In Part 1, I shared a few highlights from Kubernetes 1.30. But this release has a lot more to offer—especially if you like fine-tuned control, better ops visibility, or tighter security.
Here’s a continuation of practical features from Kubernetes 1.30, with real-world examples and practical use cases:
🔐 Fine-Grained Authorization with CEL in RBAC (Alpha)
You can now add logic to RBAC rules using CEL (Common Expression Language).
Imagine restricting pod deletion to only specific users and only for pods with certain labels. You can do that now, like this:
```yaml
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["delete"]
  condition:
    expression: "request.user == 'alice' && object.metadata.labels.team == 'devops'"
```
Use Case: Perfect for multi-team clusters or secure environments where access should be tightly scoped.
📦 Sidecar Containers (Stable)
Feature: The SidecarContainers feature (now stable) allows sidecar containers to restart independently of the main application container.
Example:
Use Case: A logging sidecar that tails logs from the main application container.
YAML:
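```yaml
apiVersion: v1
kind: Pod
metadata:
  name: logging-app
spec:
  initContainers:
  # A native sidecar is an init container with restartPolicy: Always
  - name: log-tailer
    image: busybox
    # -F keeps retrying until nginx has created the log file
    args: ["sh", "-c", "tail -F /var/log/nginx/access.log"]
    restartPolicy: Always # Sidecar restarts independently
    volumeMounts:
    - name: logs
      mountPath: /var/log/nginx
  containers:
  - name: main-app
    image: nginx
    volumeMounts:
    # Share the log directory so the sidecar can read nginx's logs
    - name: logs
      mountPath: /var/log/nginx
  volumes:
  - name: logs
    emptyDir: {}
```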
Sidecars no longer block pod termination, improving reliability for observability or proxy sidecars.
No more losing logs or metrics because your sidecar died too early.
✅ Use Case: Logging agents, monitoring proxies, or service meshes.
🔄 CSI Inline Volumes Are Now GA
You can define temporary volumes inside your pod spec—no need to create a separate PVC.
YAML:
```yaml
volumes:
- name: ephemeral
  csi:
    driver: "ephemeral.csi.k8s.io"
    volumeAttributes:
      size: "1Gi"
```
✅ Use Case: CI jobs, temporary caches, scratch space in stateless jobs.
Service Account Token Improvements
Bound Service Account Tokens (BSAT) now support time-bound credentials.
Example:
Use Case: A CI/CD pipeline needing short-lived credentials to deploy to a cluster.
YAML:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-bot
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: ci-runner
spec:
  serviceAccountName: ci-bot
  containers:
  - name: runner
    image: ci-tool
    env:
    - name: KUBE_TOKEN
      valueFrom:
        secretKeyRef:
          name: ci-bot-token
          key: token
```
✅ Reduces the risk of credential leakage.
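A service account token stored in a Secret, as in the manifest above, carries no expiry; a time-bound token is requested through a projected `serviceAccountToken` volume instead. The following is an added example, not from the original post: it reuses the post's `ci-bot`, `ci-runner` and `ci-tool` names, while the volume name, mount path, audience and lifetime are assumed values.

```yaml
# Added example: ci-bot / ci-runner / ci-tool come from the post;
# kube-token, mountPath, audience and expirationSeconds are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-bot
automountServiceAccountToken: false   # no default token mounted into pods
---
apiVersion: v1
kind: Pod
metadata:
  name: ci-runner
spec:
  serviceAccountName: ci-bot
  containers:
  - name: runner
    image: ci-tool
    volumeMounts:
    - name: kube-token
      mountPath: /var/run/secrets/tokens   # token is read from .../tokens/token
      readOnly: true
  volumes:
  - name: kube-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          audience: https://kubernetes.default.svc   # assumed audience
          expirationSeconds: 600                     # 10 minutes, the minimum accepted
```

The kubelet rotates the file before it expires, so the runner should re-read it on each use rather than cache the value. The token is bound to the pod and stops validating once the pod is deleted.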
Advanced Network Policies (Port Ranges)
Network Policies now support port ranges in ingress/egress rules.
Example:
Use Case: A microservice allowing traffic on ports 3000-4000 for WebSocket connections.
YAML:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ws-ports
spec:
  podSelector:
    matchLabels:
      app: websocket-server
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      # A range is written as port (start) plus endPort (end), inclusive
      port: 3000
      endPort: 4000
```
✅ Simplifies firewall rules for applications using dynamic ports.
Final Thoughts
Kubernetes 1.30 keeps improving developer experience and operational safety. These new features—while subtle—can really help streamline real-world clusters.
👉 Missed Part 1? Catch up here
https://github.com/rajeevchandra/kubernetes-1.30-examples