Container Service for Kubernetes (ACK) strictly abides by the terms of the Certified Kubernetes Conformance Program. This topic covers component versions, breaking changes, new features, and security fixes in Kubernetes 1.31.
Component versions
| Component | Version |
|---|---|
| Kubernetes | 1.31.9-aliyun.1 and 1.31.1-aliyun.1 |
| etcd | v3.5.15 |
| containerd | 1.6.34 |
| CoreDNS | v1.11.3.2-f57ea7ed6-aliyun |
| CSI | csi-plugin and csi-provisioner updated to the latest versions. See csi-plugin and csi-provisioner release notes. |
| CNI | Flannel v0.15.1.22-20a397e6-aliyun |
| Terway and TerwayControlplane | 1.10.0 and later |
The Trunk ENI feature is enabled by default for newly created ACK managed clusters that use Terway as the network plug-in and run Kubernetes 1.31 or later.
Breaking changes
These changes require action before or immediately after upgrading to 1.31.
CephFS volume plug-in removed
The built-in CephFS volume plug-in kubernetes.io/cephfs is removed in 1.31. Use the CephFS CSI driver instead.
If your cluster uses the CephFS volume plug-in, re-deploy your application to use the CephFS CSI driver after upgrading to 1.31.
CephRBD volume plug-in removed
The built-in CephRBD volume plug-in kubernetes.io/rbd is removed in 1.31. Use the RBD CSI driver instead.
If your cluster uses the CephRBD volume plug-in, re-deploy your application to use the RBD CSI driver after upgrading to 1.31.
CSIMigrationPortworx enabled by default
The CSIMigrationPortworx feature gate is enabled by default, migrating volumes from the legacy embedded Portworx plug-in to the Portworx CSI plug-in.
If you use Portworx as a storage solution, install and configure the Portworx CSI plug-in before upgrading to 1.31.
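A pre-upgrade inventory for the three breaking changes above, as an added example (not ACK or Kubernetes project code). It assumes input saved from `kubectl get pv,sc,pods,deploy,sts,ds,cronjob -A -o json`. The volume field names (`cephfs`, `rbd`, `portworxVolume`) and the `kubernetes.io/portworx-volume` provisioner come from the Kubernetes API rather than from this page, and the sample objects are constructed.

```python
import json
import sys

# Kubernetes API volume-source fields and StorageClass provisioners for the in-tree plug-ins.
LEGACY_FIELDS = {"cephfs": "removed", "rbd": "removed", "portworxVolume": "CSI-migrated"}
LEGACY_PROVISIONERS = {"kubernetes.io/cephfs": "removed", "kubernetes.io/rbd": "removed",
                       "kubernetes.io/portworx-volume": "CSI-migrated"}

def pod_spec(obj):
    """Pod spec of a Pod, or of a workload's pod template (CronJob nests it deeper)."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def find_legacy_volumes(kube_list):
    """Return sorted (kind, namespace/name, detail, status) tuples for in-tree volume use."""
    findings = []
    for obj in kube_list.get("items", []):
        kind, meta = obj.get("kind", ""), obj.get("metadata", {})
        ref = "/".join(p for p in (meta.get("namespace"), meta.get("name")) if p)
        if kind == "StorageClass" and obj.get("provisioner") in LEGACY_PROVISIONERS:
            prov = obj["provisioner"]
            findings.append((kind, ref, prov, LEGACY_PROVISIONERS[prov]))
        elif kind == "PersistentVolume":
            for field in LEGACY_FIELDS.keys() & obj.get("spec", {}).keys():
                findings.append((kind, ref, field, LEGACY_FIELDS[field]))
        else:
            for vol in pod_spec(obj).get("volumes") or []:
                for field in LEGACY_FIELDS.keys() & vol.keys():
                    findings.append((kind, ref, f"{vol.get('name')}:{field}", LEGACY_FIELDS[field]))
    return sorted(findings)

# Constructed sample objects (hypothetical names), shaped like `kubectl get ... -o json` output.
SAMPLE = {"kind": "List", "items": [
    {"kind": "PersistentVolume", "metadata": {"name": "pv-ceph"},
     "spec": {"cephfs": {"monitors": ["10.0.0.1:6789"]}}},
    {"kind": "PersistentVolume", "metadata": {"name": "pv-csi"},
     "spec": {"csi": {"driver": "csi.example.invalid"}}},
    {"kind": "Deployment", "metadata": {"namespace": "app", "name": "web"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "data", "rbd": {"image": "img", "monitors": ["10.0.0.1:6789"]}},
         {"name": "tmp", "emptyDir": {}}]}}}},
    {"kind": "StorageClass", "metadata": {"name": "px"}, "provisioner": "kubernetes.io/portworx-volume"},
]}

if __name__ == "__main__":  # optional argument: path to a saved JSON list
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(*("\t".join(f) for f in find_legacy_volumes(data)), sep="\n")
```

An empty result means none of the scanned objects reference the affected plug-ins directly; pods that mount them through a PersistentVolumeClaim are covered by the PersistentVolume findings.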
New features
Workload scheduling
MatchLabelKeysInPodAffinity promoted to beta (enabled by default)
To resolve scheduling conflicts during rolling updates where pods violate affinity and anti-affinity rules, specify the new matchLabelKeys and mismatchLabelKeys fields in podAffinity and podAntiAffinity. The scheduler uses these fields to distinguish old pods from new pods during a rollout. See matchLabelKeys and mismatchLabelKeys.
Storage
RecursiveReadOnlyMounts promoted to beta (enabled by default)
Volumes mounted to pods can now be made recursively read-only. All subdirectories and files under the mount are set to read-only mode. See Recursive read-only mounts.
HonorPVReclaimPolicy promoted to beta (enabled by default)
Finalizers can now be added to a PersistentVolume (PV) to ensure that a PV with the Delete reclaim policy is deleted only after the associated backing storage is deleted. See PersistentVolume deletion protection finalizer.
Workloads
JobSuccessPolicy promoted to beta (enabled by default)
A success policy can now be configured for Indexed Jobs. See Job success policy.
kubelet no longer restarts containers on non-image spec changes
If the spec field of a pod changes but the image field is unchanged, the kubelet does not restart the container. This prevents unnecessary pod restarts caused by non-functional configuration updates.
Security and authentication
ServiceAccountTokenNodeBinding promoted to beta (enabled by default)
A ServiceAccount token can now be bound to a specific node. The token is invalidated if it expires, or if the associated node or ServiceAccount is deleted.
API and tooling
DisableNodeKubeProxyVersion promoted to beta (enabled by default)
The status.nodeInfo.kubeProxyVersion field no longer displays the kube-proxy version. The value in this field was inaccurate and did not reflect the actual kube-proxy version running on the node.
kubectl debug custom profiling promoted to beta
kubectl debug now supports custom profiling configuration for troubleshooting pods. See Kubernetes 1.31: Custom Profiling in Kubectl Debug Graduates to Beta.
kubectl streaming migrated from SPDY to WebSocket
kubectl cp, kubectl attach, kubectl exec, and kubectl port-forward now use WebSocket for streaming instead of SPDY. WebSocket is the default streaming protocol for Kubernetes clients including kubectl.
Consistent reads from cache promoted to beta
The Kubernetes API server can now serve consistent reads from cache instead of fetching the full dataset from etcd, improving the efficiency of List requests. See Consistent reads from cache.
CRD validation
caBundle validation enforced
If the caBundle field in a CustomResourceDefinition (CRD) is non-empty but contains an invalid value or no CA certificates, the CRD stops serving requests. Once a valid caBundle is established, updates that would render it invalid or empty are rejected to prevent service disruption.
Security fixes
The following CVEs are fixed in 1.31.9-aliyun.1: