CronJobs no longer support the CRON_TZ or TZ setting in .spec.schedule. The .spec.timeZone field is used as a replacement. This field is available in Kubernetes 1.25 and later versions. For more information, see CronJob limitations.

The networking/v1alpha1 API ClusterCIDR in Alpha is removed.

The --prune-whitelist parameter of the kubectl apply command is removed. We recommend that you use --prune-allowlist. For more information, see --prune.

The admission plug-in is deprecated in Kubernetes 1.27 and removed in Kubernetes 1.30. We recommend that you use the PodSecurity admission plug-in. This plug-in has reached Stable in Kubernetes 1.25 and is enabled by default. For more information, see PodSecurity.