Release Notes for CCE Kubernetes 1_31 Version

Baidu AI Cloud Container Engine in Kubernetes version strictly adheres to the community conformance certification. This document introduces the major changes in the CCE Kubernetes 1.31 version, including functional features, deprecated functionalities and APIs, feature gates, etc.

Functional features

• Enhanced verification for CRD caBundle field. When the caBundle field is not null, but contains invalid content (e.g., no valid CA certificate), the corresponding CRD will fail to serve. Once caBundle is set to a valid value, it is prohibited to set it null or invalid during subsequent update to ensure service continuity.
• Granular pod affinity/anti-affinity configuration (Beta). The MatchLabelKeysInPodAffinity feature gate is enabled by default, introducing matchLabelKeys and mismatchLabelKeys fields to distinguish between existing and new pods during rolling update, preventing misjudgment in affinity policies.
• Indexed Job custom success policy (Beta). JobSuccessPolicy advances to Beta, allowing flexible success conditions (e.g., permitting partial index failures) for Indexed Jobs and optimizing batch task management. Reference: Job Success Policy.
• Hiding node kube-proxy version information (Beta). DisableNodeKubeProxyVersion is enabled by default, removing the kubeProxyVersion field from node status (due to inaccuracies) to reduce potential risks.
• Node-bound ServiceAccount Token (Beta). ServiceAccountTokenNodeBinding is enabled by default, binding token directly to node. It is automatically invalidated when node/ServiceAccount is deleted or token expires.
• Recursive read-only volume mount (Beta). RecursiveReadOnlyMounts is enabled by default, supporting recursive read-only permissions for volume mounts to prevent modifications to subdirectories or files. Reference: Recursive read-only mounts.
• Non-image field update for pod without restart. When Pod spec changes do not involve the image field, kubelet no longer restarts container, avoiding unnecessary disruption.
• Persistent volume deletion protection Finalizer (Beta). HonorPVReclaimPolicy is enabled by default, adding a Finalizer to PV with a Delete policy to ensure underlying storage resources are deleted before PV removal. Reference: PersistentVolume deletion protection finalizer.
• kubectl debug custom template support (Beta). Support the expansion of debugging function through custom profile template (e.g., predefined resource limits or commands). Reference: Kubernetes 1.31: Custom Profiling in Kubectl Debug Graduates to Beta.
• Client streaming protocol upgraded to WebSocket. The transport protocol for kubectl cp, exec, attach and port-forward commands is updated to WebSocket, improving compatibility and performance.
• API Server cache consistency read optimization. Support direct consistent reads from cache, reducing dependency on etcd and significantly improving list request efficiency. Reference: Consistent Reads from Cache.

Function change

• Built-in CephFS volume plugin removal. The built-in plugin kubernetes.io/cephfs is deprecated so migration to CephFS CSI driver is required. Upgrade impact: Users of the previous plugin must switch to the CSI driver and redeploy applications before upgrading.
• Built-in CephRBD volume plugin removal. The built-in plugin kubernetes.io/rbd is deprecated so migration to the RBD CSI driver is required. Upgrade impact: Same migration steps as CephFS.
• Portworx storage plugin migration support. The CSIMigrationPortworx feature gate is enabled by default; the Portworx CSI driver must be installed in advance for compatibility with 1.31.

Reference links

For the complete change records of Kubernetes 1.31, please refer to CHANGELOG-1.31、Kubernetes v1.31: Elli.