Solutions
Audit & Optimization Platform Design Automation Team Structure
Documentation Blog
Get Started
Kubernetes Releases 2022

Kubernetes 1.25: PodSecurity GA and Extending Reliability

K8s Guru
6 min read
#kubernetes #1.25 #release #podsecurity #csi #networking #kubectl #api #podsecuritypolicy #cronjob #network-policy #storage #security #ga
Kubernetes 1.25: PodSecurity GA and Extending Reliability

Table of Contents

Introduction

On August 23, 2022, the Kubernetes project announced version 1.25, continuing its focus on security, reliability, and extensibility.
This release contained 40 enhancements — 13 graduated to stable (GA), 10 to beta, and 13 newly introduced as alpha — solidifying the platform’s maturity for enterprise-scale environments.

Official Highlights

1. PodSecurity Admission (GA)

After being introduced in 1.23, PodSecurity Admission reached General Availability in 1.25.
It replaced the deprecated PodSecurityPolicy mechanism, offering a simpler, namespace-scoped security enforcement model with three standard profiles.

Why PodSecurity Admission over PSP:

  • Simpler: Namespace-scoped, no complex RBAC
  • Better performance: No admission webhook overhead
  • Clearer semantics: Standard profiles with explicit modes
  • Easier migration: Straightforward mapping from PSP policies

Standard Security Profiles:

  1. Privileged - Unrestricted policy

    • Allows all capabilities and host access
    • Use for: System components, privileged workloads

  2. Baseline - Minimally restrictive

    • Prevents known privilege escalations
    • Allows common volume types
    • Use for: Legacy applications, development

  3. Restricted - Highly restrictive

    • Follows Pod hardening best practices
    • Requires read-only root filesystems
    • Drops all capabilities
    • Use for: Production workloads, security-sensitive apps

Enforcement Modes:

  • enforce: Policy violations cause pod rejection
  • audit: Log violations but allow pods (for migration)
  • warn: Show user warnings but allow pods

Complete Example:

# Namespace with Restricted profile
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Pod that complies with Restricted profile
apiVersion: v1
kind: Pod
metadata:
  name: secure-app
  namespace: production
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: my-app:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}

Migration from PodSecurityPolicy:

  1. Audit existing PSP policies:

    kubectl get psp
kubectl get psp <name> -o yaml

  2. Map PSP to PodSecurity profiles:

    • Most restrictive PSP → Restricted profile
    • Moderate PSP → Baseline profile
    • Permissive PSP → Privileged profile

  3. Apply PodSecurity labels gradually:

    # Start with warn mode
pod-security.kubernetes.io/warn: restricted
# Then audit mode
pod-security.kubernetes.io/audit: restricted
# Finally enforce mode
pod-security.kubernetes.io/enforce: restricted

  4. Remove PSP after migration:

    kubectl delete psp <name>

“PodSecurity Admission gives operators a predictable and clear security posture across namespaces.”
— Kubernetes SIG Auth Team

2. CSI & Storage Enhancements

Kubernetes 1.25 delivered significant improvements in the Container Storage Interface (CSI) ecosystem:

CSI Volume Expansion (GA)

CSI Volume Expansion graduated to GA, enabling volume expansion without pod restart.

Example:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: fast-ssd
---
# Later, expand the volume
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi  # Expanded from 10Gi
  storageClassName: fast-ssd

CSI Ephemeral Volumes

CSI Ephemeral Volumes enhancements provide volumes tied to pod lifecycle, useful for temporary storage and caches.

Example:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: app
    image: my-app:latest
    volumeMounts:
    - name: cache
      mountPath: /cache
  volumes:
  - name: cache
    csi:
      driver: ephemeral-volume.csi.example.com
      volumeAttributes:
        size: 10Gi

CSI Migration Status

  • Complete: AWS EBS, GCE PD, Azure Disk, vSphere
  • All major cloud providers now use CSI drivers exclusively
  • Improved performance and feature parity

VolumeSnapshot Reliability

VolumeSnapshot reliability updates improve backup and restore workflows, providing more consistent snapshot management across different storage providers.

3. Network and Scheduling Improvements

Network Policy Status (Beta)

Kubernetes 1.25 introduces Network Policy Status, providing visibility into network policy enforcement.

Benefits:

  • See which policies are applied to pods
  • Debug network connectivity issues
  • Verify policy enforcement

Example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080

Check policy status:

kubectl get networkpolicy -n production
kubectl describe networkpolicy allow-app -n production

Scheduling Improvements

  • Kube-proxy enhancements improved load balancing consistency
  • PodTopologySpread optimizations reduced scheduling overhead
  • CNI plugin interfaces matured for hybrid and multi-cloud environments

Together, these changes refined Kubernetes networking and scheduling behavior for large-scale clusters.

CronJob Reliability Improvements

Kubernetes 1.25 improves CronJob reliability and scheduling:

Improvements:

  • Better handling of missed start times
  • Improved job scheduling logic
  • Reduced API server load
  • Better cleanup of completed jobs

Example:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: backup-job
spec:
  schedule: "0 2 * * *"  # Daily at 2 AM
  timeZone: "America/New_York"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: backup
            image: backup-tool:latest
          restartPolicy: OnFailure

New features:

  • timeZone support for scheduling in specific timezones
  • Improved concurrency handling for better reliability
  • Better history management for completed jobs

4. API and Developer Updates

  • CRD validation schemas gained extended capabilities for stricter API enforcement;
  • Structured Logging continued to roll out across more components;
  • kubectl explain and kubectl events enhancements improved developer experience.

5. Deprecations and Cleanups

As part of the ongoing API modernization process:

  • PodSecurityPolicy fully removed;
  • FlexVolume deprecated;
  • Multiple legacy APIs cleaned up from prior alpha features.

Breaking Changes and Migration

What You Need to Know Before Upgrading

Critical changes requiring attention:

  1. PodSecurityPolicy Removed

    • ⚠️ Action Required: Must migrate to PodSecurity Admission before upgrading
    • PodSecurityPolicy API completely removed in 1.25
    • No backward compatibility available

  2. FlexVolume Deprecated

    • ⚠️ Action Required: Migrate to CSI drivers
    • FlexVolume will be removed in future releases
    • Plan migration for custom FlexVolume plugins

  3. API Removals

    • Various v1beta1 APIs removed
    • Review cluster for deprecated API usage
    • Update manifests to use stable APIs

Upgrade checklist:

  • Complete PodSecurityPolicy migration to PodSecurity Admission
  • Review and update deprecated API usage
  • Migrate FlexVolume plugins to CSI if applicable
  • Test CronJob configurations with new scheduling logic
  • Verify network policy configurations
  • Test in non-production environment first

Milestones Timeline

DateEvent
Aug 23, 2022Kubernetes 1.25 officially released
Q3 2022PodSecurity Admission GA adopted by major providers
Late 2022CSI and storage enhancements deployed across enterprise clusters

Patch Releases for 1.25

Patch releases (1.25.x) included bug fixes, storage reliability updates, and networking optimizations.

Patch VersionRelease DateNotes
1.25.02022-08-23Initial release
1.25.1+various datesMaintenance and security updates

Legacy and Impact

Kubernetes 1.25 marked the completion of PodSecurityPolicy removal and the graduation of PodSecurity Admission to GA, cementing Kubernetes’ modern security model.
With stable CSI migration, enhanced logging, and API refinements, this release underscored Kubernetes’ readiness for secure, large-scale enterprise workloads.

Summary

AspectDescription
Release DateAugust 23, 2022
Key InnovationsPodSecurity Admission GA, CSI enhancements, network and scheduling improvements
SignificanceStrengthened Kubernetes’ reliability, security, and operational maturity

Getting Started with Kubernetes 1.25

Quick Verification

Check cluster version:

kubectl version
kubectl get nodes

Verify PodSecurity Admission:

kubectl get namespaces --show-labels | grep pod-security
kubectl get namespace production -o yaml | grep pod-security

Test PodSecurity enforcement:

# Try creating a pod that violates Restricted policy
kubectl run test-pod --image=nginx --restart=Never -n production
# Should be rejected if enforce mode is enabled

Check CronJob status:

kubectl get cronjobs
kubectl get jobs

Next in the Series

Next up: Kubernetes 1.26 (December 2022) — bringing CRD validation improvements, Storage Capacity Tracking GA, and extended support for multi-architecture deployments.