LegacyServiceAccountTokenNoAutoGeneration Feature Gate

With Kubernetes 1.24 the LegacyServiceAccountTokenNoAutoGeneration feature gate is now enabled by default. This affects the attachment of existing Kubernetes clusters, for which you now must manually create the token. We include instructions on how to do this in the Attach a GKE cluster and Attach an Amazon EKS cluster pages.

Furthermore, upgrading to 1.24 may affect some other components of your environment:

Before upgrading, we strongly recommend verifying your current setup against the information on this page and reading more about Kubernetes' new features in our blog https://eng.d2iq.com/blog/service-account-tokens-in-kubernetes-v1.24/, and in Kubernetes urgent upgrade notes.

Control Plane Node Label and Taint

A new label has been implemented called node-role.kubernetes.io/control-plane to be added to control plane nodes.

In an effort to migrate Kubernetes away from the usage of the word master in labels and taints, for new clusters, the label node-role.kubernetes.io/master will no longer be added to control plane nodes. The new label node-role.kubernetes.io/control-plane will be added. For upgraded clusters, the label node-role.kubernetes.io/master will be removed from existing control-plane nodes. For new clusters, both the old taint node-role.kubernetes.io/master:NoSchedule and new taint node-role.kubernetes.io/control-plane:NoSchedule will be added to control plane nodes. For clusters that are being upgraded, the command will add the new taint node-role.kubernetes.io/control-plane:NoSchedule to existing control plane nodes.

Before upgrading, modify your workloads that are currently relying on the label node-role.kubernetes.io/master to use node-role.kubernetes.io/control-plane instead for its nodeSelector and affinity. For any workloads that have a toleration for node-role.kubernetes.io/master , add a toleration for node-role.kubernetes.io/control-plane.

See the Kubernetes urgent upgrade notes for a full list of changes.