
Container Service for Kubernetes: (Discontinued) Kubernetes 1.24 release notes

Last Updated: Mar 26, 2026

ACK is a Certified Kubernetes Conformance Program participant. This document covers the changes ACK has made to support Kubernetes 1.24.

Important

Before upgrading to Kubernetes 1.24, review the breaking changes below. Several require action before the upgrade.

  • Dockershim removed: Docker is no longer supported as a container runtime. Use containerd for new nodes. Docker images still work.

  • NodePort port conflict: kube-proxy no longer reserves NodePort ports. If any NodePort Service in your cluster uses a port in the net.ipv4.ip_local_port_range range of a node, TCP connections may fail intermittently after the upgrade, causing health check failures and service exceptions. Verify that no NodePort port overlaps with the kernel parameter net.ipv4.ip_local_port_range on each node before upgrading. See the Kubernetes community PR.

  • NGINX Ingress Controller: Ingress Controller 0.44.0 and earlier use the deprecated Ingress API v1beta1 and cannot run on Kubernetes 1.24. Upgrade the NGINX Ingress Controller to 1.2.0 or later before upgrading from 1.22 to 1.24.

  • Service account tokens: The LegacyServiceAccountTokenNoAutoGeneration feature gate is now enabled by default. The Secret API no longer auto-generates Secrets for service account tokens. Use the TokenRequest API to generate tokens. All tokens issued by the TokenRequest API expire by default. To create a non-expiring token, see service-account-token-secrets.

  • Control plane node labels (ACK dedicated clusters): kubeadm no longer adds the node-role.kubernetes.io/master label to control plane nodes — only node-role.kubernetes.io/control-plane is added. Both node-role.kubernetes.io/master:NoSchedule and node-role.kubernetes.io/control-plane:NoSchedule taints are applied. The node-role.kubernetes.io/master:NoSchedule taint will be removed in Kubernetes 1.25.

Component versions

| Component | Version | Changes |
| --- | --- | --- |
| Kubernetes | 1.24.6-aliyun.1 | See breaking changes above and Version details. |
| etcd | 3.5.4 | None |
| CoreDNS | 1.9.3.6-32932850-aliyun | See CoreDNS. |
| Container Runtime Interface (CRI) | containerd 1.5.13 | None |
| Container Storage Interface (CSI) | 1.26 | None |
| Container Network Interface (CNI) | Flannel v0.15.1.13-941db231-aliyun | See Flannel. |
| | Terway (must be later than 1.1.0) | |
| NVIDIA Container Runtime | 3.7.0 | None |
| Ingress Controller | 1.2.0-aliyun.1 | See Ingress Controller. |

CoreDNS

The update to CoreDNS 1.9.3.6-32932850-aliyun does not affect running workloads. Changes include:

  • Affinity settings for CoreDNS scheduling are optimized, enabling CoreDNS to run on clusters with auto-scaling nodes.

  • Caching of ServError DNS resolution results is disabled.

  • Pod anti-affinity based on hostnames changes from preferred to required, forcing anti-affinity rules within the topological domains of specified nodes.

  • Custom parameters are supported.

  • Log parsing is enabled by default.

Flannel

  • An init container for installing the Flannel plugin is added.

  • /var/run is now the default directory for caching IP addresses, preventing IP leaks when nodes restart.

  • ARM64 instances are supported.

  • CVE-2022-28391 and CVE-2022-37434 are fixed.

Ingress Controller

Important

Ingress Controller 0.44.0 and earlier use the Ingress API v1beta1, which was retained in Kubernetes 1.22 but is not available in Kubernetes 1.24. Upgrade the NGINX Ingress Controller to 1.2.0 or later before upgrading your cluster from 1.22 to 1.24.

The update may temporarily interrupt workloads and cause compatibility issues with workload configurations. Evaluate the impact before upgrading.

Version details

Breaking changes

Dockershim removed

Dockershim is removed in Kubernetes 1.24. Docker is not supported as a container runtime. Docker images continue to work — only the runtime changes. Use containerd for new nodes. See Dockershim Removal FAQ and the related GitHub issue.

kube-apiserver memory increase (Go 1.18 garbage collection)

Kubernetes 1.24 compiles with Go 1.18, which changes the garbage collection algorithm. The result: 99th percentile API response latency is reduced by 10x, but kube-apiserver memory usage increases by roughly 25%. To reduce memory usage back to previous levels, set the GOGC environment variable to 63.

Service account token auto-generation disabled

The LegacyServiceAccountTokenNoAutoGeneration feature gate is enabled by default. The Secret API no longer auto-generates Secrets for service account tokens. Use the TokenRequest API to generate tokens. All tokens issued by the TokenRequest API expire by default. To create a non-expiring token, see service-account-token-secrets.
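
To inventory which service account tokens are bound (expiring, issued through the TokenRequest API) and which are legacy Secret-based tokens that never expire, inspect the JWT payload for an exp claim. The script below is an added example, not part of the ACK documentation; the function names and sample claims are constructed for illustration, and the token signature is not verified.

```shell
#!/bin/sh
# Added example: tell bound (expiring) service account tokens from legacy ones.
# Claims are read WITHOUT verifying the signature: inventory use only.

# Decode one base64url segment (URL-safe alphabet, padding stripped).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# sa_token_kind TOKEN
#   Prints "bound exp=<unix time>" when the payload carries an exp claim
#   (TokenRequest API) and "legacy" when it does not (Secret-based token
#   that never expires). Returns 2 if TOKEN is not a decodable JWT.
sa_token_kind() {
    payload_seg=$(printf '%s' "$1" | cut -s -d. -f2)
    [ -n "$payload_seg" ] || return 2
    payload=$(b64url_decode "$payload_seg" 2>/dev/null) || return 2
    case "$payload" in
        '{'*) ;;
        *) return 2 ;;
    esac
    exp=$(printf '%s' "$payload" |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    if [ -n "$exp" ]; then
        echo "bound exp=$exp"
    else
        echo "legacy"
    fi
}

# Helpers that build constructed sample tokens (unsigned, not real credentials).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
make_sample_token() {
    printf '%s.%s.constructed-signature' \
        "$(b64url_encode '{"alg":"RS256"}')" "$(b64url_encode "$1")"
}

# Constructed claim sets modelled on the two token styles.
LEGACY_CLAIMS='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:build-bot"}'
BOUND_CLAIMS='{"aud":["https://kubernetes.default.svc"],"exp":1700003600,"iat":1700000000,"sub":"system:serviceaccount:default:build-bot"}'

sa_token_kind "$(make_sample_token "$LEGACY_CLAIMS")"
sa_token_kind "$(make_sample_token "$BOUND_CLAIMS")"
```

On a live cluster, `kubectl create token <service-account>` (kubectl 1.24 or later) returns a bound token that can be passed to sa_token_kind.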

Control plane node label change (ACK dedicated clusters)

kubeadm no longer applies the node-role.kubernetes.io/master label to control plane nodes. Only node-role.kubernetes.io/control-plane is added. Both node-role.kubernetes.io/master:NoSchedule and node-role.kubernetes.io/control-plane:NoSchedule taints are applied to new control plane nodes. The node-role.kubernetes.io/master:NoSchedule taint will be removed in Kubernetes 1.25.

NodePort port conflict with kernel parameter

kube-proxy no longer reserves ports for NodePort Services. If a NodePort Service uses a port within the net.ipv4.ip_local_port_range kernel parameter range on a node, TCP connections may fail intermittently. This can cause health check failures and service exceptions. Before upgrading, verify that no NodePort port in your cluster conflicts with the net.ipv4.ip_local_port_range value on any node. See the Kubernetes community PR.
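
The overlap check described above can be scripted. The following is an added example, not part of the ACK documentation; nodeport_conflicts and the sample ports and ranges are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upgrade check for NodePort / ephemeral port overlap.
#
# nodeport_conflicts RANGE PORT...
#   RANGE is the node's net.ipv4.ip_local_port_range value ("LOW HIGH",
#   space or tab separated). Prints the PORTs that fall inside [LOW, HIGH].
#   Returns 0 when none overlap, 1 when at least one does, 2 on a bad RANGE.
nodeport_conflicts() {
    range=$1
    shift
    low=$(printf '%s\n' "$range" | awk '{print $1}')
    high=$(printf '%s\n' "$range" | awk '{print $2}')
    case "$low" in ''|*[!0-9]*) echo "bad range: $range" >&2; return 2 ;; esac
    case "$high" in ''|*[!0-9]*) echo "bad range: $range" >&2; return 2 ;; esac
    conflicts=""
    for port in "$@"; do
        # Skip empty or non-numeric fields (Services without a nodePort).
        case "$port" in ''|*[!0-9]*) continue ;; esac
        if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
            conflicts="$conflicts $port"
        fi
    done
    [ -n "$conflicts" ] || return 0
    printf '%s\n' "${conflicts# }"
    return 1
}

# On a live cluster the inputs would come from:
#   kubectl get svc --all-namespaces \
#     -o jsonpath='{.items[*].spec.ports[*].nodePort}'
#   sysctl -n net.ipv4.ip_local_port_range        (run on every node)

# Constructed sample data: three NodePorts and two node settings.
SAMPLE_PORTS="30080 31443 32080"
for node_range in "32768 60999" "31000 60999"; do
    # SAMPLE_PORTS is left unquoted on purpose so it splits into arguments.
    if hits=$(nodeport_conflicts "$node_range" $SAMPLE_PORTS); then
        echo "ip_local_port_range [$node_range]: no NodePort overlap"
    else
        echo "ip_local_port_range [$node_range]: overlapping NodePorts: $hits"
    fi
done
```

A node that reports any overlapping port needs either its ip_local_port_range or the affected Service's nodePort changed before the upgrade.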

Security fix: CVE-2022-3172

New features

Storage capacity scheduling

CSIStorageCapacity reaches GA. The API exposes available storage capacity so that pods are scheduled only to nodes with sufficient storage, avoiding failures caused by volume creation or mounting errors. See Storage Capacity Constraints for Pod Scheduling.

gRPC probes (public preview)

gRPC probes are available for public preview. The GRPCContainerProbe feature gate is enabled by default. See Configure probes.

CSI plugin improvements

The CSI plugin now supports in-tree persistent volume (PV) deletion protection finalizers and migration of in-tree storage plugins to out-of-tree CSI drivers. See In-tree Storage Plugin to CSI Migration Design Doc.

CronJob time zone support

CronJobs now accept an optional timeZone parameter. Enable the CronJobTimeZone feature gate to run CronJobs in a specified time zone. This feature will reach public preview in Kubernetes 1.25.

kube-proxy Windows support

Two new kube-proxy options enable kube-proxy to run on Windows:

  • --forward-healthcheck-vip: Forwards health check requests destined for a Service's virtual IP address (VIP) to the kube-proxy health check Service.

  • --root-hnsendpoint-name: Specifies the name of the Host Networking Service (HNS) endpoint for the root network namespace.

OpenAPI V3

OpenAPI V3 is enabled by default.

SHA-1 certificate verification disabled

Certificates signed with the SHA-1 hash algorithm can no longer be verified by default. This is a consequence of Kubernetes 1.24 compiling with Go 1.18.

iptables chain for detecting iptables mode

kubelet creates a chain named KUBE-IPTABLES-HINT in the mangle table. Containerized components that need to modify iptables rules in the host network namespace can use this chain to reliably detect whether the system uses iptables-legacy or iptables-nft.

New and updated metrics

| Metric | Description |
| --- | --- |
| webhook_fail_open_count | Monitors webhook failures. |
| sync_proxy_rules_no_local_endpoints_total | Monitors Services with no internal endpoints (kube-proxy). |
| kubelet_volume_stats_health_abnormal | Monitors volume health status (kubelet). |
| evictions_total | Replaces the deprecated evictions_number. |

Features reaching GA in Kubernetes 1.23 (carried into 1.24)

  • Structured logging (public preview since 1.23): Components such as kube-scheduler and kubelet now log in structured key=value text format, for example verb="GET" URI="/healthz" latency="57.126µs" resp=200 instead of GET /healthz: (57.126µs) 200. Regular expressions are no longer needed to parse these logs. Logs can be printed in structured text or JSON format. By default, JSON-format logs are written to stderr. See Introducing Structured Logs.

  • StatefulSet `.spec.minReadySeconds`: Supported by default (public preview since 1.23). See Minimum Ready Seconds for StatefulSets.

  • CSI `StorageCapacity` field editable: CSIDriver.Spec.StorageCapacity can now be modified.

  • JobReadyPods: The number of pods in Ready state is shown in the Job status field.

  • CRD validation with CEL: The CustomResourceValidationExpressions feature gate uses Common Expression Language (CEL) via the x-kubernetes-validations extension to validate CustomResourceDefinitions (CRDs).

  • Windows ARM64 client binaries: Client-side binaries can be built for Windows on ARM64 (Go 1.17+ support).

  • client-go workqueue `Processing` state: When shutting down a workqueue in the Processing state, shutdown waits for all in-progress tasks to complete.

  • `admission_webhook_request_total` metric: Includes webhook name, admission type, operation, HTTP status code, rejection status, and resource namespace as labels.

  • API server metrics reach GA: controller_admission_duration_seconds, step_admission_duration_seconds, webhook_admission_duration_seconds, apiserver_current_inflight_requests, apiserver_response_sizes. A new metric monitors LIST requests to the Kubernetes API server.

  • Scheduler metrics reach GA: pending_pods, preemption_attempts_total, preemption_victims, schedule_attempts_total, scheduling_attempt_duration_seconds (formerly e2e_scheduling_duration_seconds), pod_scheduling_duration_seconds, pod_scheduling_attempts, framework_extension_point_duration_seconds, plugin_execution_duration_seconds, queue_incoming_pods_total.

  • kube-controller-manager health checks: All controllers are now included.

  • `pod.Spec.OS` enforcement: If the OS field is set on a pod but does not match the node's OS label, kubelet rejects the pod.

kubectl improvements (1.23–1.24)

  • kubectl logs now shows the first container's log by default.

  • kubectl describe ingress now shows IngressClasses.

  • kubectl version now shows the embedded Kustomize version.

  • kubectl get supports resource name tab-completion (for example, kubectl get pod pod1 <TAB>).

  • fish and PowerShell are now supported for code completion and hinting.

Deprecated and removed features

Removed in Kubernetes 1.24

| Item | Replacement |
| --- | --- |
| --network-plugin kubelet startup option (Docker-specific) | Removed along with Dockershim. |
| --address, --insecure-bind-address, --port, --insecure-port=0 (kube-apiserver) | Removed. |
| --port=0, --address (kube-controller-manager, kube-scheduler) | Removed. |
| audit.k8s.io/v1alpha1 and audit.k8s.io/v1beta1 (kube-apiserver audit options) | Only audit.k8s.io/v1 is supported. |
| VolumeSnapshot CRD v1beta1 API (deprecated in Kubernetes 1.20) | Use v1. |
| Service annotation tolerate-unready-endpoints (deprecated in Kubernetes 1.11) | Use Service.spec.publishNotReadyAddresses. |
| Dynamic log cleanup | Feature removed. See Dynamic log sanitization and KEP-1753. |
| DynamicKubeletConfig feature gate (deprecated in Kubernetes 1.22) | Removed. |
| SetHostnameAsFQDN, ImmutableEphemeralVolumes, NamespaceDefaultLabelName feature gates (GA in Kubernetes 1.22) | Removed. |
| networking.k8s.io/v1alpha1 API version | Removed. |

Deprecated in Kubernetes 1.24

| Item | Replacement or note |
| --- | --- |
| Service.Spec.LoadBalancerIP | Deprecated; does not support IPv4/IPv6 dual stack. |
| metadata.clusterName | Deprecated; will be removed in the next release. |
| ValidateProxyRedirects, StreamingProxyRedirects feature gates | Deprecated. |
| CSIStorageCapacity.storage.k8s.io v1beta1 API | v1 is used; v1beta1 will be removed in Kubernetes 1.27. |

Deprecated in Kubernetes 1.23

| Item | Replacement or note |
| --- | --- |
| FlexVolume | Use out-of-tree CSI drivers. See Kubernetes Volume Plugin FAQ for Storage Vendors. |
| Specific klog command line flags | Kubernetes will progressively simplify component logs. See System Logs. |
| --experimental-patches (kubeadm init, join, upgrade) | Use --patches. Note: --patches and --config cannot be used together. |
| --log-file parameter | Use kube-log-runner. See kube-log-runner. |
| scheduler_volume_scheduling_duration_seconds metric | Deprecated. |
| apiserver_longrunning_gauge metric | Replaced by apiserver_longrunning_requests. |
| kubectl --dry-run without a mode | Specify `--dry-run=(server\|client\|none)`. |
| autoscaling/v2beta2 API version | HorizontalPodAutoscaler (HPA) v2 reaches GA; use autoscaling/v2. |

API changes

Kubernetes 1.24

| API version removed | Replacement |
| --- | --- |
| client.authentication.k8s.io/v1alpha1 | v1 |
| node.k8s.io/v1alpha1 | v1 |
| CSIStorageCapacity.storage.k8s.io/v1beta1 | v1 (v1beta1 removed in Kubernetes 1.27) |
| networking.k8s.io/v1alpha1 | Removed. |

Kubernetes 1.23

| API version removed | Replacement |
| --- | --- |
| rbac.authorization.k8s.io/v1alpha1 | rbac.authorization.k8s.io/v1 |
| scheduling.k8s.io/v1alpha1 | scheduling.k8s.io/v1 |

Other API changes in Kubernetes 1.23

  • HorizontalPodAutoscaler v2 reaches GA. The autoscaling/v2beta2 API version is deprecated.

  • Service.spec.ipFamilyPolicy is required when creating or updating IPv4/IPv6 dual stack Services. Set it to PreferDualStack or RequireDualStack.

  • Components configured via LogFormatRegistry must update to use the logr v1.0.0 API. JSON logs are exported in go-logr/zapr format.

Feature gates

Feature gates move through three stages: Alpha (disabled by default), Beta (enabled by default), and GA (always enabled, cannot be disabled). For full details, see Feature Gates.

Reaching GA in Kubernetes 1.24

| Feature gate | Notes |
| --- | --- |
| NonPreemptingPriority | GA. |
| IndexedJob | GA; cannot be disabled. |
| SuspendJob | GA; will be removed in Kubernetes 1.26. Allows suspending and resuming Jobs. |
| RemoveSelfLink | GA. Sets .metadata.selfLink to an empty string for all objects and collections. The field still exists in the API. Deprecated since Kubernetes 1.16. |
| PodAffinityNamespaceSelector | GA; will be removed in Kubernetes 1.26. Enables cross-namespace pod affinity rules. |
| CSRDuration | GA. Allows specifying certificate validity via the optional spec.expirationSeconds field in CertificateSigningRequest resources. Minimum value: 600. |

Public preview in Kubernetes 1.24 (enabled by default)

| Feature gate | Notes |
| --- | --- |
| JobReadyPods | Tracks the number of Ready pods created by a Job, recorded in the status field. |
| ServerSideFieldValidation | Validates resources server-side (instead of client-side) when running kubectl create or kubectl apply. |

Public preview in Kubernetes 1.24

| Feature gate | Notes |
| --- | --- |
| AnyVolumeDataSource | Allows custom resources as PersistentVolumeClaim (PVC) data sources. |

Enabled by default in Kubernetes 1.24

| Feature gate | Notes |
| --- | --- |
| LegacyServiceAccountTokenNoAutoGeneration | Disables auto-generation of Secrets for service account tokens. |

Deprecated in Kubernetes 1.24

| Feature gate | Notes |
| --- | --- |
| ValidateProxyRedirects | Deprecated. |
| StreamingProxyRedirects | Deprecated. |

Removed in Kubernetes 1.24

| Feature gate | Notes |
| --- | --- |
| DynamicKubeletConfig | Deprecated in Kubernetes 1.22; removed in 1.24. |
| SetHostnameAsFQDN, ImmutableEphemeralVolumes, NamespaceDefaultLabelName | Reached GA in Kubernetes 1.22; removed in 1.24. |

Reaching GA in Kubernetes 1.23

| Feature gate | Notes |
| --- | --- |
| TTLAfterFinished | Uses TTL controllers to clean up finished resource objects. |
| ConfigurableFSGroupPolicy | Configure volume permissions and ownership change policies. The volume_fsgroup_recursive_apply metric is renamed to volume_apply_access_control. |
| IPv4/IPv6 Dual-stack Networking | GA; the IPv6DualStack feature gate is removed. |
| CSIVolumeFSGroupPolicy | GA; always enabled. |
| IngressClassNamespacedParams | GA. Allows IngressClasses to reference namespace-scoped parameters. Adds scope and namespace fields to IngressClass.spec.parameters. |
| StorageObjectInUseProtection | GA in Kubernetes 1.11; will be removed in Kubernetes 1.25. Delays deletion of PVs or PVCs while in use. |
| NodeLease | The feature gate switch is removed; the feature is always enabled. Reached GA in Kubernetes 1.17. |

Public preview in Kubernetes 1.23

| Feature gate | Notes |
| --- | --- |
| StatefulSetAutoDeletePVC | Allows automatic deletion of PVCs created by StatefulSet pods. |
| PodSecurity | Public preview; enabled by default. Replaces the deprecated PodSecurityPolicy admission controller. |
| KubeletPodResourcesGetAllocatable | Enables the GetAllocatableResources endpoint by default. See GetAllocatableResources gRPC endpoint. |
| WindowsHostProcessContainers | Enables Windows HostProcess containers by default. |
| GenericEphemeralVolume | Enabled by default. Supports all standard volume capabilities: third-party storage drivers, volume snapshots, and storage capacity tracking. See Ephemeral Volumes. |

GA across Kubernetes 1.23–1.24 (cannot be disabled)

ConfigurableFSGroupPolicy, ControllerManagerLeaderMigration, CSIMigrationAzureDisk, CSIMigrationOpenStack, CSIStorageCapacity, CSIVolumeFSGroupPolicy, CSRDuration, CronJobControllerV2, DefaultPodTopologySpread, EfficientWatchResumption, ExpandCSIVolumes, ExpandInUsePersistentVolumes, ExpandPersistentVolumes, GenericEphemeralVolume, IPv6DualStack, IndexedJob, IngressClassNamespacedParams, NonPreemptingPriority, PodAffinityNamespaceSelector, PodOverhead, PreferNominatedNode, RemoveSelfLink, ServiceLBNodePortControl, ServiceLoadBalancerClass, SuspendJob, DynamicKubeletConfig, TTLAfterFinished.
