Container Service for Kubernetes: ACK Lingjun release notes for Kubernetes 1.22

Last Updated: Mar 26, 2026

Container Service for Kubernetes (ACK) strictly abides by the terms of the Certified Kubernetes Conformance Program. This topic describes the changes ACK Lingjun makes to support Kubernetes 1.22.

Component versions

All components in ACK Lingjun clusters have been updated to support Kubernetes 1.22.

| Component | Version | Notes |
| --- | --- | --- |
| Kubernetes | 1.22.15-aliyun.1 | See Breaking changes and What's new below |
| etcd | 3.5.1 | |
| CoreDNS | v1.9.3.6-32932850-aliyun | Non-disruptive update. Adds EndpointSlice monitoring and IPv6 DNS resolution |
| CRI | containerd 1.5.13 | |
| CSI | v1.26.3-fc2ba2a-aliyun | |
| CNI | Terway v1.5.7 | |
| NVIDIA Container Runtime | 3.13.0 | |
| Ingress controller | v1.8.0-aliyun.1 | May temporarily interrupt workloads and cause compatibility issues. Evaluate the impact before upgrading |

Breaking changes

Important

The following changes require action before upgrading to Kubernetes 1.22. Skipping these steps may cause workload failures after the upgrade.

Discontinued beta APIs

Kubernetes 1.22 removes a set of beta APIs in favor of their stable (v1) versions. Existing resources created via beta APIs are preserved and remain accessible through the stable APIs — but controllers, operators, and tools that call the removed beta API versions will stop working after the upgrade.

Before upgrading, update manifests and API clients to the stable API versions listed in the table below, and redeploy controllers and applications that call the removed beta APIs.

The following beta APIs are discontinued in Kubernetes 1.22:

| Resource | Discontinued API | Stable API (use instead) |
| --- | --- | --- |
| MutatingWebhookConfiguration, ValidatingWebhookConfiguration | admissionregistration.k8s.io/v1beta1 | admissionregistration.k8s.io/v1 |
| CustomResourceDefinition (CRD) | apiextensions.k8s.io/v1beta1 | apiextensions.k8s.io/v1 |
| APIService | apiregistration.k8s.io/v1beta1 | apiregistration.k8s.io/v1 |
| TokenReview | authentication.k8s.io/v1beta1 | authentication.k8s.io/v1 |
| SubjectAccessReview | authorization.k8s.io/v1beta1 | authorization.k8s.io/v1 |
| CertificateSigningRequest (CSR) | certificates.k8s.io/v1beta1 | certificates.k8s.io/v1 |
| Lease | coordination.k8s.io/v1beta1 | coordination.k8s.io/v1 |
| Ingress, IngressClass | networking.k8s.io/v1beta1, extensions/v1beta1 | networking.k8s.io/v1 |
| ClusterRole, ClusterRoleBinding, Role, RoleBinding | rbac.authorization.k8s.io/v1beta1 | rbac.authorization.k8s.io/v1 |
| CSIDriver, CSINode, StorageClass, VolumeAttachment | storage.k8s.io/v1beta1 | storage.k8s.io/v1 |
| PriorityClass | scheduling.k8s.io/v1beta1 | scheduling.k8s.io/v1 |
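
To find manifests that still use the discontinued API versions in the table above, the following added example (not ACK tooling) scans multi-document YAML text for top-level apiVersion/kind pairs. The function and variable names and the sample manifest are constructed for illustration; nested items inside a List object are not inspected.

```python
import re

# Removed apiVersion -> (kinds listed for it in the table above, stable replacement)
REMOVED_APIS = {
    "admissionregistration.k8s.io/v1beta1": (
        {"MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"},
        "admissionregistration.k8s.io/v1"),
    "apiextensions.k8s.io/v1beta1": ({"CustomResourceDefinition"}, "apiextensions.k8s.io/v1"),
    "apiregistration.k8s.io/v1beta1": ({"APIService"}, "apiregistration.k8s.io/v1"),
    "authentication.k8s.io/v1beta1": ({"TokenReview"}, "authentication.k8s.io/v1"),
    "authorization.k8s.io/v1beta1": ({"SubjectAccessReview"}, "authorization.k8s.io/v1"),
    "certificates.k8s.io/v1beta1": ({"CertificateSigningRequest"}, "certificates.k8s.io/v1"),
    "coordination.k8s.io/v1beta1": ({"Lease"}, "coordination.k8s.io/v1"),
    "networking.k8s.io/v1beta1": ({"Ingress", "IngressClass"}, "networking.k8s.io/v1"),
    "extensions/v1beta1": ({"Ingress", "IngressClass"}, "networking.k8s.io/v1"),
    "rbac.authorization.k8s.io/v1beta1": (
        {"ClusterRole", "ClusterRoleBinding", "Role", "RoleBinding"},
        "rbac.authorization.k8s.io/v1"),
    "storage.k8s.io/v1beta1": (
        {"CSIDriver", "CSINode", "StorageClass", "VolumeAttachment"}, "storage.k8s.io/v1"),
    "scheduling.k8s.io/v1beta1": ({"PriorityClass"}, "scheduling.k8s.io/v1"),
}
DOC_SEPARATOR = re.compile(r"^---(?:[ \t\r].*)?$", re.M)
TOP_LEVEL_FIELD = re.compile(r"^(apiVersion|kind):[ \t]*['\"]?([^'\"#\s]+)", re.M)

def find_removed_apis(manifest_text):
    """Return (document index, kind, removed apiVersion, stable apiVersion) tuples."""
    findings = []
    for index, doc in enumerate(DOC_SEPARATOR.split(manifest_text)):
        fields = dict(TOP_LEVEL_FIELD.findall(doc))  # unindented keys only
        api_version, kind = fields.get("apiVersion"), fields.get("kind")
        kinds, stable = REMOVED_APIS.get(api_version, (set(), None))
        if kind in kinds:  # a kind the table does not list is not reported
            findings.append((index, kind, api_version, stable))
    return findings

# Constructed sample input: four documents, two of which use discontinued APIs.
SAMPLE_MANIFEST = """\
apiVersion: extensions/v1beta1
kind: Ingress
---
apiVersion: apps/v1
kind: Deployment
---
apiVersion: "apiextensions.k8s.io/v1beta1"
kind: CustomResourceDefinition
---
apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
"""
print(find_removed_apis(SAMPLE_MANIFEST))
```

A manifest scan does not cover controllers and operators that call the beta APIs directly from code; those still need to be updated and redeployed as described above.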

dockershim removal

dockershim, deprecated in Kubernetes 1.20, is removed in Kubernetes 1.22. Clusters still running Docker as the container runtime must migrate to containerd before upgrading.

Migration steps:

  1. Calculate the number of new nodes needed based on your current Docker workload.

  2. Add new nodes running containerd to the cluster during off-peak hours. To change the container runtime for node pools, see Change the container runtime from Docker to containerd.

  3. Drain Docker nodes one at a time. After each drain, verify that all pods have migrated successfully before draining the next node.

  4. Remove drained Docker nodes once no pods remain on them.
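
For steps 3 and 4, the following added example (not ACK tooling) classifies each Docker node from the output of `kubectl get nodes -o json` and `kubectl get pods -A -o json`, so that a node is removed only once it is cordoned and empty. The function names and sample data are constructed; ignoring DaemonSet-managed pods is an assumption that matches `kubectl drain --ignore-daemonsets`.

```python
def runtime_of(node):
    """'docker' or 'containerd', taken from e.g. 'containerd://1.5.13'."""
    return node["status"]["nodeInfo"]["containerRuntimeVersion"].split("://")[0]

def is_daemonset_pod(pod):
    owners = pod["metadata"].get("ownerReferences", [])
    return any(owner.get("kind") == "DaemonSet" for owner in owners)

def migration_status(nodes, pods):
    """Per Docker node: 'in use', 'draining' (cordoned, pods remain) or 'removable'."""
    cordoned = {n["metadata"]["name"]: bool(n.get("spec", {}).get("unschedulable"))
                for n in nodes["items"] if runtime_of(n) == "docker"}
    remaining = {name: 0 for name in cordoned}
    for pod in pods["items"]:
        node_name = pod["spec"].get("nodeName")
        # Assumption: DaemonSet pods are ignored, as kubectl drain leaves them in place.
        if node_name in remaining and not is_daemonset_pod(pod):
            remaining[node_name] += 1
    status = {}
    for name, is_cordoned in cordoned.items():
        if not is_cordoned:
            status[name] = "in use"
        else:
            status[name] = "draining" if remaining[name] else "removable"
    return status

# Constructed sample data in the shape of the kubectl JSON output.
def sample_node(name, runtime, cordoned=False):
    return {"metadata": {"name": name}, "spec": {"unschedulable": cordoned},
            "status": {"nodeInfo": {"containerRuntimeVersion": runtime}}}

def sample_pod(name, node, owner_kind):
    return {"metadata": {"namespace": "default", "name": name,
                         "ownerReferences": [{"kind": owner_kind}]},
            "spec": {"nodeName": node}}

SAMPLE_NODES = {"items": [sample_node("node-a", "docker://19.3.15", True),
                          sample_node("node-b", "docker://19.3.15", True),
                          sample_node("node-c", "docker://19.3.15"),
                          sample_node("node-d", "containerd://1.5.13")]}
SAMPLE_PODS = {"items": [sample_pod("log-agent-x", "node-a", "DaemonSet"),
                         sample_pod("web-1", "node-b", "ReplicaSet"),
                         sample_pod("web-2", "node-c", "ReplicaSet"),
                         sample_pod("web-3", "node-d", "ReplicaSet")]}

print(migration_status(SAMPLE_NODES, SAMPLE_PODS))
```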

NodePort behavior change (Kubernetes 1.22.10 and later)

kube-proxy no longer listens on the ports of NodePort Services. If the NodePort Service port range (configured by ServiceNodePortRange on the API server) overlaps with the ephemeral port range defined by the net.ipv4.ip_local_port_range kernel parameter, TCP connections may fail intermittently, causing health check failures and service exceptions.

Before upgrading to 1.22.10 or later, verify that your NodePort Service port ranges do not conflict with net.ipv4.ip_local_port_range. For configuration guidance, see How do I configure a proper node port range? or the Kubernetes community PR.
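
The overlap check described above can be scripted. This added example (not ACK tooling) compares a NodePort range with the node's ephemeral port range and lists already-allocated NodePorts that fall inside it, using the shape of `kubectl get svc -A -o json`. Function names and the sample Services are constructed; 30000-32767 is the Kubernetes default NodePort range.

```python
LOCAL_PORT_RANGE_FILE = "/proc/sys/net/ipv4/ip_local_port_range"

def parse_range(text):
    """Parse '30000-32767' (API server style) or '32768 60999' (procfs style)."""
    low, high = (int(part) for part in text.replace("-", " ").split())
    if not 0 < low <= high <= 65535:
        raise ValueError(f"invalid port range: {text!r}")
    return low, high

def overlap(node_port_range, local_port_range):
    """Return the (low, high) ports shared by both ranges, or None if disjoint."""
    low = max(node_port_range[0], local_port_range[0])
    high = min(node_port_range[1], local_port_range[1])
    return (low, high) if low <= high else None

def node_ports_in_range(services, port_range):
    """List (namespace/name, nodePort) for allocated NodePorts inside port_range."""
    hits = []
    for svc in services.get("items", []):
        name = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        for port in svc["spec"].get("ports", []):
            node_port = port.get("nodePort")
            if node_port and port_range[0] <= node_port <= port_range[1]:
                hits.append((name, node_port))
    return hits

# Constructed sample Services: one NodePort inside the ephemeral range, one outside.
def sample_service(namespace, name, port, node_port=None):
    entry = {"port": port}
    if node_port is not None:
        entry["nodePort"] = node_port
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": {"ports": [entry]}}

SAMPLE_SERVICES = {"items": [sample_service("default", "web", 80, 30080),
                             sample_service("prod", "api", 443, 35000),
                             sample_service("kube-system", "dns", 53)]}

if __name__ == "__main__":
    with open(LOCAL_PORT_RANGE_FILE) as f:      # run on a Linux node
        local_range = parse_range(f.read())
    print("overlap with default NodePort range:",
          overlap(parse_range("30000-32767"), local_range))
    print("NodePorts in ephemeral range:",
          node_ports_in_range(SAMPLE_SERVICES, local_range))
```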

Service account token expiration

In Kubernetes 1.22 and later, service account tokens have a validity period of one year. kubelet periodically renews tokens before expiration.

  • client-go >= 11.0.0 or >= 0.15.0: Tokens are automatically reloaded from disk.

  • client-go < 11.0.0 or < 0.15.0: Tokens are not automatically renewed. After a token expires, API server access from within the cluster fails. Upgrade client-go to 11.0.0 or later (or 0.15.0 or later) to avoid this.

For details on impacts and solutions, see [Product Changes] Solutions for service account token expiration in Kubernetes 1.22 and later.
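
The difference between the two client-go cases above is whether the client re-reads the token file after kubelet renews it. This added Python example (not client-go code) shows the reloading pattern next to a claim check that reports how long a token remains valid. The class and function names, the 60-second reload interval and the unsigned sample tokens are assumptions made for illustration.

```python
import base64
import json
import time

def token_claims(token):
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def seconds_until_expiry(token, now=None):
    """Remaining validity in seconds, or None for a token without an exp claim."""
    exp = token_claims(token).get("exp")
    if exp is None:
        return None
    return exp - (time.time() if now is None else now)

class ReloadingTokenFile:
    """Re-reads the token from disk once the cached copy is older than reload_after."""
    def __init__(self, path, reload_after=60, clock=time.time):
        self.path, self.reload_after, self.clock = path, reload_after, clock
        self._token, self._loaded_at = None, None

    def token(self):
        now = self.clock()
        if self._token is None or now - self._loaded_at >= self.reload_after:
            with open(self.path) as f:
                self._token = f.read().strip()
            self._loaded_at = now
        return self._token

def make_sample_token(iat, exp):
    """Build a constructed, unsigned token carrying only iat and exp claims."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iat": iat, "exp": exp}), "sig"])

if __name__ == "__main__":
    one_year = 365 * 24 * 3600
    sample = make_sample_token(iat=0, exp=one_year)
    print("days left:", seconds_until_expiry(sample, now=one_year - 86400) / 86400)
```

A client that reads the file once at startup keeps presenting the first token until it expires, which is the failure described for the older client-go versions.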

Other pre-upgrade items

  • Back up control plane node data: All containers on control plane nodes are recreated during a version upgrade. Back up any container data before starting the upgrade.

  • CVE-2022-3172: This vulnerability may affect your cluster. Review the details and apply the fix described in CVE-2022-3172.

  • PodSecurityPolicy (PSP): PSP was deprecated in Kubernetes 1.21 and will be removed in Kubernetes 1.25. PSPs continue to work in 1.22. Start planning a migration to the PodSecurity admission controller. For details, see Pod security admission and PodSecurityPolicy deprecation: past, present, and future.

What's new

Feature gates enabled by default

The following feature gates are enabled by default in Kubernetes 1.22 (or earlier as noted).

Enabled since Kubernetes 1.21:

| Feature gate | Description |
| --- | --- |
| ImmutableEphemeralVolumes | Mark ConfigMaps and Secrets as immutable, significantly reducing API server load |
| IPv6DualStack | Enable IPv4/IPv6 dual-stack networking. Requires proper CIDR blocks and a CNI plug-in that supports dual-stack |
| GracefulNodeShutdown | kubelet detects node shutdown events and evicts pods within the shutdown grace period. Linux nodes only |
| EfficientWatchResumption | Resume the API server watch cache efficiently after restart. Useful for large-scale clusters |

Enabled since Kubernetes 1.22:

| Feature gate | Description |
| --- | --- |
| CSIStorageCapacity | kube-scheduler places pods on nodes with sufficient storage capacity for the required volume |
| DaemonSetUpdateSurge | Use .spec.strategy.rollingUpdate.maxSurge to allow extra pods during DaemonSet rolling updates |
| IndexedJob | Set .spec.completionMode=Indexed on a Job to assign each pod a unique index via the batch.kubernetes.io/job-completion-index annotation and JOB_COMPLETION_INDEX environment variable |
| MemoryManager | Enable non-uniform memory access (NUMA)-aware memory management for applications with guaranteed memory requirements. Linux nodes only. ACK does not configure memory reservation for this feature |
| PodAffinityNamespaceSelector | Apply pod affinity label selectors across namespaces rather than only within the same namespace |
| PodDeletionCost | Pods with lower resource utilization incur lower deletion costs during scale-down |
| PreferNominatedNode | kube-scheduler prioritizes nominated nodes; evaluates other nodes only if nominated nodes are unavailable |
| ProbeTerminationGracePeriod | Set a probe-level or pod-level terminationGracePeriodSeconds to shorten pod restart time after a failed liveness probe |
| NetworkPolicyEndPort | Specify port ranges in NetworkPolicy rules |
| LogarithmicScaleDown | Use randomized pod selection during scale-in to reduce the impact of pod topology spread constraints |
| SuspendJob | Suspend and resume Jobs to manage lifecycle more flexibly |
| ServiceInternalTrafficPolicy | Route internal Service traffic to node-local endpoints or all ready endpoints in the cluster |
| ServiceLoadBalancerClass | Customize load balancer implementation using .spec.loadBalancerClass |
| ServiceLBNodePortControl | Disable NodePort allocation for LoadBalancer Services by setting .spec.allocateLoadBalancerNodePorts=false, routing traffic directly to pods |
| SizeMemoryBackedVolumes | Set the size of emptyDir memory-backed volumes using emptyDir.sizeLimit. Linux nodes only |
| Server-side Apply | Track field-level changes to resource configurations, including the source, timestamp, and operation |
| CSRDuration | Set certificate validity to the smaller of .spec.expirationSeconds in the CSR and --cluster-signing-duration in kube-controller-manager. ACK default --cluster-signing-duration is 10 years |
| BoundServiceAccountTokenVolume | GA in Kubernetes 1.22. Default service account token validity is one year for tokens not mounted as projected volumes |

CSI integration with Windows containers (stabilized in 1.22):

The Container Storage Interface (CSI) integration with Windows containers is now stable. Use CSI Proxy to run storage operations on Windows nodes that do not support privileged containers (such as Windows Server 2019 and Windows Server version 2004). The CSI plug-in you use must support this feature. For details, see CSI Proxy.

New features

| Feature | ACK status | Description |
| --- | --- | --- |
| Volume health monitoring | Enabled by default | Detects the health status of persistent volumes (PVs) provisioned by the CSI plug-in to prevent reads and writes to unhealthy volumes. Requires CSI plug-in support. See Volume health monitoring |
| Memory QoS (cgroups v2) | Enabled by default | Applies memory throttling under resource contention using optimized cgroups v2 interfaces. Linux nodes only. Requires OS kernel support. See Memcg QoS feature of the cgroup v1 interface |
| Windows HostProcess containers | Enabled by default | Create Windows privileged containers using HostProcess containers. Requires OS kernel support. See Create a Windows HostProcess Pod |
| Swap memory | Disabled in ACK | Run workloads using swap memory to improve node stability under memory contention. Linux nodes only. See Swap memory management |
| Default seccomp profiles | Disabled in ACK | Apply the RuntimeDefault seccomp profile by default. Workloads with fewer syscall restrictions may fail when this is enabled. Linux nodes only |

Feature updates

  • PodSecurityPolicy (PSP): PSP was deprecated in Kubernetes 1.21 and will be removed in Kubernetes 1.25. ACK provides pod security policies as an alternative. See Pod security admission.

  • Topology Aware Hints: The topologyKeys field was deprecated in Kubernetes 1.21. Use the Topology Aware Hints feature instead to enable Service topology-aware routing. Service topology is disabled by default in ACK 1.22 clusters. See Topology Aware Hints.

ACK Lingjun enhancements

Observability

  • Additional metrics for Kubernetes API server access and request patterns improve API server observability.

  • Key metrics for control plane components can now be collected from ACK Lingjun clusters.

Stability

  • Storage resource protection reduces etcd load during cold starts.

  • API server traffic throttling based on request source, type, and route reduces etcd load during cold starts.

Performance improvements

  • kubelet: During in-place kubelet upgrades, the system prevents pod restarts on a best-effort basis. See the related Kubernetes issue.

  • kube-proxy: kube-proxy is now compatible with Alibaba Cloud Linux 2 (kernel 4.19.91-23 and later). When IP Virtual Server (IPVS) mode is enabled, conn_reuse_mode is no longer set to 0. See the related Kubernetes issue.

Fixed issues

References