Top 8 Security Enhancements and Other Cool Features in Kubernetes 1.33

Apr 20, 2025

Matthias Bertschy
Senior Kubernetes Developer

Oshrat Nir
Head of Product Marketing

Kubernetes 1.33 marks another exciting milestone in the evolution of this widely adopted container orchestration platform. A big shoutout to the release team for their hard work and contributions!

In this update, Kubernetes continues to enhance its capabilities to meet the ever-evolving demands of modern cloud-native environments. Let’s take a closer look at the key security improvements and other features that caught our attention.

Security enhancements in Kubernetes 1.33

Kubernetes 1.33 brings several impactful security updates aimed at strengthening cluster integrity and reducing attack surfaces. Here are the most noteworthy security-related enhancements:

Fine-Grained Kubelet API Authorization (Beta)

This enhancement improves node security by providing more granular authorization controls for the Kubelet API, limiting potential attack vectors and ensuring tighter access management.

ClusterTrustBundles (Beta)

Previously known as Trust Anchor Sets, this feature improves cluster security by enhancing certificate validation processes. It is now easier to manage trust anchors for secure communication within clusters.

Bound Service Account Token Improvements (Stable)

Strengthened service account tokens reduce risks of unauthorized access by tying tokens more securely to specific pods, enhancing traceability and usability.

Projected Service Account Tokens for Kubelet Image Credential Providers (Alpha)

This enhancement secures how the Kubelet retrieves image credentials, mitigating risks associated with credential exposure during image pulls.

API for External Signing of Service Account Tokens (Alpha)

By enabling external signing of service account tokens, this feature improves key management and auditing capabilities for better security practices.

Ensure Secret Pulled Images (Alpha)

This update ensures that images requiring secrets are securely handled during pulls, reducing vulnerabilities tied to image access mechanisms.

ProcMount Option (Beta)

Fine-grained control over the /proc filesystem enhances container isolation, addressing critical security concerns tied to system-level access.

Support for User Namespaces in Pods (Beta)

User namespaces provide an additional layer of isolation by separating user IDs and group IDs within pods, significantly improving workload security.

These enhancements collectively address key areas such as authentication, authorization, credential management, and pod isolation, making Kubernetes clusters more secure against evolving threats.

Other cool features in Kubernetes 1.33

As a cloud-security company, we lead with security improvements. However, there are many more features in Kubernetes 1.33, some of which we found particularly noteworthy. This version introduces several features designed to enhance functionality, scalability, and user experience:

Taints/Tolerations in PodTopologySpread Skew (Stable)

Improved scheduling logic now accounts for taints and tolerations when calculating pod topology spread skew, optimizing resource allocation for high availability deployments.

MatchLabelKeys for Pod Affinity/Anti-Affinity (Stable)

This feature enhances pod affinity rules. It provides greater granularity in pod placement, improving application performance through smarter affinity configurations.

Generic Data Populators (Stable)

Simplifies pre-populating volumes with data, streamlining application deployment processes that require initial datasets.

Multiple Service CIDRs (Stable)

Enables flexible network configurations for large-scale deployments by supporting multiple service CIDRs within a cluster.

Topology-Aware Routing (Stable)

Enhances network performance by routing traffic based on topology awareness, reducing latency and improving responsiveness for applications.

nftables Kube-Proxy Backend (Stable)

Introduces significant performance improvements to kube-proxy by leveraging nftables for faster and more efficient network proxying.

Sidecar Containers (Stable)

Brings sidecar containers to stable status, benefiting application designs that rely on auxiliary processes running alongside main containers. Full disclosure, we have a personal interest in this one.

These updates focus on enhancing Kubernetes’ ability to manage complex workloads, including high-availability applications, data-intensive processing, and multi-tenant environments.

Welcome Kubernetes 1.33!

Kubernetes 1.33 brings important improvements made by the community, for the community. Whether it’s improving core functionality for a better user experience and greater operational efficiency or enhancing security for sensitive components like service account tokens or optimizing scheduling and networking, this release shows a strong commitment to the continued success of the project.