Before You Start

Before the upgrade, you can check whether your cluster can be upgraded and which versions are available on the CCE console. For details, see Cluster Upgrade Overview.

Precautions

Before upgrading a cluster, pay attention to the following points:

  • Perform an upgrade during off-peak hours to minimize the impact on your services.

  • Before upgrading a cluster, learn about the features and differences of each cluster version in Kubernetes Release Notes to prevent exceptions due to the use of an incompatible cluster version. For example, check whether any APIs deprecated in the target version are used in the cluster. Otherwise, calling the APIs may fail after the upgrade. For details, see Deprecated APIs.

  • Do not upgrade a cluster within 10 minutes after the cluster configuration is modified on the Settings page. Otherwise, the cluster upgrade may fail due to operation conflicts.

During a cluster upgrade, pay attention to the following points that may affect your services:

  • During a cluster upgrade, do not perform any operation on the cluster. If you stop, restart, or delete nodes while upgrading the cluster, the upgrade will fail.

  • Before upgrading a cluster, ensure no high-risk operations are performed in the cluster. Otherwise, the cluster upgrade may fail or the configuration may be lost after the upgrade. Common high-risk operations include modifying cluster node configurations locally and modifying the configurations of the listeners managed by CCE on the ELB console. Instead, modify configurations on the CCE console so that the modifications can be automatically inherited during the upgrade.

  • During a cluster upgrade, the running workloads will not be interrupted, but access to the API server will be temporarily interrupted.

  • By default, application scheduling is not restricted during a cluster upgrade. During an upgrade of the following early cluster versions, the node.kubernetes.io/upgrade taint (equivalent to NoSchedule) will be added to the nodes in the cluster and removed after the cluster is upgraded:

    • All v1.15 clusters

    • All v1.17 clusters

    • v1.19 clusters with patch version v1.19.16-r4 or earlier

    • v1.21 clusters with patch version v1.21.7-r0 or earlier

    • v1.23 clusters with patch version v1.23.5-r0 or earlier

  • Clusters of version 1.27 or later do not support nodes running EulerOS 2.5 or CentOS 7.7. If a node running EulerOS 2.5 or CentOS 7.7 is used, migrate the node OS to EulerOS release 2.9, Ubuntu 22.04, or HCE OS 2.0 before the cluster upgrade. For details, see Resetting a Node.

  • During a cluster upgrade, if an add-on is also upgraded and cluster resources are limited, add-on pods can use resources that would otherwise be allocated to service pods. This may result in the eviction of service pods. After the add-on is upgraded, the evicted service pods will automatically recover.

  • When you upgrade a cluster to v1.28 or later, CCE will create an equal number of new master nodes to gradually replace the old ones. After the upgrade is complete, the IP addresses of the master nodes will change. If you accessed the cluster via master node IP addresses before, use the cluster's unified EIP or private IP address after the upgrade. For details, see Connection information.

  • During a cluster upgrade, the system automatically edits the /etc/rc.local file. This operation may trigger security program alarms. You can ignore the alarms.

Notes and Constraints

  • If an error occurred during a cluster upgrade, the cluster can be rolled back using the backup data. If you perform other operations (for example, modifying cluster specifications) after a successful cluster upgrade, the cluster cannot be rolled back using the backup data.

  • When clusters using the tunnel network model are upgraded to v1.19.16-r4, v1.21.7-r0, v1.23.5-r0, v1.25.1-r0, or later, SNAT rules that have a destination address within the pod CIDR block but a source address outside the pod CIDR block will be removed. If you have configured VPC routes to directly access all pods from outside the cluster, only pods on the corresponding nodes will remain directly accessible after the upgrade.

  • For more details, see Version Differences.

Version Differences

Upgrade Path

Version Difference

Self-Check

Upgraded to v1.28, v1.29, v1.30, v1.31, or v1.32

Pay attention to Kubernetes API changes. For details, see Deprecated APIs.

Check the API version used in the cluster. Do not use a deprecated API version. Change the API version to the one recommended in Deprecated APIs.

v1.23 or v1.25

Upgraded to v1.27

Docker is no longer recommended. Use containerd instead. For details, see Container Engines.

This item has been included in the pre-upgrade check.

v1.23 to v1.25

Since Kubernetes v1.25, PodSecurityPolicy has been replaced by pod Security Admission. For details, see Configuring Pod Security Admission.

  • To migrate PodSecurityPolicy capabilities to pod Security Admission, perform the following steps:

    1. Ensure that the cluster is of the latest CCE v1.23 version.

    2. Migrate PodSecurityPolicy capabilities to pod Security Admission. For details, see Configuring Pod Security Admission.

    3. After confirming that the functions are running properly after the migration, upgrade the CCE cluster to v1.25.

  • If you no longer need PodSecurityPolicy, delete PodSecurityPolicy from the cluster and upgrade the cluster to v1.25.

v1.19 to v1.21

The bug of exec probe timeouts is fixed in Kubernetes v1.21. Before this bug is fixed, the exec probe does not consider the timeoutSeconds field. Instead, the probe will run indefinitely, even beyond its configured deadline. It will stop until the result is returned. If this field is not specified, the default value 1 is used. This field takes effect after the upgrade. If the probe runs over 1 second, the application health check may fail and the application may restart frequently.

Before the upgrade, check whether the timeout is properly set for the exec probe.

kube-apiserver of CCE v1.19 or later requires that the Subject Alternative Names (SANs) field be configured for the certificate of your webhook server. Otherwise, kube-apiserver fails to call the webhook server after the upgrade, and containers cannot be started properly.

Root cause: X.509 CommonName is discarded in Go v1.15. kube-apiserver of CCE v1.19 is compiled using Go v1.15. If your webhook certificate does not have SANs, kube-apiserver does not process the CommonName field of the X.509 certificate as the host name by default. As a result, the authentication fails.

Before the upgrade, check whether the SAN field is configured in the certificate of your webhook server.

  • If you do not have your own webhook server, you can skip this check.

  • If the field is not set, use the SAN field to specify the IP address and domain name supported by the certificate.

Table 1 QoS class changes before and after the upgrade

Init Container (Calculated Based on spec.initContainers)

Service Container (Calculated Based on spec.containers)

Pod (Calculated Based on spec.containers and spec.initContainers)

Impacted or Not

Guaranteed

BestEffort

Burstable

Yes

Guaranteed

Burstable

Burstable

No

Guaranteed

Guaranteed

Guaranteed

No

BestEffort

BestEffort

BestEffort

No

BestEffort

Burstable

Burstable

No

BestEffort

Guaranteed

Burstable

Yes

Burstable

BestEffort

Burstable

Yes

Burstable

Burstable

Burstable

No

Burstable

Guaranteed

Burstable

Yes

Deprecated APIs

With the evolution of Kubernetes APIs, APIs are periodically reorganized or upgraded, and certain APIs are deprecated and finally deleted. The following tables list the deprecated APIs in each Kubernetes community version. For details about more deprecated APIs, see Deprecated API Migration Guide.

Note

When an API is deprecated, the existing resources are not affected. However, when you create or edit the resources, the API version will be intercepted.

Table 2 APIs deprecated in Kubernetes v1.32

Resource

Deprecated API Version

Substitute API Version

Change Description

FlowSchema and PriorityLevelConfiguration

flowcontrol.apiserver.k8s.io/v1beta3

flowcontrol.apiserver.k8s.io/v1

(This API has been available since v1.29.)

Significant changes in flowcontrol.apiserver.k8s.io/v1:

spec.limited.assuredConcurrencyShares of PriorityLevelConfiguration has been renamed spec.limited.nominalConcurrencyShares. The default value is 30 only when it is not specified, and the explicit value 0 does not change to 30.

Table 3 APIs deprecated in Kubernetes v1.29

Resource

Deprecated API Version

Substitute API Version

Change Description

FlowSchema and PriorityLevelConfiguration

flowcontrol.apiserver.k8s.io/v1beta2

flowcontrol.apiserver.k8s.io/v1

(This API has been available since v1.29.)

flowcontrol.apiserver.k8s.io/v1beta3

(This API has been available since v1.26.)

  • Significant changes in flowcontrol.apiserver.k8s.io/v1:

    spec.limited.assuredConcurrencyShares of PriorityLevelConfiguration has been renamed spec.limited.nominalConcurrencyShares. The default value is 30 only when it is not specified, and the explicit value 0 does not change to 30.

  • Key changes in flowcontrol.apiserver.k8s.io/v1beta3:

    spec.limited.assuredConcurrencyShares of PriorityLevelConfiguration has been renamed spec.limited.nominalConcurrencyShares.

Table 4 APIs deprecated in Kubernetes v1.27

Resource

Deprecated API Version

Substitute API Version

Change Description

CSIStorageCapacity

storage.k8s.io/v1beta1

storage.k8s.io/v1

(This API has been available since v1.24.)

None

FlowSchema and PriorityLevelConfiguration

flowcontrol.apiserver.k8s.io/v1beta1

flowcontrol.apiserver.k8s.io/v1beta3

(This API has been available since v1.26.)

None

HorizontalPodAutoscaler

autoscaling/v2beta2

autoscaling/v2

(This API has been available since v1.23.)

None

Table 5 APIs deprecated in Kubernetes v1.25

Resource

Deprecated API Version

Substitute API Version

Change Description

CronJob

batch/v1beta1

batch/v1

(This API has been available since v1.21.)

None

EndpointSlice

discovery.k8s.io/v1beta1

discovery.k8s.io/v1

(This API has been available since v1.21.)

Pay attention to the following changes:

  • In each endpoint, the topology["kubernetes.io/hostname"] field has been deprecated. Replace it with the nodeName field.

  • In each endpoint, the topology["kubernetes.io/zone"] field has been deprecated. Replace it with the zone field.

  • The topology field is replaced with deprecatedTopology and cannot be written in v1.

Event

events.k8s.io/v1beta1

events.k8s.io/v1

(This API has been available since v1.19.)

Pay attention to the following changes:

  • The type field can only be set to Normal or Warning.

  • The involvedObject field is renamed regarding.

  • The action, reason, reportingController, and reportingInstance fields are mandatory for creating a new events.k8s.io/v1 event.

  • Use eventTime instead of the deprecated firstTimestamp field (this field has been renamed deprecatedFirstTimestamp and is not allowed to appear in the new events.k8s.io/v1 event object).

  • Use series.lastObservedTime instead of the deprecated lastTimestamp field (this field has been renamed deprecatedLastTimestamp and is not allowed to appear in the new events.k8s.io/v1 event object).

  • Use series.count instead of the deprecated count field (this field has been renamed deprecatedCount and is not allowed to appear in the new events.k8s.io/v1 event object).

  • Use reportingController instead of the deprecated source.component field (this field has been renamed deprecatedSource.component and is not allowed to appear in the new events.k8s.io/v1 event object).

  • Use reportingInstance instead of the deprecated source.host field (this field has been renamed deprecatedSource.host and is not allowed to appear in the new events.k8s.io/v1 event object).

HorizontalPodAutoscaler

autoscaling/v2beta1

autoscaling/v2

(This API has been available since v1.23.)

None

PodDisruptionBudget

policy/v1beta1

policy/v1

(This API has been available since v1.21.)

If spec.selector is set to null ({}) in PodDisruptionBudget of policy/v1, all pods in the namespace are selected. (In policy/v1beta1, an empty spec.selector means that no pod will be selected.) If spec.selector is not specified, pod will be selected in neither API version.

PodSecurityPolicy

policy/v1beta1

None

Since v1.25, the PodSecurityPolicy resource no longer provides APIs of the policy/v1beta1 version, and the PodSecurityPolicy access controller is deleted.

Use Pod Security Admission instead.

RuntimeClass

node.k8s.io/v1beta1

node.k8s.io/v1 (This API has been available since v1.20.)

None

Table 6 APIs deprecated in Kubernetes v1.22

Resource

Deprecated API Version

Substitute API Version

Change Description

MutatingWebhookConfiguration

ValidatingWebhookConfiguration

admissionregistration.k8s.io/v1beta1

admissionregistration.k8s.io/v1

(This API has been available since v1.16.)

  • The default value of webhooks[*].failurePolicy is changed from Ignore to Fail in v1.

  • The default value of webhooks[*].matchPolicy is changed from Exact to Equivalent in v1.

  • The default value of webhooks[*].timeoutSeconds is changed from 30s to 10s in v1.

  • The default value of webhooks[*].sideEffects is deleted, and this field must be specified. In v1, the value can only be None or NoneOnDryRun.

  • The default value of webhooks[*].admissionReviewVersions is deleted. In v1, this field must be specified. (AdmissionReview v1 and v1beta1 are supported.)

  • webhooks[*].name must be unique in the list of objects created through admissionregistration.k8s.io/v1.

CustomResourceDefinition

apiextensions.k8s.io/v1beta1

apiextensions/v1

(This API has been available since v1.16.)

  • The default value of spec.scope is no longer Namespaced. This field must be explicitly specified.

  • spec.version is deleted from v1. Use spec.versions instead.

  • spec.validation is deleted from v1. Use spec.versions[*].schema instead.

  • spec.subresources is deleted from v1. Use spec.versions[*].subresources instead.

  • spec.additionalPrinterColumns is deleted from v1. Use spec.versions[*].additionalPrinterColumns instead.

  • spec.conversion.webhookClientConfig is moved to spec.conversion.webhook.clientConfig in v1.

  • spec.conversion.conversionReviewVersions is moved to spec.conversion.webhook.conversionReviewVersions in v1.

  • spec.versions[*].schema.openAPIV3Schema becomes a mandatory field when the CustomResourceDefinition object of the v1 version is created, and its value must be a structural schema.

  • spec.preserveUnknownFields: true cannot be specified when the CustomResourceDefinition object of the v1 version is created. This configuration must be specified using x-kubernetes-preserve-unknown-fields: true in the schema definition.

  • In v1, the JSONPath field in the additionalPrinterColumns entry is renamed jsonPath (patch #66531).

APIService

apiregistration/v1beta1

apiregistration.k8s.io/v1

(This API has been available since v1.10.)

None

TokenReview

authentication.k8s.io/v1beta1

authentication.k8s.io/v1

(This API has been available since v1.6.)

None

LocalSubjectAccessReview

SelfSubjectAccessReview

SubjectAccessReview

SelfSubjectRulesReview

authorization.k8s.io/v1beta1

authorization.k8s.io/v1

(This API has been available since v1.16.)

spec.group was renamed spec.groups in v1 (patch #32709).

CertificateSigningRequest

certificates.k8s.io/v1beta1

certificates.k8s.io/v1

(This API has been available since v1.19.)

Pay attention to the following changes in certificates.k8s.io/v1:

  • For an API client that requests a certificate:

    • spec.signerName becomes a mandatory field (see Known Kubernetes Signers). In addition, the certificates.k8s.io/v1 API cannot be used to create requests whose signer is kubernetes.io/legacy-unknown.

    • spec.usages now becomes a mandatory field, which cannot contain duplicate string values and can contain only known usage strings.

  • For an API client that needs to approve or sign a certificate:

    • status.conditions cannot contain duplicate types.

    • The status.conditions[*].status field is now mandatory.

    • The status.certificate must be PEM-encoded and can contain only the CERTIFICATE data block.

Lease

coordination.k8s.io/v1beta1

coordination.k8s.io/v1

(This API has been available since v1.14.)

None

Ingress

networking.k8s.io/v1beta1

extensions/v1beta1

networking.k8s.io/v1

(This API has been available since v1.19.)

  • The spec.backend field is renamed spec.defaultBackend.

  • The serviceName field of the backend is renamed service.name.

  • The backend servicePort field represented by a number is renamed service.port.number.

  • The backend servicePort field represented by a string is renamed service.port.name.

  • The pathType field is mandatory for all paths to be specified. The options are Prefix, Exact, and ImplementationSpecific. To match the behavior of not defining the path type in v1beta1, use ImplementationSpecific.

IngressClass

networking.k8s.io/v1beta1

networking.k8s.io/v1

(This API has been available since v1.19.)

None

ClusterRole

ClusterRoleBinding

Role

RoleBinding

rbac.authorization.k8s.io/v1beta1

rbac.authorization.k8s.io/v1

(This API has been available since v1.8.)

None

PriorityClass

scheduling.k8s.io/v1beta1

scheduling.k8s.io/v1

(This API has been available since v1.14.)

None

CSIDriver

CSINode

StorageClass

VolumeAttachment

storage.k8s.io/v1beta1

storage.k8s.io/v1

  • CSIDriver is available in storage.k8s.io/v1 since v1.19.

  • CSINode is available in storage.k8s.io/v1 since v1.17.

  • StorageClass is available in storage.k8s.io/v1 since v1.6.

  • VolumeAttachment is available in storage.k8s.io/v1 since v1.13.

Table 7 APIs deprecated in Kubernetes v1.16

Resource

Deprecated API Version

Substitute API Version

Change Description

NetworkPolicy

extensions/v1beta1

networking.k8s.io/v1

(This API has been available since v1.8.)

None

DaemonSet

extensions/v1beta1

apps/v1beta2

apps/v1

(This API has been available since v1.9.)

  • The spec.templateGeneration field is deleted.

  • spec.selector is now a mandatory field and cannot be changed after the object is created. The label of an existing template can be used as a selector for seamless migration.

  • The default value of spec.updateStrategy.type is changed to RollingUpdate (the default value in the extensions/v1beta1 API version is OnDelete).

Deployment

extensions/v1beta1

apps/v1beta1

apps/v1beta2

apps/v1

(This API has been available since v1.9.)

  • The spec.rollbackTo field is deleted.

  • spec.selector is now a mandatory field and cannot be changed after the Deployment is created. The label of an existing template can be used as a selector for seamless migration.

  • The default value of spec.progressDeadlineSeconds is changed to 600 seconds (the default value in extensions/v1beta1 is unlimited).

  • The default value of spec.revisionHistoryLimit is changed to 10. (In the apps/v1beta1 API version, the default value of this field is 2. In the extensions/v1beta1 API version, all historical records are retained by default.)

  • The default values of maxSurge and maxUnavailable are changed to 25%. (In the extensions/v1beta1 API version, these fields default to 1.)

StatefulSet

apps/v1beta1

apps/v1beta2

apps/v1

(This API has been available since v1.9.)

  • spec.selector is now a mandatory field and cannot be changed after the StatefulSet is created. The label of an existing template can be used as a selector for seamless migration.

  • The default value of spec.updateStrategy.type is changed to RollingUpdate (the default value in the apps/v1beta1 API version is OnDelete).

ReplicaSet

extensions/v1beta1

apps/v1beta1

apps/v1beta2

apps/v1

(This API has been available since v1.9.)

spec.selector is now a mandatory field and cannot be changed after the object is created. The label of an existing template can be used as a selector for seamless migration.

PodSecurityPolicy

extensions/v1beta1

policy/v1beta1

(This API has been available since v1.10.)

PodSecurityPolicy for the policy/v1beta1 API version will be removed in v1.25.

Upgrade Backup

The following table lists how to back up cluster data.

Backup Type

Backup Object

Backup Method

Backup Duration

Rollback Duration

Description

etcd data backup

etcd data

Automatic backup during an upgrade

1-5 minutes

2 hours

Mandatory. The data is automatically backed up during an upgrade.

CBR cloud server backup

Master node disks, including component images, configurations, logs, and etcd data

One-click backup on a web page (manually triggered)

20 minutes to 2 hours (based on the cloud backup tasks in the current region)

20 minutes

This function is gradually replaced by EVS snapshot backup.

EVS snapshot backup

Master node disks, including component images, configurations, logs, and etcd data

One-click backup on a web page (manually triggered)

1-5 minutes

20 minutes

This function is coming soon.

After this function is released, it will replace CBR cloud server backup.

last updated: 2025-10-29 10:02 UTC - commit: 221051222b674830e5a2ae5a9bedb20864cfc361