Container Service for Kubernetes (ACK) strictly abides by the terms of the Certified Kubernetes Conformance Program. This topic describes the updates in Kubernetes 1.30, including update notes, major changes, new features, deprecated features and APIs, and feature gates.
Component versions
The following key component versions are supported by Kubernetes 1.30.
Key component | Version |
Kubernetes | 1.30.7-aliyun.1 and 1.30.1-aliyun.1 |
etcd | v3.5.9 |
containerd | 1.6.28 |
CoreDNS | v1.9.3.10-7dfca203-aliyun |
CSI | 1.24.10-7ae4421-aliyun |
CNI | Flannel v0.15.1.22-20a397e6-aliyun |
Terway and TerwayControlplane | 1.9.0 and later. Note: Since Kubernetes 1.30, when you create a cluster, select Terway as the network plug-in, and enable network policies, the network policies are implemented with the Extended Berkeley Packet Filter (eBPF). Updating existing clusters and components does not change their existing behavior. For more information, see Use network policies in ACK clusters. |
Update notes
Item | Description | Solution |
Operating system | CentOS and Alibaba Cloud Linux 2 are no longer supported as node pool operating systems. For more information, see [Product Changes] Alibaba Cloud Linux 2 and CentOS 7 are discontinued. | You can change the operating system of a node pool by updating the node pool. For more information, see Update a node pool. We recommend that you use the official operating systems of Alibaba Cloud: ContainerOS and Alibaba Cloud Linux 3. |
kube-proxy | In Kubernetes 1.29 and later, kube-proxy changes how it configures the value of conntrack_max: the value is calculated and applied based on the kube-proxy configuration and the number of CPU cores on the node. In Kubernetes 1.23 to 1.28, kube-proxy does not overwrite a conntrack_max value that the cluster administrator configured manually. After you update to Kubernetes 1.29 or later, kube-proxy may automatically decrease the value of conntrack_max according to the new logic. For more information, see #120448. | If you have modified the value of conntrack_max, add the To check whether the sysctls value is modified, enable the cluster inspection feature. For more information, see Work with the cluster inspection feature. |
Features
The following Common Vulnerabilities and Exposures (CVE) is fixed in 1.30.7-aliyun.1:
Kubernetes 1.29
A sleep mode is added for the PreStop hook. This mode allows containers to pause for the specified period of time before they are terminated. For more information, see KEP-3960: Introducing Sleep Action for PreStop Hook.
The SidecarContainers feature has reached Beta and is enabled by default. This feature allows you to run init containers as sidecar containers by setting restartPolicy to Always. Sidecar containers can independently start, stop, and restart without affecting the main application containers and other init containers. For more information, see Sidecar Containers.
Service CIDRs are supported to dynamically specify the IP address range of ClusterIP Services. This feature has reached Alpha and is disabled by default. For more information about how to dynamically increase the number of IP addresses available for Services, see KEP-1880: Multiple Service CIDRs.
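Added example, not code from the original page or from ACK: a Deployment that uses both the PreStop sleep action and a sidecar init container with restartPolicy set to Always. The names and images are assumed; the sleep action relies on the PodLifecycleSleepAction feature gate, which is Beta and enabled by default in Kubernetes 1.30.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-with-log-shipper          # assumed name
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      initContainers:
      # restartPolicy: Always turns this init container into a sidecar:
      # it starts before the app containers, keeps running next to them,
      # is restarted if it exits, and is stopped only after they stop.
      - name: log-shipper
        image: registry.example.com/log-shipper:1.0   # assumed image
        restartPolicy: Always
        volumeMounts:
        - name: logs
          mountPath: /var/log/app
          readOnly: true
      containers:
      - name: web
        image: registry.example.com/web:1.0           # assumed image
        ports:
        - containerPort: 8080
        lifecycle:
          preStop:
            # Sleep action (KEP-3960): pause 10 s before SIGTERM so that
            # in-flight requests drain after the endpoint has been removed.
            # No shell or sleep binary is needed in the image.
            sleep:
              seconds: 10
        volumeMounts:
        - name: logs
          mountPath: /var/log/app
      # Must be longer than the sleep plus the app's own shutdown time.
      terminationGracePeriodSeconds: 30
      volumes:
      - name: logs
        emptyDir: {}
```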
The PersistentVolumeClaim (PVC) and container APIs used to share the same ResourceRequirements structure to define resource requests and limits. Consequently, when the resources structure of the container API changed, for example, when the claims field was added, the resource structure of the PVC API changed as well. To prevent this, the PVC API now uses an independent VolumeResourceRequirements structure that consists of only requests and limits and does not include claims. For more information, see Volume resource requirements.
The PodReadyToStartContainers feature has reached Beta and is enabled by default. This pod condition indicates that the pod sandbox has been created (the runtime environment is ready) and the network is configured, which allows the kubelet to report the status of the pod. For more information, see Pod conditions.
Pod affinity and pod anti-affinity support matchLabelKeys and mismatchLabelKeys to resolve the issue that the scheduler cannot distinguish old pods from new pods during Deployment rolling updates, which can cause pods to fail to be scheduled according to the pod affinity or pod anti-affinity rules. When you configure matchLabelKeys for pod affinity, the Deployment adds the pod-template-hash label to the ReplicaSet so that every pod in that ReplicaSet carries the same hash value. The scheduler can then evaluate only pods that have the same pod-template-hash value and thereby distinguish pods that belong to the same update batch. For more information, see KEP-3633.
In addition to core Kubernetes API resources, ValidatingAdmissionPolicies also support CustomResourceDefinitions (CRDs) and API extensions. This helps ensure the reliability of the policies and the validity of the cluster configuration. For more information, see type-checking.
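Added example, not the page's own code: a Deployment whose anti-affinity rule uses matchLabelKeys with pod-template-hash, so that a rolling update is not blocked by pods of the previous ReplicaSet that still occupy the nodes. The name and image are assumed, and the MatchLabelKeysInPodAffinity feature gate must be enabled (Alpha in Kubernetes 1.30, disabled by default).

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api                             # assumed name
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - topologyKey: kubernetes.io/hostname
            labelSelector:
              matchLabels:
                app: api
            # The scheduler appends "pod-template-hash in (<hash of the pod
            # being scheduled>)" to the selector above. Only pods from the
            # same ReplicaSet therefore count as conflicts; pods of the old
            # ReplicaSet no longer keep the new ones off the node.
            matchLabelKeys:
            - pod-template-hash
      containers:
      - name: api
        image: registry.example.com/api:1.0   # assumed image
        ports:
        - containerPort: 8080
```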
The UserNamespacesPodSecurityStandards feature gate is added so that Pod Security Standards take user namespaces into account. When this feature gate is enabled, you can run containers as a non-root user or as the specific user identity set in the pod security context. This feature gate has reached Alpha and is set to false by default, and it may remain disabled by default in later versions. For more information, see KEP-127: Update PSS based on feature gate.
The DisableNodeKubeProxyVersion feature gate is added for Node objects. The status.nodeInfo.kubeProxyVersion field is deprecated, which means that the kubeProxyVersion field is disabled for nodes in Kubernetes. The kubelet cannot reliably determine the actual kube-proxy version, so the value of this field is inaccurate. This feature gate has reached Alpha and is set to false by default.
The JobBackoffLimitPerIndex feature gate has reached Beta and is set to true by default. This feature gate allows you to specify the maximum number of retries for each index of an indexed Job. For more information about indexed Jobs, see Indexed Job for Parallel Processing with Static Work Assignment.
Kubernetes 1.30
ImageMaximumGCAge allows you to configure, in the kubelet, the maximum age of an unused image before it is garbage collected. If an image is still unused after this period, garbage collection deletes it. The default value is "0s", which means that no limit is set. This feature gate reached Alpha in Kubernetes 1.29 and Beta in Kubernetes 1.30.
The image_pull_duration_seconds metric is added to the kubelet to track image pull time. For more information, see List of Alpha Kubernetes Metrics.
The LegacyServiceAccountTokenCleanUp feature gate has reached GA and is enabled by default. If an automatically generated Secret associated with a ServiceAccount is not used within a period of time (one year by default) and is not mounted to any pod, kube-controller-manager adds the kubernetes.io/legacy-token-invalid-since label to the Secret, which marks it as invalid. The label value is the current date. If the Secret is still not used within a further period of time (one year by default) counted from the day it was marked invalid, kube-controller-manager automatically deletes it. For Secrets that carry this label but have not been deleted yet, you can remove the kubernetes.io/legacy-token-invalid-since label to make them valid again. For more information, see Auto-generated legacy ServiceAccount token clean up and Legacy ServiceAccount token cleaner.
In Kubernetes 1.30, if --nodeport-addresses is not configured for kube-proxy (this flag is not configured by default), NodePort Service updates apply only to the primary node IP address instead of all node IP addresses. For more information, see #122724.
To prevent configuration conflicts and security issues, the OIDC Issuer URL and the API server ServiceAccount Issuer URL must not be set to the same value. For more information, see #123561.
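As an added example of the replacement for the auto-generated token Secrets described above (not code from the page or from ACK): a ServiceAccount and a Pod that use a projected, time-bound ServiceAccount token instead of a legacy token Secret. The names, namespace and image are assumed.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: report-reader                   # assumed name
  namespace: reports                    # assumed namespace
# Since Kubernetes 1.24 no token Secret is generated for a ServiceAccount,
# so there is nothing for the legacy-token cleaner to find. Setting this to
# false additionally stops the kubelet from mounting a token into pods that
# do not ask for one explicitly.
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: report-reader
  namespace: reports
spec:
  serviceAccountName: report-reader
  automountServiceAccountToken: false
  containers:
  - name: app
    image: registry.example.com/report-reader:1.0   # assumed image
    volumeMounts:
    - name: api-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: api-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          # Bound token: short-lived, bound to this pod, rotated by the
          # kubelet before expiry, and rejected by the API server once the
          # pod is gone. Add "audience:" only when the token is meant for a
          # consumer other than the API server.
          expirationSeconds: 3600
```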
The LoadBalancerIPMode feature gate allows you to add the .status.loadBalancer.ingress.ipMode field to LoadBalancer Services to specify how traffic sent to the load balancer IP address is forwarded. This field is available only when the .status.loadBalancer.ingress.ip field is specified. The LoadBalancerIPMode feature gate has reached Beta. For more information, see Specifying IPMode of load balancer status and Load Balancer IP Mode for Services.
The Horizontal Pod Autoscaler (HPA) based on ContainerResource metrics has reached Stable in Kubernetes 1.30. This enables the HPA to scale based on the resource usage of individual containers in a pod instead of the resource usage of the whole pod, so that scaling thresholds can be configured separately for the important containers in a pod. For more information, see Container resource metrics.
The AdmissionWebhookMatchConditions feature gate has reached GA and is enabled by default. This feature gate cannot be disabled. This feature gate allows you to define match conditions for admission webhooks in order to trigger webhooks in a more fine-grained manner. For more information, see Dynamic Admission Control.
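Added example, not taken from the page: a ValidatingWebhookConfiguration that uses matchConditions to keep an image-policy webhook from being called for system namespaces, node identities, or pods that use only images from a trusted registry. The webhook name, service, namespace and registry are assumed, and the caBundle is a placeholder.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: image-policy.example.com        # assumed name
webhooks:
- name: image-policy.example.com
  admissionReviewVersions: ["v1"]
  sideEffects: None
  failurePolicy: Fail
  timeoutSeconds: 5
  clientConfig:
    service:
      namespace: image-policy           # assumed service location
      name: image-policy
      path: /validate
    caBundle: "<base64 CA bundle placeholder>"
  rules:
  - apiGroups:   [""]
    apiVersions: ["v1"]
    operations:  ["CREATE", "UPDATE"]
    resources:   ["pods"]
  # CEL expressions evaluated in the API server before the webhook is called.
  # The webhook runs only when every condition is true; with failurePolicy
  # Fail, an expression that errors out rejects the request.
  matchConditions:
  - name: exclude-system-namespaces
    expression: "!(request.namespace in ['kube-system', 'kube-node-lease'])"
  - name: exclude-node-identities
    expression: "!('system:nodes' in request.userInfo.groups)"
  # Call the webhook only if some app or init container pulls from outside
  # the trusted registry; fully compliant pods never reach it.
  - name: untrusted-image-present
    expression: >-
      (object.spec.containers +
       (has(object.spec.initContainers) ? object.spec.initContainers : []))
        .exists(c, !c.image.startsWith('registry.example.com/'))
```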
The JobSuccessPolicy feature gate is added to declare a Job complete when a specified set of its pods succeed. You can specify particular indexes (such as pod indexes X, Y, and Z) or a number of indexes (such as three indexes) that must succeed for the Job to be declared complete. This feature gate has reached Alpha. For more information, see Job success/completion policy.
The RelaxedEnvironmentVariableValidation feature gate is added to allow most printable ASCII characters (all characters from 32 to 126) in environment variable names, except the equal sign (=). This feature gate has reached Alpha and is disabled by default. For more information, see #123385.
The CustomResourceFieldSelectors feature gate is added to configure selectableFields for CRDs. This way, field selectors can be used to filter List, Watch, and DeleteCollection requests in order to locate or manage custom resources that meet specific conditions. This feature gate has reached Alpha and is disabled by default. For more information, see Custom Resource Field Selectors.
An update is released for the CRDValidationRatcheting feature gate. After a CRD validation rule is tightened, existing resources may no longer pass validation; the API server does not block updates to such resources as long as the fields that fail validation are not changed by the update. This avoids affecting existing resources and users, and lets CRDs be validated through OpenAPI v3 schemas during migration. This feature gate has reached Beta and is enabled by default. For more information, see CRD Validation ratcheting.
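Added example (not the page's code): a CRD that declares selectableFields so that List, Watch and DeleteCollection requests can be filtered on spec fields, together with an OpenAPI v3 schema whose constraints validation ratcheting applies to. The group, kind and fields are assumed; the CustomResourceFieldSelectors feature gate must be enabled.

```yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: backups.example.com             # assumed group and resource
spec:
  group: example.com
  scope: Namespaced
  names:
    plural: backups
    singular: backup
    kind: Backup
  versions:
  - name: v1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            required: [target, encryption]
            properties:
              target:
                type: string
                # If this limit is lowered later, ratcheting lets existing
                # objects with longer targets still be updated, as long as
                # the update does not touch .spec.target itself.
                maxLength: 63
              encryption:
                type: string
                enum: [aes256, none]
    # Scalar fields listed here become usable in field selectors, e.g.
    #   kubectl get backups -A --field-selector spec.encryption=none
    # which lets an operator find unencrypted backups across namespaces.
    selectableFields:
    - jsonPath: .spec.encryption
    - jsonPath: .spec.target
```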
The Downward API uses the status.hostIPs field to support IPv4/IPv6 dual stack. The first IP address in the status.hostIPs list is always the same as status.hostIP. For more information, see Downward API.
The NodeLogQuery feature gate allows you to use the /logs endpoint of the kubelet to query node service logs. This feature gate has reached Beta and is set to false by default. For more information, see Log query.
Deprecated features
Kubernetes 1.29
CronJobs no longer support the CRON_TZ or TZ setting in .spec.schedule. The .spec.timeZone field is used as a replacement. This field is available in Kubernetes 1.25 and later versions. For more information, see CronJob limitations.
The Alpha networking/v1alpha1 API ClusterCIDR is removed.
Kubernetes 1.30
The --prune-whitelist parameter of the kubectl apply command is removed. We recommend that you use --prune-allowlist instead. For more information, see --prune.
The admission plug-in is deprecated in Kubernetes 1.27 and removed in Kubernetes 1.30. We recommend that you use the PodSecurity admission plug-in instead. This plug-in has reached Stable in Kubernetes 1.25 and is enabled by default. For more information, see PodSecurity.
Deprecated APIs
FlowSchema and PriorityLevelConfiguration of the flowcontrol.apiserver.k8s.io/v1beta2 API version are deprecated in Kubernetes 1.29. We recommend that you use flowcontrol.apiserver.k8s.io/v1 API (available in Kubernetes 1.29 and later versions) or flowcontrol.apiserver.k8s.io/v1beta3 API (available in Kubernetes 1.26 and later versions).
Major changes in flowcontrol.apiserver.k8s.io/v1:
The spec.limited.assuredConcurrencyShares field of PriorityLevelConfiguration is renamed to spec.limited.nominalConcurrencyShares. The default value is 30, and an explicit value of 0 is no longer changed to 30.
Major changes in flowcontrol.apiserver.k8s.io/v1beta3:
The spec.limited.assuredConcurrencyShares field of PriorityLevelConfiguration is renamed to spec.limited.nominalConcurrencyShares.
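Added example, not from the page: a flowcontrol.apiserver.k8s.io/v1 PriorityLevelConfiguration that uses the renamed nominalConcurrencyShares field, with a FlowSchema that confines a group of automation clients to it so that their request bursts cannot crowd out other API server traffic. The object names and the group name are assumed.

```yaml
apiVersion: flowcontrol.apiserver.k8s.io/v1
kind: PriorityLevelConfiguration
metadata:
  name: ci-bots                         # assumed name
spec:
  type: Limited
  limited:
    # v1 name of the former assuredConcurrencyShares field. Unset means 30;
    # an explicit 0 is kept as 0 (it is no longer defaulted to 30).
    nominalConcurrencyShares: 10
    limitResponse:
      type: Queue
      queuing:
        queues: 16
        handSize: 4
        queueLengthLimit: 50
---
apiVersion: flowcontrol.apiserver.k8s.io/v1
kind: FlowSchema
metadata:
  name: ci-bots
spec:
  priorityLevelConfiguration:
    name: ci-bots
  # Lower values are matched first; 1000 sits below the built-in
  # catch-all schemas, so this rule wins for the listed group.
  matchingPrecedence: 1000
  # One queue per user, so a single noisy bot cannot starve the others.
  distinguisherMethod:
    type: ByUser
  rules:
  - subjects:
    - kind: Group
      group:
        name: ci-bots                   # assumed group name
    resourceRules:
    - verbs: ["*"]
      apiGroups: ["*"]
      resources: ["*"]
      namespaces: ["*"]
      clusterScope: true
```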
Feature gates
For more information about the feature gates supported by Kubernetes, feature gate versions, and features, see Feature Gates.
Feature gates have the following stages:
Alpha: By default, the feature is disabled.
Beta: By default, the feature is enabled.
GA: By default, the feature is enabled and cannot be disabled, and the corresponding feature gate is no longer needed.
References
For more information about the release notes for Kubernetes 1.29 and 1.30, see CHANGELOG-1.29 and CHANGELOG-1.30.