Kubernetes v1.30 - The overview table
Foreword
This blog post is the start of a new series of posts covering the evolution of Kubernetes. The series will cover each release of Kubernetes and will be split into multiple posts. There will be one overview post to cover every change at a high level and multiple deep dive posts covering a single interesting change in more detail.
I always found it tough to see what was coming down the pipeline for k8s: the release posts are great, but they don't contain all the KEPs (Kubernetes Enhancement Proposals) that changed state, which makes them not very scannable. If you want to find out about the KEPs that aren't talked about, you need to do a lot of digging through GitHub.
We did that digging so you don't have to.
This overview post lets you scan what you find interesting so you can dive in further, whether through a deep dive we post or through looking around the KEP itself. I'll explain each KEP in a single sentence.
So let's take a look at all 45 KEPs that changed state!
If you're interested in a particular KEP, I recommend that you Ctrl/Cmd-f for it!
The KEP table
| Feature | KEP | ELI5 | 1.29 State | 1.30 State | Deep dive |
|---|---|---|---|---|---|
| Container Resource based Pod Autoscaling | 1610 | Horizontal Pod Autoscaler can scale based on a specific container's resource usage rather than the whole pod | Beta | Stable | Coming |
| Remove transient node predicates from KCCM's service controller | 3458 | Allows nodes to drain load balancer connections when they become NotReady or are about to be torn down, instead of immediately terminating all connections | Beta | Stable | No |
| Go workspaces for k/k | 4402 | Moves the k8s repos to Go workspaces; no user-facing changes | N/A | Stable | No |
| Reduction of Secret-based Service Account Tokens | 2799 | Moves to the TokenRequest API instead of storing service account tokens as Secrets. Makes things more secure | Beta | Stable | No |
| CEL for Admission Control | 3488 | Allows in-process validation rules for requests to the API server through the Common Expression Language (CEL). The only previous option was to stand up an admission webhook | Beta | Stable | Coming |
| CEL-based admission webhook match conditions | 3716 | Admission webhooks can fail, and this causes massive cluster-wide issues. Allows users to send only the requests that absolutely need to go to the admission webhook there, isolating failures | Beta | Stable | No |
| Pod Scheduling Readiness | 3521 | Allows pods to be marked as unschedulable so they get skipped over by the pod scheduler. Can be mutated. Useful if you expect pods to be unschedulable for a long time | Beta | Stable | No |
| Min domains in PodTopologySpread | 3022 | Allows users to require a minimum number of domains before scheduling a deployment with pod topology spread constraints | Beta | Stable | No |
| Prevent unauthorised volume mode conversion during volume restore | 3141 | Prevents a vulnerability which allows malicious users to mount snapshotted volumes in a different mode | Beta | Stable | No |
| API Server Tracing | 650 | Enables distributed tracing for requests to the API server | Beta | Stable | Coming |
| Cloud Dual-Stack --node-ip Handling | 3705 | Allows users to change both the IPv4 and IPv6 addresses of nodes when the cluster is backed by a cloud provider | Beta | Stable | No |
| AppArmor support | 24 | Enables AppArmor (kernel security module) support for containers running in k8s | Beta | Stable | No |
| Robust VolumeManager reconstruction after kubelet restart | 3756 | Makes volume mounting after a kubelet restart more robust. The previous way had several issues | Beta | Stable | No |
| kubectl delete: Add interactive (-i) flag | 3895 | `kubectl delete -i ...` shows you the things that are going to be deleted before they actually are. You can then confirm or stop before actually deleting | Beta | Stable | Coming |
| Metric cardinality enforcement | 2305 | Prevents metrics exploding in cardinality by enforcing limits on the labels of a metric. Allows users to specify a file with the allowed label values at boot | Beta | Stable | No |
| Field status.hostIPs added for Pod | 2681 | status.hostIPs is a new field on pods which lets you see both the IPv4 and IPv6 address of the node running the pod. Useful when you're doing a dual-stack migration | Beta | Stable | No |
| Aggregated Discovery | 3352 | Previously k8s clients (like kubectl) had to discover what resources were available in the cluster by making lots of requests for small amounts of data, creating a lot of requests and load. This KEP makes it possible to make far fewer calls, stopping request storms | Beta | Stable | No |
| Job success/completion policy | 3998 | Updates the Job resource to allow setting specific conditions under which a job can be declared succeeded, by introducing customizable success policies | N/A | Alpha | No |
| Custom profiling support in kubectl debug command | 4292 | Adds a custom profiling feature to the kubectl debug command, allowing users to configure the debug container's specification via a JSON file | N/A | Alpha | No |
| Node Log Query | 2258 | Allows users to view API server / kubelet logs through k8s itself rather than SSHing to the box running the kubelet | Alpha | Beta | Coming |
| Move Storage Version Migrator in-tree | 4192 | Ever had to write every resource back to k8s to perform an upgrade? It's a pain and pretty manual. This KEP aims to make that process much easier | N/A | Alpha | No |
| Custom Resource Field Selectors | 4359 | Lets custom resources have field selectors. Improves performance for filtering and stops people needing to throw things into labels | N/A | Alpha | No |
| Retry Generate Name | 4420 | When you ask k8s to generate a name for a resource at creation time, it generates a 5-character suffix to add to a prefix. These can collide, which causes the create call to fail. This KEP retries those calls on the API server side | N/A | Alpha | No |
| Job API managed-by mechanism | 4368 | Enables jobs to be managed by controllers other than the main job controller. Supports the work for MultiKueue (running jobs across multiple clusters) | N/A | Alpha | No |
| Structured Authorization Configuration | 3221 | Allows users to specify multiple authorization webhooks in a chain for API server calls instead of just one | Alpha | Beta | No |
| Structured Authentication Config | 3331 | Introduces a new structured authentication config file which lays the groundwork for more complex auth customization | Alpha | Beta | No |
| Bound service account token improvements | 4193 | Adds the node that a pod is running on to the claims of the service account token JWT | Alpha | Beta | |
| Contextual Logging | 3077 | Allows callers of Kubernetes components to pass in the logger they like. Enables structured JSON logging for k8s components | Alpha | Beta | No |
| kube-proxy IP node binding | 1860 | Adds an ipMode field to the Service status which allows cloud providers to configure kube-proxy. Makes networking better on some clouds | Alpha | Beta | No |
| Kube-proxy improved ingress connectivity reliability | 3836 | Allows for better connection draining on terminating nodes for some load balancers | Alpha | Beta | No |
| Traffic Distribution for Services | 4444 | Adds a trafficDistribution field to the Service spec to let users specify how they want traffic routed to the pods backing the service. An initial implementation of PreferClose is included, which targets topologically close nodes | N/A | Alpha | Coming |
| User namespaces | 127 | Enables user namespaces, which increase isolation between the pod and the node it's running on by having privileged pod processes be unprivileged on the node. Mitigates the impact of container breakout vulnerabilities | Alpha | Beta | Coming |
| Kubelet limit of Parallel Image Pulls | 3673 | Adds a node-level limit to the kubelet on the number of parallel image pulls. Stops the scenario where a bunch of containers need images pulled and max out the node's bandwidth. Note: you need to opt in to parallel image pulling; by default image pulling is serialized | Alpha | Beta | Coming |
| Recursive Read Only Mounts | 3857 | If you mount a readOnly volume in k8s, only the top-level mount is read-only. If it has submounts that are writable, they will also be writable by the pod. The KEP introduces a new mount field, recursiveReadOnly, which can force all submounts to be read-only too | N/A | Alpha | No |
| Pod Lifecycle Sleep Action | 3960 | Enables you to wait before terminating a container. Super useful for graceful termination: if you have a service, you can add a 10-second sleep before termination on the pods so that new traffic is routed elsewhere and your service finishes in-flight requests before terminating | Alpha | Beta | Coming |
| Max image age GC | 4210 | Adds an option to specify the maximum amount of time an image is kept in the node cache before it's deleted. LRU style | Alpha | Beta | No |
| Allow almost all printable ASCII characters in environment variables | 4373 | Relaxes validation so all printable ASCII characters (except `=`) can be used in env var names (like `:`, `{`, `}` etc.) | N/A | Alpha | No |
| DRA: structured parameters | 4381 | Adds new resource types to support different resources needed by pods, like network-attached resources, shared resources between pods, etc. | N/A | Alpha | Coming |
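As an added example (not from the original post or the Kubernetes project), here is what the Recursive Read Only Mounts row (KEP 3857) looks like in a pod spec: the top-level readOnly flag alone leaves nested submounts writable, and recursiveReadOnly closes that gap. It assumes a v1.30 cluster with the RecursiveReadOnlyMounts feature gate enabled and a container runtime that supports it; the pod name, image and host path are constructed placeholders.

```yaml
# Added example: a Pod mounting a hostPath read-only and asking the kubelet to
# make every submount under it read-only as well (KEP 3857, alpha in v1.30,
# behind the RecursiveReadOnlyMounts feature gate).
apiVersion: v1
kind: Pod
metadata:
  name: rro-demo                     # constructed name
spec:
  containers:
  - name: app
    image: registry.k8s.io/pause:3.9  # placeholder image
    volumeMounts:
    - name: data
      mountPath: /data
      readOnly: true                 # required; recursiveReadOnly builds on it
      # Disabled:   only the top-level mount is read-only (pre-KEP behaviour)
      # IfPossible: recursive when runtime and kernel support it, else fall back
      # Enabled:    recursive, and the pod fails to start if that cannot be honoured
      recursiveReadOnly: Enabled
      mountPropagation: None         # Enabled requires None (or unset)
  volumes:
  - name: data
    hostPath:
      path: /var/lib/example         # constructed path with nested mounts beneath it
      type: Directory
```

The kubelet reports what it actually applied in each container's status under volumeMounts[].recursiveReadOnly, so a deployment can check that field rather than assume the submounts are protected.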
General References
Kubernetes release page: https://kubernetes.io/blog/2024/04/17/kubernetes-v1-30-release/
GitHub k8s Changelog: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md