AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-03-30 · Documentation medium

File: eks/latest/userguide/kubernetes-versions-extended.md

Summary

Added documentation for Kubernetes 1.29, including deprecation notices and LegacyServiceAccountTokenCleanUp security feature

Security assessment

Documents the LegacyServiceAccountTokenCleanUp feature, which reduces attack surface by managing legacy tokens. This is a security enhancement but not a direct response to a disclosed vulnerability.

Diff

diff --git a/eks/latest/userguide/kubernetes-versions-extended.md b/eks/latest/userguide/kubernetes-versions-extended.md
index f02183e19..fb4f30c68 100644
--- a/eks/latest/userguide/kubernetes-versions-extended.md
+++ b/eks/latest/userguide/kubernetes-versions-extended.md
@@ -5 +5 @@
-Kubernetes 1.28Kubernetes 1.27Kubernetes 1.26Kubernetes 1.25
+Kubernetes 1.29Kubernetes 1.28Kubernetes 1.27Kubernetes 1.26Kubernetes 1.25
@@ -16,0 +17,22 @@ This topic gives important changes to be aware of for each Kubernetes version in
+## Kubernetes 1.29
+
+Kubernetes `1.29` is now available in Amazon EKS. For more information about Kubernetes `1.29`, see the [official release announcement](https://kubernetes.io/blog/2023/12/13/kubernetes-v1-29-release/).
+
+###### Important
+
+  * The deprecated `flowcontrol.apiserver.k8s.io/v1beta2` API version of `FlowSchema` and `PriorityLevelConfiguration` are no longer served in Kubernetes version `1.29`. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade to version `1.29`.
+
+
+
+
+  * The `.status.kubeProxyVersion` field for node objects is now deprecated, and the Kubernetes project is proposing to remove that field in a future release. The deprecated field is not accurate and has historically been managed by `kubelet` \- which does not actually know the `kube-proxy` version, or even whether `kube-proxy` is running. If you’ve been using this field in client software, stop - the information isn’t reliable and the field is now deprecated.
+
+  * In Kubernetes `1.29` to reduce potential attack surface, the `LegacyServiceAccountTokenCleanUp` feature labels legacy auto-generated secret-based tokens as invalid if they have not been used for a long time (1 year by default), and automatically removes them if use is not attempted for a long time after being marked as invalid (1 additional year by default). To identify such tokens, a you can run:
+    
+        kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-system
+
+
+
+
+For the complete Kubernetes `1.29` changelog, see [https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280).
+