Container Service for Kubernetes: (Discontinued) ACK release notes for Kubernetes 1.22

Last Updated: Mar 26, 2026

Alibaba Cloud Container Service for Kubernetes (ACK) is a certified Kubernetes-conformant platform. These release notes cover changes introduced with the Kubernetes 1.22 release on ACK.

Before you upgrade

Important

Kubernetes 1.22 permanently removes multiple beta APIs. Before upgrading your cluster, complete the following checks — controllers or applications that call removed APIs will stop working after the upgrade.

Required actions:

  • API migration (blocking): Kubernetes 1.22 removes all v1beta1 APIs listed in Removed beta APIs. Migrate every affected resource to the v1 stable version before upgrading. Existing resources created with beta APIs are not affected, but any controller or tooling that calls a removed API will fail after the upgrade.

  • Docker runtime migration: Dockershim is scheduled for removal in Kubernetes 1.24. Before upgrading to 1.24, migrate your nodes from Docker to containerd using the node pool upgrade feature. For dedicated clusters, master nodes migrate automatically during the cluster upgrade — all containers on master nodes are recreated, so back up any custom containers that require data persistence before the upgrade. For Windows nodes, continue using Docker EE due to functional limitations of containerd on Windows.

  • NodePort range overlap (1.22.10+): In Kubernetes 1.22.10 and later, kube-proxy no longer listens on NodePort service ports. If the NodePort range (ServiceNodePortRange on the API server) overlaps with the kernel's net.ipv4.ip_local_port_range on any node, intermittent TCP connection failures will occur, causing failed health checks and service disruptions. Verify there is no overlap before upgrading to 1.22.10 or later. See How do I configure the NodePort range? and the Kubernetes community PR.

  • Service account token expiration: Service account tokens now have a one-year default validity period. Clients using client-go v11.0.0+ or v0.15.0+ automatically reload rotated tokens. Clients on older versions do not auto-reload and will fail to authenticate after token expiry; upgrade your client-go dependency if affected. See [Product Change] Resolve ServiceAccount token expiration issues in Kubernetes 1.22+.

  • Ingress controller upgrade: The ingress controller upgrade to version 1.1.0-aliyun.1 may cause brief service interruptions and configuration compatibility issues. Verify your configurations during the component upgrade before proceeding with the cluster upgrade.

  • CVE-2022-3172: This version may be affected by CVE-2022-3172. Review the impact and mitigation before upgrading.

  • Virtual node pod scheduling: After upgrading to Kubernetes 1.22 or later, scheduling pods to virtual nodes is enabled by default. Pod scheduling to virtual nodes is affected by taints on virtual nodes and any node affinity, pod affinity, or topology spread constraints defined on the pod. To preserve pre-upgrade behavior, disable the Enable Virtual Node-based Pod Scheduling option for the kube-scheduler component. See Custom parameters of kube-scheduler.

  • PodSecurityPolicy (PSP) migration: PSP is scheduled for removal in Kubernetes 1.25. The pod security admission controller is enabled by default in ACK — start migrating away from PSP now. See Pod Security Admission and the PodSecurityPolicy Deprecation blog post.

Component versions

| Component | Version | Release notes |
|---|---|---|
| Kubernetes | 1.22.15-aliyun.1 | See Before you upgrade and Key changes in Kubernetes 1.22 |
| etcd | 3.5.1 | None |
| CoreDNS | v1.9.3.6-32932850-aliyun | Non-disruptive upgrade. New: EndpointSlice watch support; DNS queries over IPv6 |
| CRI — Docker CE | 19.03.15 | None |
| CRI — Docker EE | Varies with Windows version | None |
| CRI — containerd | 1.4.8 | None |
| CSI | v1.26 | None |
| CNI — Flannel | 0.15.1.4-e02c8f12-aliyun | Non-disruptive upgrade. New: Kubernetes 1.22 APIVersion compatibility for Authorization and similar resources; HostPort service exposure; hairpin mode |
| CNI — Terway | | None |
| NVIDIA Container Runtime | 3.7.0 | None |
| Ingress controller | 1.1.0-aliyun.1 | May cause brief service interruptions and configuration compatibility issues. Verify configurations before proceeding with the cluster upgrade. |

Key changes in Kubernetes 1.22

Removed beta APIs

All v1beta1 API versions listed below are permanently removed. Calls to these APIs fail immediately after the upgrade.

| Resource | Removed API | Migrate to |
|---|---|---|
| MutatingWebhookConfiguration, ValidatingWebhookConfiguration | admissionregistration.k8s.io/v1beta1 | admissionregistration.k8s.io/v1 |
| CustomResourceDefinition (CRD) | apiextensions.k8s.io/v1beta1 | apiextensions.k8s.io/v1 |
| APIService | apiregistration.k8s.io/v1beta1 | apiregistration.k8s.io/v1 |
| TokenReview | authentication.k8s.io/v1beta1 | authentication.k8s.io/v1 |
| SubjectAccessReview | authorization.k8s.io/v1beta1 | authorization.k8s.io/v1 |
| CertificateSigningRequest | certificates.k8s.io/v1beta1 | certificates.k8s.io/v1 |
| Lease | coordination.k8s.io/v1beta1 | coordination.k8s.io/v1 |
| Ingress, IngressClass | networking.k8s.io/v1beta1, extensions/v1beta1 | networking.k8s.io/v1 |
| ClusterRole, ClusterRoleBinding, Role, RoleBinding | rbac.authorization.k8s.io/v1beta1 | rbac.authorization.k8s.io/v1 |
| CSIDriver, CSINode, StorageClass, VolumeAttachment | storage.k8s.io/v1beta1 | storage.k8s.io/v1 |
| PriorityClass | scheduling.k8s.io/v1beta1 | scheduling.k8s.io/v1 |
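
The table above turned into a pre-upgrade check: an added example (not part of the ACK documentation or tooling) that scans YAML manifests for the listed apiVersion/kind pairs and prints the v1 target. The function name `find_removed_apis` and the sample manifests are constructed for illustration; matching on kind as well as apiVersion keeps beta kinds that are not in the table out of the report.

```sh
# Added example, not ACK tooling. Each row: removed apiVersion, then the kinds the table lists.
REMOVED_APIS='admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration ValidatingWebhookConfiguration
apiextensions.k8s.io/v1beta1 CustomResourceDefinition
apiregistration.k8s.io/v1beta1 APIService
authentication.k8s.io/v1beta1 TokenReview
authorization.k8s.io/v1beta1 SubjectAccessReview
certificates.k8s.io/v1beta1 CertificateSigningRequest
coordination.k8s.io/v1beta1 Lease
networking.k8s.io/v1beta1 Ingress IngressClass
extensions/v1beta1 Ingress IngressClass
rbac.authorization.k8s.io/v1beta1 ClusterRole ClusterRoleBinding Role RoleBinding
storage.k8s.io/v1beta1 CSIDriver CSINode StorageClass VolumeAttachment
scheduling.k8s.io/v1beta1 PriorityClass'

# find_removed_apis [FILE...]: scan multi-document YAML (files or stdin); prints
# "KIND OLD -> NEW" per hit on top-level apiVersion/kind, returns 1 if any hit.
find_removed_apis() {
  REMOVED_APIS="$REMOVED_APIS" awk '
    BEGIN { n = split(ENVIRON["REMOVED_APIS"], rows, "\n")
            for (i = 1; i <= n; i++) { m = split(rows[i], f, " ")
              for (j = 2; j <= m; j++) removed[f[1] SUBSEP f[j]] = 1 } }
    function val(s) {   # "key: value  # note" -> bare, unquoted value
      sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t\r]*(#.*)?$/, "", s)
      gsub(/["\047]/, "", s); return s
    }
    function report(   new) {
      if ((api SUBSEP kind) in removed) {
        new = (api == "extensions/v1beta1") ? "networking.k8s.io/v1" : api
        sub(/v1beta1$/, "v1", new); print kind, api, "->", new; hits++
      }
      api = kind = ""
    }
    FNR == 1 || /^---/ { report() }   # new file or new YAML document
    /^apiVersion:/ { api = val($0) }
    /^kind:/       { kind = val($0) }
    END { report(); exit (hits > 0) }
  ' "$@"
}
# Constructed sample manifests; the storage.k8s.io/v1beta1 kind is not in the table.
find_removed_apis <<'EOF' || echo "migrate the resources listed above before upgrading"
apiVersion: extensions/v1beta1
kind: Ingress
---
apiVersion: "rbac.authorization.k8s.io/v1beta1"  # quoted value with a comment
kind: ClusterRole
---
apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
EOF
```

This covers manifests kept in source control; controllers and tooling that call the removed APIs at runtime still need to be checked separately.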

Deprecations

  • Dockershim is deprecated and scheduled for removal in Kubernetes 1.24. See EP-2221 and cri-containerd. Before upgrading to Kubernetes 1.24, transition Docker-based nodes to a non-Docker runtime:

    1. Plan the capacity (instance types and count) for nodes that use a non-Docker runtime, based on the number of pods.

    2. Scale out the new nodes during off-peak hours.

    3. Drain the Docker-based nodes one by one. After draining each node, verify that your application pods have recovered before draining the next.

    4. Remove Docker-based nodes after all are drained and running no workloads.

  • NodePort kube-proxy behavior change (1.22.10+): In Kubernetes 1.22.10 and later, kube-proxy no longer listens on NodePort service ports. If the NodePort range (ServiceNodePortRange) overlaps with the kernel's net.ipv4.ip_local_port_range on any node, intermittent TCP connection failures will occur. Verify there is no overlap before upgrading. See How do I configure the NodePort range? and the Kubernetes community PR.
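
One way to run the overlap check described above and under Before you upgrade, as an added example that is not ACK tooling. The function name is hypothetical, the sample sysctl values are constructed, and 30000-32767 is the upstream Kubernetes default NodePort range; substitute the range configured on your API server.

```sh
# Added example (not ACK tooling): does the NodePort range collide with the
# node's ephemeral port range? All sample values below are constructed.

# check_nodeport_overlap "LO-HI" "LO HI"
#   $1  NodePort range in the API server's LO-HI form
#   $2  contents of /proc/sys/net/ipv4/ip_local_port_range (tab or space separated)
# Prints a verdict; returns 0 = disjoint, 1 = overlap, 2 = unparsable input.
check_nodeport_overlap() {
  case $1 in *-*) ;; *) echo "bad NodePort range: $1" >&2; return 2 ;; esac
  np_lo=${1%%-*}; np_hi=${1#*-}
  set -- $2                      # word-split the kernel's "LO<TAB>HI" pair
  lp_lo=${1:-}; lp_hi=${2:-}
  for v in "$np_lo" "$np_hi" "$lp_lo" "$lp_hi"; do
    case $v in ''|*[!0-9]*) echo "bad port value: '$v'" >&2; return 2 ;; esac
  done
  # Two closed intervals intersect when each starts before the other ends.
  if [ "$np_lo" -le "$lp_hi" ] && [ "$lp_lo" -le "$np_hi" ]; then
    lo=$np_lo; [ "$lp_lo" -gt "$lo" ] && lo=$lp_lo
    hi=$np_hi; [ "$lp_hi" -lt "$hi" ] && hi=$lp_hi
    echo "OVERLAP: ports $lo-$hi can be taken by both NodePort Services and outbound connections"
    return 1
  fi
  echo "OK: NodePort $np_lo-$np_hi and local ports $lp_lo-$lp_hi are disjoint"
  return 0
}

# Constructed inputs: the default NodePort range against three sysctl values.
for local_range in "32768 60999" "1024 65535" "32000 60999"; do
  check_nodeport_overlap "30000-32767" "$local_range" || true
done
# On a node, pass the live value instead:
#   check_nodeport_overlap "30000-32767" "$(cat /proc/sys/net/ipv4/ip_local_port_range)"
```

Run it on every node pool, since the sysctl is a per-node setting and a single node with a widened local range is enough to cause the intermittent failures.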

Default-enabled feature gates

The following feature gates are enabled by default in Kubernetes 1.22.

Workloads and scheduling

  • ImmutableEphemeralVolumes: Mark ConfigMaps and Secrets as immutable to reduce API server load. See Secrets and ConfigMaps.

  • DaemonSetUpdateSurge: During a DaemonSet rolling update, set .spec.strategy.rollingUpdate.maxSurge to define the maximum number of pods that can be created above the desired count. See Perform a rolling update on a DaemonSet.

  • IndexedJob: Set .spec.completionMode to Indexed in a Job to assign each pod a completion index annotation (batch.kubernetes.io/job-completion-index) and environment variable (JOB_COMPLETION_INDEX). See Introducing Indexed Jobs.

  • SuspendJob: Suspend and resume a Job to control its lifecycle. See Introducing suspended Jobs.

  • PodDeletionCost: Influence pod termination order during scale-down by setting a deletion cost — pods with lower utilization receive lower cost and are terminated first. See ReplicaSet.

  • PodAffinityNamespaceSelector: Pod affinity policies now support label selection across namespaces, enabling more flexible cross-namespace scheduling. See KEP-2249.

  • PreferNominatedNode: The kube-scheduler prioritizes scheduling pods onto nominated nodes, evaluating other nodes only when all nominated nodes are unsuitable. See KEP-1923.

  • LogarithmicScaleDown: Pod termination is randomized during scale-down to mitigate issues related to topology spread constraints. See KEP-2185.

  • ProbeTerminationGracePeriod: Configure a probe-level terminationGracePeriodSeconds on liveness probes to reduce the wait time before a failed pod is restarted. See Configure liveness, readiness and startup probes.

Node and runtime

  • GracefulNodeShutdown (Linux only): The kubelet is notified of a pending node shutdown, allowing it to gracefully terminate pods within a specified shutdown period. See Graceful node shutdown.

  • MemoryManager (Linux only): Provides Non-Uniform Memory Access (NUMA)-aware memory management, improving performance for applications with specific memory requirements. ACK does not configure any memory reservations for this feature. See Runtime memory maps and Control CPU management policies on the node.

  • SizeMemoryBackedVolumes (Linux only): Explicitly define the size of a memory-backed emptyDir volume using emptyDir.sizeLimit, improving pod scheduling transparency. See KEP-1967.

  • CSI support for Windows containers (stable): On operating systems that do not support privileged containers — such as Windows Server 2019 and Windows Server Core version 2004 — Windows containers can manage host storage using a CSI proxy. Requires a compatible CSI plugin. See csi-proxy.

Networking

  • IPv4/IPv6 dual-stack (IPv6DualStack): Configure valid IPv4 and IPv6 CIDR blocks when creating the cluster and install a CNI plugin that supports dual-stack networking. See IPv4/IPv6 dual-stack.

  • NetworkPolicyEndPort: Define a range of ports in a NetworkPolicy. See Network Policies.

  • ServiceInternalTrafficPolicy: Route a Service's internal traffic to ready endpoints on the current node (Local) or to all ready endpoints cluster-wide (Cluster). See Service internal traffic policy.

  • ServiceLoadBalancerClass: Use a custom load balancer implementation. See Specifying the class of load balancer implementation.

  • ServiceLBNodePortControl: Disable NodePort allocation for LoadBalancer-type Services by setting .spec.allocateLoadBalancerNodePorts to false, for scenarios where traffic routes directly to pods. See Disabling load balancer NodePort allocation.

Storage

  • CSIStorageCapacity: The kube-scheduler considers a node's storage capacity when scheduling pods that require a specific volume size, producing faster scheduling decisions. See Storage Capacity.

Authentication and API

  • EfficientWatchResumption: Watch-based caches restore more efficiently after an API server restart, improving performance in large-scale clusters. See KEP-1904.

  • Server-Side Apply (GA): Track the source, time, and operation for changes to a resource's fields. See Server-Side Apply.

  • BoundServiceAccountTokenVolume (GA): Service account tokens mounted into pods using non-projected volumes now have a default validity period of one year. The kubelet automatically rotates these tokens. Clients using client-go v11.0.0+ or v0.15.0+ automatically reload the new token from disk. See the feature documentation.

  • CSRDuration: When submitting a CertificateSigningRequest (CSR) with .spec.expirationSeconds, the issued certificate's validity is the lesser of the requested duration and the controller manager's --cluster-signing-duration parameter. The default value in ACK is 10 years. See Signers.

New features

  • Persistent volume (PV) health monitoring: Workloads can detect the health of their PV, preventing reads or writes to a faulty volume. CSI volume health monitoring is enabled by default in ACK. Requires support from the underlying CSI plugin. See Volume Health Monitoring.

  • Memory Quality of Service (QoS) based on cgroup v2: Unlike CPU, memory cannot be throttled when resources are constrained. The Linux kernel community optimized cgroup v2 to support memory throttling. Memory QoS is enabled by default in ACK and is available only on Linux nodes with a supported kernel. See memcg QoS feature of the cgroup v1 interface and 2570-memory-qos.

  • Windows HostProcess containers: Run privileged containers on Windows nodes. Windows HostProcess containers are enabled by default in ACK and require support from the node's operating system. See What's new for Windows containers on Windows Server 2022 and Create a Windows HostProcess pod.

  • Node swap memory (disabled by default): Workloads can use node swap memory, useful for applications that perform better with swap or for improving node stability under memory pressure. Available on Linux nodes only. Disabled by default in ACK. See Swap memory management and KEP-2400.

  • Default seccomp profile (disabled by default): Configure a default seccomp profile for all workloads. When enabled, it applies the RuntimeDefault seccomp profile by default. Because some workloads may require fewer system call restrictions, this feature is disabled by default in ACK to avoid unexpected failures. Available on Linux nodes only. See Enable the use of RuntimeDefault as the default seccomp profile for all workloads.

Feature replacements

  • PodSecurityPolicy (PSP) replaced by pod security admission controller: PSP is deprecated and scheduled for removal in Kubernetes 1.25. The pod security admission controller is enabled by default in ACK. Migrate your existing PSP resources in Kubernetes 1.22. See Pod Security Admission and the PodSecurityPolicy Deprecation blog post.

  • ServiceTopology replaced by Topology Aware Hints: The ServiceTopology feature, configured using the topologyKeys field in a Service, is deprecated and replaced by Topology Aware Hints. ServiceTopology is disabled by default in ACK. If you have enabled ServiceTopology, enable Topology Aware Hints in Kubernetes 1.22 and migrate to it. See Topology Aware Hints.

ACK enhancements for Kubernetes 1.22

Observability

  • Additional metrics for API server access requests, improving API server observability.

  • For ACK Pro, ACK Serverless Pro, and ACK Edge Pro clusters, ACK now exposes key metrics for control plane components to improve control plane observability.

Stability

The following improvements apply to all cluster types:

  • Storage layer protection to reduce the impact on etcd during cold starts.

  • API server traffic throttling based on a combination of request source, type, or route to reduce API server impact during cold starts.

Performance optimizations

Bug fixes
