Alibaba CloudContainer Compute Service (ACS) complies with the Certified Kubernetes Conformance Program. This document describes the major changes in Kubernetes 1.26, including upgrade notes, breaking changes, new features, deprecated features and APIs, feature gates, and security enhancements.
Upgrade notes
The following components are updated in ACK clusters to support Kubernetes 1.26.
Core component | Version | Notes |
Kubernetes | 1.26.15-aliyunacs.1 |
|
etcd | v3.5.9 | None |
CoreDNS | v1.9.3.10-7dfca203-aliyun | None |
CRI | containerd 1.6.22.1-20240524143336 | Supports only Kubernetes 1.24.0 and later. |
CSI | v1.30.1-1.acs-685ce77-aliyun | None |
CNI | Terway and TerwayControlplane v1.5.0 or later | None |
Release analysis
Breaking changes
Kubernetes 1.25 and 1.26 deprecate a large number of beta APIs. Before upgrading, you must verify that controllers and applications that use the beta APIs have been updated to the stable API versions. For more information, see Deprecated APIs.
Kubernetes 1.26 drops support for CRI v1alpha2 and requires the container runtime to support CRI v1. Therefore, Kubernetes 1.26 does not support containerd 1.5 or earlier. Containerd 1.6 is the minimum version required. When you upgrade a cluster, you must upgrade containerd to 1.6.0 or later before upgrading the nodes to Kubernetes 1.26.
PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25. PodSecurityPolicy is complex to use and can easily grant more permissions than intended, which causes serious availability issues. For more information, see The Historical Context of PodSecurityPolicy.
If your clusters use PodSecurityPolicy, apply one of the following admission controls before upgrading them.
Use the policy management feature provided by ACK. ACK provides more policy rules tailored for Kubernetes application scenarios and simplifies rule configurations. For more information, see Configure container security policies.
Use the built-in Pod Security Admission. This feature is easier to use. For more information, see Pod Security Admission. For more information about how to migrate from PodSecurityPolicy to the built-in PodSecurity admission controller, see Migrate from PodSecurityPolicy to the Built-in PodSecurity Admission Controller.
Deploy and configure a third-party admission plugin.
The following CVE vulnerabilities are fixed in 1.26.15-aliyunacs.1:
CVE-2023-45288
CVE-2024-3177
CVE-2024-24786
New features
The ephemeral container feature was in beta in Kubernetes 1.23 and is promoted to Stable in Kubernetes 1.25. If a container crashes or lacks the debugging tools to run the
kubectl execcommand, you can run an ephemeral container in the existing Pod to check its status and run arbitrary commands. For more information, see Ephemeral Containers.In Kubernetes 1.25, support for cgroups v2 is promoted to Stable. cgroups v2 provides many improvements over cgroups v1. For more information, see cgroup v2.
In Kubernetes 1.25, Kubernetes continues to optimize its support for Windows, for example, unit testing, conformance testing, and a new repository for Windows Operational Readiness.
In Kubernetes 1.25, the k8s.gcr.io image registry is migrated to registry.k8s.io, and traffic is redirected to registry.k8s.io. For more information, see k8s.gcr.io Redirect to registry.k8s.io.
In Kubernetes 1.25, the EndPort field in NetworkPolicy is promoted to General Availability (GA). If your NetworkPolicy provider supports the EndPort field, you can use this field to specify a port range in a NetworkPolicy. If your NetworkPolicy provider does not support EndPort, only a single-port network policy is created. For more information, see Network Policies.
In Kubernetes 1.25, local ephemeral storage capacity isolation is promoted to General Availability (GA). This feature supports local ephemeral storage capacity isolation between Pods, such as for EmptyDir. Therefore, if a Pod consumes local ephemeral storage beyond its configured limit, the kubelet can evict the Pod to enforce a hard limit on its consumption of shared resources. For more information, see Local Ephemeral Storage Capacity Isolation.
In Kubernetes 1.25, CSI ephemeral volumes are promoted to Stable. This feature allows you to specify CSI volumes directly in a Pod definition for temporary use, bypassing the need for PersistentVolumes (PVs) or PersistentVolumeClaims (PVCs). For more information, see CSI Ephemeral Volumes.
In Kubernetes 1.25, the KMS v2 alpha1 API is introduced to improve performance, rotation, and observability. The API uses AES-GCM instead of AES-CBC to implement encryption at rest for Kubernetes Secrets by using a data encryption key (DEK). This process requires no extra operations and supports reads with both AES-GCM and AES-CBC. For more information, see Using a KMS provider for data encryption.
In Kubernetes 1.25, Kubernetes specifies a new standard interface for object storage, the Container Object Storage Interface (COSI). COSI aims to standardize the use of object storage and is currently in alpha.
In Kubernetes v1.25, if the PodHasNetwork condition in a Pod's
statusfield is set to True, it indicates that the Pod runtime sandbox has been successfully initialized and created, and that networking is configured. The Kubelet starts to pull images and start containers only after the PodHasNetwork condition is set to True. Therefore, this condition can be used as a metric for Pod initialization latency that excludes factors such as image pulling speed and application load. This allows you to accurately generate Service Level Indicators (SLIs). Because PodHasNetwork is in its alpha stage, you must enable the PodHasNetworkCondition feature gate on the Kubelet to use it. For more information, see the difference between PodHasNetwork and Initialized.In Kubernetes 1.25, the minReadySeconds field of StatefulSets is promoted to Stable. This allows each Pod to wait for a specified period to slow down the rolling update of a StatefulSet. For more information, see Minimum Ready Seconds.
In Kubernetes 1.25, the maxSurge field of DaemonSets is promoted to Stable. This allows a DaemonSet workload to run multiple instances of the same Pod on a node during a rolling update, which helps minimize the downtime of the DaemonSet. You cannot use the maxSurge and hostPort fields at the same time because two active Pods cannot share the same port on a node. For more information, see Perform a Rolling Update on a DaemonSet.
In Kubernetes 1.25, an alpha feature provides support for running Pods by using a user namespace. The root user in a Pod is mapped to a non-zero ID outside the container. This way, the Pod runs as the root user from the container's perspective, but as a regular unprivileged user from the host's perspective. This feature is in alpha. To use this feature, you must enable the UserNamespacesStatelessPodsSupport feature gate and ensure that the container runtime supports this feature. For more information, see Alpha support for running Pods with user namespaces.
In Kubernetes 1.25, a feature gate named RetroactiveDefaultStorageClass is added to change the way the default StorageClass is assigned to a PVC. Previously, you needed to create a StorageClass and then a PVC to have the default StorageClass assigned. Otherwise, the StorageClass of the PVC would remain nil. After this feature is enabled, PVCs without an assigned StorageClass can be automatically updated with the default StorageClass without being re-created. This feature is promoted to Beta in Kubernetes 1.26 and is enabled by default.
In Kubernetes 1.25, the JobPodFailurePolicy feature is added to allow you to configure a Job to specify how to handle Pod failures based on container exit codes and Pod conditions. This feature is promoted to Beta in Kubernetes 1.26. You can configure the podFailurePolicy field in the Job definition to specify a Pod failure policy, which helps avoid unnecessary Pod retries and ignore Pod evictions. For more information, see Pod failure policy.
In Kubernetes 1.25, an issue where the PodTopologySpread feature caused uneven Pod distribution that violated constraints during rolling updates is fixed. The minDomains field is in Beta.
In Kubernetes 1.25, the performance of kube-proxy is improved for large clusters. For example, in a cluster with 1,000 Endpoints, unused iptables rules are retained for up to one maximum synchronization period and are therefore exempt from scanning during each synchronization. For smaller clusters, unused iptables rules are still immediately deleted.
In Kubernetes 1.26, the dynamic resource allocation feature is added to request and share resources between Pods and between containers within a Pod. This feature allows users to initialize resources by providing parameters. This feature is in alpha. To use this feature, you must enable the DynamicResourceAllocation feature gate and the resource.k8s.io/v1alpha1 API group, and install a driver for the specific resources that you want to manage. For more information, see Alpha API For Dynamic Resource Allocation.
In Kubernetes 1.26, non-graceful node shutdown entered the Beta stage. When a node fails, Pods on that node remain in the Terminating state, and VolumeAttachments cannot be deleted. For StatefulSet Pods, a new Pod is not started on another node because Pod names must be unique. Unlike graceful node shutdown, which is handled by the Kubelet detecting a node shutdown event, non-graceful node shutdown requires you to manually add an
out-of-servicetaint to the Node. This triggers the movement of Pods to new running nodes. After the node recovers, you must also manually remove the taint.In Kubernetes 1.26, the Pod fsGroup can be passed to CSI drivers during mounting, which allows the CSI driver to change the permissions of files and directories in a volume instead of the kubelet. This feature is mostly transparent to users. If you are a CSI driver developer, see CSI Driver fsGroup Support.
The Pod scheduling gates feature, introduced in Kubernetes 1.26, informs the scheduler when to start scheduling a Pod. The performance of the scheduler can be affected when a large number of Pods are blocked by external events and cannot be scheduled for a long time. The scheduling gates feature resolves this issue by allowing you to declare that newly created Pods are not yet ready to be scheduled. When the
spec.schedulingGatesfield is set for a Pod, the scheduler ignores the Pod, which prevents unnecessary scheduling attempts. This feature requires an external controller to determine when the Pod is ready to be scheduled and to clear the gates. For more information, see Pod Scheduling Gates.In Kubernetes 1.26, the cpu manager is promoted to General Availability (GA). This feature has been in Beta since Kubernetes v1.10. It is part of the kubelet and is responsible for allocating exclusive CPUs to containers. The cpu manager supports three policy options. For more information, see Control CPU Management Policies on the Node.
In Kubernetes 1.26, alpha support for cross-namespace storage data sources is provided. This allows you to specify a data source for a PVC when the source data belongs to a different namespace. For more information, see Cross-Namespace Storage Data Sources.
In Kubernetes v1.26, you can configure an eviction policy for unhealthy pods in a PodDisruptionBudget. Setting
.spec.unhealthyPodEvictionPolicy=AlwaysAllowallows unhealthy pods to be evicted without being blocked by the PDB. This feature is currently in the Alpha stage, and you must enable the PDBUnhealthyPodEvictionPolicy feature gate to use it. For more information, see Unhealthy Pod Eviction Policy.In Kubernetes v1.26, the
httpGethandlers forpreStopandpostStartcontainer lifecycle hooks honor theschemeandheadersfields. This makes their behavior consistent with probes and allows you to set custom headers and use HTTPS. If HTTPS is used when HTTP is expected, an error is logged and the handler falls back to using HTTP to maintain backward compatibility. You can disable this feature on the Kubelet by setting the--feature-gates=ConsistentHTTPGetHandlers=falseflag.In Kubernetes v1.26, API Priority and Fairness (APF) supports borrowing seats from other priority levels. Two new fields are added to
.spec.limited:lendablePercentspecifies the percentage of seats that can be lent, andborrowingLimitPercentspecifies the maximum percentage of seats that can be borrowed from other priority levels.In Kubernetes v1.26, the kube-controller-manager component supports setting
--concurrent-horizontal-pod-autoscaler-syncsto specify the number of workers for the HPA (Horizontal Pod Autoscaler) controller.In Kubernetes 1.26, a label selector validation for HPA is added. When multiple HPAs point to the same set of Pods or the same deployment, these HPAs do not take effect and the system generates an AmbiguousSelector event.
In Kubernetes v1.26, when multiple StorageClasses are set as the default (via the
storageclass.kubernetes.io/is-default-classannotation), the latest StorageClass is selected as the default, instead of throwing an exception.
Deprecated features
Deprecations and removals of storage drivers
In Kubernetes 1.25, in-tree volume plugins are removed for storage integration. CSI migration is a continuous effort by SIG Storage in previous versions to move in-tree volume plugin code to out-of-tree CSI drivers. In Kubernetes 1.25, core CSI migration is stable.
In Kubernetes 1.25, the GlusterFS and Portworx in-tree volume plugins are deprecated, and the Flocker, Quobyte, and StorageOS in-tree volume plugins are removed. The in-tree vSphere volume driver no longer supports vSphere versions earlier than 7.0u2.
In Kubernetes 1.26, the GlusterFS in-tree driver is removed, and the deprecated OpenStack in-tree storage integration (Cinder volume type) is removed.
Cleanup of iptables chain ownership
Kubernetes typically creates iptables chains to ensure network packets are delivered as expected. These iptables chains and their names are internal implementation details of Kubernetes and are for internal use only. Some components currently rely on these internal implementation details. Kubernetes generally does not want to support tools that rely on these details. For more information, see Kubernetes's IPTables Chains Are Not API.
After Kubernetes 1.25, the kubelet uses the IPTablesCleanup feature gate to complete the migration in stages to stop creating iptables chains in the NAT table, such as KUBE-MARK-DROP, KUBE-MARK-MASQ, and KUBE-POSTROUTING.
For more information about the cleanup of iptables chain ownership, see Cleaning up iptables chain ownership.
Removal of in-tree credential management code
After Kubernetes 1.26, the embedded vendor-specific authentication code for Azure and Google Cloud is removed from client-go and kubectl. You can use the authentication plugin mechanism instead. For more information, see Authentication plugins.
Removal of kube-proxy components
In Kubernetes 1.26, the Userspace proxy mode has been removed. This deprecated mode is no longer supported on Linux or Windows. Linux users should use iptables or IPVS, and Windows users should use Kernelspace. Using
--mode userspacewill now fail.The Windows winkernel kube-proxy no longer supports Windows HNS v1 APIs.
Deprecation of the kubectl
--prune-whitelistflagIn Kubernetes 1.26, to support the Inclusive Naming Initiative, the
--prune-whitelistflag will be deprecated and replaced with--prune-allowlist, and will be completely removed in the future.Removal of dynamic Kubelet configuration
The DynamicKubeletConfig feature gate is removed. This feature allows you to dynamically update the kubelet configuration on a node by using an API. The related code was removed from the kubelet in Kubernetes 1.24 and from the API server in Kubernetes 1.26. Removing this logic helps simplify the code and improve reliability. The recommended approach is to modify the kubelet configuration file and restart the kubelet. For more information, see Remove Dynamic Kubelet Configuration from the API server.
Removal of command-line parameters
In Kubernetes 1.25, the UnversionedKubeletConfigMap from kubeadm reaches GA. By default, kube-system or kubelet-config is used instead of kube-system or kubelet-config-x.yy.
As of Kubernetes 1.25, kubeadm no longer applies the
node-role.kubernetes.io/master:NoScheduletaint to control plane nodes. This taint is also removed when you runkubeadm upgrade apply.In Kubernetes 1.25, the Seccomp annotations
seccomp.security.alpha.kubernetes.io/podandcontainer.seccomp.security.alpha.kubernetes.ioare no longer supported. We recommend that you use SeccompProfile instead. For more information, see Restrict a Container's Syscalls with seccomp.In Kubernetes 1.25 and Kubernetes 1.26, some startup parameters of kube-controller-manager are deprecated and removed.
deleting-pods-qps, deleting-pods-burst, and register-retry-count are removed.
experimental-cluster-signing-duration and pod-eviction-timeout are deprecated and replaced with cluster-signing-duration.
In Kubernetes 1.27, pod-eviction-timeout and enable-taint-manager will be removed together.
In Kubernetes 1.26, some log-related command-line parameters that were deprecated in previous versions are removed.
In Kubernetes 1.26, the --master-service-namespace command-line parameter is deprecated. It has no effect on the API server.
In Kubernetes 1.26, several unused flags for
kubectl runwill be marked as deprecated and removed in a future version. These flags include--cascade,--filename,--force,--grace-period,--kustomize,--recursive,--timeout, and--wait.
Deprecated APIs
The following APIs are deprecated in Kubernetes 1.25 and 1.26. For more information, see Deprecated API Migration Guide.
CronJob
After Kubernetes 1.25, the batch/v1beta1 API version of CronJob is no longer served. You can use the batch/v1 API version, which is available since Kubernetes 1.21.
EndpointSlice
After Kubernetes 1.25, the discovery.k8s.io/v1beta1 API version of EndpointSlice is no longer served. You can use the discovery.k8s.io/v1 API version, which is available since Kubernetes 1.21.
The following list describes the notable changes in discovery.k8s.io/v1.
The NodeName field is used for each Endpoint instead of the deprecated topology["kubernetes.io/hostname"] field.
The Zone field is used for each Endpoint instead of the deprecated topology["kubernetes.io/zone"] field.
The Topology field is replaced with the deprecatedTopology field and is not writable in the v1 API version.
Event
After Kubernetes 1.25, the events.k8s.io/v1beta1 API version of Event is no longer served. You can use the events.k8s.io/v1 API version, which is available since Kubernetes v1.19.
The following list describes the notable changes in events.k8s.io/v1.
The type field can only be set to Normal or Warning.
The
involvedObjectfield has been renamed toregarding.When creating a new
events.k8s.io/v1Event,action,reason,reportingController, andreportingInstanceare all required fields.Use the eventTime field instead of the deprecated firstTimestamp field. The firstTimestamp field has been renamed to deprecatedFirstTimestamp and is not allowed in new events.k8s.io/v1 Event objects.
Use the
series.lastObservedTimefield instead of the deprecatedlastTimestampfield. ThelastTimestampfield has been renamed todeprecatedLastTimestampand is not allowed in newevents.k8s.io/v1Eventobjects.Use the
series.countfield instead of the deprecatedcountfield. Thecountfield has been renamed todeprecatedCountand is not allowed in newevents.k8s.io/v1Eventobjects.Use the
reportingControllerfield instead of the deprecatedsource.componentfield. Thesource.componentfield has been renamed todeprecatedSource.componentand is not allowed in newevents.k8s.io/v1Event objects.Use the
reportingInstancefield instead of the deprecatedsource.hostfield. Thesource.hostfield has been renamed todeprecatedSource.hostand is not permitted in newevents.k8s.io/v1Eventobjects.
PodDisruptionBudget
In Kubernetes 1.25 and later, the policy/v1beta1 API version of PodDisruptionBudget is no longer available. Use the policy/v1 API version, which has been available since Kubernetes 1.21.
A notable change in policy/v1 is that setting spec.selector to empty ({}) selects all Pods in the namespace. In the policy/v1beta1 version, an empty spec.selector selected no Pods. If spec.selector is unset, no Pods are selected in either API version.
PodSecurityPolicy
Starting with Kubernetes v1.25, PodSecurityPolicy is no longer available from the policy/v1beta1 API. The PodSecurityPolicy admission controller is also removed. Migrate PodSecurityPolicy to Pod Security Admission or a third-party admission webhook.
For a migration guide, see Migrate from PodSecurityPolicy to the Built-in PodSecurity Admission Controller. For more information about the deprecation, see PodSecurityPolicy Deprecation: Past, Present, and Future.
RuntimeClass
As of Kubernetes v1.25, the
node.k8s.io/v1beta1API version of RuntimeClass is no longer supported. You can use thenode.k8s.io/v1API version, which has been available since Kubernetes v1.20.HorizontalPodAutoscaler
In Kubernetes 1.25 and later, the
autoscaling/v2beta1API version of the HorizontalPodAutoscaler is no longer available.In Kubernetes 1.26 and later, the
autoscaling/v2beta2API version of the HorizontalPodAutoscaler is no longer available. Use theautoscaling/v2API version, which has been available since Kubernetes 1.23.
Flow control resources
As of Kubernetes v1.26, the
flowcontrol.apiserver.k8s.io/v1beta1API version is no longer served for FlowSchema and PriorityLevelConfiguration resources. Theflowcontrol.apiserver.k8s.io/v1beta2API has been available since Kubernetes v1.23. Theflowcontrol.apiserver.k8s.io/v1beta3API is available as of Kubernetes v1.26.
Feature gate
Feature gates generally have three stages: Alpha, Beta, and GA. A feature is disabled by default in the Alpha stage, typically enabled by default in the Beta stage, and always enabled by default in the GA stage. In the GA stage, the feature cannot be disabled and its toggle is removed in a subsequent version. The following are some of the major changes. For more information, see Feature Gates.
In Kubernetes 1.25, SeccompDefault is promoted to Beta. For more information about how to use SeccompDefault, see Restrict a Container's Syscalls with seccomp.
In Kubernetes 1.25, the Custom Resource Definition (CRD) validation expression language is promoted to Beta, and
CustomResourceValidationExpressionsis enabled by default. Using the Common Expression Language (CEL) to validate custom resources is more convenient and efficient than using webhooks. For more information, see Validation rules.In Kubernetes 1.25, the
ServerSideFieldValidationfeature gate is promoted to Beta and is enabled by default. The API server supports validation for unknown fields, which allows for the future removal of this feature from kubectl. For more information, see Server-side field validation.In Kubernetes 1.25, the new
ContainerCheckpointAlpha feature is added, which enables the Kubelet Checkpoint API. For more information, see Kubelet Checkpoint API.In Kubernetes 1.25, the new
PodHasNetworkConditionAlpha feature is added. This feature lets the Kubelet mark a Pod with thePodHasNetworkcondition. For more information, see PodHasNetwork.In Kubernetes 1.25, the new
UserNamespacesStatelessPodsSupportAlpha feature is added to enable user namespace support for stateless Pods.In Kubernetes 1.25, the new
JobPodFailurePolicyAlpha feature is added. It lets you configure how a Job handles Pod failures based on container exit codes and Pod conditions. This feature is promoted to Beta in Kubernetes 1.26.In Kubernetes 1.25, the new
MultiCIDRRangeAllocatorAlpha feature is added. It enables NodeIPAM to support multiple ClusterCIDRs. To enable controller support, configure the kube-controller-manager with--cidr-allocator-type=MultiCIDRRangeAllocator.In Kubernetes 1.25,
StatefulSetMinReadySecondsis promoted to GA. TheminReadySecondsfield is supported by default for StatefulSets and cannot be disabled.In Kubernetes 1.25,
CronJobTimeZoneis promoted to Beta. TheTimeZonefield can be used in CronJobs by default and cannot be disabled.In Kubernetes 1.25,
DaemonSetUpdateSurgeis promoted to GA. TheMaxSurgefield can be used in DaemonSets by default and cannot be disabled.In Kubernetes 1.25,
IdentifyPodOSis promoted to GA. Thespec.podOSfield is enabled by default and cannot be disabled.In Kubernetes 1.25,
CSIInlineVolumeis promoted to GA. Support for CSI inline volumes is enabled by default and cannot be disabled.In Kubernetes 1.25,
EphemeralContainersis promoted to GA. Support for ephemeral containers is enabled by default and cannot be disabled.In Kubernetes 1.25, the new
CSINodeExpandSecretfeature is added. It lets you pass secret authentication data to a CSI driver for use when a node is added.In Kubernetes 1.25,
CSIMigrationis promoted to GA. This feature is enabled by default and cannot be disabled.In Kubernetes 1.25,
CSIMigrationPortworxis promoted to Beta.In Kubernetes 1.25,
ProbeTerminationGracePeriodremains in Beta, but its default value is changed totrue. For more information, see Probe-level terminationGracePeriodSeconds.In Kubernetes 1.26,
JobTrackingWithFinalizersis promoted to GA. By default, Job completion is tracked using finalizers instead of by counting remaining Pods. For more information, see Job tracking with finalizers.In Kubernetes 1.26, the new
PDBUnhealthyPodEvictionPolicyAlpha feature is added. It supports specifying an eviction policy for unhealthy Pods in a PodDisruptionBudget.In Kubernetes 1.26, support for the dynamic resource allocation API is enabled. This provides support for managing and using resources that have custom parameters and are independent of the Pod lifecycle.
In Kubernetes 1.26, the new
StatefulSetStartOrdinalAlpha feature is added. It supports configuring the start ordinal for a StatefulSet.In Kubernetes 1.26,
ServiceInternalTrafficPolicyis promoted to GA. It lets you use theinternalTrafficPolicyfield to configure the internal traffic policy for a Service. This feature is enabled by default and cannot be disabled. For more information, see Service Traffic Policy.In Kubernetes 1.26, the new
ValidatingAdmissionPolicyAlpha feature is added. It implements an extensible admission controller using CEL expressions.In Kubernetes 1.26,
MixedProtocolLBServiceis promoted to GA. It lets you use different protocols in the same Service instance of theLoadBalancertype.In Kubernetes 1.26,
EndpointSliceTerminatingConditionis promoted to GA. It lets you use theTerminatingandServingcondition fields of an EndpointSlice. This feature cannot be disabled.In Kubernetes 1.26,
APIServerIdentityis promoted to Beta. By default, it creates a Lease in thekube-systemnamespace for each active API server.In Kubernetes 1.26,
DelegateFSGroupToCSIDriveris promoted to GA and cannot be disabled.In Kubernetes 1.26,
NodeOutOfServiceVolumeDetachis promoted to Beta and is enabled by default. When a node is marked as out of service with thenode.kubernetes.io/out-of-servicetaint, Pods that do not tolerate this taint are forcibly deleted. Volume detachment is immediately performed for the Pods terminated on that node.In Kubernetes 1.26,
ServiceIPStaticSubrangeis promoted to GA. It enables the Service ClusterIP allocation strategy to subdivide the ClusterIP range.In Kubernetes 1.26,
CPUManagerandDevicePluginsare promoted to GA. These features are enabled by default and cannot be disabled.In Kubernetes 1.26, the new
ComponentSLIsAlpha feature is added. It enables the/metrics/slisendpoint on Kubernetes components such as kubelet, kube-scheduler, kube-proxy, kube-controller-manager, and cloud-controller-manager. This allows for the scraping of health check metrics.In Kubernetes 1.26,
WindowsHostProcessContainersis promoted to GA. Support for Windows HostProcess containers is enabled by default.In Kubernetes 1.26,
ExpandedDNSConfigis promoted to Beta. It lets you use more DNS search domains and a longer search domain list. This requires runtime support.In Kubernetes 1.26,
LegacyServiceAccountTokenNoAutoGenerationis promoted to GA. It stops the automatic generation of service account tokens based on Secrets. This feature is enabled by default and cannot be disabled.In Kubernetes 1.26,
ProxyTerminatingEndpointsis promoted to Beta and is enabled by default. It allows kube-proxy to handle terminating endpoints whenExternalTrafficPolicyis set toLocal.In Kubernetes 1.26, the new
LegacyServiceAccountTokenTrackingAlpha feature is added. It is disabled by default. This feature adds a label,kubernetes.io/legacy-token-last-used, to Secret service account tokens to show the expiration time.In Kubernetes 1.26, the
PodDisruptionConditionsfeature is promoted to Beta and is enabled by default. You can add aDisruptionTargetcondition to a Pod's status to indicate that the Pod is being deleted due to a disruption. You can find more information about the reason for the Pod's termination in thereasonfield. For more information, see Pod disruption conditions.
Enhancements for Kubernetes 1.26
Security enhancements
The access permissions for the following sensitive Kubernetes files on nodes have been further strengthened.
File path | Hardened access permissions |
/etc/kubernetes/admin.conf | 600 |
/etc/kubernetes/kube.conf | 600 |
/etc/kubernetes/controller-manager.conf | 600 |
/etc/kubernetes/kubelet.conf | 600 |
/etc/kubernetes/scheduler.conf | 600 |
/etc/kubernetes/manifests/*.yaml | 600 |
/etc/kubernetes/pki/*.key | 600 |
/etc/kubernetes/pki/*.crt | 600 |
/etc/kubernetes/pki/dashboard/*.crt | 600 |
/etc/kubernetes/pki/etcd/*.pem | 600 |
/var/lib/etcd/cert/*.pem | 600 |
/var/lib/etcd/cert/*.csr | 600 |
/var/lib/kubelet/pki/*.crt | 600 |
/var/lib/kubelet/config.yaml | 600 |
/usr/lib/systemd/system/etcd.service | 600 |
/etc/systemd/system/kubelet.service | 600 |
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf | 600 |