SIG Autoscaling has nominated Jack Francis as a new SIG Chair as Guy Templeton steps down from the role after years of leadership and contributions to the SIG. Thank you, Guy Templeton, for everything you’ve done for SIG Autoscaling. The proposal also names Omer Aplatony as Tech Lead and adds dedicated Node Autoscaling and Workload Autoscaling Tech Lead roles.
Next Tuesday is the monthly New Contributor Orientation. As part of a new SIG-focused format for NCOs, next week’s AMER session will be focused on SIG Release, hosted by @Kat Cosgrove. Join the AMER session to learn how SIG Release helps deliver Kubernetes releases and how you can get involved.
Next Deadline: 1.37 Release Team Shadow Program, May 15th
Applications for the Kubernetes v1.37 Release Team shadow program closes on May 15, with selected applicants announced on May 22. If you want to learn how Kubernetes release team work and contribute to the release process, this is a great opportunity to get involved. Learn more in the Release Team Overview, Shadows Guide, Role Handbooks, and Selection Criteria.
Kubernetes Patches v1.33.12, v1.34.8, v1.35.5, and v1.36.1 have been released.
yongruilin has landed an in-process coverage gate for declarative-validation rules that fails CI when a +k8s: DV tag has no test exercising it. The PR spans SIG API Machinery, SIG Scheduling, and SIG Testing, and is targeted at the v1.37 milestone. Declarative validation moves API field validation rules out of hand-written Go code and into struct-tag annotations on the API types, generated into validators by validation-gen. The benefit is enormous; co-located rules, version-consistent validation, and a clear audit surface but until now there was no way to prove that every declared rule was actually being exercised by tests. A contributor could add a +k8s:maxBytes=64 tag to a field, regenerate validators, and merge a green PR even if no test ever fed that field a value over 64 bytes. This guardrail closes that gap.
authorizer.Authorizer interface to authorizer.UnconditionalAuthorizerluxas has landed the kickoff of a five-part series introducing conditional authorization to Kubernetes by renaming every existing usage of authorizer.Authorizer to authorizer.UnconditionalAuthorizer, and renaming initializer.WantsAuthorizer to initializer.WantsUnconditionalAuthorizer. The PR spans SIG Auth, SIG API Machinery, SIG Node, SIG Scheduling, and WG Device Management, and is targeted at the v1.37 milestone. Today, the authorizer.Authorizer interface is the only authorization contract in tree, and any function that takes one can issue arbitrary authorization decisions even if it only ever needs to ask simple “is this principal allowed to do X” questions. The refactor splits this into two contracts: a small UnconditionalAuthorizer that callers ask for when they only need traditional unconditional decisions, and a fuller Authorizer interface (extended in #137204) that callers must explicitly opt into when they need to evaluate conditions on the request. This narrows the API surface receivers can use and makes it visible in the type system which call sites can take conditional logic.
KEP-127: Support User Namespaces
The Kubernetes User Namespaces KEP introduces support for Linux user namespaces to improve pod security and isolation by allowing processes inside containers to run with different user and group IDs than on the host system. This means a process can run as root inside the container while remaining an unprivileged user on the host, significantly reducing the impact of container breakout vulnerabilities. The feature strengthens defense-in-depth, improves multi-tenant security, and helps mitigate several known and future container escape vulnerabilities by limiting host-level privileges even if a workload escapes the container boundary.
User Namespaces became GA in 1.36.
StorageVersionMigration to use merge patch over SSAauthorizer.Authorizer might now choose to accept only a smaller interface, authorizer.UnconditionalAuthorizer, in case only the receiver only needs to perform unconditional authorization requests and wants to signal this in the code for clarity. Any authorizer implementation must still implement the full authorizer.Authorizer interface.GetPerformanceInfo() fails.[ConsistentListFromCacheSkipTimeoutFallback](https://github.com/kubernetes/kubernetes/pull/138701/changes) .When enabled, kube-apiserver returns HTTP 429 for consistent LIST requests that cannot be served from watch cache within the timeout window, instead of falling back to storage.KUBECTL_PATH environment variable when executing a plugin.v2 for aggregated discovery and not fall back to v2beta1kubectl drain --disable-eviction --dry-run=server no longer hangs indefinitely.OnDelete update strategy now correctly updates Status.CurrentRevision after all pods are recreated with the new revision.The Agent Sandbox subproject has published a Kubernetes blog post, Running Agents on Kubernetes with Agent Sandbox, and progressed to v0.4.3 since v0.1.1. Updates include default network isolation, persistent storage support, Python SDK improvements, a new Go client, and controller stability enhancements.
The Kubernetes v1.37 Release Team shadow application is open until May 15, 2026, with results announced on May 22. The release cycle is expected to run from May 18 to August 26. Learn more in the Release Team Overview, Shadows Guide, Role Handbooks, and Selection Criteria. Updates will be shared in the #sig-release Slack channel and kubernetes/sig-release repository.
KubeCon North America CFP closes on May 31. Submit your talks before the deadline.
KubeCon North America Maintainer Track CFP is also open. Submit your sessions by July 12.
Next Deadline: Release Cycle Starts, soon
Cherry-picks for the next patch releases are due this Friday, May 8.
aaron-prindle has migrated handwritten per-item byte-length validation for ResourceSlice.spec.devices[*].attributes[*].strings[*] to declarative validation as part of KEP-5073: Declarative Validation with validation-gen. The PR was reviewed and approved by thockin and contributors from SIG API Machinery and WG Device Management, and is the first use of the +k8s:eachVal tag in the kubernetes/kubernetes API surface.
Declarative validation moves API field validation from hand-written Go code into machine-generated code driven by struct-tag annotations on the API types themselves. The benefit for contributors is that validation rules become co-located with the field they validate, far easier to audit, and consistent across all API versions. The benefit for users is reduced surface area for subtle validation drift between API versions and improved API server performance over time.
This PR adds the +k8s:alpha(since: "1.37")=+k8s:eachVal=+k8s:maxBytes=64 tag chain to the v1, v1beta1, and v1beta2 resource API types, regenerates the declarative validation code, and adds equivalence coverage tests verifying the byte-count semantics on both create and update boundary cases. Notably, the PR uses +k8s:maxBytes rather than +k8s:maxLength because the existing handwritten validation enforces a byte limit via Go’s len(string) and field.TooLong, so the tests use the two-byte UTF-8 character é to confirm byte-count behaviour. The handwritten validation remains authoritative; this migration begins the soak period required to graduate the +k8s:eachVal tag to StabilityLevelBeta.
KEP-5710: Workload-aware preemption
This KEP proposes enhancing the Kubernetes scheduler with workload-aware preemption, shifting from a pod-centric to a workload-centric approach. Building on KEP-4671’s Workload and PodGroup APIs, it introduces concepts like pod group priority and defining preemption units at the workload level, starting with a simple implementation based on existing pod preemption. The motivation stems from tightly coupled workloads such as AI training and multihost inference that depend on continuous coordination across multiple pods, where disruption of even a single pod halts overall progress. Current preemption mechanisms fail to account for this, especially in resource constrained environments where prioritization and efficient hardware utilization are critical. By standardizing workload-aware preemption within core Kubernetes, this proposal aims to better support such workloads, improve resource utilization, and enable deeper integration with other features like autoscaling and disruption management.
This KEP is currently in Alpha stage for Kubernetes v1.36.
kubeadm init, if the default admin.conf and super-admin.conf paths are used, load the files but construct in-memory kubeconfigs that point to the InitConfiguration.localAPIEndpoint instead of the ClusterConfiguration.controlPlaneEndpoint, resolving issues with delayed load balancers provisioned only after the first kube-apiserver instance startsorValue() and has()The AI Conformance subproject has moved to the SIG Architecture mailing list; contributors should join sig-architecture@kubernetes.io for future AI Conformance meeting invites and announcements.
There is an active discussion on the AI usage policy’s interaction with GitHub Copilot and CLA mechanics; contributors using Copilot-generated commits should review the thread before submitting PRs.
Kubernetes v1.36: ハル (Haru) has been released last week along with Kubernetes v1.33.11, v1.34.7, and v1.35.4 patches.
Kubernetes 1.33 entered maintenance mode on Apr 28, 2026.
KEP-4781: Restarting kubelet does not change pod status
This KEP proposes improving how kubelet handles Pod readiness during restarts by preserving the existing Started and Ready states instead of resetting them to False. Currently, when kubelet restarts, it loses prior probe results and marks all pods as not ready, even if they were functioning correctly. This can cause unnecessary service disruptions, incorrect health signals, and trigger avoidable alerts or load balancing changes. The goal is to ensure pod status more accurately reflects real runtime conditions, improving reliability and availability during kubelet restarts.
KEP-4781 is currently in the Alpha stage, with the feature implemented behind the ChangeContainerStatusOnKubeletRestart feature gate. It is not yet scheduled for an active release and is expected to progress in a future release cycle once further validation and iteration are completed.
.status.resourceClaimStatuses could flap between partial lists of claims when multiple claims were used in the pod.localAPIEndpoint.address or --bind-address extraArgs) instead of all interfaces, for kube-apiserver, kube-scheduler, kube-controller-manager, and etcd.metadata.generation and status.observedGeneration fields.kubectl exec.--advertise-address IP when using --endpoint-reconciler-type master-count or lease, ensuring the IP can be persisted to an Endpoints API object.MakeMountArgsSensitiveWithMountFlags.kubeproxydaemonset patch target to allow patching the kube-proxy DaemonSet during kubeadm init and kubeadm upgrade, consistent with the existing corednsdeployment patch target.MultiLock, UnknownLeader, and ConcatRawRecord in the client-go leader election resourcelock package.CauseType values in PodDisruptionBudget-related Forbidden errors, so clients can distinguish PDB invalid-state errors without string-matching on the message.kubectl get crd now displays additional columns — GROUP, SCOPE, VERSIONS, and CREATED AT — providing at-a-glance visibility into each CRD’s API group, scope, served versions, and creation timestamp.kubectl get storageclass to show only the effective default StorageClass as (default) when multiple StorageClasses have the default annotation.image.reference fields in Pod templates across Deployment, StatefulSet, DaemonSet, Job, and similar resources.maxUnavailable budget.AssignedPod, UnscheduledPod, and TargetPod — allowing plugins to register only for the specific pod events they need, improving performance.AnyVolumeDataSource, locked and enabled since v1.33.--concurrent-service-syncs kube-controller-manager flag, which has been a no-op since v1.31.KubeletMinVersion gate from the DRA multiple ResourceClaims e2e test, as the feature is now sufficiently available.Kubernetes 1.36 has been released, with features including fine-grained kubelet API authorization reaching GA, MutatingAdmissionPolicy graduating to stable for declarative request mutation, and new Workload Aware Scheduling features enabling group-based (PodGroup) scheduling; more details are available in the official release blog.
Kernel Module Management (KMM) operator v2.6.0 has been released with support for image rebuild triggers, host kernel module mounts, glob patterns for file signing, and hardened container security contexts.
SIG etcd has nominated Josh Berkus (@jberkus) for a new leadership role as a co-chair; lazy consensus is open on the dev mailing list.
The Kubernetes project’s new GitHub Actions security policy is now enforced at the enterprise level, so workflows using mutable action refs like tags, branches, or latest will fail and maintainers need to pin actions to full 40-character commit SHAs.
Kubernetes v1.36.0 has been released 🎉
Kubernetes Patches for v1.33.11, v1.34.7, and v1.35.4 have been built and pushed using Golang version 1.25.9.
KEP-5538: CSI driver opt-in for service account tokens via secrets field
This KEP proposes an opt-in mechanism for CSI drivers to receive service account tokens through the dedicated secrets field in NodePublishVolumeRequest instead of the volume_context field. Currently, when TokenRequests is enabled in the CSIDriver spec, kubelet generates service account tokens and passes them via volume_context, which is intended for non-sensitive metadata like pod name and namespace. This design has led to security issues, including CVE-2023-2878 and CVE-2024-3744, where tokens were exposed in logs because tools like protosanitizer do not treat volume_context as sensitive data. As a result, individual CSI drivers have had to implement inconsistent and error-prone workarounds for sanitization. This proposal addresses the issue by allowing drivers to explicitly opt into receiving tokens via the secrets field, which is designed for sensitive information and ensures proper handling and sanitization, while keeping the default behavior unchanged for backward compatibility.
In Kubernetes v1.35, the feature is in Beta with the CSIServiceAccountTokenSecrets feature gate enabled by default, introducing the opt-in field in CSIDriver and ensuring backward-compatible behavior.
The Steering Committee has published an updated AI usage policy where contributors must disclose AI use in PR descriptions, and AI tools may not be listed as co-authors or co-sign commits.
CVE-2026-3865 is a Medium-severity path traversal vulnerability in the CSI Driver for SMB; upgrade to v1.20.1 or later.
WG AI Integration has been disbanded after its active projects (agent-sandbox, mcp-lifecycle-operator, kube-agentic-networking) moved to their respective SIGs.
Viktória Spišaková is stepping down from WG Checkpoint-Restore with Andrey Velichkevich nominated as her replacement; lazy consensus deadline is April 17 2026.
The New Contributor Orientation is next week on Tuesday April 21. This week is the first of the new SIG-run format; SIG-CLI is offering this one, so if you wanted to get started contributing to kubectl, join them.
Next Deadline: Kubernetes v1.36.0 Release, April 22
Kubernetes v1.36.0-rc.0 is now available, built with Go 1.26.0.
Docs Freeze for v1.36 landed last week, and the release-1.36 branch has been created as we move into the final stages of the release cycle.
Cherry-picks for the April patch releases closed April 10, with the release targeted for April 14.
KEP-740: Support external signing of service account tokens
This KEP allows kube-apiserver to use external key management systems (such as HSMs or cloud KMS) for service account JWT signing instead of static on-disk keys. Currently, keys are loaded at startup and require a restart for rotation, making key management inflexible. By integrating external signers, the system enables seamless key rotation without restarts and improves security by ensuring that sensitive signing material is not stored on disk or exposed, reducing the risk of key exfiltration.
The feature was introduced as alpha in v1.32, promoted to beta in v1.34 and is graduating to GA in v1.36.
The KEP is authored by @micahhausler and @harshaln, with reviews and approvals from contributors in the SIG Auth community.
The NVIDIA DRA Driver for GPUs has been officially onboarded as a SIG Node subproject in kubernetes-sigs, formally moving community governance of the GPU DRA driver that NVIDIA donated at the 2026 KubeCon+CloudNativeCon EU into upstream Kubernetes.
A CPU DRA Driver v0.1.0 has been released, enabling exclusive CPU pinning for workloads via the DRA framework with support for aligning CPU allocations with other DRA-managed resources such as NICs and GPUs.
The Kubernetes contributor guide has been updated with a new AI usage and disclosure policy; all contributors should review the changes before using AI tools in their Kubernetes contributions.
The ingress-nginx and ingate Slack channels have been archived following the project’s retirement in March; contributors should migrate to #gateway-api or other relevant channels.
The Kubernetes Steering Committee will move all Kubernetes meeting management to the LFX Platform to address broken invites and limited access for subproject leads. The system centralizes scheduling, enables subprojects to manage meetings, and syncs with the Kubernetes calendar. Community leads will be required to create LFX accounts.
Steering added mandatory requirements to the Kubernetes AI policy. Contributors must disclose AI usage in pull requests. AI tools cannot be listed as co-authors or co-sign PRs due to Linux Foundation legal restrictions. Also, do not add mentions like “assisted by AI” in commit trailers, to prevent third-party marketing misuse.
The GitHub Admin Team introduced a per-repo opt-in policy for AI code review tools. It defines the lifecycle: request, security review, 90-day trial, and evaluation. Please review and provide feedback.
To improve onboarding, ContribEx will replace the current NCO presentations with a SIG-focused format, as they were too general. This updated approach aims to make sessions more relevant and actionable, with SIG leads playing a key role in delivering them.
Next Deadline: Docs Freeze, 9th April 2026
We’re heading into Docs Freeze for v1.36, landing April 9. The release-1.36 branch will be created alongside Docs Freeze, marking the final stages of the release cycle.
Cherry-picks for the next round of patch releases are due April 10.
KEP-5075: DRA Consumable Capacity
This KEP introduces support for consumable capacity in Dynamic Resource Allocation (DRA), enabling multiple independent resource claims to allocate and share portions of the same underlying device. Unlike the traditional exclusive allocation model, this approach allows efficient device sharing across unrelated pods and namespaces while ensuring that total allocated capacity remains within device limits through a scheduler-enforced consumable capacity model.
This approach supports shared network devices via CNI, virtual GPU memory allocation, and other multi-allocatable devices. It introduces mechanisms for capacity-aware scheduling, per-request capacity requirements, consumed capacity tracking, and safeguards to prevent unintended duplicate allocations within a single claim.
The feature became alpha in Kubernetes 1.34 should become beta in 1.36.
UserNamespacesHostNetwork runtime handler and integrates the UserNamespacesHostNetworkSupport feature gate with the NodeDeclaredFeatures feature gate.Pod.Status.InPlacePodLevelResourcesVerticalScaling is enabled.A new Kubernetes policy requires GitHub Actions workflows to pin actions using full 40-character commit SHAs instead of mutable references like latest or main. Non-compliant workflows will fail after April 15, 2026, so maintainers should update workflows and use Dependabot to keep them up to date, see details.
The default branch of the kubernetes/community repository has been renamed from master to main. Open PRs were automatically retargeted and existing /master/ links will continue to work, but contributors should update local branches and forks to stay aligned, see tracking issue.
SIG Release has updated platform support tiers and artifacts documentation with clearer, measurable criteria and a simplified structure, with no changes to supported platforms or artifacts, see PR.
A high-severity ingress-nginx vulnerability (CVE-2026-4342) enables configuration injection and potential code execution, affecting versions below v1.13.9, v1.14.5, and v1.15.1 as outlined in the issue. With ingress-nginx now EOL, users should upgrade and migrate.
Next Deadline: Docs Freeze, 9th April 2026
Code Freeze for v1.36 is now in effect. Enhancements that did not meet the freeze criteria have been removed from the milestone. Docs PRs and Release Highlights were due March 31, with Docs Freeze landing April 9 (AoE April 8).
Patch Releases
Kubernetes v1.36.0-beta.0, v1.35.3, v1.34.6, v1.33.10 were released last week, delivering the latest fixes and updates.
jrvaldes has promoted the NodeLogQuery feature to General Availability in Kubernetes v1.36 as part of KEP-2258: Node Log Query Enhancements. The PR was reviewed and approved by maintainers including liggitt and contributors from SIG Node and SIG Windows.
NodeLogQuery allows cluster administrators to retrieve node-level system and service logs directly through the Kubernetes API by proxying requests through the kubelet. Instead of logging into nodes with SSH or RDP and manually searching logs with tools such as journalctl or the Windows Event Viewer, operators can query logs with a single kubectl command.
The feature was originally introduced in Kubernetes 1.27 as an alpha capability and progressed to beta in Kubernetes 1.30 before graduating to GA in v1.36. During this time the implementation matured with improvements to filtering, cross-platform support for both Linux and Windows nodes, and security hardening after the discovery of CVE-2024-9042 affecting the Windows implementation.
Under the hood, the kubelet exposes a /logs/ HTTP endpoint that queries the operating system’s native logging infrastructure (journalctl on Linux and Get-WinEvent on Windows), allowing Kubernetes to provide a unified interface for retrieving node logs regardless of operating system.
The feature originated from work led by Aravindh Puthiyaparambil and contributors across SIG Windows and SIG Node. With the GA promotion, the NodeLogQuery feature gate is now locked to enabled, making node log queries a stable part of the Kubernetes debugging and observability toolkit.
KEP-4815: DRA: Add support for partitionable devices
This KEP restores the ability of Dynamic Resource Allocation (DRA) to support on-demand device partitioning within the newer “structured parameters” framework, enabling more efficient utilization of resources like GPUs and other accelerators. It introduces mechanisms for vendors to represent both full devices and overlapping partitions compactly, allowing the scheduler to safely allocate non-conflicting partitions while enabling dynamic creation of those partitions after allocation—without changing the existing user-facing ResourceClaim workflow.
The proposal is driven by use cases such as GPU partitioning, multi-host TPU scheduling, SR-IOV, and ensuring valid device topologies across single and multi-node environments, while also supporting logical devices composed of multiple physical resources.
The feature is currently under proposal stage, with ongoing discussions focused on restoring lost flexibility from “classic” DRA and aligning it with structured parameters, and is expected to evolve through standard Kubernetes release stages (alpha, beta, GA) based on implementation maturity and community feedback.
Unused condition on PersistentVolumeClaimStatus.MemoryQoS: memory.min for Guaranteed pods, memory.low for Burstable pods, with node-level metrics and rollback reconciliation (KEP-2570).preloadedImagesVerificationAllowlist in Kubelet’s configuration.PodGroupScheduled condition reflecting whether the group was successfully scheduled or is unschedulable.PodGroupPodsCount scheduler plugin to support workload-aware scheduling by prioritizing placements with higher pod counts within a group.RestartContainer on non-sidecar initContainers, as the resize of such containers has never been supported.ReconcilePoolWithName allows per-pool reconciliation without setting NodeName on slices.nf_conntrack_max to 1,048,576 to prevent excessive memory consumption on high-core machines when using automatic calculation.spec.resourceClaims field which can refer to ResourceClaims and ResourceClaimTemplates.StreamPodSandboxes, StreamContainers, StreamContainerStats, StreamPodSandboxStats, StreamPodSandboxMetrics) and New ImageService streaming RPC (StreamImages).DisruptionMode, PriorityClassName and Priority fields to Workload and PodGroup APIs to support workload-aware preemption when WorkloadAwarePreemption feature gate is enabled.UserNamespacesHostNetwork runtime handler and integrates the UserNamespacesHostNetworkSupport feature gate with the NodeDeclaredFeatures feature gate.DRAResourceClaimGranularStatusAuthorization feature gate is enabled (Beta in 1.36).PodReadyToStartContainers condition immediately after sandbox creation rather than after image pull, reducing the time to condition True.kubectl describe node now lists aggregated ResourceSlices when the ResourceSlice API is present, detailing slice name, driver, and pool.Kubecon Europe 2026 is next week! The KubeCon EU Maintainer Summit is now sold out, and the CNCF will not allow unregistered contributors to attend due to high demand. Regardless, do join us for the Kubernetes Meet & Greet on Wednesday, March 25, which is not sold out.
The NFS CSI Driver patched a security vulnerability which could allow unauthorized users to modify or delete files.
KubeCon Japan CFP (Maintainer Track + Lightning Talks) closes April 12. KubeCon Japan Regular CFP is open until 29 March 2026. KubeCon + CloudNativeCon + OpenInfra Summit + PyTorch Conference China CFP (Maintainer Track + Lightning Talks) closes May 3, 23:59 CST / 21:29 IST / 15:59 UTC / 11:59 EDT
ingress-nginx will reach End of Life (EOL) on March 31, concluding its best-effort maintenance period.
Next Deadline: Code & Test Freeze, 19th March 2026
Code & Test Freeze for v1.36 starts tomorrow. Make sure your feature work is completed and merged before the deadline. After the freeze, only critical fixes will be accepted, and other changes will require an exception.
The March Kubernetes patch releases are delayed and are currently expected to be cut early this week.
137454: KEP-4265: promote ProcMountType to GA
Joe Beda has promoted the ProcMountType feature to General Availability as part of KEP-4265. The change was reviewed and approved by contributors including Jordan Liggitt and members of SIG Auth, SIG Node, and SIG CLI.
ProcMountType allows Kubernetes workloads to control how the Linux /proc filesystem is mounted inside containers. The /proc filesystem exposes information about running processes on a host, which can be useful for debugging and monitoring but may also reveal sensitive host details. The feature allows containers to run with a more restricted /proc mount, helping isolate workloads from host process information and improving container security.
With this PR, the feature is considered stable and the associated feature gate has been removed from the API documentation. This means contributors and users can rely on the functionality as part of the core Kubernetes API going forward, without needing to enable experimental flags.
The work builds on earlier implementation and stabilization efforts, including related PRs such as #136792, which promoted the UserNamespacesSupport feature to GA and removed remaining feature-gate references across the codebase. These changes collectively advance Kubernetes’ support for stronger container isolation features in the Linux kernel.
The feature is relevant to multiple parts of the Kubernetes project, including kubelet behavior, container runtime interactions, and workload security configuration. Contributors working in areas such as pod security, container runtime integration, and node lifecycle management may encounter this functionality when configuring process namespace and /proc access within pods.
For more details, see the enhancement proposal in KEP-4265 and the discussion in the pull request above.
KEP-4671: Gang Scheduling using Workload Object
This KEP implements gang scheduling in kube-scheduler, proposed by SIG Scheduling, enabling Kubernetes to schedule groups of Pods as a single unit using an all-or-nothing model. It introduces the Workload and PodGroup APIs, allowing the scheduler to wait until a minimum number of Pods can be scheduled together before binding them, improving support for distributed workloads like AI/ML and batch jobs.
SIG Scheduling contributors are actively working on API refinements and scheduler behavior, with ongoing discussions around evolving toward a more workload-aware scheduling model.
KEP-4671 reached alpha in Kubernetes v1.35 behind the GenericWorkload feature gate, and is expected to progress to beta in a future release, subject to API stability and testing.
apiserver.latency.k8s.io/impersonation audit event annotation when the ConstrainedImpersonation feature is enabled.status.resourceClaimStatuses[].resourceClaimName now refer correctly to the resourceClaimName field instead of the name field.kubectl kuberc set with options for setting credentialPluginPolicy and credentialPluginAllowlist.k8s.io/streaming and k8s.io/cri-streaming for Kubernetes streaming transport and CRI streaming server code.kubectl describe now defaults to showing related events only when describing a single object.pod.spec.resources, enabling two flexible resource management modelsKubeletPodResourcesDynamicResources and KubeletPodResourcesGet feature gates to GANodeDeclaredFeatures to beta.Next Tuesday is the monthly New Contributor Orientation. Join at one of two times to learn all about starting your contribution journey.
SIG Testing chair Brian McQueen moved to emeritus due to lack of recent activity. Thank you Brian McQueen for helping lead SIG Testing and for his contributions to the community.
We are hosting the Kubernetes Meet & Greet for Wednesday March 25th lunch at Kubecon Europe. Kubernetes contributors, as well as people interested in becoming contributors, should join us.
Next Deadline: Code & Test Freeze, 19th March 2026
We’re heading into Code & Test Freeze for v1.36 next week. Make sure your feature work is wrapped up and merged before the deadline. After the freeze, only critical fixes land, and anything else will need an exception.
The March Kubernetes patch releases are delayed and now expected early next week. The cherry-pick deadline has been extended to Friday, March 13 at 5 PM PT.
Introduces scheduling.k8s.io/v1alpha2 Workload and PodGroup APIs as part of ongoing workload-aware scheduling work. This replaces the previous v1alpha1 Workload API and updates Pods to reference scheduling groups through a new SchedulingGroup field, decoupling PodGroups from Workloads and enabling more flexible workload-level scheduling.
This proposal aims to improve observability, troubleshooting, and debugging for core Kubernetes components by introducing a flagz endpoint for each component. The endpoint would expose the command-line flags used to start a component, giving users real-time visibility into its active configuration and helping diagnose misconfigurations or unexpected behavior. Building on ideas from the Component Statusz KEP but introducing a dedicated endpoint, the flagz interface would allow users to dynamically inspect and understand the flags currently applied to running Kubernetes components, making it easier to detect configuration issues that could lead to instability or outages. However, the proposal does not intend to replace existing monitoring mechanisms such as metrics, logs, or traces, nor does it aim to provide information about components that are inaccessible due to network restrictions.
This KEP graduated to alpha in v1.35.
v1alpha1 WebhookAdmissionConfiguration has been removed. It was deprecated in v1.17 in favor of apiserver.config.k8s.io/v1.--bounding-dirs flag and BoundingDirs field from deepcopy-gen.Raw field of metav1.FieldsV1 is deprecated.SuggestFor entries from kubectl wait so that it is no longer suggested when users type kubectl list or kubectl ps.fs.ReadLinkFS optional argument to be filesystem-independent.image_id.kubectl exec or kubectl logs are run with a specified container name, and no container with that name is found, kubectl now lists the names of containers that would be valid to specify.--client-ca-file is updated while kubelet is running, the updated root certificates are now correctly used to advertise accepted authorities to TLS clients connecting to the kubelet endpoints. This behavior is guarded by the ReloadKubeletClientCAFile feature gate, which is enabled by default.timezone field to the cronjob describe output.--detach-keys flag to kubectl attach and kubectl run, allowing detach without terminating the container.proxyproto plugin to support Proxy Protocol and preserve client IPs behind load balancers, improves DNS logging metadata, strengthens randomness for loop detection, and fixes issues including TLS+IPv6 forwarding, CNAME rewriting behavior, ACL bypass prevention, and a Kubernetes plugin crash. The release also updates the build to Go 1.26.1 with multiple upstream security fixes.KubeCon Japan Regular CFP is open until 29 March 2026. Submit your proposal here.
Don’t forget to register for Maintainer Summit EU 2026.
Next Deadline: Code & Test Freeze, 19th March 2026
Code and Test Freeze for v1.36 is coming up. All feature work must be completed and merged before the freeze. After this point, only critical bug fixes will be considered, and approved exceptions will be required for any additional changes.
Out-of-band patch releases v1.35.2, v1.34.5, v1.33.9, and v1.32.13 were published last week, built with Go 1.25.7 / 1.24.13 and including fixes for recent CVEs.
Additionally, Kubernetes v1.36.0-alpha.2 is now live and built with Go 1.25.7.
KEP-5004: DRA: Handle extended resource requests via DRA Driver
Extended resources offer a simple and concise way to represent resource capacity and consumption, whereas Dynamic Resource Allocation (DRA) provides greater flexibility and expressiveness at the cost of added complexity. This KEP proposes a mechanism for cluster administrators to advertise dynamic resources defined in ResourceSlice as extended resources through DeviceClass. It allows application developers and operators to continue requesting resources using the familiar extended resource model. At the same time, it supports dynamic allocation for requests made via either extended resources or DRA resource claims. The proposal ensures that existing applications can run without modification. It also enables both application teams and cluster administrators to adopt DRA gradually, including scenarios where device plugins and DRA drivers coexist on different nodes for the same hardware.
This KEP graduated to alpha in v1.35.
AllowlistEntry.Name to AllowlistEntry.Command in the credential plugin allowlist.apiserver_peer_proxy_errors_total and apiserver_peer_discovery_sync_errors_total to apiserver to track errors encountered in peer proxying and peer discovery.fill() modifiers and OpenAPI 3.2 API specification support, improves service discovery modularity via build tags, and delivers multiple performance improvements and bug fixes across PromQL, TSDB, OTLP ingestion, and the web UI.LMKTFY: Thanks to @Prasanth Baskar for implementing dedicated web pages for each KEP, bringing together the rendered KEP, tracking issue, and related links in one place to make enhancements easier to navigate and track. *
]]>