Container Service for Kubernetes:(Discontinued) Kubernetes 1.26 release notes

Breaking changes at a glance

Before upgrading to Kubernetes 1.26, review this summary of breaking changes:

• CRI v1alpha2 removed — Kubernetes 1.26 requires CRI v1. containerd 1.5 and earlier are not supported; upgrade containerd to 1.6.0 or later before upgrading your cluster.

• PodSecurityPolicy (PSP) removed — PSP was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25. Migrate to Pod Security Admission or a third-party admission webhook before upgrading.

• Beta APIs deprecated — Multiple beta APIs are removed in Kubernetes 1.25 and 1.26. Check whether your controllers and applications use any of the deprecated APIs listed in Deprecated APIs and migrate to the stable versions.

• kube-proxy userspace mode removed — --mode userspace now returns an error. Use iptables or IPVS on Linux, or kernelspace on Windows.

• In-tree credential code removed — Azure and Google Cloud nested identity authentication code is removed from client-go and kubectl in Kubernetes versions later than 1.26. Replace with authentication plug-ins.

• DynamicKubeletConfig feature gate removed — Update the kubelet configuration file directly and restart the kubelet instead.

• CVE fixes in 1.26.15-aliyun.1 — CVE-2023-45288, CVE-2024-3177, and CVE-2024-24786 are fixed.

CRI requirement

Kubernetes 1.26 requires CRI v1 and no longer supports CRI v1alpha2. containerd 1.5 and earlier are incompatible. Before upgrading to Kubernetes 1.26, upgrade containerd to 1.6.0 or later.

PSP migration

PodSecurityPolicy (PSP) was deprecated in Kubernetes 1.21 and removed from Kubernetes 1.25. For background, see PodSecurityPolicy: The Historical Context.

If your clusters currently use PSP, choose one of the following migration paths before upgrading:

• ACK policy governance — Use the policy management feature built into ACK, which provides Kubernetes-optimized policies that are easy to configure. See Enable the policy governance feature.

• Built-in Pod Security Admission — Migrate to the Kubernetes-native pod security admission controller. See Pod Security Admission and Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.

• Third-party admission webhook — Deploy and configure a third-party admission plug-in.

kubelet read-only port

By default, the read-only port 10255 is no longer open in ACK clusters that run Kubernetes 1.26 or later. The authentication port 10250 is used instead. For details, see \[Product Changes\] Open the authentication port instead of the read-only port for the kubelet in ACK clusters that run Kubernetes versions earlier than 1.26.

Kubernetes 1.25

• Ephemeral containers (GA) — Run ephemeral containers inside a pod to debug crashed or inaccessible pods without a debugging tool. See Ephemeral Containers.

• cgroup v2 (Stable) — An improved version of cgroup v1 with better resource isolation. See About cgroup v2.

• Windows support improvements — CI unit tests, conformance tests, and a new repository for Windows operational readiness.

• Image registry redirect — Requests to k8s.gcr.io are redirected to registry.k8s.io. See k8s.gcr.io Redirect to registry.k8s.io.

• NetworkPolicy EndPort field (GA) — Specify a port range in network policies using the endPort field. If your network plug-in does not support endPort, the policy applies only to the single port specified in the port field. See Network Policies.

• Local ephemeral storage capacity isolation (GA) — Pods can be hard-limited in their consumption of local ephemeral storage (such as emptyDir volumes). Pods that exceed the limit are evicted. See Local Ephemeral Storage Capacity Isolation.

• Ephemeral inline CSI volumes (Stable) — CSI volumes that originate from PersistentVolumes (PVs) and PersistentVolumeClaims (PVCs) cannot be specified directly in a pod spec when using ephemeral CSI volumes. See Ephemeral Inline CSI volumes.

• KMS v2 alpha1 API — Improves key rotation performance and observability. Replaces AES-CBC with AES-GCM and uses a Data Encryption Key (DEK) to encrypt Kubernetes Secrets at rest. Encrypted data can be decrypted with both AES-GCM and AES-CBC. See Using a KMS provider for data encryption.

• Container Object Storage Interface (COSI) (Alpha) — Standardizes the provisioning and consuming of object storage. See COSI.

• PodHasNetwork condition (Alpha) — When PodHasNetwork in a pod's status field is true, the pod's runtime sandbox is initialized and its network is configured. Use this condition to measure pod initialization latency (excluding image pull time and application startup). Enable the PodHasNetworkCondition feature gate on the kubelet to use this feature. See How is this different from the existing Initialized condition?.

• StatefulSet minReadySeconds (Stable) — The minReadySeconds field lets each pod wait a specified period before the next pod in a rolling update proceeds, slowing the rollout deliberately. See Minimum ready seconds.

• DaemonSet maxSurge (Stable) — maxSurge specifies the number of extra pods that can be created on a node during a DaemonSet rolling update, reducing downtime. maxSurge and hostPort cannot be used together because two active pods cannot share the same port on a node. See Perform a Rolling Update on a DaemonSet.

• User namespace support for pods (Alpha) — Map a root user inside a pod to a non-zero ID outside the pod. The user appears as root from the container's perspective but as an unprivileged user from the host's perspective. Enable the UserNamespacesStatelessPodsSupport feature gate and ensure your container runtime supports this feature. See Kubernetes 1.25: alpha support for running Pods with user namespaces.

• RetroactiveDefaultStorageClass — When enabled, a default StorageClass can be automatically allocated to a PVC that was created without one. Previously, the StorageClass remained nil and required deleting and recreating the PVC. This feature gate reaches Beta and is enabled by default in Kubernetes 1.26.

• JobPodFailurePolicy (Alpha) — Configure a Job to handle pod disruptions based on exit codes and pod status, avoiding unnecessary retries and ignoring evictions. Define the podFailurePolicy field in a Job to use this feature. This feature reaches Beta in Kubernetes 1.26. See Handling retriable and non-retriable pod failures with Pod failure policy.

• PodTopologySpread improvements — Fixed the issue where pods were not evenly spread during rolling updates. minDomains field support reaches Beta.

• kube-proxy optimization for large clusters — In a cluster that has 1,000 endpoints, unused iptables rules are retained temporarily (up to one maximum iptables synchronization cycle) rather than being deleted immediately. In smaller clusters, unused rules are deleted immediately.

Kubernetes 1.26

• Dynamic resource allocation API (Alpha) — Request and share resources between pods or between containers within a pod, with support for custom resource initialization parameters. Enable the DynamicResourceAllocation feature gate and the resource.k8s.io/v1alpha1 API group, then install a resource driver for the resources you want to manage. See Alpha API For Dynamic Resource Allocation.

• Non-graceful node shutdown (Beta) — When a node shuts down ungracefully, pods on that node get stuck in the Terminating state and VolumeAttachments cannot be deleted, preventing StatefulSet pods from being rescheduled elsewhere. To trigger non-graceful node shutdown, manually add the out-of-service taint to the node. This forces pod deletion and volume detach for the terminated pods. Remove the taint manually after the node recovers. See Non-graceful node shutdown.

• Delegate fsGroup to CSI driver — When mounting a volume to a pod, the CSI driver can apply fsGroup to change file and directory permissions instead of the kubelet. This is transparent to users. For CSI driver developers, see CSI Driver fsGroup Support.

• Pod scheduling gates — Mark a newly created pod as not ready for scheduling by configuring spec.schedulingGates. The scheduler ignores the pod until an external controller removes the gate. This prevents large numbers of unschedulable pending pods from degrading scheduler performance. See Pod Scheduling Readiness.

• CPU Manager (GA) — Allocates exclusive CPUs to containers as part of the kubelet. Three CPU management policies are supported. See Control CPU Management Policies on the Node.

• Cross-namespace storage data sources (Alpha) — Specify a data source from a different namespace for a PVC. See Kubernetes v1.26: Alpha support for cross-namespace storage data sources.

• PodDisruptionBudget unhealthy pod eviction policy (Alpha) — Set .spec.unhealthyPodEvictionPolicy=AlwaysAllow to force a PodDisruptionBudget (PDB) to always allow eviction of unhealthy pods. Enable the PDBUnhealthyPodEvictionPolicy feature gate to use this feature. See Unhealthy Pod Eviction Policy.

• Consistent HTTP GET handlers for lifecycle hooks — httpGet for container lifecycle hooks preStop and postStart now respects the scheme and headers fields, matching probe behavior. HTTPS is supported with the same configuration as probes. If HTTPS is accidentally specified, an error message is returned and the system falls back to HTTP without compatibility issues. Disable this behavior by setting --feature-gates=ConsistentHTTPGetHandlers=false on the kubelet.

• API Priority and Fairness (APF) seat borrowing — Two fields are added to .spec.limited: lendablePercent (the percentage of seats other priority levels can borrow from the current level) and borrowingLimitPercent (the maximum seats this level can borrow from other levels).

• Configurable HPA controller concurrency — Set --concurrent-horizontal-pod-autoscaler-syncs on kube-controller-manager to control the number of workers used by the Horizontal Pod Autoscaler (HPA) controller.

• HPA label selector validation — When multiple HPAs target the same set of pods or Deployment, the HPAs stop taking effect and an AmbiguousSelector event is generated.

• Multiple default StorageClasses — When multiple StorageClasses are annotated with storageclass.kubernetes.io/is-default-class, Kubernetes selects the most recently created one instead of throwing an error.

Command line arguments

kube-controller-manager

kubeadm

• In Kubernetes 1.25, UnversionedKubeletConfigMap reaches GA. By default, kube-system/kubelet-config replaces kube-system/kubelet-config-x.yy.

• In Kubernetes 1.25, kubeadm no longer adds the node-role.kubernetes.io/master:NoSchedule label to control plane nodes. The label is removed when you run kubeadm upgrade apply.

• In Kubernetes 1.25, the seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io are no longer supported. Use SeccompProfile instead. See Restrict a Container's Syscalls with seccomp.

Other arguments removed in Kubernetes 1.26

• Several logging-related klog flags are removed (previously deprecated).

• --master-service-namespace flag on the API server is deprecated (unused).

• The following kubectl run subcommands are deprecated and will be removed in a later version: --cascade, --filename, --force, --grace-period, --kustomize, --recursive, --timeout, and --wait.

Deprecated flags in Kubernetes 1.26

• The --prune-whitelist flag is deprecated and replaced by --prune-allowlist to align with the Inclusive Naming Initiative. The deprecated flag will be removed in later versions.

Storage drivers

• In Kubernetes 1.25, in-tree storage plug-ins are removed as core CSI migration reaches GA. See CSI migration.

• In Kubernetes 1.25, the GlusterFS and Portworx in-tree storage plug-ins are deprecated. The Flocker, Quobyte, and StorageOS in-tree plug-ins are removed. The in-tree vSphere storage driver no longer supports vSphere versions earlier than 7.0u2.

• In Kubernetes 1.26, the GlusterFS in-tree storage driver is deprecated, and the deprecated OpenStack in-tree storage integration (Cinder volumes) is removed.

Other removals

• kube-proxy userspace mode — The userspace mode is removed in Kubernetes 1.26. Use iptables or IPVS on Linux, or kernelspace on Windows. --mode userspace now returns an error. Windows winkernel kube-proxy no longer supports Windows HNS v1 APIs.

• In-tree credential code — Azure and Google Cloud nested identity authentication code is removed from client-go and kubectl in Kubernetes versions later than 1.26. Replace with authentication plug-ins.

• DynamicKubeletConfig feature gate — Removed from the kubelet in Kubernetes 1.24 and removed from the API server in Kubernetes 1.26. Update the kubelet configuration file directly and restart the kubelet. See remove DynamicKubeletConfig feature gate from the code.

• iptables chain cleanup — In Kubernetes 1.25 and later, the kubelet uses the IPTablesCleanup feature gate to stop creating KUBE-MARK-DROP, KUBE-MARK-MASQ, and KUBE-POSTROUTING chains in the NAT table. These chains are internal to Kubernetes and are not intended as a public API. See Kubernetes's IPTables Chains Are Not API and Cleaning up IPTables Chain Ownership.

API version changes

Field-level changes

EndpointSlice (`discovery.k8s.io/v1`)

Event (`events.k8s.io/v1`)

Additional requirements for events.k8s.io/v1 events:

• type can only be set to Normal or Warning.

• action, reason, reportingController, and reportingInstance are required fields.

PodDisruptionBudget (`policy/v1`)

spec.selector behavior differs between API versions:

Reaching GA in Kubernetes 1.25

Reaching Beta in Kubernetes 1.25

Added in Alpha in Kubernetes 1.25

Reaching GA in Kubernetes 1.26

Reaching Beta in Kubernetes 1.26

Added in Alpha in Kubernetes 1.26