Runtime Briefing — Kubernetes 1.20 Release
Kubernetes 1.20 delivered GA CSI volume snapshots, kubectl debug, Windows HostProcess containers, and a clear dockershim deprecation roadmap, requiring platform teams to validate storage workflows, runtime migrations, and RBAC controls before upgrading.
Executive briefing: Kubernetes v1.20 became generally available on . The release focused on hardening storage and operations workflows while mapping a clear path away from the dockershim runtime. This briefing distills the changes platform owners, SRE leaders, and security teams should prioritize as they plan upgrades or audit clusters that still run 1.20-era features.
Feature updates
CSI volume snapshots reached GA. The Container Storage Interface (CSI) snapshot APIs moved from beta to general availability. This unlocks supported, portable backup and restore workflows for StatefulSets and other persistent workloads. GA status means Kubernetes now ships conformance tests, stable APIs (v1), and the expectation that storage vendors deliver compatible drivers. Teams should review the VolumeSnapshotClass, VolumeSnapshot, and VolumeSnapshotContent objects, validate snapshot controllers, and verify that snapshot APIs are enabled across control planes and admission policies.
kubectl debug simplifies incident response. A new kubectl debug subcommand improves live troubleshooting by launching ephemeral containers into running Pods. This eliminates the need for SSH or daemonset-based debuggers, offering controlled access with RBAC and audit logging. Incident responders can now inject curated images that include packet captures, log forwarders, or language profilers while respecting Pod isolation boundaries.
Process namespace sharing for Windows. Windows nodes gained HostProcess containers, which allow privileged host-level troubleshooting similar to Linux tools while maintaining Kubernetes scheduling and logging primitives. Operators supporting mixed Linux/Windows clusters can now standardize diagnostics and reduce reliance on out-of-band access.
API server tracing. Alpha support for distributed tracing in the API server landed, enabling OpenTelemetry-compatible traces for request lifecycles. Even in alpha, this provides valuable insights for latency investigations and audit requirements in regulated environments.
Topology-aware hints. EndpointSlice topology hints were introduced to guide load balancers and proxies toward endpoints that minimize cross-zone traffic. Multizone clusters can cut network egress costs and reduce latency by preferring same-zone endpoints when hints are honored by service meshes or kube-proxy.
Improved credential plugins. Exec credential plugin support added interactive mode and standardized expiry handling, which benefits cloud-provider CLIs and SSO flows that refresh client certificates or tokens. Cluster operators should verify that developer tooling using kubectl aligns with the new plugin contract to avoid authentication regressions.
Deprecations and removals
Dockershim deprecation announced. Kubernetes signaled the removal of the built-in Docker Engine shim from the kubelet. While the shim remained in 1.20, future releases required migrating to CRI-compliant runtimes such as containerd or CRI-O. The change does not remove the ability to build images with Docker; it affects only the runtime used by kubelet to launch containers. Platform teams must audit nodes, daemonsets, and admission policies that assume Docker-specific behaviors (e.g., container runtime logging paths or insecure registries) and plan migration testing.
PodSecurityPolicy on the path to removal. PodSecurityPolicy (PSP) was deprecated in 1.21 but the 1.20 release reiterated the long-term plan to replace PSP with admission controllers that implement the Pod Security standards. Clusters that still rely on PSP should roadmap a migration to the built-in Pod Security Admission or policy engines such as Gatekeeper or Kyverno.
Beta API removals. Several beta APIs were deprecated or removed to stabilize the surface area. Notable changes include the deprecation of the default value for the kubelet --container-runtime-endpoint flag, removal of some alpha-level metrics, and continuing cleanup of legacy cloud provider integrations as external cloud-controller-manager adoption accelerates.
In-tree storage driver migration. The release advanced migration of in-tree storage plugins (e.g., AzureDisk, vSphere) toward CSI drivers. While many migrations were optional in 1.20, future releases would disable in-tree plugins. Storage administrators should test CSI driver readiness, enforce feature gates consistently, and confirm that backup tooling works with migrated PersistentVolumes.
Upgrade guidance
Pre-upgrade validation. Capture a manifest inventory of VolumeSnapshot objects, StatefulSets, and cluster-scoped snapshot controllers, then stage upgrades in a non-production environment. Verify that snapshot restore operations succeed under load and that disaster-recovery scripts reference the GA API versions (snapshot.storage.k8s.io/v1).
Runtime migration readiness. For clusters still using Docker Engine, install containerd or CRI-O on a subset of nodes and perform node cordon/drain cycles to confirm workload compatibility. Pay special attention to logging paths, image pull secrets, and any admission webhooks that parse Docker-specific metadata. Document operational differences (e.g., crictl usage) for SRE runbooks.
RBAC and security reviews. The kubectl debug workflow introduces new verbs and ephemeral container usage. Update ClusterRoles to limit debug privileges to trusted responders and ensure audit sinks capture debug session activity. For organizations subject to compliance controls, verify that ephemeral container images are built and signed through the same supply-chain processes as production images.
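To see which principals currently hold the patch permission on the pods/ephemeralcontainers subresource that kubectl debug uses, here is an added audit script, not from the Kubernetes project or this briefing: it reads the JSON that kubectl get clusterroles,clusterrolebindings -o json produces (a trimmed, constructed sample is embedded), covers cluster-scoped bindings only, and treats "*" as the only wildcard in RBAC rules.

```python
import json

# Constructed sample resembling `kubectl get clusterroles,clusterrolebindings -o json`
# (assumption: objects trimmed to the fields the audit reads).
SAMPLE_RBAC = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "incident-responder"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
            {"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["patch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "view"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "responders"},
  "roleRef": {"kind": "ClusterRole", "name": "incident-responder"},
  "subjects": [{"kind": "Group", "name": "sre-oncall"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "alice"}, {"kind": "Group", "name": "system:masters"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "developers"}]}
]}
""")

def _allows(granted, wanted):
    # RBAC lists are exact matches; "*" matches everything in that list.
    return "*" in granted or wanted in granted

def rule_grants_debug(rule):
    """True if one RBAC rule permits the patch on pods/ephemeralcontainers that
    `kubectl debug` issues against a running Pod (core API group is "" or "*")."""
    return (_allows(rule.get("apiGroups", []), "")
            and _allows(rule.get("resources", []), "pods/ephemeralcontainers")
            and _allows(rule.get("verbs", []), "patch"))

def debug_capable_subjects(rbac):
    """Map each subject able to inject ephemeral containers cluster-wide to the
    ClusterRoles granting it, for comparison against the approved responder roster."""
    items = rbac["items"]
    roles = {r["metadata"]["name"] for r in items if r["kind"] == "ClusterRole"
             and any(rule_grants_debug(x) for x in r.get("rules", []))}
    result = {}
    for b in items:
        if b["kind"] != "ClusterRoleBinding" or b["roleRef"]["name"] not in roles:
            continue
        for s in b.get("subjects", []):
            result.setdefault(f"{s['kind']}:{s['name']}", set()).add(b["roleRef"]["name"])
    return result

if __name__ == "__main__":
    for subject, via in sorted(debug_capable_subjects(SAMPLE_RBAC).items()):
        print(f"{subject} can run kubectl debug via {sorted(via)}")
```

Namespaced RoleBindings that reference a ClusterRole grant the same verb within one namespace; extend the binding loop to RoleBinding objects if those are in scope for the review.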
Networking checks. If adopting topology-aware hints, confirm that your service proxies or meshes (kube-proxy, Envoy, Cilium, or cloud load balancers) support the hints feature gate. Conduct latency baselines before and after enabling hints to verify expected reductions in cross-zone traffic.
Node feature gates. Review node bootstrap templates and managed Kubernetes versions to ensure feature gates for CSI snapshot GA, HostProcess containers (Windows), and API server tracing are set appropriately. Managed services such as GKE, EKS, and AKS may gate these features differently; validate provider documentation before rollout.
Operational considerations for long-term support
Lifecycle status. Kubernetes 1.20 reached end of life in December 2021. Clusters still on this version lack security fixes, API stability improvements, and storage migration tooling present in later releases (e.g., 1.24+). Plan expedited upgrades to currently supported releases (1.28 or later) to benefit from built-in Pod Security Admission, finalized dockershim removal, and GA-level CSI migration controllers.
Observability. Enable API server tracing in staging to map request paths and latency hotspots before promoting to production. Combine traces with existing metrics (Prometheus) and logs to tune admission webhooks, custom controllers, or sidecar patterns that introduce latency.
Backup and recovery drills. With CSI snapshots now stable, bake quarterly restore drills into your incident response plan. Validate cross-namespace restores, clone workflows for blue/green rollouts, and encryption-at-rest coverage for both PersistentVolumes and snapshots. Ensure snapshot retention policies align with data-classification requirements.
Mixed-OS clusters. If running Windows worker nodes, standardize on HostProcess-enabled diagnostic images and align them with Linux debug images to streamline incident response. Confirm that network policies and DNS configurations are consistent across operating systems to avoid drift in security posture.
Documentation and training. Update internal playbooks to reflect runtime migration steps, new debug workflows, and CSI snapshot usage patterns. Provide lab environments where developers can practice kubectl debug and snapshot restores without production risk.
Key risks and mitigations
Runtime compatibility gaps. Applications depending on Docker-specific behaviors (such as log locations, cgroup layout, or docker socket mounts) may misbehave after migrating to containerd/CRI-O. Mitigate by scanning manifests for Docker socket mounts, adjusting log collectors (Fluent Bit/Fluentd) to CRI paths, and running blue/green node pools during migration.
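An added scan, not from this briefing, that serves both the runtime migration readiness step above and this risk: it reads the JSON from kubectl get pods,daemonsets -A -o json and reports hostPath volumes that reach into Docker-owned paths. The sample input is constructed, and the path list is an assumption covering the Docker socket and Docker's default data directory (where the container log files live).

```python
import json

# Docker-specific host paths that stop being meaningful once kubelet talks to
# containerd/CRI-O (assumption: socket locations plus Docker's default data dir).
DOCKER_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker")

# Constructed sample resembling `kubectl get pods,daemonsets -A -o json` output
# (assumption: fields trimmed to what the scan needs).
SAMPLE_ITEMS = json.loads("""
{"items": [
 {"kind": "DaemonSet", "metadata": {"namespace": "logging", "name": "fluent-bit"},
  "spec": {"template": {"spec": {"volumes": [
     {"name": "varlog", "hostPath": {"path": "/var/log"}},
     {"name": "dockerlogs", "hostPath": {"path": "/var/lib/docker/containers"}}]}}}},
 {"kind": "Pod", "metadata": {"namespace": "ci", "name": "builder-0"},
  "spec": {"volumes": [
     {"name": "dind", "hostPath": {"path": "/var/run/docker.sock"}}]}},
 {"kind": "Pod", "metadata": {"namespace": "web", "name": "api-7d9"},
  "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}]}}
]}
""")

def pod_spec(item):
    """Return the Pod spec for a bare Pod, or the pod template spec of a workload."""
    spec = item.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def docker_host_mounts(item):
    """hostPath volumes in one object whose path is, or lies under, a Docker path."""
    hits = []
    for vol in pod_spec(item).get("volumes", []):
        path = vol.get("hostPath", {}).get("path", "")
        if any(path == p or path.startswith(p + "/") for p in DOCKER_HOST_PATHS):
            hits.append((vol["name"], path))
    return hits

def scan(item_list):
    """Map 'kind/namespace/name' -> list of (volume name, hostPath) findings."""
    findings = {}
    for item in item_list["items"]:
        hits = docker_host_mounts(item)
        if hits:
            meta = item["metadata"]
            findings[f"{item['kind']}/{meta['namespace']}/{meta['name']}"] = hits
    return findings

if __name__ == "__main__":
    for ref, hits in scan(SAMPLE_ITEMS).items():
        for vol, path in hits:
            print(f"{ref}: volume {vol} mounts {path}")
```

The same pod_spec() lookup works for Deployments, StatefulSets, and Jobs, so the kinds passed to kubectl can be widened without changing the scan.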
Storage controller readiness. CSI snapshot GA assumes a reliable snapshot controller and compatible storage driver. Validate driver versions, upgrade controllers, and ensure etcd quotas can handle snapshot object churn. Monitor controller metrics (volumesnapshot_controller) to detect reconciliation lag.
API drift. Teams maintaining custom operators must update client libraries to the new snapshot API versions and re-run code generation. Pin dependencies to Kubernetes 1.20 client-go or later to ensure compatibility and regenerate CRDs where applicable.
Sources
- Kubernetes v1.20: The Raddest Release — Official Kubernetes blog announcing the release, covering CSI snapshot GA, dockershim deprecation, and kubectl debug.
- Kubernetes 1.20 Release Notes — Authoritative changelog detailing feature graduations, runtime roadmap, and API updates.