Container Service for Kubernetes (ACK) strictly abides by the terms of the Certified Kubernetes Conformance Program. This page covers the updates in Kubernetes 1.31, including component versions, new features, behavior changes, and migration actions required before upgrading.
Before you upgrade
The following changes require action before you upgrade your cluster to Kubernetes 1.31. Review each item to determine whether it affects your cluster.
CephFS in-tree plug-in removed. The built-in CephFS volume plug-in (
kubernetes.io/cephfs) is replaced by the CephFS CSI driver. If your cluster uses this plug-in, switch to the CephFS CSI driver and redeploy your applications after upgrading.CephRBD in-tree plug-in removed. The built-in CephRBD volume plug-in (
kubernetes.io/rbd) is replaced by the RBD CSI driver. If your cluster uses this plug-in, switch to the RBD CSI driver and redeploy your applications after upgrading.Portworx CSI migration enabled by default. The
CSIMigrationPortworxfeature gate is now enabled by default, migrating volumes from the Portworx plug-in to the Portworx CSI plug-in. If your cluster uses the Portworx plug-in, install and configure the Portworx CSI plug-in before upgrading to 1.31.
Component versions
The following key components are updated by Alibaba Cloud Container Compute Service (ACS) to support Kubernetes 1.31.
| Core component | Version |
|---|---|
| Kubernetes | 1.31.1-aliyun.1 |
| etcd | v3.5.4 |
| containerd | 1.6.22 |
| CoreDNS | v1.11.3.2-f57ea7ed6-aliyun |
| CSI | Updated to the latest version. For more information, see csi-provisioner. |
Feature updates
Features promoted to Beta
The following feature gates reach the Beta state and are enabled by default in Kubernetes 1.31.
MatchLabelKeysInPodAffinity
Pod affinity and pod anti-affinity now support matchLabelKeys and mismatchLabelKeys. These fields let the scheduler distinguish between old and new pods during Deployment rolling updates, preventing scheduling failures caused by ambiguous affinity rules.
JobSuccessPolicy
Configure success policies for Indexed Jobs to define when a Job is considered successful before all pods complete. For more information, see Job success policy.
DisableNodeKubeProxyVersion
The status.nodeInfo.kubeProxyVersion field on nodes no longer reports the kube-proxy version. The value previously shown in this field was not the actual kube-proxy version running on the node.
ServiceAccountTokenNodeBinding
Create ServiceAccount tokens bound directly to a node. A token bound this way becomes invalid when the token expires, the associated node is deleted, or the ServiceAccount is deleted.
RecursiveReadOnlyMounts
Set recursive read-only mounts for volumes attached to pods. When enabled, the volume and all its subdirectories and files are read-only. For more information, see Recursive read-only mounts.
HonorPVReclaimPolicy
A finalizer is added to PersistentVolumes (PVs) to ensure that a PV marked for deletion is only removed after the underlying storage resources are deleted. For more information, see PersistentVolume deletion protection finalizer.
Additional updates
CRD caBundle validation
If you specify the caBundle field in a CustomResourceDefinition (CRD) but the value is invalid or no CA certificate is specified, the CRD does not take effect. Once set to a valid value, the field cannot be updated to an invalid value or an empty string, preventing service interruptions.
Kubelet no longer restarts containers on non-image spec changes
When a pod's spec changes but the image field remains unchanged, the kubelet does not restart containers. This prevents unnecessary restarts caused by configuration updates unrelated to the container image.
kubectl debug custom profiling
kubectl debug supports configuring profiles to debug pods. For more information, see Kubernetes 1.31: Custom profiling in kubectl debug graduates to Beta.
kubectl streaming switched to WebSocket
The streaming protocol for kubectl cp, kubectl attach, kubectl exec, and kubectl port-forward has changed to WebSocket.
Consistent reads from cache
The API server supports consistent reads from caches, reducing the number of requests sent to etcd and improving LIST request performance. For more information, see Consistent reads from cache.