Release notes for standard support versions
This topic gives important changes to be aware of for each Kubernetes version in standard support. When upgrading, carefully review the changes that have occurred between the old and new versions for your cluster.
Note
For 1.24 and later clusters, officially published Amazon EKS AMIs include containerd as the only runtime. Kubernetes versions earlier than 1.24 use Docker as the default runtime. These versions have a bootstrap flag option that you can use to test out your workloads on any supported cluster with containerd. For more information, see Amazon EKS ended support for Dockershim.
Kubernetes 1.29
Kubernetes 1.29 is now available in Amazon EKS. For more information about Kubernetes 1.29, see the official release announcement.
Important
- The deprecated flowcontrol.apiserver.k8s.io/v1beta2 API version of FlowSchema and PriorityLevelConfiguration is no longer served in Kubernetes v1.29. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade to v1.29.
- The .status.kubeProxyVersion field for Node objects is now deprecated, and the Kubernetes project is proposing to remove that field in a future release. The deprecated field is not accurate and has historically been managed by kubelet, which does not actually know the kube-proxy version, or even whether kube-proxy is running. If you've been using this field in client software, stop - the information isn't reliable and the field is now deprecated.
- In Kubernetes 1.29, to reduce potential attack surface, the LegacyServiceAccountTokenCleanUp feature labels legacy auto-generated secret-based tokens as invalid if they have not been used for a long time (1 year by default), and automatically removes them if use is not attempted for a long time after being marked as invalid (1 additional year by default). To identify such tokens, you can run:
  kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-system
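To see which secret-based tokens the cleanup will act on, the following added example (not part of the AWS documentation) classifies service account token secrets by the tracking labels upstream Kubernetes sets for this feature, kubernetes.io/legacy-token-last-used and kubernetes.io/legacy-token-invalid-since. The secret names and dates are constructed, and the function names are hypothetical; the input has the shape of `kubectl get secrets -A -o json`.

```python
import json
from datetime import date

# Labels set by upstream Kubernetes legacy token tracking and cleanup.
LAST_USED = "kubernetes.io/legacy-token-last-used"
INVALID_SINCE = "kubernetes.io/legacy-token-invalid-since"
SA_TOKEN_TYPE = "kubernetes.io/service-account-token"


def classify_legacy_tokens(secrets_json, today, unused_days=365):
    """Return (namespace/name, status, label date) for each secret-based SA token."""
    findings = []
    for item in json.loads(secrets_json).get("items", []):
        if item.get("type") != SA_TOKEN_TYPE:
            continue  # TLS, Opaque and registry secrets are out of scope
        meta = item["metadata"]
        labels = meta.get("labels") or {}
        name = f"{meta['namespace']}/{meta['name']}"
        if INVALID_SINCE in labels:
            # Already marked invalid; removed if still unused after the second period.
            findings.append((name, "invalid", labels[INVALID_SINCE]))
        elif LAST_USED not in labels:
            # No use has been recorded on the secret itself.
            findings.append((name, "untracked", None))
        else:
            idle = (today - date.fromisoformat(labels[LAST_USED])).days
            status = "stale" if idle >= unused_days else "in-use"
            findings.append((name, status, labels[LAST_USED]))
    return findings


def make_secret(namespace, name, secret_type, labels=None):
    """Build one constructed item in the shape kubectl returns."""
    return {"type": secret_type,
            "metadata": {"namespace": namespace, "name": name, "labels": labels}}


# Constructed sample standing in for `kubectl get secrets -A -o json` output.
SAMPLE_SECRETS = json.dumps({"items": [
    make_secret("default", "build-token-abc12", SA_TOKEN_TYPE, {LAST_USED: "2022-11-05"}),
    make_secret("ci", "deployer-token-x9k2p", SA_TOKEN_TYPE, {LAST_USED: "2024-02-20"}),
    make_secret("legacy", "old-token-7hd3q", SA_TOKEN_TYPE, {INVALID_SINCE: "2024-01-15"}),
    make_secret("kube-system", "metrics-token-q1w2e", SA_TOKEN_TYPE),
    make_secret("default", "tls-cert", "kubernetes.io/tls"),
]})

if __name__ == "__main__":
    for row in classify_legacy_tokens(SAMPLE_SECRETS, today=date(2024, 3, 1)):
        print(*row)
```

Tokens reported as in-use are the ones to migrate to bound, short-lived tokens before relying on the cleanup; the report covers every secret-based token, while the cleanup itself only targets auto-generated ones.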
For the complete Kubernetes 1.29 changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280
Kubernetes 1.28
Kubernetes 1.28 is now available in Amazon EKS. For more information about Kubernetes 1.28, see the official release announcement.
- Kubernetes v1.28 expanded the supported skew between core node and control plane components by one minor version, from n-2 to n-3, so that node components (kubelet and kube-proxy) for the oldest supported minor version can work with control plane components (kube-apiserver, kube-scheduler, kube-controller-manager, cloud-controller-manager) for the newest supported minor version.
- Metrics force_delete_pods_total and force_delete_pod_errors_total in the Pod GC Controller are enhanced to account for all forceful pods deletion. A reason is added to the metric to indicate whether the pod is forcefully deleted because it's terminated, orphaned, terminating with the out-of-service taint, or terminating and unscheduled.
- The PersistentVolume (PV) controller has been modified to automatically assign a default StorageClass to any unbound PersistentVolumeClaim with the storageClassName not set. Additionally, the PersistentVolumeClaim admission validation mechanism within the API server has been adjusted to allow changing values from an unset state to an actual StorageClass name.
For the complete Kubernetes 1.28 changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270
Kubernetes 1.27
Kubernetes 1.27 is now available in Amazon EKS. For more information about Kubernetes 1.27, see the official release announcement.
Important
- The support for the alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io was removed. The alpha seccomp annotations were deprecated in 1.19, and with their removal in 1.27, seccomp fields will no longer auto-populate for Pods with seccomp annotations. Instead, use the securityContext.seccompProfile field for Pods or containers to configure seccomp profiles. To check whether you are using the deprecated alpha seccomp annotations in your cluster, run the following command:
  kubectl get pods --all-namespaces -o json | grep -E 'seccomp.security.alpha.kubernetes.io/pod|container.seccomp.security.alpha.kubernetes.io'
- The --container-runtime command line argument for the kubelet was removed. The default container runtime for Amazon EKS has been containerd since 1.24, which eliminates the need to specify the container runtime. From 1.27 onwards, Amazon EKS will ignore the --container-runtime argument passed to any bootstrap scripts. It is important that you don't pass this argument to --kubelet-extra-args in order to prevent errors during the node bootstrap process. You must remove the --container-runtime argument from all of your node creation workflows and build scripts.
- The kubelet in Kubernetes 1.27 increased the default kubeAPIQPS to 50 and kubeAPIBurst to 100. These enhancements allow the kubelet to handle a higher volume of API queries, improving response times and performance. When the demands for Pods increase, due to scaling requirements, the revised defaults ensure that the kubelet can efficiently manage the increased workload. As a result, Pod launches are quicker and cluster operations are more effective.
- You can use more fine-grained Pod topology spread policies such as minDomain. This parameter gives you the ability to specify the minimum number of domains your Pods should be spread across. nodeAffinityPolicy and nodeTaintPolicy allow for an extra level of granularity in governing Pod distribution. This is in accordance with node affinities, taints, and the matchLabelKeys field in the topologySpreadConstraints of your Pod's specification. This permits the selection of Pods for spreading calculations following a rolling upgrade.
- Kubernetes 1.27 promoted to beta a new policy mechanism for StatefulSets that controls the lifetime of their PersistentVolumeClaims (PVCs). The new PVC retention policy lets you specify if the PVCs generated from the StatefulSet spec template will be automatically deleted or retained when the StatefulSet is deleted or replicas in the StatefulSet are scaled down.
- The goaway-chance option in the Kubernetes API server helps prevent HTTP/2 client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version 1.27 has enabled the goaway-chance flag. If your workload running on an Amazon EKS cluster uses a client that is not compatible with HTTP GOAWAY, we recommend that you update your client to handle GOAWAY by reconnecting on connection termination.
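For the alpha seccomp annotation removal described in this section, the grep check only shows that the annotations exist. The following added example (not part of the AWS documentation) goes further: it maps each annotation value to its securityContext.seccompProfile equivalent and reports whether a field is already set, since a Pod relying on the annotation alone gets no profile populated on 1.27. Pod names and function names are constructed for illustration.

```python
import json

POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"
CTR_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"

def to_profile(value):
    """Translate an alpha annotation value into a seccompProfile field value."""
    if value in ("runtime/default", "docker/default"):
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value.startswith("localhost/"):
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    return None  # unrecognised value: needs manual review

def find_alpha_seccomp(pods_json):
    """List each alpha annotation, its field equivalent, and whether a field is set."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        pod_field = (spec.get("securityContext") or {}).get("seccompProfile")
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        for key, value in sorted((meta.get("annotations") or {}).items()):
            if key == POD_KEY:
                scope, field = "pod", pod_field
            elif key.startswith(CTR_PREFIX):
                cname = key[len(CTR_PREFIX):]
                ctr = next((c for c in containers if c["name"] == cname), {})
                # A container-level field wins; otherwise the pod-level field applies.
                field = (ctr.get("securityContext") or {}).get("seccompProfile") or pod_field
                scope = "container/" + cname
            else:
                continue
            findings.append({"pod": f"{meta['namespace']}/{meta['name']}", "scope": scope,
                             "annotation": value, "field": to_profile(value),
                             "field_already_set": field is not None})
    return findings

# Constructed sample standing in for `kubectl get pods --all-namespaces -o json`.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "web", "name": "api-0", "annotations": {POD_KEY: "runtime/default"}},
     "spec": {"containers": [{"name": "api"}]}},
    {"metadata": {"namespace": "batch", "name": "job-1",
                  "annotations": {CTR_PREFIX + "worker": "localhost/profiles/audit.json"}},
     "spec": {"containers": [{"name": "worker", "securityContext": {"seccompProfile": {
         "type": "Localhost", "localhostProfile": "profiles/audit.json"}}}]}},
    {"metadata": {"namespace": "web", "name": "static-0"}, "spec": {"containers": [{"name": "nginx"}]}},
]})
```

Entries with field_already_set equal to False are the ones to fix before upgrading: add the suggested field value to the workload's Pod template, not only to the running Pod.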
For the complete Kubernetes 1.27 changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1260
Kubernetes 1.26
Kubernetes 1.26 is now available in Amazon EKS. For more information about Kubernetes 1.26, see the official release announcement.
Important
Kubernetes 1.26 no longer supports CRI v1alpha2. This results in the kubelet no longer registering the node if the container runtime doesn't support CRI v1. This also means that Kubernetes 1.26 doesn't support containerd minor version 1.5 and earlier. If you're using containerd, you need to upgrade to containerd version 1.6.0 or later before you upgrade any nodes to Kubernetes 1.26. You also need to upgrade any other container runtimes that only support the v1alpha2. For more information, defer to the container runtime vendor. By default, Amazon Linux and Bottlerocket AMIs include containerd version 1.6.6.
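A pre-upgrade check for the containerd requirement above, as an added example (not part of the AWS documentation): it reads the containerRuntimeVersion that each node reports in `kubectl get nodes -o json` and lists the nodes that would fail to register on 1.26. Node names and versions are constructed, and the function names are hypothetical.

```python
import json
import re

MIN_CONTAINERD = (1, 6, 0)  # lowest containerd version the page accepts for 1.26


def upgrade_blocker(runtime_version):
    """Return why a node's runtime blocks the 1.26 upgrade, or None if it does not."""
    name, sep, version = runtime_version.partition("://")
    if not sep:
        return f"unrecognised runtime string {runtime_version!r}"
    if name != "containerd":
        return f"{name} {version}: confirm CRI v1 support with the runtime vendor"
    match = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        return f"cannot parse containerd version {version!r}"
    # Compare numerically so that 1.10.x sorts after 1.6.x.
    parsed = tuple(int(part or 0) for part in match.groups())
    if parsed < MIN_CONTAINERD:
        return f"containerd {version} is older than 1.6.0"
    return None


def nodes_blocking_upgrade(nodes_json):
    """Map node name -> reason for every node that must be fixed first."""
    blockers = {}
    for node in json.loads(nodes_json).get("items", []):
        runtime = node["status"]["nodeInfo"]["containerRuntimeVersion"]
        reason = upgrade_blocker(runtime)
        if reason:
            blockers[node["metadata"]["name"]] = reason
    return blockers


def make_node(name, runtime):
    """Build one constructed node item in the shape kubectl returns."""
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"containerRuntimeVersion": runtime}}}


# Constructed sample standing in for `kubectl get nodes -o json`.
SAMPLE_NODES = json.dumps({"items": [
    make_node("node-a", "containerd://1.6.6"),
    make_node("node-b", "containerd://1.5.13"),
    make_node("node-c", "containerd://1.6.19+bottlerocket"),
    make_node("node-d", "docker://20.10.23"),
]})
```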
- Before you upgrade to Kubernetes 1.26, upgrade your Amazon VPC CNI plugin for Kubernetes to version 1.12 or later. If you don't upgrade to Amazon VPC CNI plugin for Kubernetes version 1.12 or later, the Amazon VPC CNI plugin for Kubernetes will crash. For more information, see Working with the Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on.
- The goaway-chance option in the Kubernetes API server helps prevent HTTP/2 client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version 1.26 has enabled the goaway-chance flag. If your workload running on an Amazon EKS cluster uses a client that is not compatible with HTTP GOAWAY, we recommend that you update your client to handle GOAWAY by reconnecting on connection termination.
For the complete Kubernetes 1.26 changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1250