Kubernetes 1.25 is scheduled to be released as stable on the 23rd of August. Detailed release notes are published in the official docs.
Important links are located at the bottom.
This article gives an overview of the major topics, deprecations, and removals, with descriptions compiled from the official documentation.
Major topics quick overview:
- PodSecurityPolicy is Removed, Pod Security Admission graduates to Stable
- Ephemeral Containers Graduate to Stable
- Support for cgroups v2 Graduates to Stable
- Windows support improved
- Moved container registry service from k8s.gcr.io to registry.k8s.io
- Promoted SeccompDefault to Beta
- Promoted endPort in Network Policy to Stable
- Promoted Local Ephemeral Storage Capacity Isolation to Stable
- Promoted core CSI Migration to Stable
- Promoted CSI Ephemeral Volume to Stable
- Promoted Server Side Unknown Field Validation to Beta
- Introduced KMS v2
Removals quick overview - the following will no longer be served in v1.25:
- The batch/v1beta1 API version of CronJob
- The discovery.k8s.io/v1beta1 API version of EndpointSlice
- The events.k8s.io/v1beta1 API version of Event
- The autoscaling/v2beta1 API version of HorizontalPodAutoscaler
- The policy/v1beta1 API version of PodDisruptionBudget
- The PodSecurityPolicy in the policy/v1beta1 API version
- The RuntimeClass in the node.k8s.io/v1beta1 API version
Pod Security Admission
A PodSecurityPolicy is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
As a stable feature, Kubernetes now offers a built-in Pod Security admission controller, the successor to PodSecurityPolicy. Pod security restrictions are applied at the namespace level when pods are created.
Ephemeral Containers
Ephemeral containers are useful for interactive troubleshooting when kubectl exec is insufficient because a container has crashed or a container image doesn't include debugging utilities.
In particular, distroless images enable you to deploy minimal container images that reduce attack surface and exposure to bugs and vulnerabilities. Since distroless images do not include a shell or any debugging utilities, it's difficult to troubleshoot distroless images using kubectl exec alone.
When using ephemeral containers, it's helpful to enable process namespace sharing so you can view processes in other containers.
Local Ephemeral Storage Capacity Isolation
The Local Ephemeral Storage Capacity Isolation feature moved to GA. It was introduced as alpha in 1.8, moved to beta in 1.10, and is now a stable feature. It provides capacity isolation of local ephemeral storage between pods, such as EmptyDir, so that a pod's consumption of that shared resource can be hard-limited: a Pod whose local ephemeral storage usage exceeds its limit is evicted.
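As an added example (not from the page), a Pod that requests and hard-limits its local ephemeral storage and additionally caps its emptyDir; the pod name and image are assumptions:

```yaml
# Added example: hard-limiting a Pod's local ephemeral storage.
# The container's writable layer, its logs and disk-backed emptyDir
# volumes all count against the ephemeral-storage limit; when the total
# exceeds the limit the kubelet evicts the Pod.
apiVersion: v1
kind: Pod
metadata:
  name: log-worker            # assumed name
spec:
  containers:
    - name: worker
      image: registry.example.com/log-worker:1.0   # assumed image
      resources:
        requests:
          ephemeral-storage: "1Gi"   # used for scheduling against node capacity
        limits:
          ephemeral-storage: "2Gi"   # hard cap enforced by eviction
      volumeMounts:
        - name: scratch
          mountPath: /scratch
  volumes:
    - name: scratch
      emptyDir:
        sizeLimit: 500Mi   # the emptyDir alone is also capped; exceeding it evicts the Pod
```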
Network Policy endPort
When writing a NetworkPolicy, you can target a range of ports instead of a single port. This is achieved with the endPort field, as in the following example, where a single ports entry covers TCP ports 32000 through 32768:

```yaml
- protocol: TCP
  port: 32000
  endPort: 32768
```
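As an added example (not from the page), a complete egress policy that uses port and endPort to allow one port range to one CIDR; the policy name and CIDR are constructed values:

```yaml
# Added example: egress for pods labelled role=db is allowed only to
# 10.0.0.0/24 on TCP 32000-32768. endPort needs a numeric port (not a
# named port) and must be >= port; the range replaces listing every port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-egress-port-range     # assumed name
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24    # constructed sample range
      ports:
        - protocol: TCP
          port: 32000
          endPort: 32768
```

Because policyTypes lists Egress, every other egress flow from the selected pods (including DNS to kube-dns) is denied unless another policy allows it, so check name resolution after applying a policy like this.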
CSI Ephemeral Volume
A great introduction is given in the Git repo itself.
- As a storage provider, I want to use the CSI API to develop drivers that can mount ephemeral volumes that follow the lifecycles of pods where they are embedded. This feature would allow me to create drivers that work similarly to how the in-tree Secrets or ConfigMaps driver works. My ephemeral CSI driver should allow me to inject arbitrary data into a pod using a volume mount point inside the pod.
- As a user, I want to be able to define pod specs with embedded ephemeral CSI volumes that are created/mounted when the pod is deployed and are deleted when the pod goes away.
A pod spec with an ephemeral inline CSI volume. Note that because the volume is expected to be ephemeral, the volumeHandle is not provided. Instead, a CSI-generated ID will be submitted to the driver. The volumes entry of that spec:

```yaml
- name: vol
  csi:
    driver: <csi-driver-name>   # placeholder: the name of the installed CSI driver
    volumeAttributes:
      # Passed as NodePublishVolumeRequest.volume_context,
      # valid options depend on the driver.
```
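As an added example (not from the page or the KEP), a full Pod using an inline CSI volume, together with the CSIDriver object that must advertise the Ephemeral lifecycle mode before inline use is accepted; the pod name, image and driver name are assumptions:

```yaml
# Added example: a Pod with an inline (ephemeral) CSI volume. The volume is
# created when the Pod is scheduled and destroyed with it; no volumeHandle
# appears because Kubernetes generates the ID per Pod.
apiVersion: v1
kind: Pod
metadata:
  name: my-csi-app          # assumed name
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # assumed image
      volumeMounts:
        - name: vol
          mountPath: /data
          readOnly: true    # injected data does not need a writable mount
  volumes:
    - name: vol
      csi:
        driver: example.csi.vendor.io   # assumed driver name
        readOnly: true
        volumeAttributes:
          # Passed as NodePublishVolumeRequest.volume_context,
          # valid options depend on the driver.
          foo: bar
---
# The driver's CSIDriver object (normally installed with the driver itself,
# shown for reference). Inline volumes are rejected unless Ephemeral is
# listed here, so this is the cluster-level gate on which drivers may be
# used straight from a pod spec.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: example.csi.vendor.io
spec:
  volumeLifecycleModes:
    - Ephemeral
  podInfoOnMount: true      # driver receives pod name/namespace/UID on publish
```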
Watch out for the resources listed below: if you use any of them, update your manifests and clients before upgrading.
The batch/v1beta1 API version of CronJob is removed.
Action needed: Migrate manifests and API clients to use the batch/v1 API version, available since v1.21.
The discovery.k8s.io/v1beta1 API version of EndpointSlice is removed.
Action needed: Migrate manifests and API clients to use the discovery.k8s.io/v1 API version, available since v1.21.
The events.k8s.io/v1beta1 API version of Event is removed.
Action needed: Migrate manifests and API clients to use the events.k8s.io/v1 API version, available since v1.19.
The autoscaling/v2beta1 API version of HorizontalPodAutoscaler is removed.
Action needed: Migrate manifests and API clients to use the autoscaling/v2 API version, available since v1.23.
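The HorizontalPodAutoscaler removal is the one in this list where bumping apiVersion is not enough, because the metric target syntax changed between the two versions. As an added example (not from the page), the same CPU-based autoscaler in the removed schema and in autoscaling/v2; the deployment name is assumed:

```yaml
# Removed in v1.25: autoscaling/v2beta1 puts the target directly on the
# resource metric as targetAverageUtilization.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: web                 # assumed name
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 60
---
# Equivalent in autoscaling/v2: the target becomes a nested object with
# an explicit type (Utilization, AverageValue or Value).
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60
```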
The policy/v1beta1 API version of PodDisruptionBudget is removed.
Action needed: Migrate manifests and API clients to use the policy/v1 API version, available since v1.21.
The PodSecurityPolicy in the policy/v1beta1 API version is removed.
Action needed: PodSecurityPolicy in the policy/v1beta1 API version is no longer served in v1.25, and the PodSecurityPolicy admission controller is removed.
Migrate to Pod Security Admission or a third-party admission webhook. For a migration guide, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller. For more information on the deprecation, see PodSecurityPolicy Deprecation: Past, Present, and Future.
The RuntimeClass in the node.k8s.io/v1beta1 API version is removed.
Action needed: Migrate manifests and API clients to use the node.k8s.io/v1 API version, available since v1.20.