This topic describes the changes ACK Lingjun made to support Kubernetes 1.20, including component version updates, deprecations, required pre-upgrade actions, and new features.
Component versions
| Component | Version | Change notes |
|---|---|---|
| Kubernetes | 1.20.11-aliyun.1 | See Before you upgrade for required pre-upgrade actions. |
| Docker runtime | 19.03.5 | — |
| containerd | 1.5.10 | — |
| etcd | 3.4.3 | — |
| CoreDNS | v1.9.3.6-32932850-aliyun | The deprecated upstream plugin is removed automatically in a secure way during upgrade. Metric names have changed—update your monitoring system if it relies on CoreDNS metrics. New capabilities: EndpointSlices monitoring and IPv6 DNS resolution. |
| NVIDIA Container Runtime | 3.13.0 | — |
Before you upgrade
Complete the following actions before upgrading your cluster to Kubernetes 1.20. Skipping these steps may cause upgrade failures or service disruptions.
Action required: Add Subject Alternative Names (SANs) to admission webhook certificates
Kubernetes 1.20 requires Subject Alternative Names (SANs) in the self-signed server certificates of all admission webhooks in your cluster. Check your webhook certificates before upgrading. For reference, see this sample Helm chart.
Action required: Update alicloud-nas-controller before upgrading
If both FlexVolume and alicloud-nas-controller are deployed in your cluster, update the alicloud-nas-controller image to version 1.14.8.17-7b898e5-aliyun or later before upgrading to Kubernetes 1.20. FlexVolume is deprecated—migrate to Container Storage Interface (CSI) after the upgrade.
Deprecations and removals
Docker runtime deprecated
The Docker runtime is deprecated in Kubernetes 1.20 and will be removed in a future upstream Kubernetes release. Clusters already running Docker continue to work—this change does not affect container images. For details, see the Dockershim Deprecation FAQ.
selfLink field deprecated
The selfLink field is deprecated in kube-apiserver. For details, see Stop setting SelfLink in kube-apiserver.
node-role.kubernetes.io/master label deprecated
The node-role.kubernetes.io/master label is deprecated in Kubernetes versions later than 1.20. ACK dedicated clusters now add the node-role.kubernetes.io/control-plane label to master nodes by default.
Ingress API versions deprecated
extensions/v1beta1 and networking.k8s.io/v1beta1 can no longer manage Ingresses and IngressClasses, and will be deprecated in Kubernetes versions later than 1.22. Use networking.k8s.io/v1 instead.
The NGINX Ingress Controller installed in ACK clusters by default uses the networking.k8s.io/v1beta1 API version to manage Ingresses and IngressClasses.
CoreDNS upstream plugin removed
The deprecated upstream plugin is no longer supported. If the upstream plugin appears in your Corefile, it will be automatically deleted in a secure way when CoreDNS is upgraded.
CoreDNS metric names changed
CoreDNS metric names have changed. If your monitoring system relies on CoreDNS metrics, update the metric names after upgrading. For the full list of changes, see CoreDNS 1.7.0 metric changes.
New features and enhancements
kubelet exec probe timeout fix
kubelet exec probes now respect their configured timeout settings. The default timeout is 1 second, which may be too short for some probes. If you have exec probes without an explicit timeout, set a timeout value that matches the probe's expected execution time.
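The audit this implies, as an added example that is not part of the ACK documentation: it scans JSON in the shape of `kubectl get ... -o json` output and reports every exec probe whose timeoutSeconds is unset or still 1. The sample objects and the function names `pod_specs` and `risky_exec_probes` are constructed for illustration.

```python
import json

PROBES = ("livenessProbe", "readinessProbe", "startupProbe")
DEFAULT_TIMEOUT = 1  # seconds, the default stated in the note above

# Constructed sample in the shape of `kubectl get pods,deployments -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Pod", "metadata": {"namespace": "shop", "name": "cart-0"},
   "spec": {"containers": [{"name": "cart",
     "livenessProbe": {"exec": {"command": ["/bin/check.sh"]}},
     "readinessProbe": {"exec": {"command": ["/bin/ready.sh"]}, "timeoutSeconds": 5},
     "startupProbe": {"httpGet": {"path": "/healthz", "port": 8080}}}]}},
  {"kind": "Deployment", "metadata": {"namespace": "shop", "name": "db"},
   "spec": {"template": {"spec": {"containers": [{"name": "pg",
     "livenessProbe": {"exec": {"command": ["pg_isready"]}, "timeoutSeconds": 1}}]}}}}
]}
""")


def pod_specs(node):
    """Yield every dict holding a 'containers' list (a Pod spec or a pod template spec)."""
    if isinstance(node, dict):
        if isinstance(node.get("containers"), list):
            yield node
        for child in node.values():
            yield from pod_specs(child)
    elif isinstance(node, list):
        for child in node:
            yield from pod_specs(child)


def risky_exec_probes(doc):
    """Exec probes with timeoutSeconds unset (manifests) or 1 (API-server default on live objects)."""
    findings = []
    for item in doc.get("items", [doc]):
        meta = item.get("metadata", {})
        for spec in pod_specs(item.get("spec", {})):
            for container in spec["containers"]:
                for probe_name in PROBES:
                    probe = container.get(probe_name) or {}
                    timeout = probe.get("timeoutSeconds")
                    if "exec" in probe and (timeout is None or timeout == DEFAULT_TIMEOUT):
                        findings.append((item.get("kind"), meta.get("namespace"), meta.get("name"),
                                         container.get("name"), probe_name, timeout))
    return findings


if __name__ == "__main__":
    print(*risky_exec_probes(SAMPLE), sep="\n")
```

Each finding is a probe to time by hand before the upgrade; a probe that was deliberately set to 1 second is reported too, because it cannot be told apart from the default.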
API Priority and Fairness (public preview)
API Priority and Fairness (APF) is enabled by default in Kubernetes 1.20. Use this feature to limit and prioritize requests sent to kube-apiserver. For more information, see API Priority and Fairness.
EndpointSlices enabled by default (Beta)
kube-proxy automatically enables EndpointSlices in Kubernetes 1.19 and later to support large-scale clusters. For more information, see EndpointSlices.
Immutable ConfigMaps and Secrets (public preview)
You can set a ConfigMap or Secret to immutable, preventing any further modifications. This reduces load on kube-apiserver by eliminating watch operations for immutable objects. For more information, see Immutable ConfigMaps.
Control plane improvements
- Observability: Metrics are collected for request and watch operations, improving visibility into control plane component behavior.
- Stability: etcd is protected against excessive requests during cluster startup, improving overall system stability.
- Performance: Indexes have been added to accelerate list request processing, reducing CPU usage on kube-apiserver.
Performance improvements
In Kubernetes 1.20.11, kube-proxy is compatible with Alibaba Cloud Linux 2 with kernel version 4.19.91-23 or later. When IPVS mode is enabled, conn_reuse_mode is no longer set to 0. For details, see the related upstream issue.