Kubernetes 1.24: Removing Dockershim and Strengthening Core Security

Introduction

On May 3, 2022, the Kubernetes project released version 1.24, one of the most influential and security-focused updates in recent years.
This release contained 46 enhancements — 14 graduating to stable (GA), 15 moving to beta, and 13 newly introduced as alpha.
The standout change was the removal of Dockershim, fully completing Kubernetes’ transition to the Container Runtime Interface (CRI).


Official Highlights

1. Dockershim Removed

After being deprecated in Kubernetes 1.20, Dockershim was officially removed in 1.24.
This change does not mean Docker containers stopped working — Kubernetes now communicates directly with runtimes like containerd, CRI-O, and others via the CRI.

“This was the final step toward a truly modular runtime architecture.”
— Kubernetes SIG Node Team

The removal simplified Kubernetes’ internal runtime model, reducing maintenance overhead and improving compatibility with modern container runtimes.

Migration from Dockershim

If you’re still using Docker as your container runtime, you need to migrate to a CRI-compatible runtime before upgrading to Kubernetes 1.24.

Recommended runtimes:

  • containerd (recommended) - Most widely adopted, production-ready
  • CRI-O - Lightweight, OCI-compliant runtime
  • Mirantis Container Runtime - Docker Engine replacement

Migration steps:

  1. Check current runtime:

    kubectl get nodes -o wide
    # Check CONTAINER-RUNTIME column
    
  2. Install containerd (example on Ubuntu/Debian):

    # Load required kernel modules
    cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
    overlay
    br_netfilter
    EOF
    
    sudo modprobe overlay
    sudo modprobe br_netfilter
    
    # Install containerd
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt-get update
    sudo apt-get install -y containerd.io
    
  3. Configure containerd:

    sudo mkdir -p /etc/containerd
    containerd config default | sudo tee /etc/containerd/config.toml
    sudo systemctl restart containerd
    
  4. Update kubelet configuration:

    # Edit /var/lib/kubelet/kubeadm-flags.env
    # Remove: --container-runtime=remote --container-runtime-endpoint=unix:///var/run/dockershim.sock
    # Add: --container-runtime-endpoint=unix:///run/containerd/containerd.sock
    
  5. Restart kubelet:

    sudo systemctl restart kubelet
    

Verification:

kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.containerRuntimeVersion}'
# Should show containerd version, not docker

Important notes:

  • Docker images continue to work - containerd uses the same OCI image format
  • No application changes required
  • Migration can be done node-by-node for zero-downtime upgrades
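A pre-migration audit over the two kubectl outputs the steps above rely on, as an added example (not code from the Kubernetes project): it flags nodes still reporting docker:// and pods that hostPath-mount the Docker socket, which lose that socket once Docker is no longer the runtime. The node and pod objects are constructed, not captured from a real cluster.

```python
"""Added example, not Kubernetes project code: audit the JSON that
`kubectl get nodes -o json` and `kubectl get pods -A -o json` return
for the two things that break on a dockershim-to-containerd move."""
import json

DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def nodes_on_docker(nodes_json: dict) -> list:
    """Names of nodes whose reported runtime is docker:// (the dockershim path).
    docker:// also appears with cri-dockerd; confirm the kubelet endpoint in that case."""
    return [n["metadata"]["name"] for n in nodes_json.get("items", [])
            if n["status"]["nodeInfo"].get("containerRuntimeVersion", "").startswith("docker://")]


def pods_mounting_docker_socket(pods_json: dict) -> list:
    """namespace/name of pods with a hostPath volume pointing at the Docker socket."""
    found = []
    for pod in pods_json.get("items", []):
        for vol in pod["spec"].get("volumes", []):
            if vol.get("hostPath", {}).get("path", "") in DOCKER_SOCKETS:
                found.append(pod["metadata"]["namespace"] + "/" + pod["metadata"]["name"])
                break
    return found


def audit(nodes_json: dict, pods_json: dict) -> dict:
    """Combine both checks; an empty report means the cluster is ready for 1.24."""
    return {"nodes_on_docker": nodes_on_docker(nodes_json),
            "pods_using_docker_socket": pods_mounting_docker_socket(pods_json)}


# Constructed sample data shaped like kubectl's JSON output (not from a real cluster).
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "worker-1"},
     "status": {"nodeInfo": {"containerRuntimeVersion": "docker://20.10.12"}}},
    {"metadata": {"name": "worker-2"},
     "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.6.4"}}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "ci", "name": "dind-runner"},
     "spec": {"volumes": [{"name": "dsock", "hostPath": {"path": "/var/run/docker.sock"}}]}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}]}},
]}

if __name__ == "__main__":
    # On a live cluster, feed json.load() of the two kubectl commands instead.
    print(json.dumps(audit(SAMPLE_NODES, SAMPLE_PODS), indent=2))
```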

2. Enhanced Security Defaults

Several important security enhancements landed in 1.24:

PodSecurity Admission (Beta)

PodSecurity Admission moved to Beta in Kubernetes 1.24, providing a simpler replacement for the deprecated PodSecurityPolicy. It offers namespace-level security enforcement with three standard profiles.

Key features:

  • Namespace-scoped enforcement (simpler than cluster-wide PSP)
  • Three standard profiles: Privileged, Baseline, Restricted
  • Three enforcement modes: enforce, audit, warn
  • Better performance than PodSecurityPolicy

Example configuration:

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Profile comparison:

  • Privileged: Unrestricted (for system workloads)
  • Baseline: Minimal restrictions (prevents known privilege escalations)
  • Restricted: Strongest restrictions (follows hardening best practices)

Enforcement modes:

  • enforce: Reject pods that violate the policy
  • audit: Log violations but allow pods
  • warn: Show warnings but allow pods

Note: PodSecurity Admission will graduate to GA in Kubernetes 1.25
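A simplified evaluator for the Baseline and Restricted profiles applied in the three modes, as an added example (not the Kubernetes admission plugin's code): the namespace labels mirror the production namespace above, the pod specs are constructed, and the checks are a subset of the real Pod Security Standards.

```python
"""Added example, not Kubernetes project code: evaluate a pod against the Baseline
and Restricted Pod Security Standards, then apply enforce/audit/warn from namespace
labels. The real plugin checks more fields; these are the controls most pods trip on."""
LABEL = "pod-security.kubernetes.io/"


def violations(pod: dict, level: str) -> list:
    """Human-readable violations of `level` (privileged, baseline or restricted)."""
    if level == "privileged":
        return []
    spec, pod_sc, out = pod["spec"], pod["spec"].get("securityContext", {}), []
    # Baseline: no host namespaces, no hostPath volumes, no privileged containers.
    out += [f"{k} is not allowed" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    out += [f"hostPath volume {v['name']!r} is not allowed" for v in spec.get("volumes", []) if "hostPath" in v]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f"container {c['name']!r} is privileged")
        if level != "restricted":
            continue
        # Restricted adds: no privilege escalation, non-root, drop ALL caps, seccomp profile set.
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"container {c['name']!r} must set allowPrivilegeEscalation=false")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True and not sc.get("runAsUser", pod_sc.get("runAsUser")):
            out.append(f"container {c['name']!r} must run as non-root")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"container {c['name']!r} must drop ALL capabilities (only NET_BIND_SERVICE may be added)")
        profile = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            out.append(f"container {c['name']!r} needs a RuntimeDefault or Localhost seccomp profile")
    return out


def admit(ns_labels: dict, pod: dict) -> dict:
    """Apply each mode at the level its namespace label names; an unset mode checks nothing."""
    result = {"allowed": True, "audit": [], "warnings": []}
    for mode, key in (("enforce", "allowed"), ("audit", "audit"), ("warn", "warnings")):
        if LABEL + mode not in ns_labels:
            continue
        found = violations(pod, ns_labels[LABEL + mode])
        if mode == "enforce":
            result["allowed"] = not found   # enforce rejects the pod
        else:
            result[key] += found            # audit logs, warn tells the client; pod is allowed
    return result


# Constructed samples: the production namespace's labels, a pod with no securityContext, and a hardened one.
PROD = {LABEL + "enforce": "restricted", LABEL + "audit": "restricted", LABEL + "warn": "restricted"}
BARE_POD = {"metadata": {"name": "web"}, "spec": {"containers": [{"name": "app", "image": "my-app:latest"}]}}
HARDENED_POD = {"metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "my-app:latest", "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
```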

ServiceAccount Token Volume Projection (Default)

ServiceAccount Token Volume Projection became the default authentication method, deprecating legacy service account tokens.

Benefits:

  • Time-bound tokens with expiration
  • Audience-specific tokens for different services
  • Automatic rotation reduces security risk
  • Better security than long-lived tokens

Example:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: my-service-account
  containers:
  - name: app
    image: my-app:latest
    volumeMounts:
    - name: token
      mountPath: /var/run/secrets/tokens
  volumes:
  - name: token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600
          audience: api
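The checks a receiving service makes on a projected token (signature, audience, expiry), as an added example that is not Kubernetes code: real tokens are signed by the API server with RS256/ES256 and verified against its public keys or through the TokenReview API; the HS256 key here is a constructed stand-in so the block runs offline, and the claim names match what the pod above would find in /var/run/secrets/tokens/token.

```python
"""Added example, not Kubernetes project code: what a service must verify on a
projected ServiceAccount token. HS256 with a constructed key stands in for the
API server's RS256/ES256 signature so that the example runs offline."""
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # stand-in for the API server's private signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(audience: str, ttl: int, now: int, key: bytes = KEY) -> str:
    """Token shaped like the file the projected volume writes for `audience`."""
    claims = {"iss": "https://kubernetes.default.svc", "aud": [audience], "iat": now, "exp": now + ttl,
              "sub": "system:serviceaccount:default:my-service-account",
              "kubernetes.io": {"namespace": "default", "serviceaccount": {"name": "my-service-account"}}}
    signing_input = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def verify(token: str, audience: str, now: int, key: bytes = KEY) -> dict:
    """Return the claims if the token is intact, meant for `audience` and unexpired; else raise."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if audience not in claims.get("aud", []):   # a token minted for "api" must not be accepted by "vault"
        raise ValueError(f"token not issued for audience {audience!r}")
    if now >= claims["exp"]:                    # short-lived; the kubelet rotates the file before expiry
        raise ValueError("token expired")
    return claims


def accepted(token: str, audience: str, now: int) -> bool:
    """Accept/reject decision a service would make on an incoming token."""
    try:
        verify(token, audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = int(time.time())
    tok = mint("api", 3600, t0)                  # expirationSeconds: 3600, audience: api
    print(accepted(tok, "api", t0 + 60))         # True
    print(accepted(tok, "vault", t0 + 60))       # False: wrong audience
    print(accepted(tok, "api", t0 + 3600))       # False: expired
```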

Seccomp Defaulting

Seccomp Defaulting moved closer to GA, improving container isolation by default. This feature applies secure default seccomp profiles to pods that don’t explicitly specify one.

These updates aligned Kubernetes with stronger security and compliance standards for enterprise workloads.


3. Storage and CSI Upgrades

Kubernetes 1.24 delivered significant improvements in the Container Storage Interface (CSI) ecosystem:

CSI Migration Completed

CSI Migration for AWS EBS, GCE PD, and Azure Disk was completed, fully removing in-tree storage plugins.

What this means:

  • All storage operations now use CSI drivers
  • Better feature parity with cloud-native storage
  • Improved performance and reliability
  • Easier maintenance and updates

Migration status:

  • GA: AWS EBS, GCE PD, Azure Disk
  • Beta: vSphere (completed in 1.23)
  • 🔄 In progress: Other in-tree plugins

No action required for most users - cloud providers handle migration automatically.

Verification:

# Check if CSI migration is enabled
kubectl get csidriver
# Should show cloud provider CSI drivers

Generic Ephemeral Volumes (GA)

Generic Ephemeral Volumes graduated to GA, improving flexibility for temporary storage needs.

Example:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: app
    image: my-app:latest
    volumeMounts:
    - name: cache
      mountPath: /cache
  volumes:
  - name: cache
    ephemeral:
      volumeClaimTemplate:
        metadata:
          labels:
            type: cache
        spec:
          accessModes: ["ReadWriteOnce"]
          storageClassName: fast-ssd
          resources:
            requests:
              storage: 1Gi

Additional Storage Features

  • Volume Populators (Alpha) introduced more control over how volumes are prepared and populated
  • CSI Inline Volume Secrets reached GA for safer credentials handling

4. Networking and Node Improvements

  • Network Policy Status added visibility for policy enforcement.
  • IPv4/IPv6 Dual-Stack continued stabilization.
  • kubelet gained better memory management and more resilient node shutdown logic.

5. Developer Experience Enhancements

  • kubectl events stabilized, improving debugging workflows.
  • Structured logging continued expanding across core components.
  • Go 1.18 became the minimum compiler version for Kubernetes builds.

Breaking Changes and Migration

What You Need to Know Before Upgrading

Critical changes requiring attention:

  1. Dockershim Removal

    • ⚠️ Action Required: Migrate to containerd, CRI-O, or another CRI-compatible runtime
    • Docker images continue to work (same OCI format)
    • See migration guide above for detailed steps
  2. PodSecurityPolicy Deprecation

    • ⚠️ Action Required: Migrate to PodSecurity Admission (Beta in 1.24)
    • PodSecurityPolicy will be removed in 1.25
    • Plan migration before upgrading to 1.25
  3. ServiceAccount Token Changes

    • Legacy tokens deprecated
    • New default uses Token Volume Projection
    • Most applications work without changes
    • Review custom token usage

Upgrade checklist:

  • Verify container runtime compatibility (containerd/CRI-O)
  • Review and migrate PodSecurityPolicy configurations
  • Test ServiceAccount token usage
  • Update CSI drivers if using custom storage
  • Review deprecated API usage
  • Test in non-production environment first

Milestones Timeline

Date             Event
May 3, 2022      Kubernetes 1.24 officially released
May–June 2022    Dockershim removal fully adopted by cloud providers
Mid 2022         PodSecurity Admission and Token Projection rolled out in production

Patch Releases for 1.24

Patch releases (1.24.x) focused on runtime compatibility, security, and stability.

Patch Version    Release Date     Notes
1.24.0           2022-05-03       Initial release
1.24.1+          various dates    Maintenance and runtime stability updates

Legacy and Impact

Kubernetes 1.24 was a historic release — the one that officially removed Dockershim and completed Kubernetes’ transition to CRI-based runtimes.
It also delivered meaningful advances in security, identity, and storage, making clusters more secure and maintainable by default.
This release solidified Kubernetes’ identity as a runtime-agnostic, enterprise-grade orchestration platform.


Summary

Aspect           Description
Release Date     May 3, 2022
Key Innovations  Dockershim removal, PodSecurity Admission, Token Projection, CSI upgrades
Significance     Major runtime evolution and security modernization milestone

Getting Started with Kubernetes 1.24

Quick Verification

Check cluster version:

kubectl version
kubectl get nodes

Verify container runtime:

kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.containerRuntimeVersion}'
# Should show containerd or CRI-O, not docker

Check PodSecurity Admission status:

kubectl get namespaces --show-labels | grep pod-security

Verify CSI drivers:

kubectl get csidriver

Next in the Series

Next up: Kubernetes 1.25 (August 2022) — introducing PodSecurity Admission GA, CSI Ephemeral Volume updates, and key scalability improvements.