1.25 version information and update actions
Review information about version 1.25 of IBM Cloud® Kubernetes Service.
Looking for general information on updating IBM Cloud® Kubernetes Service clusters, or information on a different version? See Kubernetes version information and update actions.
Kubernetes version 1.25 is no longer supported. Update your cluster to at least version 1.26 as soon as possible.
IBM Cloud Kubernetes Service is a Certified Kubernetes product for version 1.25 under the CNCF Kubernetes Software Conformance Certification program. Kubernetes® is a registered trademark of The Linux Foundation in the United States and other countries, and is used pursuant to a license from The Linux Foundation.
For more information about Kubernetes project version 1.25, see the Kubernetes change log
Release timeline
The following table includes the expected release timeline for version 1.25 of IBM Cloud® Kubernetes Service. You can use this information for planning purposes, such as to estimate the general time that the version might become unsupported.
Dates that are marked with a dagger (†) are tentative and subject to change.
| Version | Supported? | Release date | Unsupported date |
|---|---|---|---|
| 1.25 | Deprecated | 06 October 2022 | 31 January 2024 |
Preparing to update
This information summarizes updates that are likely to have and impact on deployed apps when you update a cluster to version 1.25. For a complete list of changes, review the community Kubernetes change log and IBM version change log for version 1.25. You can also review the Kubernetes helpful warnings.
Update before master
The following table shows the actions that you must take before you update the Kubernetes master.
Pod security policies have been removed in Kubernetes version 1.25. See the Kubernetes Deprecated API migration guide for more information. Customers have the option to replace Pod Security Policies with Pod security admission or a third party admission webhook. For more information, see Migrating from PSPs to Pod Security Admission.
| Type | Description |
|---|---|
Unsupported: Beta version of the CronJob API |
Migrate manifests and API clients to use the batch/v1 API version, available since Kubernetes version 1.21. For more information, see Deprecated API Migration Guide - v1.25. |
Unsupported: Beta version of the EndpointSlice API |
Migrate manifests and API clients to use the discovery.k8s.io/v1 API version, available since Kubernetes version 1.21. For more information, see Deprecated API Migration Guide - v1.25. |
Unsupported: Beta version of the Event API |
Migrate manifests and API clients to use the events.k8s.io/v1 API version, available since Kubernetes version 1.19. For more information, see Deprecated API Migration Guide - v1.25. |
Unsupported: Beta version of the HorizontalPodAutoscaler API |
Migrate manifests and API clients to use the autoscaling/v2 API version, available since Kubernetes version 1.23. For more information, see Deprecated API Migration Guide - v1.25. |
Unsupported: Beta version of the PodDisruptionBudget API |
Migrate manifests and API clients to use the policy/v1 API version, available since Kubernetes version 1.21. For more information, see Deprecated API Migration Guide - v1.25. |
Unsupported: Beta version of the RuntimeClass API |
Migrate manifests and API clients to use the node.k8s.io/v1 API version, available since Kubernetes version 1.20. For more information, see Deprecated API Migration Guide - v1.25. |
| Unsupported: Pod Security Policies | Pod Security Policies have been removed in Kubernetes version 1.25. See Migrating from PSPs to Pod Security admission and the Kubernetes Deprecated API Migration Guide for more information. IBM Cloud Kubernetes Service version 1.25 now configures Pod Security Admission and no longer supports Pod Security Policies. |
Unsupported: Pod kubectl.kubernetes.io/default-logs-container annotation |
Pods no longer support the kubectl.kubernetes.io/default-logs-container annotation. This annotation has been replaced by the kubectl.kubernetes.io/default-container annotation. If your pods rely on the unsupported
annotation, update them to use the kubectl.kubernetes.io/default-container annotation instead. For more information, see Well-Known Labels, Annotations and Taints. |
Unsupported: Pod seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io annotations |
Kubernetes no longer fully supports the pod seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io annotations. These annotations have been deprecated since Kubernetes version
1.19 and has been replaced by the securityContext.seccompProfile field for pods and containers. All remaining support for these annotations is planned to be removed in Kubernetes version 1.27. If your pods rely on these
unsupported annotations, update them to use the securityContext.seccompProfile field instead. For more information, see Create Pod that uses the container runtime default seccomp profile. |
| Unsupported: Select Kubernetes API server metrics removed | The following Kubernetes API service metrics were removed: priority_level_seat_count_watermarks, priority_level_request_count_watermarks and read_vs_write_request_count_watermarks. If you rely on
these removed metrics, update accordingly. |
| Unsupported: Select Kubernetes API server metrics replaced | The following Kubernetes API service metrics were replaced: priority_level_seat_count_samples is replaced by priority_level_seat_utilization, priority_level_request_count_samples is replaced by
priority_level_request_utilization and read_vs_write_request_count_samples is replaced by read_vs_write_current_requests. If you rely on these replaced metrics, update accordingly. |
| Service account tokens are not automatically generated | The LegacyServiceAccountTokenNoAutoGeneration feature gate has been enabled. As a result, secrets containing service account tokens are no longer automatically generated. Use the TokenRequest API to acquire
service account tokens. Or if a non-expiring service account token is required, follow the Service account token Secrets guide to create one. During an upgrade to IKS version 1.25, existing service account token secrets remain in the cluster and continue to function as expected. |
Application updates required for natPortRange changes. |
Updates might be required if your app makes a lot of egress network connections from pod-network pods out to something external to the cluster. For example, if your app or has either 30,000+ of egress connections open on
a single worker node at once, or opens over 30,000 egress connections on a single worker node within a few minutes of each other. For more information, see Why am I running out of SNAT ports for egress connections from pods in my cluster?. |
| Kubernetes CSI snapshot controller installed by default | IBM Cloud Kubernetes Service now installs and manages the Kubernetes CSI snapshot controller. As a result, upgrade your storage drivers and plug-ins to versions that don't require installing their own version of the Kubernetes CSI snapshot controller. For example, see Setting up snapshots with the Block Storage for VPC add-on for instructions to enable support for VPC block storage volume snapshots. You do not need to uninstall an existing Kubernetes CSI snapshot controller install before the upgrade. However after the upgrade, IBM Cloud Kubernetes Service will take over management of the install. |
Update after master
The following table shows the actions that you must take after you update the Kubernetes master.
| Type | Description |
|---|---|
kubectl diff ignores managed fields by default |
The kubectl diff command was changed to ignore managed fields by default. A new --show-managed-fields option has been added to allow you to include managed fields in the **diff** command. If your
scripts rely on the previous behavior, update them. |