Only registred users can make comments
kubernetes news
Written By Aleksandro Matejic
Published 2025-03-14 22:16:55

New Features in Kubernetes 1.32: An Overview

Kubernetes 1.32, codenamed “Penelope”, introduces new features and enhancements across different areas of the system. In this blog post, we break down the notable additions by category, helping you understand what each feature is, when to use it, how to implement it, and where to find more details (via the official KEP – Kubernetes Enhancement Proposal).

Kubernetes 1.32 New Features

Table Of Content

1. API & Custom Resources

2. Security & Policy

3. Networking

4. Storage & Data Management

5. Node & Resource Management

6. Scheduling

7. Workloads & Controllers

8. Observability & Operations

9. Windows Node Enhancements

10. Conclusion

API & Custom Resources

Custom Resource Field Selectors

πŸ”— KEP-4358

Kubernetes v1.32 allows custom resource definitions (CRDs) to support field selectors, similar to those for built-in objects. This means CRD authors can designate certain spec or status fields as selectable, enabling server-side filtering of custom resources. Before this, you could only filter CRDs by metadata.name or namespace, but now you can define custom fields (like .spec.color or .status.phase) to query against.

When to Use It: Use this feature when you have a large number of custom resources and need to list or watch only those with specific field values. It’s especially useful for controllers or UIs that need to efficiently find custom resources matching criteria (for example, all instances of a CRD in a certain state).

How to Implement It: When defining a CRD, add a selectableFields section listing the JSON paths of fields you want to make filterable. For example, you might specify .spec.color as selectable in your CRD schema. Once that’s in place (and the cluster is running 1.32+), you can use kubectl get <crd> --field-selector spec.color=blue to retrieve resources with that field value. No feature gate is required as this is a stable feature in 1.32.

API Server Retries for generateName Collisions

πŸ”— KEP-4420

The Kubernetes API server can now automatically retry object creations that use the generateName field when a name conflict occurs. Previously, if two clients created resources (like ConfigMaps or Jobs) with the same generateName prefix at the same time, one would fail due to a name collision. In 1.32, the API server will retry up to 7 times to generate a unique name.

When to Use It: This improvement is automatically in effect and doesn’t require user action, but it’s beneficial in scenarios like Job or Pod creation where generateName is used to get a random suffix. It reduces the chance of seeing errors in high-concurrency environments. Use generateName as before – the system is simply more robust now.

How to Implement It: There’s nothing specific to implement for end users; just be aware that Kubernetes 1.32 handles these collisions for you. If you’re testing this feature explicitly, you could attempt to create a large number of resources with the same generateName in parallel and observe that Kubernetes avoids conflicts. (As an alpha feature in 1.32, this might be behind a feature gate by the name ApiServerGenerateNameRetries, but it is targeted to become a standard behavior.)

Security & Policy

Bound Service Account Token Enhancements

πŸ”— KEP-4193

Kubernetes 1.32 strengthens service account tokens by further binding them to specific Kubernetes objects. When you create a token for a service account, you can bind its validity to a particular Pod, Secret, or even a Node. The token’s JWT claims now include the bound object’s name and UID, and even the node name if applicable. This means if the object is deleted (or the node changes), the token automatically becomes invalid.

When to Use It: Use bound tokens whenever possible to tighten security. For example, if a service account token is only meant to be used by a specific Pod, binding it ensures it can’t be misused elsewhere. In multi-tenant clusters or any security-conscious environment, this reduces the risk of token theft leading to broader cluster access.

How to Implement It: Kubernetes already issues bound tokens when you use the TokenRequest API. To manually create one, you can run a command like kubectl create token <sa-name> --bound-object-kind=Pod --bound-object-name=<pod-name> to get a token tied to a given Pod. The token review API can show you the token’s embedded claims to verify the binding. This feature is enabled by default in 1.32 (no need to enable a feature gate).

Structured Authorization Configuration

πŸ”— KEP-3221

Kubernetes now offers a way to configure multiple authorization modules in a sequence with fine-grained control. Instead of relying on a single mode (or the fixed order of AlwaysAllow, RBAC, Webhook, etc.), you can define a AuthorizationConfiguration file that specifies a chain of authorizers and conditions for each. This supports advanced scenarios like using a webhook authorizer only for certain requests, then falling back to RBAC, etc., with CEL expressions to decide which authorizer applies.

When to Use It: Use this when the built-in RBAC (or other single authorizer) isn’t sufficient for your needs. For instance, if you have special rules for a subset of requests (like all requests to a certain namespace must go through a webhook authorizer with extra business logic), this feature lets you enforce that without writing a custom authorization proxy.

How to Implement It: Enable the feature gate if it’s not enabled by default (it was alpha in 1.32). Then create an authorization config file (API version apiserver.config.k8s.io/v1 or v1beta1) and list your authorizers in order. Each entry can include a type (e.g., Webhook, RBAC), a name, and optional matchConditions (CEL expressions) to restrict which requests it handles. Start the API server with the flag --authorization-config-file=<your-config.yaml> instead of the usual --authorization-mode. Kubernetes will then process authZ by checking each authorizer in sequence as defined.

Restricting Anonymous API Access

πŸ”— KEP-4633

This feature lets cluster admins specify exactly which API endpoints (if any) should allow anonymous access. By default, Kubernetes can allow unauthenticated requests to certain endpoints like /healthz or /metrics (if not behind auth). In 1.32, you can narrow this down so that only a defined set of paths are permitted for anonymous requests, and everything else rejects anonymous users.

When to Use It: This is useful in hardened clusters where you want to ensure no accidental exposure. Even if you’ve left --anonymous-auth=true on the API server for health checks, you might want to guarantee that only health and readiness endpoints are reachable without auth. It provides defense in depth against misconfigurations.

How to Implement It: Kubernetes 1.32 introduces an AuthenticationConfiguration file for the API server. In this file, you can specify an anonymous section with an allowlist of URL paths. For example, you might allow /livez, /readyz, and /healthz for unauthenticated access and nothing else. Then start the API server with --authentication-config-file=<config.yaml>. With this in place, any anonymous request to an endpoint not listed will be denied, even if RBAC rules are open.

Mutating Admission Policies via CEL

πŸ”— KEP-3962

Kubernetes 1.32 introduces MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding resources, which allow you to define mutation rules using CEL (Common Expression Language) rather than writing a webhook. This is analogous to the existing validating admission policies. You can declare policies that automatically modify incoming API requests – for example, adding a default label or injecting a sidecar container – all within the API server’s admission chain.

When to Use It: Use this to simplify your admission control setup. If you currently maintain mutating webhook services (for tasks like adding tolerations, defaults, or enforcing naming conventions), you can replace some of them with CEL-based policies. This reduces operational overhead (no separate service to manage) and latency. It’s ideal for standard, repeated mutations that can be expressed as rules.

How to Implement It: This feature is in alpha, so you’ll need to enable the MutatingAdmissionPolicy feature gate on the API server. Once on, you can create a MutatingAdmissionPolicy CRD with rules. Each rule defines a match criteria (which objects, what operations) and a mutation to apply, either as a JSON Patch or as a “apply” style overlay. For instance, you could write a policy that says: if a created Pod has no sidecar container, then append a predefined sidecar spec. After creating the policy, you usually also create a MutatingAdmissionPolicyBinding to enforce it (binding it cluster-wide or to certain namespaces). The API server will then execute these mutations during admission, in order.

Networking

Pod status.hostIPs for Dual-Stack Nodes

πŸ”— KEP-2681

Pods now report all the IP addresses of their node in the Pod status. In addition to the existing status.hostIP (which held a single IP), there’s a new array status.hostIPs that can contain multiple addresses. Typically, this will include both an IPv4 and IPv6 address when the node is dual-stack. This change also comes with Downward API support, meaning pods can self-discover their node’s addresses easily.

When to Use It: If you’re running dual-stack clusters, this is very useful. Applications can use the Downward API to get the node’s IPv4/IPv6 and, for example, register themselves in service discovery with both addresses. It’s also handy for any scenario where a pod needs to know something about the node it’s running on (like to contact a node-local service via the appropriate IP).

How to Implement It: This feature is GA in 1.32, so it’s on by default. You don’t need to do anything special except upgrade your cluster. To use the information, you can mount the Downward API as an environment variable or file. For example, an environment variable with fieldPath: status.hostIPs will now provide a list of IPs (the exact syntax may allow indexing into the list). Alternatively, just inspect the Pod’s status  kubectl get pod -o yaml and you’ll see both hostIP and hostIPs. If you only have single-stack networking, hostIPs will just have one entry (same as hostIP).

Configurable LoadBalancer IP Mode

πŸ”— KEP-1860

Kubernetes Services of type LoadBalancer gain a new setting that influences how kube-proxy handles the service’s external IP. Cloud providers can now specify an ipMode in the Service’s status (via the cloud controller manager) which can be “Proxy” or “VIP”. In “VIP” mode (the traditional behavior), kube-proxy binds the load balancer’s external IP to the node’s network interface. In “Proxy” mode, kube-proxy will not bind the IP, and will instead rely on proxying, which is useful for certain cloud load balancer implementations.

When to Use It: As a cluster operator, you don’t set this directly; it’s used by cloud providers. It is beneficial on clouds where the native load balancer expects to handle the routing itself (for example, to avoid conflicts or double handling of traffic). If you’re noticing issues like health check failures or bypassed features (TLS termination, PROXY protocol) with your cloud LB, this enhancement allows the cloud provider to fix that by switching to Proxy mode. Essentially, it brings Kubernetes networking in line with the cloud’s networking model.

How to Implement It: Ensure your cloud controller manager is updated to a version that supports this feature (1.32 or above, and the cloud provider code implements it). The cloud controller will set the ipMode in the status.loadBalancer field of the Service, typically automatically based on the cloud’s default or annotations. Kube-proxy in 1.32 will read this field. There’s no user action unless your cloud provider offers a way to choose the mode (e.g., an annotation). If so, you could annotate a Service to indicate you prefer Proxy mode, and the CCM will mark it accordingly. Otherwise, just be aware of it – it should “just work” by making LB's behavior more correct.

Relaxed DNS Search Domain Validation

πŸ”— KEP-4427

Kubernetes 1.32 introduces a more lenient validation for DNS search domains in Pod dnsConfig. Historically, Kubernetes (following RFC 1123) disallowed certain entries in the searches list, notably those with underscores _ or a single dot . as a domain. With this feature (alpha in 1.32), those restrictions can be lifted. This means you can include domains like _tcp.example.com or just . in your search list if needed.

When to Use It: In some environments, particularly with legacy systems or certain discovery protocols, you might need search domains that don’t strictly conform to DNS naming rules. For example, Microsoft Active Directory can use underscores in SRV records, and some setups might use alone . to indicate a search root. If your workloads have to resolve such domains, this feature can accommodate that . Otherwise, most users won’t need to change the default behavior.

How to Implement It: Because this is an alpha feature, you’d need to enable the feature gate RelaxedDNSSearchValidation on the API server and kubelet. Once enabled, you can create Pods with a dnsConfig.searches list that includes entries like _svc._tcp.example.com or .

Kubernetes will allow those values (without the feature, it would reject the Pod spec). Make sure to test this in a non-production cluster, as improper use of search domains can have DNS resolution implications.

Storage & Data Management

Automatic PVC Cleanup for StatefulSets

πŸ”— KEP-1847

A new policy for StatefulSets lets you control what happens to PersistentVolumeClaims (PVCs) when you delete or scale down a StatefulSet. Kubernetes 1.32 adds the persistentVolumeClaimRetentionPolicy field to the StatefulSet spec, which has two settings: whenDeleted and whenScaled. Each can be set to either Retain (the old behavior) or Delete. For example, you can now have Kubernetes automatically delete the PVCs for pods that you remove (scale down) while still keeping PVCs if the whole StatefulSet is deleted – or vice versa.

When to Use It: This is very useful for managing the storage lifecycle. If your StatefulSet is managing truly persistent data (like a database), you might keep PVCs on deletion to avoid data loss. But if your StatefulSet is more ephemeral or you manage backups externally, you may choose to delete PVCs when the StatefulSet is removed to avoid orphaned volumes. For scale-down, auto-deleting PVCs can save space when you remove pods intentionally (as opposed to pods being temporarily gone during upgrades).

How to Implement It: Simply edit your StatefulSet manifest in 1.32 to include:

spec:
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain|Delete
    whenScaled: Retain|Delete

This would delete all PVCs if the whole StatefulSet is deleted, but retain PVCs on scale-down (perhaps to allow re-use if scaling back up). Choose the combination that fits your use case. Once set, the controller will handle it – if a Pod is removed due to scaling or StatefulSet deletion, Kubernetes will delete its associated PVC according to the policy (note: it only deletes PVCs that the StatefulSet controller created). Ensure you’ve upgraded your cluster to 1.32 so the field is supported. This greatly reduces manual storage clean-up and avoids forgotten volumes piling up.

Volume Group Snapshot 

πŸ”— KEP-3476

Use volume group snapshots when you need to take simultaneous snapshots of multiple volumes that need to be consistent with each other. This is common with stateful applications like databases that use multiple PVCs (for data, logs, etc.) where a point-in-time snapshot across all volumes is needed for consistency. In Kubernetes 1.32, VolumeGroupSnapshot has matured to Beta, meaning you can more easily create crash-consistent backups across several PVCs at once. This is useful for backing up complex apps or doing data migration, ensuring that all related volumes are captured at the exact same time, avoiding data skew between them.

How to Implement: First, ensure your CSI snapshot controller and CSI driver support group snapshots (Kubernetes external-snapshotter v5.1+ and a CSI driver with the group snapshot capability). On Kubernetes 1.32, enable the VolumeGroupSnapshot feature gate if it’s not already (it’s Beta, so likely on by default). The cluster should have the VolumeGroupSnapshot CRDs installed (most distributions will include them). Then you can create a VolumeGroupSnapshot object via the Kubernetes API. In the spec, you will reference the PVCs (or a label selector for PVCs) that you want included in the group snapshot. Kubernetes will coordinate with the CSI driver to snapshot all those volumes together. For example:

apiVersion: snapshot.storage.k8s.io/v1beta1
kind: VolumeGroupSnapshot
metadata: { name: my-app-group-snapshot }
spec:
  volumeSnapshots:
  - persistentVolumeClaimName: data-pvc
  - persistentVolumeClaimName: logs-pvc
  volumeGroupSnapshotClassName: <your-snapshot-class>

Once created, the snapshot controller will handle taking snapshots of each volume at the same time. You’ll end up with individual VolumeSnapshot objects that belong to the group (and underlying VolumeGroupSnapshotContent records). Restoring is similar: you can create new PVCs from those grouped snapshots. Note: This requires storage vendor support – check that your CSI driver version supports volume group snapshots (many will in 1.32+). When configured, using this feature will give you a single consistent restore point for all volumes in the group

Recover from Volume Expansion Failures

πŸ”—KEP-1790

This feature helps when a PVC expansion cannot be fulfilled – for example, you requested a new size that the storage backend can’t provide (out of space or beyond quota). Previously, once a volume expansion failed, you were stuck because Kubernetes wouldn’t let you shrink the PVC request to try a smaller size, and the PVC could be left in a limbo state. In 1.32, Kubernetes can handle expansion failures more gracefully by allowing a retry with a different size. Use this if you encounter expansion failures; it improves resilience by giving you a path forward (other than deleting and re-creating the PVC). This is particularly useful in on-prem or quota-managed environments where you might overshoot an expansion and then want to adjust.

How to Implement: This is a beta feature in 1.32 (and likely enabled by default when beta). If a volume expansion fails, you (or the external controller) can now modify the PVC to a smaller size than originally requested (but not smaller than the current actual size) and Kubernetes will attempt the expansion again. In practice, ensure the feature gate RecoverVolumeExpansionFailure is on. Then, if you see a PVC stuck in an “ExpansionFailed” condition, edit the PVC’s .spec.resources.requests.storage to a slightly lower value that might succeed (maybe the maximum available space). The control plane will trigger the volume expansion controller to retry using that new target size. There’s no direct user command for “retry”; it’s the act of editing to a smaller size that signals the retry. The PVC should then proceed to expand (if the new size is acceptable to the storage system). This mechanism protects against permanent stuck PVCs and reduces manual intervention. Always check storage provider documentation on how it reports failures – this feature kicks in on recognized failure conditions to allow the size tweak.

Node & Resource Management

Dynamic Sizing for Memory-backed Volumes (GA)

πŸ”—KEP-1967

EmptyDir volumes with medium: "Memory" now dynamically size themselves based on your Pod’s resources. In Kubernetes 1.32, this feature graduates to GA οΏΌ. Previously, a tmpfs (memory) volume would default to 50% of the node’s memory, which could be unpredictable across nodes. Now, the maximum size of such volumes is the lesser of the Pod’s memory limit and an optional sizeLimit if you specify one οΏΌ.
When to Use It: You likely benefit from this automatically if you use memory-backed volumes (e.g., for caching or scratch space). It improves portability – a Pod that’s limited to 1Gi memory will have its memory EmptyDir capped at ~1Gi, even if running on a big node οΏΌ. Use this to avoid unintentionally consuming excessive memory on a node and to ensure pods behave consistently in different environments (dev vs prod hardware).
How to Implement It: No action is needed for basic use; the scheduler and kubelet enforce the new sizing by default in 1.32 (the feature gate SizeMemoryBackedVolumes is now on by default). If you want a custom size smaller than the Pod memory, you can still set sizeLimit on the EmptyDir volume as before. To test it, create a Pod with a memory limit and an EmptyDir volume (medium: Memory). Inside the pod, check the volume size (e.g., by running df -h in the container) – it should match the Pod’s limit (or the explicit sizeLimit if set), not half the node’s RAM.

Strict Pod-to-Core CPU Allocation (Beta)

πŸ”—KEP-2625

A new CPU manager option in 1.32 (beta) ensures that if a Pod requests full CPU cores, it gets exclusive cores without sharing them with other pods (considering hyperthreading). In simpler terms, it can reject pods that request fractional CPU when the policy is enabled. This prevents two different pods from ending up on two threads of the same physical core (which can contend with each other).

When to Use It: Use this in performance-sensitive environments where CPU isolation is critical – for example, high-frequency trading, telecom NFV workloads, or database workloads that are sensitive to CPU jitter. If you have a node dedicated to “exclusive” workloads, you can enable this so any pod that isn’t asking for whole CPUs will just not be scheduled there, ensuring those that are scheduled truly have isolated cores to themselves.

How to Implement It: This feature comes under the CPU Manager in the kubelet. Enable the feature gate (likely named CPUManagerPolicyOptions) on the nodes. In the kubelet config, when using the static CPU manager policy, you can specify an option to disallow SMT-aligned (Simultaneous MultiThreading) sharing. For example, set --cpu-manager-policy=static and --cpu-manager-policy-options=full-pcores-only=true (the exact syntax could differ) . With that in place, the scheduler will also take this into account – if a pod requests 0.5 CPU, it won’t schedule it onto a node with this strict policy. Only pods requesting integer CPU (1, 2, 4, etc.) will run there. Monitor your pods; if some get pending with “Not enough CPUs” even though there’s a fractional CPU free, it could be due to this policy (which is by design).

Pod-Level Resource Requests & Limits (Alpha)

πŸ”— KEP-2837

Traditionally, CPU and memory requests/limits are set per container. In 1.32, an alpha feature lets you specify resource requirements at the Pod level as well οΏΌ. This means you can treat the entire Pod as a scheduling unit with a total resource ask, without splitting it among individual containers manually.


When to Use It: This can simplify configuration for Pods with many containers (sidecars, ambassadors, etc.). Instead of figuring out how to divide 1 CPU across 3 containers, you could just request 1 CPU at the Pod level and let Kubernetes ensure the sum of container requests doesn’t exceed that. It’s also useful for Vertical Pod Autoscaler or other tooling that might prefer operating on the whole Pod’s resources. Note that containers still need some values – this feature likely coexists with per-container requests to some degree – but it allows an easier “whole pod” guarantee.


How to Implement It: Because it’s alpha, enable the feature gate (for example PodResources or similar) on both the API server and scheduler. The Pod spec gets new fields, probably spec.resources.requests and spec.resources.limits as maps for CPU, memory, etc. You’d set those at the Pod level in addition to (or instead of) container-level requests. In 1.32, the scheduler will consider the Pod-level request if present (ensuring a node has that much free), and the kubelet will enforce the Pod limit across all containers. You might use this along with Guaranteed QoS pods to lock a whole Pod to certain resources. As it’s alpha, expect possible changes in syntax in future releases.

In-Place Pod Resource Resize (Alpha)

πŸ”— KEP-1287

Kubernetes 1.32 makes progress on in-place resource resizing. This feature (alpha) allows you to increase or decrease a container’s CPU and memory requests/limits without killing the Pod. Currently, to change resources, you typically have to delete the Pod or let a deployment roll out a new one. In-place resize aims to adjust the cgroup of the running container so it can use more or less resources on the fly.

When to Use It: Imagine a stateful service that is running low on memory; previously you’d either suffer until a restart or do a disruptive redeploy with higher limits. With in-place resize, you can patch the Pod’s spec and give it more memory and the container will just get those extra resources. This is excellent for Vertical Pod Autoscaler, which could automatically bump up a Pod’s resources without a restart. It’s also useful in scenarios where a quick surge in capacity is needed temporarily.

How to Implement It: As an alpha feature, enable the corresponding feature gate (e.g., InPlacePodVerticalScaling) on your cluster components. When scheduling pods, you might have to indicate which containers can be resized (the KEP suggests possibly an annotation or field to mark containers that tolerate in-place updates). Then, to resize, you’d issue a patch to the Pod’s spec (for example, using kubectl patch pod <name> -p '{"spec": {"containers": [{"name": "...", "resources": {"limits": {"memory": "2Gi"}}}]}}'). The scheduler and kubelet will coordinate to adjust the allocation. If something prevents in-place update (like not enough room on the node), the behavior might fall back to recreate (the KEP discusses strategies). Because it’s alpha, use this in experiments and watch for improvements in upcoming releases.

Dynamic Resource Allocation (DRA) – Structured Parameters

πŸ”— KEP-4381

Dynamic Resource Allocation is the pluggable system for requesting custom resources (like GPUs or DPUs) via Kubernetes. In 1.32, DRA gets an upgrade: Structured Parameter Support moves to beta. This allows the resource drivers to use typed, structured data in their claims, rather than opaque strings. The scheduler and autoscaler can then understand these parameters and make decisions without calling external drivers.

When to Use It: If you use specialized hardware through DRA (for example, a GPU vendor plugin), this feature allows more intelligence. For instance, you might request a GPU with model: A100, memory: 40Gi in a structured way. The scheduler can see those parameters and know which nodes have GPUs that match, improving scheduling accuracy. It’s mostly of interest to those writing or deploying DRA-based solutions (like device plugins that go beyond the older “extended resources” concept).

How to Implement It: As a cluster admin, enable the DynamicResourceAllocation feature gates and install the updated DRA drivers that support structured params. From a user perspective, when you create a ResourceClaim, the parameters field can now be a JSON object with well-defined fields (the schema is provided by the driver). The driver’s ResourceClass will advertise that it supports structured parameters. Kubernetes components (scheduler, cluster autoscaler) will use that info to simulate allocations and capacity accurately. This means fewer scheduling retries and better bin-packing for things like GPUs. Essentially, use DRA as you normally would, but expect it to work more smoothly in 1.32 if the driver takes advantage of this.

Scheduling

Asynchronous Preemption in Scheduler

πŸ”— KEP-4832

Kubernetes 1.32 introduces Asynchronous Preemption for the scheduler. Normally, when the scheduler finds that a pending high-priority pod could fit only by evicting (preempting) some lower-priority pods, it triggers those preemptions and waits for them to happen before scheduling the pod. With asynchronous preemption, the scheduler doesn’t wait; it initiates the victim pod evictions and then continues scheduling other pods immediately. The preemption logic runs in parallel, which means the scheduler’s main loop is not blocked.

When to Use It: This feature shines in clusters with heavy loads and frequent preemption events (lots of priority/preemption use cases). In such scenarios, the scheduler can become a bottleneck if it’s constantly pausing to handle preemptions. Asynchronous preemption keeps scheduling throughput high. In practice, if you use PriorityClasses and have critical pods that preempt others, enabling this can make the system respond faster under pressure.

How to Implement It: The feature is alpha in 1.32, so you need to enable the SchedulerAsyncPreemption feature gate on the kube-scheduler. Once that’s on, the scheduler will automatically perform preemptions asynchronously. There’s no change needed in pod specs or PriorityClass definitions – they work the same, but the underlying scheduling algorithm is more efficient. Monitor your cluster if you enable this; you should see that the scheduler’s metrics (like scheduling latency) improve when preemptions are involved.

Scheduler Plugin QueueingHints (Per-Plugin Requeue)

πŸ”— KEP-4247

A new mechanism called QueueingHint allows scheduler plugins to give hints about when to retry scheduling a pod. In previous versions, when a pod couldn’t be scheduled, the scheduler would periodically retry it or wait for any relevant cluster event. Now, individual plugins (like the NodeAffinity plugin, ResourceFit plugin, etc.) can say “requeue this pod when X happens”. This avoids unnecessary retries and focuses the scheduler on real opportunities for the pod to schedule.

When to Use It: This is an internal improvement; you’ll “use” it implicitly. It’s most noticeable in large clusters where many pods are unschedulable due to specific constraints. For example, if a pod requires a node with a special label and none exists, the NodeAffinity plugin can hint not to bother retrying until a node’s labels change (or a new node appears). This targeted requeue logic reduces CPU cycles and event spam.

How to Implement It: The feature is likely on by default once beta. Each default scheduler plugin has been updated to provide relevant QueueingHints. As a cluster admin, you just run the 1.32 (or later) scheduler – no configuration is needed because it’s built-in behavior. If you write custom scheduler plugins, you can now utilize the QueueingHint API to hook into this mechanism. In short, after upgrading, your scheduler will be smarter about when to retry unschedulable pods, which you can observe via scheduler metrics or logs.

Workloads & Controllers

Sleep Action for PreStop Hook

πŸ”—KEP-3960

Kubernetes now provides a built-in way to delay pod termination via a sleep in the PreStop hook. Instead of writing a shell script or adding a dummy sidecar to hold a pod open, you can simply specify a sleep duration in the Pod’s lifecycle hooks. For example, you can tell Kubernetes to wait, say, 5 seconds in PreStop. This gives the container time to finish processing or for the service endpoints to update, etc., before the pod is completely removed.

When to Use It: Use this for graceful shutdown of pods. Common scenarios: When you have a load balancer or service mesh that needs a few seconds to stop sending traffic to a pod after it’s been signaled to stop. By sleeping in PreStop, your pod can remain alive just long enough to serve any in-flight requests and avoid connection errors during rolling updates . It’s also useful if your app needs a moment to flush buffers or save state on termination.

How to Implement It: This feature is stable in 1.32 (it was beta in earlier releases under a feature gate). To use it, in your Pod (or container) spec, add:

lifecycle:
  preStop:
    sleep:
      seconds: 5

This example tells Kubernetes to wait 5 seconds when the pod is terminating οΏΌ. Ensure your pod’s terminationGracePeriodSeconds is longer than the sleep (which by default is 30s, so usually fine). No external commands or scripts are needed – Kubernetes handles the delay internally.

External Job Management via managedBy

πŸ”—KEP-4368

The Job API gets a new spec.managedBy field (beta in 1.32) that allows an external controller to take over handling of a Job . Normally, the built-in Kubernetes job controller manages all Jobs (handling retries, completions, etc.). With managedBy, you can set a different controller identity (string) there, and Kubernetes will not manage that Job, assuming your controller will.

When to Use It: This is useful for advanced batch processing systems or multi-cluster batch jobs. For example, if you’re using Kueue or another custom scheduler for batch jobs, that system can create Jobs with managedBy pointing to itself. The benefit is you avoid conflicts or double-handling – the custom controller can implement custom logic (like queueing, fair sharing, multi-cluster dispatch), and Kubernetes won’t interfere with its own controller. It essentially turns the Job object into a handshake point between Kubernetes and external systems.

How to Implement It: To use it, enable the JobManagedBy feature gate (if not already enabled by default). When creating a Job, set spec.managedBy: some-id (anything other than the default kubernetes.io/job-controller). For instance:

apiVersion: batch/v1
kind: Job
spec:
  managedBy: my-controller
  ...

The built-in job controller sees that and will ignore this Job. Your custom controller (identified by “my-controller”) must be running and watching Jobs, and it should take care of spawning pods, tracking completions, etc. If no such controller exists, the Job will just sit there, so use this only in conjunction with the intended external controller. This feature lets you integrate Kubernetes jobs into higher-level orchestration systems cleanly.

Observability & Operations

Kubelet OpenTelemetry Tracing

πŸ”— KEP-2831

Kubernetes 1.32 adds tracing capabilities to the kubelet. The kubelet can emit OpenTelemetry traces for actions like pod creation, container start, and other internal operations. Essentially, each major step the kubelet takes (including interactions with the container runtime, CNI plugin, CSI volume mounts, etc.) can be tracked as a span in a distributed trace.

When to Use It: This is great for debugging performance issues or strange delays in pod startup. If you have ever wondered “why did it take 2 minutes for my container to start?”, tracing can pinpoint if it was image pull, or waiting on a volume, or something else. It’s also useful in large clusters where you want to ensure the control plane and kubelet are working efficiently – you can collect traces from kubelet and see where time is spent. For cloud providers and platform teams, this insight can help optimize configurations.

How to Implement It: This feature was beta in 1.32, so enable the KubeletTracing (or similar) feature gate on your nodes if needed. Then, configure the kubelet with a tracing configuration (likely via the kubelet config file or command-line flags) to output traces. You’ll specify an OpenTelemetry endpoint (perhaps your OpenTelemetry Collector’s address) and sampling rate. Once configured, the kubelet will start sending spans. For example, a pod startup might produce spans for “pull image”, “create container”, “CNI attach”, each with duration and result. Use an OpenTelemetry-compatible viewer (Jaeger, Zipkin, etc.) to visualize the traces. Make sure you have the infra to collect this data, as it can be high volume.

Component /flagz Endpoint

πŸ”— KEP-4828

Inspired by Go’s diagnostics, Kubernetes components (API server, controller manager, scheduler, etc.) now have a /flagz endpoint (alpha in 1.32) that lists all the command-line flags and their values for that running component. It’s a quick way to see exactly what settings a component is using (including default vs explicit flags).

When to Use It: This is handy for troubleshooting and auditing. Imagine you suspect a flag wasn’t set correctly on the API server – you can hit /flagz and confirm the value it’s running with. It’s also useful for support scenarios: a tool or script could gather /flagz output from all components to get a snapshot of the configuration in effect. This helps detect misconfigurations or unexpected defaults.

How to Implement It: The feature is alpha, so enable the ComponentFlagz feature gate on the components. Once that’s done, each component will serve the new endpoint on its insecure port by default (or possibly under the /debug or metrics port depending on implementation). Accessing https://<component-address>/flagz will return a list of flags and values (the format might be plain text or JSON). Be cautious: this could expose sensitive info (like feature gates or file paths), so ensure proper authentication/authorization. Ideally, only cluster admins should be able to hit these endpoints. You might integrate this with Kubernetes’ auth by requiring admin creds to query it.

Component /statusz Endpoint

πŸ”— KEP-4827

Similar to /flagz, Kubernetes 1.32 introduces a standardized /statusz endpoint for core components (alpha feature). While Kubernetes already has health checks (/healthz, /livez, /readyz), /statusz is meant to provide a status report. This could include version info, build data, and also checks for internal conditions or dependencies (for example, if the scheduler detects it’s not leader or if the controller manager sees an unmet dependency, it might report it here).

When to Use It: Use /statusz when you need deeper diagnostics on a component. It can be polled during troubleshooting to quickly see if anything is wrong. For instance, if the API server /statusz shows a certain controller is lagging or a known issue flag, it saves time digging through logs. It’s also useful for monitoring systems – you might scrape /statusz periodically to trigger alerts on certain content (though the exact format might evolve).

How to Implement It: Enable the ComponentStatusz feature gate on your control plane components. With that on, the components start serving /statusz (likely on the same ports as /healthz). Each component will output different information; for example, the API server might list the enabled admission controllers and their status, or the controller manager might list controllers and if they are running OK. Access it via kubectl get --raw '/statusz' or using curl against the admin secure port. Again, secure access is important – don’t expose this publicly. Check the Kubernetes documentation for the exact fields available once the feature matures.

Separate Stdout/Stderr Logs

πŸ”— KEP-3288

Kubernetes adds the ability to fetch container logs split by stream. Instead of combining stdout and stderr as the kubectl logs command normally does, you can now retrieve only stdout or only stderr output for a container. This feature was in alpha for 1.32 and extends the logging API.

When to Use It: This is useful for applications that treat stdout and stderr differently (for example, stdout is application output, stderr is error or debug logs). Logging systems can take advantage by pulling only stderr to flag errors, or you might save stderr logs separately for auditing. It’s also helpful when a container produces a lot of output and you only care about one stream.

How to Implement It: Enable the SplitStreamLogging feature gate on the API server. Once enabled, the kubectl logs command might get new flags (e.g., --stderr or --stdout) or an API parameter to select the stream. For example, kubectl logs <pod> -c <container> --stderr would return just the stderr from that container (if the CLI support is added). Under the hood, the Kubernetes logging endpoint now understands a query for a specific stream. If you use a custom logging client or aggregator, you can call the REST API with a parameter like ?logStream=stderr. Keep in mind this is alpha – in 1.32 you may need kubectl from 1.32 and the feature gate on the API server for it to work.

Windows Node Enhancements

Graceful Node Shutdown for Windows

πŸ”— KEP-4802

Kubernetes 1.32 closes a long-standing gap by introducing graceful shutdown on Windows nodes. The kubelet running on a Windows node will now detect when the Windows OS is shutting down or rebooting, and it will proactively mark the node as down and start evicting pods, honoring their grace periods and preStop hooks. Essentially, Windows pods get the same courtesy as Linux pods on node shutdown.

When to Use It: If you run workloads on Windows worker nodes, this feature is crucial for reliability. Previously, a Windows node shutdown (e.g., due to an update or manual reboot) would cut off pods abruptly, because Kubernetes wasn’t catching the event in time. With 1.32, Windows nodes can undergo planned restarts (or even unexpected ones, to a degree) with less disruption – pods will terminate gracefully, allowing your workload to clean up or failover smoothly.

How to Implement It: Simply upgrade your Windows nodes to Kubernetes 1.32 (kubelet version 1.32). The feature is built-in and on by default (it was behind GracefulNodeShutdown and GracefulNodeShutdownWindows feature gates in earlier alphas). Ensure that your pods have appropriate terminationGracePeriodSeconds and preStop hooks if needed – the kubelet will use those values when shutting down. You can test this by cordoning a Windows node and initiating a shutdown: the pods should go through their normal termination logic. This is cloud-agnostic, so it works on any Windows node, whether on-prem or in cloud.

❗(Windows nodes see continued improvements. In 1.32, support for CPU and memory managers on Windows was enhanced, bringing Windows closer to feature parity with Linux in areas like core pinning and NUMA-aware memory allocation. These changes mean Windows containers can benefit from more advanced resource management, just as Linux containers do.)

Conclusion

Kubernetes v1.32 brings improvements across the board, from simplifying custom resource queries to making scheduling and node management more efficient. Security gets a boost with finer-grained controls and built-in mutating policies, while storage management becomes more automation-friendly. Many of these features start as alpha or beta–cluster operators should experiment with them in non-production environments and watch their progress toward stability in future releases. Overall, 1.32’s enhancements aim to make Kubernetes clusters more secure, efficient, and easy to manage for Kubernetes practitioners, DevOps engineers, and cluster administrators alike.

Comments