Kubernetes 1.22 – What’s new?

Kubernetes 1.22 is about to be released, and it comes packed with novelties! Where do we begin?\r\r

\rThis release brings 56 enhancements, an increase from 50 in Kubernetes 1.21 and 43 in Kubernetes 1.20. Of those 56 enhancements, 13 are graduating to Stable, a whopping 24 are existing features that keep improving, and 16 are completely new.\r

\r

\rIt's great to see so many new features focusing on security, like the replacement for the Pod Security Policies, a rootless mode, and enabling Seccomp by default.\r

\r

\rAlso, watch out for all the deprecations and removals in this version!\r

\r

\rThere is plenty to talk about, so let's get started with what's new in Kubernetes 1.22.\r

\r\r\r

Kubernetes 1.22 – Editor's pick:

\r

\rThese are the features that look most exciting to us in this release (ymmv):\r

\r\r\r

#2579 Pod Security Policy replacement

\r

\rAfter being deprecated in Kubernetes 1.21, we knew a replacement for Pod Security Policies was on the way, but we didn't know what it would look like. Now, we are happy to learn that it will be an Admission Controller, reusing part of the existing infrastructure.\r

\r

\r

\rAlvaro Iradier – Software Engineer at Sysdig

\r

\r\r\r

#2033 Rootless mode containers

\r

\rNot running containers as root is the No. 1 container security best practice. It's reassuring that this measure is being taken to the extreme, allowing us to run the entire Kubernetes stack in the user space. This is really gonna make Kubernetes more secure.\r

\r

\r

\rAlejandro Villanueva – Product Analyst at Sysdig

\r

\r\r\r

#2413 Seccomp by default

\r

\rIf one thing is clear after this Kubernetes release, it's the shift to security first. Adding this extra layer of security by default will render many potential exploits pointless. Steps like this will absolutely change how people see Kubernetes.\r

\r

\r

\rVíctor Jiménez – Content Engineering Manager at Sysdig

\r

\r\r\r

#2400 Node swap support

\r

\rOne of those tiny details we like to see on every Kubernetes release, it won't make headlines, but will make lives much easier. Swap was a given for every developer. By being supported, there's one thing less to worry about when using Kubernetes.\r

\r

\r

\rMichele Zuccala – Director of Open Source Engineering at Sysdig

\r

\r\r\r

#2254 #2570 Cgroupsv2

\r

\rSame as with swap, it's great to see support for more native Linux features. In this case, Cgroupsv2 is enabling more options for Memory QoS, which (in Kubernetes 1.22) will help avoid performance throttling of workloads running in Kubernetes.\r

\r

\r

\rDavid de Torres – Manager of engineer at Sysdig

\r

\r\r\r

Deprecations

\r\r\r

Beta API and feature removals

\r

\rAs Kat Cosgrove warned us, a few beta APIs and features have been removed in Kubernetes 1.22, including:\r

\r

\r
• Ingress\r
• CustomResourceDefinition\r
• ValidatingWebhookConfiguration\r
• MutatingWebhookConfiguration\r
• CertificateSigningRequest\r
\r

\r

\rNot deprecated, but removed. That means that you won't be able to re-enable them with a feature flag. If you are using them, you'll have to migrate to their stable versions.\r

\r

\rCheck in the Kubernetes blog for the full list of removals and steps to migrate. And keep the deprecated API migration guide close for the future.\r

\r\r\r

#1558 Streaming proxy redirects deprecation

\r

\rFeature group: node\r

\r

\rThe StreamingProxyRedirects feature was initially developed to alleviate request overhead driven by the implementation of the Container Runtime Interface. The rationale was that by bypassing the kubelet, performance wouldn't take a big hit.\r

\r

\rHowever, with all requests centralized in the apiserver, those theoretical improvements weren't as important. Also, some security concerns required the implementation of the ValidateProxyRedirects feature.\r

\r

\rAfter being initially deprecated in 1.20, the feature gates have been disabled in 1.22. In Kubernetes 1.24, these features will be removed and the only way to configure container streaming will be by using the local redirect with Kubelet proxy approach. Check the full details in the KEP.\r

\r\r\r

#536 Topology API

\r

\rFeature group: network\r

\r

\rAs we mentioned in the last release, the #2433 Topology Aware Hints enhancement will replace the ServiceTopology feature gate that was introduced in Kubernetes 1.17.\r

\r\r\r

#281 DynamicKubeletConfig deprecation

\r

\rFeature group: node\r

\r

\rAfter being in beta since Kubernetes 1.11, the Kubernetes team has decided to deprecate DynamicKubeletConfig instead of continuing its development.\r

\r\r\r

Kubernetes 1.22 API

\r\r\r

#555 Server-side Apply

\r

\rStage: Graduating to Stable
Feature group: api-machinery\r

\r

\rThis feature aims to move the logic away from kubectl apply to the apiserver, fixing most of the current workflow pitfalls and also making the operation accessible directly from the API (for example using curl), without strictly requiring kubectl or a Golang implementation.\r

\r

\rRead more in our "Kubernetes 1.14 – What's new?" article.\r

\r\r\r

#1693 Warnings mechanism

\r

\rStage: Graduating to Stable
Feature group: api-machinery\r

\r

\rFrom now on, the API server will include a warning header with deprecation information. This includes when an API was introduced, when it will be deprecated, and when it will be removed.\r

\r

\rRead more in our "Kubernetes 1.19 – What's new?" article.\r

\r\r\r

#2161 Immutable label selectors for all namespaces

\r

\rStage: Graduating to Stable
Feature group: api-machinery\r

\r

\rA new immutable label kubernetes.io/metadata.name has been added to all namespaces, where its value is the namespace name. This label can be used with any namespace selector, like in the previously mentioned NetworkPolicy objects.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#1040 Priority and Fairness for API Server Requests

\r

\rStage: Graduating to Beta
Feature group: api-machinery\r

\r

\rThe APIPriorityAndFairness feature gate enables a new max-in-flight request handler in the API server. By defining different types of requests with FlowSchema objects and assigning them resources with RequestPriority objects, you can ensure the Kubernetes API server will be responsive for admin and maintenance tasks during high loads.\r

\r

\rRead more in our "Kubernetes 1.18 – What's new?" article.\r

\r\r\r

Apps in Kubernetes 1.22

\r\r\r

#2307 Job tracking without lingering Pods

\r

\rStage: Graduating to Alpha
Feature group: apps\r

\r

\rWith this enhancement, Jobs will be able to remove completed pods earlier, freeing resources in the cluster.\r

\r

\rThe current Job controller tracks completed Jobs by keeping Pods in a lingering state after they finish. Only when the Job is finished are the Pods removed, and the resources freed.\r

\r

\rWith the new approach, the Job controller will keep track of the completed jobs while allowing the completed Pods to be removed.\r

\r

\rCheck the KEP to learn the implementation details.\r

\r\r\r

#2599 Add minReadySeconds to Statefulsets

\r

\rStage: Graduating to Alpha
Feature group: apps\r

\r

\rThis enhancement brings to StatefulSets the optional minReadySeconds field that is already available on Deployments, DaemonSets, ReplicasSets, and Replication Controllers.\r

\r

\rIf declared, a newly created Pod won't be considered available until their containers stay ready without crashing for the specified number of seconds.\r

\r\r\r

#19 CronJobs

\r

\rStage: Graduating to Stable
Feature group: apps\r

\r

\rIntroduced in Kubernetes 1.4 and in beta since 1.8, CronJobs are finally on the road to becoming Stable.\r

\r

\rCronJobs runs periodic tasks in a Kubernetes cluster, similar to cron on UNIX-like systems.\r

\r

\rRead more in our "Kubernetes 1.20 – What's new?" article.\r

\r\r\r

#85 PodDisruptionBudget eviction

\r

\rStage: Graduating to Stable
Feature group: apps\r

\r

\rIntroduced in Kubernetes 1.4 and in beta since 1.5, PodDisruptionBudget finally graduates to Stable.\r

\r

\rWith this API, you can define a minAvailable number of replicas for a Pod. If you try to voluntarily disrupt a Pod in a way that violates minAvailable value, it won't be deleted.\r

\r

\rWhile in Kubernetes 1.21 we saw the graduation of PodDisruptionBudget to GA, in Kubernetes 1.22 we see the graduation of the Eviction subresource:\r

\r{\r
"apiVersion": "policy/v1",\r
"kind": "Eviction",\r
"metadata": {\r
"name": "quux",\r
"namespace": "default"\r
}\r
}\r
\r\r\r

#1591 Graduate DaemonSet maxSurge to beta

\r

\rStage: Graduating to Beta
Feature group: apps\r

\r

\rWhen performing a rolling update, this enhancement allows specifying how many new Pods will be created to replace the old ones.\r

\r

\rThis is done via the optional spec.strategy.rollingUpdate.maxSurge field. By assigning an absolute number, you can tell the maximum number of Pods that can be created over the desired number of Pods. The value can also be a percentage of the desired Pods. The default value, to match the previous behavior, is 25 percent.\r

\r\r\r

#2185 Graduate LogarithmicScaleDown to Beta

\r

\rStage: Graduating to Beta
Feature group: apps\r

\r

\rWhen the LogarithmicScaleDown feature gate is enabled, a semi-random selection of Pods will be used to downscale ReplicaSets based on logarithmic bucketing of pod timestamps.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#2255 Graduate PodDeletionCost to Beta

\r

\rStage: Graduating to Beta
Feature group: apps\r

\r

\rYou can now annotate Pods with controller.kubernetes.io/pod-deletion-cost=10, with 0 being the default value. When scaling down, a best effort will be made to remove Pods with a lower deletion cost.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#2214 Indexed Job semantics in Job API

\r

\rStage: Graduating to Beta
Feature group: apps\r

\r

\rIndexed jobs were introduced in Kubernetes 1.21 to make it easier to schedule highly parallelizable Jobs.\r

\r

\rThis enhancement adds completion indexes into the Pods of a Job with fixed completion count, to support running embarrassingly parallel programs. \r

\r

\rThis way, it is possible to pass the job index to the Pods via environment variables, or even create indexed jobs where pods can address each other by a hostname built from the index:\r

\r[...]\r
spec:\r
subdomain: my-job-svc\r
containers:\r
- name: task\r
image: registry.example.com/processing-image\r
command: ["./process", "--index", "$JOB_COMPLETION_INDEX", "--hosts-pattern", "my-job-{{.id}}.my-job-svc"]\r
\r\r\r

#2232 add suspend field to Jobs API

\r

\rStage: Graduating to Beta
Feature group: apps\r

\r

\rSince Kubernetes 1.21, Jobs can be temporarily suspended by setting the .spec.suspend field of the job to true, and resumed later by setting it back to false.\r

\r\r\r

Kubernetes 1.22 Authentication

\r\r\r

#2579 Pod Security Policy replacement

\r

\rStage: Graduating to Alpha
Feature group: auth\r

\r

\rA new PodSecurity admission controller is available to replace the Pod Security Policies deprecated in Kubernetes 1.21.\r

\r

\rThis new admission controller will be able to enforce Pod Security Standards by namespace. The enforcement can be done at three levels:\r

\r

\r
• enforce: Policy violations will cause the pod to be rejected.\r
• audit: Policy violations will trigger the addition of an audit annotation, but are otherwise allowed.\r
• warn: Policy violations will trigger a user-facing warning, but are otherwise allowed.\r
\r

\r

\rIt'll be possible to configure this via the AdmissionConfiguration file:\r

\rapiVersion: apiserver.config.k8s.io/v1\r
kind: AdmissionConfiguration\r
plugins:\r
- name: PodSecurity\r
configuration:\r
defaults: # Defaults applied when a mode label is not set.\r
enforce: \r
enforce-version: \r
audit: \r
audit-version: \r
warn: \r
warn-version: \r
exemptions:\r
usernames: [ ]\r
runtimeClassNames: [ ]\r
namespaces: [ ]\r
\r

\rTo learn more about the rationale behind this enhancement, and possible new developments, check the KEP.\r

\r\r\r

#541 External client-go credential providers

\r

\rStage: Graduating to Stable
Feature group: auth\r

\r

\rThis enhancement allows Go clients to authenticate using external credential providers, like Key Management Systems (KMS), Trusted Platform Modules (TPM), or Hardware Security Modules (HSM).\r

\r

\rThose devices are already used to authenticate against other services, are easier to rotate, and are more secure, as they don't exist as files on the disk.\r

\r

\rInitially introduced on Kubernetes 1.10, this feature concludes the work done in 1.20 and 1.21. \r

\r\r\r

#542 Bound Service Account Token Volumes

\r

\rStage: Graduating to Stable
Feature group: auth\r

\r

\rThe current JSON Web Tokens (JWT) that workloads use to authenticate against the API have some security issues. This enhancement comprises the work to create a more secure API for JWT.\r

\r

\rRead more in our "Kubernetes 1.20 – What's new?" article.\r

\r\r\r

#2784 CSR Duration

\r

\rStage: Graduating to Beta
Feature group: auth\r

\r

\rUp until now, clients of the Certificates API weren't able to request a specific duration for an issued certificate.\r

\r

\rThis duration defaulted to one year for every new certificate, which may be too long for some use cases.\r

\r

\rA new ExpirationSeconds field has been added to CertificateSigningRequestSpec, which accepts a minimum value of 600 seconds (10 minutes).\r

\r\r\r

Network in Kubernetes 1.22

\r\r\r

#1669 kube-proxy handling terminating endpoints

\r

\rStage: Graduating to Alpha
Feature group: network\r

\r

\rThis enhancement approaches the edge case where Services with externalTrafficPolicy=Local will drop all traffic from a load balancer if the number of endpoints changes to 0. This behavior makes zero downtime rolling updates impossible for such services.\r

\r

\rThe implemented solution is to send all external traffic on the affected nodes to both ready and not ready terminating endpoints (preferring the ready ones).\r

\r

\rTo learn more about this edge case and the implementation details, check the KEP.\r

\r\r\r

#2595 Expanded DNS configuration

\r

\rStage: Graduating to Alpha
Feature group: network\r

\r

\rWith this enhancement, Kubernetes allows more DNS search paths, and a longer list of DNS search paths, to keep up with recent DNS resolvers.\r

\r

\rAfter enabling the MaxDNSSearchPathsExpanded feature gate, two DNS configuration limits are changed:\r

\r

\r
• MaxDNSSearchPaths jumps from 6 to 32.\r
• MaxDNSSearchListChars increases from 256 to 2048.\r
\r

\r\r\r

#752 EndpointSlice API

\r

\rStage: Graduating to Stable
Feature group: network\r

\r

\rThe new EndpointSlice API will split endpoints into several Endpoint Slice resources. This solves many problems in the current API that are related to big Endpoints objects. This new API is also designed to support other future features, like multiple IPs per pod.\r

\r

\rNoteworthy in Kubernetes 1.22 is that if an Endpoints resource has more than 1000 endpoints, the cluster annotates them with endpoints.kubernetes.io/over-capacity: truncated, where before it was annotated with endpoints.kubernetes.io/over-capacity: warning.\r

\r

\rRead more in our "Kubernetes 1.20 – What's new?" article.\r

\r\r\r

#1507 AppProtocol field in Services and Endpoints

\r

\rStage: Graduating to Stable
Feature group: network\r

\r

\rAfter being stable since 1.20, the ServiceAppProtocol feature gate has now been removed.\r

\r

\rRead more in our "Kubernetes 1.18 – What's new?" article.\r

\r\r\r

#1864 Service Disabling LB Node Ports

\r

\rStage: Graduating to Beta
Feature group: network\r

\r

\rSome implementations of the LoadBalancer API do not consume the node ports automatically allocated by Kubernetes, like MetalLB or kube-router. However, the API requires a port to be defined and allocated, even if it's not being used.\r

\r

\rWhen the field allocateLoadBalancerNodePort in Service.Spec is set to false, it will stop allocating new node ports.\r

\r

\rRead more in our "Kubernetes 1.20 – What's new?" article.\r

\r\r\r

#1959 Service LoadBalancer Class

\r

\rStage: Graduating to Beta
Feature group: network\r

\r

\rThis enhancement allows you to leverage multiple Service Type=LoadBalancer implementations in a cluster.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#2079 Network Policy EndPort

\r

\rStage: Graduating to Beta
Feature group: network\r

\r

\rThis enhancement will allow you to define all ports in a NetworkPolicy as a range:\r

\rspec:\r
egress:\r
- ports:\r
- protocol: TCP\r
port: 32000\r
endPort: 32768\r
\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#2086 Service InternalTrafficPolicy

\r

\rStage: Graduating to Beta
Feature group: network\r

\r

\rYou can now set the spec.trafficPolicy field on Service objects to optimize your cluster traffic:\r

\r

\r
• With Cluster, the routing will behave as usual.\r
• When set to Topology, it will use the topology-aware routing.\r
• With PreferLocal, it will redirect traffic to services on the same node.\r
• With Local, it will only send traffic to services on the same node.\r
\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#2365 Namespace Scoped Ingress Class Parameters

\r

\rStage: Graduating to Beta
Feature group: network\r

\r

\rWith this enhancement, you can now specify parameters for an IngressClass with a Namespace scope.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

Kubernetes 1.22 nodes

\r\r\r

#2033 Rootless mode containers

\r

\rStage: Graduating to Alpha
Feature group: node\r

\r

\rNot running containers as root is the No. 1 container security best practice.\r

\r

\rWith this enhancement, Kubernetes goes a step further, allowing you to run the whole Kubernetes stack as a non-root user. This way, if your cluster is compromised, attackers will have a bad time accessing the rest of your infrastructure.\r

\r

\rYou can run Kubernetes in rootless mode by enabling the KubeletInUserNamespace feature gate and following these instructions.\r

\r

\rHowever, keep in mind that there are plenty of caveats you'll have to address.\r

\r\r\r

#2254 Cgroupsv2

\r

\rStage: Graduating to Alpha
Feature group: node\r

\r

\rCgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. It's v2 API was declared stable more than two years ago, and many Linux distributions are already using it by default.\r

\r

\rThis enhancement covers the work done to make Kubernetes compatible with Cgroups v2, starting with the configuration files.\r

\r

\rCheck the new configuration values, as there will be some changes in the ranges of the values. For example cpu.weight values will change from [2-262144] to [1-10000].\r

\r

\rThis enhancement doesn't cover enabling the new features in v2 that aren't available in v1. It also doesn't cover the deprecation of v1.\r

\r\r\r

#2400 Node swap support

\r

\rStage: Graduating to Alpha
Feature group: node\r

\r

\rSwap (disk memory in Linux) is not the fastest. However, there are several workloads like Java and Node applications that benefit from it.\r

\r

\rThis enhancement enables Kubernetes workloads to use swap. For now, the configuration is global for the whole node, and cannot be configured per workload. To use it:\r

\r

\r
1. Provision swap on the target worker nodes.\r
2. Enable the NodeMemorySwap feature flag on the kubelet.\r
3. Set the --fail-on-swap flag to false.\r
4. Optionally, allow Kubernetes workloads to use swap by setting MemorySwap.SwapBehavior=UnlimitedSwap in the kubelet config.\r
\r

\r

\rCheck further implementation details in the KEP.\r

\r\r\r

#2413 Seccomp by default

\r

\rStage: Graduating to Alpha
Feature group: node\r

\r

\rKubernetes currently allows you to increase the security of your containers, executing them using a Seccomp profile.\r

\r

\rThis enhancement will enable this option by default, helping prevent CVEs and zero-day vulnerabilities. You can enable this behavior with the SeccompDefault, which will turn the existing RuntimeDefault profile into the default for any container.\r

\r\r\r

2570 Memory QoS with cgroupsv2

\r

\rStage: Graduating to Alpha
Feature group: node\r

\r

\rNow that Cgroupsv2 is supported, support for its new features has started.\r

\r

\rIt's now possible to configure Memory QoS with the following options:\r

\r

\r
• memory.min: Minimum amount of memory the cgroup must always retain.\r
• memory.max: The memory usage hard limit, acting as the final protection mechanism.\r
• memory.low: The best-effort memory protection, a "soft guarantee" that if the cgroup and all its descendants are below this threshold, the cgroup's memory won't be reclaimed unless memory can't be reclaimed from any unprotected cgroups. Not yet considered for now.\r
• memory.high: If a cgroup's memory use goes over the high boundary specified here, the cgroup's processes are throttled and put under heavy reclaim pressure.\r
\r

\r\r\r

#2625 New CPU Manager Policies

\r

\rStage: Graduating to Alpha
Feature group: node\r

\r

\rThis enhancement allows the CPU Manager to assign exclusive workloads to specific CPU cores. Isolating workloads per CPU core avoids context and cache switching, which is crucial for latency-sensitive applications.\r

\r

\rA new --cpu-manager-policy-options option is available on the CPU Manager. When set to full-pcups-only=true, the node will isolate the workloads per physical CPU cores. Note that it will only accept workloads that use entire CPUs.\r

\r\r\r

#1539 HugePageStorageMediumSize

\r

\rStage: Graduating to Stable
Feature group: node\r

\r

\rThese two enhancements added to the HugePages feature in Kubernetes 1.18 are now stable.\r

\r

\rFirst, the pods are now allowed to request HugePages of different sizes.\r

\r

\rAnd second, container isolation of HugePages has been put in place to solve an issue where a pod could use more memory than requested, ending up in resource starvation.\r

\r

\rRead more in our "Kubernetes 1.18 – What's new?" article.\r

\r\r\r

#1797 Set pod FQDN

\r

\rStage: Graduating to Stable
Feature group: node\r

\r

\rNow, it's possible to set a pod's hostname to its Fully Qualified Domain Name (FQDN), increasing the interoperability of Kubernetes with legacy applications.\r

\r

\rAfter setting hostnameFQDN: true, running uname -n inside a Pod returns foo.test.bar.svc.cluster.local instead of just foo.\r

\r

\rThis feature was introduced on Kubernetes 1.19, and you can read more details in the enhancement proposal.\r

\r\r\r

#277 Ephemeral Containers

\r

\rStage: Graduating to Beta
Feature group: node\r

\r

\rEphemeral containers are a great way to debug running pods. Although you can't add regular containers to a pod after creation, you can run ephemeral containers with kubectl debug.\r

\r

\rRead more in our "Kubernetes 1.16 – What's new?" article.\r

\r\r\r

#1769 Memory Manager

\r

\rStage: Graduating to Beta
Feature group: node\r

\r

\rA new Memory Manager component is available in kubelet to guarantee memory and hugepages allocation for pods. It will only act on Pods in the guaranteed QoS class.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#1967 Support to size memory backed volumes

\r

\rStage: Graduating to Beta
Feature group: node\r

\r

\rWhen a Pod defines a memory-backed empty dir volume (e.g., tmpfs), not all hosts size this volume equally. For example, a Linux host sizes it to 50 percent of the memory on the host. This new enhancement will size volumes not only with the node allocatable memory in mind, but also with the pod allocatable memory and the emptyDir.sizeLimit field.\r

\r

\rRead more in our "Kubernetes 1.20 – What's new?" article.\r

\r\r\r

#2238 Configurable grace period for probes

\r

\rStage: Graduating to Beta
Feature group: node\r

\r

\rThis enhancement introduces a second terminationGracePeriodSeconds field, inside the livenessProbe object, to differentiate two situations: How much should Kubernetes wait to kill a container under regular circumstances, and when is the kill due to a failed livenessProbe?\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

Scheduling in Kubernetes 1.22

\r\r\r

#785 Scheduler Component Config API

\r

\rStage: Graduating to Beta
Feature group: scheduling\r

\r

\rComponentConfig is an ongoing effort to make component configuration more dynamic and directly reachable through the Kubernetes API.\r

\r

\rRead more in our "Kubernetes 1.19 – What's new?" article.\r

\r\r\r

#1923 Honor Nominated node during the new scheduling cycle

\r

\rStage: Graduating to Beta
Feature group: scheduling\r

\r

\rThis feature lets you define a preferred node with the .status.nominatedNodeName field inside a Pod to speed up the scheduling process in large clusters.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#2249 Namespace Selector to Beta

\r

\rStage: Graduating to Beta
Feature group: scheduling\r

\r

\rBy defining node affinity in a deployment, you can constrain which nodes your pod will be scheduled on. For example, deploy on nodes that are already running Pods with a label-value for an example-label.\r

\r

\rThis enhancement adds a namespaceSelector field so you can specify the namespaces by their labels, rather than their names. With this field, you can dynamically define the set of namespaces.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#2458 A single scoring plugin for node resources

\r

\rStage: Graduating to Beta
Feature group: scheduling\r

\r

\rThree score plugins of the default scheduler (NodeResourcesLeastAllocated, NodeResourcesMostAllocated and RequestedToCapacityRatio) implement mutually exclusive strategies for preferred resource allocation.\r

\r

\rThis enhancement simplifies the scheduler by deprecating those plugins and combining them under a single NodeResourcesFit plugin, using a ScoringStrategy property that can be set to LeastAllocated (default), MostAllocated, and RequestedToCapacityRatio.\r

\r\r\r

Kubernetes 1.22 storage

\r\r\r

#2317 Delegate FSGroup to CSI Driver instead of Kubelet

\r

\rStage: Graduating to Alpha
Feature group: storage\r

\r

\rBefore a CSI volume is bind mounted inside a container, Kubernetes modifies the volume ownership via fsGroup. For most volume plugins, kubelet does so by recursively chowning and chmoding the files and directories inside a volume. However, chown and chmod are unix primitives, so they are not available to some CSI drivers, like AzureFile. \r

\r

\rThis enhancement proposes providing the CSI driver with the fsgroup of the pods as an explicit field, so it can be the CSI driver applying this natively on mount time.\r

\r

\rThis behavior can be enabled with the DelegateFSGroupToCSIDriver feature gate, for drivers supporting the VOLUME_MOUNT_GROUP NodeServiceCapability. The fsGroup should be specified in the securityContext.\r

\r\r\r

#2485 New RWO access mode

\r

\rStage: Graduating to Alpha
Feature group: storage\r

\r

\rWith this enhancement, it's possible to access PersistenVolumes in a ReadWriteOncePod mode, restricting access to a single pod on a single node.\r

\r

\rWhile the existing ReadWriteOnce, access mode restricts access to a single node, but allows simultaneous access from many pods on that node.\r

\r

\rThe new mode is ideal for maintenance tasks in PersistenVolumes.\r

\r\r\r

#2047 CSIServiceAccountToken

\r

\rStage: Graduating to Stable
Feature group: storage\r

\r

\rWith this enhancement, CSI drivers will be able to request the service account tokens from Kubelet to the NodePublishVolume function. Kubelet will also be able to limit what tokens are available to which driver. And finally, the driver will be able to re-execute NodePublishVolume to remount the volume by setting RequiresRepublish to true. \r

\r

\rThis last feature will come in handy when the mounted volumes can expire and need a re-login. For example, a secrets vault.\r

\r

\rRead more in our "Kubernetes 1.20 – What's new?" article.\r

\r\r\r

#1495 Volume Populator DataSource

\r

\rStage: Graduating to Beta
Feature group: storage\r

\r

\rIntroduced in Kubernetes 1.18, this enhancement establishes the foundations that will allow users to create pre-populated volumes. For example, pre-populating a disk for a virtual machine with an OS image, or enabling data backup and restore.\r

\r

\rTo accomplish this, the current validations on the DataSource field of persistent volumes will be lifted, allowing it to set arbitrary objects as values. Implementation details on how to populate volumes are delegated to purpose-built controllers.\r

\r\r\r

Windows support in Kubernetes 1.22

\r\r\r

#1981 Windows Privileged Containers

\r

\rStage: Graduating to Alpha
Feature group: windows\r

\r

\rThis enhancement brings the privileged containers feature available in Linux to Windows hosts.\r

\r

\rPrivileged containers have access to the host, as if they were running directly on it. Although they are not recommended for most of the workloads, they are quite useful for administration, security, and monitoring purposes.\r

\r

\rIf your cluster has the WindowsHostProcessContainers feature enabled, you can create a Windows HostProcess pod by setting the windowsOptions.hostProcess flag on the security context of the pod spec. All containers in these pods must run as Windows HostProcess containers.\r

\r\r\r

#1122 Support CSI Plugins in Windows

\r

\rStage: Graduating to Stable
Feature group: windows\r

\r

\rContainer Storage Interface plugins were created to allow the development of third-party storage volume systems.\r

\r

\rSince Kubernetes 1.16, Windows nodes are able to use the existing CSI plugins. Now this feature is Stable.\r

\r\r\r

Other enhancements in Kubernetes 1.22

\r\r\r

#647 API Server Tracing

\r

\rStage: Graduating to Alpha
Feature group: instrumentation\r

\r

\rThis enhancement improves the API Server to allow tracing requests using OpenTelemetry libraries, and the OpenTelemetry format.\r

\r

\rYou can enable the tracing via the APIServerTracing feature gate and by launching the apiserver with --tracing-config-file=, where the config file would look like:\r

\rapiVersion: apiserver.config.k8s.io/v1alpha1\r
kind: TracingConfiguration\r
# default value\r
#endpoint: localhost:4317\r
samplingRatePerMillion: 100\r
\r\r\r

#2568 Run control-plane as non-root in kubeadm

\r

\rStage: Graduating to Alpha
Feature group: cluster-lifecycle\r

\r

\rRelated to #2033 Rootless mode containers, this enhancement summarizes the work to be able to run the control plane in kubeadm as non-root.\r

\r\r\r

#970 kubeadm: graduate the kubeadm configuration

\r

\rStage: Graduating to Beta
Feature group: cluster-lifecycle\r

\r

\rOver time, the number of options to configure the creation of a Kubernetes cluster has greatly increased in the kubeadm config file, while the number of CLI parameters has been kept the same. As a result, the config file is the only way to create a cluster with several specific use cases.\r

\r

\rThe goal of this feature is to redesign how the config is persisted, improving the current version and providing a better support for high availability clusters using substructures instead of a single flat file with all the options.\r

\r

\rRead more in our "Kubernetes 1.15 – What's new?" article.\r

\r\r\r

#2436 Leader Migration for Cloud Controller Managers

\r

\rStage: Graduating to Beta
Feature group: cloud-provider\r

\r

\rAs we've been discussing for a while, there is an active effort to move code specific to cloud providers outside of the Kubernetes core code (from in-tree to out-of-tree).\r

\r

\rThis enhancement establishes a migration process for sters with strict requirements on control plane availability.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r\r\r

#859 Include kubectl command metadata in http request headers

\r

\rStage: Graduating to Beta
Feature group: cli\r

\r

\rFrom now on, kubectl will include additional HTTP headers in the requests to the API server. By knowing what kubectl command triggered a given request, administrators will have useful information to aid in troubleshooting and enforcing best practices.\r

\r

\rRead more in our "Kubernetes 1.21 – What's new?" article.\r

\r

\r

\r

\r

\rThat's all for Kubernetes 1.22, folks! Exciting as always; get ready to upgrade your clusters if you are intending to use any of these features.\r

\r

\rIf you liked this, you might want to check out our previous 'What's new in Kubernetes' editions:\r

\r

\r
• What's new in Kubernetes 1.21\r
• What's new in Kubernetes 1.20\r
• What's new in Kubernetes 1.19\r
• What's new in Kubernetes 1.18\r
• What's new in Kubernetes 1.17\r
• What's new in Kubernetes 1.16\r
• What's new in Kubernetes 1.15\r
• What's new in Kubernetes 1.14\r
• What's new in Kubernetes 1.13\r
• What's new in Kubernetes 1.12\r
\r

\r

\rAnd if you enjoy keeping up to date with the Kubernetes ecosystem, subscribe to our container newsletter, a monthly email with the coolest stuff happening in the cloud-native ecosystem.\r