Compliance Briefing — August 26, 2020
Deep dive into Kubernetes 1.19 with its extended one-year support window, Ingress GA, seccomp hardening, and upgrade guidance for platform teams.
Kubernetes 1.19 release: extended support with safer defaults
Kubernetes 1.19 (released August 26, 2020) stretches the support window to 12 months and graduates several long-running features. This briefing summarizes what platform teams need to know before upgrading clusters and workloads.
Feature highlights
The release is anchored on production hardening. The support window now runs for a full year, giving enterprise teams more time to certify add-ons, validate cloud integrations, and plan node OS updates. Ingress reaches general availability under networking.k8s.io/v1, bringing stricter validation, pathType enforcement, and the new IngressClass resource so platform teams can map traffic to specific controllers without custom annotations. EndpointSlices are enabled by default, improving the scalability of Service backends and laying groundwork for topology-aware routing. Security saw a notable milestone with seccomp moving to general availability through the seccompProfile field on Pods and containers; clusters can now consistently apply RuntimeDefault profiles instead of relying on Docker-specific annotations. SIG CLI also delivered kubectl alpha debug, enabling ad-hoc node and workload debugging without requiring ephemeral containers to be pre-enabled. Logging continues its modernization with structured logging APIs in core components, which makes it easier to forward logs into analytics tools without bespoke parsing rules. The release also updates the toolchain to Go 1.15, which tightens TLS defaults and brings garbage-collection improvements useful for busy control planes.
Storage and networking usability got incremental boosts. CSI volume snapshots continue to mature in the v1beta1 API, with test improvements that honor VolumeSnapshotClass configuration to ensure drivers pick the right provisioner. This helps operators validate disaster recovery workflows while keeping snapshot controllers predictable across environments. The Ingress graduation also clarifies default backend handling: new objects must specify a default backend or rely on per-rule backends, reducing surprises caused by implicit controller behavior. With EndpointSlices turned on for kube-proxy, large clusters gain lower memory overhead and a path to future features such as topology-aware hints.
Deprecations and removals
Deprecation visibility improves in Kubernetes 1.19. API servers now return warnings when clients call deprecated API versions, including older Ingress APIs such as extensions/v1beta1 and networking.k8s.io/v1beta1, which are slated for removal in 1.22. Admission webhooks can also emit warnings so platform owners can coordinate migrations before upgrades enforce removals. SIG Architecture highlighted a new policy to prevent "permanent beta" APIs: beginning with Kubernetes 1.20, beta REST APIs must either graduate or iterate within nine months, otherwise they will be deprecated in the next release. Administrators should track these timers in change management plans, especially for CustomResourceDefinitions that may need version bumps to stay supported.
Several legacy defaults are tightening. The move to structured logging means third-party log parsers should be checked for compatibility before removing old filters. Seccomp GA deprecates the Docker-specific seccomp.security.alpha.kubernetes.io/pod annotation path; clusters should switch to the seccompProfile field in Pod and container security contexts. kube-apiserver and kube-controller-manager images are now built with Go 1.15, so any out-of-tree admission plugins compiled against older Go versions should be rebuilt to avoid mismatched TLS libraries. Although not removed in 1.19, the release deepens the warning cycle around PodSecurityPolicy deprecation (removal planned in 1.25), pushing teams to evaluate alternatives such as the Pod Security Admission controller or Gatekeeper-based policy.
Upgrade guidance and testing
Plan the move to 1.19 as a two-phase effort: platform validation and workload migration. Start by verifying cluster add-ons—CNI plugins, ingress controllers, CSI drivers, and observability agents—are compatible with Ingress networking.k8s.io/v1 and EndpointSlices. Many ingress controllers released GA-ready builds during the 1.19 timeframe but often require explicit flags to turn on IngressClass support and pathType handling. For storage, confirm that snapshot controllers and sidecars align with the v1beta1 snapshot APIs and test restoring volumes on representative stateful applications. Because Kubernetes binaries are compiled with Go 1.15, rebuild any custom admission controllers or scheduler plugins with the same Go version and run integration tests to catch TLS or module-related regressions.
During cluster upgrades, enable audit or warning collection so you can capture deprecated API calls in staging before touching production. Begin migrations by updating manifests: set apiVersion: networking.k8s.io/v1 for Ingress objects, define pathType values, and introduce the ingressClassName field instead of controller-specific annotations. For workloads that need stricter syscall controls, add a securityContext.seccompProfile.type: RuntimeDefault entry and validate the effect in pre-production with kubectl alpha debug to capture node-level behavior. When using EndpointSlices, watch kube-proxy logs and metrics during canary rollouts; although the feature is enabled by default, verifying backend distribution and readiness reporting will reduce surprises in traffic-heavy services.
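The manifest changes described above can be checked before anything is applied to a cluster. The following is an added example, not code from the briefing or from the Kubernetes project: it lints parsed manifests for deprecated Ingress API versions, class selection through the kubernetes.io/ingress.class annotation, missing pathType, and legacy seccomp annotations. The sample manifests, function names, and finding strings are constructed for illustration.

```python
import json

# Constructed sample manifests in JSON form (not from the briefing).
LEGACY = json.loads("""[
 {"apiVersion": "extensions/v1beta1", "kind": "Ingress", "metadata": {"name": "shop",
    "annotations": {"kubernetes.io/ingress.class": "nginx"}},
  "spec": {"rules": [{"http": {"paths": [
    {"path": "/", "backend": {"serviceName": "shop", "servicePort": 80}}]}}]}},
 {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
  "spec": {"template": {"metadata": {"annotations": {
      "seccomp.security.alpha.kubernetes.io/pod": "runtime/default"}},
    "spec": {"containers": [{"name": "api", "image": "example.invalid/api:1"}]}}}}
]""")

OLD_INGRESS_APIS = {"extensions/v1beta1", "networking.k8s.io/v1beta1"}
SECCOMP_ANNOTATIONS = ("seccomp.security.alpha.kubernetes.io/pod",
                       "container.seccomp.security.alpha.kubernetes.io/")

def audit_ingress(obj):
    findings, spec = [], obj.get("spec") or {}
    notes = (obj.get("metadata") or {}).get("annotations") or {}
    if obj.get("apiVersion") in OLD_INGRESS_APIS:
        findings.append("ingress: deprecated apiVersion " + obj["apiVersion"])
    if "kubernetes.io/ingress.class" in notes and "ingressClassName" not in spec:
        findings.append("ingress: class set by annotation, not ingressClassName")
    for rule in spec.get("rules") or []:
        for path in (rule.get("http") or {}).get("paths") or []:
            if "pathType" not in path:  # required in networking.k8s.io/v1
                findings.append("ingress: no pathType on path " + path.get("path", "/"))
    return findings

def audit_seccomp(obj):
    """A bare Pod is its own template; workloads carry one in spec.template."""
    pod = obj if obj.get("kind") == "Pod" else (obj.get("spec") or {}).get("template") or {}
    notes = (pod.get("metadata") or {}).get("annotations") or {}
    spec, findings = pod.get("spec") or {}, []
    if any(key.startswith(SECCOMP_ANNOTATIONS) for key in notes):
        findings.append("seccomp: legacy annotation, use securityContext.seccompProfile")
    pod_profile = (spec.get("securityContext") or {}).get("seccompProfile")
    for ctr in spec.get("containers") or []:
        if not (pod_profile or (ctr.get("securityContext") or {}).get("seccompProfile")):
            findings.append("seccomp: no seccompProfile for container " + ctr["name"])
    return findings

def audit_manifest(obj):
    return (audit_ingress(obj) if obj.get("kind") == "Ingress" else []) + audit_seccomp(obj)

if __name__ == "__main__":
    print([audit_manifest(m) for m in LEGACY])
```

A manifest that returns an empty list has the v1 Ingress fields and a seccompProfile in place; it says nothing about whether the chosen profile or pathType is the right one for the workload.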
Testing should extend beyond functionality to observability. Structured logging changes can alter index patterns in log pipelines, so staging upgrades should include verification that Fluentd or Vector rules still extract severity, component, and namespace fields as expected. Because API deprecation warnings surface in client responses, update continuous delivery systems to flag warnings as build failures; this helps enforce manifest hygiene ahead of future removals. If PodSecurityPolicy is still in use, rehearse migration to alternatives by enabling the Pod Security Admission controller in warn or audit mode, then progressively switch to enforce once workloads conform.
Operational risk considerations
Kubernetes 1.19 extends the patch support window to twelve months, reducing upgrade pressure but increasing the need for disciplined backporting awareness. Teams should subscribe to patch releases (for example, v1.19.16) and practice rolling upgrades that preserve workload disruption budgets. The Go 1.15 runtime introduces stricter certificate validation and changes default cipher suites; clusters terminating TLS at the API server or kubelet must present valid intermediate chains to avoid handshake issues with older clients. With seccomp GA, distribution maintainers may begin shipping more opinionated defaults; platform owners should document whether nodes use RuntimeDefault or Unconfined profiles and ensure container runtimes (containerd, CRI-O) share the same behavior across environments.
EndpointSlices can materially change how large Services are represented. Monitor API server object counts and kube-proxy performance after enabling the feature on busy clusters, and ensure network policy controllers that consume Endpoints can read EndpointSlices if required. If you run multi-cluster ingress or service meshes, check whether their control planes already support the v1 Ingress API and EndpointSlices; older releases may silently ignore new fields. For auditing, consider enabling the new deprecation warning metrics exposed by API servers to visualize which teams or services still rely on deprecated APIs.
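Attributing deprecated API usage to its callers, as described above and in the audit collection step of the upgrade guidance, can be done from the API server audit log. The following is an added example, not code from the briefing or from the Kubernetes project: it relies on the k8s.io/deprecated and k8s.io/removed-release audit annotations that API servers attach to such requests from 1.19. The log lines, usernames, and function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed audit events (audit.k8s.io/v1, one JSON object per line).
# The last line is deliberately truncated, as after a log rotation.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"apiGroup":"extensions","apiVersion":"v1beta1","resource":"ingresses"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"apiGroup":"extensions","apiVersion":"v1beta1","resource":"ingresses"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"}}
{"kind":"Event","stage":"RequestReceived","verb":"get","user":{"username":"alice"},"objectRef":{"apiGroup":"networking.k8s.io","apiVersion":"v1beta1","resource":"ingresses"}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"apiGroup":"networking.k8s.io","apiVersion":"v1beta1","resource":"ingresses"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"monitor"},"objectRef":{"apiVersion":"v1","resource":"componentstatuses"},"annotations":{"k8s.io/deprecated":"true"}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"alice"},"objectRef":{"apiGroup":"apps","apiVersion":"v1","resource":"deployments"}}
{"kind":"Event","stage":"Resp
"""

def deprecated_calls(lines):
    """Count deprecated-API requests per (user, group/version, resource, removed-in)."""
    hits = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or empty line
        if not isinstance(event, dict):
            continue
        notes = event.get("annotations") or {}
        # Count each request once, at its final stage.
        if event.get("stage") != "ResponseComplete" or notes.get("k8s.io/deprecated") != "true":
            continue
        ref = event.get("objectRef") or {}
        # The core group has no apiGroup, so only the version is kept.
        api = "/".join(p for p in (ref.get("apiGroup"), ref.get("apiVersion")) if p)
        user = (event.get("user") or {}).get("username", "unknown")
        hits[(user, api, ref.get("resource", "?"), notes.get("k8s.io/removed-release"))] += 1
    return hits

def blocking(hits, target):
    """Callers of APIs that are gone in release `target` (e.g. "1.22"), busiest first."""
    def as_tuple(version):
        return tuple(int(part) for part in version.split("."))
    gone = {k: n for k, n in hits.items() if k[3] and as_tuple(k[3]) <= as_tuple(target)}
    return sorted(gone.items(), key=lambda item: -item[1])

if __name__ == "__main__":
    for key, count in blocking(deprecated_calls(SAMPLE_AUDIT_LOG.splitlines()), "1.22"):
        print(count, *key)
```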
Upgrade checklist
- Manifests: Migrate all Ingress objects to networking.k8s.io/v1, set explicit pathType, and map controllers with ingressClassName.
- Security: Replace seccomp annotations with securityContext.seccompProfile, and rehearse Pod Security Admission policies before PodSecurityPolicy removal.
- Tooling: Rebuild custom controllers against Go 1.15; validate log pipelines against structured logging output.
- Networking: Confirm CNI and ingress controllers support EndpointSlices and IngressClass. Monitor kube-proxy behavior during rollout.
- Storage: Align CSI snapshot controllers and CRDs with the v1beta1 APIs; test restore workflows for stateful apps.
- Observability: Capture and triage API deprecation warnings in CI/CD and staging clusters before production upgrades.
Sources
- Kubernetes 1.19 Release Blog (Kubernetes.io)
- Kubernetes v1.19 Release Notes (GitHub kubernetes/kubernetes)