Container Compute Service:Kubernetes 1.31 release notes

Component versions

The following key components are updated and optimized by Alibaba Cloud Container Compute Service (ACS) to support Kubernetes 1.28.

Features

• If you specify the caBundle field in a CustomResourceDefinition (CRD) but the value of the caBundle field is invalid or no CA certificate is specified, the CRD does not take effect. After you set the caBundle field to a valid value, you can no longer update the CRD to set the field to an invalid value or an empty string. This ensures that the service of the CRD is not interrupted.

• The MatchLabelKeysInPodAffinity feature gate reaches the Beta state and is enabled by default. Pod affinity and pod anti-affinity support matchLabelKeys and mismatchLabelKeys to resolve the issue that the scheduler cannot distinguish between old pods and new pods during Deployment rolling updates. When this issue occurs, pods fail to be scheduled based on the pod affinity or pod anti-affinity rules.

• The JobSuccessPolicy feature gate reaches the Beta state and is enabled by default. This feature gate allows you to configure success policies for Indexed Jobs. For more information, see Job Success Policy.

• The DisableNodeKubeProxyVersion feature gate reaches the Beta state and is enabled by default. After this feature gate is enabled, the status.nodeInfo.kubeProxyVersion field of nodes no longer displays the kube-proxy version. This is because the version displayed in this field is not the actual kube-proxy version.

• The ServiceAccountTokenNodeBinding feature gate reaches the Beta state and is enabled by default. It allows you to create a ServiceAccount token that is directly bound to a node. When the token expires, the associated node is removed, or the ServiceAccount is deleted, the token becomes invalid.

• The RecursiveReadOnlyMounts feature gate reaches Beta and is enabled by default. It allows you to set recursive read-only mounts for volumes mounted to pods. This way, the volumes and all subdirectories and files in the volumes are read-only. For more information, see Recursive read-only mounts.

• When the spec of a pod changes but the image field remains unchanged, the kubelet does not restart containers. This avoids pod restarts due to updates for configurations other than feature configurations.

• The HonorPVReclaimPolicy feature gate reaches the Beta state. It allows to add a finalizer to a PV to ensure that the PV marked for deletion is deleted only after the underlying storage resources are deleted. For more information, see PersistentVolume deletion protection finalizer.

• kubectl debug allows you to configure profiles to debug pods. For more information, see Kubernetes 1.31: Custom Profiling in Kubectl Debug Graduates to Beta.

• The streaming protocol used by Kubernetes clients, such as kubectl, for the kubectl cp, kubectl attach, kubectl exec, and kubectl port-forward commands is changed to WebSocket, which is more flexible.

• The API server supports consistent reads based on caches to reduce the number of requests sent to the etcd and improve the processing efficiency of LIST requests. For more information, see Consistent Reads from Cache.

Updates

• The built-in CephFS volume plug-in (kubernetes.io/cephfs) is replaced by CephFS CSI driver.

  If you are using the CephFS volume plug-in, update your cluster to 1.31 to use the CephFS CSI driver and redeploy your applications.

• The built-in CephRBD volume plug-in kubernetes.io/rbd) is replaced by RBD CSI driver.

  If you are using the CephRBD volume plug-in, update your cluster to 1.31 to use the RBD CSI driver and redeploy your applications.

• The CSIMigrationPortworx feature gate is enabled by default. It allows you to migrate volumes from the Portworx plug-in to the Portworx CSI plug-in. If your cluster uses the Portworx plug-in, install and configure the Portworx CSI plug-in before you update your cluster to 1.31.

References

For more information about Kubernetes 1.31 release notes, see CHANGELOG-1.31 and Kubernetes v1.31: Elli.