Week Ending May 10, 2026

Developer News

SIG Autoscaling has nominated Jack Francis as a new SIG Chair as Guy Templeton steps down from the role after years of leadership and contributions to the SIG. Thank you, Guy Templeton, for everything you’ve done for SIG Autoscaling. The proposal also names Omer Aplatony as Tech Lead and adds dedicated Node Autoscaling and Workload Autoscaling Tech Lead roles.

Next Tuesday is the monthly New Contributor Orientation. As part of a new SIG-focused format for NCOs, next week’s AMER session will be focused on SIG Release, hosted by @Kat Cosgrove. Join the AMER session to learn how SIG Release helps deliver Kubernetes releases and how you can get involved.

Release Schedule

Next Deadline: 1.37 Release Team Shadow Program, May 15th

Applications for the Kubernetes v1.37 Release Team shadow program closes on May 15, with selected applicants announced on May 22. If you want to learn how Kubernetes release team work and contribute to the release process, this is a great opportunity to get involved. Learn more in the Release Team Overview, Shadows Guide, Role Handbooks, and Selection Criteria.

Kubernetes Patches v1.33.12, v1.34.8, v1.35.5, and v1.36.1 have been released.

Featured PRs

138872: feat: Add declarative-validation test coverage guardrail

yongruilin has landed an in-process coverage gate for declarative-validation rules that fails CI when a +k8s: DV tag has no test exercising it. The PR spans SIG API Machinery, SIG Scheduling, and SIG Testing, and is targeted at the v1.37 milestone. Declarative validation moves API field validation rules out of hand-written Go code and into struct-tag annotations on the API types, generated into validators by validation-gen. The benefit is enormous; co-located rules, version-consistent validation, and a clear audit surface but until now there was no way to prove that every declared rule was actually being exercised by tests. A contributor could add a +k8s:maxBytes=64 tag to a field, regenerate validators, and merge a green PR even if no test ever fed that field a value over 64 bytes. This guardrail closes that gap.

138801: Conditional Authz [0/5]: Rename all usages of the authorizer.Authorizer interface to authorizer.UnconditionalAuthorizer

luxas has landed the kickoff of a five-part series introducing conditional authorization to Kubernetes by renaming every existing usage of authorizer.Authorizer to authorizer.UnconditionalAuthorizer, and renaming initializer.WantsAuthorizer to initializer.WantsUnconditionalAuthorizer. The PR spans SIG Auth, SIG API Machinery, SIG Node, SIG Scheduling, and WG Device Management, and is targeted at the v1.37 milestone. Today, the authorizer.Authorizer interface is the only authorization contract in tree, and any function that takes one can issue arbitrary authorization decisions even if it only ever needs to ask simple “is this principal allowed to do X” questions. The refactor splits this into two contracts: a small UnconditionalAuthorizer that callers ask for when they only need traditional unconditional decisions, and a fuller Authorizer interface (extended in #137204) that callers must explicitly opt into when they need to evaluate conditions on the request. This narrows the API surface receivers can use and makes it visible in the type system which call sites can take conditional logic.

KEP of the Week

KEP-127: Support User Namespaces

The Kubernetes User Namespaces KEP introduces support for Linux user namespaces to improve pod security and isolation by allowing processes inside containers to run with different user and group IDs than on the host system. This means a process can run as root inside the container while remaining an unprivileged user on the host, significantly reducing the impact of container breakout vulnerabilities. The feature strengthens defense-in-depth, improves multi-tenant security, and helps mitigate several known and future container escape vulnerabilities by limiting host-level privileges even if a workload escapes the container boundary.

User Namespaces became GA in 1.36.

Other Merges

• Use stable curl download for windows busybox testing image
• Switch StorageVersionMigration to use merge patch over SSA
• Add retrying for Bind API calls
• kubeadm: kubeadm join now returns a clear error message when the TLS bootstrap kubeconfig has a current-context that does not appear in the contexts list, instead of panicking with a nil pointer dereference.
• kubeadm: when fetching cluster-info over HTTPS during discovery, the HTTP response status code is now checked, so a non-200 response produces a clear error instead of a confusing kubeconfig parse failure.
• Functions and structs that take in authorizer.Authorizer might now choose to accept only a smaller interface, authorizer.UnconditionalAuthorizer, in case only the receiver only needs to perform unconditional authorization requests and wants to signal this in the code for clarity. Any authorizer implementation must still implement the full authorizer.Authorizer interface.
• Workload-aware preemption now preempts victims so that as many as possible of the preemptor pods can be scheduled.
• Fix the inconsistency between opportunistic batching and PodGroups that made the batching hints always infeasible during PodGroup scheduling cycle.
• Fix nil pointer dereference in Windows memory eviction threshold notifier when GetPerformanceInfo() fails.
• Added an alpha feature gate, [ConsistentListFromCacheSkipTimeoutFallback](https://github.com/kubernetes/kubernetes/pull/138701/changes) .When enabled, kube-apiserver returns HTTP 429 for consistent LIST requests that cannot be served from watch cache within the timeout window, instead of falling back to storage.
• Ensure stale cache does not impact the marking of nodes as unhealthyby checking with a live get.
• kubectl now sets its path in the KUBECTL_PATH environment variable when executing a plugin.
• kubeadm: skip LocalAPIEndpoint defaulting on ‘kubeadm join’ for worker nodes.
• kubelet no longer generates an event once per second for every image volume in a pod.
• client-go will request v2 for aggregated discovery and not fall back to v2beta1
• HPA controller now reconciles newly created and spec-changed HPAs immediately instead of waiting for the full resync period (default 15s).
• kubelet: enforce ephemeral-storage limits on restartable init containers.
• Metrics are now decremented for pods removed from the active or backoff queues before scheduling.
• kubelet no longer fails to start on ZFS due to a missing cadvisor plugin.
• kubectl drain --disable-eviction --dry-run=server no longer hangs indefinitely.
• StatefulSet with OnDelete update strategy now correctly updates Status.CurrentRevision after all pods are recreated with the new revision.

Promotions

• Volume Metrics to beta

Version Updates

• GO to 1.26.3
• grpc to v1.81.0, grpc-gateway/v2 to v2.29.0, containerd/api to v1.11.0, ttrpc to v1.2.8, genproto googleapis updated
• golang.org/x/mod to v0.35.0, oauth2 to v0.36.0, time to v0.15.0, tools to v0.44.0
• etcd sdk to v3.6.11

Subprojects and Dependency Updates

• cluster-api v1.13.2: fixes KCP in-place update with InfraMachine immutability webhooks, cleans up etcd members after machine remediation, bumps corefile-migration to v1.0.32; also v1.12.8, v1.11.11
• cloud-provider-aws v1.36.0: fixes ELB target deregistration ordering, adds nil check for instance state, adds AWS API metrics middleware for status codes and error tracking, adds explicit HTTP request timeouts to all AWS SDK clients, fixes security group leak on Service update; also v1.35.2, v1.34.3, v1.33.4, v1.32.8
• openstack-cloud-controller-manager v2.36.0: new Helm chart release; also openstack-cinder-csi v2.36.0, openstack-manila-csi v2.36.0

Shoutouts

• Seokho Son: Shoutout to @xirehat, @Moh0ps, @mamrezb, and @Behdin Talebi for initiating and driving the Persian (Farsi) localization of k8s.io, the first Right-To-Left language supported on the site. Thanks also to @LMKTFY for his support, and to SIG Docs leads @Natali, @Rey Lejano, and @Divya for their official backing. The Farsi localization site is live at kubernetes.io/fa, and there is still plenty of room to contribute — join #kubernetes-docs-fa to get involved.

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.