Week Ending May 31, 2026

Developer News

The Kubernetes Node Lifecycle Working Group is seeking community feedback on node lifecycle use cases where components need node-state information that is not currently available through a common API. The collected feedback will help the group scope KEPs for the next Kubernetes release cycle.

SIG-etcd has nominated Fu Wei as a co-Tech Lead, recognizing his sustained technical contributions, leadership, and commitment to the etcd project and community

Release Schedule

Next Deadline: Production Readiness Freeze, 10th June 2026

Production Readiness Freeze for Kubernetes v1.37 lands on 10th June. Ensure all required Production Readiness Reviews are completed and any outstanding issues are addressed before the deadline.

Cherry-picks for the June patch releases are due June 5th. The release is expected on the 9th.

Featured PRs

139218: Wrap errors from pod group preemption

Argh4k has landed a reader-facing improvement to kube-scheduler error messages: every error emitted by the pod-group preemption path is now prefixed with pod group preemption: so operators can immediately tell which preemption flow produced a given SchedulerError. This mirrors the existing behavior of the default per-pod preemption path, which already prefixes errors with preemption:, and is part of the v1.37 milestone under SIG Scheduling.

The change is part of KEP-5710: Workload-Aware Preemption, which introduces a parallel preemption path for pod groups (gang-scheduled workloads) alongside the existing per-pod preemption. With two preemption flows now writing into the same SchedulerError stream, error logs that previously could only have come from default per-pod preemption can now come from either path, and without a prefix, it was effectively impossible to tell which one. This is especially painful when triaging gang-scheduling failures in batch and AI/ML workloads, where pod-group preemption is the common case.

139251: Rename Signal enum keys in CRI API

SergeyKanzhelev has renamed all enum keys in the Signal type within api.proto to carry a SIGNAL_ prefix (e.g., SIGABRT becomes SIGNAL_SIGABRT). This resolves a long-standing naming collision between the CRI API’s enum identifiers and standard C signal macros, which caused build failures in environments where C signal headers were present.

The change is part of KEP-4960: ContainerStopSignals (introduced in v1.33, currently Alpha). Because the feature hasn’t yet reached Beta, the rename was done directly without a deprecation period. While this is a breaking change for developers, anyone building against cri-api will need to update their code and rebuild binaries; the underlying integer values are unchanged, so the wire format remains compatible and cross-version communication is unaffected. Downstream projects like containerd and CRI-O will need to update their internal references to match the new names.

KEP of the Week

KEP-2535: Ensure Secret Pulled Images

This enhancement improves Kubernetes image security by ensuring that access to container images is authenticated even when images are already present on a node. It introduces kubelet-based image verification for IfNotPresent and Never pull policies, allowing administrators to enforce authorization checks without requiring the Always pull policy. The feature provides configurable verification modes, strengthens control over private image access, and addresses long-standing security concerns around image reuse while reducing dependence on registry availability during container startup.

KEP-2535 graduated to Beta in Kubernetes v1.35, strengthening image access security through credential-aware verification of previously pulled images and enhanced kubelet credential caching.

Other Merges

• The MaxUnavailableStatefulSet feature is now enabled by default.
• kubeadm: fixed kubeadm init phase certs –dry-run to correctly copy existing CA files.
• Errors coming from pod group preemption are now prefixed with pod group preemption: message.
• Enum keys of Signal are now prefixed with SIGNAL_ in api.proto definition to avoid conflicts with C++ macroses.
• Fixed a regression in 1.36 where modifications to scheduling directives (nodeSelector, tolerations, node affinity) on suspended Jobs were rejected if the JobSuspended condition had not yet been set by the job controller.
• Fixed a race condition in preemption, where a preemptor pod could get stuck in unschedulable state.
• Fixed a bug where Pods that share multi-node claims and also have per-node claims can get stuck in Pending.
• Kubelet now recovers from corrupted subpath mount points (e.g. stale NFS file handle) during container restart instead of leaving the pod stuck in CreateContainerConfigError.
• kube-scheduler: Added PlacementCycleState to the scheduling framework, providing per-placement state to PlacementScore plugins under the alpha TopologyAwareWorkloadScheduling feature gate.

Promotions

• WatchCacheInitializationPostStartHook to GA
• GA in 1.37

Deprecated

• Remove RelaxedDNSSearchValidation feature gate

Version Updates

• etcd image to v3.7.0-rc.0
• go.opentelemetry.io/otel to v1.44.0
• etcd to v3.7.0-rc.0
• upgrade go to 1.26.4

Subprojects and Dependency Updates

• SIG-etcd has released v3.7-rc.0 to allow users to test the next version of the Kubernetes database.
• etcd v3.4.45 will be the final update to v3.4, which is now EOL. v3.5 and v3.6 have also been patched, closing a number of golang upstream security vulnerabilities.

Shoutouts

• No shoutouts this week. Want to thank someone for special efforts to improve Kubernetes? Tag them in the #shoutouts channel.

Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.

You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.