What is New in Kubernetes 1.30
Kubernetes 1.30, nicknamed Uwubernetes, delivers a strong mix of stability improvements, security enhancements, and feature graduations. The release includes 45 enhancements with 17 features reaching stable status, 18 moving to beta, and several new alpha capabilities.
Key focus areas include maturing scheduler performance with queueing hints, structured authentication and authorization configuration, better memory swap handling on Linux nodes, user namespace support, and continued progress on Dynamic Resource Allocation (DRA). Administrators will benefit from improved security, more reliable pod scheduling, and easier cluster operations.
Major Feature Promotions
Kubernetes 1.30 graduates many features to stable and beta status, making them ready for production use.
| Feature | Status in 1.30 | Description |
|---|---|---|
| ValidatingAdmissionPolicy | GA (Stable) | ValidatingAdmissionPolicy is now generally available and enabled by default. |
| Pod scheduling gates | GA (Stable) | The .spec.schedulingGates field is always available without a feature gate. |
| MinDomains in PodTopologySpread | GA (Stable) | Support for minDomains in topology spread constraints is now stable. |
| HorizontalPodAutoscaler per-container metrics | GA (Stable) | Container resource based autoscaling is now stable. |
| CloudDualStackNodeIPs and PodHostIPs | GA (Stable) | Dual-stack node IP support and hostIPs in pod status are now always available. |
| NewVolumeManagerReconstruction | GA (Stable) | Improved volume manager reconstruction logic is now stable. |
| StructuredAuthenticationConfiguration | Beta (enabled by default) | Supports multiple JWT authenticators and dynamic configuration reload. |
| Contextual logging | Beta (enabled by default) | Improved structured logging with context information. |
| Forensic Container Checkpointing | Beta | Enhanced debugging through container checkpointing. |
| LoadBalancerIPMode and ImageMaximumGCAge | Beta | Flexible LoadBalancer IP handling and image garbage collection age control. |
Dynamic Resource Allocation (DRA) Improvements
DRA receives structured parameters support and other refinements to make device allocation more efficient.
- Structured parameters allow the scheduler to handle ResourceClaim allocation directly.
- ResourceClaim and PodSchedulingContext status updates no longer permit metadata changes.
- Fixed potential data races and reduced scheduling latency impact for pods using DRA resources.
- Better handling of pods rejected by PreEnqueue plugins related to DRA.
These updates prepare DRA for broader adoption with hardware accelerators like GPUs.
Scheduler Enhancements
The scheduler benefits from queueing hints and other performance optimizations.
- Scheduling hints added for NodeAffinity, NodeResourceFit, NodeUnschedulable, and PodTopologySpread plugins to reduce unnecessary retries.
- Improved throughput for DaemonSet pods and gated pods.
- Sidecar and init container image locations are now considered during scoring.
- Better preemption behavior that respects PodDisruptionBudgets.
- Performance gains when no scoring plugins are defined and for MultiPoint plugin handling.
Node and Kubelet Updates
Kubelet introduces better memory management and security controls.
- Memory swap support on Linux with new swapBehavior values (NoSwap is default; UnlimitedSwap removed).
- User namespaces move to beta with support for pods with and without volumes, plus configurable UID/GID ranges.
- Kubelet rejects pods that set hostUsers: false if the container runtime does not support user namespaces.
- Concurrent log rotation with configurable workers and monitoring interval.
- New metrics for image pull duration, memory manager, and lifecycle handler sleep actions.
- Added /sys/devices/virtual/powercap to default masked paths for security.
- SELinuxMount (alpha) for faster volume relabeling and Recursive Read-Only mounts support.
Security and Authentication Improvements
Security receives significant attention with structured configuration options.
- AppArmor profiles can now be set directly in PodSecurityContext and container SecurityContext (beta annotations deprecated).
- Structured Authorization Configuration supports multiple webhooks and is enabled by default in beta.
- OIDC authentication fails cleanly if username extraction returns empty.
- Service account tokens include embedded node information and JTI field for better security.
- Fixed important vulnerabilities including command injection on Windows and checkpoint API denial-of-service.
Kubeadm and Cluster Lifecycle
Kubeadm includes practical fixes and improvements for initialization and upgrades.
- WaitForAllControlPlaneComponents feature gate to ensure all control plane components are ready.
- Improved upgrade plan output showing all nodes needing updates.
- Better handling of etcd member addition/removal and certs check-expiration with structured output (v1alpha3).
- Removed socat and ebtables from preflight checks.
- Fixed several regressions in config handling and timeout behavior.
Bug Fixes and Regressions Addressed
Kubernetes 1.30 resolves multiple issues from previous versions.
| Component | Key Fixes |
|---|---|
| kube-proxy (Windows) | Fixed race condition that could blackhole UDP traffic and intermittent ClusterIP issues. |
| Kubelet | Prevented volume unmount on restart when PVC is deleting, fixed terminated pod re-admission, and improved init container handling. |
| Scheduler | Fixed preemption violations of PDBs and nil panic regressions with affinity rules. |
| Storage | Fixed volume reconstruction, multipath device handling, and PV phase assignment for CSI migrated volumes. |
| API Server | Improved watch stability and fixed connection issues with websocket exec/attach/portforward. |
Additional fixes address memory leaks in tracing, endpoints synchronization, and various Windows-specific behaviors.
Deprecations and Removals
Several legacy items have been cleaned up.
- SecurityContextDeny admission plugin removed (use Pod Security Admission instead).
- Deprecated beta AppArmor annotations replaced by fields in SecurityContext.
- vSphere and Azure in-tree cloud providers removed (use external CSI drivers).
- azureFile in-tree storage plugin deprecated.
- Multiple GA feature gates removed as they are now unconditionally enabled.
- The kubectl apply --prune-whitelist flag was removed in favor of --prune-allowlist.
Review the upgrade notes if you use in-tree providers or older admission configurations.
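The AppArmor change listed under Security and again under Deprecations means existing manifests need their beta annotations rewritten as securityContext fields. The helper below is an added example, not code from the Kubernetes project: it performs that rewrite on a parsed Pod manifest and reports the cases it leaves for a human. The function names and the sample manifest are constructed for illustration.

```python
import copy

PREFIX = "container.apparmor.security.beta.kubernetes.io/"  # deprecated beta annotation

def profile_from_annotation(value):
    """Translate a beta annotation value into the appArmorProfile field form."""
    if value == "runtime/default":
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value.startswith("localhost/") and value != "localhost/":
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unrecognised AppArmor annotation value: {value!r}")

def migrate_apparmor(pod):
    """Return (migrated copy, findings); the input manifest is left untouched."""
    pod = copy.deepcopy(pod)
    annotations = pod.get("metadata", {}).get("annotations") or {}
    containers = {c["name"]: c
                  for kind in ("initContainers", "containers", "ephemeralContainers")
                  for c in (pod.get("spec", {}).get(kind) or [])}
    findings = []
    for key in sorted(k for k in annotations if k.startswith(PREFIX)):
        name = key[len(PREFIX):]
        if name not in containers:
            findings.append(f"{name}: no such container, annotation left in place")
            continue
        wanted = profile_from_annotation(annotations[key])
        ctx = containers[name].setdefault("securityContext", {})
        # An explicit field that differs from the annotation is a conflict to review.
        if ctx.get("appArmorProfile", wanted) != wanted:
            findings.append(f"{name}: field and annotation disagree, left for review")
            continue
        ctx["appArmorProfile"] = wanted
        del annotations[key]
        findings.append(f"{name}: moved to securityContext.appArmorProfile")
    return pod, findings

# Constructed sample manifest for illustration (not from the page).
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo", "annotations": {
        PREFIX + "app": "localhost/k8s-demo-profile",
        PREFIX + "sidecar": "runtime/default",
        PREFIX + "gone": "unconfined"}},
    "spec": {"containers": [
        {"name": "app", "image": "registry.example/app:1"},
        {"name": "sidecar", "image": "registry.example/sidecar:1",
         "securityContext": {"appArmorProfile": {"type": "Unconfined"}}}]}}

if __name__ == "__main__":
    print("\n".join(migrate_apparmor(SAMPLE_POD)[1]))
```

Annotations that name a missing container or contradict an existing field are kept as-is, so a weaker profile is never silently applied during migration.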
Dependencies and Build Changes
Kubernetes 1.30 is built with Go 1.22 (with later patch releases updating to Go 1.23.x). CoreDNS was upgraded to v1.11.3, and many deprecated dependencies were removed for improved security and maintainability.
These updates help keep the codebase secure and compatible with modern tooling.
Summary
Kubernetes 1.30 strengthens the platform with stable ValidatingAdmissionPolicy, better scheduler efficiency, structured auth configuration, and improved node memory and security features. The release balances new capabilities with important bug fixes and cleanup of legacy components.
Whether you run large production clusters or focus on advanced scheduling and device management, Kubernetes 1.30 offers enhanced reliability and security. Test upgrades thoroughly in non-production environments and consult the full upgrade documentation for a smooth transition.