immutable: true
), kubelet no longer watches the changes of these objects and mounts them to the container again to reduce the load of apiserver. This feature enters GA in 1.21.SeccompDefault
alpha feature in 1.22. According to the --seccomp-default
parameter and setting, kubelet will use the RuntimeDefault
seccomp setting instead of Unconfined
, improving the security of workloads.NodeResourcesFit
, which is used to replace three plug-ins: NodeResourcesLeastAllocated
, NodeResourcesMostAllocated
, and RequestedToCapacityRatio
.APIServerTracing
is enabled, apiserver supports distributed tracing and allows users to use the --service-account-issuer
parameter to set multiple issuers. In addition, apiserver can provide uninterrupted service when issuers are changed.Service TopologyKeys
is deprecated and replaced with Topology Aware Hints
.net.ipv4.conf.all.route_localnet=1
will not be automatically set in IPVS mode. For upgraded nodes, net.ipv4.conf.all.route_localnet=1
will be retained. But for new nodes, the default system value (usually 0
) is inherited.--cleanup-ipvs
parameter is deleted and can be replaced with the --cleanup
parameter.--horizontal-pod-autoscaler-use-rest-clients
parameter is removed.--port
and --address
parameters become invalid and will be removed in 1.24.--hard-pod-affinity-symmetric-weight
and --scheduler-name
parameters are removed in 1.22, and instead, these information can be configured in the config
file.DynamicKubeletConfig
feature is deprecated and is disabled by default. If the --dynamic-config-dir
parameter is set when kubelet is started, an alarm will be reported.--feature-gates="CronJobControllerV2=true"
in kube-controller -manager
to enable the new version. The new version will be enabled by default on later Kubernetes versions.InfoS
and ErrorS
.
The --logging-format
parameter is added to all components, and its default value is text
in the previous format. You can set it to json
to support structured logs, and the following parameters will become invalid: --add_dir_header
, --alsologtostderr
, --log_backtrace_at
, --log_dir
, --log_file
, --log_file_max_size
, --logtostderr
, --skip_headers
, --skip_log_headers
, --stderrthreshold
, --vmodule
, and --log-flush-frequency
.timeoutSeconds
field was not respected for exec probes. Instead, probes would run indefinitely, even past their configured deadline, until a result was returned. With this change, the default value of 1 second
will be applied if a value is not specified and existing Pod definitions may no longer be sufficient if a probe takes longer than one second. A feature gate, called ExecProbeTimeout
, has been added with this fix that enables you to revert to the previous behavior, but this will be locked and removed in subsequent releases. In order to revert to the previous behavior, you should set this feature gate to false
.
For more information, see Configure Liveness, Readiness and Startup Probes.kubectl alpha debug
command graduates to beta, becoming kubectl debug
. It supports common debugging workflows directly from kubectl, for example:EphemeralContainers
) are an alpha feature that are not enabled by default.)kubectl debug
takes priority over any kubectl plugin named debug
. You need to rename the affected plugins.
kubectl alpha debug
is now deprecated and will be removed in a subsequent release. Update your scripts to use kubectl debug
. For more information, see Debug Running Pods.kube-apiserver
to categorize incoming requests by priority.SupportNodePidsLimit
(node-to-Pod PID isolation) and SupportPodPidsLimit
(ability to limit PIDs per Pod) move to GA.GracefulNodeShutdown
feature is now in alpha on Kubernetes 1.20. It makes the kubelet aware of node system shutdowns, enabling graceful termination of Pods during a system shutdown.fsGroupPolicy
field to control whether ownership and permissions (ReadWriteOnceWithFSType
, File
, and None
) can be modified during mounting.PodFSGroupChangePolicy
= OnRootMismatch
.node.k8s.io/v1beta1
is deprecated and replaced with node.k8s.io/v1
.networking.k8s.io/v1beta1
is deprecated (it will be removed on Kubernetes 1.22) and replaced by networking.k8s.io/v1
.seccomp.security.alpha.kubernetes.io/pod
and container.seccomp.security.alpha.kubernetes.io/...
are deprecated (they will be removed on Kubernetes 1.22). You can directly specify the following fields for Pods and container specs:securityContext:seccompProfile:type: RuntimeDefault|Localhost|Unconfined ## choose one of the threelocalhostProfile: my-profiles/profile-allow.json ## only necessary if type == Localhost
certificates.k8s.io/v1beta1
, the certificates.k8s.io/v1
version is added to CertificateSigningRequest
. When using certificates.k8s.io/v1
:spec.signerName
and stop using kubernetes.io/legacy-unknown
.spec.usages
, which can contain only known and unique usages.status.conditions[*].status
.status.certificate
must be PEM encoded and can contain only the CERTIFICATE
block.Deprecated Version | New Version |
apiextensions.k8s.io/v1beta1 | apiextensions.k8s.io/v1 |
apiregistration.k8s.io/v1beta1 | apiregistration.k8s.io/v1 |
authentication.k8s.io/v1beta1 | authentication.k8s.io/v1 |
authorization.k8s.io/v1beta1 | authorization.k8s.io/v1 |
autoscaling/v2beta1 | autoscaling/v2beta2 |
coordination.k8s.io/v1beta1 | oordination.k8s.io/v1 |
storage.k8s.io/v1beta1 | storage.k8s.io/v1 |
componentstatus
API is deprecated. This API provided status of etcd, kube-scheduler and kube-controller-manager components, but only worked when those components were local to apiserver, and when kube-scheduler and kube-controller-manager exposed unsecured health endpoints.
After this API is deprecated, etcd health is included in the kube-apiserver health check and kube-scheduler/kube-controller-manager health checks can be made directly against those components' health endpoints.--address
and --insecure-bind-address
parameters can be set, but are invalid. The --port
and --insecure-port
parameters can be set to only 0
. These parameters will be removed on Kubernetes 1.24.TokenRequest
and TokenRequestProjection
graduate to GA. You need to set the following parameters for kube-apiserver:--service-account-issuer
: Fixed URL of the cluster API server.--service-account-key-file
: One or multiple public keys for token verification.--service-account-signing-key-file
: Private key for service account issuing, which can use the same file as the --service-account-private-key-file
parameter of kube-controller-manager
.--seccomp-profile-root
--cloud-provider
and --cloud-config
, which are replaced with config
--really-crash-for-testing
and --chaos-chance
metrics/resource/v1alpha1
endpoint is removed and replaced with metrics/resource
.failure-domain.beta.kubernetes.io/zone
and failure-domain.beta.kubernetes.io/region
labels are deprecated and replaced with topology.kubernetes.io/zone
and topology.kubernetes.io/region
respectively. All users of the failure-domain.beta...
labels should switch to the topology...
equivalents.basic auth
authentication method is no longer supported.Deprecated Label | New Label |
beta.kubernetes.io/instance-type | node.kubernetes.io/instance-type |
failure-domain.beta.kubernetes.io/region | topology.kubernetes.io/region |
failure-domain.beta.kubernetes.io/zone | topology.kubernetes.io/zone |
VolumeSnapshotDataSource
is enabled by default. For more information, see Kubernetes 1.17 Feature: Kubernetes Volume Snapshot Moves to Beta.IngressClass
resource is used to describe a type of Ingress within a Kubernetes cluster. Ingresses
can specify the class they are associated with by using a new ingressClassName
field on Ingresses. This new resource and field replace the deprecated kubernetes.io/ingress.class
annotation.kubectl debug
: Alpha feature.Windows CSI support
: Alpha feature.ImmutableEphemeralVolumes
: Alpha feature (it supports immutable ConfigMaps and Secrets without refreshing the corresponding volumes).ScheduleDaemonSetPods
TaintNodesByCondition
WatchBookmark
NodeLease
CSINodeInfo
VolumeSubpathEnvExpansion
AttachVolumeLimit
ResourceQuotaScopeSelectors
VolumePVCDataSource
TaintBasedEvictions
BlockVolume
、CSIBlockVolume
Windows RunAsUserName
EndpointSlices
: Disabled by defaultCSIMigrationAWS
: Disabled by defaultStartupProbe
EvenPodsSpread
GCERegionalPersistentDisk
EnableAggregatedDiscoveryTimeout
PersistentLocalVolumes
CustomResourceValidation
CustomResourceSubresources
CustomResourceWebhookConversion
CustomResourcePublishOpenAPI
CustomResourceDefaulting
system:csi-external-provisioner
system:csi-external-attacher
10.0.0.0/24
) is deprecated. It must be set through the --service-cluster-ip-range
parameter on kube-apiserver.rbac.authorization.k8s.io/v1alpha1
and rbac.authorization.k8s.io/v1beta1
API groups are deprecated and will be removed on Kubernetes 1.20. Therefore, migrate your resources to rbac.authorization.k8s.io/v1
.CSINodeInfo
feature gate is deprecated. This feature has graduated to GA and is enabled by default.--encryption-provider-config
: If cacheSize: 0
is specified in the configuration file, versions earlier than 1.18 are automatically configured to cache 1,000 keys, while version 1.18 will report a configuration verification error. You can disable the cache by setting cacheSize
to a negative value.--feature-gates
: The following features are enabled by default and can no longer be configured through the command line.PodPriority
TaintNodesByCondition
ResourceQuotaScopeSelectors
ScheduleDaemonSetPods
apps/v1beta1
and apps/v1beta2
, which are replaced with apps/v1
.extensions/v1beta1
:daemonsets
, deployments
and replicasets
, which are replaced with apps/v1
.networkpolicies
, which is replaced with networking.k8s.io/v1
.podsecuritypolicies
, which is replaced with policy/v1beta1
.--enable-cadvisor-endpoints
: This parameter is disabled by default. To access the cAdvisor v1 JSON
API, you must enable it.--redirect-container-streaming
parameter is deprecated and will be removed on later versions. Kubernetes 1.18 supports only the default behavior (kubelet proxy for streaming requests). If --redirect-container-streaming=true
is set, it must be removed./metrics/resource/v1alpha1
endpoint is deprecated and replaced with /metrics/resource
.--healthz-port
is deprecated and replaced with --healthz-bind-address
.--metrics-port
is deprecated and replaced with --metrics-bind-address
.EndpointSliceProxying
feature gate (disabled by default) is added to control whether to enable EndpointSlices in kube-proxy. The EndpointSlice
feature gate no longer affects the behaviors of kube-proxy.--ipvs-tcp-timeout
--ipvs-tcpfin-timeout
--ipvs-udp-timeout
scheduling_duration_seconds
metric is deprecated.scheduling_algorithm_predicate_evaluation_seconds
is deprecated and replaced with framework_extension_point_duration_seconds[extension_point="Filter"]
.scheduling_algorithm_priority_evaluation_seconds
is deprecated and replaced with framework_extension_point_duration_seconds[extension_point="Score"]
.AlwaysCheckAllPredicates
is deprecated in the scheduler policy API.kube-apiserver
, kube-controller-manager
and kube-scheduler
, profiling is enabled by default. To disable profiling, specify the --enable-profiling=false
parameter.--include-uninitialized
parameter is removed.kubectl
and k8s.io/client-go
no longer use http://localhost:8080 as the default apiserver address.kubectl run
supports Pod creation and no longer supports using the deprecated generator to create other types of resources.kubectl rolling-update
command is removed and replaced with the rollout
command.–dry-run
supports three parameter values: client
, server
, and none
.–dry-run=server
supports the following commands: apply
, patch
, create
, run
, annotate
, label
, set
, autoscale
, drain
, rollout undo
, and expose
.kubectl alpha debug
command is added, which can be used for debugging and troubleshooting on ephemeral containers in Pods (the EphemeralContainers
feature introduced on version 1.16 needs to be enabled).kubeadm init
and kubeadm join
commands to configure and deploy an HA control plane. Certificate management has become more robust, with kubeadm now seamlessly rotating all your certificates (on upgrades) before they expire. For more information, see Ability to create dynamic HA clusters with kubeadm and kubeadm: graduate the kubeadm configuration.DataSource
when configuring a new volume. If the underlying storage system supports this functionality and implements the CLONE_VOLUME
capability in its CSI driver, then the new volume becomes a clone of the source volume. For more information, see In-tree storage plugin to CSI Driver Migration.CRD
Admission Webhook
GCERegionalPersistentDisk
CustomResourcePublishOpenAPI
CustomResourceSubresources
CustomResourceValidation
CustomResourceWebhookConversion
kubernetes/legacy-cloud-providers
for easier removal later and external usage.extensions/v1beta1
, apps/v1beta1
and apps/v1beta2
APIs continue to be depreciated. These extensions will be retired on Kubernetes 1.16.extensions/v1beta1
, apps/v1beta1
and apps/v1beta2
APIs are deprecated.--log-file
parameter is known to be problematic on Kubernetes 1.15. This presents as things being logged multiple times to the same file. For more information, see [Failing Test] timeouts in ci-kubernetes-e2e-gce-scale-performance.beta.kubernetes.io/metadata-proxy-ready
, beta.kubernetes.io/metadata-proxy-ready
and beta.kubernetes.io/kube-proxy-ds-ready
.ip-mask-agent
uses node.kubernetes.io/masq-agent-ds-ready
as the node selector and no longer uses beta.kubernetes.io/masq-agent-ds-ready
.kube-proxy
uses node.kubernetes.io/kube-proxy-ds-ready
as the node selector and no longer uses beta.kubernetes.io/kube-proxy-ds-ready
.metadata-proxy
uses cloud.google.com/metadata-proxy-ready
as the node selector and no longer uses beta.kubernetes.io/metadata-proxy-ready
.k8s.io/kubernetes
and other published components (such as k8s.io/client-go
and k8s.io/api
) now contain Go module files, including version information of the dependent library. For more information on consuming k8s.io/client-go
using Go modules, see Installing client-go and add go module support, manage vendor directory using go mod vendor.v1alpha3
configuration is totally removed.kube-up.sh
no longer supports centos
and local
providers.Node.Status.Volumes.Attached.DevicePath
field is no longer set for CSI volumes. You must update any external controllers that depend on this field.StorageObjectInUseProtection
admission plugin is enabled by default. If you previously had not enabled it, your cluster behavior may change.PodInfoOnMount
is enabled for a CSI driver, the new csi.storage.k8s.io/ephemeral
parameter in the volume context allows a driver's NodePublishVolume
implementation to determine on a case-by-case basis whether the volume is ephemeral or a normal persistent volume. For more information, see persistent and ephemeral csi volumes.VolumePVCDataSource
(storage volume cloning feature) is promoted to beta. For more information, see Promote VolumePVCDataSource to beta for 1.16.--enable-logs-handler
parameter is deprecated and will be removed on Kubernetes 1.19.--basic-auth-file
flag and authentication mode are deprecated and will be removed from a future release.10.0.0.0/24
) is deprecated and will be removed in six months/two releases. The --service-cluster-ip-range
parameter is required to configure the service IP range.v1beta1
Event API is used. Any tool targeting scheduler events needs to use it.--conntrack-max
parameter is removed and replaced with --conntrack-min
and --conntrack-max-per-core
.--cleanup-iptables
parameter is removed.--resource-container
is removed.--allow-privileged
, --host-ipc-sources
, --host-pid-sources
and --host-network-sources
parameters are removed and replaced with the admission controller of PodSecurityPolicy
.--containerized
is removed.--node-labels
parameter can no longer be used to configure forbidden labels prefixed with kubernetes.io-
or k8s.io-
.kubectl scale job
is removed.--pod/-p
parameter of the kubectl exec
command is removed.kubectl convert
command is removed.--include-uninitialized
is removed.kubectl cp
no longer supports copying symbolic links from containers. You can use the following commands instead:local to pod
: tar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- tar xf - -C /tmp/bar
pod to local
:kubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar xf - -C /tmp/bar
kubeadm upgrade node config
and kubeadm upgrade node experimental-control-plane
commands are deprecated and replaced with kubeadm upgrade node
.--experimental-control-plane
parameter is deprecated and replaced with --control-plane
.--experimental-upload-certs
parameter is deprecated and replaced with --upload-certs
.kubeadm config upload
command is deprecated and replaced with kubeadm init phase upload-confi
.ready
plugin.proxy
plugin is deprecated and replaced with the forward
plugin.resyncperiod
option is removed from the kubernetes
plugin.upstream
option is deprecated. If it is specified, it will be ignored.dry-run
graduates to beta (dry-run
enables you to simulate real API requests without actually changing the cluster status).kubectl diff
graduates to beta.CSIPersistentVolume
graduates to GA.TaintBasedEviction
graduates to beta.RuntimeClass
graduates to beta.runAsGroup
graduates to beta.kubectl apply server-side
graduates to alpha, allowing you to perform apply operations on the server side.resolv.conf
can be configured in Pods.etcd2
is no longer supported. --storage-backend=etcd3
is used by default.--etcd-quorum-read
parameter is deprecated.--storage-versions
parameter is deprecated.--repair-malformed-updates
parameter is deprecated.--insecure-experimental-approve-all-kubelet-csrs-for-group
parameter is deprecated.--google-json-key
parameter is deprecated.--experimental-fail-swap-on
parameter is deprecated.componentconfig/v1alpha1
is no longer supported.run-container
command is no longer supported.node.alpha.kubernetes.io/notReady
and node.alpha.kubernetes.io/unreachable
are no longer supported and are replaced with node.kubernetes.io/not-ready
and node.kubernetes.io/unreachable
respectively.CustomResources
are now beta and enabled by default. With this, updates to the /status
subresource will disallow updates to all fields other than .status
(not just .spec
and .metadata
as before). Also, required
and description
can be used at the root of the CRD OpenAPI validation schema when the /status
subresource is enabled. In addition, you can now create multiple versions of CustomResourceDefinitions, but without any kind of automatic conversion, and CustomResourceDefinitions now allow specification of additional columns for kubectl get
output via the spec.additionalPrinterColumns
field.dry run
feature is supported. It allows you to view the execution results of some commands without having to submit relevant modifications.client-go credentials
plugin graduates to beta, allowing you to get TLS authentication information from external plugins.authorization.k8s.io/decision
(the allow
or forbid
authorization decision) and authorization.k8s.io/reason
(the reason for this decision).podsecuritypolicy.admission.k8s.io/admit-policy
and podsecuritypolicy.admission.k8s.io/validate-policy
annotations containing the name of the policy that allows a Pod to be admitted. (PodSecurityPolicy
also gains the ability to limit hostPath
volume mounts to be read-only.)kube-dns
.DynamicKubeletConfig
graduates to beta.cri-tools
graduates to GA.PodShareProcessNamespace
graduates to beta.RuntimeClass
and CustomCFSQuotaPeriod
are added.TaintNodeByCondition
graduates to beta.ClusterRole
and StorageObjectInUseProtection
.--storage-version
parameter is removed and replaced with --storage-versions
. The --storage-versions
parameter is also deprecated.--endpoint-reconciler-type
is changed to lease
.--enable-admission-plugins
is used, it is contained by default. When the --admission-control
parameter is used, it must be explicitly specified.--rotate-certificates
parameter is deprecated and replaced with the .RotateCertificates
field in the configuration file.kubectl run
generators except run-pod/v1
are deprecated.--interactive
parameter is removed from kubectl logs
.--use-openapi-print-columns
is deprecated and replaced with --server-print
.
Was this page helpful?