Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending November 30, 2025
Developer News
CVE-2025-13281: the in-tree Portworxs CSI driver exposes a security hole in the kube-controller-manager, which was patched for other storage drivers but not for Portworx. Vulnerable users are ones who still haven’t migrated to the external CSI StorageClass.
SIG-Scheduling has published their technical plan for Kubernetes 1.36.
Wei Fu was nominated as SIG-Etcd Tech Lead.
Release Schedule
Next Deadline: Release Highlights Complete, Dec. 9
We are in Code Freeze. Release highlight items need to be finished and fully edited by next week. Also, please be on the alert for any blocking test failures, and get them debugged quickly so we can release on time.
Friday is the cherry-pick deadline for the next set of patch releases.
Other Merges
- Allow relaxed Ingress defaultBackend service names with RelaxedServiceNameValidation
- Eliminate spurious warning log messages about enabled alpha APIs while starting API server
- Prevent spurious namespace-not-found errors in admission
Version Updates
- Go to 1.24.10 and distroless iptables for 1.32
Subprojects and Dependency Updates
- cri-o v1.34.3 adds support for the external
crio-credential-providerplugin, fixes CVE-2025-58183 by updatinggithub.com/vbatts/tar-splitto v0.12.2, introduces a newhousekeepingoption for theirq-load-balancing.crio.ioannotation (surfacing housekeeping CPUs viaOPENSHIFT_HOUSEKEEPING_CPUSand adjusting IRQ affinity behaviour), and refreshes core dependencies including the Kubernetes 0.34.1 stack and new Podman image/storage libraries. - cri-o v1.33.7 and v1.32.11 are focused patch releases that backport the CVE-2025-58183
tar-splitupdate across the 1.33 and 1.32 lines, with v1.32.11 additionally fixing network cleanup failures when the network namespace path is empty on server teardown. - kops v1.35.0-alpha.1 advances the 1.35 line with etcd 3.5.23/3.5.24 updates, containerd v2.1.5, refreshed CNI plugin sources, AWS Karpenter v1.8.1 plus configurable feature gates, expanded scale and GCE/Azure testing, initial Ubuntu 25.10 support, tighter AWS IAM permissions, and deeper ClusterAPI integration including new toolbox commands and CAPI-oriented nodeup refactors.
- cluster-autoscaler 1.34.2, 1.33.3, and 1.32.5 align the 1.34, 1.33 and 1.32 branches with common fixes: more robust proactive scale-up handling for scheduling-gated pods, a
SimulateNodeRemovalpanic fix for missing node info, Azure LTS test updates and refreshed static SKU lists, CI/lint cleanups, and Kubernetes dependency bumps to v1.34.2, v1.33.6, and v1.32.10 respectively. - cluster-api v1.12.0-rc.1 continues the v1.12 line toward GA with in-place update support for KCP and MachineDeployments, chained multi-minor Kubernetes upgrades for managed topologies, new
InPlaceUpdates,MachineTaintPropagation, andReconcilerRateLimitingfeature gates, MachineHealthCheck condition-based health checks, plus a round of bugfixes across webhooks, e2e tests, runtime SDK, and condition handling on top of Go 1.24 and Kubernetes 0.34.x library bumps. - cluster-api-provider-vsphere v1.15.0-rc.0 tracks CAPI v1.12 and Kubernetes v1.35/cloud-provider-vsphere v1.35, introduces a dedicated CAPV ServiceAccount, and adds govmomi flags to tune CPU and memory shares, reservations, and limits, while also updating etcd/Kubernetes dependencies, bumping CPI/autoscaler versions, and hardening tests and CI (including network debug improvements and flake-focused timeouts).
- prometheus v3.8.0 is the first release to mark Native Histograms as a stable opt-in feature via the new
scrape_native_histogramconfig knob, updates Remote Write v2 to the 2.0-rc.4 spec, adds unified AWS service discovery (EC2, Lightsail, ECS), introduces OAuth2 JWT-bearer grant support, extends promtool with Remote Write 2.0 pushes, and delivers a broad set of PromQL, TSDB, and UI performance fixes (including faster large alerts/rules pages and improved NHCB handling).
Shoutouts
- Petr Mullar – Shoutout for organizing a meeting to support new contributors in Prow, gathering ideas to improve onboarding and reduce entry barriers for newcomers.
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.