What’s New in Kubernetes 1.25? 40 Enhancements Across Every SIG
Kubernetes 1.25 introduces 40 new features and numerous bug fixes, with major upgrades across API Machinery, Apps, Authentication, Networking, Nodes, Security, Scheduling, and Storage, providing stronger security, better resource management, and expanded configurability for cloud‑native workloads.
Kubernetes 1.25 has been officially released, bringing 40 new enhancements and a large set of bug fixes. This article gives a rapid overview of the most notable changes in each SIG, helping operators and developers stay up‑to‑date.
API Machinery
Two notable enhancements appear in this area.
Validation Expression Language (beta)
Custom Resource Definitions (CRDs) now support validation using an expression language that has graduated to beta, allowing validation rules to be defined directly in the CRD schema instead of relying on external webhooks.
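As an added example (not code from the original article), the CRD below embeds two CEL rules in its schema with x-kubernetes-validations; the group, kind and field names are assumptions chosen for illustration. The first rule checks a relationship between two fields, which a plain OpenAPI schema cannot express; the second is a transition rule that uses oldSelf, so it only runs on updates and makes the field immutable once set.

```yaml
# Added example: CEL validation rules in a CRD schema (beta in 1.25, behind the
# CustomResourceValidationExpressions feature gate, enabled by default).
# example.com, Widget and the spec fields are assumed names for this illustration.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: widgets.example.com
spec:
  group: example.com
  names:
    kind: Widget
    plural: widgets
  scope: Namespaced
  versions:
  - name: v1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            required: [replicas, minReplicas]
            x-kubernetes-validations:
            # Cross-field rule: rejects a spec whose floor is above its target.
            - rule: "self.minReplicas <= self.replicas"
              message: "minReplicas must not exceed replicas"
            properties:
              replicas:
                type: integer
                minimum: 0
              minReplicas:
                type: integer
                minimum: 0
              tier:
                type: string
                x-kubernetes-validations:
                # Transition rule: evaluated only on update, when oldSelf exists.
                - rule: "self == oldSelf"
                  message: "tier is immutable once set"
```

Because the rules live in the CRD itself, the API server rejects an invalid Widget on admission without any webhook deployment, and there is no webhook endpoint to keep available or to secure.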
Retriable and Non‑Retriable Pod Failures for Jobs (alpha)
A new podFailurePolicy field in the Job spec lets users define rules for handling container exit codes and pod conditions. Example:
# Alpha in 1.25: needs the JobPodFailurePolicy feature gate, and the pod
# template must use restartPolicy: Never. The metadata name is added here so
# the manifest is complete.
apiVersion: batch/v1
kind: Job
metadata:
  name: job-pod-failure-policy-example
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: main-job-container
        image: job-image
        command: ["./program"]
      - name: monitoring-job-container
        image: job-monitoring
        command: ["./monitoring"]
  backoffLimit: 3
  podFailurePolicy:
    rules:
    # Non-retriable exit codes of the main container fail the whole Job at once.
    - action: FailJob   # the action name that shipped in the 1.25 API
      onExitCodes:
        containerName: main-job-container
        operator: In
        values: [1, 2, 3]
    # Pods removed by a disruption (preemption, node drain) are not counted
    # against backoffLimit.
    - action: Ignore
      onPodConditions:
      - type: DisruptionTarget
        status: "True"
Apps
Apps SIG focuses on deploying complex applications. Two important upgrades land in 1.25.
Add minReadySeconds to StatefulSets (GA)
The new stable minReadySeconds field adds a buffer period after a pod becomes ready, giving the application time to finish initialization before receiving traffic.
CronJob time‑zone support (beta)
A new spec.timeZone field lets users specify a time‑zone from the tz database, making scheduled jobs independent of the controller manager’s host location.
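As an added example covering both Apps changes above (not code from the original article), the two manifests below show a StatefulSet with minReadySeconds and a CronJob with spec.timeZone; the object names, images and schedule are assumptions chosen for illustration.

```yaml
# Added example: minReadySeconds on a StatefulSet (GA in 1.25).
# Names and images are assumed for this illustration.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db
spec:
  serviceName: db
  replicas: 3
  # A pod must stay Ready for 30 s before it is counted as available and
  # before the rollout moves on to the next ordinal.
  minReadySeconds: 30
  selector:
    matchLabels:
      app: db
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
      - name: db
        image: db-image
---
# Added example: CronJob time-zone support (beta in 1.25, behind the
# CronJobTimeZone feature gate, enabled by default).
apiVersion: batch/v1
kind: CronJob
metadata:
  name: nightly-report
spec:
  schedule: "30 2 * * *"
  # IANA tz database name; the schedule is interpreted in this zone, not in
  # the zone of the host running kube-controller-manager.
  timeZone: "Europe/Berlin"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
          - name: report
            image: report-image
            command: ["./report"]
```

With timeZone set, the 02:30 run follows local daylight-saving changes in Europe/Berlin; without it the same schedule would shift by an hour twice a year whenever the controller manager host runs in UTC.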
Authentication
Removal of PodSecurityPolicy
PodSecurityPolicy, deprecated since 1.21, is fully removed. Users should migrate to the new Pod Security Admission controller, which provides a clearer migration path.
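As an added example (not code from the original article), the namespace manifest below is the usual first step when replacing PodSecurityPolicy with Pod Security Admission: enforce the baseline standard, and only audit and warn on restricted until existing workloads are known to comply. The namespace name is an assumption.

```yaml
# Added example: Pod Security Admission labels on a namespace.
# "payments" is an assumed namespace name for this illustration.
#
# Before applying the enforce label cluster-wide, a server-side dry run reports
# which existing pods would be rejected without changing anything:
#   kubectl label --dry-run=server --overwrite ns --all \
#     pod-security.kubernetes.io/enforce=baseline
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pods that violate "baseline" (privileged, hostPID, hostNetwork, ...) are rejected.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.25
    # Violations of the stricter "restricted" profile are only logged to the
    # audit log and returned as warnings to the client, not rejected.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.25
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.25
```

Pinning the -version labels to v1.25 keeps the evaluated policy stable across later cluster upgrades; once the audit log shows no restricted violations, the enforce label can be raised to restricted.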
KMS v2 improvements (alpha)
KMS v2 adds automatic key rotation, better health checks for KMS plugins, and improved observability between the API server and KMS.
Networking
NetworkPolicy port ranges (GA)
The new endPort field allows specifying a range of ports in NetworkPolicy rules, e.g., ports 32000‑32768.
# apiVersion, kind, metadata and podSelector are added here so the fragment is
# a complete manifest; the policy name is an assumption.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-port-range
spec:
  podSelector: {}
  egress:
  - ports:
    - protocol: TCP
      port: 32000
      endPort: 32768
Service IP static sub‑range (beta)
The ServiceIPStaticSubrange field lets administrators allocate a reserved IP range for services, avoiding conflicts when assigning static IPs.
Nodes
Ephemeral containers (GA)
Ephemeral containers enable adding a debugging container to a running pod without rebuilding the pod image. Example:
$ kubectl debug db-pod -it --image=busybox
Defaulting debug container name to debugger-8xzrl.
If you don’t see a command prompt, try pressing enter.
/ #
cgroups v2 (GA)
Kubernetes now supports cgroups v2, providing more secure and reliable resource isolation, especially for rootless containers.
Configurable grace period for probes (GA)
A new terminationGracePeriodSeconds field in liveness probes separates probe‑related termination from the pod‑level terminationGracePeriodSeconds, giving finer control over container shutdown timing.
Seccomp enabled by default (beta)
Seccomp profiles are now enabled by default, adding an extra security layer against CVEs and zero‑day attacks.
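As an added example covering the two Nodes items above (not code from the original article), the Pod below sets a probe-level terminationGracePeriodSeconds that overrides the pod-level value only when the kubelet kills the container for a failed liveness probe, and pins the seccomp profile to RuntimeDefault so the intent does not depend on how the node's kubelet is configured. The pod name, image, port and timings are assumptions.

```yaml
# Added example: probe-level termination grace period (GA in 1.25) and an
# explicit RuntimeDefault seccomp profile. Names, image and numbers are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: api-hardened
spec:
  # Pod-level default inherited by every container that does not override it.
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  # Grace period used for a normal pod deletion.
  terminationGracePeriodSeconds: 60
  containers:
  - name: api
    image: api-image
    securityContext:
      allowPrivilegeEscalation: false
    livenessProbe:
      httpGet:
        path: /healthz
        port: 8080
      periodSeconds: 10
      failureThreshold: 3
      # Applies only to a restart triggered by this probe: a container that is
      # failing liveness is assumed to be wedged and gets 5 s, not 60 s, to exit.
      terminationGracePeriodSeconds: 5
```

The pod-level value still governs deletion and eviction, so a healthy container keeps its full 60 s to drain connections while a hung one is replaced quickly; the probe-level field is capped by the pod-level one if set higher.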
CPUManager align‑by‑socket policy (alpha)
The new AlignBySocket CPUManager policy treats CPU allocation based on socket boundaries rather than NUMA nodes, improving performance on systems with many sockets.
Security
Automatic refresh of official CVE sources (alpha)
This feature automatically tags issues and PRs related to CVEs, helping users, maintainers, and platform providers surface relevant security information.
Scheduling
Respect PodTopologySpread after rolling updates (alpha)
During rolling upgrades, the scheduler now respects existing PodTopologySpread constraints, improving pod distribution and availability across zones and nodes.
Storage
Local temporary storage capacity isolation (GA)
Pods now receive isolated temporary storage capacity, preventing “best‑effort” sharing of the node’s temporary storage pool.
In‑tree storage plugin migration to CSI (GA)
Several in‑tree volume plugins are deprecated or removed, and migration paths to CSI drivers are provided for AWS EBS, GCE PD, and vSphere.
Deprecated: GlusterFS, Portworx
Removed: Flocker, Quobyte, StorageOS
Migrated to CSI: AWS EBS, GCE PD, vSphere
Retrospective default StorageClass assignment (alpha)
When no StorageClass is specified for a PVC, the controller now retroactively assigns a default class, simplifying storage provisioning changes.
Conclusion
Kubernetes 1.25 aims to make the platform more secure, reliable, and flexible. Ensure your clusters are upgraded promptly and consult the official Kubernetes blog and release notes for detailed guidance on the new features.
Original article: https://medium.com/@jonathan_37674/kubernetes-version-1-25-everything-you-should-know-92fc1e02b5bd