All Products
Search
Document Center

Container Compute Service:Kubernetes 1.26 release notes

Last Updated:Jun 05, 2026

Alibaba CloudContainer Compute Service (ACS) complies with the Certified Kubernetes Conformance Program. This document describes the major changes in Kubernetes 1.26, including upgrade notes, breaking changes, new features, deprecated features and APIs, feature gates, and security enhancements.

Upgrade notes

The following components are updated in ACK clusters to support Kubernetes 1.26.

Core component

Version

Notes

Kubernetes

1.26.15-aliyunacs.1

  • Kubernetes 1.26 includes many optimizations. Before you upgrade, carefully read the Release analysis section.

  • Kubernetes 1.25 and 1.26 deprecate a large number of beta APIs. Before upgrading, verify that controllers and applications using beta APIs have been updated to the recommended stable API versions. For more information, see Deprecated APIs.

  • Kubernetes 1.26 drops support for CRI v1alpha2 and requires the container runtime to support CRI v1. Therefore, Kubernetes 1.26 requires containerd 1.6 or later. Before you upgrade a cluster, you must upgrade containerd to 1.6.0 or later, and then upgrade the nodes to Kubernetes 1.26.

  • PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25. PodSecurityPolicy is complex to use and can easily grant more permissions than intended, which causes serious availability issues. For more information about alternative solutions, see Release analysis.

etcd

v3.5.9

None

CoreDNS

v1.9.3.10-7dfca203-aliyun

None

CRI

containerd 1.6.22.1-20240524143336

Supports only Kubernetes 1.24.0 and later.

CSI

v1.30.1-1.acs-685ce77-aliyun

None

CNI

Terway and TerwayControlplane v1.5.0 or later

None

Release analysis

Breaking changes

  • Kubernetes 1.25 and 1.26 deprecate a large number of beta APIs. Before upgrading, you must verify that controllers and applications that use the beta APIs have been updated to the stable API versions. For more information, see Deprecated APIs.

  • Kubernetes 1.26 drops support for CRI v1alpha2 and requires the container runtime to support CRI v1. Therefore, Kubernetes 1.26 does not support containerd 1.5 or earlier. Containerd 1.6 is the minimum version required. When you upgrade a cluster, you must upgrade containerd to 1.6.0 or later before upgrading the nodes to Kubernetes 1.26.

  • PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25. PodSecurityPolicy is complex to use and can easily grant more permissions than intended, which causes serious availability issues. For more information, see The Historical Context of PodSecurityPolicy.

    If your clusters use PodSecurityPolicy, apply one of the following admission controls before upgrading them.

  • The following CVE vulnerabilities are fixed in 1.26.15-aliyunacs.1:

    • CVE-2023-45288

    • CVE-2024-3177

    • CVE-2024-24786

New features

  • The ephemeral container feature was in beta in Kubernetes 1.23 and is promoted to Stable in Kubernetes 1.25. If a container crashes or lacks the debugging tools to run the kubectl exec command, you can run an ephemeral container in the existing Pod to check its status and run arbitrary commands. For more information, see Ephemeral Containers.

  • In Kubernetes 1.25, support for cgroups v2 is promoted to Stable. cgroups v2 provides many improvements over cgroups v1. For more information, see cgroup v2.

  • In Kubernetes 1.25, Kubernetes continues to optimize its support for Windows, for example, unit testing, conformance testing, and a new repository for Windows Operational Readiness.

  • In Kubernetes 1.25, the k8s.gcr.io image registry is migrated to registry.k8s.io, and traffic is redirected to registry.k8s.io. For more information, see k8s.gcr.io Redirect to registry.k8s.io.

  • In Kubernetes 1.25, the EndPort field in NetworkPolicy is promoted to General Availability (GA). If your NetworkPolicy provider supports the EndPort field, you can use this field to specify a port range in a NetworkPolicy. If your NetworkPolicy provider does not support EndPort, only a single-port network policy is created. For more information, see Network Policies.

  • In Kubernetes 1.25, local ephemeral storage capacity isolation is promoted to General Availability (GA). This feature supports local ephemeral storage capacity isolation between Pods, such as for EmptyDir. Therefore, if a Pod consumes local ephemeral storage beyond its configured limit, the kubelet can evict the Pod to enforce a hard limit on its consumption of shared resources. For more information, see Local Ephemeral Storage Capacity Isolation.

  • In Kubernetes 1.25, CSI ephemeral volumes are promoted to Stable. This feature allows you to specify CSI volumes directly in a Pod definition for temporary use, bypassing the need for PersistentVolumes (PVs) or PersistentVolumeClaims (PVCs). For more information, see CSI Ephemeral Volumes.

  • In Kubernetes 1.25, the KMS v2 alpha1 API is introduced to improve performance, rotation, and observability. The API uses AES-GCM instead of AES-CBC to implement encryption at rest for Kubernetes Secrets by using a data encryption key (DEK). This process requires no extra operations and supports reads with both AES-GCM and AES-CBC. For more information, see Using a KMS provider for data encryption.

  • In Kubernetes 1.25, Kubernetes specifies a new standard interface for object storage, the Container Object Storage Interface (COSI). COSI aims to standardize the use of object storage and is currently in alpha.

  • In Kubernetes v1.25, if the PodHasNetwork condition in a Pod's status field is set to True, it indicates that the Pod runtime sandbox has been successfully initialized and created, and that networking is configured. The Kubelet starts to pull images and start containers only after the PodHasNetwork condition is set to True. Therefore, this condition can be used as a metric for Pod initialization latency that excludes factors such as image pulling speed and application load. This allows you to accurately generate Service Level Indicators (SLIs). Because PodHasNetwork is in its alpha stage, you must enable the PodHasNetworkCondition feature gate on the Kubelet to use it. For more information, see the difference between PodHasNetwork and Initialized.

  • In Kubernetes 1.25, the minReadySeconds field of StatefulSets is promoted to Stable. This allows each Pod to wait for a specified period to slow down the rolling update of a StatefulSet. For more information, see Minimum Ready Seconds.

  • In Kubernetes 1.25, the maxSurge field of DaemonSets is promoted to Stable. This allows a DaemonSet workload to run multiple instances of the same Pod on a node during a rolling update, which helps minimize the downtime of the DaemonSet. You cannot use the maxSurge and hostPort fields at the same time because two active Pods cannot share the same port on a node. For more information, see Perform a Rolling Update on a DaemonSet.

  • In Kubernetes 1.25, an alpha feature provides support for running Pods by using a user namespace. The root user in a Pod is mapped to a non-zero ID outside the container. This way, the Pod runs as the root user from the container's perspective, but as a regular unprivileged user from the host's perspective. This feature is in alpha. To use this feature, you must enable the UserNamespacesStatelessPodsSupport feature gate and ensure that the container runtime supports this feature. For more information, see Alpha support for running Pods with user namespaces.

  • In Kubernetes 1.25, a feature gate named RetroactiveDefaultStorageClass is added to change the way the default StorageClass is assigned to a PVC. Previously, you needed to create a StorageClass and then a PVC to have the default StorageClass assigned. Otherwise, the StorageClass of the PVC would remain nil. After this feature is enabled, PVCs without an assigned StorageClass can be automatically updated with the default StorageClass without being re-created. This feature is promoted to Beta in Kubernetes 1.26 and is enabled by default.

  • In Kubernetes 1.25, the JobPodFailurePolicy feature is added to allow you to configure a Job to specify how to handle Pod failures based on container exit codes and Pod conditions. This feature is promoted to Beta in Kubernetes 1.26. You can configure the podFailurePolicy field in the Job definition to specify a Pod failure policy, which helps avoid unnecessary Pod retries and ignore Pod evictions. For more information, see Pod failure policy.

  • In Kubernetes 1.25, an issue where the PodTopologySpread feature caused uneven Pod distribution that violated constraints during rolling updates is fixed. The minDomains field is in Beta.

  • In Kubernetes 1.25, the performance of kube-proxy is improved for large clusters. For example, in a cluster with 1,000 Endpoints, unused iptables rules are retained for up to one maximum synchronization period and are therefore exempt from scanning during each synchronization. For smaller clusters, unused iptables rules are still immediately deleted.

  • In Kubernetes 1.26, the dynamic resource allocation feature is added to request and share resources between Pods and between containers within a Pod. This feature allows users to initialize resources by providing parameters. This feature is in alpha. To use this feature, you must enable the DynamicResourceAllocation feature gate and the resource.k8s.io/v1alpha1 API group, and install a driver for the specific resources that you want to manage. For more information, see Alpha API For Dynamic Resource Allocation.

  • In Kubernetes 1.26, non-graceful node shutdown entered the Beta stage. When a node fails, Pods on that node remain in the Terminating state, and VolumeAttachments cannot be deleted. For StatefulSet Pods, a new Pod is not started on another node because Pod names must be unique. Unlike graceful node shutdown, which is handled by the Kubelet detecting a node shutdown event, non-graceful node shutdown requires you to manually add an out-of-service taint to the Node. This triggers the movement of Pods to new running nodes. After the node recovers, you must also manually remove the taint.

  • In Kubernetes 1.26, the Pod fsGroup can be passed to CSI drivers during mounting, which allows the CSI driver to change the permissions of files and directories in a volume instead of the kubelet. This feature is mostly transparent to users. If you are a CSI driver developer, see CSI Driver fsGroup Support.

  • The Pod scheduling gates feature, introduced in Kubernetes 1.26, informs the scheduler when to start scheduling a Pod. The performance of the scheduler can be affected when a large number of Pods are blocked by external events and cannot be scheduled for a long time. The scheduling gates feature resolves this issue by allowing you to declare that newly created Pods are not yet ready to be scheduled. When the spec.schedulingGates field is set for a Pod, the scheduler ignores the Pod, which prevents unnecessary scheduling attempts. This feature requires an external controller to determine when the Pod is ready to be scheduled and to clear the gates. For more information, see Pod Scheduling Gates.

  • In Kubernetes 1.26, the cpu manager is promoted to General Availability (GA). This feature has been in Beta since Kubernetes v1.10. It is part of the kubelet and is responsible for allocating exclusive CPUs to containers. The cpu manager supports three policy options. For more information, see Control CPU Management Policies on the Node.

  • In Kubernetes 1.26, alpha support for cross-namespace storage data sources is provided. This allows you to specify a data source for a PVC when the source data belongs to a different namespace. For more information, see Cross-Namespace Storage Data Sources.

  • In Kubernetes v1.26, you can configure an eviction policy for unhealthy pods in a PodDisruptionBudget. Setting .spec.unhealthyPodEvictionPolicy=AlwaysAllow allows unhealthy pods to be evicted without being blocked by the PDB. This feature is currently in the Alpha stage, and you must enable the PDBUnhealthyPodEvictionPolicy feature gate to use it. For more information, see Unhealthy Pod Eviction Policy.

  • In Kubernetes v1.26, the httpGet handlers for preStop and postStart container lifecycle hooks honor the scheme and headers fields. This makes their behavior consistent with probes and allows you to set custom headers and use HTTPS. If HTTPS is used when HTTP is expected, an error is logged and the handler falls back to using HTTP to maintain backward compatibility. You can disable this feature on the Kubelet by setting the --feature-gates=ConsistentHTTPGetHandlers=false flag.

  • In Kubernetes v1.26, API Priority and Fairness (APF) supports borrowing seats from other priority levels. Two new fields are added to .spec.limited: lendablePercent specifies the percentage of seats that can be lent, and borrowingLimitPercent specifies the maximum percentage of seats that can be borrowed from other priority levels.

  • In Kubernetes v1.26, the kube-controller-manager component supports setting --concurrent-horizontal-pod-autoscaler-syncs to specify the number of workers for the HPA (Horizontal Pod Autoscaler) controller.

  • In Kubernetes 1.26, a label selector validation for HPA is added. When multiple HPAs point to the same set of Pods or the same deployment, these HPAs do not take effect and the system generates an AmbiguousSelector event.

  • In Kubernetes v1.26, when multiple StorageClasses are set as the default (via the storageclass.kubernetes.io/is-default-class annotation), the latest StorageClass is selected as the default, instead of throwing an exception.

Deprecated features

  • Deprecations and removals of storage drivers

    • In Kubernetes 1.25, in-tree volume plugins are removed for storage integration. CSI migration is a continuous effort by SIG Storage in previous versions to move in-tree volume plugin code to out-of-tree CSI drivers. In Kubernetes 1.25, core CSI migration is stable.

    • In Kubernetes 1.25, the GlusterFS and Portworx in-tree volume plugins are deprecated, and the Flocker, Quobyte, and StorageOS in-tree volume plugins are removed. The in-tree vSphere volume driver no longer supports vSphere versions earlier than 7.0u2.

    • In Kubernetes 1.26, the GlusterFS in-tree driver is removed, and the deprecated OpenStack in-tree storage integration (Cinder volume type) is removed.

  • Cleanup of iptables chain ownership

    Kubernetes typically creates iptables chains to ensure network packets are delivered as expected. These iptables chains and their names are internal implementation details of Kubernetes and are for internal use only. Some components currently rely on these internal implementation details. Kubernetes generally does not want to support tools that rely on these details. For more information, see Kubernetes's IPTables Chains Are Not API.

    After Kubernetes 1.25, the kubelet uses the IPTablesCleanup feature gate to complete the migration in stages to stop creating iptables chains in the NAT table, such as KUBE-MARK-DROP, KUBE-MARK-MASQ, and KUBE-POSTROUTING.

    For more information about the cleanup of iptables chain ownership, see Cleaning up iptables chain ownership.

  • Removal of in-tree credential management code

    After Kubernetes 1.26, the embedded vendor-specific authentication code for Azure and Google Cloud is removed from client-go and kubectl. You can use the authentication plugin mechanism instead. For more information, see Authentication plugins.

  • Removal of kube-proxy components

    • In Kubernetes 1.26, the Userspace proxy mode has been removed. This deprecated mode is no longer supported on Linux or Windows. Linux users should use iptables or IPVS, and Windows users should use Kernelspace. Using --mode userspace will now fail.

    • The Windows winkernel kube-proxy no longer supports Windows HNS v1 APIs.

  • Deprecation of the kubectl --prune-whitelist flag

    In Kubernetes 1.26, to support the Inclusive Naming Initiative, the --prune-whitelist flag will be deprecated and replaced with --prune-allowlist, and will be completely removed in the future.

  • Removal of dynamic Kubelet configuration

    The DynamicKubeletConfig feature gate is removed. This feature allows you to dynamically update the kubelet configuration on a node by using an API. The related code was removed from the kubelet in Kubernetes 1.24 and from the API server in Kubernetes 1.26. Removing this logic helps simplify the code and improve reliability. The recommended approach is to modify the kubelet configuration file and restart the kubelet. For more information, see Remove Dynamic Kubelet Configuration from the API server.

  • Removal of command-line parameters

    • In Kubernetes 1.25, the UnversionedKubeletConfigMap from kubeadm reaches GA. By default, kube-system or kubelet-config is used instead of kube-system or kubelet-config-x.yy.

    • As of Kubernetes 1.25, kubeadm no longer applies the node-role.kubernetes.io/master:NoSchedule taint to control plane nodes. This taint is also removed when you run kubeadm upgrade apply.

    • In Kubernetes 1.25, the Seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io are no longer supported. We recommend that you use SeccompProfile instead. For more information, see Restrict a Container's Syscalls with seccomp.

    • In Kubernetes 1.25 and Kubernetes 1.26, some startup parameters of kube-controller-manager are deprecated and removed.

      • deleting-pods-qps, deleting-pods-burst, and register-retry-count are removed.

      • experimental-cluster-signing-duration and pod-eviction-timeout are deprecated and replaced with cluster-signing-duration.

      • In Kubernetes 1.27, pod-eviction-timeout and enable-taint-manager will be removed together.

    • In Kubernetes 1.26, some log-related command-line parameters that were deprecated in previous versions are removed.

    • In Kubernetes 1.26, the --master-service-namespace command-line parameter is deprecated. It has no effect on the API server.

    • In Kubernetes 1.26, several unused flags for kubectl run will be marked as deprecated and removed in a future version. These flags include --cascade, --filename, --force, --grace-period, --kustomize, --recursive, --timeout, and --wait.

Deprecated APIs

The following APIs are deprecated in Kubernetes 1.25 and 1.26. For more information, see Deprecated API Migration Guide.

  • CronJob

    After Kubernetes 1.25, the batch/v1beta1 API version of CronJob is no longer served. You can use the batch/v1 API version, which is available since Kubernetes 1.21.

  • EndpointSlice

    After Kubernetes 1.25, the discovery.k8s.io/v1beta1 API version of EndpointSlice is no longer served. You can use the discovery.k8s.io/v1 API version, which is available since Kubernetes 1.21.

    The following list describes the notable changes in discovery.k8s.io/v1.

    • The NodeName field is used for each Endpoint instead of the deprecated topology["kubernetes.io/hostname"] field.

    • The Zone field is used for each Endpoint instead of the deprecated topology["kubernetes.io/zone"] field.

    • The Topology field is replaced with the deprecatedTopology field and is not writable in the v1 API version.

  • Event

    After Kubernetes 1.25, the events.k8s.io/v1beta1 API version of Event is no longer served. You can use the events.k8s.io/v1 API version, which is available since Kubernetes v1.19.

    The following list describes the notable changes in events.k8s.io/v1.

    • The type field can only be set to Normal or Warning.

    • The involvedObject field has been renamed to regarding.

    • When creating a new events.k8s.io/v1 Event, action, reason, reportingController, and reportingInstance are all required fields.

    • Use the eventTime field instead of the deprecated firstTimestamp field. The firstTimestamp field has been renamed to deprecatedFirstTimestamp and is not allowed in new events.k8s.io/v1 Event objects.

    • Use the series.lastObservedTime field instead of the deprecated lastTimestamp field. The lastTimestamp field has been renamed to deprecatedLastTimestamp and is not allowed in new events.k8s.io/v1 Event objects.

    • Use the series.count field instead of the deprecated count field. The count field has been renamed to deprecatedCount and is not allowed in new events.k8s.io/v1 Event objects.

    • Use the reportingController field instead of the deprecated source.component field. The source.component field has been renamed to deprecatedSource.component and is not allowed in new events.k8s.io/v1 Event objects.

    • Use the reportingInstance field instead of the deprecated source.host field. The source.host field has been renamed to deprecatedSource.host and is not permitted in new events.k8s.io/v1 Event objects.

  • PodDisruptionBudget

    In Kubernetes 1.25 and later, the policy/v1beta1 API version of PodDisruptionBudget is no longer available. Use the policy/v1 API version, which has been available since Kubernetes 1.21.

    A notable change in policy/v1 is that setting spec.selector to empty ({}) selects all Pods in the namespace. In the policy/v1beta1 version, an empty spec.selector selected no Pods. If spec.selector is unset, no Pods are selected in either API version.

  • PodSecurityPolicy

    Starting with Kubernetes v1.25, PodSecurityPolicy is no longer available from the policy/v1beta1 API. The PodSecurityPolicy admission controller is also removed. Migrate PodSecurityPolicy to Pod Security Admission or a third-party admission webhook.

    For a migration guide, see Migrate from PodSecurityPolicy to the Built-in PodSecurity Admission Controller. For more information about the deprecation, see PodSecurityPolicy Deprecation: Past, Present, and Future.

  • RuntimeClass

    As of Kubernetes v1.25, the node.k8s.io/v1beta1 API version of RuntimeClass is no longer supported. You can use the node.k8s.io/v1 API version, which has been available since Kubernetes v1.20.

  • HorizontalPodAutoscaler

    • In Kubernetes 1.25 and later, the autoscaling/v2beta1 API version of the HorizontalPodAutoscaler is no longer available.

    • In Kubernetes 1.26 and later, the autoscaling/v2beta2 API version of the HorizontalPodAutoscaler is no longer available. Use the autoscaling/v2 API version, which has been available since Kubernetes 1.23.

  • Flow control resources

    As of Kubernetes v1.26, the flowcontrol.apiserver.k8s.io/v1beta1 API version is no longer served for FlowSchema and PriorityLevelConfiguration resources. The flowcontrol.apiserver.k8s.io/v1beta2 API has been available since Kubernetes v1.23. The flowcontrol.apiserver.k8s.io/v1beta3 API is available as of Kubernetes v1.26.

Feature gate

Feature gates generally have three stages: Alpha, Beta, and GA. A feature is disabled by default in the Alpha stage, typically enabled by default in the Beta stage, and always enabled by default in the GA stage. In the GA stage, the feature cannot be disabled and its toggle is removed in a subsequent version. The following are some of the major changes. For more information, see Feature Gates.

  • In Kubernetes 1.25, SeccompDefault is promoted to Beta. For more information about how to use SeccompDefault, see Restrict a Container's Syscalls with seccomp.

  • In Kubernetes 1.25, the Custom Resource Definition (CRD) validation expression language is promoted to Beta, and CustomResourceValidationExpressions is enabled by default. Using the Common Expression Language (CEL) to validate custom resources is more convenient and efficient than using webhooks. For more information, see Validation rules.

  • In Kubernetes 1.25, the ServerSideFieldValidation feature gate is promoted to Beta and is enabled by default. The API server supports validation for unknown fields, which allows for the future removal of this feature from kubectl. For more information, see Server-side field validation.

  • In Kubernetes 1.25, the new ContainerCheckpoint Alpha feature is added, which enables the Kubelet Checkpoint API. For more information, see Kubelet Checkpoint API.

  • In Kubernetes 1.25, the new PodHasNetworkCondition Alpha feature is added. This feature lets the Kubelet mark a Pod with the PodHasNetwork condition. For more information, see PodHasNetwork.

  • In Kubernetes 1.25, the new UserNamespacesStatelessPodsSupport Alpha feature is added to enable user namespace support for stateless Pods.

  • In Kubernetes 1.25, the new JobPodFailurePolicy Alpha feature is added. It lets you configure how a Job handles Pod failures based on container exit codes and Pod conditions. This feature is promoted to Beta in Kubernetes 1.26.

  • In Kubernetes 1.25, the new MultiCIDRRangeAllocator Alpha feature is added. It enables NodeIPAM to support multiple ClusterCIDRs. To enable controller support, configure the kube-controller-manager with --cidr-allocator-type=MultiCIDRRangeAllocator.

  • In Kubernetes 1.25, StatefulSetMinReadySeconds is promoted to GA. The minReadySeconds field is supported by default for StatefulSets and cannot be disabled.

  • In Kubernetes 1.25, CronJobTimeZone is promoted to Beta. The TimeZone field can be used in CronJobs by default and cannot be disabled.

  • In Kubernetes 1.25, DaemonSetUpdateSurge is promoted to GA. The MaxSurge field can be used in DaemonSets by default and cannot be disabled.

  • In Kubernetes 1.25, IdentifyPodOS is promoted to GA. The spec.podOS field is enabled by default and cannot be disabled.

  • In Kubernetes 1.25, CSIInlineVolume is promoted to GA. Support for CSI inline volumes is enabled by default and cannot be disabled.

  • In Kubernetes 1.25, EphemeralContainers is promoted to GA. Support for ephemeral containers is enabled by default and cannot be disabled.

  • In Kubernetes 1.25, the new CSINodeExpandSecret feature is added. It lets you pass secret authentication data to a CSI driver for use when a node is added.

  • In Kubernetes 1.25, CSIMigration is promoted to GA. This feature is enabled by default and cannot be disabled.

  • In Kubernetes 1.25, CSIMigrationPortworx is promoted to Beta.

  • In Kubernetes 1.25, ProbeTerminationGracePeriod remains in Beta, but its default value is changed to true. For more information, see Probe-level terminationGracePeriodSeconds.

  • In Kubernetes 1.26, JobTrackingWithFinalizers is promoted to GA. By default, Job completion is tracked using finalizers instead of by counting remaining Pods. For more information, see Job tracking with finalizers.

  • In Kubernetes 1.26, the new PDBUnhealthyPodEvictionPolicy Alpha feature is added. It supports specifying an eviction policy for unhealthy Pods in a PodDisruptionBudget.

  • In Kubernetes 1.26, support for the dynamic resource allocation API is enabled. This provides support for managing and using resources that have custom parameters and are independent of the Pod lifecycle.

  • In Kubernetes 1.26, the new StatefulSetStartOrdinal Alpha feature is added. It supports configuring the start ordinal for a StatefulSet.

  • In Kubernetes 1.26, ServiceInternalTrafficPolicy is promoted to GA. It lets you use the internalTrafficPolicy field to configure the internal traffic policy for a Service. This feature is enabled by default and cannot be disabled. For more information, see Service Traffic Policy.

  • In Kubernetes 1.26, the new ValidatingAdmissionPolicy Alpha feature is added. It implements an extensible admission controller using CEL expressions.

  • In Kubernetes 1.26, MixedProtocolLBService is promoted to GA. It lets you use different protocols in the same Service instance of the LoadBalancer type.

  • In Kubernetes 1.26, EndpointSliceTerminatingCondition is promoted to GA. It lets you use the Terminating and Serving condition fields of an EndpointSlice. This feature cannot be disabled.

  • In Kubernetes 1.26, APIServerIdentity is promoted to Beta. By default, it creates a Lease in the kube-system namespace for each active API server.

  • In Kubernetes 1.26, DelegateFSGroupToCSIDriver is promoted to GA and cannot be disabled.

  • In Kubernetes 1.26, NodeOutOfServiceVolumeDetach is promoted to Beta and is enabled by default. When a node is marked as out of service with the node.kubernetes.io/out-of-service taint, Pods that do not tolerate this taint are forcibly deleted. Volume detachment is immediately performed for the Pods terminated on that node.

  • In Kubernetes 1.26, ServiceIPStaticSubrange is promoted to GA. It enables the Service ClusterIP allocation strategy to subdivide the ClusterIP range.

  • In Kubernetes 1.26, CPUManager and DevicePlugins are promoted to GA. These features are enabled by default and cannot be disabled.

  • In Kubernetes 1.26, the new ComponentSLIs Alpha feature is added. It enables the /metrics/slis endpoint on Kubernetes components such as kubelet, kube-scheduler, kube-proxy, kube-controller-manager, and cloud-controller-manager. This allows for the scraping of health check metrics.

  • In Kubernetes 1.26, WindowsHostProcessContainers is promoted to GA. Support for Windows HostProcess containers is enabled by default.

  • In Kubernetes 1.26, ExpandedDNSConfig is promoted to Beta. It lets you use more DNS search domains and a longer search domain list. This requires runtime support.

  • In Kubernetes 1.26, LegacyServiceAccountTokenNoAutoGeneration is promoted to GA. It stops the automatic generation of service account tokens based on Secrets. This feature is enabled by default and cannot be disabled.

  • In Kubernetes 1.26, ProxyTerminatingEndpoints is promoted to Beta and is enabled by default. It allows kube-proxy to handle terminating endpoints when ExternalTrafficPolicy is set to Local.

  • In Kubernetes 1.26, the new LegacyServiceAccountTokenTracking Alpha feature is added. It is disabled by default. This feature adds a label, kubernetes.io/legacy-token-last-used, to Secret service account tokens to show the expiration time.

  • In Kubernetes 1.26, the PodDisruptionConditions feature is promoted to Beta and is enabled by default. You can add a DisruptionTarget condition to a Pod's status to indicate that the Pod is being deleted due to a disruption. You can find more information about the reason for the Pod's termination in the reason field. For more information, see Pod disruption conditions.

Enhancements for Kubernetes 1.26

Security enhancements

The access permissions for the following sensitive Kubernetes files on nodes have been further strengthened.

File path

Hardened access permissions

/etc/kubernetes/admin.conf

600

/etc/kubernetes/kube.conf

600

/etc/kubernetes/controller-manager.conf

600

/etc/kubernetes/kubelet.conf

600

/etc/kubernetes/scheduler.conf

600

/etc/kubernetes/manifests/*.yaml

600

/etc/kubernetes/pki/*.key

600

/etc/kubernetes/pki/*.crt

600

/etc/kubernetes/pki/dashboard/*.crt

600

/etc/kubernetes/pki/etcd/*.pem

600

/var/lib/etcd/cert/*.pem

600

/var/lib/etcd/cert/*.csr

600

/var/lib/kubelet/pki/*.crt

600

/var/lib/kubelet/config.yaml

600

/usr/lib/systemd/system/etcd.service

600

/etc/systemd/system/kubelet.service

600

/etc/systemd/system/kubelet.service.d/10-kubeadm.conf

600

References