wg-batch co-chair Kevin Hannon is stepping down to focus on workload-aware scheduling efforts and will become co-chair of wg-workload-aware-scheduling. He has nominated Amy Chen (@amy) as the new wg-batch co-chair, citing her work on Kueue observability, end-user advocacy, and community engagement.
KubeCon North America Maintainer Track CFP is open until July 12. Maintainer Track speaking slots are reserved for SIG Chairs and Tech Leads; contributors interested in presenting should coordinate with their SIG Chair to submit through the SIG’s allocated slot.
Kubernetes v1.37 Release Schedule is out!
The v1.37 release schedule is now available. The cycle began May 18 and is targeting August 26 for the final release. Key milestones include Enhancements Freeze on June 17 and Code Freeze on July 23.
Dipesh Rawat will serve as Release Lead for v1.37 alongside the release team and shadows. The Call for Enhancements is now open, and SIGs should begin preparing KEPs for the upcoming cycle.
The cherry-pick deadline for the June patch releases is June 5.
139232: validation-gen: elide RegisterValidations for packages with no TypeMeta validations
The declarative-validation toolchain has been graduating quickly over the past several weeks, first the introduction of the +k8s:eachVal tag chain in #138629, then the coverage guardrail in #138872. One side effect of running validation-gen across every API package was a long tail of generated files that registered nothing; empty RegisterValidations functions whose bodies were just return nil. They added no behaviour, but they did add review burden, vendor noise, and confusion for contributors trying to understand which packages actually participate in declarative validation.
This change moves a hasRootTypesWithValidations() check into emitRegisterFunction itself so the generator simply no-ops when there’s nothing to register, removing 26 empty generated files across pkg/apis/admission, pkg/apis/apps, pkg/apis/policy, and other API package directories. It is also a prerequisite now, for #139101, the next step in the same series. This is scoped to SIG API Machinery, and is targeted at the v1.37 milestone.
KEP-5237: Convert route controller to watch-based reconciliation
This enhancement introduces a watch-based reconciliation mechanism for the Kubernetes route controller using informers, replacing the previous fixed 10-second polling loop. The change reduces unnecessary API requests to infrastructure providers, improves responsiveness when nodes are added or updated, and aligns the route controller with other informer-driven Kubernetes controllers. Additional work also introduced route synchronization metrics along with supporting documentation and feature blog updates.
The watch-based route controller reconciliation enhancement is currently in Alpha stage.
apiserver_storage_list_* metrics now include storage and index labels to distinguish the storage backend and lookup path used to serve LIST requests.ContainerRuntimeVersion validates if the installed container runtime supports the RuntimeConfig gRPC method.nominatedNodeName, just like a normal preempting pod does.syncProxyRules could take tens of seconds in clusters with many Services because GetAllLocalAddressesExcept issued one full netlink address dump per interface. The function now issues a single dump per address family, reducing syncProxyRules latency by orders of magnitude on large clusters.DisruptionMode enum field to struct to support future extensibility.AnnotatedEventf method to the new events API (EventRecorder and EventRecorderLogger interfaces in client-go/tools/events),kubectl describe statefulset output.apiserver_cache_list_total, apiserver_cache_list_fetched_objects_total, and apiserver_cache_list_returned_objects_total are no longer exposed by default. Should migrate to the unified apiserver_storage_list_* metrics with storage="watchcache" label.DefaultWatchCacheSize field of k8s.io/apiserver/pkg/server/options.EtcdOptions is now removed.apiserver_watch_events_total and apiserver_watch_events_sizes to BETAserviceaccount_legacy_tokens_total, serviceaccount_stale_tokens_total, serviceaccount_valid_tokens_total to betaapiserver_webhooks_x509_missing_san_total and apiserver_webhooks_x509_insecure_sha1_total metrics to BETA.The 2026 Steering Election cycle has officially begun, with ContribEx appointing Nina Polshakova, Sreeram Venkitesh, and Rey Lejano as this year’s Election Officers. Xander Grzywinski and Christopher Tineo will serve as Alternate Officers.
KubeCon North America CFP closes on May 31. Submit your talks before the deadline.
KubeCon North America Maintainer Track CFP is open until July 12. Maintainer Track speaking slots are reserved for SIG Chairs and Tech Leads; contributors interested in presenting should coordinate with their SIG Chair to submit through the SIG’s allocated slot.
Kubernetes v1.37 Release Cycle Kicks Off, 18th May 2026
The v1.37 release schedule has been posted, with the release cycle beginning May 18.
Applications for the Kubernetes v1.37 Release Team shadow program closed on May 15, with selected applicants announced on May 22.
Kubernetes Patches v1.33.12, v1.34.8, v1.35.5, and v1.36.1 have been released.
Common Expression Language (CEL) admission evaluation pipeline has been optimized to avoid repeatedly converting the same API object during policy evaluation. The CEL admission plugin backs ValidatingAdmissionPolicy and related features, and converts each runtime.Object into a CEL-evaluable representation before a policy expression can run against it. When a request is subject to multiple policies or webhooks, the same object was being converted again for every evaluation, and that conversion became a measurable CPU bottleneck on busy API servers. Under a 200 QPS load test with five ValidatingAdmissionPolicies, the change reduces API server CPU usage from roughly 1.10 cores to 0.93 cores, an approximately 15% reduction, while leaving light-policy workloads functionally unchanged.
The fix introduces a LazyObject abstraction wrapping VersionedObject and VersionedOldObject in VersionedAttributes. LazyObject caches the CEL ref.Val representation on first use and automatically clears it whenever the underlying object is mutated via Set(), so the conversion cost is paid at most once per object per request, and not at all when CEL evaluation is skipped, such as for empty expression groups. Encapsulating the cache this way also resolves a class of desynchronization bugs where an object mutated during mutating admission could leave a stale CEL representation behind. The PR is scoped to SIG API Machinery, and is targeted at the v1.37 milestone.
This enhancement simplifies Kubernetes node troubleshooting by allowing cluster administrators to securely stream logs from control-plane and worker nodes through a kubelet API or kubectl plugin, eliminating the need to SSH into nodes or build custom log readers. In the past, debugging components such as the kubelet, kube-proxy, or API server often requires direct node access just to inspect logs, which can be cumbersome and operationally inefficient. This feature provides centralized access to logs from Linux nodes using systemd/journald, services writing to /var/log/, and supported Windows worker nodes logging to C:\var\log and Application logs. Since node logs may contain sensitive information, access would be restricted to cluster administrators. The KEP does not cover support for non-systemd Linux distributions, nodes with cluster connectivity or configuration issues, or services that do not log to standard locations like /var/log/.
KEP-2258 (Node Log Query) was introduced in Alpha in v1.27, moved to Beta in v1.30, and has now graduated to GA in v1.36.
apiserver_watch_cache_initialization_duration_seconds recording the duration of the most recent watch cache initialization, labeled by group and resource.dynamic_resource_allocation_resourceclaim_creates_total as metric for number of ResourceClaims created, replacing differently names metrics in each component.net.ipv4.tcp_slow_start_after_idle and net.ipv4.tcp_notsent_lowat to the allowed safe sysctls list.",inline" to simply "".PatchPodStatus API in the scheduler framework to accept a [slice of Pod conditions ([]*v1.PodCondition)(https://github.com/kubernetes/kubernetes/pull/135160) instead of a single condition (*v1.PodCondition). This allows scheduler plugins to update multiple Pod conditions in a single API call, preventing newer calls from overwriting older ones when multiple conditions need to be updated concurrently.SIG Autoscaling has nominated Jack Francis as a new SIG Chair as Guy Templeton steps down from the role after years of leadership and contributions to the SIG. Thank you, Guy Templeton, for everything you’ve done for SIG Autoscaling. The proposal also names Omer Aplatony as Tech Lead and adds dedicated Node Autoscaling and Workload Autoscaling Tech Lead roles.
Next Tuesday is the monthly New Contributor Orientation. As part of a new SIG-focused format for NCOs, next week’s AMER session will be focused on SIG Release, hosted by @Kat Cosgrove. Join the AMER session to learn how SIG Release helps deliver Kubernetes releases and how you can get involved.
Next Deadline: 1.37 Release Team Shadow Program, May 15th
Applications for the Kubernetes v1.37 Release Team shadow program closes on May 15, with selected applicants announced on May 22. If you want to learn how Kubernetes release team work and contribute to the release process, this is a great opportunity to get involved. Learn more in the Release Team Overview, Shadows Guide, Role Handbooks, and Selection Criteria.
Kubernetes Patches v1.33.12, v1.34.8, v1.35.5, and v1.36.1 have been released.
yongruilin has landed an in-process coverage gate for declarative-validation rules that fails CI when a +k8s: DV tag has no test exercising it. The PR spans SIG API Machinery, SIG Scheduling, and SIG Testing, and is targeted at the v1.37 milestone. Declarative validation moves API field validation rules out of hand-written Go code and into struct-tag annotations on the API types, generated into validators by validation-gen. The benefit is enormous; co-located rules, version-consistent validation, and a clear audit surface but until now there was no way to prove that every declared rule was actually being exercised by tests. A contributor could add a +k8s:maxBytes=64 tag to a field, regenerate validators, and merge a green PR even if no test ever fed that field a value over 64 bytes. This guardrail closes that gap.
authorizer.Authorizer interface to authorizer.UnconditionalAuthorizerluxas has landed the kickoff of a five-part series introducing conditional authorization to Kubernetes by renaming every existing usage of authorizer.Authorizer to authorizer.UnconditionalAuthorizer, and renaming initializer.WantsAuthorizer to initializer.WantsUnconditionalAuthorizer. The PR spans SIG Auth, SIG API Machinery, SIG Node, SIG Scheduling, and WG Device Management, and is targeted at the v1.37 milestone. Today, the authorizer.Authorizer interface is the only authorization contract in tree, and any function that takes one can issue arbitrary authorization decisions even if it only ever needs to ask simple “is this principal allowed to do X” questions. The refactor splits this into two contracts: a small UnconditionalAuthorizer that callers ask for when they only need traditional unconditional decisions, and a fuller Authorizer interface (extended in #137204) that callers must explicitly opt into when they need to evaluate conditions on the request. This narrows the API surface receivers can use and makes it visible in the type system which call sites can take conditional logic.
KEP-127: Support User Namespaces
The Kubernetes User Namespaces KEP introduces support for Linux user namespaces to improve pod security and isolation by allowing processes inside containers to run with different user and group IDs than on the host system. This means a process can run as root inside the container while remaining an unprivileged user on the host, significantly reducing the impact of container breakout vulnerabilities. The feature strengthens defense-in-depth, improves multi-tenant security, and helps mitigate several known and future container escape vulnerabilities by limiting host-level privileges even if a workload escapes the container boundary.
User Namespaces became GA in 1.36.
StorageVersionMigration to use merge patch over SSAauthorizer.Authorizer might now choose to accept only a smaller interface, authorizer.UnconditionalAuthorizer, in case only the receiver only needs to perform unconditional authorization requests and wants to signal this in the code for clarity. Any authorizer implementation must still implement the full authorizer.Authorizer interface.GetPerformanceInfo() fails.[ConsistentListFromCacheSkipTimeoutFallback](https://github.com/kubernetes/kubernetes/pull/138701/changes) .When enabled, kube-apiserver returns HTTP 429 for consistent LIST requests that cannot be served from watch cache within the timeout window, instead of falling back to storage.KUBECTL_PATH environment variable when executing a plugin.v2 for aggregated discovery and not fall back to v2beta1kubectl drain --disable-eviction --dry-run=server no longer hangs indefinitely.OnDelete update strategy now correctly updates Status.CurrentRevision after all pods are recreated with the new revision.The Agent Sandbox subproject has published a Kubernetes blog post, Running Agents on Kubernetes with Agent Sandbox, and progressed to v0.4.3 since v0.1.1. Updates include default network isolation, persistent storage support, Python SDK improvements, a new Go client, and controller stability enhancements.
The Kubernetes v1.37 Release Team shadow application is open until May 15, 2026, with results announced on May 22. The release cycle is expected to run from May 18 to August 26. Learn more in the Release Team Overview, Shadows Guide, Role Handbooks, and Selection Criteria. Updates will be shared in the #sig-release Slack channel and kubernetes/sig-release repository.
KubeCon North America CFP closes on May 31. Submit your talks before the deadline.
KubeCon North America Maintainer Track CFP is also open. Submit your sessions by July 12.
Next Deadline: Release Cycle Starts, soon
Cherry-picks for the next patch releases are due this Friday, May 8.
aaron-prindle has migrated handwritten per-item byte-length validation for ResourceSlice.spec.devices[*].attributes[*].strings[*] to declarative validation as part of KEP-5073: Declarative Validation with validation-gen. The PR was reviewed and approved by thockin and contributors from SIG API Machinery and WG Device Management, and is the first use of the +k8s:eachVal tag in the kubernetes/kubernetes API surface.
Declarative validation moves API field validation from hand-written Go code into machine-generated code driven by struct-tag annotations on the API types themselves. The benefit for contributors is that validation rules become co-located with the field they validate, far easier to audit, and consistent across all API versions. The benefit for users is reduced surface area for subtle validation drift between API versions and improved API server performance over time.
This PR adds the +k8s:alpha(since: "1.37")=+k8s:eachVal=+k8s:maxBytes=64 tag chain to the v1, v1beta1, and v1beta2 resource API types, regenerates the declarative validation code, and adds equivalence coverage tests verifying the byte-count semantics on both create and update boundary cases. Notably, the PR uses +k8s:maxBytes rather than +k8s:maxLength because the existing handwritten validation enforces a byte limit via Go’s len(string) and field.TooLong, so the tests use the two-byte UTF-8 character é to confirm byte-count behaviour. The handwritten validation remains authoritative; this migration begins the soak period required to graduate the +k8s:eachVal tag to StabilityLevelBeta.
KEP-5710: Workload-aware preemption
This KEP proposes enhancing the Kubernetes scheduler with workload-aware preemption, shifting from a pod-centric to a workload-centric approach. Building on KEP-4671’s Workload and PodGroup APIs, it introduces concepts like pod group priority and defining preemption units at the workload level, starting with a simple implementation based on existing pod preemption. The motivation stems from tightly coupled workloads such as AI training and multihost inference that depend on continuous coordination across multiple pods, where disruption of even a single pod halts overall progress. Current preemption mechanisms fail to account for this, especially in resource constrained environments where prioritization and efficient hardware utilization are critical. By standardizing workload-aware preemption within core Kubernetes, this proposal aims to better support such workloads, improve resource utilization, and enable deeper integration with other features like autoscaling and disruption management.
This KEP is currently in Alpha stage for Kubernetes v1.36.
kubeadm init, if the default admin.conf and super-admin.conf paths are used, load the files but construct in-memory kubeconfigs that point to the InitConfiguration.localAPIEndpoint instead of the ClusterConfiguration.controlPlaneEndpoint, resolving issues with delayed load balancers provisioned only after the first kube-apiserver instance startsorValue() and has()The AI Conformance subproject has moved to the SIG Architecture mailing list; contributors should join sig-architecture@kubernetes.io for future AI Conformance meeting invites and announcements.
There is an active discussion on the AI usage policy’s interaction with GitHub Copilot and CLA mechanics; contributors using Copilot-generated commits should review the thread before submitting PRs.
Kubernetes v1.36: ハル (Haru) has been released last week along with Kubernetes v1.33.11, v1.34.7, and v1.35.4 patches.
Kubernetes 1.33 entered maintenance mode on Apr 28, 2026.
KEP-4781: Restarting kubelet does not change pod status
This KEP proposes improving how kubelet handles Pod readiness during restarts by preserving the existing Started and Ready states instead of resetting them to False. Currently, when kubelet restarts, it loses prior probe results and marks all pods as not ready, even if they were functioning correctly. This can cause unnecessary service disruptions, incorrect health signals, and trigger avoidable alerts or load balancing changes. The goal is to ensure pod status more accurately reflects real runtime conditions, improving reliability and availability during kubelet restarts.
KEP-4781 is currently in the Alpha stage, with the feature implemented behind the ChangeContainerStatusOnKubeletRestart feature gate. It is not yet scheduled for an active release and is expected to progress in a future release cycle once further validation and iteration are completed.
.status.resourceClaimStatuses could flap between partial lists of claims when multiple claims were used in the pod.localAPIEndpoint.address or --bind-address extraArgs) instead of all interfaces, for kube-apiserver, kube-scheduler, kube-controller-manager, and etcd.metadata.generation and status.observedGeneration fields.kubectl exec.--advertise-address IP when using --endpoint-reconciler-type master-count or lease, ensuring the IP can be persisted to an Endpoints API object.MakeMountArgsSensitiveWithMountFlags.kubeproxydaemonset patch target to allow patching the kube-proxy DaemonSet during kubeadm init and kubeadm upgrade, consistent with the existing corednsdeployment patch target.MultiLock, UnknownLeader, and ConcatRawRecord in the client-go leader election resourcelock package.CauseType values in PodDisruptionBudget-related Forbidden errors, so clients can distinguish PDB invalid-state errors without string-matching on the message.kubectl get crd now displays additional columns — GROUP, SCOPE, VERSIONS, and CREATED AT — providing at-a-glance visibility into each CRD’s API group, scope, served versions, and creation timestamp.kubectl get storageclass to show only the effective default StorageClass as (default) when multiple StorageClasses have the default annotation.image.reference fields in Pod templates across Deployment, StatefulSet, DaemonSet, Job, and similar resources.maxUnavailable budget.AssignedPod, UnscheduledPod, and TargetPod — allowing plugins to register only for the specific pod events they need, improving performance.AnyVolumeDataSource, locked and enabled since v1.33.--concurrent-service-syncs kube-controller-manager flag, which has been a no-op since v1.31.KubeletMinVersion gate from the DRA multiple ResourceClaims e2e test, as the feature is now sufficiently available.Kubernetes 1.36 has been released, with features including fine-grained kubelet API authorization reaching GA, MutatingAdmissionPolicy graduating to stable for declarative request mutation, and new Workload Aware Scheduling features enabling group-based (PodGroup) scheduling; more details are available in the official release blog.
Kernel Module Management (KMM) operator v2.6.0 has been released with support for image rebuild triggers, host kernel module mounts, glob patterns for file signing, and hardened container security contexts.
SIG etcd has nominated Josh Berkus (@jberkus) for a new leadership role as a co-chair; lazy consensus is open on the dev mailing list.
The Kubernetes project’s new GitHub Actions security policy is now enforced at the enterprise level, so workflows using mutable action refs like tags, branches, or latest will fail and maintainers need to pin actions to full 40-character commit SHAs.
Kubernetes v1.36.0 has been released 🎉
Kubernetes Patches for v1.33.11, v1.34.7, and v1.35.4 have been built and pushed using Golang version 1.25.9.
KEP-5538: CSI driver opt-in for service account tokens via secrets field
This KEP proposes an opt-in mechanism for CSI drivers to receive service account tokens through the dedicated secrets field in NodePublishVolumeRequest instead of the volume_context field. Currently, when TokenRequests is enabled in the CSIDriver spec, kubelet generates service account tokens and passes them via volume_context, which is intended for non-sensitive metadata like pod name and namespace. This design has led to security issues, including CVE-2023-2878 and CVE-2024-3744, where tokens were exposed in logs because tools like protosanitizer do not treat volume_context as sensitive data. As a result, individual CSI drivers have had to implement inconsistent and error-prone workarounds for sanitization. This proposal addresses the issue by allowing drivers to explicitly opt into receiving tokens via the secrets field, which is designed for sensitive information and ensures proper handling and sanitization, while keeping the default behavior unchanged for backward compatibility.
In Kubernetes v1.35, the feature is in Beta with the CSIServiceAccountTokenSecrets feature gate enabled by default, introducing the opt-in field in CSIDriver and ensuring backward-compatible behavior.
The Steering Committee has published an updated AI usage policy where contributors must disclose AI use in PR descriptions, and AI tools may not be listed as co-authors or co-sign commits.
CVE-2026-3865 is a Medium-severity path traversal vulnerability in the CSI Driver for SMB; upgrade to v1.20.1 or later.
WG AI Integration has been disbanded after its active projects (agent-sandbox, mcp-lifecycle-operator, kube-agentic-networking) moved to their respective SIGs.
Viktória Spišaková is stepping down from WG Checkpoint-Restore with Andrey Velichkevich nominated as her replacement; lazy consensus deadline is April 17 2026.
The New Contributor Orientation is next week on Tuesday April 21. This week is the first of the new SIG-run format; SIG-CLI is offering this one, so if you wanted to get started contributing to kubectl, join them.
Next Deadline: Kubernetes v1.36.0 Release, April 22
Kubernetes v1.36.0-rc.0 is now available, built with Go 1.26.0.
Docs Freeze for v1.36 landed last week, and the release-1.36 branch has been created as we move into the final stages of the release cycle.
Cherry-picks for the April patch releases closed April 10, with the release targeted for April 14.
KEP-740: Support external signing of service account tokens
This KEP allows kube-apiserver to use external key management systems (such as HSMs or cloud KMS) for service account JWT signing instead of static on-disk keys. Currently, keys are loaded at startup and require a restart for rotation, making key management inflexible. By integrating external signers, the system enables seamless key rotation without restarts and improves security by ensuring that sensitive signing material is not stored on disk or exposed, reducing the risk of key exfiltration.
The feature was introduced as alpha in v1.32, promoted to beta in v1.34 and is graduating to GA in v1.36.
The KEP is authored by @micahhausler and @harshaln, with reviews and approvals from contributors in the SIG Auth community.
The NVIDIA DRA Driver for GPUs has been officially onboarded as a SIG Node subproject in kubernetes-sigs, formally moving community governance of the GPU DRA driver that NVIDIA donated at the 2026 KubeCon+CloudNativeCon EU into upstream Kubernetes.
A CPU DRA Driver v0.1.0 has been released, enabling exclusive CPU pinning for workloads via the DRA framework with support for aligning CPU allocations with other DRA-managed resources such as NICs and GPUs.
The Kubernetes contributor guide has been updated with a new AI usage and disclosure policy; all contributors should review the changes before using AI tools in their Kubernetes contributions.
The ingress-nginx and ingate Slack channels have been archived following the project’s retirement in March; contributors should migrate to #gateway-api or other relevant channels.
The Kubernetes Steering Committee will move all Kubernetes meeting management to the LFX Platform to address broken invites and limited access for subproject leads. The system centralizes scheduling, enables subprojects to manage meetings, and syncs with the Kubernetes calendar. Community leads will be required to create LFX accounts.
Steering added mandatory requirements to the Kubernetes AI policy. Contributors must disclose AI usage in pull requests. AI tools cannot be listed as co-authors or co-sign PRs due to Linux Foundation legal restrictions. Also, do not add mentions like “assisted by AI” in commit trailers, to prevent third-party marketing misuse.
The GitHub Admin Team introduced a per-repo opt-in policy for AI code review tools. It defines the lifecycle: request, security review, 90-day trial, and evaluation. Please review and provide feedback.
To improve onboarding, ContribEx will replace the current NCO presentations with a SIG-focused format, as they were too general. This updated approach aims to make sessions more relevant and actionable, with SIG leads playing a key role in delivering them.
Next Deadline: Docs Freeze, 9th April 2026
We’re heading into Docs Freeze for v1.36, landing April 9. The release-1.36 branch will be created alongside Docs Freeze, marking the final stages of the release cycle.
Cherry-picks for the next round of patch releases are due April 10.
KEP-5075: DRA Consumable Capacity
This KEP introduces support for consumable capacity in Dynamic Resource Allocation (DRA), enabling multiple independent resource claims to allocate and share portions of the same underlying device. Unlike the traditional exclusive allocation model, this approach allows efficient device sharing across unrelated pods and namespaces while ensuring that total allocated capacity remains within device limits through a scheduler-enforced consumable capacity model.
This approach supports shared network devices via CNI, virtual GPU memory allocation, and other multi-allocatable devices. It introduces mechanisms for capacity-aware scheduling, per-request capacity requirements, consumed capacity tracking, and safeguards to prevent unintended duplicate allocations within a single claim.
The feature became alpha in Kubernetes 1.34 should become beta in 1.36.
UserNamespacesHostNetwork runtime handler and integrates the UserNamespacesHostNetworkSupport feature gate with the NodeDeclaredFeatures feature gate.Pod.Status.InPlacePodLevelResourcesVerticalScaling is enabled.A new Kubernetes policy requires GitHub Actions workflows to pin actions using full 40-character commit SHAs instead of mutable references like latest or main. Non-compliant workflows will fail after April 15, 2026, so maintainers should update workflows and use Dependabot to keep them up to date, see details.
The default branch of the kubernetes/community repository has been renamed from master to main. Open PRs were automatically retargeted and existing /master/ links will continue to work, but contributors should update local branches and forks to stay aligned, see tracking issue.
SIG Release has updated platform support tiers and artifacts documentation with clearer, measurable criteria and a simplified structure, with no changes to supported platforms or artifacts, see PR.
A high-severity ingress-nginx vulnerability (CVE-2026-4342) enables configuration injection and potential code execution, affecting versions below v1.13.9, v1.14.5, and v1.15.1 as outlined in the issue. With ingress-nginx now EOL, users should upgrade and migrate.
Next Deadline: Docs Freeze, 9th April 2026
Code Freeze for v1.36 is now in effect. Enhancements that did not meet the freeze criteria have been removed from the milestone. Docs PRs and Release Highlights were due March 31, with Docs Freeze landing April 9 (AoE April 8).
Patch Releases
Kubernetes v1.36.0-beta.0, v1.35.3, v1.34.6, v1.33.10 were released last week, delivering the latest fixes and updates.
jrvaldes has promoted the NodeLogQuery feature to General Availability in Kubernetes v1.36 as part of KEP-2258: Node Log Query Enhancements. The PR was reviewed and approved by maintainers including liggitt and contributors from SIG Node and SIG Windows.
NodeLogQuery allows cluster administrators to retrieve node-level system and service logs directly through the Kubernetes API by proxying requests through the kubelet. Instead of logging into nodes with SSH or RDP and manually searching logs with tools such as journalctl or the Windows Event Viewer, operators can query logs with a single kubectl command.
The feature was originally introduced in Kubernetes 1.27 as an alpha capability and progressed to beta in Kubernetes 1.30 before graduating to GA in v1.36. During this time the implementation matured with improvements to filtering, cross-platform support for both Linux and Windows nodes, and security hardening after the discovery of CVE-2024-9042 affecting the Windows implementation.
Under the hood, the kubelet exposes a /logs/ HTTP endpoint that queries the operating system’s native logging infrastructure (journalctl on Linux and Get-WinEvent on Windows), allowing Kubernetes to provide a unified interface for retrieving node logs regardless of operating system.
The feature originated from work led by Aravindh Puthiyaparambil and contributors across SIG Windows and SIG Node. With the GA promotion, the NodeLogQuery feature gate is now locked to enabled, making node log queries a stable part of the Kubernetes debugging and observability toolkit.
KEP-4815: DRA: Add support for partitionable devices
This KEP restores the ability of Dynamic Resource Allocation (DRA) to support on-demand device partitioning within the newer “structured parameters” framework, enabling more efficient utilization of resources like GPUs and other accelerators. It introduces mechanisms for vendors to represent both full devices and overlapping partitions compactly, allowing the scheduler to safely allocate non-conflicting partitions while enabling dynamic creation of those partitions after allocation—without changing the existing user-facing ResourceClaim workflow.
The proposal is driven by use cases such as GPU partitioning, multi-host TPU scheduling, SR-IOV, and ensuring valid device topologies across single and multi-node environments, while also supporting logical devices composed of multiple physical resources.
The feature is currently under proposal stage, with ongoing discussions focused on restoring lost flexibility from “classic” DRA and aligning it with structured parameters, and is expected to evolve through standard Kubernetes release stages (alpha, beta, GA) based on implementation maturity and community feedback.
Unused condition on PersistentVolumeClaimStatus.MemoryQoS: memory.min for Guaranteed pods, memory.low for Burstable pods, with node-level metrics and rollback reconciliation (KEP-2570).preloadedImagesVerificationAllowlist in Kubelet’s configuration.PodGroupScheduled condition reflecting whether the group was successfully scheduled or is unschedulable.PodGroupPodsCount scheduler plugin to support workload-aware scheduling by prioritizing placements with higher pod counts within a group.RestartContainer on non-sidecar initContainers, as the resize of such containers has never been supported.ReconcilePoolWithName allows per-pool reconciliation without setting NodeName on slices.nf_conntrack_max to 1,048,576 to prevent excessive memory consumption on high-core machines when using automatic calculation.spec.resourceClaims field which can refer to ResourceClaims and ResourceClaimTemplates.StreamPodSandboxes, StreamContainers, StreamContainerStats, StreamPodSandboxStats, StreamPodSandboxMetrics) and New ImageService streaming RPC (StreamImages).DisruptionMode, PriorityClassName and Priority fields to Workload and PodGroup APIs to support workload-aware preemption when WorkloadAwarePreemption feature gate is enabled.UserNamespacesHostNetwork runtime handler and integrates the UserNamespacesHostNetworkSupport feature gate with the NodeDeclaredFeatures feature gate.DRAResourceClaimGranularStatusAuthorization feature gate is enabled (Beta in 1.36).PodReadyToStartContainers condition immediately after sandbox creation rather than after image pull, reducing the time to condition True.kubectl describe node now lists aggregated ResourceSlices when the ResourceSlice API is present, detailing slice name, driver, and pool.Kubecon Europe 2026 is next week! The KubeCon EU Maintainer Summit is now sold out, and the CNCF will not allow unregistered contributors to attend due to high demand. Regardless, do join us for the Kubernetes Meet & Greet on Wednesday, March 25, which is not sold out.
The NFS CSI Driver patched a security vulnerability which could allow unauthorized users to modify or delete files.
KubeCon Japan CFP (Maintainer Track + Lightning Talks) closes April 12. KubeCon Japan Regular CFP is open until 29 March 2026. KubeCon + CloudNativeCon + OpenInfra Summit + PyTorch Conference China CFP (Maintainer Track + Lightning Talks) closes May 3, 23:59 CST / 21:29 IST / 15:59 UTC / 11:59 EDT
ingress-nginx will reach End of Life (EOL) on March 31, concluding its best-effort maintenance period.
Next Deadline: Code & Test Freeze, 19th March 2026
Code & Test Freeze for v1.36 starts tomorrow. Make sure your feature work is completed and merged before the deadline. After the freeze, only critical fixes will be accepted, and other changes will require an exception.
The March Kubernetes patch releases are delayed and are currently expected to be cut early this week.
137454: KEP-4265: promote ProcMountType to GA
Joe Beda has promoted the ProcMountType feature to General Availability as part of KEP-4265. The change was reviewed and approved by contributors including Jordan Liggitt and members of SIG Auth, SIG Node, and SIG CLI.
ProcMountType allows Kubernetes workloads to control how the Linux /proc filesystem is mounted inside containers. The /proc filesystem exposes information about running processes on a host, which can be useful for debugging and monitoring but may also reveal sensitive host details. The feature allows containers to run with a more restricted /proc mount, helping isolate workloads from host process information and improving container security.
With this PR, the feature is considered stable and the associated feature gate has been removed from the API documentation. This means contributors and users can rely on the functionality as part of the core Kubernetes API going forward, without needing to enable experimental flags.
The work builds on earlier implementation and stabilization efforts, including related PRs such as #136792, which promoted the UserNamespacesSupport feature to GA and removed remaining feature-gate references across the codebase. These changes collectively advance Kubernetes’ support for stronger container isolation features in the Linux kernel.
The feature is relevant to multiple parts of the Kubernetes project, including kubelet behavior, container runtime interactions, and workload security configuration. Contributors working in areas such as pod security, container runtime integration, and node lifecycle management may encounter this functionality when configuring process namespace and /proc access within pods.
For more details, see the enhancement proposal in KEP-4265 and the discussion in the pull request above.
KEP-4671: Gang Scheduling using Workload Object
This KEP implements gang scheduling in kube-scheduler, proposed by SIG Scheduling, enabling Kubernetes to schedule groups of Pods as a single unit using an all-or-nothing model. It introduces the Workload and PodGroup APIs, allowing the scheduler to wait until a minimum number of Pods can be scheduled together before binding them, improving support for distributed workloads like AI/ML and batch jobs.
SIG Scheduling contributors are actively working on API refinements and scheduler behavior, with ongoing discussions around evolving toward a more workload-aware scheduling model.
KEP-4671 reached alpha in Kubernetes v1.35 behind the GenericWorkload feature gate, and is expected to progress to beta in a future release, subject to API stability and testing.
apiserver.latency.k8s.io/impersonation audit event annotation when the ConstrainedImpersonation feature is enabled.status.resourceClaimStatuses[].resourceClaimName now refer correctly to the resourceClaimName field instead of the name field.kubectl kuberc set with options for setting credentialPluginPolicy and credentialPluginAllowlist.k8s.io/streaming and k8s.io/cri-streaming for Kubernetes streaming transport and CRI streaming server code.kubectl describe now defaults to showing related events only when describing a single object.pod.spec.resources, enabling two flexible resource management modelsKubeletPodResourcesDynamicResources and KubeletPodResourcesGet feature gates to GANodeDeclaredFeatures to beta.