Container Service for Kubernetes:ACK Kubernetes 1.30 release notes

Operating system support change

Impact: CentOS and Alibaba Cloud Linux 2 are no longer supported as node pool operating systems in v1.30. For background, see \[Product Change\] Announcement on the discontinuation of maintenance for Alibaba Cloud Linux 2 and CentOS 7.

Action required: Upgrade each affected node pool to switch its OS. Use ContainerOS or Alibaba Cloud Linux 3, the recommended Alibaba Cloud operating systems. For the upgrade procedure, see Upgrade a node pool.

kube-proxy conntrack_max recalculation

Impact: In versions later than v1.29, kube-proxy recalculates and updates the node's conntrack_max value based on the kube-proxy configuration and CPU core count. In v1.23–v1.28, kube-proxy did not overwrite a manually set conntrack_max. After upgrading to v1.29 or later, kube-proxy may automatically lower the value. For details, see #120448.

Action required (if you customized conntrack_max): Before upgrading, add the nf_conntrack_max setting to the kube-proxy ConfigMap to prevent it from being overwritten. For configuration details, see How do I increase the Linux connection tracking (Conntrack) limit?. To check whether the sysctl value was modified, use cluster inspection.

kube-proxy NodePort behavior change

If --nodeport-addresses is not set (the default), NodePort Service updates in v1.30 apply only to the primary node IP address, not all IP addresses on the node. For details, see #122724.

OIDC and ServiceAccount Issuer URL conflict

Do not set the OIDC Issuer URL to the same value as the API server ServiceAccount Issuer URL, to avoid configuration conflicts and security issues. For details, see #123561.

Stable (GA)

LegacyServiceAccountTokenCleanUp — Graduated to GA in v1.30, enabled by default.

Auto-generated ServiceAccount secrets that are unused for one year and not mounted by any Pod are labeled kubernetes.io/legacy-token-invalid-since (the label value is the current date, marking the secret as invalid). If the secret remains unused for another year after being labeled, the kube-controller-manager removes it automatically. To reactivate a labeled secret before it is removed, delete the kubernetes.io/legacy-token-invalid-since label.

For details, see Auto-generated legacy ServiceAccount token clean up and Legacy ServiceAccount token cleaner.

AdmissionWebhookMatchConditions — Graduated to GA in v1.30, enabled by default and cannot be disabled.

Define match conditions on admission webhooks for finer-grained control over when a webhook is invoked. For details, see Dynamic Admission Control.

HPA ContainerResource metrics — Graduated to Stable in v1.30.

The HorizontalPodAutoscaler (HPA) can now scale based on the resource usage of individual containers in a Pod, not just the Pod's aggregate usage. This is useful when one container in a multi-container Pod drives scaling decisions. For details, see Container resource metrics.

Beta

ImageMaximumGCAge — Promoted to Beta in v1.30 (was Alpha in v1.29).

Configure a maximum TTL for unused images on a node. Images unused longer than the configured duration become eligible for garbage collection. The default is "0s", which means no TTL limit.

LoadBalancerIPMode — Beta in v1.30.

Adds a .status.loadBalancer.ingress.ipMode field to LoadBalancer Services, specifying how the load balancer IP address handles traffic forwarding. This field is only valid when .status.loadBalancer.ingress.ip is also set. For details, see Specifying IPMode of load balancer status.

CRDValidationRatcheting — Beta in v1.30, enabled by default.

When you add a new validation rule to a CustomResourceDefinition (CRD), the API server no longer rejects updates to existing resources that become invalid under the new rule, as long as the invalid fields remain unchanged. This lets you safely add new validation rules and migrate CRDs to OpenAPI v3 schemas. For details, see CRD Validation ratcheting.

NodeLogQuery — Promoted to Beta in v1.30, disabled by default.

Query node service logs through the /logs endpoint. For details, see Log query.

Features promoted to Beta in Kubernetes 1.29:

• SidecarContainers — Beta, enabled by default. Set restartPolicy: Always on an init container to run it as a sidecar. The sidecar starts, stops, and restarts independently of the main application container and other init containers. Make sure the kubelet version on nodes matches the control plane version. For details, see Sidecar Containers.

• PodReadyToStartContainers — Beta, enabled by default. This Pod condition indicates that the sandbox is created and its network is configured, giving the kubelet a more accurate view of Pod startup status. For details, see Pod conditions.

• JobBackoffLimitPerIndex — Beta, enabled by default. Specify the maximum number of retries per index in an indexed Job. For details, see Indexed Job for parallel processing with static work assignment.

Alpha

image_pull_duration_seconds metric — Alpha in v1.30. The kubelet now records how long each image pull takes. For the full metrics list, see List of Alpha Kubernetes Metrics.

JobSuccessPolicy — Alpha in v1.30. Declare a Job complete based on a set of succeeded Pods—either by specific Pod indexes (for example, indexes x, y, and z) or by a count from a set of indexes. For details, see Job success/completion policy.

RelaxedEnvironmentVariableValidation — Alpha in v1.30, disabled by default. Allows most printable ASCII characters (code points 32–126, except =) in environment variables. For details, see #123385.

CustomResourceFieldSelectors — Alpha in v1.30, disabled by default. Configure selectableFields on a CRD to support field selectors on List, Watch, and DeleteCollection requests. For details, see Custom Resource Field Selectors.

Downward API dual-stack support — In v1.30. Access both IPv4 and IPv6 host addresses via status.hostIPs. The first address in status.hostIPs always matches status.hostIP. For details, see Downward API.

Features added as Alpha in Kubernetes 1.29:

• PreStop hook sleep action — Pause a container for a specified duration before termination to allow pending processes or network requests to complete. For details, see KEP-3960: Introducing Sleep Action for PreStop Hook.

• ServiceCIDR — Alpha, disabled by default. Dynamically configure the ClusterIP address range for Services. For details, see KEP-1880: Multiple Service CIDRs.

• PodAffinity and PodAntiAffinity matchLabelKeys / mismatchLabelKeys — Solves a scheduling issue during rolling updates where the scheduler could not distinguish pods from different update batches. When matchLabelKeys is configured, the Deployment adds a pod-template-hash label to the ReplicaSet so the scheduler evaluates only Pods with the same hash. For details, see KEP-3633.

• ValidatingAdmissionPolicy CRD type checking — Type checking now covers CRD and API Extension types (previously limited to core Kubernetes API resources), improving policy reliability. For details, see type-checking.

• UserNamespacesPodSecurityStandards — Alpha, disabled by default; may remain disabled in future versions. Integrates user namespaces with Pod Security Standards, allowing containers to run as non-root or as a specific user defined in the Pod's security context. For details, see KEP-127: Update PSS based on feature gate.

• DisableNodeKubeProxyVersion — Alpha, disabled by default. Deprecates the status.nodeInfo.kubeProxyVersion field on Node objects, preventing it from being set. The kubelet cannot reliably identify the kube-proxy version, so this field is often inaccurate.

• PVC API change — PersistentVolumeClaims (PVCs) now use a separate VolumeResourceRequirements struct that contains only requests and limits, replacing the shared ResourceRequirements struct. This prevents changes to the container resources struct (such as adding a claims field) from unintentionally affecting the PVC API. For details, see Volume resource requirements.

In Kubernetes 1.29

• CronJob timezone in .spec.schedule — Setting CRON_TZ or TZ directly in the .spec.schedule field is no longer supported. Use .spec.timeZone instead, which has been available since v1.25. For details, see CronJob limitations.

• networking/v1alpha1 ClusterCIDR API — This Alpha API has been removed.

In Kubernetes 1.30

• --prune-whitelist flag — Removed from kubectl apply. Use --prune-allowlist instead. For details, see --prune.

• SecurityContextDeny admission plugin — Removed in v1.30 (deprecated since v1.27). Use the PodSecurity admission plugin instead, which has been Stable since v1.25 and is enabled by default. For details, see PodSecurity.