Last checked and updated on 05 Jun 2026
What Is New in Kubernetes 1.23
Kubernetes 1.23 brings a solid set of incremental improvements, focusing on maturing existing features and refining the core experience. This release includes a significant feature promotion, key API changes, and essential storage enhancements that address real-world operational needs.
| Category | Key Highlights |
|---|---|
| New Features & Enhancements | IPv4/IPv6 dual-stack networking graduates to GA. PodSecurity replaces PodSecurityPolicy (beta). Introduction of HorizontalPodAutoscaler v2. Expanded support for generic ephemeral volumes. |
| API Changes | CRD validation expression language (CEL) enters alpha. The PodSecurity admission plugin is now enabled by default. |
| Storage | CSI snapshot operations support the VolumeSnapshot move feature. Introduction of the CSIVolumeHealth alpha feature for monitoring volume health. |
| Deprecations & Removals | Several in-tree storage plugins to AWS, OpenStack, and vSphere have been removed. The topologyKeys field is deprecated. |
Is IPv6 finally production-ready in Kubernetes 1.23?
Yes, IPv4/IPv6 dual-stack networking has officially graduated to General Availability (GA) in this release. This marks a major milestone for running workloads in environments that require native IPv6 connectivity.
The GA status signifies that the API is stable and the feature is fully supported for production use. You can now configure cluster networking to assign both IPv4 and IPv6 addresses to Pods and Services, which is crucial for modern infrastructure and compliance with IPv6-only networks.
What replaced the deprecated PodSecurityPolicy?
The PodSecurity admission controller, which entered beta in 1.23, is the direct replacement. This new implementation is a huge improvement in usability and clarity over the complex and often confusing PodSecurityPolicy.
Instead of managing complex policy objects, you define security standards directly on namespaces using labels. You can enforce the baseline, restricted, or privileged security profile, making it far easier to apply sensible defaults across your clusters without the operational overhead of the old system.
How did Horizontal Pod Autoscaling get better?
The HorizontalPodAutoscaler (HPA) API version autoscaling/v2 has been promoted to beta, unlocking more powerful scaling metrics. This is the API you should be using for any new HPA configurations.
The key advantage is native support for scaling based on multiple metrics, not just CPU and memory. You can now create autoscaling rules that react to custom or external metrics directly in the HPA spec, which simplifies your architecture by reducing the need for custom metrics adapters in many cases.
What storage improvements should I know about?
Two storage features stand out. First, the CSI snapshot controller now supports the VolumeSnapshot move feature, which is critical for operations like migrating stateful workloads between clusters.
Second, the alpha CSIVolumeHealth feature allows a CSI driver to report abnormal volume conditions from the underlying storage system directly to the Pod using the volume. This gives developers earlier warning of potential storage issues that could affect their application.
Were any legacy components removed?
Yes, the removal of several in-tree cloud provider storage plugins is a continuation of the effort to clean up the core codebase. Plugins for AWS, OpenStack, and vSphere have been removed in favor of their out-of-tree CSI driver equivalents.
This removal forces a migration to the CSI standard, which is a good thing long-term. It means storage functionality is developed and released independently of the main Kubernetes release cycle, allowing for faster innovation and more reliable driver updates.
FAQ
Is the PodSecurity feature enabled by default in 1.23?
Yes, the PodSecurity admission plugin is enabled by default in this release. However, it runs in a non-enforcing mode (i.e., warn and audit) unless you explicitly configure it to enforce policies on your namespaces.
What happens if I'm still using PodSecurityPolicy?
PodSecurityPolicy was deprecated in earlier versions and remains so in 1.23. You should begin migrating your policies to the new PodSecurity admission configuration. The old PSP controller will be removed in a future release.
Can I use the new HPA v2 API for all my metrics?
Absolutely. The autoscaling/v2 API supports resource (CPU/Memory), object, and pod metrics natively. It consolidates what previously required multiple API versions or external adapters, making your HPA definitions cleaner and more powerful.
Do I need to do anything for the dual-stack GA feature?
If you want to use dual-stack, you need to ensure your cloud provider, CNI plugin, and kubelet configuration all support it. The feature is stable, but enabling it requires specific cluster-level setup during initialization (--feature-gates="IPv6DualStack=true" and dual-stack service and pod CIDRs).
My cluster uses in-tree AWS EBS volumes, what now?
You must migrate to the AWS EBS CSI driver. The in-tree volume plugin has been removed. The CSI driver offers feature parity and is the only supported way to provision EBS volumes on Kubernetes 1.23 and above.