1.22 version information and update actions
This version is no longer supported. Update your cluster to a supported version as soon as possible.
Review information about version 1.22 of IBM Cloud® Kubernetes Service, released 29 Sept 2021.
IBM Cloud Kubernetes Service is a Certified Kubernetes product for version 1.22 under the CNCF Kubernetes Software Conformance Certification program. Kubernetes® is a registered trademark of The Linux Foundation in the United States and other countries, and is used pursuant to a license from The Linux Foundation.
For more information about Kubernetes project version 1.22, see the Kubernetes change log.
Release timeline
The following table includes the expected release timeline for version 1.22 of IBM Cloud® Kubernetes Service. You can use this information for planning purposes, such as to estimate the general time that the version might become unsupported.
Dates that are marked with a dagger (†
) are tentative and subject to change.
Version | Supported? | Release date | Unsupported date |
---|---|---|---|
1.22 | Yes | 29 Sept 2021 | 14 Dec 2022 † |
Preparing to update
This information summarizes updates that are likely to have and impact on deployed apps when you update a cluster to version 1.22. For a complete list of changes, review the community Kubernetes change log and IBM version change log for version 1.22. You can also review the Kubernetes helpful warnings.
Review Security Bulletin: IBM Cloud Kubernetes Service is affected by an endpoint resource security design flaw in Kubernetes (CVE-2021-25740)before updating.
Update before master
The following table shows the actions that you must take before you update the Kubernetes master.
Type | Description |
---|---|
Unsupported: Beta versions of PriorityClass API |
Migrate manifests and API clients to use the scheduling.k8s.io/v1 API version, available since Kubernetes version 1.14. For more information, see Deprecated API Migration Guide - v1.22. |
Unsupported: Beta versions of ClusterRole , ClusterRoleBinding , Role , and RoleBinding APIs |
Migrate manifests and API clients to use the rbac.authorization.k8s.io/v1 API version, available since Kubernetes version 1.8. For more information, see Deprecated API Migration Guide - v1.22. |
Unsupported: Beta versions of ValidatingWebhookConfiguration and MutatingWebhookConfiguration APIs |
Migrate manifests and API clients to use the admissionregistration.k8s.io/v1 API version, available since Kubernetes version 1.16. For more information, see Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know. |
Unsupported: Beta version of CustomResourceDefinition API |
Migrate manifests and API clients to use the apiextensions.k8s.io/v1 API version, available since Kubernetes version 1.16. For more information, see Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know. |
Unsupported: Beta version of APIService API |
Migrate manifests and API clients to use the apiregistration.k8s.io/v1 API version, available since Kubernetes version 1.10. For more information, see Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know. |
Unsupported: Beta version of TokenReview API |
Migrate manifests and API clients to use the authentication.k8s.io/v1 API version, available since Kubernetes version 1.10. For more information, see Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know. |
Unsupported: Beta versions of SubjectAccessReview , LocalSubjectAccessReview , SelfSubjectAccessReview APIs |
Migrate manifests and API clients to use the authorization.k8s.io/v1 API version, available since Kubernetes version 1.6. For more information, see Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know. |
Unsupported: Beta version of CertificateSigningRequest API |
Migrate manifests and API clients to use the certificates.k8s.io/v1 API version, available since Kubernetes version 1.19. For more information, see Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know. |
Unsupported: Beta version of Lease API |
Migrate manifests and API clients to use the coordination.k8s.io/v1 API version, available since Kubernetes version 1.14. For more information, see Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know. |
Unsupported: Beta versions of Ingress API |
Migrate manifests and API clients to use the networking.k8s.io/v1 API version, available since Kubernetes version 1.19. For more information, see Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know. |
Unsupported: IBM Cloud Kubernetes Ingress Controller | As of 1 Jun 2021, the IBM Cloud Kubernetes Ingress Controller is no longer supported on IBM Cloud Kubernetes Service. Migrate your IBM Cloud Kubernetes Ingress Controller based ALBs to the Kubernetes Ingress Controller. |
Ingress |
Kubernetes 1.22 supports Ingress and IngressClass resources with
|
Unsupported: Service service.alpha.kubernetes.io/tolerate-unready-endpoints annotation |
Services no longer support the service.alpha.kubernetes.io/tolerate-unready-endpoints annotation. The annotation has been deprecated since Kubernetes version 1.11 and has been replaced by the spec.publishNotReadyAddresses field. If your services rely on this annotation, update them to use the spec.publishNotReadyAddresses field instead. For more information on this field, see DNS for Services and Pods. |
Update after master
The following table shows the actions that you must take after you update the Kubernetes master.
Type | Description |
---|---|
Endpoint Security Mitigation | Kubernetes cluster role system:aggregate-to-edit has removed endpoints permissions as a security mitigation for CVE-2021-25740.
If your cluster does not require any customizations to the system:aggregate-to-edit cluster role, besides removing the endpoints permission, allow Kubernetes to reconcile the permissions by running the kubectl annotate --overwrite clusterrole/system:aggregate-to-edit rbac.authorization.kubernetes.io/autoupdate=true command. Subsequent cluster master operations (for example, ibmcloud ks cluster master refresh ) will then ensure the permissions are reconciled by Kubernetes. |
Unsupported: kubectl autoscale removes --generator option |
The kubectl austoscale no longer uses the deprecated --generator option. If your scripts rely on this option, update them. |
Unsupported: kubectl create deployment removes --generator option |
The kubectl create deployment command no longer uses the deprecated --generator option. If your scripts rely on this option, update them. |
system:aggregate-to-edit write access for Endpoints API |
The system:aggregate-to-edit role no longer includes write access to the Endpoints API. Existing clusters that are upgraded to Kubernetes 1.22 are not impacted. However, in new Kubernetes 1.22 clusters, the Editor and Administrator
roles don't have write access to the Endpoints API. For more information on retaining this access in newly created 1.22 clusters, see Write access for Endpoints. This update is a mitigation for CVE-2021-25740. |