Week Ending September 14, 2025

Developer News

The Steering Committee Election is underway. Please make sure to vote before October 25th, and request an exception if you need one before October 20th.

The Kubernetes Steering Committee reaffirmed that SIG Release and the Release Team have full authority to enforce policies, deadlines, and requirements, including blocking releases if needed. Steering does not override release execution but will back policy updates and clearer communication to ensure safe, stable, and predictable releases.

A medium-severity vulnerability (CVE-2025-9708) affects the Kubernetes C# client ≤ v17.0.13, where improper certificate validation could enable man-in-the-middle attacks. Users are advised to upgrade to v17.0.14+ and review any custom CA usage in kubeconfig files. See the GitHub issue. for more details.

Release Schedule

Next Deadline: 1.35 Release Cycle Starts, September 15

Kubernetes 1.35 release cycle kicks off on Sept 15, targeting final release on Dec 17, 2025, with key milestones including Enhancements Freeze on Oct 16 and Code Freeze on Nov 6.

Patch releases v1.34.1, v1.33.5, v1.32.9, v1.31.13 were out last week, delivering the latest fix and updates.

KEP of the Week

KEP-3243: Respect PodTopologySpread after rolling upgrades

This KEP introduces a complementary field, MatchLabelKeys, in TopologySpreadConstraint to enhance pod topology spread. It allows users to specify only label keys, with kube-apiserver resolving their values from the incoming pod and merging them with the existing LabelSelector to identify the target pod group. This simplifies skew calculation, supports revision-level spreading during Deployment rollouts, and is also handled by kube-scheduler when used in cluster-level default constraints.

This KEP is tracked for beta in v1.34.

Other Merges

• Remove container name from container event messages
• Replace NewIndexerInformerWatcher with NewIndexerInformerWatcherWithLogger
• Standardize not found error message of kubectl scale
• validation-gen uses JSON names for error paths
• Prevent ClusterIP load balancer loss with InternalTrafficPolicy: Local in kube-proxy
• Avoid deadlock when gRPC connection to driver goes idle
• validation-gen adds uuid format for string fields
• client-go/cli-runtime fixes config override when ClientKey/ClientCertificate are set
• Replace WaitForNamedCacheSync with WaitForNamedCacheSyncWithContext
• Update PodObservedGenerationTracking description in OpenAPI
• kubectl includes container fieldPath in event messages
• StorageVersionMigrator adds discovery check to avoid stuck migrations
• agnhost adds fake-registry-server for e2e image-pull tests
• Add E2e test for cleaning of terminated containers
• kube-apiserver protects against delete/finalizer race
• Update pod resize test to accept new cpu.weight conversion
• DRA accepts implicit device-class extended resource names even when extendedResourceName is set in the DeviceClass
• Skip creating storage for non-stored and non-served versions
• Allow OpenAPI model package names to be declared by APIs
• kubelet fixes negative pod startup duration values
• kube-scheduler statusz lists registered paths
• applyconfiguration-gen preserves struct and field comments in generated code
• Scheduler framework interfaces move to k8s.io/kube-scheduler
• CRD validation ratchets the max selectableFields limit
• apiserver storage only accesses keys under resourcePrefix
• apiserver storage replace SetKeysFunc with EnableResourceSizeEstimation

Subprojects and Dependency Updates

• grpc v1.75.0 introduces Spiffe verification, OTel C++ retry metrics, bug fixes, and Python and Ruby updates
• nerdctl v2.1.4 adds manifest, export, import commands, improves networking, and drops containerd 1.6 support
• vertical-pod-autoscaler v1.4.2 improves logging, fixes updater metrics, adjusts webhook CA, and falls back to eviction on failed updates

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.