
Kubernetes v1.30 - The overview table



This blog post is the start of a new series of posts covering the evolution of Kubernetes. The series will cover each release of Kubernetes and will be split into multiple posts. There will be one overview post to cover every change at a high level and multiple deep dive posts covering a single interesting change in more detail.

I always found it tough to see what was coming down the pipeline for k8s. The release posts are great, but they don't contain all the KEPs (Kubernetes Enhancement Proposals) that changed state, which makes them not super scannable. If you want to find out about the KEPs that are not talked about, you need to do a lot of digging through GitHub.

We did that digging so you don't have to.

This overview post lets you scan for what you find interesting so you can dive in further, whether through a deep dive we post or by looking around the KEP itself. I'll explain each KEP in a single sentence.

So let's take a look at all 45 KEPs that changed state!

If you're interested in a particular KEP, I recommend that you Ctrl/Cmd-f for it!

The KEP table

| Feature | KEP | ELI5 | 1.29 State | 1.30 State | Deepdive |
|---|---|---|---|---|---|
| Container Resource based Pod Autoscaling | 1610 | Horizontal Pod Autoscaler can scale based on a specific container's resource usage rather than the whole pod | Beta | Stable | Coming |
| Remove transient node predicates from KCCM's service controller | 3458 | Allows nodes to drain load balancer connections when they become NotReady or are about to be torn down, instead of immediately terminating all connections | Beta | Stable | No |
| Go workspaces for k/k | 4402 | Moves the k8s repos to Go workspaces; no user-facing changes | N/A | Stable | No |
| Reduction of Secret-based Service Account Tokens | 2799 | Moves to the TokenRequest API instead of storing service account tokens as Secrets. Makes things more secure | Beta | Stable | No |
| CEL for Admission Control | 3488 | Allows in-process validation rules for requests to the API server through the Common Expression Language (CEL). The only previous option was to stand up an admission webhook | Beta | Stable | Coming |
| CEL-based admission webhook match conditions | 3716 | Admission webhooks can fail, and that causes massive cluster-wide issues. Allows users to send only the requests that absolutely need to go to the admission webhook there, isolating failures | Beta | Stable | No |
| Pod Scheduling Readiness | 3521 | Allows pods to be marked as unschedulable so they get skipped over by the pod scheduler. Can be mutated. Useful if you expect pods to be unschedulable for a long time | Beta | Stable | No |
| Min domains in PodTopologySpread | 3022 | Allows users to require a minimum number of domains before scheduling a deployment with pod topology spread constraints | Beta | Stable | No |
| Prevent unauthorised volume mode conversion during volume restore | 3141 | Prevents a vulnerability which allows malicious users to mount snapshotted volumes in a different mode | Beta | Stable | No |
| API Server Tracing | 650 | Enables distributed tracing for requests to the API server | Beta | Stable | Coming |
| Cloud Dual-Stack --node-ip Handling | 3705 | Allows users to change both the IPv4 and IPv6 addresses of nodes when the cluster is backed by a cloud provider | Beta | Stable | No |
| AppArmor support | 24 | Enables AppArmor (Linux kernel security module) support for containers running in k8s | Beta | Stable | No |
| Robust VolumeManager reconstruction after kubelet restart | 3756 | Makes volume mounting after a kubelet restart more robust. The previous way had several issues | Beta | Stable | No |
| kubectl delete: Add interactive (-i) flag | 3895 | `kubectl delete -i ...` shows you the things that are going to be deleted before they actually are. You can then confirm or stop before actually deleting | Beta | Stable | Coming |
| Metric cardinality enforcement | 2305 | Prevents metrics exploding in cardinality by enforcing limits on the labels of a metric. Allows users to specify a file with the allowed label values at boot | Beta | Stable | No |
| Field status.hostIPs added for Pod | 2681 | `status.hostIPs` is a new field on pods which lets you see both the IPv4 and IPv6 address of the node running the pod. Useful when you're doing a dual-stack migration | Beta | Stable | No |
| Aggregated Discovery | 3352 | Previously k8s clients (like kubectl) had to discover what resources were available in the cluster by making a bunch of requests for lots of small amounts of data, creating a lot of requests and load. This KEP makes it possible to make far fewer calls, stopping request storms | Beta | Stable | No |
| Job success/completion policy | 3998 | Updates the Job resource to allow setting specific conditions under which a job can be declared as succeeded, by introducing customizable success policies | N/A | Alpha | No |
| Custom profiling support in kubectl debug command | 4292 | Adds a custom profiling feature to the kubectl debug command, allowing users to configure the debug container's specification via a JSON file | N/A | Alpha | No |
| Node Log Query | 2258 | Allows users to view API server / kubelet logs through k8s itself rather than SSHing to the box running the kubelet | Alpha | Beta | Coming |
| Move Storage Version Migrator in-tree | 4192 | Ever had to write every resource back to k8s to perform an upgrade? It's a pain and pretty manual. This KEP aims to make that process much easier | N/A | Alpha | No |
| Custom Resource Field Selectors | 4359 | Lets custom resources have field selectors. Improves performance for filtering and stops people needing to throw things into labels | N/A | Alpha | No |
| Retry Generate Name | 4420 | When you ask k8s to generate a name for a resource when you create it, it generates a 5 character suffix to add to a prefix. This can collide, which causes the create call to fail. This KEP retries those calls on the API server side | N/A | Alpha | No |
| Job API managed-by mechanism | 4368 | Enables jobs to be managed by controllers other than the main job controller. Supports the work for MultiKueue (run jobs across multiple clusters) | N/A | Alpha | No |
| Structured Authorization Configuration | 3221 | Allows users to specify multiple authorization webhooks in a chain for API server calls instead of just one | Alpha | Beta | No |
| Structured Authentication Config | 3331 | Introduces a new structured authentication config file which lays the groundwork for more complex auth customization | Alpha | Beta | No |
| Bound service account token improvements | 4193 | Adds the node that a pod is running on to the claims of the JWT for the service account token | Alpha | Beta | |
| Contextual Logging | 3077 | Allows callers of Kubernetes components to pass in the logger they like. Enables structured JSON logging for k8s components | Alpha | Beta | No |
| kube-proxy-IP-node-binding | 1860 | Adds an `ipMode` field to the service status which allows cloud providers to configure kube-proxy. Makes networking better on some clouds | Alpha | Beta | No |
| Kube-proxy improved ingress connectivity reliability | 3836 | Allows for better connection draining on terminating nodes for some load balancers | Alpha | Beta | No |
| Traffic Distribution for Services | 4444 | Adds a `trafficDistribution` field to the service spec to allow users to specify how they want traffic to be routed to the pods backing the service. An initial implementation of `PreferClose` is included, which targets topologically close nodes | N/A | Alpha | Coming |
| User namespaces | 127 | Enables user namespaces, which increase isolation between the pod and the node it's running on by having privileged pod processes be unprivileged on the node. Mitigates the impact of container breakout vulnerabilities | Alpha | Beta | Coming |
| Kubelet limit of Parallel Image Pulls | 3673 | Adds a node-level limit to the kubelet on the number of parallel image pulls. Stops the scenario where a bunch of containers need images pulled and max out the bandwidth to the node. Note: you need to opt in to parallel image pulling; by default image pulling is serialized | Alpha | Beta | Coming |
| Recursive Read Only Mounts | 3857 | If you mount a `readOnly` volume in k8s then only the top-level mount is read-only. If it has submounts that are writable then they will also be writable by the pod. The KEP introduces a new mount field, `recursiveReadOnly`, which can force all submounts to be read-only too | N/A | Alpha | No |
| Pod Lifecycle Sleep Action | 3960 | Enables you to wait before terminating a container. Super useful for enabling graceful termination. If you have a service, you can just add a sleep of 10 seconds before termination on the pods so that new traffic is routed elsewhere and your service finishes any in-flight requests before terminating | Alpha | Beta | Coming |
| Max image age GC | 4210 | Adds an option to specify the maximum amount of time an image will be kept in the node cache before it's deleted. LRU style | Alpha | Beta | No |
| Allow almost all printable ASCII characters in environment variables | 4373 | Relaxes validation so all printable ASCII characters (except `=`) can be used in env vars (like `:`, `{`, `}` etc.) | N/A | Alpha | No |
| DRA: structured parameters | 4381 | Adds new resource types to support different resources needed by pods, like network-attached resources, resources shared between pods, etc. | N/A | Alpha | Coming |
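
Three of the pod-level changes in the table (user namespaces, KEP-127; recursive read-only mounts, KEP-3857; the preStop sleep action, KEP-3960) land in the same part of a Pod spec, so it is worth seeing them side by side. The manifest below is an added example written for this overview, not code from the post or from any of the KEPs. The image reference, pod name and ConfigMap name are placeholders, and each field is only honoured on a 1.30 cluster with the feature gate noted in the comments enabled (plus a runtime and kernel that support user namespaces and recursive read-only bind mounts).

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-demo            # placeholder name
spec:
  # KEP-127 (feature gate UserNamespacesSupport, beta in 1.30): run the pod
  # in its own user namespace. UID 0 inside the container maps to an
  # unprivileged UID on the node, which limits what a container breakout
  # can do with that identity.
  hostUsers: false
  # Give the preStop sleep below room to finish before SIGKILL.
  terminationGracePeriodSeconds: 30
  containers:
  - name: app
    image: registry.example/app:1.0   # placeholder image
    lifecycle:
      preStop:
        # KEP-3960 (feature gate PodLifecycleSleepAction, beta in 1.30):
        # pause before SIGTERM so endpoint removal propagates and new
        # traffic is routed elsewhere while in-flight requests finish.
        sleep:
          seconds: 10
    volumeMounts:
    - name: config
      mountPath: /etc/app
      readOnly: true
      # KEP-3857 (feature gate RecursiveReadOnlyMounts, alpha in 1.30):
      # also make every submount below /etc/app read-only. readOnly: true
      # is required alongside it; "Enabled" fails pod creation if the runtime
      # cannot guarantee it, "IfPossible" silently falls back.
      recursiveReadOnly: Enabled
  volumes:
  - name: config
    configMap:
      name: app-config            # placeholder ConfigMap
```

A quick way to check which of the three took effect: `kubectl get pod hardened-demo -o yaml` will show `hostUsers: false` only if the gate is on, and `status.containerStatuses[].volumeMounts[].recursiveReadOnly` reports whether the recursive read-only mount was actually applied.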

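
The CEL for Admission Control row (KEP-3488) is the one a defender can put to work immediately, because it replaces a webhook with a policy the API server evaluates in-process. Below is an added example, not from the post or from the KEP, that ties it to the User namespaces row: a `ValidatingAdmissionPolicy` plus binding that rejects any pod created or updated in a namespace labelled `hardened=true` unless it sets `spec.hostUsers` to `false`. The policy and binding names and the namespace label are assumptions; the resources themselves are GA in `admissionregistration.k8s.io/v1` as of 1.30.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-user-namespaces        # assumed name
spec:
  # Fail closed: if the expression cannot be evaluated, reject the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
  validations:
  # hostUsers is optional and nil means "true", so an unset field must
  # be treated as a violation rather than skipped.
  - expression: "has(object.spec.hostUsers) && object.spec.hostUsers == false"
    message: "pods in hardened namespaces must set spec.hostUsers to false"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-user-namespaces-binding   # assumed name
spec:
  policyName: require-user-namespaces
  # Deny rejects the request; use [Audit, Warn] first to measure impact
  # before enforcing.
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        hardened: "true"                   # assumed label
```

Apply both objects, then `kubectl apply --dry-run=server` a pod without `hostUsers` into a labelled namespace: the API server returns the `message` above without any webhook having been deployed, which is the failure-isolation point the match-conditions row (KEP-3716) makes for the webhook path.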
General References

Kubernetes release page:

Github k8s Changelog: