AWS Security ChangesHomeSearch

AWS eks medium security documentation change

Service: eks · 2025-05-25 · Security-related medium

File: eks/latest/userguide/kubernetes-versions-extended.md

Summary

Removed documentation for Kubernetes 1.25 version support and associated security migration guidance

Security assessment

The removed section contained security-critical migration guidance including PodSecurityPolicy removal, SeccompDefault changes, and API deprecations that could lead to workload disruptions. Removing this documentation indicates end-of-life for 1.25 where security updates would no longer be provided, though the change itself is version deprecation rather than a direct vulnerability fix.

Diff

diff --git a/eks/latest/userguide/kubernetes-versions-extended.md b/eks/latest/userguide/kubernetes-versions-extended.md
index fb4f30c68..2323ca439 100644
--- a//eks/latest/userguide/kubernetes-versions-extended.md
+++ b//eks/latest/userguide/kubernetes-versions-extended.md
@@ -5 +5 @@
-Kubernetes 1.29Kubernetes 1.28Kubernetes 1.27Kubernetes 1.26Kubernetes 1.25
+Kubernetes 1.29Kubernetes 1.28Kubernetes 1.27Kubernetes 1.26
@@ -99,38 +98,0 @@ For the complete Kubernetes `1.26` changelog, see [https://github.com/kubernetes
-## Kubernetes 1.25
-
-Kubernetes `1.25` is now available in Amazon EKS. For more information about Kubernetes `1.25`, see the [official release announcement](https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/).
-
-###### Important
-
-  * Amazon EC2 `P2` instances aren’t supported on Amazon EKS because they require `NVIDIA` driver version 470 or earlier.
-
-  * `PodSecurityPolicy` (PSP) is removed in Kubernetes `1.25`. PSPs are replaced with [Pod Security Admission (PSA)](https://kubernetes.io/docs/concepts/security/pod-security-admission/) and Pod Security Standards (PSS). PSA is a built-in admission controller that implements the security controls outlined in the [PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/). PSA and PSS are graduated to stable in Kubernetes `1.25` and are enabled in Amazon EKS by default. If you have PSPs in your cluster, make sure to migrate from PSP to the built-in Kubernetes PSS or to a policy-as-code solution before upgrading your cluster to version `1.25`. If you don’t migrate from PSP, you might encounter interruptions to your workloads. For more information, see the [Migrate from legacy Pod security policies (PSP)](./pod-security-policy-removal-faq.html).
-
-  * Kubernetes version `1.25` contains changes that alter the behavior of an existing feature known as API Priority and Fairness (APF). APF serves to shield the API server from potential overload during periods of heightened request volumes. It does this by placing restrictions on the number of concurrent requests that can be processed at any given time. This is achieved through the application of distinct priority levels and limits to requests originating from various workloads or users. This approach ensures that critical applications or high-priority requests receive preferential treatment, while simultaneously preventing lower priority requests from overwhelming the API server. For more information, see [API Priority and Fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/) in the Kubernetes documentation or [API Priority and Fairness](https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#api-priority-and-fairness) in the EKS Best Practices Guide.
-
-These updates were introduced in [PR #10352](https://github.com/kubernetes/kubernetes/pull/103521) and [PR #118601](https://github.com/kubernetes/kubernetes/pull/118601). Previously, APF treated all types of requests uniformly, with each request consuming a single unit of the concurrent request limit. The APF behavior change assigns higher units of concurrency to `LIST` requests due to the exceptionally heavy burden put on the API server by these requests. The API server estimates the number of objects that will be returned by a `LIST` request. It assigns a unit of concurrency that is proportional to the number of objects returned.
-
-Upon upgrading to Amazon EKS version `1.25` or higher, this updated behavior might cause workloads with heavy `LIST` requests (that previously functioned without issue) to encounter rate limiting. This would be indicated by an HTTP 429 response code. To avoid potential workload disruption due to `LIST` requests being rate limited, we strongly encourage you to restructure your workloads to reduce the rate of these requests. Alternatively, you can address this issue by adjusting the APF settings to allocate more capacity for essential requests while reducing the capacity allocated to non-essential ones. For more information about these mitigation techniques, see [Preventing Dropped Requests](https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#preventing-dropped-requests) in the EKS Best Practices Guide.
-
-  * Amazon EKS `1.25` includes enhancements to cluster authentication that contain updated YAML libraries. If a YAML value in the `aws-auth` `ConfigMap` found in the `kube-system` namespace starts with a macro, where the first character is a curly brace, you should add quotation marks (`" "`) before and after the curly braces (`{ }`). This is required to ensure that `aws-iam-authenticator` version `v0.6.3` accurately parses the `aws-auth` `ConfigMap` in Amazon EKS `1.25`.
-
-  * The beta API version (`discovery.k8s.io/v1beta1`) of `EndpointSlice` was deprecated in Kubernetes `1.21` and is no longer served as of Kubernetes `1.25`. This API has been updated to `discovery.k8s.io/v1`. For more information, see [EndpointSlice](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#endpointslice-v125) in the Kubernetes documentation. The AWS Load Balancer Controller `v2.4.6` and earlier used the `v1beta1` endpoint to communicate with `EndpointSlices`. If you’re using the `EndpointSlices` configuration for the AWS Load Balancer Controller, you must upgrade to AWS Load Balancer Controller `v2.4.7` _before_ upgrading your Amazon EKS cluster to `1.25`. If you upgrade to `1.25` while using the `EndpointSlices` configuration for the AWS Load Balancer Controller, the controller will crash and result in interruptions to your workloads. To upgrade the controller, see [Route internet traffic with AWS Load Balancer Controller](./aws-load-balancer-controller.html).
-
-  * The beta API version (`autoscaling/v2beta1`) of HorizontalPodAutoscaler is no longer served as of Kubernetes `1.25`. This API was deprecated in version `1.23`. Migrate manifests and API clients to use the `autoscaling/v2` HorizontalPodAutoscaler API version. For more information, see [the Kubernetes documentation](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#horizontalpodautoscaler-v125).
-
-
-
-
-  * `SeccompDefault` is promoted to beta in Kubernetes `1.25`. By setting the `--seccomp-default` flag when you configure `kubelet`, the container runtime uses its `RuntimeDefaultseccomp` profile, rather than the unconfined (`seccomp disabled`) mode. The default profiles provide a strong set of security defaults, while preserving the functionality of the workload. Although this flag is available, Amazon EKS doesn’t enable this flag by default, so Amazon EKS behavior is effectively unchanged. If you want to, you can start enabling this on your nodes. For more details, see the tutorial [Restrict a Container’s Syscalls with seccomp](https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads/) in the Kubernetes documentation.
-
-  * Support for the Container Runtime Interface (CRI) for Docker (also known as dockershim) was removed from Kubernetes `1.24` and later. The only container runtime in Amazon EKS official AMIs for Kubernetes `1.24` and later clusters is containerd. Before upgrading to Amazon EKS `1.24` or later, remove any reference to bootstrap script flags that aren’t supported anymore. For more information, see [Migrate from dockershim to containerd](./dockershim-deprecation.html).
-
-  * The support for wildcard queries was deprecated in CoreDNS `1.8.7` and removed in CoreDNS `1.9`. This was done as a security measure. Wildcard queries no longer work and return NXDOMAIN instead of an IP address.
-
-  * The [goaway-chance](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.25` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with [HTTP GOAWAY](https://www.rfc-editor.org/rfc/rfc7540#section-6.8), we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination.
-
-
-
-
-For the complete Kubernetes `1.25` changelog, see [https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1240](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1240).
-