Platform Briefing — Kubernetes 1.25 Release
Kubernetes 1.25 (Combiner) introduces 40 enhancements, including PodSecurity admission GA, CSI migration for the Azure Disk and GCE persistent disk in-tree plugins reaching stable, and CRD validation improvements, while removing PodSecurityPolicy and several other beta APIs that operators must replace.
Executive briefing: Kubernetes 1.25, code-named “Combiner,” was released on 23 August 2022 with 40 enhancements across security, storage, networking, and extensibility, including 13 graduations to stable, 10 features moving to beta, and 15 new alpha capabilities.1 The release promotes PodSecurity admission to general availability and removes the PodSecurityPolicy admission controller it replaces, and it graduates container storage interface (CSI) migration for the Azure Disk and GCE persistent disk in-tree plugins to stable (Azure File migration remains beta in this release).1 Cluster operators must plan for the removed beta APIs – PodSecurityPolicy and PodDisruptionBudget in policy/v1beta1, CronJob batch/v1beta1, HorizontalPodAutoscaler autoscaling/v2beta1, EndpointSlice discovery.k8s.io/v1beta1, Event events.k8s.io/v1beta1, and RuntimeClass node.k8s.io/v1beta1 – while validating new security, scheduling, and custom resource definition (CRD) features.2
1.25 delivers significant changes to the Kubernetes control plane and node components. Ephemeral containers and cgroup v2 support reach general availability, and kubelet credential provider plugins, which let the kubelet fetch image registry credentials from an external binary instead of a static credential file on the node, remain beta in 1.25 ahead of their 1.26 graduation.1 CRD validation gains Common Expression Language (CEL) rules in beta, and Pod topology spread constraints gain minDomains (beta) and node inclusion policies (alpha). Administrators should prepare for default behavior changes: the SeccompDefault feature gate moves to beta, allowing the kubelet to apply the RuntimeDefault seccomp profile to pods that set none, and Secret-based service account tokens are no longer auto-generated now that LegacyServiceAccountTokenNoAutoGeneration is stable, so any tooling that read the generated token Secret must request tokens through the TokenRequest API instead.2
Security and policy implications
The GA of PodSecurity admission enforces namespace-level policies aligned with the Pod Security Standards (privileged, baseline, restricted), providing a streamlined alternative to PodSecurityPolicy.1 Organisations must migrate existing PSP configurations to PodSecurity admission by labelling namespaces (pod-security.kubernetes.io/enforce, audit and warn, each optionally pinned with a matching -version label) and, for cluster-wide defaults and exemptions, by passing a PodSecurityConfiguration to kube-apiserver through its admission configuration file. PodSecurity admission only validates: PSP rules that mutated pods (for example defaulting a seccomp profile or dropping capabilities) and custom rules outside the three standard profiles must move to a policy engine such as Open Policy Agent Gatekeeper or Kyverno. Operators should perform policy-as-code reviews, update CI/CD pipelines to validate manifests, and run each namespace in audit and warn mode in staging clusters before enforcing.
Kubernetes 1.25 also improves the evidence available to security teams. PodSecurity admission records its verdicts as audit annotations on pod requests: pod-security.kubernetes.io/enforce-policy names the level enforced and pod-security.kubernetes.io/audit-violations lists the checks a pod would fail at the namespace's audit level, while enforce-mode rejections appear as 403 responses in the kube-apiserver audit log.1 The SeccompDefault feature gate graduates to beta, so kubelets configured with seccompDefault apply the container runtime's default seccomp profile to pods that declare none, and user namespaces for stateless pods arrive as an alpha feature that maps a container's root user to an unprivileged host UID.2 Credential provider plugins, still beta, avoid embedding long-lived registry keys on nodes. Security teams should ensure audit pipelines capture PodSecurity audit annotations and admission rejections, together with the seccomp and capability settings of admitted pods, for compliance reporting.
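The audit-pipeline step described above, as an added example that is not code from the Kubernetes project or from any audit tooling: a stdlib-only summariser that reads kube-apiserver audit events in the audit.k8s.io/v1 JSON-lines format and counts, per namespace, the pods PodSecurity evaluated, the audit violations, the enforce denials and the individual failing checks. The four audit events are constructed for this example (the annotation keys and message shapes follow the PodSecurity admission documentation, the namespaces and pod names are invented).

```python
"""Summarise PodSecurity admission outcomes from kube-apiserver audit logs.

PodSecurity admission annotates each pod request it evaluates:
  pod-security.kubernetes.io/enforce-policy   -> level enforced, e.g. baseline:latest
  pod-security.kubernetes.io/audit-violations -> checks the pod fails at the
                                                 namespace's audit level
An enforce rejection is an ordinary 403 whose message names the failed checks.
Counting both per namespace is the evidence needed before raising enforce.
"""
import json
import re
from collections import Counter, defaultdict

AUDIT_ANN = "pod-security.kubernetes.io/audit-violations"
ENFORCE_ANN = "pod-security.kubernetes.io/enforce-policy"
_VERDICT = re.compile(r'PodSecurity "([^"]+)": (.*)$')


def _check_names(violation_list):
    """'a (detail), b (detail, with comma)' -> ['a', 'b']; splits only at depth 0."""
    parts, current, depth = [], [], 0
    for ch in violation_list:
        depth += (ch == "(") - (ch == ")")
        current.append(ch)
        if depth == 0 and len(current) >= 2 and current[-2:] == [",", " "]:
            parts.append("".join(current[:-2]))
            current = []
    parts.append("".join(current))
    return [p.split(" (", 1)[0].strip() for p in parts if p.strip()]


def summarize_psa(log_text):
    """Per-namespace counts of evaluated pods, audit violations, denials, checks."""
    summary = defaultdict(lambda: {"pods_evaluated": 0, "audit_violations": 0,
                                   "enforce_denials": 0, "checks": Counter()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        annotations = event.get("annotations") or {}
        if ENFORCE_ANN not in annotations:   # PodSecurity did not evaluate this request
            continue
        ns = (event.get("objectRef") or {}).get("namespace", "<cluster-scoped>")
        entry = summary[ns]
        entry["pods_evaluated"] += 1
        if AUDIT_ANN in annotations:
            entry["audit_violations"] += 1
            m = _VERDICT.search(annotations[AUDIT_ANN])
            if m:
                entry["checks"].update(_check_names(m.group(2)))
        status = event.get("responseStatus") or {}
        if status.get("code") == 403:
            entry["enforce_denials"] += 1
            m = _VERDICT.search(status.get("message", ""))
            if m:
                entry["checks"].update(_check_names(m.group(2)))
    return dict(summary)


# Constructed sample: Metadata-level audit events, one JSON object per line,
# as the apiserver's log backend writes them (namespaces and names invented).
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","objectRef":{"resource":"pods","namespace":"payments","name":"worker-7f9"},"responseStatus":{"code":201},"annotations":{"pod-security.kubernetes.io/enforce-policy":"baseline:latest","pod-security.kubernetes.io/audit-violations":"would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"worker\" must set securityContext.allowPrivilegeEscalation=false), runAsNonRoot != true (pod or container \"worker\" must set securityContext.runAsNonRoot=true)"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","objectRef":{"resource":"pods","namespace":"payments","name":"debug-shell"},"responseStatus":{"code":403,"reason":"Forbidden","message":"pods \"debug-shell\" is forbidden: violates PodSecurity \"baseline:latest\": privileged (container \"shell\" must not set securityContext.privileged=true)"},"annotations":{"pod-security.kubernetes.io/enforce-policy":"baseline:latest"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","objectRef":{"resource":"configmaps","namespace":"payments","name":"app-config"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","objectRef":{"resource":"pods","namespace":"web","name":"nginx-1"},"responseStatus":{"code":201},"annotations":{"pod-security.kubernetes.io/enforce-policy":"restricted:latest"}}
"""

if __name__ == "__main__":
    for ns, entry in sorted(summarize_psa(SAMPLE_AUDIT_LOG).items()):
        print(ns, {k: (dict(v) if isinstance(v, Counter) else v) for k, v in entry.items()})
```

Feed it the apiserver audit log file (or the output of your log pipeline's JSON export); a namespace whose audit_violations and enforce_denials both stay at zero at the target level over a full deployment cycle is a candidate for raising its enforce label.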
Storage and workload portability
CSI migration reaches a major milestone in 1.25: the in-tree Azure Disk and GCE persistent disk volume plugins now route every operation to their CSI drivers, and the CSIMigrationAzureDisk and CSIMigrationGCE feature gates are locked on, so the migration can no longer be disabled; Azure File migration is beta and enabled by default but can still be turned off.1 Clusters running on Azure should validate CSI driver deployment (disk.csi.azure.com and file.csi.azure.com), its RBAC, and node tolerations before upgrading, because pods that mount kubernetes.io/azure-disk volumes on a 1.25 node without the driver installed will fail to attach. Existing PersistentVolumes keep their in-tree spec; the kubelet and controllers translate them to CSI calls transparently, and the in-tree plugin code itself is only removed in a later release behind the InTreePluginAzureDiskUnregister gate.
Ephemeral containers graduate to stable, so kubectl debug can attach a troubleshooting container to a running pod for diagnostics without restarting the workload.1 Because an ephemeral container is added to an existing pod, PodSecurity admission evaluates it like any other container, and a restricted namespace will reject a debug image that runs as root or asks for extra capabilities; plan debugging images accordingly. Workload portability improves with kube-scheduler enhancements for Pod topology spread constraints: minDomains is beta, and the alpha NodeInclusionPolicyInPodTopologySpread gate adds nodeAffinityPolicy and nodeTaintsPolicy fields that control whether node affinity and taints are considered when computing skew. Stateful applications should be retested to confirm scheduling behavior, especially when using zone-aware policies or custom topology keys.
API changes and deprecations
Kubernetes 1.25 removes several long-standing beta APIs. PodSecurityPolicy (policy/v1beta1) is gone with no in-tree successor other than PodSecurity admission, and the beta versions of PodDisruptionBudget (policy/v1beta1), CronJob (batch/v1beta1), HorizontalPodAutoscaler (autoscaling/v2beta1), EndpointSlice (discovery.k8s.io/v1beta1), Event (events.k8s.io/v1beta1), and RuntimeClass (node.k8s.io/v1beta1) are no longer served; requests for them fail after the control plane upgrade, although objects already stored in etcd remain readable through the replacement versions.2 The replacements are policy/v1, batch/v1, autoscaling/v2, discovery.k8s.io/v1, events.k8s.io/v1, and node.k8s.io/v1. Note that the beta Ingress API (networking.k8s.io/v1beta1) was already removed in 1.22 and autoscaling/v2beta2 is still served until 1.26, so inventories should be keyed on the exact removal version. Operators must update YAML manifests, Helm charts, and operators to use supported API versions.
To prepare, use the kubectl-convert plugin to rewrite stored manifests, and run a deprecated-API scanner such as kubent (kube-no-trouble) or pluto over manifests, Helm releases, and live cluster objects before upgrading. On the current control plane, the apiserver_requested_deprecated_apis metric and the k8s.io/deprecated audit annotation show which deprecated versions clients are still calling, which catches callers that no manifest scan can see. Admission webhooks and controllers should be updated to handle the replacement API versions, and custom controllers built with client-go must move to the v0.25 library releases to avoid compile-time and runtime incompatibilities.
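The manifest scan above, as an added example rather than code from the Kubernetes project, kubent or pluto: a stdlib-only scanner that splits multi-document YAML, reads the top-level apiVersion and kind with regular expressions (no YAML parser, so anchors, aliases and flow-style documents are not handled) and reports every document that uses an API version removed in 1.25 together with the version to migrate to. The removal table is taken from the 1.25 deprecation guide; the sample manifests are constructed for the example.

```python
"""Scan multi-document YAML for API versions removed in Kubernetes 1.25.

Stdlib-only stand-in for the check kubent and pluto perform, usable as a CI
step over rendered Helm output:  helm template . | python3 scan_removed.py
Top-level apiVersion/kind are extracted with regular expressions rather than
a YAML parser, so anchors/aliases and flow-style documents are not handled.
"""
import re
import sys

# (apiVersion, kind) served for the last time in 1.24, per the 1.25
# deprecation guide, mapped to the version to migrate to. None means no
# in-tree successor (PodSecurityPolicy is replaced by PodSecurity admission).
REMOVED_IN_1_25 = {
    ("policy/v1beta1", "PodSecurityPolicy"): None,
    ("policy/v1beta1", "PodDisruptionBudget"): "policy/v1",
    ("batch/v1beta1", "CronJob"): "batch/v1",
    ("autoscaling/v2beta1", "HorizontalPodAutoscaler"): "autoscaling/v2",
    ("discovery.k8s.io/v1beta1", "EndpointSlice"): "discovery.k8s.io/v1",
    ("events.k8s.io/v1beta1", "Event"): "events.k8s.io/v1",
    ("node.k8s.io/v1beta1", "RuntimeClass"): "node.k8s.io/v1",
}

# Only unindented keys are top-level: a nested apiVersion/kind (for example in
# a Deployment's pod template) starts with whitespace and is ignored.
_FIELD = re.compile(r"^(apiVersion|kind):\s*['\"]?([^'\"\s#]+)", re.M)
_NAME = re.compile(r"^  name:\s*['\"]?([^'\"\s#]+)", re.M)  # metadata.name, best effort


def split_documents(text):
    """Split on '---' separators, dropping empty or comment-only documents."""
    docs = re.split(r"^---[ \t]*$", text, flags=re.M)
    return [d for d in docs if re.search(r"^\s*[^\s#]", d, re.M)]


def scan_manifests(text):
    """Return one finding per document that uses an API removed in 1.25."""
    findings = []
    for index, doc in enumerate(split_documents(text)):
        fields = dict(_FIELD.findall(doc))
        key = (fields.get("apiVersion"), fields.get("kind"))
        if key not in REMOVED_IN_1_25:
            continue
        name = _NAME.search(doc)
        findings.append({
            "document": index,
            "name": name.group(1) if name else "<unknown>",
            "apiVersion": key[0],
            "kind": key[1],
            "replacement": REMOVED_IN_1_25[key],
        })
    return findings


# Constructed sample: three removed versions, one current CronJob, and a
# Deployment whose nested pod-template name must not be read as metadata.name.
SAMPLE_MANIFESTS = """\
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: legacy-restricted
spec:
  privileged: false
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: nightly-backup
spec:
  schedule: "0 2 * * *"
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: web
---
# already on a supported version: must not be flagged
apiVersion: batch/v1
kind: CronJob
metadata:
  name: log-rotate
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  template:
    metadata:
      name: nested-name-ignored
"""


def main(argv):
    """Read a file (or stdin), print findings, exit non-zero if any exist."""
    text = sys.stdin.read() if len(argv) < 2 else open(argv[1]).read()
    findings = scan_manifests(text)
    for f in findings:
        target = f["replacement"] or "no replacement API; migrate the workload"
        print(f"document {f['document']} {f['kind']}/{f['name']}: "
              f"{f['apiVersion']} is removed in 1.25 -> {target}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit code makes it a drop-in CI gate; for live clusters, export objects with kubectl get ... -o yaml and feed the output through the same scanner, remembering that the API server already serves such objects under the replacement version, so the metric and audit annotation mentioned above remain the authoritative source for clients that still call the removed versions.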
Cluster upgrade strategy
Before upgrading, review the official release notes and the Kubernetes version skew policy to ensure compatibility between control plane and node versions: in 1.25, kubelets may trail kube-apiserver by up to two minor versions but never lead it, kube-controller-manager and kube-scheduler may trail by one, and kubectl must be within one minor version in either direction, so kube-apiserver is upgraded first and nodes follow in waves.2 Back up etcd, check certificate expiry (kubeadm renews certificates during upgrade), and test restore procedures. Validate that CNI plugins, CSI drivers, service meshes, and monitoring agents support 1.25. For managed services (GKE, EKS, AKS), confirm availability of 1.25 control plane versions and corresponding node images, then stage updates in development environments.
Migrating PodSecurityPolicy requires a detailed plan: inventory PSP usage (which PSPs each service account is allowed to use and which pods actually rely on them), map each PSP to the closest Pod Security Standard, and isolate workloads that genuinely need elevated privileges (for example hostPath mounts or privileged containers in node agents) in dedicated namespaces that stay at the privileged level under tighter RBAC. Roll out progressively with canary namespaces, labelling them with audit and warn at the target level while enforce stays looser, and raise enforce only once the audit log shows no violations over a full deployment cycle. Update CI pipelines to block deployments that violate the target level.
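The skew check from the paragraph above, as an added example that is not code from the Kubernetes project: a small checker that compares an inventory of component versions against the 1.25 version skew policy (kubelet and kube-proxy at most two minors behind kube-apiserver and never ahead, kube-controller-manager, kube-scheduler and cloud-controller-manager at most one behind, kubectl within one minor either way). The inventories are constructed for the example; the kubelet allowance widened to three minors in 1.28, so the table is specific to this release line.

```python
"""Check component versions against the Kubernetes 1.25 version skew policy.

Minor-version skew is measured relative to kube-apiserver: a component may be
at most `older` minors behind it and `newer` minors ahead of it. The kubelet
and kube-proxy allowance widened to three minors in 1.28, so this table is for
1.25-era clusters only.
"""
import re

SKEW = {  # component: (minors older allowed, minors newer allowed)
    "kubelet": (2, 0),
    "kube-proxy": (2, 0),
    "kube-controller-manager": (1, 0),
    "kube-scheduler": (1, 0),
    "cloud-controller-manager": (1, 0),
    "kubectl": (1, 1),
}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def minor_of(version):
    """'v1.25.3' -> (1, 25); a vendor suffix such as '-eks-1' is ignored."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def skew_violations(apiserver, inventory):
    """inventory maps component name -> list of versions observed in the cluster.
    Returns one message per version outside the allowed skew (empty = compliant)."""
    api_major, api_minor = minor_of(apiserver)
    problems = []
    for component, versions in inventory.items():
        if component not in SKEW:
            raise KeyError(f"no skew rule for {component}")
        older_ok, newer_ok = SKEW[component]
        for v in versions:
            major, minor = minor_of(v)
            delta = minor - api_minor
            if major != api_major or delta > newer_ok or -delta > older_ok:
                problems.append(f"{component} {v} is outside the allowed skew for "
                                f"kube-apiserver {apiserver} (at most {older_ok} "
                                f"behind, {newer_ok} ahead)")
    return problems


# Constructed inventories: a cluster part-way through a 1.24 -> 1.25 rollout
# (compliant), and one that must not upgrade the apiserver yet.
INVENTORY_OK = {
    "kubelet": ["v1.25.2", "v1.24.8", "v1.23.12-eks-1"],
    "kube-controller-manager": ["v1.25.2"],
    "kube-scheduler": ["v1.25.2"],
    "kubectl": ["v1.26.0", "v1.24.3"],
}
INVENTORY_BAD = {
    "kubelet": ["v1.22.5", "v1.26.0"],   # three behind, and ahead of the apiserver
    "kube-scheduler": ["v1.26.0"],       # control plane must never lead the apiserver
    "kubectl": ["v1.27.0"],              # two minors ahead
}

if __name__ == "__main__":
    for label, inventory in (("ok", INVENTORY_OK), ("bad", INVENTORY_BAD)):
        print(label, skew_violations("v1.25.2", inventory) or "within policy")
```

Run it twice: once with the current apiserver version to confirm the fleet is consistent today, and once with the target version (v1.25.x) to list the nodes and clients that must move before or immediately after the control plane.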
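The PSP-to-Pod-Security-Standards mapping from the "Security and policy implications" section and the audit-before-enforce rollout just described, as one added example (not code from the Kubernetes project; the real checks live in the PodSecurity admission plugin): an offline evaluation of a pod spec against a subset of the baseline and restricted profiles, so workloads can be classified before a namespace is labelled, plus the namespace labels for a staged rollout. The checks follow the published standards but cover only host namespaces, hostPath and other volume types, privileged, hostPort, capabilities, seccomp, allowPrivilegeEscalation, runAsNonRoot and runAsUser (procMount, sysctls and AppArmor are omitted); the two pod specs are constructed for the example.

```python
"""Offline check of a pod spec against a subset of the baseline and restricted
Pod Security Standards, mirroring what PodSecurity admission will report once
the namespace is labelled. Not covered: procMount, sysctls, AppArmor."""

# Capabilities a baseline pod may add; restricted allows only NET_BIND_SERVICE
# on top of an explicit drop: ["ALL"].
BASELINE_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}


def _effective(spec, container, field):
    """securityContext field as the kubelet resolves it: container overrides pod."""
    own = container.get("securityContext") or {}
    if field in own:
        return own[field]
    return (spec.get("securityContext") or {}).get(field)


def _containers(spec):
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def baseline_violations(spec):
    """Checks a 'baseline' namespace enforces (known privilege escalations)."""
    found = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            found.append(f"{ns}=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol.get('name')} uses hostPath")
    for c in _containers(spec):
        name, own = c.get("name", "?"), c.get("securityContext") or {}
        if own.get("privileged"):
            found.append(f"container {name}: privileged")
        for port in c.get("ports", []):
            if port.get("hostPort"):
                found.append(f"container {name}: hostPort {port['hostPort']}")
        extra = set((own.get("capabilities") or {}).get("add", [])) - BASELINE_ADD
        if extra:
            found.append(f"container {name}: adds {sorted(extra)}")
        if (_effective(spec, c, "seccompProfile") or {}).get("type") == "Unconfined":
            found.append(f"container {name}: seccompProfile Unconfined")
    return found


def restricted_violations(spec):
    """Baseline checks plus the hardening 'restricted' requires to be explicit."""
    found = baseline_violations(spec)
    for vol in spec.get("volumes", []):
        kinds = set(vol) - {"name"}
        if "hostPath" not in vol and not kinds <= RESTRICTED_VOLUMES:
            found.append(f"volume {vol.get('name')} type {sorted(kinds)} not allowed")
    for c in _containers(spec):
        name, own = c.get("name", "?"), c.get("securityContext") or {}
        caps = own.get("capabilities") or {}
        if own.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {name}: allowPrivilegeEscalation must be false")
        if "ALL" not in caps.get("drop", []):
            found.append(f"container {name}: must drop ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"container {name}: may only add NET_BIND_SERVICE")
        if _effective(spec, c, "runAsNonRoot") is not True:
            found.append(f"container {name}: runAsNonRoot must be true")
        if _effective(spec, c, "runAsUser") == 0:
            found.append(f"container {name}: runAsUser 0")
        seccomp = (_effective(spec, c, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {name}: seccompProfile must be RuntimeDefault or Localhost")
    return found


def namespace_labels(enforce, audit=None, warn=None, version="v1.25"):
    """Labels that switch PodSecurity admission on for a namespace. For a staged
    rollout, audit/warn at the target level with enforce one level looser."""
    labels = {"pod-security.kubernetes.io/enforce": enforce,
              "pod-security.kubernetes.io/enforce-version": version}
    for mode, level in (("audit", audit), ("warn", warn)):
        if level:
            labels[f"pod-security.kubernetes.io/{mode}"] = level
            labels[f"pod-security.kubernetes.io/{mode}-version"] = version
    return labels


# Constructed examples: a PSP-era node agent, and a workload hardened for 'restricted'.
LEGACY_AGENT = {"spec": {
    "hostNetwork": True,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "agent", "securityContext": {
        "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
HARDENED_APP = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "app", "ports": [{"containerPort": 8080}],
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("legacy agent", LEGACY_AGENT), ("hardened app", HARDENED_APP)):
        print(label, "baseline:", baseline_violations(pod["spec"]) or "ok")
        print(label, "restricted:", restricted_violations(pod["spec"]) or "ok")
    print(namespace_labels("baseline", audit="restricted", warn="restricted"))
```

The legacy agent fails baseline on four counts and therefore belongs in a dedicated privileged namespace rather than in the migration; the hardened app passes restricted, which is the level its namespace should audit and warn at before enforce is raised from baseline.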
Developer experience and extensibility
CustomResourceDefinition (CRD) authors gain new capabilities in 1.25. Common Expression Language (CEL) validation rules enter beta (feature gate CustomResourceValidationExpressions, on by default), allowing developers to express field-level and cross-field constraints as x-kubernetes-validations entries directly within the CRD's OpenAPI schema, each with a rule and an optional message.1 This reduces reliance on bespoke validating admission webhooks, which must be hosted, patched, and kept highly available, and whose failure policy otherwise decides whether an outage blocks or bypasses validation. Rules are evaluated under a cost budget, so expressions that iterate over unbounded lists must declare maxItems or the CRD is rejected at creation. Controller authors should pin client-go and the apimachinery modules to the v0.25 release line.
The release also advances kube-apiserver encryption at rest. KMS v2 envelope encryption arrives as alpha (feature gate KMSv2, provider apiVersion v2 in the EncryptionConfiguration) with a redesigned plugin gRPC API whose goals include fewer round trips to the external KMS, a key_id that lets the server detect key rotation, and a Status call for health checks.2 Operators using external KMS providers should keep the v1 provider in production until their plugin supports v2 and exercise the v2 path in non-production clusters first.
Operations, observability, and testing
Kubernetes 1.25 continues the structured logging migration and changes a number of component metrics. Operators should compare the metric names and labels their dashboards depend on (for example kubelet histograms such as kubelet_cgroup_manager_duration_seconds) against the 1.25 changelog and adjust alerting thresholds where histograms or label sets changed.2
Upgrade testing should include conformance suites (sonobuoy), workload smoke tests, and network policy validation. Pay particular attention to workloads using host networking, privileged DaemonSets, or deprecated API versions. Validate backup and restore of persistent volumes, especially for volumes that CSI migration now serves through a CSI driver. Review RBAC: roles that grant the use verb on podsecuritypolicies become dead rules, and any automation that creates or binds PSPs fails once the resource no longer exists.
Action checklist
- Policy migration: Translate PodSecurityPolicy configurations to PodSecurity admission labels or alternative policy engines; run audit mode before enforcement.
- API inventory: Scan manifests and Helm charts for removed or deprecated API versions and update them to supported GA versions.
- Driver readiness: Validate CSI driver deployments (Azure Disk/File, in-tree migrations) and ensure node images include required components.
- Upgrade rehearsal: Execute blue/green or rolling upgrade simulations in staging clusters, capturing rollback plans and verifying workload health checks.
- Documentation updates: Refresh runbooks, SRE checklists, and onboarding materials to reflect 1.25 operational changes, including new metrics and debugging tools.
Sources
- 1 Kubernetes Blog: Kubernetes 1.25 Release – Combiner.
- 2 Kubernetes v1.25 release notes and deprecation guide.
Zeph Tech helps platform teams plan Kubernetes 1.25 upgrades, policy migrations, and reliability testing.