What’s New in Kubernetes 1.22? Key Features, Deprecations, and Upgrade Guide

Removal of Deprecated APIs

Kubernetes 1.22 removes a series of beta APIs that must be migrated before upgrading: ValidatingWebhookConfiguration and MutatingWebhookConfiguration (admissionregistration.k8s.io/v1beta1 → admissionregistration.k8s.io/v1) CustomResourceDefinition (apiextensions.k8s.io/v1beta1 → apiextensions.k8s.io/v1) APIService (apiregistration.k8s.io/v1beta1 → apiregistration.k8s.io/v1) TokenReview (authentication.k8s.io/v1beta1 → authentication.k8s.io/v1) SubjectAccessReview, LocalSubjectAccessReview, SelfSubjectAccessReview (authorization.k8s.io/v1beta1 → authorization.k8s.io/v1) CertificateSigningRequest (certificates.k8s.io/v1beta1 → certificates.k8s.io/v1) Lease (coordination.k8s.io/v1beta1 → coordination.k8s.io/v1)

All beta Ingress (extensions/v1beta1 and networking.k8s.io/v1beta1 → networking.k8s.io/v1)

Use kubectl convert to automate the migration, e.g.:

kubectl convert -f ./legacy-ingress.yaml --output-version networking.k8s.io/v1

Kubernetes Release Cycle Changes

Due to COVID‑19, the release cadence changed from four to three releases per year starting April 2021. The 2022 schedule includes releases 1.24 (weeks 1 and 15), 1.25 (weeks 17 and 32), and 1.26 (weeks 34 and 49).

client-go Credential Plugin GA

The client‑go credential plugin, beta since 1.11, reaches GA in 1.22. Many bugs are fixed, interactive login is improved, and cloud‑provider plugins such as Azure’s have moved to independent implementations (e.g., kubelogin).

Pod Security Policy Replacement

PodSecurityPolicy is deprecated in 1.21. 1.22 introduces the built‑in Pod Security Admission controller with three standards:

Privileged : unrestricted, allows known privilege escalations.

Baseline : minimal restrictions, prevents known privilege escalations, allows default pod configurations.

Restricted : strict policy following current pod hardening best practices.

Server‑Side Apply GA

Server‑Side Apply enables declarative configuration of resources, allowing clients to submit a complete desired state that the server creates or updates.

CSI Sub‑features GA

CSI Windows and CSI Service Account Token become GA in 1.22. CSI Windows uses CSIProxy to proxy privileged operations from Linux nodes, enabling non‑privileged CSI plugins on Windows. The Service Account Token feature lets CSI plugins use the pod‑bound service‑account token instead of privileged keys.

Memory QoS (Alpha)

Previously, QoS only covered CPU. 1.22 adds cgroups v2 support with memory.min and memory.high to provide memory QoS. Example paths:

// Container
/cgroup2/kubepods/pod<UID>/<container-id>/memory.min=pod.spec.containers[i].resources.requests[memory]
/cgroup2/kubepods/pod<UID>/<container-id>/memory.high=(pod.spec.containers[i].resources.limits[memory]/node allocatable memory)*memory throttling factor // Burstable

// Pod
/cgroup2/kubepods/pod<UID>/memory.min=sum(pod.spec.containers[i].resources.requests[memory])

// QoS ancestor cgroup
/cgroup2/kubepods/burstable/memory.min=sum(pod[i].spec.containers[j].resources.requests[memory])

Seccomp Default Policy (Alpha)

Kubelet 1.22 adds the SeccompDefault alpha feature, making RuntimeDefault the default Seccomp profile for all pods, significantly improving cluster security.

Windows Privileged Containers (Alpha)

1.22 introduces Windows HostProcess containers (enabled via WindowsHostProcessContainers feature), allowing privileged workloads on Windows nodes without extra agents. Example pod spec:

spec:
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: "NT AUTHORITY\\Local service"
  hostNetwork: true
  containers:
  - name: test
    image: image1:latest
    command:
    - ping
    - -t
    - 127.0.0.1
  nodeSelector:
    "kubernetes.io/os": windows

HostProcess requires containerd 1.5.4 or newer on Windows nodes.

Other Major Features

etcd upgraded to 3.5.0, bringing security, performance, and monitoring improvements.

StreamingProxyRedirects deprecated and disabled by default, removal planned for 1.24.

kubeadm now supports deploying control planes as non‑root users (RootlessControlPlane feature).

Rootless kubelet support added.

Pod Eviction now uses policy/v1 API (v1beta1 deprecated).

DynamicKubeletConfig deprecated and disabled by default.

When a Service with externalTrafficPolicy: Local has only terminating pods on a node, kube‑proxy now forwards traffic to those pods instead of dropping it. CertificateSigningRequest.certificates.k8s.io API gains expirationSeconds support.

Node now supports swap memory (Alpha).

ExpandedDNSConfig (Alpha) raises MaxDNSSearchPaths to 32 and MaxDNSSearchListChars to 2048.

Features such as MemoryManager, NetworkPolicyEndPort, PodDeletionCost, SuspendJob, ServiceLBNodePortControl, and ServiceLoadBalancerClass enter Beta and are enabled by default.