Kubernetes 1.21: PodSecurityPolicies Deprecation and Stability Advancements

Introduction
On April 8, 2021, Kubernetes version 1.21 was released, marking a milestone in security, stability, and predictability.
The release included 50 enhancements — 15 graduating to stable (GA), 19 to beta, and 16 newly introduced as alpha.
It emphasized reliability, safe deprecations, and improved user experience across APIs and workloads.
Official Highlights
1. PodSecurityPolicy (PSP) Deprecated
The long-used PodSecurityPolicy (PSP) feature was officially deprecated in Kubernetes 1.21, with removal planned for Kubernetes 1.25.
This move prepared for a new, simpler and more consistent Pod Security Admission model to replace PSP in future releases.
Why PSP was deprecated:
- Complex RBAC requirements made it difficult to use correctly
- Performance issues with large numbers of policies
- Confusing semantics around policy application and precedence
- Limited namespace-scoped enforcement capabilities
Migration path:
- PSP will continue to work in 1.21 and 1.22 but will be removed in 1.25
- Users should migrate to Pod Security Admission (introduced in 1.23) or alternative policy engines like Kyverno or Gatekeeper
- The Kubernetes documentation provides migration guides and tools to help with the transition
“PSP served its purpose but was hard to use and maintain. A better, more consistent model is coming.”
— Kubernetes SIG Auth Team
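To make the migration path concrete, here is an added example (not code from the Kubernetes project or from this post): a small heuristic that reads a PodSecurityPolicy spec and proposes the nearest Pod Security Standards level together with the namespace labels that Pod Security Admission reads. The three-way mapping, the sample PSP spec and the "warn one level stricter" convention are this example's own assumptions.

```python
# Added example (not from the Kubernetes project or the original post): a
# heuristic that reads a PodSecurityPolicy spec and proposes the closest Pod
# Security Standards level plus the namespace labels Pod Security Admission
# reads. Assumption: the mapping is a conservative approximation only.

# Capabilities the "baseline" standard lets a container add.
BASELINE_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}
# Volume types the "restricted" standard allows (baseline only bans hostPath).
RESTRICTED_VOLUMES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
STRICTER = {"privileged": "baseline", "baseline": "restricted",
            "restricted": "restricted"}

def psa_level(spec: dict) -> str:
    """Map a PSP spec dict to 'privileged', 'baseline' or 'restricted'."""
    caps = set(spec.get("allowedCapabilities") or [])
    vols = set(spec.get("volumes") or [])
    host_access = any(spec.get(k) for k in
                      ("privileged", "hostNetwork", "hostPID", "hostIPC"))
    # Anything baseline forbids pushes the whole policy to privileged.
    if host_access or not caps <= BASELINE_ADD_CAPS or vols & {"*", "hostPath"}:
        return "privileged"
    non_root = (spec.get("runAsUser") or {}).get("rule") == "MustRunAsNonRoot"
    if (non_root and spec.get("allowPrivilegeEscalation") is False
            and "ALL" in (spec.get("requiredDropCapabilities") or [])
            and caps <= {"NET_BIND_SERVICE"} and vols <= RESTRICTED_VOLUMES):
        return "restricted"
    return "baseline"

def namespace_labels(level: str) -> dict:
    """Enforce at the mapped level; warn and audit one level stricter so
    teams see what a future tightening would reject before it is enforced."""
    p = "pod-security.kubernetes.io/"
    return {p + "enforce": level, p + "warn": STRICTER[level],
            p + "audit": STRICTER[level]}

# Constructed sample: a typical "restricted"-style PSP spec.
SAMPLE_PSP_SPEC = {
    "privileged": False, "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "volumes": ["configMap", "emptyDir", "secret", "persistentVolumeClaim"],
}
```

The returned labels can be applied to a namespace with `kubectl label ns <name> ...` once the cluster runs a version with Pod Security Admission.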
2. Graceful Node Shutdown (GA)
Graceful Node Shutdown became generally available (GA), enabling nodes to properly terminate pods during OS shutdowns.
This feature improved cluster resilience and workload consistency, reducing data loss and service disruption during planned maintenance.
How it works:
- When a node receives a shutdown signal, the kubelet sets a condition indicating the node is shutting down
- Pods are given a grace period (configurable via `shutdownGracePeriod` and `shutdownGracePeriodCriticalPods`) to terminate gracefully
- Critical pods (with `priorityClassName` set to a priority class with `preemptionPolicy: Never`) receive extended grace periods
- The kubelet stops accepting new pods and begins evicting existing pods in priority order
Configuration example:
```yaml
# kubelet configuration (KubeletConfiguration file passed via --config)
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
shutdownGracePeriod: 30s              # total time the node waits before shutting down
shutdownGracePeriodCriticalPods: 10s  # portion of that time reserved for critical pods
```
This feature is particularly valuable for:
- Planned maintenance windows
- Node reboots for security patches
- Cluster scaling operations
- Cloud provider instance termination
3. Immutable Secrets and ConfigMaps (GA)
Immutable Secrets and ConfigMaps also graduated to GA, allowing administrators to mark resources as unchangeable after creation.
This feature provides several key benefits:
- Performance improvements: Immutable resources are never watched for changes, reducing API server load and improving scalability
- Security: Prevents accidental or malicious modifications to critical configuration data
- Predictability: Ensures configuration consistency across pod restarts and updates
To mark a Secret or ConfigMap as immutable, set the `immutable: true` field:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
immutable: true
data:
  password: <base64-encoded>
```
Once marked immutable, the resource cannot be modified and must be deleted and recreated to make changes.
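As an added example (not code from the Kubernetes project or from this post), the check below reproduces on plain dicts the update rule the API server applies to an immutable Secret or ConfigMap, and pairs it with the create-under-a-new-name pattern that "delete and recreate" implies in practice. It assumes the upstream validation behaviour (once `immutable` is true, `data`/`binaryData` and the flag itself are frozen while metadata stays editable); the content-hash name suffix is this example's own convention, modelled on kustomize-style generators.

```python
# Added example (not from the Kubernetes project or the original post): the
# update check the API server applies to an immutable Secret or ConfigMap,
# reimplemented on plain dicts, plus the create-under-a-new-name pattern that
# "delete and recreate" implies in practice. Assumptions: per upstream
# validation, once `immutable` is true the data/binaryData keys and the flag
# itself are frozen while metadata stays editable; the content-hash name
# suffix is this example's convention, modelled on kustomize generators.
import base64
import hashlib
import json


def immutable_update_errors(old: dict, new: dict) -> list:
    """Errors an update from `old` to `new` would hit (empty list = allowed)."""
    errors = []
    if not old.get("immutable"):
        return errors                 # still mutable: any change is accepted
    if not new.get("immutable"):
        errors.append("immutable: cannot be unset once true")
    for field in ("data", "binaryData"):
        if old.get(field, {}) != new.get(field, {}):
            errors.append(f"{field}: field is immutable when `immutable` is set")
    return errors


def replacement(base_name: str, kind: str, data: dict) -> dict:
    """Object to create instead of updating: base name plus a short content
    hash, so each new value gets a new name that workloads are repointed to."""
    digest = hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()
    return {"apiVersion": "v1", "kind": kind, "immutable": True,
            "metadata": {"name": f"{base_name}-{digest[:10]}"}, "data": data}


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample objects (placeholder values, not real credentials).
OLD = {"apiVersion": "v1", "kind": "Secret", "immutable": True,
       "metadata": {"name": "my-secret"}, "data": {"password": b64("old-value")}}
CHANGED = dict(OLD, data={"password": b64("new-value")})
RELABELED = dict(OLD, metadata={"name": "my-secret", "labels": {"team": "a"}})
UNFROZEN = dict(OLD, immutable=False)

if __name__ == "__main__":
    print(immutable_update_errors(OLD, CHANGED))    # data change rejected
    print(immutable_update_errors(OLD, RELABELED))  # [] : labels still editable
    print(replacement("my-secret", "Secret", CHANGED["data"])["metadata"]["name"])
```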
4. CronJobs to GA
The CronJob controller graduated to General Availability, ensuring stable scheduling for time-based workloads and improving reliability of recurring tasks.
5. API and Runtime Improvements
CSI Volume Health Monitoring (Alpha) introduced new metrics for better observability, allowing operators to detect and respond to volume health issues proactively. This feature enables storage drivers to report volume health status, helping prevent data loss and service disruptions.
PodDisruptionBudget behavior refined for balanced scaling, ensuring that voluntary disruptions respect PDB constraints more accurately during rolling updates and node drains.
Enhanced kubectl alpha debug improved troubleshooting capabilities with ephemeral containers, allowing operators to debug running pods without restarting them. This feature became more stable and gained better integration with container runtimes.
CronJob controller rewrite (Beta) improved reliability and performance for scheduled workloads, with better handling of time zones, missed schedules, and concurrent job execution.
Milestones Timeline
| Date | Event |
|---|---|
| Apr 8, 2021 | Kubernetes 1.21 officially released |
| Mid 2021 | PSP deprecated; Graceful Shutdown GA adoption grows |
| Late 2021 | Immutable resources widely adopted in production |
Patch Releases for 1.21
Patch releases (1.21.x) focused on stability, API compatibility, and security patches.
| Patch Version | Release Date | Notes |
|---|---|---|
| 1.21.0 | 2021-04-08 | Initial release |
| 1.21.1+ | various dates | Maintenance and compatibility patches |
Legacy and Impact
Kubernetes 1.21 represented a turning point in security policy design and operational maturity.
The deprecation of PodSecurityPolicy signaled a cleaner path forward for cluster administrators, while GA features like Graceful Node Shutdown and Immutable Configs enhanced production reliability.
This release was about ensuring Kubernetes remained secure, predictable, and operator-friendly at scale.
Summary
| Aspect | Description |
|---|---|
| Release Date | April 8, 2021 |
| Key Innovations | PodSecurityPolicy deprecation, Graceful Node Shutdown GA, Immutable Configs, CronJobs GA |
| Significance | Focused on stability, security, and operator experience |
Next in the Series
Next up: Kubernetes 1.22 (August 2021) — the release that brought major API removals, client-go v1.22 updates, and new security controls for modern clusters.