Key Change Notes for Kubernetes 1.28 Version

Special Notes

• Due to incompatible modifications to the kubeconfig used by CNI in UK8S, the CNI version must not be lower than 1.3.4.

Scheduling Logic Optimization

If scheduler plugins are used, adjustments may be required. Refer to Scheduler Framework Changes  for details.

CephFS Deprecation

The in-tree CephFS kubernetes.io/rbd driver has been removed. Please use CSI-based plugins like ceph-csi .

SecurityContextDeny Deprecation

Replaced by PodSecurity and deprecated. For details, refer to the official issues .

Removal of Seccomp Annotations

Seccomp  (Secure Computing Mode) reached GA in 1.19, enhancing security by restricting system calls for pods/containers. The Alpha-stage annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io were deprecated in v1.19 and fully removed in 1.27.

Recommendation: Use the securityContext.seccompProfile field in Pod or containers.

Native Sidecar Support

This feature is in Alpha stage in 1.28 and requires enabling the feature gate.

It introduces a restartPolicy field for init containers, which is used to indicate that an init container is a sidecar container. When restartPolicy=Always, Kubelet will start the init container together with other init containers in sequence, but it will not wait for it to complete; instead, it will wait for the container to start up.

For details, see the official documentation .

AdmissionWebhookMatchCondition Default Support for CEL Expressions

This feature is in the Beta phase in 1.28.

It allows the use of CEL expressions to accept or reject requests from the apiserver, serving as an alternative to webhooks. Refer to CEL  for implementation details.

API Deprecation

CSIStorageCapacity

CSIStorageCapacity  has been promoted to storage.k8s.io/v1. The previous storage.k8s.io/v1beta1 API was deprecated in 1.27.

Reference Links

For complete changelogs, see:

• CHANGELOG 1.27 
• CHANGELOG 1.28