
Container Compute Service: ACK Kubernetes 1.30 release notes

Last Updated: Mar 26, 2026

Alibaba Cloud Container Compute Service (ACS) follows the Certified Kubernetes Conformance Program. This topic covers what changed in Kubernetes 1.30 — including promoted and new features, deprecated features and APIs, and component versions.

Component versions

The following components are updated for Kubernetes 1.30 on ACS clusters.

| Component | Version |
| --- | --- |
| Kubernetes | 1.30.1-aliyunacs.1 |
| etcd | v3.5.9 |
| containerd | 1.6.28 |
| CoreDNS | v1.9.3.10-7dfca203-aliyun |
| CSI | v1.30.1-98960d8-aliyun |
| CNI (Flannel) | v0.15.1.22-20a397e6-aliyun |
| Terway and TerwayControlplane | 1.9.0 and later |

Starting with Kubernetes 1.30, new ACS clusters that use Terway as the network plugin and enable network policy support implement network policies using Extended Berkeley Packet Filter (eBPF). Upgrading existing clusters and components does not change their current behavior. For details, see Use network policies in ACS clusters.

Features

Features from Kubernetes 1.29

The following features were introduced in Kubernetes 1.29 and are included in ACS Kubernetes 1.30 clusters.

PreStop hook sleep action

A sleep action is now available for the PreStop hook, letting containers pause for a specified duration before termination. For details, see KEP-3960: Introducing Sleep Action for PreStop Hook.

Sidecar containers (Beta, enabled by default)

The SidecarContainers feature gate reached Beta and is enabled by default. Set restartPolicy: Always on an init container to run it as a sidecar container. Sidecar containers start, stop, and restart independently without affecting main application containers or other init containers. For details, see Sidecar containers.

Multiple Service CIDRs (Alpha, disabled by default)

Service CIDRs can now dynamically specify the IP address range for ClusterIP Services. This feature gate is at Alpha and disabled by default. For details, see KEP-1880: Multiple Service CIDRs.

PVC API uses VolumeResourceRequirements

The persistent volume claim (PVC) API now uses an independent VolumeResourceRequirements structure containing only requests and limits. This prevents changes to the container API's resources structure (such as adding the claims field) from unintentionally affecting the PVC API. For details, see Volume resource requirements.

PodReadyToStartContainers (Beta, enabled by default)

The PodReadyToStartContainers feature gate reached Beta and is enabled by default. This condition indicates that the pod sandbox is created and the network is configured, giving the kubelet accurate pod status information. For details, see Pod conditions.

matchLabelKeys and mismatchLabelKeys for pod affinity

Pod affinity and pod anti-affinity now support matchLabelKeys and mismatchLabelKeys. These fields address a scheduling issue where the scheduler could not distinguish between old and new pods during Deployment rolling updates. When you configure matchLabelKeys for pod affinity, the Deployment adds the pod-template-hash label to the ReplicaSet, so the scheduler can group pods with the same hash value. For details, see KEP-3633.

ValidatingAdmissionPolicy type checking extended to CRDs

In addition to core Kubernetes API resources, ValidatingAdmissionPolicy type checking now covers CustomResourceDefinitions (CRDs) and API extensions, helping ensure policy reliability and valid cluster configuration. For details, see Type checking.

UserNamespacesPodSecurityStandards (Alpha, disabled by default)

The UserNamespacesPodSecurityStandards feature gate adds support for Pod Security Standards in user namespaces, letting containers run with a non-root or specified user identity in the pod security context. This feature gate is at Alpha and set to false by default. For details, see KEP-127: Update PSS based on feature gate.

DisableNodeKubeProxyVersion (Alpha, disabled by default)

The DisableNodeKubeProxyVersion feature gate deprecates the status.nodeInfo.kubeProxyVersion field on node objects. Because the kubelet may not reliably identify the kube-proxy version, the field value can be inaccurate. This feature gate is at Alpha and set to false by default.

JobBackoffLimitPerIndex (Beta, enabled by default)

The JobBackoffLimitPerIndex feature gate reached Beta and is enabled by default. This lets you set the maximum retry attempts per index in an Indexed Job. For details, see Indexed Job for Parallel Processing with Static Work Assignment.

Features from Kubernetes 1.30

ImageMaximumGCAge (Beta)

ImageMaximumGCAge configures the maximum TTL of an unused container image before garbage collection removes it. The default value is "0s", which disables TTL-based cleanup. This feature gate graduated from Alpha (Kubernetes 1.29) to Beta in Kubernetes 1.30.

image_pull_duration_seconds metric (Alpha)

A new image_pull_duration_seconds metric is added to the kubelet to track image pull duration. For the full list of Alpha metrics, see List of Alpha Kubernetes metrics.

LegacyServiceAccountTokenCleanUp (GA, enabled by default)

The LegacyServiceAccountTokenCleanUp feature gate reached GA and is enabled by default. The cleanup process works as follows:

  • If an auto-generated Secret associated with a ServiceAccount has not been used within a period of time (one year by default) and is not mounted to any pod, kube-controller-manager labels it with kubernetes.io/legacy-token-invalid-since (set to the current date).

  • If the Secret is still unused within a period of time (one year by default) after being labeled, kube-controller-manager deletes it automatically.

To restore a labeled Secret that has not yet been deleted, remove the kubernetes.io/legacy-token-invalid-since label. For details, see Auto-generated legacy ServiceAccount token clean up and Legacy ServiceAccount token cleaner.
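
The following added example (not part of the original release notes) audits a Secret listing for tokens that the cleaner has already labeled and reports the earliest date each could be deleted, together with the command that removes the label. The sample Secrets are constructed, and the code assumes the label value is an ISO date (YYYY-MM-DD) and uses the one-year default period described above.

```python
from datetime import date, timedelta

INVALID_LABEL = "kubernetes.io/legacy-token-invalid-since"
SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"

# Constructed sample in the shape of `kubectl get secrets -A -o json`.
SAMPLE = {"items": [
    {"type": SA_TOKEN_TYPE,
     "metadata": {"name": "build-bot-token-x7k2p", "namespace": "ci",
                  "annotations": {SA_NAME_ANNOTATION: "build-bot"},
                  "labels": {INVALID_LABEL: "2025-06-01"}}},
    {"type": SA_TOKEN_TYPE,
     "metadata": {"name": "legacy-cron-token-b2c8d", "namespace": "batch",
                  "annotations": {SA_NAME_ANNOTATION: "legacy-cron"},
                  "labels": {INVALID_LABEL: "2025-04-15"}}},
    {"type": SA_TOKEN_TYPE,  # never labeled: still considered in use
     "metadata": {"name": "deployer-token-q9m4z", "namespace": "prod",
                  "annotations": {SA_NAME_ANNOTATION: "deployer"}}},
    {"type": "Opaque", "metadata": {"name": "db-password", "namespace": "prod"}},
]}

def flagged_legacy_tokens(secret_list, today, period_days=365):
    """List labeled ServiceAccount token Secrets, soonest deletion first.

    period_days=365 mirrors the one-year default described above; the label
    value is assumed to be an ISO date (YYYY-MM-DD).
    """
    findings = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        since = (meta.get("labels") or {}).get(INVALID_LABEL)
        if item.get("type") != SA_TOKEN_TYPE or since is None:
            continue
        delete_after = date.fromisoformat(since) + timedelta(days=period_days)
        ns, name = meta["namespace"], meta["name"]
        findings.append({
            "secret": f"{ns}/{name}",
            "service_account": (meta.get("annotations") or {}).get(SA_NAME_ANNOTATION),
            "delete_after": delete_after,  # earliest possible deletion
            "days_left": (delete_after - today).days,
            # A trailing "-" removes the label, which restores the token.
            "restore_cmd": f"kubectl label secret {name} -n {ns} {INVALID_LABEL}-",
        })
    return sorted(findings, key=lambda f: f["delete_after"])

if __name__ == "__main__":
    for finding in flagged_legacy_tokens(SAMPLE, date(2026, 3, 26)):
        print(finding)
```

Review each finding with the owner of the listed ServiceAccount before restoring it; a token that nothing has used for a year is usually better left to be deleted.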

NodePort behavior change when --nodeport-addresses is not set

If --nodeport-addresses is not configured for kube-proxy (the default), NodePort Service updates now affect only the primary node IP address instead of all node IP addresses. For details, see #122724.

Important

If your workloads rely on NodePort Services updating all node IP addresses, configure --nodeport-addresses explicitly before upgrading to Kubernetes 1.30.

OIDC Issuer URL and ServiceAccount Issuer URL must differ

The OIDC Issuer URL and the API server ServiceAccount Issuer URL must not use the same value. Using the same parameter for both causes configuration conflicts and security issues. For details, see #123561.

Important

If your cluster configures the OIDC Issuer URL and the API server ServiceAccount Issuer URL with the same parameter, update the configuration before upgrading to Kubernetes 1.30.

LoadBalancerIPMode (Beta)

The LoadBalancerIPMode feature gate reached Beta. It adds the .status.loadBalancer.ingress.ipMode field to LoadBalancer Services, specifying how requests sent to the load balancer IP address are forwarded. This field is only available when .status.loadBalancer.ingress.ip is set. For details, see Specifying IPMode of load balancer status and Load Balancer IP Mode for Services.

HPA container resource metrics (GA)

Horizontal Pod Autoscaler (HPA) scaling based on per-container resource metrics reached GA in Kubernetes 1.30. This lets you set independent scaling thresholds for each container in a pod, rather than scaling based on aggregate pod resource usage. For details, see Container resource metrics.

AdmissionWebhookMatchConditions (GA, enabled by default)

The AdmissionWebhookMatchConditions feature gate reached GA, is enabled by default, and cannot be disabled. It lets you define match conditions on admission webhooks for finer-grained control over when webhooks are triggered. For details, see Dynamic admission control.

JobSuccessPolicy (Alpha)

The JobSuccessPolicy feature gate is added at Alpha. It lets you declare a Job complete based on a subset of successful pods — either by specifying particular pod indexes (such as indexes X, Y, and Z) or a minimum count of successful indexes. For details, see Job success/completion policy.

RelaxedEnvironmentVariableValidation (Alpha, disabled by default)

The RelaxedEnvironmentVariableValidation feature gate is added at Alpha. When enabled, environment variable names can include most printable ASCII characters (code points 32 through 126), excluding the equal sign (=). This feature gate is disabled by default. For details, see #123385.

CustomResourceFieldSelectors (Alpha, disabled by default)

The CustomResourceFieldSelectors feature gate is added at Alpha. It lets you configure selectableFields on CRDs so that field selectors can filter List, Watch, and DeleteCollection requests. This feature gate is disabled by default. For details, see Custom Resource field selectors.

CRDValidationRatcheting (Beta, enabled by default)

The CRDValidationRatcheting feature gate reached Beta and is enabled by default. When a CRD validation rule is updated, the API server no longer blocks updates to existing resources that already fail the new validation — as long as the failing fields are not changed in the update. This prevents new schema rules from breaking existing resources during CRD migrations validated through OpenAPI v3 schemas. For details, see CRD validation ratcheting.

Downward API supports IPv4/IPv6 dual-stack host IPs

The Downward API now exposes status.hostIPs to support IPv4/IPv6 dual-stack. The first IP in the status.hostIPs list always matches status.hostIP. For details, see Downward API.

NodeLogQuery (Beta, disabled by default)

The NodeLogQuery feature gate reached Beta but remains disabled by default. When enabled, it lets you query node service logs through the /logs endpoint. For details, see Log query.

Deprecated features

Kubernetes 1.29

CronJob timezone: use .spec.timeZone instead of CRON_TZ or TZ

CronJobs no longer support CRON_TZ or TZ timezone settings in .spec.schedule. Use .spec.timeZone instead, which has been available since Kubernetes 1.25.

If your CronJobs use CRON_TZ or TZ in .spec.schedule, migrate them to .spec.timeZone before upgrading. For details, see CronJob limitations.
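
One way to perform this migration on parsed manifests, as an added example that is not part of the original release notes. The function name and the sample CronJobs are constructed for illustration; a schedule whose zone disagrees with an existing .spec.timeZone is rejected rather than resolved silently.

```python
import re

# Leading "CRON_TZ=<zone>" or "TZ=<zone>" followed by the cron expression.
_TZ_PREFIX = re.compile(r"^\s*(?:CRON_TZ|TZ)=(\S+)\s+(\S.*)$")

def migrate_cronjob_timezone(cronjob):
    """Return (manifest, changed); the input dict is not modified."""
    spec = cronjob.get("spec") or {}
    match = _TZ_PREFIX.match(spec.get("schedule", ""))
    if cronjob.get("kind") != "CronJob" or not match:
        return cronjob, False
    zone, schedule = match.group(1), match.group(2).strip()
    declared = spec.get("timeZone")
    if declared and declared != zone:
        # Two different zones: refuse to pick one silently.
        raise ValueError(
            f"schedule says {zone!r} but spec.timeZone is {declared!r}")
    new_spec = {**spec, "schedule": schedule, "timeZone": zone}
    return {**cronjob, "spec": new_spec}, True

# Constructed sample manifests (as parsed YAML).
LEGACY = {"apiVersion": "batch/v1", "kind": "CronJob",
          "metadata": {"name": "nightly-report"},
          "spec": {"schedule": "CRON_TZ=Asia/Shanghai 30 2 * * *"}}
MODERN = {"apiVersion": "batch/v1", "kind": "CronJob",
          "metadata": {"name": "hourly-sync"},
          "spec": {"schedule": "0 * * * *", "timeZone": "Etc/UTC"}}

if __name__ == "__main__":
    for manifest in (LEGACY, MODERN):
        migrated, changed = migrate_cronjob_timezone(manifest)
        print(manifest["metadata"]["name"], changed, migrated["spec"])
```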

ClusterCIDR v1alpha1 API removed

The networking/v1alpha1 API ClusterCIDR (Alpha) is removed in Kubernetes 1.29. For reference, see ClusterCIDR v1alpha1.

Kubernetes 1.30

kubectl apply --prune-whitelist removed

The --prune-whitelist flag for kubectl apply is removed in Kubernetes 1.30. Use --prune-allowlist instead, which has been available since --prune-whitelist was deprecated. For details, see --prune.

If your scripts or pipelines use --prune-whitelist, update them to --prune-allowlist before upgrading.

SecurityContextDeny admission plugin removed

The SecurityContextDeny admission plugin, deprecated in Kubernetes 1.27, is removed in Kubernetes 1.30. Use the PodSecurity admission plugin instead, which has been stable and enabled by default since Kubernetes 1.25. For details, see PodSecurity.

If your clusters enable SecurityContextDeny, switch to the PodSecurity admission plugin before upgrading.

Deprecated APIs

The flowcontrol.apiserver.k8s.io/v1beta2 API versions of FlowSchema and PriorityLevelConfiguration are deprecated in Kubernetes 1.29.

Migrate to one of the following supported API versions:

  • flowcontrol.apiserver.k8s.io/v1 (available since Kubernetes 1.29, recommended)

  • flowcontrol.apiserver.k8s.io/v1beta3 (available since Kubernetes 1.26)

Note the following field renames before migrating:

| API version | Old field | New field | Default | Notes |
| --- | --- | --- | --- | --- |
| flowcontrol.apiserver.k8s.io/v1 | spec.limited.assuredConcurrencyShares | spec.limited.nominalConcurrencyShares | 30 | An explicit value of 0 is not converted to 30 |
| flowcontrol.apiserver.k8s.io/v1beta3 | spec.limited.assuredConcurrencyShares | spec.limited.nominalConcurrencyShares | | |

If you are using flowcontrol.apiserver.k8s.io/v1beta2 resources, migrate to v1 or v1beta3 before this API version is removed.
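
The rename and the explicit-zero caveat from the table, as an added example that is not part of the original release notes. The function name and sample manifests are constructed; the code rewrites a parsed v1beta2 manifest for the chosen target version and returns a warning when an explicit 0 would be carried into v1 unchanged.

```python
import copy

GROUP = "flowcontrol.apiserver.k8s.io"
OLD_FIELD, NEW_FIELD = "assuredConcurrencyShares", "nominalConcurrencyShares"

def migrate_flowcontrol(manifest, target_version="v1"):
    """Return (manifest, warnings) for a v1beta2 FlowSchema or
    PriorityLevelConfiguration; other manifests are returned unchanged."""
    if target_version not in ("v1", "v1beta3"):
        raise ValueError(f"unsupported target version: {target_version}")
    if manifest.get("apiVersion") != f"{GROUP}/v1beta2":
        return manifest, []
    out = copy.deepcopy(manifest)
    out["apiVersion"] = f"{GROUP}/{target_version}"
    warnings = []
    limited = (out.get("spec") or {}).get("limited")
    if isinstance(limited, dict) and OLD_FIELD in limited:
        shares = limited.pop(OLD_FIELD)
        limited[NEW_FIELD] = shares
        if shares == 0 and target_version == "v1":
            # Per the table above: v1 does not convert an explicit 0 to 30.
            name = out.get("metadata", {}).get("name", "<unnamed>")
            warnings.append(
                f"{name}: spec.limited.{NEW_FIELD} is an explicit 0 and is "
                "not converted to 30 in v1; set the intended value")
    return out, warnings

# Constructed sample manifests (as parsed YAML).
ZERO_SHARES = {
    "apiVersion": f"{GROUP}/v1beta2", "kind": "PriorityLevelConfiguration",
    "metadata": {"name": "batch-low"},
    "spec": {"type": "Limited",
             "limited": {OLD_FIELD: 0, "limitResponse": {"type": "Reject"}}}}
FLOW_SCHEMA = {
    "apiVersion": f"{GROUP}/v1beta2", "kind": "FlowSchema",
    "metadata": {"name": "batch-jobs"},
    "spec": {"priorityLevelConfiguration": {"name": "batch-low"}}}

if __name__ == "__main__":
    for manifest in (ZERO_SHARES, FLOW_SCHEMA):
        migrated, notes = migrate_flowcontrol(manifest)
        print(migrated["apiVersion"], migrated["kind"], notes)
```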

Feature gates

Feature gates control experimental and graduated features in Kubernetes. Each gate has one of the following stages:

| Stage | Default | Notes |
| --- | --- | --- |
| Alpha | Disabled | Experimental; subject to change |
| Beta | Enabled | Mostly stable; may change before GA |
| GA | Enabled, cannot be disabled | The feature gate is no longer needed |

For a full list of feature gates, their stages, and versions, see Feature Gates.

References