Kubernetes 1.22 (Pompeii) Release
Kubernetes 1.22 shipped on August 4, 2021. Server-side Apply is now stable, external credential providers are promoted, and PSPs are deprecated—start moving to admission controllers if you have not already.
Verified for technical accuracy — Kodi C.
The Kubernetes Release Team delivered v1.22 "Pompeii" on August 4, 2021. The release includes 53 improvements, with 13 graduating to stable and 24 moving to beta, and introduces breaking removals that require cluster operator action. This release marks a significant maturity milestone for the Kubernetes project, stabilizing foundational capabilities while establishing the migration path away from PodSecurityPolicies that had governed pod security constraints since early Kubernetes versions. Platform teams should plan carefully for the API removals and security model transitions this release introduces.
Server-Side Apply General Availability
Declarative apply is now stable, enabling controllers and GitOps tools to manage object fields without client-side merges and their associated conflict risks. Server-side apply moves field ownership tracking from the client to the Kubernetes API server, providing authoritative conflict detection when multiple actors attempt to manage the same object fields.
This architecture resolves long-standing issues with kubectl apply that could produce unexpected results when manifests diverged from actual cluster state. GitOps setups using Flux, Argo CD, or custom controllers benefit from server-side apply's field ownership semantics, which clearly identify when human operators, CI pipelines, or controllers make conflicting changes. Migration to server-side apply requires updating tooling configurations and potentially resolving historical field ownership ambiguities in existing objects.
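The ownership rules described above can be seen in a small model. This is an added example, not code from Kubernetes or from the original article: it uses flat field paths instead of real managedFields sets, and the manager names are hypothetical.

```python
class Conflict(Exception):
    """An apply tried to change a field that another manager owns."""


class LiveObject:
    """Simplified model: flat field paths instead of real managedFields sets."""

    def __init__(self):
        self.fields = {}   # field path -> current value
        self.owners = {}   # field path -> set of field manager names

    def apply(self, manager, config, force=False):
        # A conflict is a changed value on a field owned by someone else.
        conflicts = {
            path: sorted(self.owners[path] - {manager})
            for path, value in config.items()
            if path in self.fields and self.fields[path] != value
            and self.owners[path] - {manager}
        }
        if conflicts and not force:
            raise Conflict(conflicts)
        for path, value in config.items():
            if path in conflicts:          # force=True: others lose ownership
                self.owners[path] = set()
            self.fields[path] = value
            self.owners.setdefault(path, set()).add(manager)
        # Fields the manager applied before but omits now are released, and
        # deleted once no other manager owns them.
        for path in [p for p, o in self.owners.items()
                     if manager in o and p not in config]:
            self.owners[path].discard(manager)
            if not self.owners[path]:
                del self.owners[path], self.fields[path]


def demo():
    obj = LiveObject()
    obj.apply("gitops-controller", {"spec.replicas": 3, "image": "web:1.4"})
    try:
        obj.apply("ci-pipeline", {"spec.replicas": 5})    # different value
        blocked = {}
    except Conflict as exc:
        blocked = exc.args[0]
    obj.apply("autoscaler", {"spec.replicas": 3})         # same value: co-owner
    obj.apply("gitops-controller", {"image": "web:1.5"})  # releases replicas
    return blocked, obj.fields, obj.owners
```

Applying an identical value shares ownership instead of conflicting, which is why dropping a field from a manifest only deletes it when no other manager still owns it.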
External Credential Providers Graduation
Client-go can integrate with exec plugins such as AWS IAM authenticator and Azure CLI for seamless, pluggable authentication without embedding credentials in kubeconfig files. External credential providers enable dynamic credential acquisition aligned with enterprise identity and access management practices.
Cloud provider integrations support assuming IAM roles, obtaining Azure AD tokens, and authenticating with GCP service accounts without long-lived credentials in configuration files. Organizations can enforce credential rotation, conditional access policies, and audit logging through their standard identity infrastructure rather than managing separate Kubernetes credential lifecycles. This graduation validates the plugin architecture's stability for production authentication workflows across diverse enterprise environments.
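One way to check whether kubeconfig files still embed static credentials instead of using an exec plugin, as an added example that is not part of the original article. The user names, `example-cluster` and `example-credential-plugin` are constructed placeholders; the field names are the standard kubeconfig user fields.

```python
import json

STATIC_FIELDS = ("token", "password", "client-key-data")
EXEC_STABLE = "client.authentication.k8s.io/v1"
# interactiveMode is required by the v1 exec config and optional in v1beta1.
INTERACTIVE_MODES = ("Never", "IfAvailable", "Always")


def audit_kubeconfig(cfg):
    """Return (user, finding) pairs for one parsed kubeconfig."""
    findings = []
    for entry in cfg.get("users") or []:
        name, user = entry.get("name", "<unnamed>"), entry.get("user") or {}
        for field in STATIC_FIELDS:
            if user.get(field):
                findings.append((name, f"static credential in file: {field}"))
        plugin = user.get("exec")
        if plugin is None:
            continue
        if plugin.get("apiVersion") != EXEC_STABLE:
            findings.append(
                (name, f"exec apiVersion is {plugin.get('apiVersion')}, not v1"))
        elif plugin.get("interactiveMode") not in INTERACTIVE_MODES:
            findings.append((name, "v1 exec config needs interactiveMode"))
        if not plugin.get("command"):
            findings.append((name, "exec plugin has no command"))
    return findings


# Constructed sample in the shape of `kubectl config view --raw -o json`.
SAMPLE = json.loads("""
{
  "users": [
    {"name": "legacy-admin", "user": {"token": "REDACTED-PLACEHOLDER"}},
    {"name": "dev-beta", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "aws-iam-authenticator",
        "args": ["token", "-i", "example-cluster"]}}},
    {"name": "dev-sso", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1",
        "command": "example-credential-plugin",
        "interactiveMode": "IfAvailable"}}}
  ]
}
""")

if __name__ == "__main__":
    for user, finding in audit_kubeconfig(SAMPLE):
        print(f"{user}: {finding}")
```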
PodSecurityPolicy Deprecation Path
PSP is deprecated in 1.22 and scheduled for removal in 1.25, with the release issuing warnings and introducing the admission-based Pod Security standards as the migration path. PodSecurityPolicy provided cluster-wide constraints on pod security contexts including privileged access, volume types, and host namespace access. However, PSP's complex authorization model and difficult debugging experience prompted development of simplified alternatives.
Pod Security Admission implements the Pod Security Standards (privileged, baseline, restricted) through namespace labels rather than cluster-scoped policies. Migration planning should begin immediately given the compressed timeline between deprecation announcement and removal. Policy enforcement tools like Kyverno and OPA Gatekeeper offer richer policy capabilities for organizations requiring controls beyond the built-in Pod Security Standards.
API Removals and Migration Requirements
Validate workloads for deprecated APIs such as autoscaling/v2beta2 and Ingress v1beta1, upgrading manifests before cluster upgrades to version 1.22. Kubernetes 1.22 removes multiple beta API versions that reached general availability in earlier releases, requiring manifest updates to reference stable API versions. Ingress resources must use networking.k8s.io/v1 with updated field specifications.
CustomResourceDefinition resources must use apiextensions.k8s.io/v1 with schema validation requirements. Audit logging and API deprecation warnings help identify workloads using deprecated APIs before upgrade. If you are affected, run pre-upgrade compatibility checks and update CI/CD pipelines generating Kubernetes manifests to produce current API versions.
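A pre-upgrade check of the kind described above can run in CI against rendered manifests. This is an added example, not tooling from the Kubernetes project or the original article: its table covers only the Ingress and CustomResourceDefinition removals, and the sample manifest is constructed.

```python
import re

# API versions removed in Kubernetes 1.22 -> stable replacement. Covers only
# Ingress and CustomResourceDefinition; extend from the upstream removal list.
REMOVED_IN_1_22 = {
    ("networking.k8s.io/v1beta1", "Ingress"): "networking.k8s.io/v1",
    ("extensions/v1beta1", "Ingress"): "networking.k8s.io/v1",
    ("apiextensions.k8s.io/v1beta1", "CustomResourceDefinition"):
        "apiextensions.k8s.io/v1",
}

# Only column-0 keys count, so nested `kind:` fields (a CRD's spec.names.kind)
# are ignored. Objects wrapped in a `kind: List` are not inspected.
TOP_LEVEL = re.compile(r"""^(apiVersion|kind):\s*["']?([^"'\s#]+)""")


def scan_manifest(text):
    """Return one finding per YAML document that uses a removed API version."""
    findings, api, kind, api_line = [], None, None, 0
    # The trailing "---" sentinel flushes the last document.
    for number, line in enumerate(text.splitlines() + ["---"], 1):
        if line.rstrip() == "---":           # end of one YAML document
            if (api, kind) in REMOVED_IN_1_22:
                findings.append({"line": api_line, "kind": kind, "found": api,
                                 "use": REMOVED_IN_1_22[(api, kind)]})
            api = kind = None
            continue
        match = TOP_LEVEL.match(line)
        if match and match.group(1) == "apiVersion":
            api, api_line = match.group(2), number
        elif match:
            kind = match.group(2)
    return findings


# Constructed sample: multi-document output such as a chart render.
SAMPLE = """\
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
---
apiVersion: apps/v1
kind: Deployment
---
kind: CustomResourceDefinition
apiVersion: "apiextensions.k8s.io/v1beta1"
spec:
  names:
    kind: Widget
"""
```

Changing the `apiVersion` string alone is not enough for these kinds, since the stable versions also change field requirements, so each finding marks a manifest that needs review.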
Pod Security Standards Implementation
Plan namespace label strategies (privileged, baseline, restricted) and integrate with policy enforcement tooling for post-PSP security governance. Pod Security Admission applies standards at namespace granularity through labels specifying enforcement mode (enforce, audit, warn) and standard level. Privileged mode permits all pod specifications, appropriate for system namespaces running infrastructure components.
Baseline mode prevents known privilege escalations while permitting most workloads. Restricted mode enforces current pod hardening good practices, suitable for untrusted workloads and security-sensitive environments. If you are affected, audit existing namespaces for current security posture and plan label assignments that maintain security without disrupting legitimate workloads.
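To plan label assignments without breaking running workloads, the sketch below picks the strictest level each namespace's current pods already satisfy and sets warn and audit one level higher. It is an added example, not part of the original article or of Pod Security Admission itself: it checks only a subset of the Baseline and Restricted controls, and the namespaces and pod specs are constructed.

```python
LEVELS = ("privileged", "baseline", "restricted")

def _containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])

def violates_baseline(spec):
    """Subset of Baseline: host namespaces, hostPath volumes, privileged."""
    return (
        any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC"))
        or any(v.get("hostPath") is not None for v in spec.get("volumes", []))
        or any((c.get("securityContext") or {}).get("privileged")
               for c in _containers(spec))
    )

def violates_restricted(spec):
    """Subset of Restricted: runAsNonRoot and allowPrivilegeEscalation."""
    pod_sc = spec.get("securityContext") or {}
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True or sc.get("allowPrivilegeEscalation") is not False:
            return True
    return False

def plan_labels(pods_by_namespace):
    """Enforce what running pods already pass; warn and audit one level up."""
    plan = {}
    for ns, specs in pods_by_namespace.items():
        if any(violates_baseline(s) for s in specs):
            enforce = "privileged"
        elif any(violates_restricted(s) for s in specs):
            enforce = "baseline"
        else:
            enforce = "restricted"
        target = LEVELS[min(LEVELS.index(enforce) + 1, len(LEVELS) - 1)]
        modes = {"enforce": enforce, "warn": target, "audit": target}
        plan[ns] = {f"pod-security.kubernetes.io/{m}": lvl
                    for m, lvl in modes.items()}
    return plan

# Constructed pod specs keyed by namespace (hypothetical names).
PODS = {
    "kube-system": [{"hostNetwork": True, "containers": [{"name": "cni"}]}],
    "legacy": [{"containers": [{"name": "app"}]}],
    "payments": [{"securityContext": {"runAsNonRoot": True}, "containers": [
        {"name": "api", "securityContext": {"allowPrivilegeEscalation": False}}]}],
}
```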
CSI Migration Progress
Kubernetes 1.22 continues progress on Container Storage Interface migration, moving in-tree volume plugins to CSI drivers without requiring manifest changes. CSI migration enables cloud providers and storage vendors to develop and release drivers independently of Kubernetes release cycles. If you are affected, verify CSI driver availability and compatibility for your storage backends before upgrading clusters where in-tree drivers approach migration milestones.
Upgrade Planning and Execution
Run conformance and upgrade rehearsals on staging clusters to uncover deprecated API usage and compatibility issues before production upgrades. Refresh internal platform documentation on CSI migration timelines, Windows node support improvements, and topology-aware scheduling hints introduced in 1.22. Update GitOps configurations and CI pipelines to use server-side apply and resolve field ownership conflicts. Coordinate with security teams on Kyverno, OPA, or similar policies replacing PodSecurityPolicy functionality in preparation for 1.25 removal.