Last Week in Kubernetes Development
Stay up-to-date on Kubernetes development in 15 minutes a week.
Week Ending June 21, 2026
Developer News
Naadir Jeewa proposed creating WG Node Identity, a new Working Group intended to coordinate cross-SIG efforts around secure node identity. The effort aims to develop a common approach to hardware-backed node attestation and node identity verification in Kubernetes.
The 2026 Kubernetes Steering Committee election season has begun, with nominations now open for three Steering Committee seats, each serving a two-year term. It is also time to submit voter exception requests.
Mario Fahlandt has been nominated to serve as an additional SIG ContribEx Co-Chair. He has contributed across several community initiatives, including Contributor Summits, New Contributor Orientation, and contributor outreach efforts. The leadership team is being expanded to help share the growing responsibilities of SIG ContribEx.
After serving as co-chair of Kubernetes SIG Storage for over 10 years, Saad has announced that he will be stepping down from the role. Hemant Kumar has been nominated as the new co-chair, bringing long-term involvement with the SIG and a strong understanding of its goals and direction.
Please sign-up for the KubeCon NA 2026 Project Pavilion and onsite PR support program.. SIGs, WGs, Committees, and Subprojects planning to showcase their work or announce major updates at KubeCon should apply for participation and communications support before July 19, 2026.
Release Schedule
Next Deadline: Docs placeholders, July 2nd
If you are responsible for an enhancement that requires documentation, you must create a placeholder PR by July 2. If your enhancement doesn’t require docs, make sure to tag that.
Patch releases v1.33.13, v1.34.9, v1.35.6, and v1.36.2 came out June 12. This includes a golang update and a multitude of bug fixes.
Featured PRs
139308: Introduce WatchListCompression (Beta)
In this pull request p0lyn0mial introduced the new WatchListCompression feature gate, bringing gzip compression support to Kubernetes WatchList responses when clients advertise Accept-Encoding: gzip. Since many controllers and operators perform an initial LIST before transitioning to WATCH, this feature can significantly reduce network bandwidth and improve efficiency in large clusters. Regular WATCH requests remain unchanged, making the rollout low risk for existing clients. This feature is enabled by default in Beta and is an important improvement for API server scalability.
139237: Evenly load balance admission webhook connections
aojea improved how the kube-apiserver communicates with admission webhooks when --enable-aggregator-routing=true is enabled. Previously, HTTP connection reuse could unintentionally direct most concurrent admission requests to a single webhook backend, creating uneven load across replicas. This PR introduces round-trip load balancing between webhook endpoints through the WebhookRoundTripLoadBalancing feature gate (Beta, enabled by default), improving availability and scalability for highly available webhook deployments.
139282: Relaxed DNS Names reaches General Availability
In this pull request adrianmoisey advanced Relaxed DNS Names to General Availability, completing the feature’s journey from Alpha through Beta to a stable Kubernetes API. The work is part of KEP-5311, which expands supported DNS naming rules while maintaining compatibility with existing workloads. Reaching GA signals that the feature is production-ready and no longer experimental, allowing users and downstream projects to rely on it without feature gate concerns.
KEP of the Week
KEP-5471: Extended Toleration Operators for Threshold-Based Placement
This enhancement extends Kubernetes taints and tolerations by adding numeric comparison operators (Lt, Gt) to core/v1 Tolerations, alongside the existing Equal and Exists operators. It enables threshold-based scheduling decisions, such as allowing workloads to run only on nodes with an SLA above a specified value (e.g., SLA ≥ 95%). The change only impacts the existing TaintToleration scheduler plugin and does not introduce new scheduling algorithms or stages.
The primary motivation is to support clusters with mixed-capacity nodes (e.g., on-demand and spot instances) through a node-centric policy model. Unlike NodeAffinity, which requires configuring every workload individually and lacks eviction capabilities, taints allow nodes to advertise risk levels while workloads explicitly opt in. This preserves existing taint semantics, including NoExecute-based eviction, provides centralized operational control, reduces configuration drift, and aligns with other Kubernetes safety mechanisms such as memory-pressure and disk-pressure taints. The KEP is currently in the Alpha stage.
Other Merges
- The internal Pod conversion refactor advances with a five-PR series (PodSpec 1–5) reorganizing PodSpec and PodStatus internals: ExpirationSeconds, Quobyte field order, PodSecurityContext fields, field reordering, and DeprecatedServiceAccount as groundwork for the next phase of declarative-validation generators.
- The watchcache interval source is refactored in
apiserver/storage, simplifying how the cacher pulls events from etcd watch streams. - Introduces the
WatchListCompressionfeature gate, enabling compressed responses for streamingLISTrequests served through the watch cache. - Fixes a scheduler bug where gated pods were not flushed at the same frequency as non-gated pods, eliminating a latency disparity for gated workloads.
- The scheduler now logs an error when the
GangSchedulingplugin is missing from aGenericWorkloadconfiguration, making misconfiguration easier to diagnose. - kubelet: the
--event-burstCLI flag description is updated to match its actual default, correcting documentation drift. - Fixes a DRA allocator bug where widening config was incorrectly scoped at the subrequest level, restoring expected allocation semantics for DRA requests with subrequests.
Subprojects and Dependency Updates
- containerd v2.3.2: fix CVE-2026-50195, fix CVE-2026-53488/53492/53489/47262, fix Windows shim log race, fix concurrent startup failures; also v2.2.5, v2.1.9, v2.0.10, v1.7.33
- nerdctl v2.3.3: fix CVE-2026-53488, update to containerd v2.3.2, compose run honors –workdir
- prometheus v3.13.0-rc.1: fix XSS CVE-2026-44990, credentials no longer forwarded on cross-host redirects, add experimental metric search API; also v3.5.4
- cluster-api v1.14.0-alpha.0: alpha release, 13 new features, 12 bug fixes, 7 breaking changes; also v1.13.3, v1.12.9
- cluster-api-provider-vsphere v1.17.0-alpha.0: alpha release
- vsphere-csi-driver v3.7.2: upgrade Go 1.26.3, fix CVE-2026-42504, fix CVE-2026-42501
Shoutouts
- subhasmita: Shoutout to @Karim Farid, @Lauri Apple, @Dhanisha Phadate, @ChengHao Yang (tico88612), and @Ofir Cohen (ofirc) for helping make the Enhancements Freeze a success. Their thorough reviews, timely follow-ups, and steady coordination with SIGs and enhancement owners ensured every enhancement was tracked, reviewed, and in the right state before the deadline. Notably, three of them were first-time shadows who did an amazing job. Great teamwork and dedication all.
Last Week In Kubernetes Development (LWKD) is a product of multiple contributors participating in Kubernetes SIG Contributor Experience. All original content is licensed Creative Commons Share-Alike, although linked content and images may be differently licensed. LWKD does collect some information on readers, see our privacy notice for details.
You may contribute to LWKD by submitting pull requests or issues on the LWKD github repo.