Container Service for Kubernetes: (Discontinued) ACK release notes for Kubernetes 1.28

Last Updated: Mar 26, 2026

Container Service for Kubernetes (ACK) follows the Certified Kubernetes Conformance Program. This page covers what changed in the Kubernetes 1.27 and 1.28 releases for ACK clusters: component versions, security patches, new features, deprecated APIs, and feature gate changes.

For the complete upstream changelogs, see CHANGELOG-1.27 and CHANGELOG-1.28.

Important

Before upgrading to Kubernetes 1.28, review these breaking changes:

  • CephFS in-tree volume plug-in removed: The in-tree CephFS volume plug-in code is removed in 1.28. Clusters using the in-tree driver will break after the upgrade. Migrate to the out-of-tree CephFS CSI driver before upgrading, and evaluate any compatibility, stability, or performance risks.

  • Ceph RBD CSI migration no longer possible: Migration of Ceph RBD volumes (kubernetes.io/rbd) to the out-of-tree CSI driver is no longer possible in Kubernetes 1.28 and will be fully removed in a future release. Complete the migration before the removal takes effect.

  • IPv6DualStack feature gate removed: The IPv6DualStack feature gate was removed in Kubernetes 1.27. If you manually set this in your cluster configuration, remove it before upgrading.

  • kubelet endpoint flags moved to config file: The --container-runtime-endpoint and --image-service-endpoint flags can no longer be passed as kubelet command-line arguments. Move these settings to the kubelet configuration file before upgrading.

Component versions

The following table lists the core component versions supported in ACK clusters running Kubernetes 1.28.

Core component | Version
Kubernetes | 1.28.15-aliyun.1, 1.28.9-aliyun.1, and 1.28.3-aliyun.1
etcd | v3.5.9
CoreDNS | v1.9.3.10-7dfca203-aliyun
CRI | containerd 1.6.20
CSI | Upgrade to the latest supported version. See the changelogs for csi-plugin and csi-provisioner.
CNI | Flannel v0.15.1.22-20a397e6-aliyun
CNI (Terway) | Terway and TerwayControlplane v1.5.0 and later
NVIDIA Container Runtime | v3.13.0
Ingress Controller | v1.8.0-aliyun.1

Security patches

Version | CVEs fixed
1.28.15-aliyun.1 | CVE-2024-10220
1.28.9-aliyun.1 | CVE-2023-45288, CVE-2024-3177, CVE-2024-24786

What's new

Kubernetes 1.28

Non-graceful node shutdown (GA)

When a node shuts down unexpectedly—for example, due to a power failure—Kubernetes can now automatically reschedule StatefulSet pods with the same name on another node, preventing service interruptions. This feature is now Generally Available (GA).

Retroactive default StorageClass assignment (GA)

Previously, a PersistentVolumeClaim (PVC) created without storageClassName would remain in Pending indefinitely if no default StorageClass existed at the time. Now, when a default StorageClass is created later, Kubernetes automatically assigns it to any unbound PVC with no storageClassName. This feature is now GA.

Scheduler performance

The scheduler's retry logic is optimized to reduce invalid scheduling attempts, improving overall performance. If your cluster uses a custom scheduler plug-in, update the plug-in to take advantage of the new scheduling framework. See Scheduling framework changes for details.

Job failure handling

Two new Alpha feature gates improve how failed Jobs are handled:

  • `JobPodReplacementPolicy`: A replacement pod is created only when the original reaches the Failed phase (status.phase: Failed), not when it has a deletionTimestamp. This prevents two pods from simultaneously occupying the same index and consuming node resources.

  • `JobBackoffLimitPerIndex`: Set .spec.backoffLimitPerIndex on an Indexed Job to cap the number of retries per index, rather than counting all failures toward a single shared .spec.backoffLimit. A persistently failing index no longer causes the entire Job to fail.
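As an added example (not from the original page), an Indexed Job that uses both Alpha fields described above. It assumes a cluster where the `JobPodReplacementPolicy` and `JobBackoffLimitPerIndex` feature gates are enabled; if they are not, the API server silently drops the two fields. The image name is a placeholder.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: index-retry-demo
spec:
  completionMode: Indexed      # backoffLimitPerIndex is only valid for Indexed Jobs
  completions: 4
  parallelism: 4
  # Create a replacement pod only once the old one is in phase Failed
  # (JobPodReplacementPolicy gate). The default, TerminatingOrFailed, also
  # replaces pods that merely carry a deletionTimestamp, so two pods can
  # briefly hold the same index.
  podReplacementPolicy: Failed
  # Each index may fail at most twice before it is marked failed
  # (JobBackoffLimitPerIndex gate). Failures of one index do not count
  # against the others, so spec.backoffLimit is left unset here.
  backoffLimitPerIndex: 2
  # Mark the whole Job failed once this many indexes have exhausted
  # their retries; must not exceed spec.completions.
  maxFailedIndexes: 1
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: worker
        image: registry.example.com/worker:1.0   # placeholder image
```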

Large Indexed Job warning

If a Job has completions set above 100,000 and parallelism set above 10,000, and many pods fail, Kubernetes now displays a warning: termination status may not be tracked reliably at that scale.

CRD validation improvements

The reason and fieldPath fields are added to CustomResourceDefinition (CRD) validation rules. When a Common Expression Language (CEL) expression fails, the API server returns a specific reason code and the path to the failing field. See CRD Validation Expression Language.

Webhook matching with CEL expressions

Webhook matchConditions now support CEL expressions, with up to 64 matching conditions per webhook. This gives you fine-grained control over which requests trigger a webhook without writing a full admission controller. See Matching requests: matchConditions.

ValidatingAdmissionPolicy (Beta)

ValidatingAdmissionPolicy provides a declarative, in-cluster alternative to validating admission webhooks. Write CEL expressions directly in the policy object; the API server evaluates them on every matching request—no webhook infrastructure needed. See ValidatingAdmissionPolicy.

PVC resize status field replaced

The .status.resizeStatus field on PVCs is replaced by .status.allocatedResourceStatus, a map that tracks the resize state of each resource independently. Update any tooling that reads .status.resizeStatus. See PersistentVolumeClaimStatus.

Pod index labels for Indexed Jobs and StatefulSets

Pods created by Indexed Jobs and StatefulSets now have their ordinal index added as a label, making it easier to select or filter pods by position.

Kube Controller Manager concurrency flags

Two new flags control controller concurrency:

  • --concurrent-cron-job-syncs: Sets the number of concurrent CronJob reconciliation workers.

  • --concurrent-job-syncs: Sets the number of concurrent Job reconciliation workers.

See --concurrent-cron-job-syncs and --concurrent-job-syncs.

API server optimizations

  • Reduced GetList memory: Memory usage for serving list requests from the cache is reduced. See GetList test data.

  • Endpoint cleanup fix: Fixed a bug where the endpoint for a Kubernetes Service was not removed when only one API server replica remained during a graceful shutdown.

  • OpenAPI v2 lazy aggregation: The OpenAPI v2 controller now aggregates CRD information only when a client requests it, reducing CPU and memory overhead when no client polls the OpenAPI v2 endpoint. This also improves install time for large numbers of CRDs but may slow the first request to the endpoint. Migrate clients to OpenAPI v3.

  • ConsistentListFromCache (Alpha): The new ConsistentListFromCache feature gate lets the API server use the watch cache to serve LIST requests with consistency guarantees, reducing load on etcd.

  • Additional monitoring metrics: More metrics are now available through the metrics endpoint.

Kubernetes 1.27

Pod termination status corrected

  • Pods deleted in the Pending phase are now set to Failed.

  • Pods deleted in the Running phase are set to Succeeded or Failed based on the container exit code.

This fixes a bug where pods with a configured failure policy could remain stuck in Pending. If a pod has RestartPolicy=Always, it may now show Succeeded after deletion—review your controllers if this behavior matters for your workloads. See Set the termination status for pods that do not require a restart.

ReadWriteOncePod for PersistentVolumes (Beta)

The ReadWriteOncePod access mode limits a volume to a single pod at a time—more restrictive than ReadWriteOnce, which allows multiple pods on the same node. See Single Pod Access Mode for PersistentVolumes graduates to Beta.

Pod topology spread constraints (Beta)

Several topology spread constraint options are now Beta and enabled by default: minDomains (minimum number of eligible domains), nodeTaintsPolicy (whether to count tainted nodes), nodeAffinityPolicy (whether to count nodes excluded by affinity rules), and whenUnsatisfiable (behavior during rolling updates when constraints cannot be met). See More fine-grained pod topology spread policies.

Server-side field validation (GA)

The API server now validates resource fields server-side. kubectl automatically uses Strict mode and skips client-side validation, returning an error if the server rejects a field. See Server Side Field Validation and OpenAPI V3 move to GA.

OpenAPI v3 (GA)

OpenAPI v3, introduced in Kubernetes 1.23, is now GA. See Server-side field validation and OpenAPI v3 move to GA.

HPA ContainerResource metric type (Beta)

Horizontal Pod Autoscaler (HPA) now supports the ContainerResource metric type, which scales based on the resource usage of individual containers rather than the pod average. This addresses a common issue where a pod fails to scale out because a low-usage sidecar container pulls the average below the threshold, even though the application container is resource-constrained. See Container resource metrics.
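As an added example (not from the original page), an HPA that scales on the CPU of one named container so a lightly loaded sidecar no longer drags the average down. It assumes a Deployment named `web` whose application container is named `app`, and the `HPAContainerMetrics` feature gate (Beta in 1.27, enabled by default).

```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 2
  maxReplicas: 10
  metrics:
  # ContainerResource measures only the named container; a pod-level
  # "type: Resource" metric would average app and sidecar together.
  - type: ContainerResource
    containerResource:
      name: cpu
      container: app
      target:
        type: Utilization
        averageUtilization: 70   # percent of the container's CPU request
```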

StatefulSet enhancements (Beta)

Two StatefulSet features reach Beta:

  • `StatefulSetStartOrdinal`: Start pod ordinals at a number other than zero using the ordinals.start field.

  • `StatefulSetAutoDeletePVC`: Control whether StatefulSets delete PVCs created from volumeClaimTemplate when pods are deleted or the StatefulSet is scaled in.
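As an added example (not from the original page), a StatefulSet using both Beta fields above, with a volume claim template that requests the ReadWriteOncePod access mode from the earlier section. It assumes a headless Service named `db` exists, a default StorageClass is present, and the CSI driver supports ReadWriteOncePod; the image is a placeholder.

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db
spec:
  serviceName: db
  replicas: 3
  selector:
    matchLabels:
      app: db
  # StatefulSetStartOrdinal: pods are named db-10, db-11, db-12 instead of
  # db-0..db-2, which lets a second StatefulSet take over a numbered slice.
  ordinals:
    start: 10
  # StatefulSetAutoDeletePVC: keep data when scaling in, drop it only when
  # the StatefulSet itself is deleted.
  persistentVolumeClaimRetentionPolicy:
    whenScaled: Retain
    whenDeleted: Delete
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
      - name: db
        image: registry.example.com/db:1.0   # placeholder image
        volumeMounts:
        - name: data
          mountPath: /var/lib/db
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ReadWriteOncePod]   # one pod at a time, cluster-wide
      resources:
        requests:
          storage: 20Gi
```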

In-place pod vertical scaling (Alpha)

The InPlacePodVerticalScaling feature gate (Alpha, disabled by default) lets you change the CPU and memory requests and limits for a running container without restarting the pod. See Resize CPU and memory resources assigned to containers.

Parallel image pulls

Set serializeImagePulls: false in the kubelet configuration to pull container images in parallel instead of serially. Use maxParallelImagePulls (added in 1.27) to cap concurrent pulls and avoid saturating network bandwidth or disk I/O. See Serial and parallel image pulls.

Volume group snapshots (Alpha)

A new volume group snapshot API lets you create crash-consistent snapshots of multiple PersistentVolumes at a single point in time. See Introducing an API for volume group snapshots.

Deprecated features and APIs

Kubernetes 1.28

Deprecated feature | Impact | Action required
In-tree CephFS volume plug-in | Code removed in 1.28. Workloads using the in-tree driver will break. | Migrate to the CephFS CSI driver before upgrading.
Ceph RBD CSI migration | Migration of Ceph RBD volumes to the out-of-tree CSI driver is no longer possible in Kubernetes 1.28 and will be fully removed in a future release. | Complete the migration before the removal.
RBD volume plug-in (kubernetes.io/rbd) | Deprecated; will be removed in a future release. | Switch to the CephFS CSI driver.
Key Management Service (KMS) v1 | Deprecated. | Use KMSv2. To continue using KMSv1 temporarily, set --feature-gates=KMSv1=true. See Mark KMS v1beta1 as deprecated.
KCM flags --volume-host-cidr-denylist and --volume-host-allow-local-loopback | Deprecated; will be removed in a future release. | Remove these flags from your Kube Controller Manager configuration.
kubelet flag --azure-container-registry-config | Deprecated; will be removed in a future release. | Use --image-credential-provider-config and --image-credential-provider-bin-dir instead.
Windows node pools | Creating Windows node pools is no longer supported. | Use Alibaba Cloud Linux 3 or ContainerOS 3.1 node pools. See Create and manage a node pool.

Kubernetes 1.27

Deprecated feature | Impact | Action required
In-tree AWS EBS storage plug-in | Replaced by the out-of-tree CSI plug-in. | See cloud-provider-aws.
Node spec.externalID field | Deprecated; clients that update this field receive a warning. | Stop updating spec.externalID.
Alpha seccomp annotations (seccomp.security.alpha.kubernetes.io/pod, container.seccomp.security.alpha.kubernetes.io) | Removed in v1.27. Workloads relying on these annotations silently lose seccomp settings. | Use the securityContext.seccompProfile field instead.
KCM flags --pod-eviction-timeout and --enable-taint-manager | Removed in 1.27. | Remove these flags from your Kube Controller Manager configuration.
kubelet flag --container-runtime | Removed in 1.27 (deprecated since 1.24). | No action needed; the default remote value is preserved.
kubelet flags --container-runtime-endpoint and --image-service-endpoint (as CLI flags) | These can no longer be set as command-line flags. | Move them to the kubelet configuration file.
SecurityContextDeny admission controller | Deprecated; will be removed in a future release. | Migrate to Pod Security Admission or a validating webhook.
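As an added example (not from the original page), the seccomp annotation migration from the table above: the first Pod still carries the alpha annotations, which 1.27 ignores, so it runs with no seccomp filter at all; the second expresses the same intent with securityContext.seccompProfile. Pod names, images and the profile file name are placeholders.

```yaml
# Before: alpha annotations, silently ignored since Kubernetes 1.27
apiVersion: v1
kind: Pod
metadata:
  name: app-legacy
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
    container.seccomp.security.alpha.kubernetes.io/sidecar: localhost/sidecar.json
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0       # placeholder image
  - name: sidecar
    image: registry.example.com/sidecar:1.0   # placeholder image
---
# After: pod-level default plus a per-container override in securityContext
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault        # annotation value runtime/default
  containers:
  - name: app
    image: registry.example.com/app:1.0       # inherits RuntimeDefault
  - name: sidecar
    image: registry.example.com/sidecar:1.0
    securityContext:
      seccompProfile:
        type: Localhost           # annotation value localhost/<file>
        # Path is relative to the kubelet's seccomp profile root
        # (<kubelet-root-dir>/seccomp); the file must exist on every node.
        localhostProfile: sidecar.json
# The third annotation value, unconfined, maps to type: Unconfined and
# should be reserved for workloads that genuinely need it.
```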

Deprecated APIs

The storage.k8s.io/v1beta1 version of the CSIStorageCapacity API was deprecated in Kubernetes 1.24 and removed in 1.27. Use storage.k8s.io/v1, available from Kubernetes 1.24. See Storage Capacity Constraints for Pod Scheduling KEP.

Feature gate changes

Feature gates define the maturity of a Kubernetes feature:

  • Alpha: Disabled by default. Experimental and subject to change.

  • Beta: Enabled by default. Stable enough for most clusters.

  • GA (Generally Available): Always enabled. The feature gate is removed.

Promoted to GA

The following feature gates reached GA and are permanently enabled. The feature gates themselves are removed.

In Kubernetes 1.28:

Feature gate | What it does
NodeOutOfServiceVolumeDetach | When node.kubernetes.io/out-of-service is added to a node, pods that do not tolerate the taint are forcefully deleted and their volumes are immediately detached, allowing fast recovery on other nodes.
IPTablesOwnershipCleanup | Kubernetes no longer creates the KUBE-MARK-DROP and KUBE-MARK-MASQ iptables chains.
ProbeTerminationGracePeriod | Enables probe-level terminationGracePeriodSeconds to override the pod-level grace period for liveness and startup probes.
DelegateFSGroupToCSIDriver, DevicePlugins, KubeletCredentialProviders, MixedProtocolLBService, ServiceInternalTrafficPolicy, ServiceIPStaticSubrange, EndpointSliceTerminatingCondition | Various stable features now always enabled. Feature gates removed.

In Kubernetes 1.27:

Feature gate | What it does
ExpandCSIVolumes, ExpandInUsePersistentVolumes, ExpandPersistentVolumes | Volume expansion for CSI volumes, in-use PVs, and PVs generally. All three are now always enabled.
CSIInlineVolume | Inline CSI volumes in pod specs. GA since 1.25, removed in 1.27.
EphemeralContainers | Ephemeral debug containers. GA since 1.25, feature gate removed.
LocalStorageCapacityIsolation | Hard limits on emptyDir usage per pod; kubelet evicts pods that exceed the limit. GA since 1.25, removed in 1.27.
NetworkPolicyEndPort | endPort field in NetworkPolicy rules to specify port ranges. GA since 1.25, removed in 1.27.
StatefulSetMinReadySeconds | minReadySeconds field on StatefulSets. GA since 1.25, removed in 1.27.
DaemonSetUpdateSurge | maxSurge field on DaemonSet rolling updates. GA since 1.25, removed.
IdentifyPodOS | os field on pods to specify the operating system. GA since 1.25, removed.
CSIMigration | In-tree to out-of-tree CSI migration reached GA in Kubernetes v1.25. The feature gate is always enabled and has been removed.

Promoted to Beta (enabled by default)

In Kubernetes 1.28:

Feature gate | What it does
AdmissionWebhookMatchCondition | CEL expressions in webhook matchConditions. Up to 64 conditions per webhook.

In Kubernetes 1.27:

Feature gate | What it does
StatefulSetStartOrdinal | Start StatefulSet pod ordinals from a non-zero number.
StatefulSetAutoDeletePVC | Control automatic PVC deletion when StatefulSet pods are removed.
ReadWriteOncePod | ReadWriteOncePod access mode for PersistentVolumes.

New in Alpha (disabled by default)

In Kubernetes 1.28:

Feature gate | What it does
UnknownVersionInteroperabilityProxy | Routes requests to the correct API server when multiple API server versions coexist in the cluster. See Mixed version proxy.
ConsistentListFromCache | Lets the API server use the watch cache to serve LIST requests with consistency guarantees.

In Kubernetes 1.27:

Feature gate | What it does
NodeLogQuery | Query node logs with kubectl after setting enableSystemLogHandler: true and enableSystemLogQuery: true in the kubelet configuration.
ServiceNodePortStaticSubrange | Divides the NodePort range into two bands. Dynamic allocation uses the upper band; the lower band is reserved for static assignments, reducing port conflicts. See Avoid collisions assigning ports to NodePort Services.
InPlacePodVerticalScaling | Resize container CPU and memory without restarting the pod.
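As an added example (not from the original page), one kubelet configuration file that gathers the kubelet settings this page mentions: the runtime endpoint flags that 1.27 moved out of the command line (Important section and the 1.27 deprecation table), parallel image pulls (Kubernetes 1.27 section), and the NodeLogQuery gate from the table above. It assumes a self-managed kubelet on a containerd node; the socket path is the usual containerd default, and the pull limit is an arbitrary sample value.

```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# Formerly --container-runtime-endpoint and --image-service-endpoint.
# Since 1.27 these are config-file fields only; passing them as CLI flags
# makes the kubelet refuse to start. imageServiceEndpoint may be omitted,
# in which case it defaults to containerRuntimeEndpoint.
containerRuntimeEndpoint: unix:///run/containerd/containerd.sock
imageServiceEndpoint: unix:///run/containerd/containerd.sock
# Parallel image pulls, capped so a burst of new pods cannot saturate the
# node's network or disk. maxParallelImagePulls may only exceed 1 when
# serializeImagePulls is false.
serializeImagePulls: false
maxParallelImagePulls: 5
# NodeLogQuery (Alpha in 1.27): expose node service logs through the
# API server, e.g.
#   kubectl get --raw "/api/v1/nodes/<node>/proxy/logs/?query=kubelet"
# Anyone allowed to reach nodes/proxy can read these logs, so keep that
# RBAC verb restricted when enabling it.
featureGates:
  NodeLogQuery: true
enableSystemLogHandler: true
enableSystemLogQuery: true
```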

Removed (no longer needed to configure)

In Kubernetes 1.27:

The IPv6DualStack feature gate was removed after reaching GA in v1.23. If you manually set this in your cluster configuration, remove it before upgrading.