
Container Service for Kubernetes: (End of maintenance) Kubernetes 1.20 version guide for ACK

Last Updated: Mar 26, 2026

Container Service for Kubernetes (ACK) conforms to the Certified Kubernetes Conformance Program. This topic lists the changes ACK has made to support Kubernetes 1.20, including 6 action items required before upgrading, 5 deprecations, and several new features and ACK-specific enhancements.

Component versions

| Core component | Version | Notes |
| --- | --- | --- |
| Kubernetes | 1.20.11 | See action items below before upgrading. |
| Docker Runtime | 19.03.5 | Deprecated in this release; existing clusters continue to work. |
| Containerd Runtime | 1.4.4 | None |
| etcd | 3.4.3 | None |
| CSI (Container Storage Interface) | 1.26 | None |
| CoreDNS | 1.7.0 | Metric names updated; upstream plug-in removed. |
| NVIDIA Container Runtime | 3.4.1 | None |

Action required before upgrading

Important

Review each item below before upgrading an ACK cluster to Kubernetes 1.20. Some items require changes to your workloads or cluster configuration before the upgrade.

Check admission webhook certificates for SANs

Self-signed server certificates for admission webhooks must include the required subject alternative names (SANs). Verify that your admission webhook certificates include the required SANs before upgrading. For an example of a compliant certificate configuration, see the sample Helm chart.

Migrate away from selfLink

What changed: The selfLink field is deprecated in Kubernetes 1.20 and returns empty values.

Who is affected: Applications that read the selfLink field from API responses, and clusters using the open-source nfs-client-provisioner.

What to do:

  • Update any application that reads selfLink from API responses.

  • If you use nfs-client-provisioner, update it to a version that does not rely on selfLink.

For details, see Stop setting SelfLink in kube-apiserver.

Update alicloud-nas-controller before upgrading (FlexVolume clusters only)

Who is affected: Clusters with both FlexVolume and alicloud-nas-controller deployed.

What to do: Update the alicloud-nas-controller image to 1.14.8.17-7b898e5-aliyun or later before upgrading to Kubernetes 1.20.

FlexVolume is deprecated. To migrate to Container Storage Interface (CSI), see Upgrade from FlexVolume to CSI.

Update CoreDNS metric names

CoreDNS 1.7.0 renames existing metrics. If your monitoring system collects CoreDNS metrics, update the metric names before upgrading. For the full list of changes, see Metric changes.

Note

The upstream plug-in is no longer supported. If upstream is specified in your Corefile, it is automatically removed when CoreDNS is upgraded.

Fix exec probe timeouts

What changed: Kubernetes 1.20 fixes a long-standing bug where kubelet ignored the timeoutSeconds setting for exec probes. Before this fix, exec probes ran indefinitely instead of timing out. After the fix, the default timeout is 1 second.

Who is affected: Any pod with an exec probe that takes longer than 1 second and does not have timeoutSeconds explicitly set. These probes will now fail after 1 second.

What to do: Before upgrading, audit your pod definitions for exec probes without an explicit timeoutSeconds. Set timeoutSeconds to an appropriate value.
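The audit described above, as an added example (not ACK tooling): it scans Pods, templated workloads and CronJobs in a JSON document, either source manifests or the output of kubectl get ... -o json, for exec probes that will run with the 1-second timeout. Objects read back from the API server always carry timeoutSeconds because defaulting fills in 1, so a value of 1 is flagged alongside a missing field. The sample objects and function names are constructed for illustration.

```python
import json

PROBE_FIELDS = ("livenessProbe", "readinessProbe", "startupProbe")

# Constructed sample: a Deployment manifest and a Pod as returned by the API server.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Deployment", "metadata": {"name": "report", "namespace": "batch"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "worker", "livenessProbe": {"exec": {"command": ["/bin/check.sh"]}}},
   {"name": "proxy", "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}
  ]}}}},
 {"kind": "Pod", "metadata": {"name": "db-0", "namespace": "data"},
  "spec": {"containers": [
   {"name": "db",
    "readinessProbe": {"exec": {"command": ["pg_isready"]}, "timeoutSeconds": 1},
    "livenessProbe": {"exec": {"command": ["pg_isready"]}, "timeoutSeconds": 5}}
  ]}}
]}
""")

def pod_spec(obj):
    """Return the pod spec of a Pod, a templated workload, or a CronJob."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    return spec

def audit_exec_probes(doc):
    """List (namespace, name, container, probe, timeoutSeconds) needing review."""
    findings = []
    for obj in doc.get("items", [doc]):
        meta = obj.get("metadata", {})
        for ctr in pod_spec(obj).get("containers", []):
            for field in PROBE_FIELDS:
                probe = ctr.get(field) or {}
                timeout = probe.get("timeoutSeconds")
                # Only exec probes change behaviour. None means the manifest never
                # set a timeout; 1 is either explicit or filled in by API defaulting.
                if "exec" in probe and timeout in (None, 1):
                    findings.append((meta.get("namespace", "default"),
                                     meta.get("name"), ctr["name"], field, timeout))
    return findings

if __name__ == "__main__":
    for finding in audit_exec_probes(SAMPLE):
        print(*finding)
```

Each reported probe should be timed against its real command and given an explicit timeoutSeconds that covers the slowest healthy run.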

Update Ingress API version

The extensions/v1beta1 and networking.k8s.io/v1beta1 API versions for Ingresses and IngressClasses will be deprecated in Kubernetes versions later than 1.22. Migrate to networking.k8s.io/v1 before upgrading to 1.22.

Note

ACK clusters include the NGINX Ingress controller by default. It currently supports networking.k8s.io/v1beta1. Plan your migration to networking.k8s.io/v1 before upgrading to Kubernetes 1.22.
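The field changes behind this migration, as an added example (not ACK or Kubernetes project code): a converter from the v1beta1 Ingress shape to networking.k8s.io/v1. In v1, spec.backend becomes spec.defaultBackend, serviceName/servicePort become service.name and service.port.number or service.port.name, and pathType is required. The sample Ingress and function names are constructed for illustration.

```python
import copy

# Constructed sample Ingress in the v1beta1 shape.
SAMPLE_V1BETA1 = {
    "apiVersion": "networking.k8s.io/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "shop", "namespace": "web"},
    "spec": {
        "backend": {"serviceName": "fallback", "servicePort": 80},
        "rules": [{"host": "shop.example.com", "http": {"paths": [
            {"path": "/", "backend": {"serviceName": "web", "servicePort": "http"}},
            {"path": "/api", "pathType": "Prefix",
             "backend": {"serviceName": "api", "servicePort": 8080}},
        ]}}],
    },
}

def convert_backend(old):
    """Map a v1beta1 backend to the v1 shape."""
    if "resource" in old:                      # resource backends keep their form
        return {"resource": old["resource"]}
    port = old["servicePort"]
    # An integer servicePort becomes port.number, a string becomes port.name.
    key = "number" if isinstance(port, int) else "name"
    return {"service": {"name": old["serviceName"], "port": {key: port}}}

def ingress_to_v1(old):
    """Return a networking.k8s.io/v1 copy of a v1beta1 Ingress dict."""
    new = copy.deepcopy(old)                   # leave the input manifest untouched
    new["apiVersion"] = "networking.k8s.io/v1"
    spec = new.get("spec", {})
    if "backend" in spec:                      # renamed to defaultBackend in v1
        spec["defaultBackend"] = convert_backend(spec.pop("backend"))
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            path["backend"] = convert_backend(path["backend"])
            # pathType is mandatory in v1; v1beta1 treated a missing value as
            # ImplementationSpecific, so keep that behaviour explicit.
            path.setdefault("pathType", "ImplementationSpecific")
    return new

if __name__ == "__main__":
    import json
    print(json.dumps(ingress_to_v1(SAMPLE_V1BETA1), indent=2))
```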

Deprecations

| Deprecated item | Replacement | Removed in |
| --- | --- | --- |
| Docker Runtime | Containerd Runtime | A future Kubernetes release |
| node-role.kubernetes.io/master label | node-role.kubernetes.io/control-plane | Kubernetes versions later than 1.20 |
| extensions/v1beta1 / networking.k8s.io/v1beta1 for Ingress | networking.k8s.io/v1 | Kubernetes versions later than 1.22 |
| selfLink field | N/A (removed from API) | Kubernetes versions later than 1.20 |
| FlexVolume | CSI (Container Storage Interface) | A future release |

On Docker Runtime deprecation: In Kubernetes 1.20, Docker is marked as deprecated — not removed. Existing clusters continue to work without any changes. Container images built with Docker are unaffected; this change applies only to the container runtime, not the image format. As an ACK user on a managed service, you do not need to take immediate action. You will need to migrate worker nodes to a supported container runtime before Docker support ends in a future release. For details, see Dockershim Deprecation FAQ.

On master node label: ACK dedicated clusters now add the node-role.kubernetes.io/control-plane label to master nodes by default. The node-role.kubernetes.io/master label is deprecated in Kubernetes versions later than 1.20.

What's new

API Priority and Fairness

API Priority and Fairness (APF) is available in public preview and enabled by default. APF lets you limit and prioritize API requests to kube-apiserver. See API Priority and Fairness for details.

EndpointSlice enabled by default

kube-proxy uses EndpointSlice by default in Kubernetes 1.19 and later. EndpointSlice improves scalability for large clusters. See EndpointSlices for details.

Immutable ConfigMaps and Secrets (public preview)

Mark a ConfigMap or Secret as immutable to prevent accidental modifications. Immutable resources also reduce the load on kube-apiserver. See Immutable ConfigMaps for details.

Windows container enhancements

  • EndpointSlice is enabled by default for Windows containers.

  • Device plug-ins are now supported. See Device plug-ins for details.

ACK-specific enhancements

Control plane improvements

  • Observability: Metrics are now collected for both request operations and watch operations, giving you better visibility into control plane component behavior.

  • Stability: kube-apiserver now protects etcd against excessive requests during cluster startup, improving resilience during cold-start scenarios.

  • Performance: List request processing is accelerated by new indexes, reducing kube-apiserver CPU usage under heavy read loads.

kube-proxy compatibility with Alibaba Cloud Linux 2

In Kubernetes 1.20.11, kube-proxy is compatible with Alibaba Cloud Linux 2 with kernel version 4.19.91-23 or later. When IPVS mode is enabled, conn_reuse_mode is not set to 0. For background, see IPVS.

Virtual node scheduling (applies after upgrading to Kubernetes 1.22 or later)

After upgrading to Kubernetes 1.22 or later, virtual node scheduling is enabled by default. Pods scheduled to virtual nodes are subject to:

  • Taints on virtual nodes

  • Node affinity

  • Pod affinity/anti-affinity rules

  • Topology spread constraints

To keep the pre-upgrade scheduling behavior, clear Enable Virtual Node-based Pod Scheduling in the kube-scheduler settings. For configuration steps, see Custom parameters of kube-scheduler.
