Last checked and updated on 05 Jun 2026
What Is New in Kubernetes 1.29
Kubernetes 1.29, dubbed "Mandala," delivers a substantial set of enhancements focused on control plane stability, security, and expanding the ecosystem of workloads it can support. This release includes several long-awaited features moving to stable.
| Category | Key Highlights |
|---|---|
| New Features (Stable) | ReadWriteOncePod, Node Log Query, Structured Parameters for Dynamic Resource Allocation, LoadBalancer IP Mode |
| Security | KMS v2 Stability, User Namespace Support (alpha), seccomp by Default for kubelet |
| Improvements & Changes | Pod Replacement Policy for Jobs, Min Domains in Pod Topology Spread, IPv4/IPv6 Dual-Stack Networking (removed) |
| Deprecations & Removals | Kubernetes API Removal: v1beta1 FlowSchema and PriorityLevelConfiguration, Removal of several in-tree cloud provider integrations |
What are the major new stable features?
Four major features graduated to stable in this release, bringing production-ready capabilities for storage, debugging, and networking.
ReadWriteOncePod Access Mode
The ReadWriteOncePod access mode for PersistentVolumes ensures a volume can be mounted by only a
single pod across the entire cluster. This is a game-changer for stateful workloads like databases that require
strict write exclusivity to prevent data corruption.
Node Log Query
The node log query feature (/logs endpoint) moves to stable, providing a standardized API to
retrieve container logs directly from the kubelet. This simplifies debugging by offering a consistent way to
access logs without relying solely on a cluster-level logging solution.
LoadBalancer IP Mode
The ipMode field for LoadBalancer Services allows you to specify whether the load balancer's IP
should route traffic to the node's internal IP or to the pod's IP. This provides finer control over traffic
flow, which is critical for certain network configurations.
How does Kubernetes 1.29 improve security?
This release hardens security through encryption stability and granular isolation features, reducing the attack surface by default.
KMS v2 Encryption Stability
Key Management Service (KMS) v2 API for at-rest encryption graduates to stable. It offers performance improvements over v1 with key rotation without a full secret re-encryption and health checks.
User Namespaces Support (Alpha)
User namespaces for pods enter alpha, allowing you to remap UIDs and GIDs inside a container to a different range on the host. This dramatically limits the impact of a container breakout by isolating host privileges.
seccomp by Default
The kubelet now uses a default seccomp profile if no other profile is specified, restricting the syscalls a container can make. This is a major step towards a more secure out-of-the-box configuration.
What workload management improvements were added?
Enhancements to Jobs and topology spreading give developers more control over pod lifecycle and placement.
Pod Replacement Policy for Jobs
The podReplacementPolicy field for Jobs allows you to control when failed pods are replaced. Setting
it to Failed prevents Kubernetes from creating a new pod until the old one is fully terminated,
helping to avoid resource spikes.
MinDomains in Pod Topology Spread
You can now set a minimum number of domains (minDomains) for Pod Topology Spread constraints. This
guarantees a minimum level of spread even if there are more pods than domains, ensuring better high
availability.
What has been deprecated or removed?
Kubernetes 1.29 continues the project's cleanup by removing outdated APIs and features, pushing users towards modern alternatives.
The v1beta1 API versions for FlowSchema and PriorityLevelConfiguration (part of the
flowcontrol.apiserver.k8s.io group) are no longer served. You must migrate to the v1 API version.
Dual-stack IPv4/IPv6 networking, which was previously deprecated, has now been completely removed from the codebase. Cloud provider integrations for Azure, OpenStack, and vSphere have also been cut after being replaced by external cloud controller managers.
FAQ
When should I use ReadWriteOncePod over ReadWriteOnce?
Use ReadWriteOncePod when
you need an absolute guarantee that only one pod in the entire cluster can write to a volume. This is critical
for data safety in distributed databases (e.g., PostgreSQL, MySQL) to prevent split-brain scenarios. Standard
ReadWriteOnce only restricts mounting to one node, not one pod.
Does the stable KMS v2 API require me to reconfigure my encryption?
No, if you were already
using the v2 API in its beta form, your configuration should continue to work seamlessly. The upgrade to stable
is backward-compatible. If you're on v1, you should plan a migration to v2 for its key rotation and health check
benefits.
What happens to my LoadBalancer Service if I don't set ipMode?
The behavior remains
unchanged. The default traffic routing depends on your cloud provider's implementation, which typically routes
to the node IP. The new ipMode field gives you explicit control to override this and route directly
to the pod IP if needed.
Why is dual-stack networking being removed?
The original dual-stack implementation was
considered incomplete and was superseded by a newer, more robust implementation. The removal cleans up the old
code to reduce maintenance burden and prevent confusion. You should be using the newer dual-stack support if
needed.
How does the Pod Replacement Policy for Jobs help with resource usage?
By setting
podReplacementPolicy: Failed, you prevent Kubernetes from immediately creating a new replacement
pod the moment a failure is detected. This avoids a potential "thundering herd" of pod creations and
terminations, which can lead to resource exhaustion on nodes during large Job failures.