Kubernetes v1.24 Stargazer: What's new?

Introduction

Kubernetes v1.24 was released on May 24, 2022. In this article, we will go through the notable changes, improvements, breaking removals, and deprecations. It should give you all the information you need to prepare your cluster for this upgrade.

Significant Changes

1. Complete removal of Dockershim component

Docker was the default container runtime in earlier versions of Kubernetes. To talk to it, the Kubernetes team developed a component called Dockershim, a temporary bridge that allowed communication between Docker and Kubernetes.

However, the Kubernetes team also wanted to support other container runtimes, to make Kubernetes more extensible and give users more options. So the team developed the CRI (Container Runtime Interface), which lets any container runtime work with Kubernetes as long as it adheres to the requirements set by the interface. Long story short, the Kubernetes team deprecated the Dockershim component in v1.20 and removed it completely in v1.24.

So what does this mean for you? If you have an existing Kubernetes cluster that uses Docker Engine to run containers through Dockershim, you will most likely be affected when you upgrade to v1.24.

However, it is not as bad as it sounds. Popular container runtimes also follow another standard, the Open Container Initiative (OCI), which ensures cross-compatibility for containers across all OCI-compliant runtimes.

For more details about the migration and removal of Dockershim, you can check out this blog here.

2. Newly created service accounts no longer automatically create secrets

The LegacyServiceAccountTokenNoAutoGeneration feature gate is now in beta and enabled by default.

In earlier versions, creating a new service account automatically created a non-expiring secret of type kubernetes.io/service-account-token. In v1.24, these secrets are no longer generated automatically, and tokens are instead issued through the TokenRequest API. This is more secure because those tokens expire. You can still create a secret of type kubernetes.io/service-account-token and annotate it with your service account's name, but keep in mind the security risk of doing so: such a token never expires.
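As an added example (not from the article), the check a cluster operator would run after this change: inspect the claims of a service account token to tell a legacy, non-expiring secret-based token from a TokenRequest token, and list the Secrets of type kubernetes.io/service-account-token that still exist as standing credentials. The tokens and Secret objects below are constructed sample data with placeholder signatures; the code only decodes claims and verifies nothing.

```python
import base64
import json

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Assemble a JWT-shaped string (header.payload.signature) from claims; demo data only."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def token_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without checking its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token(token: str) -> str:
    """Legacy secret-based tokens carry no 'exp' claim; TokenRequest tokens always do."""
    return "bound-expiring" if "exp" in token_claims(token) else "legacy-non-expiring"


def legacy_token_secrets(items: list) -> list:
    """From a list of Secret objects, report each one that holds a service account token."""
    report = []
    for secret in items:
        if secret.get("type") != SA_TOKEN_TYPE:
            continue
        meta = secret["metadata"]
        sa_name = meta.get("annotations", {}).get(SA_NAME_ANNOTATION, "<unannotated>")
        encoded = secret.get("data", {}).get("token")
        # The token controller fills data.token in; until then the secret is pending.
        kind = classify_token(base64.b64decode(encoded).decode()) if encoded else "pending"
        report.append((meta["namespace"], meta["name"], sa_name, kind))
    return report


# Constructed sample: a manually created legacy token secret (claim layout of the
# old tokens), an unrelated Opaque secret, and a bound token as TokenRequest issues it.
LEGACY_TOKEN = make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "ci",
    "kubernetes.io/serviceaccount/service-account.name": "deploy-bot",
    "sub": "system:serviceaccount:ci:deploy-bot",
})
BOUND_TOKEN = make_token({
    "aud": ["https://kubernetes.default.svc"],
    "iat": 1653350400,
    "exp": 1653354000,  # one hour after issuance
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {"namespace": "ci", "serviceaccount": {"name": "deploy-bot"}},
    "sub": "system:serviceaccount:ci:deploy-bot",
})
SAMPLE_SECRETS = [
    {
        "metadata": {"name": "deploy-bot-token", "namespace": "ci",
                     "annotations": {SA_NAME_ANNOTATION: "deploy-bot"}},
        "type": SA_TOKEN_TYPE,
        "data": {"token": base64.b64encode(LEGACY_TOKEN.encode()).decode()},
    },
    {
        "metadata": {"name": "registry-creds", "namespace": "ci"},
        "type": "Opaque",
        "data": {"password": base64.b64encode(b"not-a-token").decode()},
    },
]

if __name__ == "__main__":
    for row in legacy_token_secrets(SAMPLE_SECRETS):
        print("standing token secret: ns=%s secret=%s sa=%s (%s)" % row)
    print("TokenRequest token:", classify_token(BOUND_TOKEN))
```

In a real cluster the input list would come from the Secrets API; every hit is a credential that stays valid until the Secret is deleted, which is the risk the feature gate removes by default.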

3. Beta APIs Off by Default

Beta APIs are now disabled by default. Because beta APIs are not yet considered stable, relying on them can cause issues for users setting up a new Kubernetes cluster or upgrading to a more recent version, and it exposes them to breaking bugs if they depend on a particular API that is not yet fully released.

Should you choose to enable a beta API anyway, you can do so by passing the appropriate --runtime-config flags to the kube-apiserver.

4. New metrics for monitoring: OOM (Out of Memory) Events

Part of maintaining a Kubernetes cluster is knowing what is happening under the hood through monitoring. In version 1.24, the kubelet exposes a new metric, container_oom_events_total. It counts all OutOfMemory events that have occurred, which gives better insight into whether your nodes can meet the resources your pods need.
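As an added example (not from the article), the detection logic a practitioner would run over two kubelet scrapes of container_oom_events_total: parse the Prometheus text format and report the containers whose counter grew, treating a counter that went down as a kubelet restart. The scrape lines are constructed, and the label set (namespace, pod, container) is an assumption about how the kubelet labels this series.

```python
import re

OOM_METRIC = "container_oom_events_total"

# Prometheus text exposition: metric_name{label="value",...} sample_value
_SAMPLE_RE = re.compile(
    r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)'
)
_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_oom_counters(exposition: str) -> dict:
    """Map (namespace, pod, container) -> OOM event count from one kubelet scrape.

    Comment lines and every other metric are skipped."""
    counters = {}
    for line in exposition.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _SAMPLE_RE.match(line)
        if not match or match.group("name") != OOM_METRIC:
            continue
        labels = dict(_LABEL_RE.findall(match.group("labels") or ""))
        key = (labels.get("namespace", ""), labels.get("pod", ""), labels.get("container", ""))
        counters[key] = float(match.group("value"))
    return counters


def oom_increases(previous: dict, current: dict) -> dict:
    """Containers whose counter rose between two scrapes, mapped to the number of new kills.

    The metric is a monotonic counter, so a value below the previous one means the
    kubelet restarted and the counter reset; every event since the reset is then new."""
    alerts = {}
    for key, now in current.items():
        before = previous.get(key, 0.0)
        delta = now - before if now >= before else now
        if delta > 0:
            alerts[key] = int(delta)
    return alerts


# Constructed scrapes, as if taken from the kubelet's metrics endpoint a minute apart.
SCRAPE_T0 = """\
# HELP container_oom_events_total Count of out of memory events observed for the container
# TYPE container_oom_events_total counter
container_oom_events_total{container="api",namespace="shop",pod="api-7c9d-x1"} 0
container_oom_events_total{container="worker",namespace="shop",pod="worker-5f-a2"} 2
kubelet_running_pods 12
"""
SCRAPE_T1 = """\
container_oom_events_total{container="api",namespace="shop",pod="api-7c9d-x1"} 0
container_oom_events_total{container="worker",namespace="shop",pod="worker-5f-a2"} 5
container_oom_events_total{container="cache",namespace="shop",pod="cache-0"} 1
kubelet_running_pods 13
"""

if __name__ == "__main__":
    new_kills = oom_increases(parse_oom_counters(SCRAPE_T0), parse_oom_counters(SCRAPE_T1))
    for (namespace, pod, container), count in sorted(new_kills.items()):
        print(f"{namespace}/{pod} container={container}: {count} new OOM kill(s)")
```

A series that appears for the first time (cache-0 above) is reported from zero, so a freshly scheduled pod that is killed on its first run is not missed.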

5. The Master label will no longer be present in kubeadm control plane nodes

In previous versions, a control plane node created through kubeadm held the label node-role.kubernetes.io/master along with other labels by default. The new version no longer sets this label but still includes node-role.kubernetes.io/control-plane. The change may seem minor, but if your setup relies on the control plane labels for pod scheduling, it can significantly affect you.

6. VolumeSnapshot CRD to move up to General Availability (GA)

VolumeSnapshot is a snapshot-and-restore feature built into Kubernetes and the Container Storage Interface (CSI). In v1.24, VolumeSnapshot is no longer served under the v1beta1 API version but instead under v1.

7. New option to PriorityClasses: NonPreemptingPriority

This option enables or disables preemption during pod scheduling. Preemption means the cluster can evict other pods (to free up resources) to make way for higher-priority pods.

PriorityClasses define the scheduling priority of pods in the cluster. You use this new feature by setting preemptionPolicy to Never: a pod with such a priority class will not cause other pods to be evicted; instead, it waits until there are enough resources to schedule it.

8. Support for OpenAPI v3

Support for OpenAPI v3 is in beta in Kubernetes v1.24. Calling the /openapi/v3 endpoint returns the group/versions available. Since this is a beta feature, you can enable or disable it through the --feature-gates flag of the kube-apiserver.

9. New optional feature: ServiceIPStaticSubrange

Starting with Kubernetes v1.24, a new feature gate called ServiceIPStaticSubrange is available in the kube-apiserver.

Turning on this feature improves the IP allocation strategy for your Services, resulting in fewer IP conflicts in your cluster. For more details about the formula and the method the feature uses, you can check out this blog here.
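As an added example (not from the article), the band split that the feature gate introduces, worked through in code. The sizing formula min(max(16, range_size / 16), 256) comes from the Kubernetes enhancement proposal and documentation for this feature, not from this article: the lowest addresses of the Service CIDR form a static band that dynamic allocation avoids, so a manually chosen ClusterIP in that band no longer collides with an automatically assigned one. Assumptions in the code: the first allocatable address is the network address plus one, and the IPv4 broadcast address is excluded.

```python
import ipaddress


def static_band_size(service_cidr: str) -> int:
    """Addresses at the bottom of the range kept for static ClusterIPs:
    min(max(16, range_size / 16), 256), per the enhancement proposal."""
    size = ipaddress.ip_network(service_cidr, strict=True).num_addresses
    return min(max(16, size // 16), 256)


def service_ip_bands(service_cidr: str) -> dict:
    """Split a Service CIDR into its static (lower) and dynamic (upper) bands.

    Assumes allocation starts at network address + 1 and skips the IPv4 broadcast address."""
    net = ipaddress.ip_network(service_cidr, strict=True)
    first = net.network_address + 1
    last = net.broadcast_address - 1 if net.version == 4 else net.broadcast_address
    band = static_band_size(service_cidr)
    return {
        "static_size": band,
        "static": (str(first), str(first + band - 1)),
        "dynamic": (str(first + band), str(last)),
    }


def allocation_band(service_cidr: str, cluster_ip: str) -> str:
    """Which band an address falls in. With the gate on, the allocator only hands out
    dynamic band addresses until that band is exhausted, so a static ClusterIP chosen
    from the lower band is safe from collisions."""
    net = ipaddress.ip_network(service_cidr, strict=True)
    ip = ipaddress.ip_address(cluster_ip)
    if ip not in net:
        raise ValueError(f"{cluster_ip} is outside {service_cidr}")
    offset = int(ip) - int(net.network_address) - 1
    return "static" if 0 <= offset < static_band_size(service_cidr) else "dynamic"


if __name__ == "__main__":
    # 10.96.0.0/12 is the kubeadm default Service CIDR; the others are constructed sizes.
    for cidr in ("10.96.0.0/12", "10.96.0.0/22", "10.96.0.0/24"):
        bands = service_ip_bands(cidr)
        print(f"{cidr}: static {bands['static']} ({bands['static_size']} addresses), "
              f"dynamic {bands['dynamic']}")
    print("10.96.0.10 in 10.96.0.0/12 ->", allocation_band("10.96.0.0/12", "10.96.0.10"))
```

For the default /12 range the static band is the first 256 allocatable addresses; for a /24 it shrinks to the 16-address floor, and the formula never exceeds 256 however large the range.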

10. Contextual logging is now in Alpha

Contextual logging is a new alpha feature that can be enabled through the ContextualLogging feature gate. It lets you modify the logging mechanism of the Kubernetes client libraries, giving you the ability to get more information from the logs. It is primarily useful for developers who build applications that integrate with Kubernetes.

Summary of API Deprecations and Removals

Kube-apiserver

  • The flags --address, --insecure-bind-address, --port and --insecure-port are now removed.
  • The flags --master-count and --endpoint-reconciler-type=master-count are now deprecated.
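As an added example (not part of the article), a pre-upgrade audit over a constructed set of manifests that covers two items on this page: section 5's warning about workloads that pin scheduling to node-role.kubernetes.io/master, and the kube-apiserver flags listed above as removed or deprecated. Manifest names, images and addresses are constructed; the flag check assumes the --flag=value argument form that kubeadm writes into its static pod manifest.

```python
MASTER_LABEL = "node-role.kubernetes.io/master"
CONTROL_PLANE_LABEL = "node-role.kubernetes.io/control-plane"
REMOVED_APISERVER_FLAGS = {"--address", "--insecure-bind-address", "--port", "--insecure-port"}


def pod_spec(obj: dict) -> dict:
    """Return the PodSpec of a Pod, or of a workload's pod template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def _mentions_master(exprs: list) -> bool:
    return any(e.get("key") == MASTER_LABEL for e in exprs)


def master_label_refs(obj: dict) -> list:
    """Label-based scheduling fields that still point at the label kubeadm stops setting."""
    spec = pod_spec(obj)
    refs = []
    if MASTER_LABEL in spec.get("nodeSelector", {}):
        refs.append("spec.nodeSelector")
    node_affinity = spec.get("affinity", {}).get("nodeAffinity", {})
    required = node_affinity.get("requiredDuringSchedulingIgnoredDuringExecution", {})
    for i, term in enumerate(required.get("nodeSelectorTerms", [])):
        if _mentions_master(term.get("matchExpressions", [])):
            refs.append(f"spec.affinity.nodeAffinity.required.nodeSelectorTerms[{i}]")
    for i, pref in enumerate(node_affinity.get("preferredDuringSchedulingIgnoredDuringExecution", [])):
        if _mentions_master(pref.get("preference", {}).get("matchExpressions", [])):
            refs.append(f"spec.affinity.nodeAffinity.preferred[{i}]")
    return refs


def apiserver_flag_issues(obj: dict) -> list:
    """Flags on a kube-apiserver container that v1.24 removed or deprecated.

    Assumes the --flag=value form; a bare '--flag value' pair is matched on the flag only."""
    issues = []
    for container in pod_spec(obj).get("containers", []):
        argv = list(container.get("command", [])) + list(container.get("args", []))
        if not argv or not argv[0].endswith("kube-apiserver"):
            continue
        for arg in argv[1:]:
            flag, _, value = arg.partition("=")
            if flag in REMOVED_APISERVER_FLAGS:
                issues.append(f"{flag} removed in v1.24")
            elif flag == "--master-count" or (flag == "--endpoint-reconciler-type" and value == "master-count"):
                issues.append(f"{arg} deprecated in v1.24")
    return issues


def audit(objects: list) -> list:
    """One (kind/name, finding) row per problem found across the manifests."""
    rows = []
    for obj in objects:
        ident = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
        rows += [(ident, f"references {MASTER_LABEL} in {ref}") for ref in master_label_refs(obj)]
        rows += [(ident, issue) for issue in apiserver_flag_issues(obj)]
    return rows


# Constructed manifests: two workloads pinned to the old label, a kube-apiserver static
# pod carrying removed and deprecated flags, and one workload already on the new label.
SAMPLE_MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "cluster-autoscaler"},
     "spec": {"template": {"spec": {"nodeSelector": {MASTER_LABEL: ""},
                                    "containers": [{"name": "autoscaler", "image": "example.invalid/autoscaler"}]}}}},
    {"apiVersion": "apps/v1", "kind": "DaemonSet", "metadata": {"name": "control-plane-exporter"},
     "spec": {"template": {"spec": {"affinity": {"nodeAffinity": {
         "requiredDuringSchedulingIgnoredDuringExecution": {"nodeSelectorTerms": [
             {"matchExpressions": [{"key": MASTER_LABEL, "operator": "Exists"}]}]}}},
         "containers": [{"name": "exporter", "image": "example.invalid/exporter"}]}}}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "kube-apiserver-cp1"},
     "spec": {"containers": [{"name": "kube-apiserver", "image": "example.invalid/kube-apiserver",
                              "command": ["kube-apiserver", "--advertise-address=10.0.0.10", "--insecure-port=0",
                                          "--endpoint-reconciler-type=master-count", "--master-count=1"]}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "already-migrated"},
     "spec": {"template": {"spec": {"nodeSelector": {CONTROL_PLANE_LABEL: ""},
                                    "containers": [{"name": "app", "image": "example.invalid/app"}]}}}},
]

if __name__ == "__main__":
    for ident, finding in audit(SAMPLE_MANIFESTS):
        print(f"{ident}: {finding}")
```

Tolerations are deliberately not inspected: they refer to taints, and this page only documents the label change, so a toleration for the master taint is not by itself a scheduling break on v1.24.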

Kubeadm

  • The master label is no longer present in new kubeadm clusters.

Kubelet

  • The --pod-infra-container-image flag is now deprecated.

Services

  • Service.Spec.LoadBalancerIP is now deprecated.
  • The service.alpha.kubernetes.io/tolerate-unready-endpoints annotation is now deprecated. Use Service.spec.publishNotReadyAddresses instead.

Others

  • The DynamicKubeletConfig flag is removed.
  • The experimental Dynamic Log Sanitization feature is deprecated and removed.
  • Dockershim (the compatibility layer for Docker) is removed.
  • The VolumeSnapshot v1beta1 CRD is removed. Use v1 instead.
  • The CSIStorageCapacity API is now stable and usable with v1.
  • Pod affinity NamespaceSelector is now stable and can be used with the v1 apiVersion.
  • The CertificateSigningRequest API field spec.expirationSeconds is now GA.
  • The CronJob resource now has the API field spec.timeZone, which lets you set a time zone different from the one used by kube-controller-manager.

Conclusion

Kubernetes v1.24 brings significant changes and removals that may change how you interact with your cluster. Usually, you want to run the latest stable version of Kubernetes, but some people might want to hold off on the update until they are fully prepared for the changes.

If you are planning to upgrade to this version of Kubernetes and wish to find out the full details about the update, be sure to check these resources:

There is a great demand in the job market for IT professionals who are proficient in container technologies thanks to Kubernetes.

And it is never too late to start learning! Go from beginner to certified expert by following these courses: