Kubernetes · 3 min read

Exploring Kubernetes 1.29: A Deep Dive into the Latest Features and Enhancements

THNKBIG Team

Engineering Insights

Exploring Kubernetes 1.29: A Deep Dive into the Latest Features and Enhancements

Kubernetes 1.29 (Mandala) shipped with significant improvements across scheduling, storage, networking, and security. This deep dive summarizes the most impactful changes and what they mean for engineering teams running production clusters.

Release Highlights at a Glance

  • KMS v2 encrypted Secrets reached stable (GA) status
  • ReadWriteOncePod PersistentVolume access mode now stable
  • Node lifecycle improvements via Pod Disruption Conditions
  • ClusterTrustBundles alpha introduced for certificate distribution
  • Sidecar container native support moved to beta

KMS v2: Stable Secrets Encryption

KMS v2 encryption for Kubernetes Secrets reached stable (GA) status in 1.29. This is a major security milestone for compliance-focused clusters. KMS v2 eliminates the key caching issues of v1 and supports HSM-backed key providers from AWS KMS, Azure Key Vault, and HashiCorp Vault directly.

What this means in practice: Secrets stored in etcd are encrypted using an envelope encryption scheme. The data encryption key (DEK) is encrypted by your KMS provider. If etcd is ever stolen or accessed directly, Secret values remain protected. This is required for FedRAMP Moderate/High and HIPAA compliance where PHI may be stored in Secrets.

Storage: ReadWriteOncePod Access Mode Stable

The ReadWriteOncePod (RWOP) PersistentVolume access mode graduated to stable. Before RWOP, ensuring a volume was mounted to exactly one pod — not just one node — required application-level coordination. RWOP enforces this at the Kubernetes scheduler level: only one pod in the entire cluster can mount the volume at a time, regardless of which node schedules it.

This is critical for workloads that cannot tolerate concurrent access — certain database installations, license-locked applications, and stateful workloads requiring exclusive file locks.

Native Sidecar Container Support (Beta)

Kubernetes 1.29 promoted native sidecar container support to beta. Before this feature, sidecar containers (logging agents, service mesh proxies, secret injection agents) were regular containers with startup ordering enforced by application logic. The new native sidecar support adds an initContainer with restartPolicy: Always, which:

  • Starts and stays running before the main application container begins
  • Restarts independently if it crashes, without killing the main pod
  • Terminates gracefully after the main container exits, allowing log flushing and connection draining

This eliminates the most common sidecar race conditions that affect service mesh and log agent deployments in production.

Pod Disruption Conditions for Better Node Lifecycle

Pod Disruption Conditions expose why a pod was disrupted — eviction, node pressure, drain, or preemption — as structured conditions on the pod status. Before this, operators had to infer disruption cause from events that were often already garbage-collected. Disruption conditions make post-incident analysis and cluster autoscaler feedback loops significantly more reliable.

ClusterTrustBundles: Native Certificate Distribution (Alpha)

ClusterTrustBundles landed as an Alpha feature in 1.29. They provide a Kubernetes-native way to distribute trust anchors (CA certificates) to workloads without relying on ConfigMaps or custom tooling. This is the groundwork for a future where workloads can discover and verify the certificate authority chain of services they connect to — a building block for zero-trust networking that doesn't require a full service mesh.

Upgrading to 1.29: What to Watch

  • Review removed API versions: check your manifests and Helm charts for deprecated API versions using Pluto or kubectl-convert
  • Test KMS v2 migration if upgrading from KMS v1 encryption — follow the migration guide carefully to avoid Secret decryption failures
  • Validate admission webhooks are compatible with new API behaviors before upgrading production clusters

THNKBIG's Kubernetes consulting team manages cluster lifecycle upgrades for enterprise clients, including pre-upgrade compatibility testing, upgrade runbooks, and rollback planning. Contact us if you're planning a Kubernetes version upgrade and want expert support.

TB

THNKBIG Team

Engineering Insights

Expert infrastructure engineers at THNKBIG, specializing in Kubernetes, cloud platforms, and AI/ML operations.

Ready to make AI operational?

Whether you're planning GPU infrastructure, stabilizing Kubernetes, or moving AI workloads into production — we'll assess where you are and what it takes to get there.

US-based team · All US citizens · Continental United States only