Alibaba CloudContainer Compute Service (ACS) is a fully conformant Kubernetes offering. This document describes the key changes in Kubernetes 1.30, including upgrade considerations, major changes, new features, deprecated features and APIs, and feature gates.
Component versions
The following table lists the supported versions of the key components in an Alibaba Cloud Container Compute Service (ACS) cluster.
Key component | Version |
Kubernetes | 1.30.1-aliyunacs.1 |
etcd | v3.5.9 |
containerd | 1.6.28 |
CoreDNS | v1.9.3.10-7dfca203-aliyun |
CSI | v1.30.1-98960d8-aliyun |
CNI | Flannel v0.15.1.22-20a397e6-aliyun |
Terway and TerwayControlplane v1.9.0 or later Note Starting from v1.30, NetworkPolicy in new clusters is implemented by eBPF. Upgrading the cluster or its components does not change existing behavior. For more information, see Use network policies in ACS clusters. |
New features
In Kubernetes 1.29
The PreStop hook introduces a sleep mode, which pauses a container for a specified time before termination. This pause provides time for pending operations or network requests to complete. For more information, see KEP-3960: Introducing Sleep Action for PreStop Hook.
SidecarContainers is now in Beta and is enabled by default. This feature allows you to set the
restartPolicyof an init container toAlways, turning it into a sidecar container that can be started, stopped, or restarted independently without affecting the main application container or other init containers. For more information, see Sidecar Containers.The new ServiceCIDR resource type allows dynamic configuration of the Service ClusterIP range. This feature is in Alpha and disabled by default. For more information on dynamically expanding the number of available IPs for Services, see KEP-1880: Multiple Service CIDRs.
PVCs (Persistent Volume Claims) and Containers originally used the same ResourceRequirements struct to define resource
requestsandlimits. This caused the PVC API to change whenever the Containerresourcesstruct was modified, for example, by adding theclaimsfield. Therefore, PVCs were switched to a separate VolumeResourceRequirements struct that contains onlyrequestsandlimits, and excludes theclaimsfield. For more information, see Volume resource requirements.The
PodReadyToStartContainersfeature is in Beta and enabled by default. This feature indicates that a pod's sandbox is created and its network is configured. This means the container runtime is ready and helps the kubelet determine the pod's status. For more information, see Pod conditions.PodAffinity and PodAntiAffinity now support
matchLabelKeysandmismatchLabelKeysto resolve an issue where the scheduler cannot distinguish between old and new pods during a rolling update of a Deployment, which can lead to scheduling results that do not meet affinity and anti-affinity expectations. When you configurematchLabelKeysfor PodAffinity, the Deployment adds apod-template-hashlabel to the ReplicaSet. This gives each pod of the Deployment a corresponding hash string, which tells the scheduler to evaluate only pods with the samepod-template-hashvalue, making it easy to distinguish pods from the same update batch. For more information, see KEP-3633.In addition to core Kubernetes API resources, type checking for
ValidatingAdmissionPolicynow supports CRDs and API extensions. This helps ensure policy reliability and cluster configuration correctness. For more information, see type-checking.The new
UserNamespacesPodSecurityStandardsfeature gate integrates user namespaces with Pod Security Standards. When enabled, it allows containers to run as a non-root user or a specified user ID within the pod's security context. This feature gate is in Alpha and disabled by default, and it may remain disabled in future releases. For more information, see KEP-127: Update PSS based on feature gate.For node objects, the new
DisableNodeKubeProxyVersionfeature gate deprecates thestatus.nodeInfo.kubeProxyVersionfield. This means that setting thekubeProxyVersionfield for nodes is disabled in Kubernetes. The kubelet cannot always accurately identify the version of kube-proxy, so this field is not always accurate. This feature gate is currently in the Alpha stage and is disabled (false) by default.The
JobBackoffLimitPerIndexfeature gate is promoted to Beta and is enabled by default. This feature lets you specify the maximum number of retries for each index in an indexed job. For more information about indexed jobs, see Use Indexed Job for Parallel Processing with Static Work Assignment.
In Kubernetes 1.30
The
ImageMaximumGCAgefeature gate allowskubeletto configure the maximum age of an unused image before it is garbage collected. If an image remains unused for longer than this specified age, the garbage collection mechanism can clean it up. The default value is"0s", which means no time limit is set. This feature gate entered Alpha in v1.29 and was promoted to Beta in v1.30.Kubelet adds the new monitoring metric
image_pull_duration_secondsto track the image pull duration. For more information, see List of Alpha Kubernetes Metrics.The LegacyServiceAccountTokenCleanUp feature gate is promoted to GA and is enabled by default. If an auto-generated Secret associated with a ServiceAccount has not been used for a specific period (one year by default) and is not mounted by any Pod, the kube-controller-manager adds the
kubernetes.io/legacy-token-invalid-sincelabel to the Secret with the current date as its value, marking the Secret as invalid. If a Secret remains unused for a specific period (one year by default) after it is marked as invalid, it will be automatically cleaned up by the kube-controller-manager. For Secrets that are marked as invalid but have not yet been automatically removed, you can remove thekubernetes.io/legacy-token-invalid-sincelabel to make them valid again. For more information, see Auto-generated legacy ServiceAccount token clean up and Legacy ServiceAccount token cleaner.In v1.30, if the
--nodeport-addressesflag for kube-proxy is not set (which is the default), updates to a NodePort Service will only affect the node's primary IP address, not all of its IP addresses. For more information, see #122724.To prevent configuration conflicts and security issues, the OIDC Issuer URL must not be the same as the API server ServiceAccount Issuer URL. For more information, see #123561.
The LoadBalancerIPMode feature gate adds the
.status.loadBalancer.ingress.ipModefield to Services of type LoadBalancer. This field specifies the forwarding behavior of the load balancer IP. You can specify this field only when the.status.loadBalancer.ingress.ipfield is also specified. The LoadBalancerIPMode feature gate is now in Beta. For more information, see Specifying IPMode of load balancer status and Load Balancer IP Mode for Services.Horizontal Pod Autoscaling (HPA) based on
ContainerResourcemetrics was promoted to Stable in v1.30. This feature allows HPA to scale based on the resource usage of individual containers in a pod, rather than just the pod's overall resource usage. This makes it easier to configure scaling thresholds for the most important containers in a pod. For more information, see Container resource metrics.The AdmissionWebhookMatchConditions feature gate has graduated to General Availability (GA). It is enabled by default and cannot be disabled. This feature gate allows admission webhooks to be matched based on specific conditions, providing more fine-grained control over their trigger conditions. For more information, see Dynamic Admission Control.
A
JobSuccessPolicyfeature gate is added, which allows you to declare that a Job is successfully completed based on a set of successful pods. In the success policy, you can specify that the Job is complete based on certain indexes (for example, the indexes of pods x, y, and z) or a number of successful pods from a set of indexes (for example, three pods). This feature gate is in the Alpha stage. For more information, see Job success/completion policy.Added the RelaxedEnvironmentVariableValidation feature gate to allow the use of most printable ASCII characters in environment variables (all characters from 32 to 126, except for
=). This feature gate is in the Alpha stage and is disabled by default. For more information, see #123385.The
CustomResourceFieldSelectorsfeature gate is added. You can use this feature gate to configureselectableFieldsfor CRDs. This allows you to use Field Selectors to filter List, Watch, and DeleteCollection requests, which makes it easier to locate or manage CRD resources that meet specific criteria. This feature gate is in the Alpha stage and is disabled by default. For more information, see Custom Resource Field Selectors.The CRDValidationRatcheting feature gate introduces an update. When new validation is added to a CRD, existing resources may become invalid. However, the API Server will not block updates to these resources as long as the parts that fail validation are not modified. This change prevents disruptions to existing resources and users. This helps with validation when migrating CRDs to use OpenAPI v3 schemas and allows you to safely update validation rules. This feature gate is in Beta and is enabled by default. For more information, see CRD Validation ratcheting.
The Downward API uses the
status.hostIPsfield to support dual stack, which supports both IPv4 and IPv6. The first IP address in thestatus.hostIPslist is always the same asstatus.hostIP. For more information, see Downward API.The NodeLogQuery feature gate allows you to query logs of node services by using the
/logsendpoint. This feature gate is promoted to Beta and is disabled by default. For more information, see Log Query.
Deprecated features
In Kubernetes 1.29
CronJob no longer supports setting
CRON_TZorTZin.spec.schedule. Use the.spec.timeZonefield instead. This field has been available since v1.25. For more information, see CronJob limitations.The controversial networking/v1alpha1 API ClusterCIDR has been removed. It was in the Alpha stage. For more information, see ClusterCIDR v1alpha1.
In Kubernetes 1.30
The
--prune-whitelistparameter has been removed from the kubectl apply command. Use--prune-allowlistinstead. For more information, see --prune.The SecurityContextDeny admission plug-in was deprecated in v1.27 and removed from the code in v1.30. Use the PodSecurity admission plug-in instead. The PodSecurity admission plug-in became Stable in v1.25 and is enabled by default. For more information, see PodSecurity.
Deprecated APIs
The flowcontrol.apiserver.k8s.io/v1beta2 API version of FlowSchema and PriorityLevelConfiguration was deprecated in v1.29. Migrate to the flowcontrol.apiserver.k8s.io/v1 API version (available since v1.29) or the flowcontrol.apiserver.k8s.io/v1beta3 API version (available since v1.26).
Notable changes in
flowcontrol.apiserver.k8s.io/v1include:The
spec.limited.assuredConcurrencySharesfield of PriorityLevelConfiguration has been renamed tospec.limited.nominalConcurrencyShares, which defaults to 30 only when unspecified, and an explicit value of 0 is not changed to 30.Notable changes in
flowcontrol.apiserver.k8s.io/v1beta3include:PriorityLevelConfiguration's
spec.limited.assuredConcurrencySharesfield has been renamed tospec.limited.nominalConcurrencyShares.
Feature gates
For more information about Kubernetes feature gates, including version support and descriptions, see Feature Gates.
Feature gates typically have three stages:
Alpha: Disabled by default.
Beta: Usually enabled by default.
GA: The feature is always enabled and can no longer be disabled. The feature gate toggle is removed.
References
For the complete changelogs for Kubernetes 1.29 and 1.30, see CHANGELOG-1.29 and CHANGELOG-1.30.