← Back to all briefings
Infrastructure 6 min read Published Updated Credibility 88/100

Platform Briefing — Kubernetes 1.21 Release

Kubernetes 1.21 (“Power to the Community”) shipped on 8 April 2021, promoting CronJobs and IPv4/IPv6 dual-stack to GA while deprecating PodSecurityPolicy—demanding policy governance, upgrade sequencing, and supply chain hardening across clusters.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: Kubernetes 1.21, codenamed “Power to the Community,” was released on 8 April 2021 as the first four-release-year cadence aligned to the restructured release team. The version stabilised CronJobs and IPv4/IPv6 dual-stack networking, graduated Immutable Secrets and ConfigMaps, introduced pod memory/CPU swap support as alpha, and formally deprecated PodSecurityPolicy (PSP). Platform owners must interpret these API changes alongside container runtime transitions, admission control redesign, and supply chain security requirements triggered by the SolarWinds and Codecov incidents that dominated early 2021.

Release governance and timelines

The Kubernetes Release Special Interest Group (SIG Release) delivered 1.21 with a nine-week cycle, emphasising documentation completeness and CI signal quality. Cluster operators should align upgrade windows with the version’s 14-month patch support, mapping 1.21.0 through 1.21.z into maintenance calendars. Google Kubernetes Engine, Amazon EKS, Azure AKS, and Red Hat OpenShift announced availability windows staggered over Q2 2021, requiring teams to validate managed service channel updates. Admission webhook registries, Container Storage Interface (CSI) drivers, and CNI plugins must compile against the 1.21 APIs before promotion across environments.

Key feature graduations

  • CronJobs GA. Scheduled workloads are now generally available, removing the v1beta1 API in a future release. Operators should migrate manifests to batch/v1 CronJob, ensure timezone handling via spec.timeZone, and confirm controller concurrency policies meet operational expectations. Observe metrics such as cronjob_controller_job_creation_skew_seconds to detect scheduling drift.
  • IPv4/IPv6 dual-stack. Dual-stack networking reached GA, letting pods and services receive both IPv4 and IPv6 addresses. Network teams must confirm CNI plugin compatibility (e.g., Calico, Cilium), update firewall rules for IPv6, and adjust service discovery to advertise AAAA records. Governance policies should mandate IPv6 logging and security inspection parity to avoid blind spots.
  • Immutable Secrets and ConfigMaps. Graduated to GA, the immutable flag prevents accidental updates to configuration data. Platform SREs should adopt immutability for sensitive configuration sets, enforce rotation procedures that create new objects, and update deployment automation to reference versioned names.

Security and policy implications

  • PodSecurityPolicy deprecation. PSP entered deprecation in 1.21 and is targeted for removal in 1.25. Security teams must develop migration plans to alternative enforcement mechanisms such as the Pod Security Admission controller (introduced later), Open Policy Agent Gatekeeper, or Kyverno. Conduct inventory of existing PSP objects, translate constraints into new policy templates, and test in non-production clusters to avoid privilege regressions.
  • Rootless container support. CRI-O and containerd enhancements enable rootless runtimes, reducing host compromise blast radius. Governance frameworks should update container hardening standards to require user namespace remapping where supported, aligning with CIS Kubernetes Benchmark controls.
  • Artifact signing. Following CNCF’s formation of the Sigstore project in March 2021, release teams encourage adoption of cosign and in-toto attestations for container images and Helm charts. Supply chain policies should mandate signature verification during admission and integrate with software bill of materials (SBOM) generation using tools like Syft or Tern.

Operational readiness checklist

  1. Review API deprecations using kubectl get --raw discovery endpoints and the kubent tool, ensuring manifests shift from beta to stable resources.
  2. Update monitoring dashboards to track controller-manager, scheduler, and kubelet metrics newly exposed in 1.21 (including CSI storage operations). Validate Prometheus rules and alert thresholds after the metrics stability framework adjustments.
  3. Coordinate kubelet upgrade order—control plane nodes first, followed by workers—while confirming container runtime interface compatibility (containerd ≥1.4.4, CRI-O ≥1.21).
  4. Reassess etcd backups and disaster recovery drills. Kubernetes 1.21 depends on etcd 3.4.13; confirm snapshot automation and encrypt secrets at rest with keys rotated per organisational policy.

Application developer considerations

  • Workload APIs. Beta removal of PodDisruptionBudget spec.selector defaulting requires explicit labels. CI pipelines should enforce schema validation using kubectl --dry-run=server and kubeconform.
  • Service account token volume projection. Bound service account token volumes progressed, providing audience-bound, time-limited tokens. Developers should adopt projected volumes, update SDKs to refresh tokens, and disable legacy secret-based tokens where possible.
  • Sidecar containers. Alpha support for StartupProbe with grpc behaviour aids readiness gating. Observability teams must add gRPC health endpoints and integrate with OpenTelemetry Collector deployments for distributed tracing.

Compliance and risk management

Regulated enterprises—financial services, telecom, and healthcare—should map Kubernetes 1.21 changes against controls such as NIST SP 800-190 (Application Container Security) and PCI DSS 3.2.1. The PSP deprecation, for example, affects control statements around privileged containers. Governance boards need to approve alternative policy engines and document compensating controls. Dual-stack networking introduces IPv6 logging obligations under frameworks like ISO/IEC 27001 Annex A.13; ensure security information and event management (SIEM) platforms can parse IPv6 flow logs and correlate identity data.

Documentation and communication

Update runbooks, cluster onboarding guides, and developer portals to highlight 1.21 behavioural shifts. Provide architecture decision records covering dual-stack adoption strategy, PSP replacement, and CronJob migration. Communicate release timelines to business stakeholders, emphasising testing windows and potential service interruptions. Managed service customers must coordinate with cloud provider change notices to avoid surprise rollouts.

Future roadmap awareness

Kubernetes 1.22 (August 2021) continues API removals, including the beta PodSecurityPolicy endpoint, while 1.23 and beyond refine Gateway API and topology-aware hints. Teams should sustain upgrade rhythm every 6–9 months, ensuring compatibility testing and automated conformance (sonobuoy) remain part of CI pipelines. Monitor SIG Security outputs, including Kubernetes supply chain security guidance responding to the U.S. Executive Order 14028, to future-proof controls introduced in 1.21.

Zeph Tech guides platform engineering teams through Kubernetes 1.21 adoption by translating release notes into control requirements, validating policy engine migrations, and building observability baselines for dual-stack production clusters.

Ecosystem and vendor readiness

Kubernetes distributors—including VMware Tanzu, Rancher, and Canonical—announced 1.21 support with their own release cadences. Multi-cloud adopters should synchronise upgrade policies across managed and self-managed clusters to maintain consistent API behaviour. Review cloud provider admission policies (for example, AWS EKS defaulting to PodSecurityPolicy until replacements are available) and ensure third-party operators from partners like HashiCorp, Datadog, and Splunk have published 1.21 compatibility matrices.

The CNCF conformance programme certified more than 60 distributions on 1.21 within months of release. Organisations leveraging vendor support agreements should verify that conformance badges are current, enabling portability commitments in multi-cluster governance.

Skills development and change management

Upgrade projects require coordinated enablement for platform, network, and application teams. Run internal workshops on dual-stack networking design, PSP migration strategies, and CronJob scheduling best practices. Update runbooks in Git-based documentation repositories and ensure self-service portals communicate new feature availability. Certification programmes—CKA, CKAD, and CKS—update exam objectives periodically; encourage practitioners to revise study plans to include 1.21 features and security practices.

Regulatory and industry alignment

Kubernetes often underpins regulated workloads. Map 1.21 capabilities to regulatory obligations such as the U.S. Executive Order 14028’s emphasis on software supply chain security and the UK National Cyber Security Centre’s cloud guidance. Document how artifact signing, policy engines replacing PSP, and enhanced observability contribute to compliance with ISO/IEC 27001 Annex A controls (access management, operations security) and SOC 2 trust principles.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Infrastructure pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Kubernetes 1.21
  • CronJob
  • Immutable Secrets
  • PodSecurityPolicy
  • Dual-stack networking
Back to curated briefings