All Products
Search

This Product

    Container Service for Kubernetes:ACK Kubernetes 1.33 release notes

    Document Center

    Container Service for Kubernetes:ACK Kubernetes 1.33 release notes

    Last Updated:Mar 26, 2026

    Alibaba Cloud Container Service for Kubernetes (ACK) is fully compliant with the Kubernetes community conformance certification. This topic describes the major changes in ACK's release of Kubernetes 1.33, including upgrade considerations, major changes, new features, and deprecated APIs.

    Component versions

    Core component Version
    Kubernetes 1.33.1-aliyun.1 and 1.33.3-aliyun.1
    etcd v3.5.21
    containerd 2.1.1
    CoreDNS v1.11.3.5-5321daf49-aliyun
    CSI Upgraded to the latest supported version. For more information, see the change logs for csi-plugin and csi-provisioner.
    CNI Flannel v0.15.1.22-20a397e6-aliyun; Terway and TerwayControlplane v1.14.0 and later

    Upgrade considerations

    If your cluster contains pods that were created in Kubernetes 1.20 or earlier and have never had their containers restarted or updated, those pods will be restarted when you upgrade the cluster to Kubernetes 1.33.

    Major changes

    • containerd 2.1 is now the default container runtime (automatically applied during node upgrades). ACK clusters running Kubernetes 1.33 and later use containerd 2.1 by default. For existing clusters, the container runtime is upgraded to containerd 2.1 during node upgrades. For more information, see Introduction to containerd 2.1.

    • ack-ram-authenticator is installed by default on new managed clusters (automatically applied to new clusters). Newly created ACK managed clusters of v1.33 and later install the latest version of ack-ram-authenticator by default. For more information, see \[Service Notice\] ack-ram-authenticator is installed by default on ACK managed clusters of v1.33 and later.

    Feature changes

    • In-place pod resize is promoted to Beta and enabled by default. Dynamically modify the CPU and memory resource configurations of a container without restarting the pod. (Automatically enabled; no action required.)

    • kubectl `--subresources` flag lets you adjust specific subresources directly. For example, run kubectl edit pod <pod-name> --subresource resize to resize a pod's resources. Supported subresources in Kubernetes 1.33: status, scale, and resize. (No migration required.)

    • EndpointSlice TopologyAwareHints is promoted to General Availability (GA). The Beta annotation service.kubernetes.io/topology-mode is deprecated—use the spec.trafficDistribution field instead. Setting trafficDistribution to PreferClose routes traffic to endpoints in the same zone as the client. For more information, see Traffic distribution. (Migration required: update service.kubernetes.io/topology-mode annotations to use spec.trafficDistribution.)

    • `.status.resize` field is deprecated and can no longer be set. Two new condition fields replace it: PodResizeInProgress and PodResizePending. (Migration required if you read or set .status.resize.)

    • DisableNodeKubeProxyVersion is enabled by default and cannot be disabled. The kubelet no longer sets the status.kubeProxyVersion field on a node. (Automatically applied; no action required unless you depend on status.kubeProxyVersion.)

    • StatefulSet `.spec.serviceName` is now optional. Validation is strengthened to enforce the DNS-1123 standard. If an existing StatefulSet fails this validation, no new pods can be created until the field is manually removed. This moves DNS validation from pod creation to the StatefulSet resource configuration phase, reducing failed retries by the StatefulSet controller. (Action required: check existing StatefulSets if you see pod creation failures after upgrading.)

    • Git-Repo volume plugin is disabled by default. To re-enable it, manually set the GitRepoVolumeDriver feature gate. (Action required if you use Git-Repo volumes.)

    • Security fix: Version 1.33.3-aliyun.1 patches CVE-2025-4563.

    Features

    Workload and pod lifecycle

    • Sidecar containers are promoted to GA and enabled by default. A sidecar container is a special type of init container. Set restartPolicy: Always to keep it running throughout the pod lifecycle. Probe configuration is also supported. (Automatically enabled; no action required.)

    • PodLifecycleSleepActionAllowZero is promoted to Beta. The sleep action in a preStop lifecycle hook can now be set to a wait time of 0 seconds. (Automatically enabled; no action required.)

    • UserNamespacesSupport is promoted to Beta and enabled by default. Pods can use Linux user namespaces to improve container isolation. This change does not affect existing pods. To use this feature, you must manually specify pod.spec.hostUsers. For more information, see User namespaces enabled by default. (Opt-in required: set pod.spec.hostUsers to enable per pod.)

    Security and access control

    • SupplementalGroupsPolicy is promoted to Beta and enabled by default. Control supplemental groups for a pod through the .spec.securityContext.supplementalGroupsPolicy field for more precise access permissions on persistent volumes. For more information, see Configure fine-grained SupplementalGroups control for a pod. (Opt-in required: set .spec.securityContext.supplementalGroupsPolicy on the pod.)

    • ProcMountType is promoted to Beta. Customize the mount type of the /proc file system in a container using the securityContext.procMount field. This is particularly useful for unprivileged containers running in user namespaces, where relaxing /proc restrictions improves compatibility. (Opt-in required: set securityContext.procMount to use.)

    Scheduling

    • SchedulerPopFromBackoffQ is added and enabled by default. When the activeQ is empty, pods are popped directly from the backoffQ, significantly reducing scheduling latency. (Automatically enabled; no action required.)

    • SchedulerAsyncPreemption is promoted to Beta and enabled by default. Preemptive scheduling runs asynchronously, reducing the latency impact of preemption on the scheduling cycle. (Automatically enabled; no action required.)

    • Scheduling performance for topology spread constraints is optimized. (Automatically applied; no action required.)

    • MatchLabelKeysInPodAffinity is promoted to GA and enabled by default. Pod affinity rules now support matchLabelKeys and mismatchLabelKeys for more precise control over pod colocation. (Opt-in required: set matchLabelKeys or mismatchLabelKeys in pod affinity rules to use.)

    • NodeInclusionPolicyInPodTopologySpread is promoted to GA and enabled by default. Use nodeAffinityPolicy and nodeTaintsPolicy in pod topology spread constraints to filter schedulable nodes dynamically. (Automatically applied with default values; configure explicitly to change behavior.)

      • nodeAffinityPolicy: Defaults to Honor. Only nodes matching the pod's nodeSelector or nodeAffinity are included in topology spread calculations.

      • nodeTaintsPolicy: Defaults to Ignore. The nodeAffinity and nodeSelector rules are ignored, and all nodes are included in the topology spread calculation.

    • CPUManagerPolicyOptions is promoted to GA and enabled by default. Fine-tune CPU Manager resource allocation with two options: (Opt-in required: configure CPUManagerPolicy options to use.)

    Storage and networking

    • HonorPVReclaimPolicy is promoted to GA and enabled by default. When a persistent volume's (PV) reclaimPolicy is set to Delete, the underlying storage resource is deleted according to the policy regardless of the deletion order of the PV or PVC, preventing storage resource leaks. (Automatically applied; no action required.)

    • MultiCIDRServiceAllocator is promoted to GA and enabled by default. Introduces ServiceCIDR and IPAddress resources to track ClusterIP allocations for Services. The allocatable ClusterIP range can be expanded dynamically through ServiceCIDR. (Automatically enabled; no action required.)

    • ImageVolume is promoted to Beta but is disabled by default. To use it, manually enable the feature gates on both the kube-apiserver and kubelet. This lets you mount a container image as a read-only volume using an image volume source in a pod. (Opt-in required: enable feature gates on both kube-apiserver and kubelet.)

    • ResourceQuota can now limit the number of PVCs associated with a specific volume attributes class. (Opt-in required: configure ResourceQuota with the volume attributes class.)

    • RelaxedDNSSearchValidation is promoted to Beta and enabled by default. Special characters, including . and _, are now allowed in the .spec.dnsConfig.searches field of a pod, providing more flexibility for DNS configuration. (Automatically enabled; no action required.)

    Jobs

    • JobBackoffLimitPerIndex is promoted to GA. Specify the maximum number of pod retries per index in an indexed job. (Opt-in required: set backoffLimitPerIndex on the job spec.)

    • JobSuccessPolicy is promoted to GA. Define custom success policies for a job—for example, determine job completion based on which indexes succeeded and how many. For more information, see Job's SuccessPolicy goes GA. (Opt-in required: set successPolicy on the job spec.)

    Namespace lifecycle

    • OrderedNamespaceDeletion is promoted to Beta. When a namespace is deleted, workload pods are removed first, followed by dependencies such as NetworkPolicy and storage resources. This prevents pods from remaining after critical security resources are deleted. (Automatically applied; no action required.)

    API server performance

    • Streaming list responses replace the WatchList mechanism. The kube-apiserver now uses StreamingCollectionEncodingToJSON and StreamingCollectionEncodingToProtobuf to stream responses for large-scale resource list requests. For list requests containing many resources, this significantly reduces memory usage and improves system stability. The kube-controller-manager no longer actively enables the WatchListClient feature. For more information, see Streaming list responses. (Automatically applied; no action required.)

    Deprecated APIs

    • CRI v1alpha2 is removed in containerd 2.1. This affects workloads or tooling that directly call the CRI v1alpha2 API. Migrate to the CRI v1 API before upgrading. (Migration required if you use CRI v1alpha2.)

    • The v1 Endpoints API is officially deprecated. This affects only users who call the Endpoints API directly from workloads or scripts. Migrate to the EndpointSlice API, which has been stable since Kubernetes 1.21 and supports dual-stack networking. The v1 Endpoints API will not be removed at this time. For more information, see Continuing the transition from Endpoints to EndpointSlices. (Migration required only if you call the Endpoints API directly.)

    • The `apidiscovery.k8s.io/v2beta1` API group is disabled. This affects clients that use v2beta1 to query registered API resources in a cluster. Migrate to the stable v2 version. Clients not yet updated for v2 fall back to the unaggregated v1 API automatically, but must make multiple API calls to retrieve complete data, which may increase request count and latency. (Migration required if you use apidiscovery.k8s.io/v2beta1.)

    References

    For the complete changelog for Kubernetes 1.33, see CHANGELOG-1.33 and Kubernetes v1.33: Octarine.