# Key Change Notes for Kubernetes 1.28 Version

## Special Notes

- Due to incompatible modifications to the kubeconfig used by CNI in UK8S, the CNI version must not be lower than `1.3.4`.

## Scheduling Logic Optimization

If scheduler plugins are used, adjustments may be required. Refer to [Scheduler Framework Changes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#no-really-you-must-read-this-before-you-upgrade) for details.

## CephFS Deprecation

The in-tree CephFS `kubernetes.io/rbd` driver has been removed. Please use CSI-based plugins like [ceph-csi](https://github.com/ceph/ceph-csi/).

## SecurityContextDeny Deprecation

The `SecurityContextDeny` admission plugin has been deprecated and is replaced by PodSecurity. For details, refer to the official [issue](https://github.com/kubernetes/kubernetes/issues/111516).

## Removal of Seccomp Annotations

[Seccomp](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/135-seccomp) (Secure Computing Mode) reached GA in 1.19, enhancing security by restricting system calls for pods/containers. The Alpha-stage annotations `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io` were deprecated in v1.19 and fully removed in 1.27.

**Recommendation**: Use the `securityContext.seccompProfile` field on the Pod or on its containers.
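
The following is an added example, not code from UK8S or the Kubernetes project: a small Python helper that rewrites a Pod manifest (already parsed into a dict) so the removed annotations become `securityContext.seccompProfile` fields. The function names and the sample manifest are hypothetical; the value mapping assumes the legacy annotation formats `runtime/default`, `docker/default`, `unconfined` and `localhost/<path>`.

```python
import copy

POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"
CTR_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"

def to_profile(value):
    """Translate a legacy annotation value into a seccompProfile dict."""
    if value in ("runtime/default", "docker/default"):
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value.startswith("localhost/") and value != "localhost/":
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unrecognised seccomp annotation value: {value!r}")

def migrate_seccomp(pod):
    """Return a copy of a Pod manifest (dict) with annotations moved to fields."""
    pod = copy.deepcopy(pod)
    annotations = pod.get("metadata", {}).get("annotations") or {}
    spec = pod["spec"]
    by_name = {c["name"]: c for kind in ("initContainers", "containers")
               for c in spec.get(kind, [])}
    for key in sorted(annotations):
        if key == POD_KEY:
            target = spec
        elif key.startswith(CTR_PREFIX):
            name = key[len(CTR_PREFIX):]
            if name not in by_name:
                raise ValueError(f"annotation names unknown container: {name!r}")
            target = by_name[name]
        else:
            continue  # unrelated annotation, leave untouched
        ctx = target.setdefault("securityContext", {})
        # Choice made in this example: a field already set is kept as-is.
        ctx.setdefault("seccompProfile", to_profile(annotations[key]))
        del annotations[key]
    return pod

# Constructed sample manifest (not from the page).
SAMPLE_POD = {
    "metadata": {"name": "demo", "annotations": {
        POD_KEY: "runtime/default",
        CTR_PREFIX + "app": "localhost/profiles/audit.json",
        "team": "payments"}},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1"},
                            {"name": "log", "image": "example.invalid/log:1"}]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(migrate_seccomp(SAMPLE_POD), indent=2))
```

A container with no annotation of its own (`log` in the sample) gets no field and inherits the pod-level profile.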

## Native Sidecar Support

This feature is in **Alpha stage** in 1.28 and requires enabling the feature gate.

It introduces a `restartPolicy` field for init containers, which marks an init container as a sidecar container. When `restartPolicy=Always`, Kubelet starts that init container in sequence with the other init containers, but it does not wait for the container to run to completion; instead, it waits for the container to start up.

For details, see the [official documentation](https://kubernetes.io/blog/2023/08/25/native-sidecar-containers/).

## AdmissionWebhookMatchCondition Default Support for CEL Expressions

This feature is in the Beta phase in 1.28.

It allows the use of CEL expressions to accept or reject requests from the apiserver, serving as an alternative to webhooks. Refer to [CEL](https://kubernetes.io/docs/reference/using-api/cel/#cel-community-libraries) for implementation details.

## API Deprecation

### CSIStorageCapacity

[CSIStorageCapacity](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/) has been promoted to `storage.k8s.io/v1`. The previous `storage.k8s.io/v1beta1` API was deprecated in 1.27.

## Reference Links

For complete changelogs, see:  
- [CHANGELOG 1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1260)  
- [CHANGELOG 1.28](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270)
