Kubernetes v1.24.0-alpha.4 is live!

Skip to first unread message

Nabarun Pal

Mar 22, 2022, 9:22:41 AM3/22/22
to kubernetes-announce, dev
Kubernetes Community,

Kubernetes v1.24.0-alpha.4 has been built and pushed using Golang version 1.18.

The release notes have been updated in CHANGELOG-1.24.md, with a pointer to them on GitHub:


Downloads for v1.24.0-alpha.4

Source Code

filename sha512 hash
kubernetes.tar.gz 951531e83aed1aaaf6df424e195a913aa7c6faf9aae4f4b55970b37bc223727201088011f5ed35b988aca36e30b8cea75f6a666721b2c52d672c6c8406d3d9c4
kubernetes-src.tar.gz c715efaa416a7fe208188bf01f40c34e559cf1c2ed6b153eb843563398ec05b1b4574219bb9a4a548e5f726c30d0739753c7a8086837c0ffeee8f2053a6c463b

Client Binaries

filename sha512 hash
kubernetes-client-darwin-amd64.tar.gz dd7d18c1babbc2fcbe481f8e41335cadcd9274b27f05c2d3ded19e820e9b8cc55be72eb2cc404afeea8107c503731cd62b0684533582bfb05b3b58b74d8c091e
kubernetes-client-darwin-arm64.tar.gz 0ce731610736b3ed26ac0aa9f193cd76adee1e7d34e4dcfb233dbcb83fcd8620e13371ec9583629bb8a404506c779e8f51415756049849c11c230cec475cfbe4
kubernetes-client-linux-386.tar.gz bc5e071407dd994bfa45788e4aa395d23e0a3c0431703804db910dc76eea9cff2ff3d02046e4ead8b04c7bec0d148cdd1332f9951a4b546a32b6f3ca2c8e839d
kubernetes-client-linux-amd64.tar.gz 2e52b5d5b7852f1d61a7d03bbcf2d20967846f3295501b32014ed99db0694868a5f67e8ea835d58bd6835d1dcba9bdfba4418f10669a71a8859f7768037fe4c9
kubernetes-client-linux-arm.tar.gz 6210c9e5a0327b483fa243b88be0f9afeec36c435c0e001bc25360204ea32ebddf98d4dfdf42b93cad683665ad7976706214abfc84f479c0e47f26d971a9752b
kubernetes-client-linux-arm64.tar.gz acba30ad585a11e1a875660556118fb449a2e2e92c19d647c030323bbb3f265face715bda90e67458fbd3272fe2c23abad5dfd712874a5c1a232017ca8747984
kubernetes-client-linux-ppc64le.tar.gz 9336988dd0933424f70772b21d17a8c798965abbb77722dec58b3a92da8e6ab2f2dcf8702def7f0d4498b9f76a90dcb6af316650569328cc2f988c015ba9c9b7
kubernetes-client-linux-s390x.tar.gz d073aa8ad2ee476b12ae1fabcc762d514a01dab18e3e0afb27396e4d2d77bc9091858146c30c8906e9e577411386c009fa591b2f667765dabf5df04c57330f4b
kubernetes-client-windows-386.tar.gz 4096d1de90320c4ad68abf7458eb3d57e6e4e8603a430e0109d4b3e1086a8784f284adc567bd99b063e928e7090d60d17491e528416a7e99c39a00aae7679e9e
kubernetes-client-windows-amd64.tar.gz e86cc5e6817f5defbc344958ca88c5d0272d65449bf9bedf95a4588ba188d1c1b870c71513fdbf8159d8bce9b7d3026c37f18c42f60649225d542ab6c545f842
kubernetes-client-windows-arm64.tar.gz bcac6d5daeb604857feff355a6e999ae7f64d748a4c9ecb4393282b6a6ad488bbb43f770de86e173bd2299b18cc98bb9f1690664dc8857753a2f625cc82b15a2

Server Binaries

filename sha512 hash
kubernetes-server-linux-amd64.tar.gz d511b8ab8d3ecb70f35f472a25de8d3b301d384e347f5aedcaeb286e82f264c8715bd87ac9dbf8474c431c6d10290d49b6b2e92cba9bbfe8b6f0af8f11e434e3
kubernetes-server-linux-arm.tar.gz 2b2f4f596675ac3871f0f8ba12f619e550395c3ac40cf3c26b8b5aab4f0a9c0e5b30398bcb9aaf5c5e717ba0eb53e317f01d9f6ff4c37c8a8f2bd644a864b43c
kubernetes-server-linux-arm64.tar.gz 4da262bb6112ae5a8bf0b65659a8a15fda17fdeab4935f137e7680bef03e6262b7db57cea2db6c1a143ef43ca3346d845bba3e1fa97ca0dba7e3769d333310b4
kubernetes-server-linux-ppc64le.tar.gz e64aa2f04c46deef946a88a87449dd46f6cbc5ee7cf4662ba6f455877c4bdc3527edeb8eb861e56fe458d8e49d933db5c4a485b587252ee6f55b7751f01c62cd
kubernetes-server-linux-s390x.tar.gz 75a4ad3e091709ff2e8ac04f7a7af2999527322a9e857a41985413080a01c5989208648765617ee8bfbc00b462831f3dea5fc512228bda4fcebb45055417c2f7

Node Binaries

filename sha512 hash
kubernetes-node-linux-amd64.tar.gz 1593bd6ced1aa42e1834a6e049d257a298c7964c706ac07f57d087271e5a4d13866fadc36661affa078bc64f91a7058666fe85879d1d339015e3637669c4c8c6
kubernetes-node-linux-arm.tar.gz 883a6b24e134d825330baf1805d563f94300fa060b3c978da9138bba174059b604e28c115437673b0411fbb38e3a7949b99a7089da716ef9a482386dc0b45ca4
kubernetes-node-linux-arm64.tar.gz d317105d7ef00696cc27660a871f181a319fcf2d4c1f19a88091f8c7d2bbfbd0a9a4ac8f0fa1e28e432df6ea1215848e23e002eb7f7f51b1f01b67d4acaaaa5a
kubernetes-node-linux-ppc64le.tar.gz 01bd08aabd58aee0db6b1e376e76d741d2ebd592995407a47cb315f73c2a5b311a540ae620eb4471eb2aea74c13162107f299efe98c15e5ec6948d9d3e1cd378
kubernetes-node-linux-s390x.tar.gz 81cd8e22010cab4cabefb4e2a879a61dd1d5d057ec15bb3b98d5aa5e79820abf0a650cb7c667d7fb38afd9c851a5043df8a148e303a77da2ed14a69a7747c18e
kubernetes-node-windows-amd64.tar.gz 033527ea64ddc4d4f166ebee9e171958fd8b25f1f515c736fe820ae1e7c763b1a79e402e2f8446a216582dda23564dd810bed064d35e8652d27bc51dca224e10

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name architectures
k8s.gcr.io/conformance:v1.24.0-alpha.4 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-apiserver:v1.24.0-alpha.4 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-controller-manager:v1.24.0-alpha.4 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-proxy:v1.24.0-alpha.4 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-scheduler:v1.24.0-alpha.4 amd64, arm, arm64, ppc64le, s390x

Changelog since v1.24.0-alpha.3

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide. (#108309, @zshihang) [SIG API Machinery, Apps, Auth and Testing]

Changes by Kind


  • --pod-infra-container-image kubelet flag is deprecated and will be removed in future releases (#108045, @hakman) [SIG Node]
  • Client.authentication.k8s.io/v1alpha1 ExecCredential has been removed. If you are using a client-go credential plugin that relies on the v1alpha1 API please contact the distributor of your plugin for instructions on how to migrate to the v1 API. (#108616, @margocrawf) [SIG API Machinery and Auth]
  • Remove deprecated feature gates ValidateProxyRedirects and StreamingProxyRedirects (#106830, @pacoxu) [SIG API Machinery]
  • The node.k8s.io/v1alpha1 RuntimeClass API is no longer served. Use the node.k8s.io/v1 API version, available since v1.20 (#103061, @SergeyKanzhelev) [SIG API Machinery, CLI, Node and Testing]

API Change

  • Add 2 new options for kube-proxy running in winkernel mode. --forward-healthcheck-vip, if specified as true, health check traffic whose destination is service VIP will be forwarded to kube-proxy's healthcheck service. --root-hnsendpoint-name specifies the name of the hns endpoint for the root network namespace. This option enables the pass-through load balancers like Google's GCLB to correctly health check the backend services. Without this change, the health check packets is dropped, and Windows node will be considered to be unhealthy by those load balancers. (#99287, @anfernee) [SIG API Machinery, Cloud Provider, Network, Testing and Windows]
  • Added CEL runtime cost calculation into CustomerResource validation. CustomerResource validation will fail if runtime cost exceeds the budget. (#108482, @cici37) [SIG API Machinery]
  • CRD writes will generate validation errors if a CEL validation rule references the identifier "oldSelf" on a part of the schema that does not support it. (#108013, @benluddy) [SIG API Machinery]
  • Feature of DefaultPodTopologySpread is graduated to GA (#108278, @kerthcet) [SIG Scheduling]
  • Feature of PodOverhead is graduated to GA (#108441, @pacoxu) [SIG API Machinery, Apps, Node and Scheduling]
  • Fixes a regression in v1beta1 PodDisruptionBudget handling of "strategic merge patch"-type API requests for the selector field. Prior to 1.21, these requests would merge matchLabels content and replace matchExpressions content. In 1.21, patch requests touching the selector field started replacing the entire selector. This is consistent with server-side apply and the v1 PodDisruptionBudget behavior, but should not have been changed for v1beta1. (#108138, @liggitt) [SIG Apps, Auth and Testing]
  • Kube-apiserver: --audit-log-version and --audit-webhook-version now only support the default value of audit.k8s.io/v1. The v1alpha1 and v1beta1 audit log versions, deprecated since 1.13, have been removed. (#108092, @carlory) [SIG API Machinery, Auth and Testing]
  • Pod-affinity namespace selector and cross-namespace quota graduated to GA. The feature gate PodAffinityNamespaceSelector is locked and will be removed in 1.26. (#108136, @ahg-g) [SIG API Machinery, Apps, Scheduling and Testing]
  • Suspend job to GA. The feature gate SuspendJob is locked and will be removed in 1.26. (#108129, @ahg-g) [SIG Apps and Testing]
  • The CertificateSigningRequest spec.expirationSeconds API field has graduated to GA. The CSRDuration feature gate for the field is now unconditionally enabled and will be removed in 1.26. (#108782, @cfryanr) [SIG API Machinery, Apps, Auth, Instrumentation and Testing]
  • TopologySpreadConstraints includes minDomains field to limit the minimum number of topology domains. (#107674, @sanposhiho) [SIG API Machinery, Apps and Scheduling]


  • Add a deprecated cmd flag for the time interval between flushing pods from unschedualbeQ to activeQ or backoffQ. (#108017, @denkensk) [SIG Scheduling]
  • Add one metrics(kubelet_volume_stats_health_abnormal) of volume health state to kubelet (#105585, @fengzixu) [SIG Instrumentation, Node, Storage and Testing]
  • Add the metric container_oom_events_total to kubelet's cAdvisor metric endpoint. (#108004, @jonkerj) [SIG Node]
  • Added support for btrfs resizing (#108561, @RomanBednar) [SIG Storage]
  • CRD x-kubernetes-validations rules now support the CEL functions: isSorted, sum, min, max, indexOf, lastIndexOf, find and findAll. (#108312, @jpbetz) [SIG API Machinery]
  • Client-go metrics: change bucket distribution for rest_client_request_duration_seconds and rest_client_rate_limiter_duration_seconds from [0.001, 0.002, 0.004, 0.008, 0.016, 0.032, 0.064, 0.128, 0.256, 0.512] to [0.005, 0.025, 0.1, 0.25, 0.5, 1.0, 2.0, 4.0, 8.0, 15.0, 30.0, 60.0}] (#106911, @aojea) [SIG API Machinery, Architecture and Instrumentation]
  • Client-go: add new histogram metric to record the size of the requests and responses. (#108296, @aojea) [SIG API Machinery, Architecture and Instrumentation]
  • Cluster/gce/gci/configure.sh now supports downloading crictl on ARM64 nodes (#108034, @tstapler) [SIG Cloud Provider]
  • Env var for additional cli flags used in the csi-proxy binary when a Windows nodepool is created with kube-up.sh (#107806, @mauriciopoppe) [SIG Cloud Provider and Windows]
  • Increase default value of discovery cache TTL for kubectl to 6 hours. (#107141, @mk46) [SIG CLI]
  • Introduce policy to allow the HPA to consume the external.metrics.k8s.io API group. (#104244, @dgrisonnet) [SIG Auth, Autoscaling and Instrumentation]
  • Kubeadm: apply "second stage" of the plan to migrate kubeadm away from the usage of the word "master" in labels and taints. For new clusters, the label "node-role.kubernetes.io/master" will no longer be added to control plane nodes, only the label "node-role.kubernetes.io/control-plane" will be added. For clusters that are being upgraded to 1.24 with "kubeadm upgrade apply", the command will remove the label "node-role.kubernetes.io/master" from existing control plane nodes. For new clusters, both the old taint "node-role.kubernetes.io/master:NoSchedule" and new taint "node-role.kubernetes.io/control-plane:NoSchedule" will be added to control plane nodes. In release 1.20 ("first stage"), a release note instructed to preemptively tolerate the new taint. For clusters that are being upgraded to 1.24 with "kubeadm upgrade apply", the command will add the new taint "node-role.kubernetes.io/control-plane:NoSchedule" to existing control plane nodes. Please adapt your infrastructure to these changes. In 1.25 the old taint "node-role.kubernetes.io/master:NoSchedule" will be removed. (#107533, @neolit123) [SIG Cluster Lifecycle and Testing]
  • Kubeadm: better surface errors during "kubeadm upgrade" when waiting for the kubelet to restart static pods on control plane nodes (#108315, @Monokaix) [SIG Cluster Lifecycle]
  • Kubeadm: improve the strict parsing of user YAML/JSON configuration files. Next to printing warnings for unknown and duplicate fields (current state), also print warnings for fields with incorrect case sensitivity - e.g. "controlPlaneEndpoint" (valid), "ControlPlaneEndpoint" (invalid). Instead of only printing warnings during "init" and "join" also print warnings when downloading the ClusterConfiguration, KubeletConfiguration or KubeProxyConfiguration objects from the cluster. This can be useful if the user has patched these objects in their respective ConfigMaps with mistakes. (#107725, @neolit123) [SIG Cluster Lifecycle]
  • Kubelet: add kubelet_volume_metric_collection_duration_seconds metrics for volume disk usage calculation duration (#107201, @pacoxu) [SIG Instrumentation, Node and Storage]
  • Kubernetes in now built with go1.18rc1 (#107105, @justaugustus) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node, Release, Storage and Testing]
  • No (#108432, @iXinqi) [SIG Testing and Windows]
  • PreFilter extension in the scheduler framework now returns not only status but also PreFilterResult (#108648, @ahg-g) [SIG Scheduling, Storage and Testing]
  • Remove the deprecated flag --experimental-check-node-capabilities-before-mount. With CSI now GA, there is a better alternative. Remove any use of --experimental-check-node-capabilities-before-mount from your kubelet scripts or manifests. (#104732, @mengjiao-liu) [SIG Apps, Cloud Provider, Node and Storage]
  • Set PodMaxUnschedulableQDuration as 5 min. (#108761, @denkensk) [SIG Scheduling]
  • Support in-tree PV deletion protection finalizer. (#108400, @deepakkinni) [SIG Apps and Storage]
  • The .spec.loadBalancerClass field for Services is now generally available. (#107979, @XudongLiuHarold) [SIG Cloud Provider, Network and Testing]
  • Turn on CSIMigrationAzureFile by default on 1.24 (#105070, @andyzhangx) [SIG Cloud Provider]
  • When invoked with -list-images, the e2e.test binary now also lists the images that might be needed for storage tests. (#108458, @pohly) [SIG Testing]

Bug or Regression

  • fails for unexpected extra arguments (#107967, @jlsong01) [SIG CLI]
  • Bug: client-go clientset was not defaulting the user agent, using the default golang agent for all the requests. (#108772, @aojea) [SIG API Machinery and Instrumentation]
  • Bump sigs.k8s.io/apiserver-network-proxy/konnectiv...@v0.0.30 to fix a goroutine leak in kube-apiserver when using egress selctor with the gRPC mode. (#108437, @andrewsykim) [SIG API Machinery, Auth and Cloud Provider]
  • Existing InTree AzureFile PVs which don't have a secret namespace defined will now work properly after enabling CSI migration - the namespace will be obtained from ClaimRef. (#108000, @RomanBednar) [SIG Cloud Provider and Storage]
  • Fix a bug in attachdetach controller that didn't properly handle kube-apiserver errors leading to stuck attachments/detachments. (#108167, @jfremy) [SIG Apps]
  • Fix a bug that out-of-tree plugin is misplaced when using scheduler v1beta3 config (#108613, @Huang-Wei) [SIG Scheduling and Testing]
  • Fix container creation errors for pods with cpu requests bigger than 256 cpus (#106570, @odinuge) [SIG Node]
  • Fix to allow fsGroup to be applied for CSI Inline Volumes (#108662, @dobsonj) [SIG Storage]
  • Fix: do not return early in the node informer when there is no change of the topology label. (#108149, @nilo19) [SIG Cloud Provider]
  • Fixed a bug that caused credentials in an exec plugin to override the static certificates set in a kubeconfig. (#107410, @margocrawf) [SIG API Machinery, Auth and Testing]
  • Fixed a regression that could incorrectly reject pods with OutOfCpu errors if they were rapidly scheduled after other pods were reported as complete in the API. The Kubelet now waits to report the phase of a pod as terminal in the API until all running containers are guaranteed to have stopped and no new containers can be started. Short-lived pods may take slightly longer (~1s) to report Succeeded or Failed after this change. (#108366, @smarterclayton) [SIG Apps, Node and Testing]
  • Fixes a bug where a partial EndpointSlice update could cause node name information to be dropped from endpoints that were not updated. (#108198, @liggitt) [SIG Network]
  • Fixes bug in CronJob Controller V2 where it would lose track of jobs upon job template labels change. (#107997, @d-honeybadger) [SIG Apps]
  • Improved logging when volume times out waiting for attach/detach. (#108628, @RomanBednar) [SIG Storage]
  • Increase Azure ACR credential provider timeout (#108209, @andyzhangx) [SIG Cloud Provider]
  • Kube-apiserver: ensures the namespace of objects sent to admission webhooks matches the request namespace. Previously, objects without a namespace set would have the request namespace populated after mutating admission, and objects with a namespace that did not match the request namespace would be rejected after admission. (#94637, @liggitt) [SIG API Machinery and Testing]
  • Kube-apiserver: removed apf_fd from server logs which could contain data identifying the requesting user (#108631, @jupblb) [SIG API Machinery]
  • Kube-proxy in iptables mode now only logs the full iptables input at -v=9 rather than -v=5. (#108224, @danwinship) [SIG Network]
  • Kube-proxy will no longer hold service node ports open on the node. Users are still advised not to run any listener on node ports range used by kube-proxy. (#108496, @khenidak) [SIG Network]
  • Kubeadm: fix a bug when using "kubeadm init --dry-run" with certificate authority files (ca.key / ca.crt) present in /etc/kubernetes/pki) (#108410, @Haleygo) [SIG Cluster Lifecycle]
  • Kubeadm: fix a bug where Windows nodes fail to join an IPv6 cluster due to preflight errors (#108769, @SataQiu) [SIG Cluster Lifecycle]
  • Kubelet don't forcefully close active connections on heartbeat failures, using the http2 health check mechanism to detect broken connections. Users can force the previous behavior of the kubelet by setting the environment variable DISABLE_HTTP2. (#108107, @aojea) [SIG API Machinery and Node]
  • Prevent unnecessary Endpoints and EndpointSlice updates caused by Pod ResourceVersion change (#108078, @tnqn) [SIG Apps and Network]
  • Print as the value in case kubectl describe ingress shows default-backend:80 when no default backend is present (#108506, @jlsong01) [SIG CLI]
  • Replace the url label of rest_client_request_duration_seconds and rest_client_rate_limiter_duration_seconds metrics with a host label to prevent cardinality explosions and keep only the useful information. This is a breaking change required for security reasons. (#106539, @dgrisonnet) [SIG Instrumentation]
  • The TopologyAwareHints feature gate is now enabled by default. This will allow users to opt-in to Topology Aware Hints by setting the service.kubernetes.io/topology-aware-hints on a Service. This will not affect any Services without that annotation set. (#108747, @robscott) [SIG Network]
  • This code change fixes the bug that UDP services would trigger unnecessary LoadBalancer updates. The root cause is that a field not working for non-TCP protocols is considered. ref: https://github.com/kubernetes-sigs/cloud-provider-azure/pull/1090 (#107981, @lzhecheng) [SIG Cloud Provider]
  • Topology translation of in-tree vSphere volume to vSphere CSI. (#108611, @divyenpatel) [SIG Storage]

Other (Cleanup or Flake)

  • API server's deprecated --deserialization-cache-size flag is now removed. (#108448, @ialidzhikov) [SIG API Machinery]
  • API server's deprecated --experimental-encryption-provider-config flag is now removed. Adapt your machinery to use the --encryption-provider-config flag that is available since v1.13. (#108423, @ialidzhikov) [SIG API Machinery]
  • API server's deprecated --target-ram-mb flag is now removed. (#108457, @ialidzhikov) [SIG API Machinery, Cloud Provider, Scalability and Testing]
  • Endpoints and EndpointSlice controllers no longer populate resourceVersion of targetRef in Endpoints and EndpointSlices (#108450, @tnqn) [SIG Apps and Network]
  • Improve error message when applying CRDs before the CRD exists in a cluster (#107363, @eddiezane) [SIG CLI]
  • Improved algorithm for selecting "best" non-preferred hint in the TopologyManager (#108154, @klueska) [SIG Node]
  • Kube-proxy doesn't set the sysctl net.ipv4.conf.all.route_localnet=1 if no IPv4 loopback address is selected by the nodePortAddresses configuration parameter. (#107684, @aojea) [SIG Network]
  • Remove support for node-expansion between node-stage and node-publish (#108614, @gnufied) [SIG Storage]
  • The WarningHeaders feature gate that is GA since v1.22 is unconditionally enabled, and can no longer be specified via the --feature-gates argument. (#108394, @ialidzhikov) [SIG API Machinery]
  • The e2e.test binary supports a new --kubelet-root parameter to override the default /var/lib/kubelet path. CSI storage tests use this. (#108253, @pohly) [SIG Node, Storage and Testing]
  • The scheduler framework option runAllFilters is removed. (#108829, @kerthcet) [SIG Scheduling]
  • Windows Pause no longer has support for SAC releases 1903, 1909, 2004. Windows image support is now Ltcs 2019 (1809), 20H2, LTSC 2022 (#107056, @jsturtevant) [SIG Windows]
  • kube-addon-manager image version is bumped to 9.1.6 (#108341, @zshihang) [SIG Cloud Provider, Scalability and Testing]





Contributors, the CHANGELOG-1.24.md has been bootstrapped with v1.24.0-alpha.4 release notes and you may edit now as needed.

Published by your Kubernetes Release Managers.

Reply all
Reply to author
0 new messages