What Is New in Kubernetes 1.25
Kubernetes 1.25, "Combinator", delivers significant enhancements across core APIs, security, storage, and workload management. This release focuses on maturing existing features and introducing key capabilities for complex cluster operations.
| Category | Key Changes |
|---|---|
| New Features | PodSecurity admission GA, Ephemeral Containers GA, cgroups v2 GA, KMS v2 improvements |
| API Changes | CRD validation expression language beta, StatefulSet minReadySeconds, Pod hasIP condition |
| Storage | Non-graceful node shutdown GA, Volume populator CRDs alpha, ReadWriteOncePod PV access mode |
| Workloads | Job API with backoff limit per index, PodDisruptionBudget support for unhealthy pods |
| Deprecations/Removals | GlusterFS driver removed, CSI migration for AWS/EBS GA, PodSecurityPolicy finally removed |
How does PodSecurity admission improve cluster security?
The PodSecurity admission controller graduates to stable in 1.25, replacing the deprecated PodSecurityPolicy. This built-in admission controller enforces Pod Security Standards through namespace labels rather than complex RBAC policies.
You configure it by applying labels such as pod-security.kubernetes.io/enforce: baseline to a namespace. The controller then validates or mutates pods against the baseline, restricted, or privileged standards. This approach simplifies security policy management significantly compared to the previous PSP model.
In practice, this means faster pod admissions and clearer policy definitions. The migration path from PSP is straightforward, and the integration with namespace labels makes policy assignments intuitive for cluster operators.
What container debugging capabilities arrived in 1.25?
Ephemeral containers have reached general availability, providing production-ready debugging capabilities. This feature allows you to inject temporary containers into running pods for troubleshooting without restarting the pod.
You can use kubectl debug with the --target flag to attach debugging containers to specific processes within the pod. The debug containers share the pod's namespaces and resources, giving you full visibility into the runtime environment.
This is particularly valuable for diagnosing issues in production where restarting pods would cause service disruption. The GA status means the API is stable and ready for enterprise use cases.
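To make the namespace-label model concrete, here is an added example (not the Kubernetes controller's code) that re-implements a representative subset of the baseline and restricted Pod Security Standards checks and, as the real admission controller does, applies them to ephemeral debug containers as well as regular ones. The pod, the namespace labels, the chosen subset of checks and the message strings are all constructed for illustration.

```python
from typing import Dict, List
# Added example, not the Kubernetes controller: a simplified subset of the
# Pod Security Standards checks, driven by the namespace label the page describes.
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
def _all_containers(spec: Dict) -> List[Dict]:
    # Init and ephemeral (debug) containers are checked like regular ones.
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))
def baseline_violations(spec: Dict) -> List[str]:
    """Representative subset of the 'baseline' profile."""
    found = []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        found.append("pod: host namespaces are not allowed")
    for c in _all_containers(spec):
        if (c.get("securityContext") or {}).get("privileged"):
            found.append(f"{c['name']}: privileged containers are not allowed")
    return found
def restricted_violations(spec: Dict) -> List[str]:
    """'restricted' is baseline plus the hardening checks below."""
    found = baseline_violations(spec)
    pod_sc = spec.get("securityContext") or {}  # container settings override pod-level ones
    for c in _all_containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{c['name']}: allowPrivilegeEscalation must be false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append(f"{c['name']}: capabilities.drop must include ALL")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{c['name']}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{c['name']}: seccompProfile must be RuntimeDefault/Localhost")
    return found
def admit(pod: Dict, namespace_labels: Dict[str, str]) -> List[str]:
    """Violations the namespace's enforce level would reject the pod for."""
    level = namespace_labels.get(ENFORCE_LABEL, "privileged")  # unlabeled = privileged
    checks = {"privileged": lambda s: [], "baseline": baseline_violations,
              "restricted": restricted_violations}
    return checks[level](pod.get("spec") or {})
# Constructed sample: hardened app container plus an un-hardened debug container.
SAMPLE_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example.test/app:1.0", "securityContext":
                    {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    "ephemeralContainers": [{"name": "debugger", "image": "busybox", "targetContainerName": "app"}]}}
RESTRICTED_NS = {ENFORCE_LABEL: "restricted"}
```

Run against SAMPLE_POD, a restricted namespace rejects only the debug container, while a baseline namespace admits the pod; hardening the debugger's securityContext the same way as the app container makes it pass restricted too.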
How does cgroups v2 support affect resource management?
cgroups v2 support graduates to GA, providing enhanced resource management capabilities for nodes running Linux kernels 5.8+. This brings improved memory management, unified hierarchy, and better isolation between workloads.
The key advantage is more predictable resource enforcement, especially for memory limits. cgroups v2 prevents memory leaks from affecting system stability and offers finer-grained control over resource allocation.
For cluster operators, this means better node stability under heavy load. Applications experience more consistent performance since resource contention is managed more effectively at the kernel level.
What storage improvements should operators know about?
Non-graceful node shutdown handling moves to GA, significantly improving storage reliability during unexpected node failures. The feature allows volumes to be automatically detached and made available on other nodes after a node shutdown.
ReadWriteOncePod access mode for PersistentVolumes reaches beta, enabling storage access restriction to a single pod. This is crucial for stateful workloads that require exclusive access to their storage to prevent data corruption.
Volume populator CRDs enter alpha, providing a standardized way to pre-populate volume data before binding to a pod. This simplifies the process of creating volumes from snapshots or other data sources.
How do Job API improvements help batch processing?
The Job API introduces backoff limit per index for Indexed Jobs, allowing finer control over retry behavior. This means failed pods in specific indexes can be retried independently without affecting other indexes.
PodFailurePolicy support expands to provide more granular handling of job failures. You can define rules to specify whether a pod failure should be counted against the backoff limit based on the exit code or other conditions.
These enhancements make Kubernetes Jobs more robust for scientific computing and batch processing workloads where partial failures are common and should be handled intelligently.
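An added example, not Job controller code, that evaluates podFailurePolicy rules of the kind described above against terminated pods and replays a sequence of failures against backoffLimit. The Job spec, the sample pods and the subset of matchers and actions handled (onExitCodes, onPodConditions; Ignore, Count, FailJob) are constructed for illustration.

```python
from typing import Dict, List
# Added example, not controller code: an evaluator for the podFailurePolicy
# rule semantics the page describes (exit-code and pod-condition matchers,
# actions Ignore / Count / FailJob), on dicts shaped like the API objects.
def _nonzero_exit_codes(pod: Dict) -> Dict[str, int]:
    """Container name -> exit code, for containers that terminated non-zero."""
    codes = {}
    for cs in (pod.get("status") or {}).get("containerStatuses", []):
        term = (cs.get("state") or {}).get("terminated")
        if term and term.get("exitCode", 0) != 0:
            codes[cs["name"]] = term["exitCode"]
    return codes
def _matches(rule: Dict, pod: Dict) -> bool:
    on_codes = rule.get("onExitCodes")
    if on_codes:  # a rule carries either onExitCodes or onPodConditions
        for name, code in _nonzero_exit_codes(pod).items():
            if on_codes.get("containerName") in (None, name) and \
                    (code in on_codes["values"]) == (on_codes["operator"] == "In"):
                return True
        return False
    actual = [(c["type"], c["status"]) for c in (pod.get("status") or {}).get("conditions", [])]
    return any((c["type"], c["status"]) in actual for c in rule.get("onPodConditions", []))
def apply_failure_policy(job_spec: Dict, pod: Dict) -> str:
    """First matching rule decides; with no match the failure simply counts."""
    for rule in (job_spec.get("podFailurePolicy") or {}).get("rules", []):
        if _matches(rule, pod):
            return rule["action"]
    return "Count"
def replay_failures(job_spec: Dict, failed_pods: List[Dict]) -> Dict:
    """Replay terminated pods in order and report how the Job would end up."""
    counted = 0
    for i, pod in enumerate(failed_pods):
        action = apply_failure_policy(job_spec, pod)
        if action == "Count":
            counted += 1
        # The Job fails on FailJob, or once counted failures exceed backoffLimit.
        if action == "FailJob" or counted > job_spec.get("backoffLimit", 6):
            return {"outcome": "Failed", "counted": counted, "stopped_at": i}
    return {"outcome": "Retrying", "counted": counted, "stopped_at": None}
# Constructed Job spec: exit code 42 is a permanent error; a disruption
# (DisruptionTarget condition) does not count against the retry budget.
JOB_SPEC = {"backoffLimit": 2, "podFailurePolicy": {"rules": [
    {"action": "FailJob", "onExitCodes": {"containerName": "main", "operator": "In", "values": [42]}},
    {"action": "Ignore", "onPodConditions": [{"type": "DisruptionTarget", "status": "True"}]}]}}
def failed_pod(exit_code: int, disrupted: bool = False) -> Dict:
    """Constructed terminated pod with a single container named 'main'."""
    return {"status": {"containerStatuses": [{"name": "main", "state": {"terminated": {"exitCode": exit_code}}}],
                       "conditions": [{"type": "DisruptionTarget", "status": "True"}] if disrupted else []}}
```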
FAQ
Is PodSecurityPolicy completely removed in 1.25?
Yes, PodSecurityPolicy has been completely removed from the core API. You must migrate to the PodSecurity admission controller or third-party alternatives like OPA Gatekeeper before upgrading to 1.25.
What happens to my GlusterFS volumes after upgrading?
The in-tree GlusterFS driver has been removed. You need to migrate to the CSI-based GlusterFS driver before upgrading. Existing volumes will become inaccessible if you haven't completed the migration.
Can I use cgroups v2 on older Linux kernels?
No, cgroups v2 requires Linux kernel 5.8 or newer. Nodes with older kernels will continue using cgroups v1, but you won't benefit from the new resource management features.
How do Ephemeral Containers affect pod security?
Ephemeral containers inherit the security context of the target pod but can be constrained through security policies. The PodSecurity admission controller can restrict which users can create debug containers based on namespace policies.
What's the benefit of ReadWriteOncePod access mode?
ReadWriteOncePod ensures that only one pod can access a PersistentVolume at a time. This prevents data corruption in stateful applications where multiple writers would cause issues, such as databases or file-based storage systems.