Help improve this page
Want to contribute to this user guide? Choose the Edit this page on GitHub link that is located in the right pane of every page. Your contributions will help make our user guide better for everyone.
Review release notes for Kubernetes versions on standard support
This topic gives important changes to be aware of for each Kubernetes version in standard support. When upgrading, carefully review the changes that have occurred between the old and new versions for your cluster.
Note
For 1.24
and later clusters, officially published Amazon EKS AMIs include containerd
as the only runtime. Kubernetes versions earlier than 1.24
use Docker as the default runtime. These versions have a bootstrap flag option that you can use to test out your workloads on any supported cluster with containerd
. For more information, see Migrate from dockershim to containerd.
Kubernetes 1.32
Kubernetes
1.32
is now available in Amazon EKS. For more information about Kubernetes
1.32
, see the official release announcement
Important
-
The
flowcontrol.apiserver.k8s.io/v1beta3
API version of FlowSchema and PriorityLevelConfiguration has been removed inv1.32
. If you are using these APIs, you must update your configurations to use the latest supported version before upgrading. -
ServiceAccount
metadata.annotations[kubernetes.io/enforce-mountable-secrets]
has been deprecated inv1.32
and will be removed in a future Kubernetes minor version release. It is recommended to use separate namespaces to isolate access to mounted secrets. -
Kubernetes version 1.32 is the last version for which Amazon EKS will release Amazon Linux 2 (AL2) AMIs. From v1.33 onwards, Amazon EKS will continue to release Amazon Linux 2023 (AL2023) and Bottlerocket based AMIs.
-
The Memory Manager feature has graduated to Generally Available (GA) status in Kubernetes
v1.32
. This enhancement provides more efficient and predictable memory allocation for containerized applications, particularly beneficial for workloads with specific memory requirements. -
PersistentVolumeClaims (PVCs) created by StatefulSets now include automatic cleanup functionality. When PVCs are no longer needed, they will be automatically deleted while maintaining data persistence during StatefulSet updates and node maintenance operations. This feature simplifies storage management and helps prevent orphaned PVCs in your cluster.
-
Custom Resource Field Selector functionality has been introduced, allowing developers to add field selectors to custom resources. This feature provides the same filtering capabilities available for built-in Kubernetes objects to custom resources, enabling more precise and efficient resource filtering and promoting better API design practices.
For the complete Kubernetes
1.32
changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.32.md
Anonymous authentication changes
Starting with Amazon EKS 1.32
, anonymous authentication is restricted to the following API server health check endpoints:
-
/healthz
-
/livez
-
/readyz
Requests to any other endpoint using the system:unauthenticated
user will receive a 401 Unauthorized
HTTP response. This security enhancement helps prevent unintended cluster access that could occur due to misconfigured RBAC policies.
Note
The public-info-viewer
RBAC role continues to apply for the health check endpoints listed above.
Amazon Linux 2 AMI deprecation
For Kubernetes versions 1.33 and later, EKS will not provide pre-built optimized Amazon Linux 2 (AL2) Amazon Machine Images (AMIs).
Amazon suggests adopting EKS Auto Mode, or migrating to a more recent operating system, such as Amazon Linux 2023 (AL2023) or Bottlerocket.
Note
This update applies to EKS-optimized AL2 AMIs. For more information about the operating system itself, see Amazon Linux 2 FAQs
Kubernetes 1.31
Kubernetes
1.31
is now available in Amazon EKS. For more information about Kubernetes
1.31
, see the official release announcement
Important
-
The kubelet flag
--keep-terminated-pod-volumes
deprecated since 2017 has been removed as part of thev1.31
release. This change impacts how terminated pod volumes are handled by the kubelet. If you are using this flag in your node configurations, you must update your bootstrap scripts and launch templates to remove it before upgrading.
-
The beta
VolumeAttributesClass
feature gate and API resource is enabled in Amazon EKSv1.31
. This feature allows cluster operators to modify mutable properties of Persistent Volumes (PVs) managed by compatible CSI Drivers, including the Amazon EBS CSI Driver. To leverage this feature, ensure that your CSI Driver supports theVolumeAttributesClass
feature (for the Amazon EBS CSI Driver, upgrade to versionv1.35.0
or later to automatically enable the feature). You will be able to createVolumeAttributesClass
objects to define the desired volume attributes, such as volume type and throughput, and associate them with your Persistent Volume Claims (PVCs). See the official Kubernetes documentationas well as the documentation of your CSI driver for more information. -
For more information about the Amazon EBS CSI Driver, see Store Kubernetes volumes with Amazon EBS.
-
-
Kubernetes support for AppArmor
has graduated to stable and is now generally available for public use. This feature allows you to protect your containers with AppArmor by setting the appArmorProfile.type
field in the container’ssecurityContext
. Prior to Kubernetesv1.30
, AppArmor was controlled by annotations. Starting withv1.30
, it is controlled using fields. To leverage this feature, we recommend migrating away from annotations and using theappArmorProfile.type
field to ensure that your workloads are compatible. -
The PersistentVolume last phase transition time feature has graduated to stable and is now generally available for public use in Kubernetes
v1.31
. This feature introduces a new field,.status.lastTransitionTime
, in the PersistentVolumeStatus, which provides a timestamp of when a PersistentVolume last transitioned to a different phase. This enhancement allows for better tracking and management of PersistentVolumes, particularly in scenarios where understanding the lifecycle of volumes is important.
For the complete Kubernetes
1.31
changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.31.md
Kubernetes 1.30
Kubernetes
1.30
is now available in Amazon EKS. For more information about Kubernetes
1.30
, see the official release announcement
Important
-
Starting with Amazon EKS version
1.30
or newer, any newly created managed node groups will automatically default to using Amazon Linux 2023 (AL2023) as the node operating system. Previously, new node groups would default to Amazon Linux 2 (AL2). You can continue to use AL2 by choosing it as the AMI type when creating a new node group.-
For more information about Amazon Linux, see Comparing AL2 and AL2023 in the Amazon Linux User Guide.
-
For more information about specifiying the operating system for a managed node group, see Create a managed node group for your cluster.
-
-
With Amazon EKS
1.30
, thetopology.k8s.aws/zone-id
label is added to worker nodes. You can use Availability Zone IDs (AZ IDs) to determine the location of resources in one account relative to the resources in another account. For more information, see Availability Zone IDs for your Amazon resources in the Amazon RAM User Guide. -
Starting with
1.30
, Amazon EKS no longer includes thedefault
annotation on thegp2 StorageClass
resource applied to newly created clusters. This has no impact if you are referencing this storage class by name. You must take action if you were relying on having a defaultStorageClass
in the cluster. You should reference theStorageClass
by the namegp2
. Alternatively, you can deploy the Amazon EBS recommended default storage class by setting thedefaultStorageClass.enabled
parameter to true when installingv1.31.0
or later of theaws-ebs-csi-driver add-on
. -
The minimum required IAM policy for the Amazon EKS cluster IAM role has changed. The action
ec2:DescribeAvailabilityZones
is required. For more information, see Amazon EKS cluster IAM role.
For the complete Kubernetes
1.30
changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md
Kubernetes 1.29
Kubernetes
1.29
is now available in Amazon EKS. For more information about Kubernetes
1.29
, see the official release announcement
Important
-
The deprecated
flowcontrol.apiserver.k8s.io/v1beta2
API version ofFlowSchema
andPriorityLevelConfiguration
are no longer served in Kubernetesv1.29
. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade tov1.29
.
-
The
.status.kubeProxyVersion
field for node objects is now deprecated, and the Kubernetes project is proposing to remove that field in a future release. The deprecated field is not accurate and has historically been managed bykubelet
- which does not actually know thekube-proxy
version, or even whetherkube-proxy
is running. If you’ve been using this field in client software, stop - the information isn’t reliable and the field is now deprecated. -
In Kubernetes
1.29
to reduce potential attack surface, theLegacyServiceAccountTokenCleanUp
feature labels legacy auto-generated secret-based tokens as invalid if they have not been used for a long time (1 year by default), and automatically removes them if use is not attempted for a long time after being marked as invalid (1 additional year by default). To identify such tokens, a you can run:kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-system
For the complete Kubernetes
1.29
changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280