Kubernetes 1.25 Release: 40+ New Features You Need to Know
Kubernetes 1.25 introduces over 40 enhancements across API Machinery, Apps, Authentication, Networking, Nodes, Security, Scheduling, and Storage, including beta‑graduated features, new alpha capabilities, and critical deprecations that improve safety, reliability, and flexibility for cloud‑native workloads.
API Machinery
The API Machinery SIG adds two notable enhancements. The Validation Expression Language for CustomResourceDefinitions (CRDs) is promoted to beta, allowing validation rules to be expressed directly in the CRD schema instead of using webhooks. Additionally, a new alpha feature introduces retriable and non‑retriable pod failures for Jobs via a podFailurePolicy field, enabling fine‑grained control over job pod outcomes.
Example Job spec with podFailurePolicy (the original listing used apiVersion: v1 and action: Terminate, which the API rejects; Jobs live in batch/v1, the accepted actions are FailJob, Ignore and Count, and a podFailurePolicy is only allowed when the pod template uses restartPolicy: Never):
apiVersion: batch/v1
kind: Job
metadata:
  name: example-job
spec:
  template:
    spec:
      restartPolicy: Never   # required when podFailurePolicy is set
      containers:
      - name: main-job-container
        image: job-image
        command: ["./program"]
      - name: monitoring-job-container
        image: job-monitoring
        command: ["./monitoring"]
  backoffLimit: 3
  podFailurePolicy:
    rules:
    - action: FailJob        # fail the whole Job on a non-retriable exit code from the main container
      onExitCodes:
        containerName: main-job-container
        operator: In
        values: [1, 2, 3]
    - action: Ignore         # do not count pods evicted by a disruption against backoffLimit
      onPodConditions:
      - type: DisruptionTarget
Apps
The Apps SIG focuses on deploying complex applications. Two key improvements arrive in 1.25:
Add minReadySeconds to StatefulSets (GA): A new stable field that adds a buffer period after a pod becomes ready, giving applications time to initialize before receiving traffic.
CronJob time-zone support (beta): A new spec.timeZone field lets users specify IANA time-zone identifiers, decoupling job schedules from the controller manager's host time zone.
Authentication
Removal of PodSecurityPolicy (GA): Deprecated in 1.21, PSP is fully removed. Users should migrate to the newer Pod Security Admission controller, which provides a clearer migration path.
KMS v2 improvements (alpha): Enhances key rotation automation, health checks, and observability for the external Key Management Service used to encrypt etcd data.
Networking
NetworkPolicy port ranges (GA): Introduces an endPort field to declare port ranges, simplifying rules such as allowing ports 32000-32768. Completed as a full manifest (the original showed only the spec fragment):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-port-range
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - ports:
    - protocol: TCP
      port: 32000
      endPort: 32768
Service IP static sub-range (beta): The ServiceIPStaticSubrange feature reserves part of the service IP range for static assignment, so dynamically allocated ClusterIPs do not collide with addresses that administrators assign by hand.
Nodes
Ephemeral containers (GA): Enables attaching a temporary debugging container (e.g., busybox) to a running pod without modifying the pod spec.
$ kubectl debug db-pod -it --image=busybox
cgroups v2 support (GA): Moves container resource management to the modern cgroup v2 hierarchy, improving security and compatibility with rootless containers.
Configurable grace period in probes (GA): Adds terminationGracePeriodSeconds to liveness probes, separating container termination timing from pod-level termination.
Seccomp defaulting (beta): Seccomp profiles are applied by default to containers that do not set one, reducing the syscall surface available to exploits of kernel CVEs and zero-day bugs.
CPUManager align-by-socket policy (alpha): Introduces an alignment strategy that groups CPUs by socket rather than NUMA node, optimizing CPU allocation for certain workloads.
Security
Automatic refresh of official CVE sources (alpha): An automation that tags issues and pull requests related to CVEs, helping maintainers and platform providers surface relevant security information.
Scheduling
Respect PodTopologySpread after rolling updates (alpha): Ensures that PodTopologySpread constraints are honored during rolling upgrades, improving pod distribution and availability across zones and nodes.
Storage
Local temporary storage capacity isolation (GA): Provides per-pod isolation for temporary storage, preventing pods from unknowingly consuming each other's space.
In-tree storage plugins migration to CSI (GA): Deprecates several in-tree drivers (e.g., GlusterFS, Portworx) and removes others (Flocker, Quobyte, StorageOS), while migrating supported drivers (AWS EBS, GCE PD, vSphere) to CSI.
  Deprecate: GlusterFS, Portworx
  Remove: Flocker, Quobyte, StorageOS
  Migrate to CSI: AWS EBS, GCE PD, vSphere
Retrospective default StorageClass assignment (alpha): Changes default behavior so that a PVC without an explicit StorageClass can inherit a default class retroactively when the cluster's default changes.
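The PodSecurityPolicy removal in the Authentication section and the in-tree volume plugin removals above both break existing manifests on upgrade. The following pre-upgrade audit is an added example, not code from the article or the Kubernetes project: it walks the objects returned by kubectl get ... -o json (here a constructed sample list stands in for cluster output) and flags PSP objects, removed or deprecated volume plugins, and Jobs whose podFailurePolicy will be rejected because the pod template does not use restartPolicy: Never.

```python
import json

# Volume plugins the 1.25 notes list as removed from the tree / as deprecated.
REMOVED_VOLUME_TYPES = {"flocker", "quobyte", "storageos"}
DEPRECATED_VOLUME_TYPES = {"glusterfs", "portworxVolume"}


def pod_spec_of(obj):
    """Return the pod spec embedded in a workload object (or a bare Pod's own spec)."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def audit(objects):
    """Return (severity, message) findings for the objects of a `kubectl get ... -o json` list."""
    findings = []
    for obj in objects:
        kind, name = obj.get("kind"), obj.get("metadata", {}).get("name", "?")
        if kind == "PodSecurityPolicy":
            findings.append(("error", f"PodSecurityPolicy {name}: removed in 1.25, migrate to Pod Security Admission"))
            continue
        pod_spec = pod_spec_of(obj)
        for vol in pod_spec.get("volumes", []):
            for vtype in vol:  # a volume has a "name" key plus exactly one plugin key
                if vtype in REMOVED_VOLUME_TYPES:
                    findings.append(("error", f"{kind} {name}: volume {vol.get('name')} uses removed plugin {vtype}"))
                elif vtype in DEPRECATED_VOLUME_TYPES:
                    findings.append(("warn", f"{kind} {name}: volume {vol.get('name')} uses deprecated plugin {vtype}"))
        # The API only accepts podFailurePolicy on Jobs whose pod template uses restartPolicy: Never.
        if kind == "Job" and "podFailurePolicy" in obj.get("spec", {}) and pod_spec.get("restartPolicy") != "Never":
            findings.append(("error", f"Job {name}: podFailurePolicy requires template restartPolicy: Never"))
    return findings


# Constructed sample standing in for the `.items` array of `kubectl get ... -A -o json`.
SAMPLE_OBJECTS = json.loads("""[
 {"kind": "PodSecurityPolicy", "metadata": {"name": "restricted"}},
 {"kind": "Deployment", "metadata": {"name": "legacy-web"},
  "spec": {"template": {"spec": {"volumes": [{"name": "data", "flocker": {"datasetName": "web"}}]}}}},
 {"kind": "Job", "metadata": {"name": "batch-1"},
  "spec": {"podFailurePolicy": {"rules": []}, "template": {"spec": {"restartPolicy": "OnFailure"}}}},
 {"kind": "StatefulSet", "metadata": {"name": "db"},
  "spec": {"template": {"spec": {"volumes": [{"name": "vol", "glusterfs": {"endpoints": "g", "path": "p"}}]}}}}
]""")
```

Run audit(SAMPLE_OBJECTS) to see four findings; against a real cluster, feed it the .items array of each workload kind plus PodSecurityPolicy and treat any "error" as a blocker for the upgrade.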
Conclusion
Kubernetes 1.25 aims to make the platform safer, more reliable, and more flexible. Users should review the official release notes and upgrade guides to adopt these enhancements and ensure their clusters are up‑to‑date.
Original article: https://medium.com/@jonathan_37674/kubernetes-version-1-25-everything-you-should-know-92fc1e02b5bd