Rate limits arrive on unary and streaming gRPC requests, alongside client-side bandwidth controls.
Where it bites you on upgrade
Two pieces of operational debt to absorb. The deprecated V1 preheat API endpoints are gone in 2.5; pipeline scripts still calling them stop working on upgrade. Health checks consolidate to /healthy, so probes wired to old paths need to move with that.
The project framing on the webhook is zero-rebuild rollout. The catch is operational: a mutating admission webhook is a runtime dependency at pod-creation time, and a webhook outage fans out across every workload that needs the injection. The CNCF post does not break out a migration path off V1 preheat; the release notes are the place to read before running the upgrade.