Alibaba Cloud Container Service for Kubernetes (ACK) is certified conformant with the community release. This topic describes what changed in ACK's Kubernetes 1.34 release: upgrade considerations, breaking changes, behavioral changes, and new or promoted features.
Component versions
| Core component | Version |
|---|---|
| Kubernetes | 1.34.1-aliyun.1, 1.34.3-aliyun.1 |
| etcd | v3.5.21 |
| containerd | 2.1.3 |
| CoreDNS | v1.11.3.5-5321daf49-aliyun |
| CSI | Upgraded to the latest supported version. For more information, see the component changelogs for csi-plugin and csi-provisioner. |
| CNI (Flannel) | v0.15.1.23-33d25c1-aliyun |
| Terway / TerwayControlplane | v1.15.0 or later |
Breaking changes
Review the following changes before upgrading to Kubernetes 1.34. Each change may require action on your part.
The --register-schedulable flag is removed
The --register-schedulable flag is removed in Kubernetes 1.34. Marking a node as unschedulable during registration no longer works, so the node pool option Make nodes unschedulable no longer takes effect. For more information, see kubelet: remove --register-schedulable flag #122384.
Who is affected: Clusters that rely on the node pool Make nodes unschedulable setting to prevent scheduling on newly added nodes.
What to do: Use node taints instead. Do not use node.kubernetes.io/unschedulable as the taint key.
TLS cipher suites removed from kubelet
The kubelet server no longer supports the TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256 cipher suites.
Who is affected: Clients that connect to the kubelet server and negotiate exclusively using these cipher suites.
What to do: Update clients to use supported cipher suites before upgrading. After you upgrade an existing cluster to version 1.34, new nodes automatically apply this change.
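A pre-upgrade check for the "Who is affected" condition above, as an added example that is not part of the original page or of ACK tooling: it classifies a client's configured cipher suite names using Go's crypto/tls and flags a client that can only offer the two removed suites. `Audit`, `AuditClientSuites` and the sample list in `main` are hypothetical names and constructed input.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// The two suites the page lists as removed from the kubelet server in 1.34.
var removedSuites = map[uint16]bool{
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384: true,
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256: true,
}

// Audit (hypothetical type) classifies one client's configured suite names.
type Audit struct {
	Removed  []string // suites the 1.34 kubelet server no longer supports
	Other    []string // recognised suites outside the removal (kubelet support not checked)
	Unknown  []string // names crypto/tls does not recognise, such as typos
	Affected bool     // true when the client can only offer removed suites
}

// AuditClientSuites takes comma-separated IANA suite names; empty means library defaults.
func AuditClientSuites(list string) Audit {
	ids := map[string]uint16{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		ids[s.Name] = s.ID
	}
	var a Audit
	for _, name := range strings.Split(list, ",") {
		if name = strings.TrimSpace(name); name == "" {
			continue
		}
		switch id, ok := ids[name]; {
		case !ok:
			a.Unknown = append(a.Unknown, name)
		case removedSuites[id]:
			a.Removed = append(a.Removed, name)
		default:
			a.Other = append(a.Other, name)
		}
	}
	a.Affected = len(a.Removed) > 0 && len(a.Other) == 0
	return a
}

func main() { // the suite list below is constructed, not taken from a real cluster
	fmt.Printf("%+v\n", AuditClientSuites("TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
}
```

A client reported with `Affected: true` needs its suite list changed before the upgrade; an unrecognised name counts as unusable, so a list of removed suites plus a typo is still flagged.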
Behavioral changes
Default OS image changed to Alibaba Cloud Linux 3
When you create a node pool without specifying an OS image, the default is now the container-optimized version of Alibaba Cloud Linux 3.
kube-proxy removed from Terway DataPath V2 nodes
For new clusters that use the Terway network plugin with DataPath V2 enabled, kube-proxy no longer runs on nodes. DataPath V2 uses eBPF to handle network acceleration in shared ENI mode, making kube-proxy redundant. This change applies to new clusters only.
Kubelet certificate auto-rotation enabled by default in ACK Pro
In ACK Pro clusters, the serverTLSBootstrap parameter and the RotateKubeletServerCertificate feature gate are now enabled by default for regular and managed node pools. With this configuration:
- Kubelet server-side certificates on each node rotate automatically.
- The cluster CA validates kubelet server-side certificates, improving node security.
Feature updates
GA: Dynamic Resource Allocation (DRA) core APIs
The core APIs for Dynamic Resource Allocation (DRA) have graduated to GA and are enabled by default. DRA lets workloads request hardware resources by specifying required device properties. The scheduler handles device allocation and places the pod on a node that can access those devices; the device driver and kubelet then configure the device and grant the pod access.
Several DRA-related capabilities have also graduated to Beta and are enabled by default:
- Administrators can access in-use devices with limited permissions for monitoring and diagnostics.
- Workloads can specify an optional list of preferred device allocation plans at request time.
- Kubelet monitors and reports DRA-allocated resources for pods on a node.
GA: Pod replacement policy for Jobs
The .spec.podReplacementPolicy field for Jobs has graduated to GA. By default, a replacement pod is created as soon as the old pod starts terminating, which can cause resource contention. Set .spec.podReplacementPolicy to delay replacement pod creation until the old pod is fully terminated—avoiding contention and unnecessary node scale-outs.
GA: RecoverVolumeExpansionFailure
RecoverVolumeExpansionFailure has graduated to GA. If a PVC (PersistentVolumeClaim) volume expansion fails because the requested capacity is too large, reduce the capacity request in the PVC to recover.
GA: VolumeAttributesClass
Volume Attributes Classes have graduated to GA and are enabled by default. Define common volume parameters in a VolumeAttributesClass object, then reference it from a PVC to apply those parameters.
kube-apiserver performance improvements
This release includes two improvements to kube-apiserver stability and memory efficiency:
- Reads served from cache: Read requests are now served from cache rather than passed through to etcd. This reduces etcd load and lowers kube-apiserver memory pressure. Kubernetes 1.31 introduced Consistent Reads from Cache; 1.34 adds a Snapshottable API server cache for historical data.
- Streaming LIST responses: LIST responses can now be returned as a stream, keeping server-side memory usage constant even when clients pull large datasets. For more information, see Streaming Encoding for LIST Responses.
Improved: Static pod dependency handling
If a static pod references an API object that does not exist—such as a Secret, ConfigMap, PVC, or ServiceAccount—kubelet now refuses to start the pod's containers. This prevents the pod from starting with missing dependencies and entering an unstable state.
Beta: PodLevelResources
PodLevelResources has graduated to Beta. Set total resource requests and limits at the pod level instead of individually for each container. The combined resource consumption of all containers in the pod cannot exceed the pod-level limits.
PodLevelResources is not supported on Windows nodes.
Beta: Kubelet short-term credentials for image pulls
Kubelet now supports using short-term credentials to authenticate with container image repositories. Short-term credentials reduce the risk associated with long-lived credentials. For more information, see Service Account Token Integration for Image Pulls Graduates to Beta.
Beta: ExternalServiceAccountTokenSigner
ExternalServiceAccountTokenSigner has graduated to Beta. This feature introduces the ExternalJWTSigner gRPC service, enabling an external key management solution to sign ServiceAccount tokens instead of using the local static key.
Beta: SchedulerAsyncAPICalls
SchedulerAsyncAPICalls has graduated to Beta and is enabled by default. kube-scheduler previously blocked scheduling threads on slow API calls during the scheduling cycle. With asynchronous API calls, scheduling latency decreases, threads are not blocked by slow responses, and unschedulable pods get faster retry opportunities. For more information, see Asynchronous API calls during scheduling.
Beta: WindowsGracefulNodeShutdown
WindowsGracefulNodeShutdown has graduated to Beta, adding support for graceful node shutdown on Windows nodes.
Beta: PreferSameTrafficDistribution
PreferSameTrafficDistribution has graduated to Beta. Set the .spec.trafficDistribution field of a Service to PreferSameZone or PreferSameNode to prioritize routing traffic to endpoints in the same zone or on the same node. The previous PreferClose option is deprecated. For more information, see Traffic Distribution.
Beta: kubeletPSI metrics
The kubeletPSI feature has graduated to Beta. kubelet now exposes Pressure Stall Information (PSI) metrics through the Summary API and Prometheus. For more information, see PSI Metrics for Kubernetes Graduates to Beta.
New: CPU Manager prefer-align-cpus-by-uncorecache option
The CPU Manager static policy now supports the prefer-align-cpus-by-uncorecache option. On processors with a separate uncore cache architecture, this option aligns CPU assignments to the same uncore cache domain, improving workload performance. For more information, see Introducing CPU Manager Static Policy Option for Uncore Cache Alignment.
New: kubectl user preferences with .kuberc
By default, kubectl supports a .kuberc file for storing user preferences. Unlike kubeconfig, which holds authentication credentials, .kuberc is intended for non-sensitive client configuration. For more information, see Introduce kuberc.
Bug fix
Version 1.34.3-aliyun.1 resolves an issue where pods that request resources using DRA get stuck in the Terminating state when deleted. For more information, see #133920.
References
For the complete Kubernetes 1.34 changelog, see CHANGELOG-1.34 and Kubernetes v1.34: Of Wind & Will (O' WaW).