Kubernetes Release Notes
A summary of the Kubernetes release notes
Updated date: 2025-06-01
Version 1.33
Release Date: 2025-04-23
Official Release Notes: Kubernetes 1.33 Release Notes

Key Features:

Stable
Sidecar containers:
- Change: The sidecar pattern graduates to stable in v1.33. Kubernetes implements sidecars as a special class of init containers with restartPolicy: Always. They start before application containers, run throughout the pod's lifecycle, and terminate automatically after the main containers exit. Sidecars can use probes (startup, readiness, liveness) to signal their state and have OOM score adjustments aligned with primary containers.
- Importance: Sidecars handle auxiliary capabilities like networking, logging, and metrics gathering. Their stable graduation indicates reliability for handling these tasks alongside main application containers.
Backoff limits per index for indexed Jobs:
- Change: This feature allows setting backoff limits on a per-index basis for Indexed Jobs.
- Importance: Traditionally, backoffLimit applied to the entire Job. This enhancement provides more granular control over retry behavior for individual tasks within an Indexed Job. It ensures that the failure of specific indices does not prematurely terminate the entire Job, allowing other indices to continue processing independently.
Indexed Jobs
An Indexed Job is a special type of Job designed to run multiple parallel pods, each assigned a unique index (e.g., 0, 1, 2, ..., N-1). These indexes are useful when each pod needs to process a specific, distinct chunk of work (such as one part of a dataset or task).
Job success policy:
- Change: Users can specify which pod indexes must succeed (succeededIndexes), how many pods must succeed (succeededCount), or a combination using .spec.successPolicy.
- Importance: This feature benefits workloads like simulations where partial completion is sufficient and leader-worker patterns where only the leader's success determines the overall Job outcome.
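One Indexed Job that uses the three stable features above together (sidecar containers, per-index backoff limits and a success policy), as an added example that is not part of the release notes; the Job name, image references and the log path are made up:

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: shard-processor
spec:
  completionMode: Indexed
  completions: 8              # indexes 0..7, one data shard each
  parallelism: 4
  backoffLimitPerIndex: 2     # each index is retried at most twice, independently
  maxFailedIndexes: 3         # the Job fails only once a 4th index has exhausted its retries
  successPolicy:
    rules:                    # rules are ORed; meeting either one completes the Job
      - succeededIndexes: "0" # leader/worker pattern: index 0 is the leader
      - succeededCount: 6     # or partial completion: 6 of 8 shards are enough
  template:
    spec:
      restartPolicy: Never
      initContainers:
        # Sidecar: an init container with restartPolicy: Always. It starts before
        # the worker, keeps running beside it, and is stopped automatically once
        # the worker exits, so the Pod can still reach Succeeded.
        - name: log-shipper
          image: example.com/log-shipper:1.0    # placeholder image
          restartPolicy: Always
          readinessProbe:                        # sidecars may carry probes
            httpGet:
              path: /ready
              port: 9898
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: logs
              mountPath: /var/log/app
              readOnly: true
      containers:
        - name: worker
          # The shard to process is available to the container as the
          # JOB_COMPLETION_INDEX environment variable, injected for Indexed Jobs.
          image: example.com/shard-worker:1.0   # placeholder image
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
          volumeMounts:
            - name: logs
              mountPath: /var/log/app
      volumes:
        - name: logs
          emptyDir: {}
```

Once a success rule is satisfied the Job is marked Complete and any still-running index Pods are terminated, so workers must tolerate being stopped mid-run.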
Bound ServiceAccount token security improvements:
- Change: Service account tokens now carry a unique token identifier (the JWT ID, jti, claim) and information about the node the Pod runs on, and tokens can be restricted to a specific node. These improvements are now generally available.
- Importance: These enhancements aim to improve the overall security posture of service account tokens by enabling more precise validation and auditing, and by reducing the risk of token misuse and potential security breaches.
Subresource support in kubectl:
- Change: The --subresource argument is now generally available for kubectl subcommands like get, patch, edit, apply, and replace.
- Importance: This allows users to fetch and update subresources for all resources that support them, enhancing kubectl's capability.
Multiple Service CIDRs:
- Change: Introduces a new implementation of allocation logic for Service IPs using the newly stable API objects ServiceCIDR and IPAddress. These APIs are now generally available.
- Importance: Allows cluster administrators to dynamically increase the number of IP addresses available for type: ClusterIP Services by creating new ServiceCIDR objects.
nftables backend for kube-proxy:
- Change: The nftables backend for kube-proxy is now stable.
- Importance: Adds a new implementation that significantly improves the performance and scalability of the Services implementation. iptables remains the default on Linux nodes for compatibility.
Topology aware routing with trafficDistribution: PreferClose:
- Change: Topology-aware routing and traffic distribution graduate to GA. Topology-aware hints in EndpointSlices allow components like kube-proxy to prioritize routing traffic to endpoints within the same zone. The trafficDistribution field is added to the Service specification with the PreferClose option.
- Importance: This allows optimizing service traffic in multi-zone clusters by reducing latency and cross-zone data transfer costs. The PreferClose option enhances performance and cost-efficiency by minimizing inter-zone communication.
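The three stable networking features above (multiple Service CIDRs, the nftables kube-proxy backend and trafficDistribution: PreferClose) in one bundle, as an added example that is not taken from the release notes; the CIDR, Service name, ports and node configuration values are illustrative:

```yaml
---
# 1. Add a second ClusterIP range without re-creating the cluster. Each
#    allocation is recorded as an IPAddress object (kubectl get ipaddresses).
apiVersion: networking.k8s.io/v1
kind: ServiceCIDR
metadata:
  name: extra-services
spec:
  cidrs:
    - 10.97.0.0/16            # must not overlap the existing service range
---
# 2. Prefer endpoints in the client's own zone. Traffic still falls back to
#    other zones when the local zone has no ready endpoints.
apiVersion: v1
kind: Service
metadata:
  name: payments
spec:
  selector:
    app: payments
  trafficDistribution: PreferClose
  ports:
    - port: 443
      targetPort: 8443
---
# 3. kube-proxy opt-in to the stable nftables backend (iptables stays the
#    default). Handed to kube-proxy on each node via --config.
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: nftables
nftables:
  masqueradeAll: false
```

Switching the proxy mode is a per-node change: roll it out node by node and confirm Service reachability before moving on, since the nftables and iptables backends do not share rule sets.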
Options to reject non-SMT-aligned workloads:
- Change: Added policy options to the CPU Manager to reject workloads that do not align with Simultaneous Multithreading (SMT) configurations. This is now generally available.
- Importance: Ensures that when a pod requests exclusive use of CPU cores, the CPU Manager can enforce allocation of entire core pairs (primary and sibling threads) on SMT-enabled systems. This prevents scenarios where workloads share CPU resources in unintended ways.
Defining Pod affinity or anti-affinity using matchLabelKeys and mismatchLabelKeys:
- Change: The matchLabelKeys and mismatchLabelKeys fields are available in Pod affinity terms. These are newly stable options.
- Importance: Enables users to finely control the scope where Pods are expected to co-exist (Affinity) or not (AntiAffinity). These complement the existing labelSelector mechanism and facilitate enhanced scheduling for versatile rolling updates and service isolation.
Considering taints and tolerations when calculating Pod topology spread skew:
- Change: Enhanced PodTopologySpread by introducing nodeAffinityPolicy and nodeTaintsPolicy fields. Defaults are nodeAffinityPolicy: Honor and nodeTaintsPolicy: Ignore.
- Importance: Allows users to specify whether node affinity rules and node taints should be considered when calculating pod distribution across nodes. This provides finer control over pod placement, ensuring pods are scheduled on nodes that meet both affinity and taint toleration requirements and preventing pods from remaining pending due to unsatisfied constraints.
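A Deployment that uses the two stable scheduling features above (matchLabelKeys in a Pod anti-affinity term, and the nodeAffinityPolicy / nodeTaintsPolicy fields of a topology spread constraint), as an added example that is not from the release notes; the app label, replica count and image are illustrative:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  replicas: 6
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - topologyKey: kubernetes.io/hostname
              labelSelector:
                matchLabels:
                  app: api
              # The scheduler adds the incoming Pod's own pod-template-hash
              # value to the selector, so the rule only spreads Pods of the
              # same revision; Pods of the previous ReplicaSet no longer block
              # a rolling update on a cluster with few nodes.
              matchLabelKeys:
                - pod-template-hash
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app: api
          # Honor (the default): nodes excluded by the Pod's nodeAffinity are
          # left out of the skew calculation.
          nodeAffinityPolicy: Honor
          # Honor (the default is Ignore): nodes whose taints this Pod does not
          # tolerate are left out too, so a tainted zone does not leave the
          # Pod Pending behind an unsatisfiable skew.
          nodeTaintsPolicy: Honor
      containers:
        - name: api
          image: example.com/api:1.0   # placeholder image
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
```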
Volume populators:
- Change: Volume populators graduate to GA in v1.33. This feature allows users to pre-populate volumes with data from various sources using the dataSourceRef field in a PersistentVolumeClaim (PVC). A volume-data-source-validator controller and a new VolumePopulator CRD are part of this.
- Importance: Provides more flexibility than the existing dataSource field by allowing for custom resources to be used as data sources. This enables scenarios beyond just PVC clones or volume snapshots for pre-populating volumes.
Always honor PersistentVolume reclaim policy:
- Change: Kubernetes now sets finalizers on relevant PVs to ensure the reclaim policy is enforced even if the PV is deleted before its associated PVC.
- Importance: Addresses an issue where the PV reclaim policy might not be consistently honored, preventing potential storage resource leaks and maintaining consistency in PV lifecycle management.
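How the volume populator feature above is wired together, as an added example that is not from the release notes: the populator registration, the custom resource it consumes, and a PVC that references it via dataSourceRef. The backup.example.com group, the Restore kind and its spec, and the storage class are hypothetical; the reclaim-policy finalizer from the following item is set by the control plane and needs no manifest change.

```yaml
---
# Registers the (hypothetical) populator: a PVC whose dataSourceRef names a
# backup.example.com/Restore object is handled by that populator controller.
apiVersion: populator.storage.k8s.io/v1beta1
kind: VolumePopulator
metadata:
  name: backup-restore-populator
sourceKind:
  group: backup.example.com
  kind: Restore
---
# The custom resource describing what to pre-populate (schema is made up).
apiVersion: backup.example.com/v1alpha1
kind: Restore
metadata:
  name: orders-db-2025-05-31
  namespace: shop
spec:
  snapshotId: snap-0000             # placeholder
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: orders-db
  namespace: shop
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: fast-ssd        # placeholder class
  resources:
    requests:
      storage: 50Gi
  # dataSourceRef, unlike dataSource, accepts arbitrary custom resources;
  # the volume-data-source-validator flags (via a PVC event) any kind that
  # no VolumePopulator has registered.
  dataSourceRef:
    apiGroup: backup.example.com
    kind: Restore
    name: orders-db-2025-05-31
```

The populator controller must be present in the cluster (and only it should hold RBAC to read Restore objects and create the temporary PVCs it needs); the PVC stays Pending until that controller fills the volume.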
Portworx file in-tree to CSI driver migration
CRD Validation Ratcheting
Recursive Read-only (RRO) mounts
Beta
- Support for Direct Service Return (DSR) in Windows kube-proxy:
- Change: Support for DSR has been promoted to beta in v1.33.
- Importance: DSR provides performance optimizations by allowing return traffic routed through load balancers to bypass the load balancer and respond directly to the client. This reduces load on the load balancer and lowers overall latency.
- Structured parameter support (part of Dynamic Resource Allocation - DRA):
- Change: Continues as a beta feature with significant improvements, including a new v1beta2 version of the resource.k8s.io API. Regular users with the namespaced cluster edit role can now use DRA. Kubelet includes seamless upgrade support for drivers, preventing deletion/re-creation of ResourceSlices during rolling updates, and adds a 30-second grace period before cleaning up after unregistering a driver.
- Importance: Simplifies the API and improves the development and management of DRA, allowing for smoother driver upgrades and better handling of driver unregistration.
- Dynamic Resource Allocation (DRA) for network interfaces:
- Change: Standardized reporting of network interface data via DRA graduates to beta.
- Importance: Enables more native Kubernetes network integrations, simplifying the development and management of networking devices.
- Handle unscheduled pods early when scheduler does not have any pod on activeQ:
- Change: The scheduler will pop pods from the backoffQ (if not backed off due to errors) when the activeQ is empty.
- Importance: Improves queue scheduling behavior by preventing the scheduler from becoming idle when the activeQ is empty, thus improving scheduling efficiency.
- Asynchronous preemption in the Kubernetes Scheduler:
- Change: Asynchronous Preemption graduates to beta. Heavy operations like API calls to delete pods are processed in parallel.
- Importance: Allows the scheduler to continue scheduling other pods without delays when performing preemption. This is particularly beneficial in clusters with high Pod churn or frequent scheduling failures, ensuring a more efficient and resilient scheduling process.
- ClusterTrustBundles:
- Change: ClusterTrustBundle, a cluster-scoped resource for holding X.509 trust anchors (root certificates), graduates to beta.
- Importance: Makes it easier for in-cluster certificate signers to publish and communicate X.509 trust anchors to cluster workloads.
- Fine-grained SupplementalGroups control:
- Change: This feature graduates to beta and is now enabled by default in v1.33. If the SupplementalGroupsPolicy feature gate is enabled, the supplementalGroupsPolicy field in a Pod's securityContext supports Merge (default, backward compatible) and Strict policies.
- Importance: Helps address security concerns where implicit group memberships from container images could lead to unintended file access permissions and bypass policy controls.
- Support for mounting images as volumes:
- Change: Support for using Open Container Initiative (OCI) images as volumes in Pods graduates to beta. Users can specify an image reference as a volume in a Pod and reuse it as a volume mount within containers.
- Importance: Opens up the possibility of packaging volume data separately and sharing it among containers in a Pod without including it in the main image. This can reduce vulnerabilities and simplify image creation.
- Support for user namespaces within Linux Pods:
- Change: This KEP (KEP-127) has moved to an on-by-default beta as part of v1.33. It does not impact existing Pods unless pod.spec.hostUsers is explicitly set to opt in.
- Importance: This is an important milestone for mitigating vulnerabilities by providing user namespace isolation for Pods.
- Pod procMount option:
- Change: The procMount option has moved to an on-by-default beta in v1.33. It adds a field to the Pod securityContext to override the default behavior of masking and marking certain /proc paths as read-only.
- Importance: Improves Pod isolation by allowing users to fine-tune access to the /proc filesystem. This is particularly useful for scenarios where users want to run unprivileged containers inside the Kubernetes Pod using user namespaces, as it allows relaxing default strict /proc mount settings.
- CPUManager policy to distribute CPUs across NUMA nodes:
- Change: Adds a new policy option for the CPU Manager to distribute CPUs across Non-Uniform Memory Access (NUMA) nodes instead of concentrating them on a single node.
- Importance: Optimizes CPU resource allocation by balancing workloads across multiple NUMA nodes, thereby improving performance and resource utilization in multi-NUMA systems.
- Zero-second sleeps for container PreStop hooks:
- Change: The Sleep action in a preStop hook can now accept a zero-second duration as a beta feature.
- Importance: Allows defining a no-op preStop hook, which is useful when a preStop hook is required but no delay is desired. The Sleep action itself, introduced in v1.29, provides a straightforward method to delay container shutdown for tasks like connection draining or cleanup.
- Internal tooling for declarative validation of Kubernetes-native types:
- Change: Kubernetes v1.33 introduces validation-gen, an internal tool for contributors to generate declarative validation rules.
- Importance: The goal is to improve the robustness and maintainability of API validations by enabling developers to specify validation constraints declaratively, reducing manual coding errors and ensuring consistency across the codebase.
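One Pod that combines the beta isolation features listed above (user namespaces, Strict supplementalGroupsPolicy, procMount, an image volume) with a ClusterTrustBundle it consumes through a projected volume, as an added example that is not from the release notes; the bundle name, signer, image references, UIDs/GIDs and mount paths are illustrative, and the PEM is a placeholder:

```yaml
apiVersion: certificates.k8s.io/v1beta1
kind: ClusterTrustBundle
metadata:
  name: example.com:internal-ca:v1      # "<signer, / replaced by :>:<suffix>"
spec:
  signerName: example.com/internal-ca
  trustBundle: |
    -----BEGIN CERTIFICATE-----
    ...PEM of the internal root CA (placeholder)...
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Pod
metadata:
  name: hardened-worker
spec:
  # User namespace: UID 0 inside the container maps to an unprivileged host
  # UID, so a container escape does not arrive as host root.
  hostUsers: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    supplementalGroups: [4000]
    # Strict: the process gets exactly 3000 and 4000. With Merge (default),
    # groups listed for UID 1000 in the image's /etc/group are added as well.
    supplementalGroupsPolicy: Strict
  containers:
    - name: worker
      image: example.com/worker:1.0                       # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: [ALL]
        # Unmasked /proc is only acceptable because hostUsers: false above
        # confines the container to its own user namespace; keep Default otherwise.
        procMount: Unmasked
      volumeMounts:
        - name: model
          mountPath: /opt/model
          readOnly: true
        - name: trust
          mountPath: /etc/ssl/internal
          readOnly: true
  volumes:
    # Image volume: data shipped as its own OCI artifact instead of being
    # baked into the application image.
    - name: model
      image:
        reference: example.com/models/classifier:2025-05  # placeholder
        pullPolicy: IfNotPresent
    # Projected ClusterTrustBundle: the kubelet writes the CA bundle into the
    # volume and refreshes it when the bundle object changes.
    - name: trust
      projected:
        sources:
          - clusterTrustBundle:
              name: example.com:internal-ca:v1
              path: ca.crt
```

Strict group policy, image volumes and Unmasked procMount all depend on container runtime support, and the ImageVolume and ClusterTrustBundle feature gates (plus the certificates.k8s.io/v1beta1 API group) are not enabled by default in v1.33, so check your cluster before relying on them. The kubelet reports the identity actually applied under status.containerStatuses[].user.linux, which is where to confirm that the Strict policy took effect.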
Alpha
Deprecations and Removals
- Deprecation of the stable Endpoints API:
- Change: The original Endpoints API is being deprecated.
- Importance: It faced challenges scaling to large numbers of network endpoints, and the EndpointSlices API, stable since v1.21, has effectively replaced it and introduced new features like dual-stack networking. Users who use the Endpoints API directly should migrate to EndpointSlices.
- Removal of kube-proxy version information in node status:
- Change: The .status.nodeInfo.kubeProxyVersion field for Nodes was removed in v1.33, following its deprecation in v1.31.
- Importance: The field's value was not consistently accurate.
- Removal of in-tree gitRepo volume driver:
- Change: The in-tree driver code for the gitRepo volume type is removed in v1.33. It has been deprecated since v1.11.
- Importance: There have been security concerns regarding how gitRepo volumes could be exploited to gain remote code execution as root on nodes. Alternatives like git-sync and initContainers are available. While the API field remains for backward compatibility with an opt-in feature gate, the driver is planned for full removal in v1.39.
- Removal of host network support for Windows pods:
- Change: Support for host network for Windows Pods was fully removed in v1.33. The associated KEP was withdrawn.
- Importance: The feature faced unexpected containerd behaviors and technical limitations with Windows networking logic, and alternative solutions are available. This removal does not affect HostProcess containers.
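Replacing a removed gitRepo volume with the initContainer alternative named above, as an added example that is not from the release notes: the clone runs as an unprivileged user inside the Pod rather than as root on the node, is pinned to a tag and verified against an expected commit, and only the checked-out tree is handed to the application container. The repository URL, tag, commit hash, images and paths are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: site
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  initContainers:
    - name: fetch-content
      image: alpine/git:2.47.2                   # placeholder tag; pin by digest in practice
      env:
        - name: HOME
          value: /work
        - name: REPO
          value: https://git.example.com/site/content.git    # placeholder
        - name: REF
          value: refs/tags/v1.4.2                            # placeholder tag
        - name: EXPECTED_SHA
          value: "0000000000000000000000000000000000000000"  # placeholder commit
      command: ["sh", "-c"]
      args:
        - |
          set -eu
          # /work/src is created by UID 1000 itself, so git's ownership check passes
          mkdir /work/src && cd /work/src
          git init -q
          git remote add origin "$REPO"
          git fetch -q --depth 1 origin "$REF"
          git checkout -q --detach FETCH_HEAD
          # fail closed if the tag no longer points at the commit we reviewed
          [ "$(git rev-parse HEAD)" = "$EXPECTED_SHA" ] || { echo "commit mismatch" >&2; exit 1; }
          rm -rf .git                              # ship only the tree, not history
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: [ALL]
      volumeMounts:
        - name: content
          mountPath: /work
  containers:
    - name: web
      image: nginxinc/nginx-unprivileged:1.27      # placeholder
      volumeMounts:
        - name: content
          mountPath: /usr/share/nginx/html
          subPath: src
          readOnly: true
  volumes:
    - name: content
      emptyDir: {}
```

For private repositories, supply credentials to the init container from a Secret (for example via a git credential helper or an SSH key mounted read-only) rather than embedding them in the URL, and keep the Secret scoped to this namespace.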