Solutions
Audit & Optimization Platform Design Automation Team Structure
Documentation Blog
Get Started
Kubernetes Releases 2021

Kubernetes 1.22: Major API Removals and Security Enhancements

K8s Guru
5 min read
#kubernetes #1.22 #release #api #removals #seccomp #client-go #SSA #server-side-apply #ephemeral-containers #api-priority-fairness #go-1.16
Kubernetes 1.22: Major API Removals and Security Enhancements

Table of Contents

Introduction

On August 4, 2021, the Kubernetes team announced version 1.22, one of the most significant releases in the project’s history.
It contained 53 enhancements — 13 graduated to stable, 24 moved to beta, and 16 newly introduced as alpha — but most notably, this version brought major API removals, modernization of client libraries, and several important security and reliability updates.

Official Highlights

1. Major API Removals

Kubernetes 1.22 marked a key cleanup milestone by removing several long-deprecated APIs that had been superseded in earlier releases.
Among the most important removals were:

  • Ingress v1beta1 → networking.k8s.io/v1: The Ingress API graduated to v1, providing stable ingress configuration. Migration requires updating API versions in manifests and ensuring ingress controllers support v1.

  • PodSecurityPolicy → Deprecated (pending removal): While not removed in 1.22, PSP was marked for removal in 1.25. Users must migrate to Pod Security Admission or alternative policy engines.

  • ValidatingWebhookConfiguration / MutatingWebhookConfiguration v1beta1 → admissionregistration.k8s.io/v1: Admission webhook configurations moved to v1, requiring updates to webhook definitions and controllers.

  • CustomResourceDefinition v1beta1 → apiextensions.k8s.io/v1: CRDs moved to v1, requiring updates to CRD definitions and any tools that create or manage CRDs.

Migration impact:

  • Tools and controllers using deprecated APIs must be updated
  • Manifests using old API versions will fail to apply
  • Cluster operators need to audit and update all API references
  • Some third-party tools may require updates to support new API versions

Migration tools:

  • kubectl convert can help migrate some resources (though deprecated in 1.22)
  • API migration guides available in Kubernetes documentation
  • Most cloud providers and distributions provided migration tooling

“This release was about finishing what we started years ago — cleaning up Kubernetes for the future.”
— Kubernetes 1.22 Release Team

2. client-go v1.22 and Go 1.16

Kubernetes 1.22 required Go 1.16 and introduced a major update to client-go, aligning API clients with modern Go module management and security best practices.
This brought more predictable dependency resolution for developers building tools and operators.

Key improvements:

  • Go modules: Full support for Go modules with better version management
  • Dependency resolution: More predictable and secure dependency resolution
  • API compatibility: Better alignment between client-go and Kubernetes API versions
  • Performance: Improved client performance and reduced memory usage
  • Security: Updated dependencies with security patches and modern cryptographic libraries

Impact on developers:

  • Operators and controllers built with older client-go versions may need updates
  • Go 1.16+ required for building Kubernetes components
  • Better support for vendoring and dependency management
  • Improved compatibility with modern Go tooling

3. Server-Side Apply (SSA) GA

The long-awaited Server-Side Apply feature graduated to General Availability.
It allows Kubernetes to track field ownership for declarative configuration, improving GitOps workflows and avoiding “last-write wins” issues during object updates.

Key benefits:

  • Field ownership tracking: Kubernetes tracks which tool or user last applied each field, enabling conflict resolution
  • Merge strategies: Supports strategic merge patches with better conflict detection
  • GitOps compatibility: Works seamlessly with tools like Argo CD, Flux, and kubectl apply
  • Cooperative editing: Multiple controllers and users can modify different fields of the same object without conflicts

Usage:

kubectl apply --server-side -f deployment.yaml

How it works:

  • Each field in an object can be “owned” by a specific manager (identified by a manager name)
  • When applying changes, SSA merges fields based on ownership, preventing accidental overwrites
  • Conflicts are detected and reported when multiple managers try to modify the same field
  • This enables true declarative configuration management where multiple tools can collaborate

Impact on GitOps:

  • Eliminates the need for kubectl replace operations
  • Prevents configuration drift between Git and cluster state
  • Enables better collaboration between automated tools and human operators

4. Seccomp Defaulting and Security Improvements

  • Seccomp (Secure Computing Mode) moved to Beta, making it easier to apply secure-by-default profiles to Pods. This feature allows cluster administrators to set default seccomp profiles at the node or pod level, reducing the attack surface without requiring application changes. The default RuntimeDefault profile provides a good balance between security and compatibility.

  • Kubelet Credential Providers were improved for cloud provider integrations, enabling more secure and flexible authentication mechanisms for pulling container images from cloud registries. This reduces the need for static credentials and improves security posture.

  • Ephemeral containers (Beta) became more stable for debugging live workloads. This feature allows operators to temporarily add debugging containers to running pods without restarting them, significantly improving troubleshooting capabilities:

# Example: Add ephemeral debug container
kubectl alpha debug -it <pod-name> --image=busybox --target=<container-name>

Security improvements:

  • Seccomp profiles can now be applied via Pod Security Standards
  • AppArmor and SELinux support improvements
  • Enhanced network policy enforcement
  • Better RBAC integration for security contexts

5. API Priority and Fairness (GA)

The API Priority and Fairness feature — responsible for ensuring fair request handling — reached General Availability, improving API server reliability under heavy load.

Milestones Timeline

DateEvent
Aug 4, 2021Kubernetes 1.22 officially released
Aug–Sept 2021API deprecations and removals enforced
Late 2021SSA and Seccomp adopted broadly by enterprises

Patch Releases for 1.22

Patch releases (1.22.x) focused on migration support, security patches, and bug fixes.

Patch VersionRelease DateNotes
1.22.02021-08-04Initial release
1.22.1+various datesStability and migration patches

Legacy and Impact

Kubernetes 1.22 was a transformational release, marking a cleanup and modernization phase for the entire project.
It enforced a more stable, secure API ecosystem while simplifying the developer experience with Server-Side Apply GA and client-go modernization.
This release signaled that Kubernetes was ready for the next decade of cloud-native evolution.

Summary

AspectDescription
Release DateAugust 4, 2021
Key InnovationsAPI removals, Server-Side Apply GA, Seccomp improvements, client-go v1.22
SignificanceA modernization and cleanup release ensuring long-term maintainability

Next in the Series

Next up: Kubernetes 1.23 (December 2021) — introducing PodSecurity Admission, dual-stack networking GA, and enhanced scheduler performance.