Kubernetes 1.22 – What’s new?

By Víctor Jiménez Cerrada - JULY 29, 2021
Topics: Open Source

SHARE:

Facebook logo LinkedIn logo X (formerly Twitter) logo
Kubernetes 1.22 is about to be released, and it comes packed with novelties! Where do we begin?

This release brings 56 enhancements, an increase from 50 in Kubernetes 1.21 and 43 in Kubernetes 1.20. Of those 56 enhancements, 13 are graduating to Stable, a whopping 24 are existing features that keep improving, and 16 are completely new.

It’s great to see so many new features focusing on security, like the replacement for the Pod Security Policies, a rootless mode, and enabling Seccomp by default.

Also, watch out for all the deprecations and removals in this version!

There is plenty to talk about, so let’s get started with what’s new in Kubernetes 1.22.

Kubernetes 1.22 – Editor’s pick:

These are the features that look most exciting to us in this release (ymmv):

#2579 Pod Security Policy replacement

After being deprecated in Kubernetes 1.21, we knew a replacement for Pod Security Policies was on the way, but we didn’t know what it would look like. Now, we are happy to learn that it will be an Admission Controller, reusing part of the existing infrastructure.

Alvaro Iradier – Software Engineer at Sysdig

#2033 Rootless mode containers

Not running containers as root is the No. 1 container security best practice. It’s reassuring that this measure is being taken to the extreme, allowing us to run the entire Kubernetes stack in the user space. This is really gonna make Kubernetes more secure.

Alejandro Villanueva – Product Analyst at Sysdig

#2413 Seccomp by default

If one thing is clear after this Kubernetes release, it’s the shift to security first. Adding this extra layer of security by default will render many potential exploits pointless. Steps like this will absolutely change how people see Kubernetes.

Víctor Jiménez – Content Engineering Manager at Sysdig

#2400 Node swap support

One of those tiny details we like to see on every Kubernetes release, it won’t make headlines, but will make lives much easier. Swap was a given for every developer. By being supported, there’s one thing less to worry about when using Kubernetes.

Michele Zuccala – Director of Open Source Engineering at Sysdig

#2254 #2570 Cgroupsv2

Same as with swap, it’s great to see support for more native Linux features. In this case, Cgroupsv2 is enabling more options for Memory QoS, which (in Kubernetes 1.22) will help avoid performance throttling of workloads running in Kubernetes.

David de Torres – Manager of engineer at Sysdig

Deprecations

Beta API and feature removals

As Kat Cosgrove warned us, a few beta APIs and features have been removed in Kubernetes 1.22, including:

  • Ingress
  • CustomResourceDefinition
  • ValidatingWebhookConfiguration
  • MutatingWebhookConfiguration
  • CertificateSigningRequest

Not deprecated, but removed. That means that you won’t be able to re-enable them with a feature flag. If you are using them, you’ll have to migrate to their stable versions.

Check in the Kubernetes blog for the full list of removals and steps to migrate. And keep the deprecated API migration guide close for the future.

#1558 Streaming proxy redirects deprecation

Feature group: node

The StreamingProxyRedirects feature was initially developed to alleviate request overhead driven by the implementation of the Container Runtime Interface. The rationale was that by bypassing the kubelet, performance wouldn’t take a big hit.

However, with all requests centralized in the apiserver, those theoretical improvements weren’t as important. Also, some security concerns required the implementation of the ValidateProxyRedirects feature.

After being initially deprecated in 1.20, the feature gates have been disabled in 1.22. In Kubernetes 1.24, these features will be removed and the only way to configure container streaming will be by using the local redirect with Kubelet proxy approach. Check the full details in the KEP.

#536 Topology API

Feature group: network

As we mentioned in the last release, the #2433 Topology Aware Hints enhancement will replace the ServiceTopology feature gate that was introduced in Kubernetes 1.17.

#281 DynamicKubeletConfig deprecation

Feature group: node

After being in beta since Kubernetes 1.11, the Kubernetes team has decided to deprecate DynamicKubeletConfig instead of continuing its development.

Kubernetes 1.22 API

#555 Server-side Apply

Stage: Graduating to Stable
Feature group: api-machinery

This feature aims to move the logic away from kubectl apply to the apiserver, fixing most of the current workflow pitfalls and also making the operation accessible directly from the API (for example using curl), without strictly requiring kubectl or a Golang implementation.

Read more in our “Kubernetes 1.14 – What’s new?” article.

#1693 Warnings mechanism

Stage: Graduating to Stable
Feature group: api-machinery

From now on, the API server will include a warning header with deprecation information. This includes when an API was introduced, when it will be deprecated, and when it will be removed.

Read more in our “Kubernetes 1.19 – What’s new?” article.

#2161 Immutable label selectors for all namespaces

Stage: Graduating to Stable
Feature group: api-machinery

A new immutable label kubernetes.io/metadata.name has been added to all namespaces, where its value is the namespace name. This label can be used with any namespace selector, like in the previously mentioned NetworkPolicy objects.

Read more in our “Kubernetes 1.21 – What’s new?” article.

#1040 Priority and Fairness for API Server Requests

Stage: Graduating to Beta
Feature group: api-machinery

The APIPriorityAndFairness feature gate enables a new max-in-flight request handler in the API server. By defining different types of requests with FlowSchema objects and assigning them resources with RequestPriority objects, you can ensure the Kubernetes API server will be responsive for admin and maintenance tasks during high loads.

Read more in our “Kubernetes 1.18 – What’s new?” article.

Apps in Kubernetes 1.22

#2307 Job tracking without lingering Pods

Stage: Graduating to Alpha
Feature group: apps

With this enhancement, Jobs will be able to remove completed pods earlier, freeing resources in the cluster.

The current Job controller tracks completed Jobs by keeping Pods in a lingering state after they finish. Only when the Job is finished are the Pods removed, and the resources freed.

With the new approach, the Job controller will keep track of the completed jobs while allowing the completed Pods to be removed.

Check the KEP to learn the implementation details.

#2599 Add minReadySeconds to Statefulsets

Stage: Graduating to Alpha
Feature group: apps

This enhancement brings to StatefulSets the optional minReadySeconds field that is already available on Deployments, DaemonSets, ReplicasSets, and Replication Controllers.

If declared, a newly created Pod won’t be considered available until their containers stay ready without crashing for the specified number of seconds.

#19 CronJobs

Stage: Graduating to Stable
Feature group: apps

Introduced in Kubernetes 1.4 and in beta since 1.8, CronJobs are finally on the road to becoming Stable.

CronJobs runs periodic tasks in a Kubernetes cluster, similar to cron on UNIX-like systems.

Read more in our “Kubernetes 1.20 – What’s new?” article.

#85 PodDisruptionBudget eviction

Stage: Graduating to Stable
Feature group: apps

Introduced in Kubernetes 1.4 and in beta since 1.5, PodDisruptionBudget finally graduates to Stable.

With this API, you can define a minAvailable number of replicas for a Pod. If you try to voluntarily disrupt a Pod in a way that violates minAvailable value, it won’t be deleted.

While in Kubernetes 1.21 we saw the graduation of PodDisruptionBudget to GA, in Kubernetes 1.22 we see the graduation of the Eviction subresource:

{
  "apiVersion": "policy/v1",
  "kind": "Eviction",
  "metadata": {
    "name": "quux",
    "namespace": "default"
  }
}

#1591 Graduate DaemonSet maxSurge to beta

Stage: Graduating to Beta
Feature group: apps

When performing a rolling update, this enhancement allows specifying how many new Pods will be created to replace the old ones.

This is done via the optional spec.strategy.rollingUpdate.maxSurge field. By assigning an absolute number, you can tell the maximum number of Pods that can be created over the desired number of Pods. The value can also be a percentage of the desired Pods. The default value, to match the previous behavior, is 25 percent.

#2185 Graduate LogarithmicScaleDown to Beta

Stage: Graduating to Beta
Feature group: apps

When the LogarithmicScaleDown feature gate is enabled, a semi-random selection of Pods will be used to downscale ReplicaSets based on logarithmic bucketing of pod timestamps.

Read more in our “Kubernetes 1.21 – What’s new?” article.

#2255 Graduate PodDeletionCost to Beta

Stage: Graduating to Beta
Feature group: apps

You can now annotate Pods with controller.kubernetes.io/pod-deletion-cost=10, with 0 being the default value. When scaling down, a best effort will be made to remove Pods with a lower deletion cost.

Read more in our “Kubernetes 1.21 – What’s new?” article.

#2214 Indexed Job semantics in Job API

Stage: Graduating to Beta
Feature group: apps

Indexed jobs were introduced in Kubernetes 1.21 to make it easier to schedule highly parallelizable Jobs.

This enhancement adds completion indexes into the Pods of a Job with fixed completion count, to support running embarrassingly parallel programs.

This way, it is possible to pass the job index to the Pods via environment variables, or even create indexed jobs where pods can address each other by a hostname built from the index:

[...]
    spec:
      subdomain: my-job-svc
      containers:
      - name: task
        image: registry.example.com/processing-image
        command: ["./process",  "--index", "$JOB_COMPLETION_INDEX", "--hosts-pattern", "my-job-{{.id}}.my-job-svc"]

#2232 add suspend field to Jobs API

Stage: Graduating to Beta
Feature group: apps

Since Kubernetes 1.21, Jobs can be temporarily suspended by setting the .spec.suspend field of the job to true, and resumed later by setting it back to false.

Kubernetes 1.22 Authentication

#2579 Pod Security Policy replacement

Stage: Graduating to Alpha
Feature group: auth

A new PodSecurity admission controller is available to replace the Pod Security Policies deprecated in Kubernetes 1.21.

This new admission controller will be able to enforce Pod Security Standards by namespace. The enforcement can be done at three levels:

  • enforce: Policy violations will cause the pod to be rejected.
  • audit: Policy violations will trigger the addition of an audit annotation, but are otherwise allowed.
  • warn: Policy violations will trigger a user-facing warning, but are otherwise allowed.

It’ll be possible to configure this via the AdmissionConfiguration file:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    defaults:  # Defaults applied when a mode label is not set.
      enforce:         <default enforce policy level>
      enforce-version: <default enforce policy version>
      audit:         <default audit policy level>
      audit-version: <default audit policy version>
      warn:          <default warn policy level>
      warn-version:  <default warn policy version>
    exemptions:
      usernames:         [ <array of authenticated usernames to exempt> ]
      runtimeClassNames: [ <array of runtime class names to exempt> ]
      namespaces:        [ <array of namespaces to exempt> ]

To learn more about the rationale behind this enhancement, and possible new developments, check the KEP.

#541 External client-go credential providers

Stage: Graduating to Stable
Feature group: auth

This enhancement allows Go clients to authenticate using external credential providers, like Key Management Systems (KMS), Trusted Platform Modules (TPM), or Hardware Security Modules (HSM).

Those devices are already used to authenticate against other services, are easier to rotate, and are more secure, as they don’t exist as files on the disk.

Initially introduced on Kubernetes 1.10, this feature concludes the work done in 1.20 and 1.21.

#542 Bound Service Account Token Volumes

Stage: Graduating to Stable
Feature group: auth

The current JSON Web Tokens (JWT) that workloads use to authenticate against the API have some security issues. This enhancement comprises the work to create a more secure API for JWT.

Read more in our “Kubernetes 1.20 – What’s new?” article.

#2784 CSR Duration

Stage: Graduating to Beta
Feature group: auth

Up until now, clients of the Certificates API weren’t able to request a specific duration for an issued certificate.

This duration defaulted to one year for every new certificate, which may be too long for some use cases.

A new ExpirationSeconds field has been added to CertificateSigningRequestSpec, which accepts a minimum value of 600 seconds (10 minutes).

Network in Kubernetes 1.22

#1669 kube-proxy handling terminating endpoints

Stage: Graduating to Alpha
Feature group: network

This enhancement approaches the edge case where Services with externalTrafficPolicy=Local will drop all traffic from a load balancer if the number of endpoints changes to 0. This behavior makes zero downtime rolling updates impossible for such services.

The implemented solution is to send all external traffic on the affected nodes to both ready and not ready terminating endpoints (preferring the ready ones).

To learn more about this edge case and the implementation details, check the KEP.

#2595 Expanded DNS configuration

Stage: Graduating to Alpha
Feature group: network

With this enhancement, Kubernetes allows more DNS search paths, and a longer list of DNS search paths, to keep up with recent DNS resolvers.

After enabling the MaxDNSSearchPathsExpanded feature gate, two DNS configuration limits are changed:

  • MaxDNSSearchPaths jumps from 6 to 32.
  • MaxDNSSearchListChars increases from 256 to 2048.

#752 EndpointSlice API

Stage: Graduating to Stable
Feature group: network

The new EndpointSlice API will split endpoints into several Endpoint Slice resources. This solves many problems in the current API that are related to big Endpoints objects. This new API is also designed to support other future features, like multiple IPs per pod.

Noteworthy in Kubernetes 1.22 is that if an Endpoints resource has more than 1000 endpoints, the cluster annotates them with endpoints.kubernetes.io/over-capacity: truncated, where before it was annotated with endpoints.kubernetes.io/over-capacity: warning.

Read more in our “Kubernetes 1.20 – What’s new?” article.

#1507 AppProtocol field in Services and Endpoints

Stage: Graduating to Stable
Feature group: network

After being stable since 1.20, the ServiceAppProtocol feature gate has now been removed.

Read more in our “Kubernetes 1.18 – What’s new?” article.

#1864 Service Disabling LB Node Ports

Stage: Graduating to Beta
Feature group: network

Some implementations of the LoadBalancer API do not consume the node ports automatically allocated by Kubernetes, like MetalLB or kube-router. However, the API requires a port to be defined and allocated, even if it’s not being used.

When the field allocateLoadBalancerNodePort in Service.Spec is set to false, it will stop allocating new node ports.

Read more in our “Kubernetes 1.20 – What’s new?” article.

#1959 Service LoadBalancer Class

Stage: Graduating to Beta
Feature group: network

This enhancement allows you to leverage multiple Service Type=LoadBalancer implementations in a cluster.

Read more in our “Kubernetes 1.21 – What’s new?” article.

#2079 Network Policy EndPort

Stage: Graduating to Beta
Feature group: network

This enhancement will allow you to define all ports in a NetworkPolicy as a range:

spec:
  egress:
  - ports:
    - protocol: TCP
      port: 32000
      endPort: 32768

Read more in our “Kubernetes 1.21 – What’s new?” article.

#2086 Service InternalTrafficPolicy

Stage: Graduating to Beta
Feature group: network

You can now set the spec.trafficPolicy field on Service objects to optimize your cluster traffic:

  • With Cluster, the routing will behave as usual.
  • When set to Topology, it will use the topology-aware routing.
  • With PreferLocal, it will redirect traffic to services on the same node.
  • With Local, it will only send traffic to services on the same node.

Read more in our “Kubernetes 1.21 – What’s new?” article.

#2365 Namespace Scoped Ingress Class Parameters

Stage: Graduating to Beta
Feature group: network

With this enhancement, you can now specify parameters for an IngressClass with a Namespace scope.

Read more in our “Kubernetes 1.21 – What’s new?” article.

Kubernetes 1.22 nodes

#2033 Rootless mode containers

Stage: Graduating to Alpha
Feature group: node

Not running containers as root is the No. 1 container security best practice.

With this enhancement, Kubernetes goes a step further, allowing you to run the whole Kubernetes stack as a non-root user. This way, if your cluster is compromised, attackers will have a bad time accessing the rest of your infrastructure.

You can run Kubernetes in rootless mode by enabling the KubeletInUserNamespace feature gate and following these instructions.

However, keep in mind that there are plenty of caveats you’ll have to address.

#2254 Cgroupsv2

Stage: Graduating to Alpha
Feature group: node

Cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. It’s v2 API was declared stable more than two years ago, and many Linux distributions are already using it by default.

This enhancement covers the work done to make Kubernetes compatible with Cgroups v2, starting with the configuration files.

Check the new configuration values, as there will be some changes in the ranges of the values. For example cpu.weight values will change from [2-262144] to [1-10000].

This enhancement doesn’t cover enabling the new features in v2 that aren’t available in v1. It also doesn’t cover the deprecation of v1.

#2400 Node swap support

Stage: Graduating to Alpha
Feature group: node

Swap (disk memory in Linux) is not the fastest. However, there are several workloads like Java and Node applications that benefit from it.

This enhancement enables Kubernetes workloads to use swap. For now, the configuration is global for the whole node, and cannot be configured per workload. To use it:

  1. Provision swap on the target worker nodes.
  2. Enable the NodeMemorySwap feature flag on the kubelet.
  3. Set the --fail-on-swap flag to false.
  4. Optionally, allow Kubernetes workloads to use swap by setting MemorySwap.SwapBehavior=UnlimitedSwap in the kubelet config.

Check further implementation details in the KEP.

#2413 Seccomp by default

Stage: Graduating to Alpha
Feature group: node

Kubernetes currently allows you to increase the security of your containers, executing them using a Seccomp profile.

This enhancement will enable this option by default, helping prevent CVEs and zero-day vulnerabilities. You can enable this behavior with the SeccompDefault, which will turn the existing RuntimeDefault profile into the default for any container.

2570 Memory QoS with cgroupsv2

Stage: Graduating to Alpha
Feature group: node

Now that Cgroupsv2 is supported, support for its new features has started.

It’s now possible to configure Memory QoS with the following options:

  • memory.min: Minimum amount of memory the cgroup must always retain.
  • memory.max: The memory usage hard limit, acting as the final protection mechanism.
  • memory.low: The best-effort memory protection, a “soft guarantee” that if the cgroup and all its descendants are below this threshold, the cgroup’s memory won’t be reclaimed unless memory can’t be reclaimed from any unprotected cgroups. Not yet considered for now.
  • memory.high: If a cgroup’s memory use goes over the high boundary specified here, the cgroup’s processes are throttled and put under heavy reclaim pressure.

#2625 New CPU Manager Policies

Stage: Graduating to Alpha
Feature group: node

This enhancement allows the CPU Manager to assign exclusive workloads to specific CPU cores. Isolating workloads per CPU core avoids context and cache switching, which is crucial for latency-sensitive applications.

A new --cpu-manager-policy-options option is available on the CPU Manager. When set to full-pcups-only=true, the node will isolate the workloads per physical CPU cores. Note that it will only accept workloads that use entire CPUs.

#1539 HugePageStorageMediumSize

Stage: Graduating to Stable
Feature group: node

These two enhancements added to the HugePages feature in Kubernetes 1.18 are now stable.

First, the pods are now allowed to request HugePages of different sizes.

And second, container isolation of HugePages has been put in place to solve an issue where a pod could use more memory than requested, ending up in resource starvation.

Read more in our “Kubernetes 1.18 – What’s new?” article.

#1797 Set pod FQDN

Stage: Graduating to Stable
Feature group: node

Now, it’s possible to set a pod’s hostname to its Fully Qualified Domain Name (FQDN), increasing the interoperability of Kubernetes with legacy applications.

After setting hostnameFQDN: true, running uname -n inside a Pod returns foo.test.bar.svc.cluster.local instead of just foo.

This feature was introduced on Kubernetes 1.19, and you can read more details in the enhancement proposal.

#277 Ephemeral Containers

Stage: Graduating to Beta
Feature group: node

Ephemeral containers are a great way to debug running pods. Although you can’t add regular containers to a pod after creation, you can run ephemeral containers with kubectl debug.

Read more in our “Kubernetes 1.16 – What’s new?” article.

#1769 Memory Manager

Stage: Graduating to Beta
Feature group: node

A new Memory Manager component is available in kubelet to guarantee memory and hugepages allocation for pods. It will only act on Pods in the guaranteed QoS class.

Read more in our “Kubernetes 1.21 – What’s new?” article.

#1967 Support to size memory backed volumes

Stage: Graduating to Beta
Feature group: node

When a Pod defines a memory-backed empty dir volume (e.g., tmpfs), not all hosts size this volume equally. For example, a Linux host sizes it to 50 percent of the memory on the host. This new enhancement will size volumes not only with the node allocatable memory in mind, but also with the pod allocatable memory and the emptyDir.sizeLimit field.

Read more in our “Kubernetes 1.20 – What’s new?” article.

#2238 Configurable grace period for probes

Stage: Graduating to Beta
Feature group: node

This enhancement introduces a second terminationGracePeriodSeconds field, inside the livenessProbe object, to differentiate two situations: How much should Kubernetes wait to kill a container under regular circumstances, and when is the kill due to a failed livenessProbe?

Read more in our “Kubernetes 1.21 – What’s new?” article.

Scheduling in Kubernetes 1.22

#785 Scheduler Component Config API

Stage: Graduating to Beta
Feature group: scheduling

ComponentConfig is an ongoing effort to make component configuration more dynamic and directly reachable through the Kubernetes API.

Read more in our “Kubernetes 1.19 – What’s new?” article.

#1923 Honor Nominated node during the new scheduling cycle

Stage: Graduating to Beta
Feature group: scheduling

This feature lets you define a preferred node with the .status.nominatedNodeName field inside a Pod to speed up the scheduling process in large clusters.

Read more in our “Kubernetes 1.21 – What’s new?” article.

#2249 Namespace Selector to Beta

Stage: Graduating to Beta
Feature group: scheduling

By defining node affinity in a deployment, you can constrain which nodes your pod will be scheduled on. For example, deploy on nodes that are already running Pods with a label-value for an example-label.

This enhancement adds a namespaceSelector field so you can specify the namespaces by their labels, rather than their names. With this field, you can dynamically define the set of namespaces.

Read more in our “Kubernetes 1.21 – What’s new?” article.

#2458 A single scoring plugin for node resources

Stage: Graduating to Beta
Feature group: scheduling

Three score plugins of the default scheduler (NodeResourcesLeastAllocated, NodeResourcesMostAllocated and RequestedToCapacityRatio) implement mutually exclusive strategies for preferred resource allocation.

This enhancement simplifies the scheduler by deprecating those plugins and combining them under a single NodeResourcesFit plugin, using a ScoringStrategy property that can be set to LeastAllocated (default), MostAllocated, and RequestedToCapacityRatio.

Kubernetes 1.22 storage

#2317 Delegate FSGroup to CSI Driver instead of Kubelet

Stage: Graduating to Alpha
Feature group: storage

Before a CSI volume is bind mounted inside a container, Kubernetes modifies the volume ownership via fsGroup. For most volume plugins, kubelet does so by recursively chowning and chmoding the files and directories inside a volume. However, chown and chmod are unix primitives, so they are not available to some CSI drivers, like AzureFile.

This enhancement proposes providing the CSI driver with the fsgroup of the pods as an explicit field, so it can be the CSI driver applying this natively on mount time.

This behavior can be enabled with the DelegateFSGroupToCSIDriver feature gate, for drivers supporting the VOLUME_MOUNT_GROUP NodeServiceCapability. The fsGroup should be specified in the securityContext.

#2485 New RWO access mode

Stage: Graduating to Alpha
Feature group: storage

With this enhancement, it’s possible to access PersistenVolumes in a ReadWriteOncePod mode, restricting access to a single pod on a single node.

While the existing ReadWriteOnce, access mode restricts access to a single node, but allows simultaneous access from many pods on that node.

The new mode is ideal for maintenance tasks in PersistenVolumes.

#2047 CSIServiceAccountToken

Stage: Graduating to Stable
Feature group: storage

With this enhancement, CSI drivers will be able to request the service account tokens from Kubelet to the NodePublishVolume function. Kubelet will also be able to limit what tokens are available to which driver. And finally, the driver will be able to re-execute NodePublishVolume to remount the volume by setting RequiresRepublish to true.

This last feature will come in handy when the mounted volumes can expire and need a re-login. For example, a secrets vault.

Read more in our “Kubernetes 1.20 – What’s new?” article.

#1495 Volume Populator DataSource

Stage: Graduating to Beta
Feature group: storage

Introduced in Kubernetes 1.18, this enhancement establishes the foundations that will allow users to create pre-populated volumes. For example, pre-populating a disk for a virtual machine with an OS image, or enabling data backup and restore.

To accomplish this, the current validations on the DataSource field of persistent volumes will be lifted, allowing it to set arbitrary objects as values. Implementation details on how to populate volumes are delegated to purpose-built controllers.

Windows support in Kubernetes 1.22

#1981 Windows Privileged Containers

Stage: Graduating to Alpha
Feature group: windows

This enhancement brings the privileged containers feature available in Linux to Windows hosts.

Privileged containers have access to the host, as if they were running directly on it. Although they are not recommended for most of the workloads, they are quite useful for administration, security, and monitoring purposes.

If your cluster has the WindowsHostProcessContainers feature enabled, you can create a Windows HostProcess pod by setting the windowsOptions.hostProcess flag on the security context of the pod spec. All containers in these pods must run as Windows HostProcess containers.

#1122 Support CSI Plugins in Windows

Stage: Graduating to Stable
Feature group:
windows

Container Storage Interface plugins were created to allow the development of third-party storage volume systems.

Since Kubernetes 1.16, Windows nodes are able to use the existing CSI plugins. Now this feature is Stable.

Other enhancements in Kubernetes 1.22

#647 API Server Tracing

Stage: Graduating to Alpha
Feature group: instrumentation

This enhancement improves the API Server to allow tracing requests using OpenTelemetry libraries, and the OpenTelemetry format.

You can enable the tracing via the APIServerTracing feature gate and by launching the apiserver with --tracing-config-file=<path-to-config>, where the config file would look like:

apiVersion: apiserver.config.k8s.io/v1alpha1
kind: TracingConfiguration
# default value
#endpoint: localhost:4317
samplingRatePerMillion: 100

#2568 Run control-plane as non-root in kubeadm

Stage: Graduating to Alpha
Feature group: cluster-lifecycle

Related to #2033 Rootless mode containers, this enhancement summarizes the work to be able to run the control plane in kubeadm as non-root.

#970 kubeadm: graduate the kubeadm configuration

Stage: Graduating to Beta
Feature group: cluster-lifecycle

Over time, the number of options to configure the creation of a Kubernetes cluster has greatly increased in the kubeadm config file, while the number of CLI parameters has been kept the same. As a result, the config file is the only way to create a cluster with several specific use cases.

The goal of this feature is to redesign how the config is persisted, improving the current version and providing a better support for high availability clusters using substructures instead of a single flat file with all the options.

Read more in our “Kubernetes 1.15 – What’s new?” article.

#2436 Leader Migration for Cloud Controller Managers

Stage: Graduating to Beta
Feature group: cloud-provider

As we’ve been discussing for a while, there is an active effort to move code specific to cloud providers outside of the Kubernetes core code (from in-tree to out-of-tree).

This enhancement establishes a migration process for sters with strict requirements on control plane availability.

Read more in our “Kubernetes 1.21 – What’s new?” article.

#859 Include kubectl command metadata in http request headers

Stage: Graduating to Beta
Feature group: cli

From now on, kubectl will include additional HTTP headers in the requests to the API server. By knowing what kubectl command triggered a given request, administrators will have useful information to aid in troubleshooting and enforcing best practices.

Read more in our “Kubernetes 1.21 – What’s new?” article.


That’s all for Kubernetes 1.22, folks! Exciting as always; get ready to upgrade your clusters if you are intending to use any of these features.

If you liked this, you might want to check out our previous ‘What’s new in Kubernetes’ editions:

And if you enjoy keeping up to date with the Kubernetes ecosystem, subscribe to our container newsletter, a monthly email with the coolest stuff happening in the cloud-native ecosystem.

Subscribe and get the latest updates