The Kubernetes 1.25 release includes a total of 40 enhancements. The highlight of this release is the final removal of PodSecurityPolicies from the Kubernetes core.

These are the features that look most exciting to us in this release.

PodSecurityPolicy (PSP) is removed

Pod Security Policies (PSPs) are a great Kubernetes-native tool to restrict what deployments can do, such as limiting execution to a list of users or restricting access to resources like the network or volumes. The feature has been deprecated since 1.23 and is removed in 1.25.

At Guida, we have implemented the Pod Security Standards using Kyverno as a replacement. Kyverno is a policy engine designed for Kubernetes: policies are managed as Kubernetes resources, and no new language is required to write them.

Alternatives are the built-in Pod Security Admission controller, which also graduated to stable in this release, or Open Policy Agent.
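As an added example (not from the original post, and not Guida's Kyverno setup), this is what the Pod Security Admission route looks like: a Namespace labelled for the built-in admission controller, followed by a Pod that meets the restricted Pod Security Standard. The namespace name and image reference are placeholders.

```yaml
# Namespace labelled for Pod Security Admission: reject anything below
# "baseline", and report "restricted" violations as warnings and audit
# annotations so workloads can be fixed before enforcement is tightened.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                      # placeholder namespace name
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.25
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.25
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.25
---
# A Pod that satisfies the "restricted" profile, so it is admitted without
# warnings. Dropping runAsNonRoot, seccompProfile, allowPrivilegeEscalation
# or capabilities.drop produces a warning, and would be rejected outright if
# the enforce label above were raised to "restricted".
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true                # required by restricted
    runAsUser: 10001                  # any non-zero UID satisfies the check
    seccompProfile:
      type: RuntimeDefault            # restricted requires RuntimeDefault or Localhost
  containers:
  - name: api
    image: registry.example.com/api:1.0.0   # placeholder image
    ports:
    - containerPort: 8080             # hostPort is not allowed under baseline
    securityContext:
      allowPrivilegeEscalation: false # required by restricted
      capabilities:
        drop: ["ALL"]                 # restricted allows only NET_BIND_SERVICE to be added back
      readOnlyRootFilesystem: true    # not required by the profile, but good practice
```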

Want to learn more?

PodSecurityPolicy Deprecation: Past, Present, and Future

Ephemeral Containers Graduate to Stable

Ephemeral containers are particularly useful for troubleshooting when you need to examine a container but cannot use kubectl exec, because that container has crashed, its image lacks debugging utilities, or it is built from a distroless/scratch image. You can also use ephemeral containers to take a TCP dump of the container's virtual network interface.

Want to learn more?

Understanding ephemeral containers

Network Policy Port Range to Stable

Network Policy providers that support the endPort field can now use it to specify a range of ports to which a Network Policy applies. Previously, a Network Policy could only target individual ports.

spec:
  egress:
  - ports:
    - protocol: TCP
      port: 32000
      endPort: 32768

Want to learn more?

Targeting a range of ports

TimeZone support in CronJob to Beta

Until now, the Jobs created by CronJobs have been scheduled in the same timezone as the kube-controller-manager process. This could cause issues when the kube-controller-manager runs in UTC and you have a business requirement to run Jobs at set times in a timezone that uses Daylight Saving Time, or when Jobs are spread over multiple timezones and should be scheduled according to local time.

Workarounds for these problems can now be replaced by this Kubernetes-native solution in the CronJob spec.

Want to learn more?

https://github.com/kubernetes/enhancements/blob/master/keps/sig-apps/3140-TimeZone-support-in-CronJob/

minReadySeconds for Statefulsets to Stable

This brings the optional minReadySeconds field to StatefulSets; it is already available on Deployments, DaemonSets, and ReplicaSets.

If declared, a newly created Pod won’t be considered available until its containers stay ready without crashing for the specified number of seconds.

Want to learn more?

Minimum Ready Seconds for StatefulSets

DaemonSets should support MaxSurge to improve workload availability to Stable

When performing a rolling update, the spec.strategy.rollingUpdate.maxSurge field allows specifying how many new Pods will be created to replace the old ones.

Want to learn more?

Perform a Rolling Update on a DaemonSet

Retriable and non-retriable Pod failures for Jobs to Alpha

Currently, if a Job fails and its restartPolicy is set to OnFailure, Kubernetes will try to run it again, up to the configured backoff limit.

In particular, the extension allows identifying pod failures caused by infrastructure errors and retrying them without incrementing the counter towards backoffLimit.

Additionally, the extension allows identifying pod failures caused by software bugs and terminating the associated Job early. This saves the time and computational resources that would otherwise be wasted on unnecessary retries of containers destined to fail because of those bugs.

Want to learn more?

https://github.com/kubernetes/enhancements/tree/master/keps/sig-apps/3329-retriable-and-non-retriable-failures

References

https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/