Kubernetes 1.23: The Next Frontier of Stability and Extensibility

Introduction

On December 7, 2021, the Kubernetes project announced version 1.23, codenamed “The Next Frontier”.
This release focused on stability, security, and extensibility, bringing key features like PodSecurity Admission, dual-stack networking GA, and major CSI storage improvements.


Official Highlights

1. PodSecurity Admission (Alpha)

With PodSecurityPolicy (PSP) officially deprecated in 1.21, Kubernetes 1.23 introduced PodSecurity Admission, a new mechanism designed to replace PSP with a simpler and more consistent model.
It allowed namespaces to enforce predefined security profiles — Privileged, Baseline, and Restricted — with better usability and observability.

Key advantages over PSP:

  • Namespace-scoped: Policies apply at the namespace level, making them easier to understand and manage
  • Standard profiles: Three predefined profiles provide clear security postures without complex policy definitions
  • Better performance: No complex RBAC requirements or performance overhead
  • Clearer semantics: Explicit enforcement modes (enforce, audit, warn) provide predictable behavior

Security profiles:

  • Privileged: Unrestricted policy, provides widest range of permissions (equivalent to running without restrictions)
  • Baseline: Minimally restrictive policy, prevents known privilege escalations while allowing common workloads
  • Restricted: Highly restrictive policy, follows current Pod hardening best practices

Configuration example:

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Enforcement modes:

  • enforce: Policy violations cause the pod to be rejected
  • audit: Policy violations are logged but pods are allowed
  • warn: Policy violations trigger user-facing warnings but pods are allowed
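
As an added example (not code from the Kubernetes project or from this page), the following Python script models how the three enforcement modes act on a pod spec, checking a hand-picked subset of the Baseline and Restricted controls; the two sample pod specs and the namespace label set are constructed for the demonstration.

```python
# Added example, not code from the Kubernetes project: an offline approximation of how PodSecurity
# Admission applies a namespace's labels to a pod. Only a subset of Baseline/Restricted is checked.
LABEL = "pod-security.kubernetes.io/"

def baseline_violations(pod):
    """Baseline subset: no host namespaces, no hostPath volumes, no privileged containers."""
    spec = pod["spec"]
    out = [f"{k}=true is not allowed" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    out += [f"volume {v['name']!r} uses hostPath" for v in spec.get("volumes", []) if "hostPath" in v]
    out += [f"container {c['name']!r} is privileged" for c in spec["containers"]
            if c.get("securityContext", {}).get("privileged")]
    return out

def restricted_violations(pod):
    """Baseline plus Restricted hardening: no privilege escalation, drop ALL, non-root, seccomp."""
    pod_sc, out = pod["spec"].get("securityContext", {}), baseline_violations(pod)
    for c in pod["spec"]["containers"]:
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"container {name!r} must set allowPrivilegeEscalation=false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append(f"container {name!r} must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"container {name!r} adds capabilities other than NET_BIND_SERVICE")
        # Container-level fields override the pod-level securityContext, as in the real profile.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"container {name!r} must set runAsNonRoot=true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"container {name!r} needs a RuntimeDefault or Localhost seccomp profile")
    return out

CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations,
          "restricted": restricted_violations}

def admit(namespace_labels, pod):
    """enforce decides admission; audit and warn only report (a missing label means privileged)."""
    result = {mode: CHECKS[namespace_labels.get(LABEL + mode, "privileged")](pod)
              for mode in ("enforce", "audit", "warn")}
    result["allowed"] = not result["enforce"]
    return result

# Constructed samples: an unhardened pod and the same pod hardened for the Restricted profile.
UNHARDENED = {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}
HARDENED = {"spec": {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "nginx", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
PRODUCTION = {LABEL + m: "restricted" for m in ("enforce", "audit", "warn")}
```

Running `admit(PRODUCTION, UNHARDENED)` rejects the pod with four Restricted findings, while a namespace carrying only the audit label lets the same pod through and records the findings instead.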

Migration from PSP:

  • PSP users should evaluate their policies and map them to appropriate Pod Security profiles
  • The Kubernetes documentation provides migration guides and tools
  • Pod Security Admission will graduate to beta in 1.24 and GA in 1.25

“PodSecurity Admission offers a practical path forward after PSP, designed with simplicity and safety in mind.”
— Kubernetes SIG Auth Team


2. Dual-Stack Networking (GA)

IPv4/IPv6 Dual-Stack Networking graduated to General Availability, enabling pods and services to use both IPv4 and IPv6 addresses simultaneously.
This made Kubernetes more adaptable to large, modern networks and hybrid infrastructures.

Key capabilities:

  • Dual-stack pods: Pods can have both IPv4 and IPv6 addresses assigned
  • Dual-stack services: Services can expose both IPv4 and IPv6 endpoints
  • Network policy support: Network policies work with both IP families
  • CNI compatibility: Works with CNI plugins that support dual-stack

Use cases:

  • IPv6 migration: Gradual migration from IPv4 to IPv6 while maintaining compatibility
  • Hybrid networks: Integration with IPv6-only or dual-stack network infrastructure
  • Compliance: Meeting requirements for IPv6 support in government and enterprise environments
  • Scalability: IPv6’s larger address space supports larger clusters and more pods

Configuration:

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ipFamilyPolicy: RequireDualStack
  ipFamilies:
  - IPv4
  - IPv6
  selector:
    app: my-app
  ports:
  - port: 80

Requirements:

  • CNI plugin must support dual-stack networking
  • Cluster networking must be configured for dual-stack
  • Node networking must support both IP families
  • Cloud providers may have specific requirements for dual-stack support

3. CSI Storage Updates

Kubernetes 1.23 brought numerous improvements to Container Storage Interface (CSI):

  • Volume snapshot and resizing functionality: Further stabilization of volume snapshot and resize operations, providing more reliable backup and restore workflows. The VolumeSnapshot API continued to mature, enabling consistent snapshot management across different storage providers.

  • CSI Migration for Azure Disk and vSphere (GA): The in-tree storage plugins for Azure Disk and vSphere were fully migrated to CSI drivers, completing the migration for these major cloud providers. This enables:

    • Better feature parity with cloud-native storage features
    • Improved performance and reliability
    • Easier maintenance and updates
    • Consistent storage interface across providers
  • Ephemeral Volumes (CSI-driven): Improved support for CSI ephemeral volumes, enabling storage drivers to provide volumes that are tied to pod lifecycle. This is particularly useful for:

    • Temporary storage that doesn’t need to persist
    • Cache volumes that can be recreated
    • Workloads that need fast, local storage

CSI Migration status:

  • GA: AWS EBS, Azure Disk, vSphere
  • Beta: GCE PD (graduated to GA in later releases)
  • In progress: Other in-tree plugins

Benefits of CSI migration:

  • Storage features can be developed and released independently of Kubernetes
  • Better support for cloud-specific storage features
  • Improved performance and reliability
  • Easier maintenance and bug fixes

4. Workload and API Enhancements

  • Horizontal Pod Autoscaler v2 (HPA v2) GA: The v2 API for HPA graduated to stable, providing improved scaling accuracy and better support for custom metrics. HPA v2 supports:

    • Multiple metrics (CPU, memory, custom metrics, external metrics)
    • Scaling policies with configurable behavior
    • Better integration with metrics APIs
    • Improved scaling decisions based on multiple factors

    Example HPA v2 configuration:

    apiVersion: autoscaling/v2
    kind: HorizontalPodAutoscaler
    metadata:
      name: my-app-hpa
    spec:
      scaleTargetRef:
        apiVersion: apps/v1
        kind: Deployment
        name: my-app
      minReplicas: 2
      maxReplicas: 10
      metrics:
      - type: Resource
        resource:
          name: cpu
          target:
            type: Utilization
            averageUtilization: 70
      - type: Resource
        resource:
          name: memory
          target:
            type: Utilization
            averageUtilization: 80
      behavior:
        scaleDown:
          stabilizationWindowSeconds: 300
          policies:
          - type: Percent
            value: 50
            periodSeconds: 60
    
  • Job and CronJob controller performance enhancements: Improved handling of large numbers of jobs, better cleanup of completed jobs, and more efficient scheduling of cron jobs. The CronJob controller rewrite from 1.21 continued to mature, providing better reliability for scheduled workloads.

  • kubectl events command: New kubectl events command provides better visibility into Kubernetes events, making it easier to troubleshoot issues and understand resource lifecycle:

    kubectl events --for pod/my-pod --sort-by='.lastTimestamp'
    kubectl events --field-selector involvedObject.kind=Pod
    
  • Structured logging (Alpha): Continued advancement of structured logging across Kubernetes components, enabling better log parsing, filtering, and analysis. This improves observability and integration with log aggregation systems like ELK, Splunk, and Loki.
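
As an added example (not code from the Kubernetes project or from this page), the following Python script models how the my-app-hpa manifest above turns utilization readings into a replica count, including the scaleDown stabilization window and the 50% Percent policy; the utilization readings in the script are constructed.

```python
# Added example, not code from the Kubernetes project: a pure-Python model of how the HPA v2
# manifest above turns utilization readings into a replica count, following the documented
# algorithm (ceil(current * usage/target) per metric, max across metrics, 10% tolerance) and
# its scaleDown behavior. Unready pods, missing metrics and earlier scale events are ignored.
import math

TOLERANCE = 0.1  # controller default: a usage/target ratio within +/-10% leaves replicas as they are

def recommend(current_replicas, readings, targets):
    """readings/targets map metric name -> averageUtilization; returns the largest per-metric
    proposal, which is how the controller combines multiple metrics."""
    proposals = []
    for name, usage in readings.items():
        ratio = usage / targets[name]
        proposals.append(current_replicas if abs(ratio - 1) <= TOLERANCE
                         else math.ceil(current_replicas * ratio))
    return max(proposals, default=current_replicas)

def scale_down_floor(current_replicas, policies):
    """Lowest replica count the scaleDown policies allow in one period: a Percent policy keeps
    ceil(current * (1 - value/100)) pods, a Pods policy keeps current - value; with the default
    selectPolicy (Max) the most permissive policy, i.e. the lowest floor, wins."""
    floors = [math.ceil(current_replicas * (1 - p["value"] / 100)) if p["type"] == "Percent"
              else current_replicas - p["value"] for p in policies]
    return min(floors, default=0)

def desired_replicas(hpa, current_replicas, readings, window_recommendations=()):
    """window_recommendations: recommendations made within stabilizationWindowSeconds.
    A scale-down uses the highest of them, so a brief dip does not shrink the deployment,
    is then capped by the scaleDown policies, and finally clamped to min/max replicas."""
    rec = recommend(current_replicas, readings, hpa["targets"])
    if rec < current_replicas:
        rec = max([rec, *window_recommendations])
        rec = max(rec, scale_down_floor(current_replicas, hpa["behavior"]["scaleDown"]["policies"]))
    return min(max(rec, hpa["minReplicas"]), hpa["maxReplicas"])

# The my-app-hpa manifest from the page, reduced to the fields the model needs.
HPA = {"minReplicas": 2, "maxReplicas": 10, "targets": {"cpu": 70, "memory": 80},
       "behavior": {"scaleDown": {"stabilizationWindowSeconds": 300,
                                  "policies": [{"type": "Percent", "value": 50, "periodSeconds": 60}]}}}

if __name__ == "__main__":
    # Constructed readings: 10 replicas, load collapses to 20% CPU / 30% memory.
    print(desired_replicas(HPA, 10, {"cpu": 20, "memory": 30}))        # 5: policy caps the drop at 50%
    print(desired_replicas(HPA, 10, {"cpu": 20, "memory": 30}, [8]))   # 8: stabilization window wins
```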


5. Developer and Operator Quality of Life

  • Go 1.17 became the minimum required version, bringing improved performance, better error handling, and modern language features. This enables:

    • Better build performance and smaller binaries
    • Improved security with updated standard library
    • Modern Go features for Kubernetes development
    • Alignment with Go ecosystem best practices
  • Extended test coverage and documentation: Comprehensive improvements to Kubernetes documentation, including:

    • Better migration guides for deprecated features
    • Enhanced API reference documentation
    • Improved troubleshooting guides
    • More examples and best practices
  • Enhanced error messages and defaults: Better error messages across kubectl and API layers provide:

    • Clearer guidance on how to fix issues
    • Better validation error messages
    • Improved default configurations
    • More helpful warnings and suggestions

Additional improvements:

  • kubectl improvements: Better command completion, improved output formatting, and enhanced plugin support
  • API improvements: Better validation, clearer error responses, and improved API documentation
  • Operator tooling: Enhanced support for building and maintaining Kubernetes operators
  • Testing tools: Improved testing frameworks and tools for validating Kubernetes configurations

Milestones Timeline

Date          Event
Dec 7, 2021   Kubernetes 1.23 officially released
Jan 2022      PodSecurity Admission rollout begins
Mid 2022      Dual-Stack Networking widely adopted in production

Patch Releases for 1.23

Patch releases (1.23.x) focused on performance optimization, API stability, and operator experience.

Patch Version   Release Date    Notes
1.23.0          2021-12-07      Initial release
1.23.1+         various dates   Security and bug fixes, stability improvements

Legacy and Impact

Kubernetes 1.23 represented the final step in the PSP deprecation journey and the maturity of dual-stack networking, both critical for production-grade Kubernetes clusters.
By introducing PodSecurity Admission and enhancing CSI, this release reinforced Kubernetes as a flexible, scalable, and secure orchestration platform ready for complex enterprise workloads.


Summary

Aspect            Description
Release Date      December 7, 2021
Key Innovations   PodSecurity Admission, Dual-Stack GA, CSI improvements, HPA v2 GA
Significance      Cemented Kubernetes’ maturity in networking, security, and extensibility

Next in the Series

Next up: Kubernetes 1.24 (May 2022) — the release that finally removed Dockershim, improved security defaults, and further evolved storage and auth subsystems.