Kubernetes 1.33: Orion – Smarter Autoscaling and Enhanced Efficiency

Introduction

In April 2025, the Kubernetes project released version 1.33, codenamed “Orion.”
This release emphasizes intelligent automation, resource efficiency, and observability, further strengthening Kubernetes’ role as the backbone of modern cloud-native infrastructure.
It includes 47 enhancements — 15 graduating to stable (GA), 18 moving to beta, and 14 new alpha features.

Official Highlights

1. Smarter Cluster Autoscaling (GA)

Kubernetes 1.33 introduces Intelligent Cluster Autoscaler improvements that use historical workload data and predictive scheduling to anticipate demand spikes.
It integrates seamlessly with custom metrics and offers more granular scaling thresholds, optimizing both performance and cost.

“Orion refines Kubernetes’ intelligence — clusters now learn, adapt, and scale more predictively.”
— Kubernetes SIG Autoscaling

What is Intelligent Cluster Autoscaling?

Intelligent Cluster Autoscaling represents a significant advancement in Kubernetes’ autoscaling capabilities, moving from reactive to predictive scaling. It analyzes historical workload patterns, resource utilization trends, and application behavior to anticipate scaling needs before they occur.

Key Features:

• Predictive scaling: Uses machine learning models to predict future resource demands based on historical patterns
• Historical data analysis: Analyzes workload patterns over time to identify trends and cycles
• Custom metrics integration: Seamlessly integrates with custom metrics from Prometheus, Datadog, and other monitoring systems
• Granular thresholds: More precise scaling thresholds reduce unnecessary scaling events and costs
• Cost optimization: Optimizes both performance and cost by scaling proactively rather than reactively

How it works:

1. Data Collection: Collects historical workload data including CPU, memory, request rates, and custom metrics
2. Pattern Analysis: Analyzes patterns to identify trends, cycles, and anomalies in workload behavior
3. Prediction: Uses predictive models to forecast future resource demands
4. Proactive Scaling: Scales resources proactively before demand spikes occur
5. Continuous Learning: Continuously learns and adapts to changing workload patterns

Benefits:

• Reduced latency: Proactive scaling reduces latency spikes during traffic surges
• Cost savings: More efficient scaling reduces unnecessary resource allocation, saving up to 30% on cloud costs
• Better performance: Ensures resources are available when needed, improving application performance
• Reduced operational overhead: Automates scaling decisions, reducing manual intervention
• Improved reliability: Prevents capacity issues before they impact applications

Example Configuration:

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: intelligent-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-app
  minReplicas: 3
  maxReplicas: 100
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Pods
    pods:
      metric:
        name: requests_per_second
      target:
        type: AverageValue
        averageValue: "1000"
  behavior:
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
      - type: Percent
        value: 50
        periodSeconds: 60
      - type: Pods
        value: 4
        periodSeconds: 60
      selectPolicy: Max
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
      - type: Percent
        value: 10
        periodSeconds: 60
      selectPolicy: Min

Use Cases:

• E-commerce platforms: Handle traffic spikes during sales events and peak shopping hours
• SaaS applications: Scale proactively based on user activity patterns and business hours
• Batch processing: Optimize resource allocation for batch jobs with predictable schedules
• Microservices: Scale services based on inter-service communication patterns
• Cost-sensitive workloads: Optimize costs while maintaining performance SLAs

2. Workload Efficiency Enhancements

Pod Resource Overhead (GA)

Pod Resource Overhead allows finer control over resource requests vs actual runtime overhead, enabling more accurate resource allocation and better cluster utilization.

What is Pod Resource Overhead?

Pod Resource Overhead accounts for the additional resources consumed by the container runtime, kubelet, and other system components that aren’t part of the application itself. This feature allows cluster administrators to define overhead per RuntimeClass, ensuring accurate resource accounting.

Benefits:

• Accurate resource accounting: Better understanding of actual resource consumption
• Improved scheduling: More accurate scheduling decisions based on real resource needs
• Better utilization: Optimize cluster utilization by accounting for all resource consumption
• Cost optimization: More accurate cost allocation and resource planning
• Reduced OOM events: Better memory management reduces out-of-memory conditions

How it works:

1. Define overhead per RuntimeClass specifying CPU and memory overhead
2. Kubernetes automatically adds overhead to pod resource requests
3. Scheduler considers total resource needs including overhead
4. Kubelet reserves overhead resources for runtime components

Example:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
overhead:
  podFixed:
    memory: "128Mi"
    cpu: "100m"
---
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  runtimeClassName: gvisor
  containers:
  - name: app
    image: myapp:latest
    resources:
      requests:
        memory: "512Mi"
        cpu: "500m"
      limits:
        memory: "1Gi"
        cpu: "1000m"
  # Total requests: 640Mi memory, 600m CPU (includes overhead)

Use Cases:

• Container runtimes with overhead: Account for gVisor, Kata Containers, or other runtime overhead
• High-density clusters: Optimize resource allocation in clusters with many pods per node
• Cost allocation: Accurate cost allocation for multi-tenant clusters
• Resource planning: Better capacity planning with accurate resource accounting

NodeSwap Improvements

NodeSwap improvements reduce memory pressure and OOM conditions on high-density nodes, enabling better memory management and resource utilization.

Improvements:

• Better swap management: Improved swap file management and configuration
• Memory pressure handling: Better handling of memory pressure situations
• OOM prevention: Reduced out-of-memory conditions through better swap utilization
• Performance optimization: Optimized swap usage to minimize performance impact
• Configurable thresholds: More granular control over swap behavior

Configuration:

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
memorySwap:
  swapBehavior: LimitedSwap
  # LimitedSwap: Swap is limited to memory requests only
  # UnlimitedSwap: Swap can exceed memory requests

Benefits:

• Reduced OOM events: Better memory management reduces pod evictions
• Higher density: Enable more pods per node with better memory management
• Cost savings: Better utilization of node resources
• Improved stability: More stable clusters with better memory handling

JobSet API (GA)

JobSet API orchestrates batch workloads as unified groups, improving throughput and fault tolerance for complex batch processing scenarios.

What is JobSet?

JobSet provides a higher-level abstraction for managing groups of related Jobs, enabling better orchestration of batch workloads with dependencies, ordering, and failure handling.

Key Features:

• Job grouping: Group related Jobs into a single JobSet for unified management
• Dependencies: Define dependencies between Jobs within a JobSet
• Failure handling: Configurable failure policies for handling Job failures
• Success criteria: Define success criteria for the entire JobSet
• Unified lifecycle: Manage the lifecycle of multiple Jobs as a single unit

Benefits:

• Simplified management: Manage complex batch workloads as single units
• Better fault tolerance: Improved failure handling and recovery
• Higher throughput: Optimized scheduling and execution of batch workloads
• Dependency management: Handle complex dependencies between batch jobs
• Resource optimization: Better resource utilization through coordinated scheduling

Example:

apiVersion: jobset.x-k8s.io/v1alpha2
kind: JobSet
metadata:
  name: data-pipeline
spec:
  replicatedJobs:
  - name: data-ingestion
    replicas: 3
    template:
      spec:
        completions: 1
        parallelism: 1
        template:
          spec:
            containers:
            - name: ingestion
              image: data-ingestion:latest
            restartPolicy: OnFailure
  - name: data-processing
    replicas: 5
    template:
      spec:
        completions: 5
        parallelism: 5
        template:
          spec:
            containers:
            - name: processing
              image: data-processing:latest
            restartPolicy: OnFailure
  successPolicy:
    operator: AllJobsSuccessful
  failurePolicy:
    operator: FailJobSet
    restartPolicy: OnFailure

Use Cases:

• Data pipelines: Orchestrate multi-stage data processing pipelines
• ML training: Coordinate distributed machine learning training jobs
• Batch processing: Manage complex batch processing workflows
• ETL jobs: Orchestrate extract, transform, load operations
• Workflow automation: Automate complex workflows with dependencies

3. Observability and Logging Upgrades

Structured Logging (GA)

Structured Logging is now fully rolled out across all Kubernetes components, providing consistent, parseable log formats for better observability and troubleshooting.

What is Structured Logging?

Structured logging outputs logs in a structured format (typically JSON) with consistent fields, making it easier to parse, search, and analyze logs from Kubernetes components.

Benefits:

• Consistent format: All components use consistent log structure
• Better parsing: Easier to parse and analyze logs with structured data
• Improved searchability: Better log search and filtering capabilities
• Integration: Easier integration with log aggregation systems (ELK, Splunk, etc.)
• Troubleshooting: Faster troubleshooting with structured log data

Log Format:

{
  "timestamp": "2025-04-09T10:30:00Z",
  "level": "info",
  "msg": "Pod scheduled successfully",
  "pod": "my-pod",
  "namespace": "default",
  "node": "node-1",
  "scheduler": "default-scheduler",
  "traceID": "abc123",
  "spanID": "def456"
}

Configuration:

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
logging:
  format: json
  verbosity: 2

Use Cases:

• Log aggregation: Better integration with centralized logging systems
• Troubleshooting: Faster issue identification and resolution
• Monitoring: Better monitoring and alerting based on structured logs
• Compliance: Easier compliance reporting with structured audit logs
• Analytics: Better log analytics and insights

Event Filtering and Sampling

Event Filtering and Sampling improves audit signal-to-noise ratio by allowing administrators to filter and sample events, reducing log volume while maintaining important information.

Features:

• Event filtering: Filter events based on type, level, reason, and other criteria
• Sampling: Sample events to reduce volume while maintaining coverage
• Configurable policies: Define filtering and sampling policies per namespace or cluster
• Audit optimization: Optimize audit logs for better performance and storage efficiency

Example Configuration:

apiVersion: audit.k8s.io/v1
kind: EventFilter
metadata:
  name: production-events
spec:
  rules:
  - level: Warning
  - level: Error
  - type: PodFailed
  - type: NodeNotReady
  - reason: ImagePullBackOff
  - reason: CrashLoopBackOff
  sampling:
    rate: 0.1  # Sample 10% of matching events

Benefits:

• Reduced noise: Focus on important events, reducing log noise
• Better performance: Improved audit pipeline performance
• Storage savings: Reduced storage requirements for audit logs
• Cost optimization: Lower costs for log storage and processing

Kubernetes Metrics Pipeline (Alpha)

Kubernetes Metrics Pipeline introduces a unified observability layer for metrics, logs, and traces, providing a single interface for collecting and exporting observability data.

What is Metrics Pipeline?

The Metrics Pipeline provides a unified way to collect, process, and export metrics, logs, and traces from Kubernetes components, enabling better observability and integration with external systems.

Key Features:

• Unified collection: Single interface for collecting metrics, logs, and traces
• Processing pipeline: Configurable processing pipeline for data transformation
• Multiple exporters: Support for multiple exporters (Prometheus, OpenTelemetry, etc.)
• Resource efficiency: Efficient resource usage with optimized collection
• Extensibility: Extensible architecture for custom collectors and exporters

Architecture:

Kubernetes Components → Metrics Pipeline → Processing → Exporters → External Systems
                      (Collection)        (Transform)  (Prometheus, OTLP, etc.)

Example Configuration:

apiVersion: metrics.k8s.io/v1alpha1
kind: MetricsPipeline
metadata:
  name: default
spec:
  collectors:
  - type: kubelet
    enabled: true
  - type: apiserver
    enabled: true
  - type: scheduler
    enabled: true
  processors:
  - type: aggregation
    config:
      interval: 30s
  exporters:
  - type: prometheus
    config:
      endpoint: prometheus:9090
  - type: otlp
    config:
      endpoint: otel-collector:4317

Benefits:

• Unified observability: Single interface for all observability data
• Better integration: Easier integration with observability stacks
• Resource efficiency: More efficient resource usage
• Flexibility: Configurable pipeline for different use cases
• Future-proof: Extensible architecture for future enhancements

Use Cases:

• Multi-cloud deployments: Unified observability across multiple clusters
• Complex environments: Better observability in complex Kubernetes environments
• Compliance: Comprehensive observability for compliance requirements
• Performance optimization: Better insights for performance optimization

4. Gateway API & Networking Updates

TCPRoute and UDPRoute (GA)

TCPRoute and UDPRoute have reached GA, completing the core Gateway API suite and enabling comprehensive routing for TCP and UDP traffic alongside HTTP/HTTPS.

What are TCPRoute and UDPRoute?

TCPRoute and UDPRoute provide Gateway API resources for routing TCP and UDP traffic, enabling Kubernetes-native load balancing and routing for non-HTTP protocols.

Key Features:

• TCP routing: Route TCP traffic based on hostname and port
• UDP routing: Route UDP traffic for DNS, gaming, and other UDP-based services
• Load balancing: Built-in load balancing for TCP/UDP services
• TLS termination: TLS termination for TCP connections
• Multi-protocol support: Support for multiple protocols in a single Gateway

Benefits:

• Protocol support: Support for non-HTTP protocols (database, messaging, etc.)
• Unified API: Consistent API for all protocol types
• Better integration: Better integration with existing infrastructure
• Simplified management: Simplified management of multi-protocol services
• Production ready: GA status indicates production readiness

Example:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tcp-gateway
spec:
  gatewayClassName: istio
  listeners:
  - name: tcp
    protocol: TCP
    port: 3306
---
apiVersion: gateway.networking.k8s.io/v1
kind: TCPRoute
metadata:
  name: mysql-route
spec:
  parentRefs:
  - name: tcp-gateway
  rules:
  - backendRefs:
    - name: mysql-service
      port: 3306

Use Cases:

• Database services: Route TCP traffic to database services (MySQL, PostgreSQL, etc.)
• Messaging systems: Route TCP/UDP traffic for messaging systems (RabbitMQ, Kafka, etc.)
• Gaming services: Route UDP traffic for gaming services
• DNS services: Route UDP traffic for DNS services
• Legacy applications: Route traffic for legacy applications using TCP/UDP

BackendTLSPolicy (GA)

BackendTLSPolicy now enforces consistent encryption standards across providers, ensuring secure communication between gateways and backend services.

What is BackendTLSPolicy?

BackendTLSPolicy provides a standardized way to configure TLS settings for backend services, ensuring consistent security policies across different Gateway implementations.

Key Features:

• mTLS support: Mutual TLS support for backend connections
• Certificate management: Automatic certificate management and rotation
• Policy enforcement: Consistent TLS policies across providers
• Security standards: Enforce security standards for backend communication
• Provider agnostic: Works with all Gateway API implementations

Benefits:

• Security: Enhanced security for backend communication
• Consistency: Consistent TLS configuration across providers
• Compliance: Meet compliance requirements for encrypted communication
• Zero-trust: Enable zero-trust networking models
• Simplified management: Simplified TLS configuration management

Example:

apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
  name: backend-tls-policy
spec:
  targetRef:
    group: ""
    kind: Service
    name: my-backend-service
  tls:
    hostname: backend.example.com
    caCertRefs:
    - name: ca-cert
      group: ""
      kind: Secret
    clientCertRefs:
    - name: client-cert
      group: ""
      kind: Secret
    cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    minVersion: "1.2"
    maxVersion: "1.3"

Use Cases:

• Service-to-service security: Secure communication between services
• Zero-trust networking: Implement zero-trust security models
• Compliance: Meet compliance requirements for encrypted communication
• Multi-tenant: Secure communication in multi-tenant environments
• Hybrid cloud: Secure communication across cloud boundaries

NetworkPolicy v2 (Alpha)

NetworkPolicy v2 introduces more expressive rules, supporting wildcard and range-based matching for more flexible network policy definitions.

What is NetworkPolicy v2?

NetworkPolicy v2 extends the existing NetworkPolicy API with more expressive matching capabilities, enabling more flexible and powerful network policy definitions.

Key Features:

• Wildcard matching: Support for wildcard matching in selectors
• Range-based matching: Support for IP ranges and port ranges
• More expressive rules: More flexible rule definitions
• Better performance: Optimized policy evaluation performance
• Backward compatibility: Backward compatible with NetworkPolicy v1

Benefits:

• Flexibility: More flexible network policy definitions
• Simplified rules: Simpler rules for complex scenarios
• Better performance: Improved policy evaluation performance
• Easier management: Easier management of network policies
• Future-proof: Foundation for future network policy enhancements

Example:

apiVersion: networking.k8s.io/v2
kind: NetworkPolicy
metadata:
  name: advanced-policy
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    - namespaceSelector:
        matchLabels:
          name: production
    - ipBlock:
        cidr: 192.168.1.0/24
        except:
        - 192.168.1.100/32
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432

Use Cases:

• Complex policies: Define complex network policies with fewer rules
• Multi-tenant: Better network isolation in multi-tenant environments
• Security: Enhanced security with more expressive policies
• Compliance: Meet compliance requirements with flexible policies
• Performance: Better performance with optimized policy evaluation

5. Security and Compliance Improvements

KMS v3 (Alpha)

KMS v3 adds cloud-agnostic envelope encryption with rotation automation, providing enhanced security and key management capabilities.

What is KMS v3?

KMS v3 is the next generation of Kubernetes Key Management Service integration, providing cloud-agnostic envelope encryption with automatic key rotation and improved performance.

Key Features:

• Cloud-agnostic: Works with any KMS provider (AWS KMS, Azure Key Vault, GCP KMS, HashiCorp Vault, etc.)
• Automatic rotation: Automatic key rotation with zero-downtime
• Envelope encryption: Efficient envelope encryption for secrets
• Multi-provider: Support for multiple KMS providers simultaneously
• Performance: Improved performance for encryption/decryption operations

Benefits:

• Security: Enhanced security with automatic key rotation
• Compliance: Meet compliance requirements for key management
• Flexibility: Support for multiple KMS providers
• Performance: Better performance with optimized encryption
• Reliability: Improved reliability with better error handling

Example Configuration:

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - kms:
      name: aws-kms-v3
      endpoint: unix:///var/run/kms-plugin/socket
      cachesize: 1000
      timeout: 3s
      healthz:
        path: /healthz
        timeout: 3s
      rotation:
        enabled: true
        interval: 24h
        gracePeriod: 1h

Use Cases:

• Multi-cloud: Consistent encryption across multiple cloud providers
• Compliance: Meet compliance requirements (PCI-DSS, HIPAA, etc.)
• Security: Enhanced security for sensitive data
• Key management: Centralized key management across clusters
• Disaster recovery: Better disaster recovery with key rotation

PodSecurity Admission Profiles

PodSecurity Admission Profiles now natively support custom policies per namespace, enabling fine-grained security policy enforcement.

Improvements:

• Custom policies: Define custom security policies per namespace
• Policy composition: Compose multiple policies for complex scenarios
• Namespace-specific: Different policies for different namespaces
• Better validation: Improved validation of security policies
• Audit mode: Enhanced audit mode for policy violations

Example:

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Custom Policy Example:

apiVersion: pod-security.admission.k8s.io/v1
kind: PodSecurityPolicy
metadata:
  name: custom-restricted
spec:
  enforce:
    level: restricted
    version: latest
  exemptions:
    usernames:
    - system:serviceaccount:kube-system:cluster-admin
    runtimeClasses:
    - gvisor
    namespaces:
    - kube-system

Use Cases:

• Multi-tenant: Different security policies for different tenants
• Compliance: Meet compliance requirements with custom policies
• Development: Relaxed policies for development, strict for production
• Legacy applications: Exemptions for legacy applications
• Security hardening: Progressive security hardening across namespaces

RuntimeClass Scheduling

RuntimeClass Scheduling ensures secure isolation for mixed workloads (AI, ML, GPU), enabling better security and resource management for specialized workloads.

Features:

• Workload isolation: Isolate different workload types (AI, ML, GPU, etc.)
• Security: Enhanced security for specialized workloads
• Resource management: Better resource management for specialized hardware
• Scheduling: Intelligent scheduling based on runtime requirements
• Compliance: Meet compliance requirements for workload isolation

Example:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gpu-runtime
handler: nvidia
scheduling:
  nodeSelector:
    accelerator: nvidia-tesla-v100
  tolerations:
  - key: nvidia.com/gpu
    operator: Exists
    effect: NoSchedule
overhead:
  podFixed:
    memory: "512Mi"
    cpu: "1000m"
---
apiVersion: v1
kind: Pod
metadata:
  name: gpu-workload
spec:
  runtimeClassName: gpu-runtime
  containers:
  - name: gpu-app
    image: gpu-app:latest
    resources:
      requests:
        nvidia.com/gpu: 1
      limits:
        nvidia.com/gpu: 1

Use Cases:

• AI/ML workloads: Secure isolation for AI/ML training and inference
• GPU workloads: Better management of GPU resources
• Security-sensitive workloads: Enhanced security for sensitive workloads
• Multi-tenant: Workload isolation in multi-tenant environments
• Compliance: Meet compliance requirements for workload isolation

Milestones Timeline

Patch Releases for 1.33

Patch releases (1.33.x) focused on refining autoscaling intelligence and observability accuracy.

Legacy and Impact

Kubernetes 1.33 represents a step into autonomous orchestration, where clusters analyze patterns, adapt proactively, and reduce operational overhead.
By coupling predictive autoscaling with full observability and refined APIs, Kubernetes becomes not just reactive — but intelligently proactive.

Summary

Next in the Series

Next up: Kubernetes 1.34 (August 2025) — the release expected to expand AI-native scheduling, WASM workload integration, and next-generation runtime interfaces.