Knative v1.21.2 is a small patch release with one TLS improvement and a heads-up that secure-pod-defaults will flip to AllowRootBounded in v1.22.
breakingAudit root-dependent workloads before v1.22 ships
The AllowRootBounded secure-pod-defaults setting is coming as the new default in v1.22. If any of your Knative Services run containers that require root (e.g., legacy apps, certain base images), they will break after that upgrade. Right now, while you're on v1.21, test those workloads with AllowRootBounded explicitly enabled. If they fail, set secure-pod-defaults to 'disabled' in your config-features ConfigMap before upgrading to v1.22 — don't wait until upgrade day.
enhancementConfigurable TLS via knative.dev/pkg/network/tls
The shift to the shared knative.dev/pkg/network/tls library gives operators more control over TLS settings in Serving. If you manage custom TLS configurations or have internal PKI requirements, review whether this change aligns your TLS behavior with expectations — particularly in environments where cipher suites or minimum TLS versions are enforced by policy.
Key changes (3)
- TLS configuration now uses knative.dev/pkg/network/tls for more flexible, configurable TLS behavior in Serving
- secure-pod-defaults remains disabled by default in v1.21, but AllowRootBounded will become the default in v1.22
- AllowRootBounded improves security posture while maintaining compatibility with most (but not all) images that expect root access