Kubernetes v1.36.0 is live!

sreeramv...@gmail.com

Apr 22, 2026, 2:03:38 PM
to kubernetes-announce, dev
Kubernetes Community,

Kubernetes v1.36.0 has been built and pushed using Golang version 1.26.2.

The release notes have been updated in CHANGELOG-1.36.md, with a pointer to them on GitHub:


v1.36.0

Documentation

Downloads for v1.36.0

Source Code

Client Binaries

Server Binaries

Node Binaries

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name architectures
registry.k8s.io/conformance:v1.36.0 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.36.0 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.36.0 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.36.0 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.36.0 amd64, arm64, ppc64le, s390x
registry.k8s.io/kubectl:v1.36.0 amd64, arm64, ppc64le, s390x

Changelog since v1.35.0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • ACTION REQUIRED: kube-controller-manager: Renamed metric volume_operation_total_errors to volume_operation_errors_total. If you are using custom monitoring dashboards or alerting rules based on the volume_operation_total_errors metric, update them to use the new volume_operation_errors_total metric. (#136399, @tico88612) [SIG Apps, Instrumentation, Storage and Testing]
  • Added support for running PreBind plugins in parallel in the scheduler framework to improve binding latency. ACTION REQUIRED: Plugins can opt-in to parallel execution by returning AllowParallel: true from the PreBindPreFlight method. PreBind plugin implementations need to be updated to return PreBindPreFlightResult from the PreBindPreFlight method; returning nil retains the existing sequential behavior. (#135393, @tosi3k) [SIG Node, Scheduling, Storage and Testing]

Changes by Kind

Dependency

  • Fixed a bug where pod lifecycle hooks could run for their full duration when pods are terminated. (#136598, @dgrisonnet) [SIG API Machinery, Auth, Cloud Provider, Node and Scheduling]
  • Updated etcd client library to v3.6.8. (#137225, @joshjms) [SIG API Machinery, Auth, Cloud Provider, Cluster Lifecycle, Etcd, Node, Scheduling and Testing]

Deprecation

  • Added warnings and deprecation for Service .spec.externalIPs. (#137293, @adrianmoisey) [SIG Apps, Network and Windows]
  • Direct access to the Raw field of metav1.FieldsV1 is deprecated. Code that constructs or reads FieldsV1 should migrate to the new NewFieldsV1(string), GetRawBytes(), GetRawString(), and SetRawBytes() accessor methods. (#137304, @aaron-prindle) [SIG API Machinery, Apps and Testing]
  • Disabled git-repo volume plugin by default, with no option to turn it back on. (#136400, @vinayakankugoyal) [SIG Storage]
  • Renamed AllowlistEntry.Name to AllowlistEntry.Command in the credential plugin allowlist. (#137272, @pmengelbert) [SIG API Machinery, Auth, CLI and Testing]

API Change

  • ACTION REQUIRED: DRA (Dynamic Resource Allocation) drivers and controllers now require granular RBAC permissions to update ResourceClaim statuses when the DRAResourceClaimGranularStatusAuthorization feature gate is enabled (beta in v1.36). Schedulers and controllers must be granted update/patch on resourceclaims/binding. DRA drivers must be granted associated-node:update or arbitrary-node:update (or patch equivalents) on resourceclaims/driver, restricted by their specific resourceNames. (#134947, @aojea) [SIG API Machinery, Apps, Auth, Instrumentation, Node, Scheduling and Testing]
  • ACTION REQUIRED: Removed the integrated support for flex-volumes in kubeadm. Users were advised to migrate away from flex-volumes as recommended by SIG Storage since v1.22. If kubeadm users wish to continue using the feature, they need a custom image for the KCM that is not based on distroless, pass the KCM flag --flex-volume-plugin-dir, and mount the directory /usr/libexec/kubernetes/kubelet-plugins/volume/exec in the KCM static pod using kubeadm's extraVolumes mechanism before upgrading to v1.36. Previously, kubeadm automatically did the mounting if the user passed the flag. (#136423, @neolit123) [SIG Cluster Lifecycle]
  • ACTION REQUIRED: Renamed metric etcd_bookmark_counts to etcd_bookmark_total. If you are using custom monitoring dashboards or alerting rules based on the etcd_bookmark_counts metric, update them to use the new etcd_bookmark_total metric. (#136483, @petern48) [SIG API Machinery, Etcd, Instrumentation and Testing]
  • Added SchedulingConstraints to express topology-aware scheduling (TAS) constraints for PodGroup scheduling behind the TopologyAwareWorkloadScheduling feature gate. Added the TopologyPlacement plugin implementing the PlacementGenerate extension point to take constraints into consideration during PodGroup scheduling. (#137271, @brejman) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • Added DisruptionMode, PriorityClassName, and Priority fields to the Workload and PodGroup APIs to support workload-aware preemption when the WorkloadAwarePreemption feature gate is enabled. (#136589, @tosi3k) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • Added ImageVolumeWithDigest which includes the digest of image volumes in the container status. (#132807, @iholder101) [SIG API Machinery, Apps, Node and Testing]
  • Added MemoryReservationPolicy cgroup v2 MemoryQoS support to KubeletConfiguration for memory.min protection. (#137584, @QiWang19) [SIG Node and Storage]
  • Added spec.stubPKCS10Request to the Pod Certificates beta API to improve compatibility with existing certificate authority implementations that expect a PKCS#10 certificate signing request. spec.pkixPublicKey and spec.proofOfPossession were deprecated in favor of this field. (#136729, @ahmedtd) [SIG API Machinery, Auth, Node and Testing]
  • Added a deletion protection mechanism for PodGroup objects. (#137641, @helayoty) [SIG API Machinery, Apps, Auth, Scheduling and Storage]
  • Added alpha support (behind the PersistentVolumeClaimUnusedSinceTime feature gate) for tracking PersistentVolumeClaim unused status via a new Unused condition on PersistentVolumeClaimStatus. When enabled, the PVC protection controller sets Unused=True with a lastTransitionTime when no non-terminal Pods reference the PersistentVolumeClaim. (#137862, @gnufied) [SIG Apps, Auth, Storage and Testing]
  • Added alpha support for manifest-based admission control configuration (KEP-5793). When the ManifestBasedAdmissionControlConfig feature gate is enabled, admission webhooks and CEL-based policies can be loaded from static manifest files on disk via the staticManifestsDir field in AdmissionConfiguration. These policies are active from API server startup, survive etcd unavailability, and can protect API-based admission resources from modification. (#137346, @aramase) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage, Testing and Windows]
  • Added an admission plugin that validates PodGroup resources reference an existing Workload and match the declared PodGroupTemplate spec. (#137464, @helayoty) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • Added list-type support for attributes in DRA (KEP-5491). The DRAListTypeAttributes feature gate (disabled by default) activates the following enhancements:
    • DRA drivers can use list-type fields (bools/ints/strings/versions) for device attributes in ResourceSlice. The number of attribute values, including scalars and lists, per single device is limited to 48.
    • The matchAttribute/distinctAttribute constraints in ResourceClaim now work on both scalar and list attributes. The matchAttribute constraint matches when the intersection of all list values among candidate devices is non-empty. The distinctAttribute constraint (behind the ConsumableCapacity feature gate) matches when all list values among candidate devices are pairwise disjoint. Scalar values are implicitly treated as a singleton set.
    • Added a new CEL function .includes that works on both scalar and list attributes to test inclusion (e.g., device.attributes["dra.example.com"].model.includes("model-a")), supporting migration when a DRA driver changes an attribute value type from scalar to list or vice versa. (#137190, @everpeace) [SIG API Machinery, Node, Scheduling and Testing]
  • Added new concurrent-node-status-updates flag that is split from the concurrent-node-syncs flag. (#136716, @yonizxz) [SIG Cloud Provider]
  • Added opt-in alpha support in the kubeletplugin framework for DRA drivers to publish DRA Device metadata in Pod CDI mounts. (#137086, @alaypatel07) [SIG Apps, Network, Node and Testing]
  • Added opt-in scheduling behavior for CSI volumes. (#137343, @gnufied) [SIG API Machinery, Scheduling and Storage]
  • Added placement-based PodGroup scheduling algorithm to the scheduler. Its use is guarded by the TopologyAwareWorkloadScheduling feature gate. (#136944, @brejman) [SIG Scheduling and Testing]
  • Added stability-based lifecycle for declarative validation (Alpha/Beta/Stable). Scheduling Workload v1alpha1 now uses explicit declarative enforcement. (#136793, @yongruilin) [SIG API Machinery and Scheduling]
  • Added the PlacementGenerate extension point to the scheduler. It is used to generate placements for placement-based PodGroup scheduling. Its use is guarded by the TopologyAwareWorkloadScheduling feature gate. (#137083, @brejman) [SIG Scheduling]
  • Added the PlacementScore extension point to the scheduler for scoring placements in placement-based PodGroup scheduling, guarded by the TopologyAwareWorkloadScheduling feature gate. Deprecated MinNodeScore and MaxNodeScore in favor of MinScore and MaxScore. (#137201, @brejman) [SIG Scheduling]
  • Added the ResourcePoolStatusRequest API (v1alpha1) for querying DRA resource pool availability. External schedulers can discover available devices across pools before submitting workloads. Requires the DRAResourcePoolStatus feature gate (alpha). (#137028, @nmn3m) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node, Scheduling, Storage and Testing]
  • Added the --concurrent-resourceclaim-syncs flag to kube-controller-manager to configure ResourceClaim reconcile concurrency. (#134701, @anson627) [SIG API Machinery, Apps, Node and Testing]
  • Added the --tls-curve-preferences flag for configuring TLS key exchange mechanism. (#137115, @damdo) [SIG API Machinery, Architecture, CLI, Cloud Provider, Node and Testing]
  • Added the PodGroupPodsCount scheduler plugin to support workload-aware scheduling by prioritizing placements with higher Pod counts within a group. (#137488, @vshkrabkov) [SIG Scheduling and Testing]
  • Added the tlsServerName field to EgressSelectorConfiguration TLSConfig to allow overriding the server name used for TLS certificate verification. (#136640, @kennangaibel) [SIG API Machinery, Apps, Auth, Storage and Testing]
  • Added the alpha DRANativeResources feature, which includes a new ResourceSlice.Spec.Devices[*].NativeResourceMappings field for DRA drivers to declare how device resources map to native Kubernetes resources (e.g., cpu, memory), changes in the DynamicResources plugin and the scheduler framework to correctly account for native resources requested through resource claims, and kubelet admission handler validation for native resource DRA requests along with standard requests in the Pod spec. (#136725, @pravk03) [SIG API Machinery, Apps, Node, Scheduling and Testing]
  • Added topology-aware scheduling (TAS) logic to the PodGroup scheduling cycle behind the TopologyAwareWorkloadScheduling feature gate, supporting scheduling of PodGroups on nodes with matching topology domains. (#137489, @brejman) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • Added validation to prevent negative duration values for imageMinimumGCAge. (#135997, @ngopalak-redhat) [SIG API Machinery and Node]
  • Replaced deprecated sets.String with sets.Set[string] in apiserver admission subsystem. This is a breaking change for consumers of the NewLifecycle function. (#134044, @mcallzbl) [SIG API Machinery and Auth]
  • Clarified documentation and comments to indicate that the cpuCFSQuotaPeriod kubelet config field requires the CustomCPUCFSQuotaPeriod feature gate when using non-default values. No functional changes introduced. (#133845, @rbiamru) [SIG Node and Release]
  • Corrected OpenAPI schema union validation for the PodGroupPolicy struct in scheduling.k8s.io/v1alpha1. (#136424, @JoelSpeed) [SIG API Machinery and Scheduling]
  • DRA DeviceTaintRules: the TimeAdded field of the taint is now automatically updated when changing the effect. (#137167, @pohly) [SIG API Machinery, Node and Testing]
  • DRA: Added a spec.resourceClaims field to PodGroup resources for referencing ResourceClaims and ResourceClaimTemplates. Claims made by a PodGroup are reserved for the entire PodGroup instead of individual Pods, supporting more than 256 Pods sharing a single ResourceClaim. ResourceClaimTemplates referenced by a PodGroup's claim replicate into a ResourceClaim specific to that PodGroup, shared by all of the group's Pods. (#136989, @nojnhuh) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • DRA: Graduated Device Binding Conditions (KEP #5007) to beta, enabled by default in v1.36. (#137795, @ttsuuubasa) [SIG API Machinery, Node, Scheduling and Testing]
  • DRA: Graduated device taints and tolerations (KEP #5055) to beta. Support for DeviceTaints in ResourceSlices is on by default. Support for DeviceTaintRules depends on enabling resource.k8s.io/v1beta2 and the DeviceTaintRules feature gate. (#137170, @pohly) [SIG API Machinery, Apps, Auth, Cluster Lifecycle, Etcd, Node, Scheduling and Testing]
  • Extended NodeResourcesFit to implement the PlacementScore extension point. The usage of the PlacementScore extension point is guarded by the TopologyAwareWorkloadScheduling feature gate. (#136652, @brejman) [SIG Scheduling]
  • Fixed fake.NewClientset() to work properly with correct schema. (#131068, @soltysh) [SIG API Machinery]
  • Fixed a few log calls that did not properly format their parameters. (#137108, @pohly) [SIG API Machinery, Apps, Auth, Cluster Lifecycle, Network, Node, Scheduling and Testing]
  • Fixed a potential nil pointer dereference in the scheduler's NodeResourcesFitArgs validation when using RequestedToCapacityRatio scoring strategy. (#132120, @flpanbin) [SIG Scheduling]
  • Fixed an issue in kube-apiserver, allowing it to recover from an established connection to an incorrect server that never returns the expected response during APIService availability checks. (#137157, @bsalamat) [SIG API Machinery]
  • For Pod resizes requested on nodes where the resize request exceeds the node's allocatable capacity or the node is running an OS that does not support resize, the request fails in admission rather than being marked as Infeasible in the Pod status later. (#136043, @natasha41575) [SIG API Machinery, Node, Release, Scheduling, Storage and Testing]
  • Generated fake.NewClientset which replaces the deprecated NewSimpleClientset for kube-aggregator and sample-apiserver. (#136537, @soltysh) [SIG API Machinery]
  • Graduated metric apiserver_storage_events_received_total to beta. (#136314, @petern48) [SIG API Machinery, Etcd, Instrumentation and Testing]
  • Graduated the ImageVolume feature to stable. (#136711, @saschagrunert) [SIG Apps, Architecture, Node and Testing]
  • Graduated the InPlacePodLevelResourcesVerticalScaling feature gate to beta, enabled by default. Pod-level CPU and memory resources can be resized in place for Pods with pod-level resources configured. (#137684, @ndixita) [SIG API Machinery, Apps, Autoscaling, Node, Release, Scheduling and Testing]
  • Graduated the UserNamespacesSupport feature gate to GA. (#136792, @rata) [SIG API Machinery, Apps, CLI, Node, Storage and Testing]
  • Graduated the config.k8s.io/flagz API to v1beta1. (#137174, @richabanker) [SIG API Machinery, Instrumentation, Node, Scheduling and Testing]
  • Graduated the config.k8s.io/statusz API to v1beta1. (#137173, @richabanker) [SIG API Machinery, Instrumentation, Scheduling and Testing]
  • HPA: Improved scaling to and from zero when the HPAScaleToZero feature gate is enabled. (#135118, @johanneswuerbach) [SIG Apps, Autoscaling and Testing]
  • Integrated Workload and PodGroup APIs with the Job controllers to support gang-scheduling. (#137032, @helayoty) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Instrumentation, Node, Scheduling and Testing]
  • Introduced scheduling.k8s.io/v1alpha2 Workload and PodGroup API to express workload-level scheduling requirements and let kube-scheduler act on those. Removed scheduling.k8s.io/v1alpha1 Workload API. (#136976, @tosi3k) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling, Storage and Testing]
  • Kube-apiserver: The --audit-policy-file config file now supports specifying group: "*" in resource rules to match all API groups. (#135262, @cmuuss) [SIG API Machinery, Auth and Testing]
  • Kube-controller-manager: Added ALPHA gauge metric informer_queued_items for informer queue length, published as informer_queued_items{name=kube-controller-manager,group=<group>,resource=<resource>,version=<version>} <count>. (#135782, @richabanker) [SIG API Machinery, Architecture, Instrumentation and Testing]
  • Kubelet: Added tiered cgroup v2 memory protection for MemoryQoS: memory.min for Guaranteed pods and memory.low for Burstable pods, with node-level metrics and rollback reconciliation (KEP-2570). (#137719, @sohankunkerkar) [SIG Node, Storage and Testing]
  • Locked the VolumeAttributesClass feature gate to true and updated the preferred storage version to storage.k8s.io/v1. (#134556, @carlory) [SIG API Machinery, Apps, Etcd, Network, Node, Scheduling, Storage and Testing]
  • Marked the endpoints field as optional in the OpenAPI spec for discovery.k8s.io/v1 EndpointSlice. This matches server behavior and resolves validation issues. (#136111, @aojea) [SIG Network]
  • Promoted DRAPrioritizedList to GA. (#136924, @troychiu) [SIG Apps, Architecture, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Network, Node, Release, Scheduling, Storage and Testing]
  • Promoted NodeDeclaredFeatures to beta. (#136042, @pravk03) [SIG API Machinery, Apps, Cluster Lifecycle, Instrumentation, Node, Scheduling, Storage and Testing]
  • Promoted SnapshotMetadataService to v1beta1. Removed support for the v1alpha1 version. (#137564, @iPraveenParihar) [SIG Storage and Testing]
  • Promoted mutable CSI node allocatable count to GA. The MutableCSINodeAllocatableCount feature gate is locked to enabled. (#136230, @torredil) [SIG API Machinery and Storage]
  • Promoted several EndpointSlice metrics from alpha to beta stability. (#136368, @bhope) [SIG Instrumentation and Network]
  • Promoted several component-base metrics (kubernetes_build_info, rest_client_requests_total, rest_client_request_duration_seconds, running_managed_controllers) from Alpha to Beta stability, providing stronger API and label stability guarantees for consumers. (#136154, @bhope) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scalability, Scheduling, Storage and Testing]
  • Promoted several scheduler metrics (scheduler_goroutines, scheduler_permit_wait_duration_seconds, scheduler_plugin_evaluation_total, scheduler_plugin_execution_duration_seconds, scheduler_scheduling_algorithm_duration_seconds, scheduler_unschedulable_pods) from alpha to beta stability, providing stronger API and label stability guarantees for metric consumers. (#136155, @bhope) [SIG Instrumentation and Scheduling]
  • Promoted the DRA extended resource feature to beta in v1.36. (#135048, @yliaog) [SIG API Machinery, Architecture, Auth, Network, Node, Scheduling and Testing]
  • Promoted the ConstrainedImpersonation feature to beta, enabled by default. (#137609, @enj) [SIG API Machinery and Testing]
  • Promoted the DRAAdminAccess feature gate to GA. (#137373, @ritazh) [SIG API Machinery, Auth, Node, Scheduling and Testing]
  • Promoted the MutatingAdmissionPolicy to GA (v1) in Kubernetes v1.36. The feature is now enabled by default. (#136039, @lalitc375) [SIG API Machinery, Architecture, Etcd and Testing]
  • Promoted the NodeLogQuery feature gate to GA. (#137544, @jrvaldes) [SIG Node and Windows]
  • Promoted the ProcMountType feature to GA. (#137454, @haircommander) [SIG API Machinery, Apps, Auth, CLI, Node, Storage and Testing]
  • Promoted the watch_list_duration_seconds metric from ALPHA to BETA. (#136086, @richabanker) [SIG API Machinery, Instrumentation, Node and Testing]
  • Promoted two Job controller metrics from alpha to beta stability, providing stronger API and label stability guarantees for metric consumers. (#136367, @bhope) [SIG Apps and Instrumentation]
  • Promoted workqueue metrics from ALPHA to BETA. (#135522, @petern48) [SIG Architecture, Instrumentation and Testing]
  • Removed CustomResourceDefinition stored versions from status upon StorageVersionMigrator migration. (#135297, @michaelasp) [SIG API Machinery, Apps, Auth and Testing]
  • Removed the in-tree Portworx volume plugin, completing the migration to CSI. Removed the GA CSIMigrationPortworx feature gate (locked since v1.33) and alpha InTreePluginPortworxUnregister feature gate, with all operations now redirected to CSI. (#135322, @carlory) [SIG API Machinery, Apps, Auth, Node, Scalability, Scheduling, Storage and Testing]
  • Removed the temporary build-tagged ProtoMessage() marker method implementations from Kubernetes REST API types in k8s.io/api, which had incorrectly identified them as standard v1 proto messages. Protobuf serialization of Kubernetes API types should use k8s.io/apimachinery/pkg/runtime/serializer/protobuf. (#137084, @liggitt) [SIG API Machinery, Apps, Architecture, Auth, Node, Scheduling and Storage]
  • Slow requests that use impersonation can be tracked via the apiserver.latency.k8s.io/impersonation audit event annotation when the ConstrainedImpersonation feature is enabled. (#137523, @enj) [SIG API Machinery, Auth and Testing]
  • The DRAConsumableCapacity feature gate is enabled by default. (#136611, @sunya-ch) [SIG API Machinery, Cluster Lifecycle, Node, Scheduling and Testing]
  • The StrictIPCIDRValidation feature gate in kube-apiserver is enabled by default, meaning that API fields no longer allow IP or CIDR values with extraneous leading "0"s (e.g., 010.000.000.005 rather than 10.0.0.5) or CIDR subnet/mask values with ambiguous semantics (e.g., 192.168.0.5/24 rather than 192.168.0.0/24 or 192.168.0.5/32). (#137053, @danwinship) [SIG Network and Testing]
  • The kube-scheduler now updates PodGroup status with a PodGroupScheduled condition reflecting whether the group was successfully scheduled or is unschedulable. (#137611, @helayoty) [SIG API Machinery, Apps, Scheduling and Testing]
  • Updated API comments to reflect the stable state of Dynamic Resource Allocation (DRA). (#136441, @kannon92) [SIG API Machinery]
  • Updated API server internal API group to improve openapi schema correctness for fields being optional or required. (#134675, @JoelSpeed) [SIG API Machinery, Apps, Auth, Node and Storage]
  • Updated the /configz endpoint of kubelet, kube-scheduler, cloud controller manager, and kube-proxy to serialize the APIVersion and Kind fields and use public types instead of internal. (#136044, @SergeyKanzhelev) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Network, Node, Scheduling and Testing]
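
The StrictIPCIDRValidation entry above rejects two classes of value: IPs with leading zeros and CIDRs with bits set beyond the prefix length. The following Go sketch is an added example, not Kubernetes code; it approximates both checks with the standard net/netip package so that values can be audited before an upgrade. The field labels and sample values are constructed, and the API server's own validation may differ in detail.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Finding is the audit result for one value. Reason is empty when the value
// passes; Fix holds a canonical rewrite when one can be derived.
type Finding struct{ Field, Value, Reason, Fix string }

// Entry is one value to audit; CIDR selects the CIDR check over the IP check.
type Entry struct {
	Field, Value string
	CIDR         bool
}

// Sample is constructed input; the field labels are illustrative only.
var Sample = []Entry{
	{"Service spec.clusterIP", "10.0.0.5", false},
	{"Service spec.loadBalancerIP", "010.000.000.005", false},
	{"NetworkPolicy ipBlock.cidr", "192.168.0.5/24", true},
	{"NetworkPolicy ipBlock.cidr", "192.168.0.0/24", true},
	{"Service spec.loadBalancerSourceRanges", "192.168.0.5/32", true},
	{"Service spec.externalIPs", "2001:db8::1", false},
}

// stripLeadingZeros removes extra leading zeros from each octet of a
// dotted-quad string, reading the digits as decimal (the reading the release
// note uses: 010.000.000.005 means 10.0.0.5). Some legacy parsers read such
// octets as octal instead, which is why the form is ambiguous.
func stripLeadingZeros(s string) (string, bool) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return "", false
	}
	changed := false
	for i, p := range parts {
		if p == "" {
			return "", false
		}
		t := strings.TrimLeft(p, "0")
		if t == "" {
			t = "0"
		}
		changed = changed || t != p
		parts[i] = t
	}
	return strings.Join(parts, "."), changed
}

// CheckIP reports whether s is an IP address in strict form.
// netip.ParseAddr already rejects IPv4 octets with leading zeros.
func CheckIP(field, s string) Finding {
	f := Finding{Field: field, Value: s}
	if _, err := netip.ParseAddr(s); err == nil {
		return f
	}
	if fixed, changed := stripLeadingZeros(s); changed {
		if _, err := netip.ParseAddr(fixed); err == nil {
			f.Reason, f.Fix = "leading zeros in IPv4 octet", fixed
			return f
		}
	}
	f.Reason = "not a valid IP address"
	return f
}

// CheckCIDR reports whether s is a CIDR in strict form: a strictly formatted
// address and no bits set beyond the prefix length.
func CheckCIDR(field, s string) Finding {
	f := Finding{Field: field, Value: s}
	pfx, err := netip.ParsePrefix(s)
	if err != nil {
		ip, bits, found := strings.Cut(s, "/")
		if fixed, changed := stripLeadingZeros(ip); found && changed {
			if _, err := netip.ParsePrefix(fixed + "/" + bits); err == nil {
				f.Reason, f.Fix = "leading zeros in IPv4 octet", fixed+"/"+bits
				return f
			}
		}
		f.Reason = "not a valid CIDR"
		return f
	}
	if pfx.Masked() != pfx {
		// Ambiguous: the author meant either the subnet or the single host.
		f.Reason = "bits set beyond the prefix length"
		f.Fix = fmt.Sprintf("%s or %s/%d", pfx.Masked(), pfx.Addr(), pfx.Addr().BitLen())
	}
	return f
}

// Audit returns only the entries that strict validation would reject.
func Audit(entries []Entry) []Finding {
	var out []Finding
	for _, e := range entries {
		f := CheckIP(e.Field, e.Value)
		if e.CIDR {
			f = CheckCIDR(e.Field, e.Value)
		}
		if f.Reason != "" {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range Audit(Sample) {
		fmt.Printf("%s: %q rejected (%s); use %s\n", f.Field, f.Value, f.Reason, f.Fix)
	}
}
```

A value flagged for leading zeros should be re-checked after rewriting, since the suggested form can still carry bits beyond the prefix length.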

Feature

  • Added ALPHA counter metric scheduler_pod_scheduled_after_flush_total to track pods successfully scheduled after timeout flush from the unschedulablePods queue. (#135126, @mrvarmazyar) [SIG Scheduling]
  • Added ARCH column in the kubectl get node -o wide output. (#132402, @astraw99) [SIG CLI]
  • Added apiserver_peer_proxy_errors_total and apiserver_peer_discovery_sync_errors_total alpha metrics to apiserver to track errors encountered in peer proxying and peer discovery. (#137065, @richabanker) [SIG API Machinery]
  • Added kubectl explain -r flag as a shorthand for --recursive. (#135283, @laervn) [SIG CLI]
  • Added kubelet_metrics_provider metric to help users identify where kubelet's metrics are coming from. (#136952, @dgrisonnet) [SIG Node]
  • Added a PodGroup scheduling cycle to kube-scheduler's main scheduling loop, enabling all pods within a PodGroup to be scheduled within a single cycle. (#136618, @macsko) [SIG Scheduling and Testing]
  • Added a show-secret flag to the diff command to explicitly allow secret values to be displayed during the diff operation. (#137019, @olamilekan000) [SIG CLI]
  • Added a new gRPC service to the kubelet that provides information about Pods running on the node. (#134627, @briansonnenberg) [SIG Node and Testing]
  • Added a warning when kubectl rollout undo is used on resources managed with kubectl apply to prevent unexpected behavior from annotation mismatch. (#137064, @olamilekan000) [SIG CLI]
  • Added alpha counter metric route_controller_route_sync_total to Cloud Controller Manager to track route syncs with cloud providers. This metric is in alpha stage. (#136539, @lukasmetzner) [SIG API Machinery, Cloud Provider and Instrumentation]
  • Added alpha metrics tracking the resource version the cache layer of an informer is at. (#137419, @michaelasp) [SIG API Machinery, Architecture, Instrumentation and Testing]
  • Added an alpha informer_processing_latency_seconds histogram metric to measure event handler execution time in RealFIFO. (#137101, @richabanker) [SIG API Machinery, Architecture, Instrumentation and Testing]
  • Added metrics for constrained impersonation: apiserver_impersonation_attempts_total, apiserver_impersonation_attempts_duration_seconds, apiserver_impersonation_authorization_attempts_total, and apiserver_impersonation_authorization_attempts_duration_seconds (labels: mode, decision). (#137374, @enj) [SIG API Machinery, Auth and Testing]
  • Added missing flags to webhook serving options for k8s.io/cloud-provider. (#136816, @damdo) [SIG Cloud Provider]
  • Added multiple conditions support to the kubectl wait command. (#136855, @ardaguclu) [SIG CLI and Testing]
  • Added new RuntimeService streaming RPCs (StreamPodSandboxes, StreamContainers, StreamContainerStats, StreamPodSandboxStats, StreamPodSandboxMetrics) and new ImageService streaming RPC (StreamImages). (#136987, @bitoku) [SIG Cluster Lifecycle, Node and Testing]
  • Added support for in-place Pod resize of running non-sidecar initContainers. (#137352, @natasha41575) [SIG API Machinery, Apps, Autoscaling, Node, Scheduling, Storage and Testing]
  • Added support for the CRI (and NRI) to block Pod-level resizes. (#137555, @natasha41575) [SIG Node]
  • Added support for unknown (non-pod) references in ResourceClaim status.reservedFor. The controller now gracefully skips these entries instead of halting sync, ensuring stale pod references can still be cleaned up. (#136450, @MohammedSaalif) [SIG Apps and Node]
  • Added the ControllerManagerReleaseLeaderElectionLockOnCancel feature gate to gate leader election lock release on exit for kube-controller-manager. (#136279, @tchap) [SIG API Machinery and Cloud Provider]
  • Added the ExtendWebSocketsToKubelet feature gate (beta, default true in v1.36). When enabled, the API server proxies WebSocket exec/attach/portforward requests directly to the kubelet rather than translating or tunneling them at the API server. The kubelet handles WebSocket-to-SPDY stream translation (exec/attach) and WebSocket tunneling (portforward) using the same handlers previously used at the API server. The kubelet advertises support for this feature to the API server via the NodeDeclaredFeatures mechanism; the API server only proxies directly to a kubelet that has advertised support. Two new alpha metrics track routing decisions and WebSocket streaming volume: apiserver_websocket_streaming_requests_total (labels: subresource, proxy_type) and kubelet_streaming_websocket_requests_total (label: subresource). (#136256, @seans3) [SIG API Machinery, Autoscaling, Node, Scheduling and Testing]
  • Added the UserNamespacesHostNetwork runtime handler and integrated the UserNamespacesHostNetworkSupport feature gate with the NodeDeclaredFeatures feature gate. The UserNamespacesHostNetworkSupport feature gate only takes effect when the container runtime's UserNamespacesHostNetwork runtime handler returns true and the NodeDeclaredFeatures feature gate is enabled. (#135828, @HirazawaUi) [SIG Autoscaling, Node, Scheduling and Testing]
  • Added the appProtocol field to kubectl describe service output. (#135744, @ali-a-a) [SIG CLI]
  • Added the timezone field to the kubectl describe CronJob output. (#136663, @kfess) [SIG CLI]
  • Added the ability for the StatefulSet controller to read its own Pod and PVC writes. (#137254, @michaelasp) [SIG Apps]
  • Added the ability for the ReplicaSet controller to read its own writes, preventing spurious reconciliation loops while the cache catches up to recent updates. (#137212, @michaelasp) [SIG Apps]
  • Added the metric terminated_containers_total to track the number of failed or succeeded containers, broken down by exit code. (#137453, @rawsocket) [SIG Instrumentation, Node and Testing]
  • Added tracing for WatchList requests. (#137202, @serathius) [SIG API Machinery and Testing]
  • Added two scheduler metrics for Device Binding Conditions, covering allocation attempts and PreBind duration with status and driver labels. (#137284, @ttsuuubasa) [SIG Node and Scheduling]
  • Added write and read permissions for workloads to the admin cluster role, write permissions to the edit cluster role, and read permissions to the view cluster role. (#135418, @carlory) [SIG Auth]
  • Aligned the scheduler_preemption_victims metric definition between asynchronous and synchronous preemption modes. The metric now consistently reports the number of pods chosen as victims across both modes. (#135955, @utam0k) [SIG Scheduling]
  • CRI API: Added the image_id field to the PullImageResponse message, serving as a unique identifier for the image on the node as returned by the container runtimes. (#137217, @stlaz) [SIG Node]
  • Changed the default debug profile from legacy to general. The legacy profile is planned to be removed in v1.39. (#135874, @mochizuki875) [SIG CLI and Testing]
  • Client-go: Default informer behavior now updates store state with all the objects in a list or relist before calling handler OnDelete, OnAdd, or OnUpdate methods for individual items which were deleted, added, or removed. This ensures that the store state which can be inspected by handlers corresponds to a set of objects that existed at a particular resource version on the server. This behavior is guarded by the AtomicFIFO feature gate, which is enabled by default in v1.36 but can be disabled if needed to temporarily regain the previous behavior. (#135462, @michaelasp) [SIG API Machinery]
  • Client-go: Improved informer resync processing to reduce contention on store locks between incoming events and handler updates, which may result in observable timing differences of handler invocations. This behavior is guarded by the AtomicFIFO feature gate, which is enabled by default in v1.36 but can be disabled if needed to temporarily regain the previous behavior. (#136008, @michaelasp) [SIG API Machinery]
  • Client-go: Informers can now enqueue new watch events while already-queued events are being processed. This avoids dropping watches during a burst of incoming events due to contention on slow processing. This behavior is controlled by the UnlockWhileProcessing client-go feature gate, which is enabled by default. (#136264, @michaelasp) [SIG API Machinery and Scheduling]
  • Client-go: Informer stores now keep track of the resourceVersion they are synced to (via add/update/delete events, or replace calls, or bookmark events), and provide a LastStoreSyncResourceVersion method to obtain this resource version. This method can return "" if the store has not been synced to yet, and depends on the AtomicFIFO feature being enabled. (#134827, @michaelasp) [SIG API Machinery and Testing]
  • CustomResourceDefinition (CRD) validation now strictly enforces ranges for numeric formats (int32, int64, float, double) when specified in the schema. Existing objects with out-of-range values are preserved via validation ratcheting. (#136582, @yongruilin) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
  • DRA ResourceSlice controller: Added optional ReconcilePoolWithName to allow per-pool reconciliation without setting NodeName on slices, so the scheduler can use NodeSelector or allNodes for node-owned, cluster-visible resources (e.g. network-shared devices). "All nodes" is no longer the default. When publishing devices for the entire cluster, it must be set explicitly. (#137365, @yaroslavborbat) [SIG Node and Testing]
  • Enabled Prometheus native histogram support in kube-apiserver when the feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160). (#136763, @richabanker) [SIG API Machinery, Architecture, Cloud Provider, Instrumentation, Network, Node, Scheduling and Testing]
  • Enabled Prometheus native histogram support in kube-controller-manager when the feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160). (#137779, @richabanker) [SIG API Machinery, Instrumentation and Testing]
  • Enabled Prometheus native histogram support in kube-proxy when the feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160). (#137781, @richabanker) [SIG Network]
  • Enabled Prometheus native histogram support in kube-scheduler when the feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160). (#137466, @richabanker) [SIG API Machinery, Architecture, Instrumentation, Scheduling and Testing]
  • Enabled Prometheus native histogram support in kubelet when the feature gate is enabled. Histograms are exposed in both classic and native formats using exponential bucket configuration (factor=1.1, max buckets=160). (#137780, @richabanker) [SIG Node]
  • Enabled the Topology, CPU, and Memory managers to recognize and act upon pod.spec.resources, enabling two flexible resource management models. Both models support guaranteed Pods that contain a mix of containers that may be eligible to receive exclusive resource allocation or be part of the Pod-allocated shared resource pool. (#134768, @KevinTMtz) [SIG Node and Testing]
  • Enabled the WatchCacheInitializationPostStartHook feature gate by default. (#135777, @serathius) [SIG API Machinery]
  • Enabled workload-aware preemption for PodGroups when the WorkloadAwarePreemption feature gate is active. When PodGroup scheduling fails to find placement for a PodGroup, workload-aware preemption runs for the entire group instead of running default preemption for each individual Pod. (#137606, @Argh4k) [SIG Apps, Node, Scheduling, Storage and Testing]
  • Ensured a single-container Pod can restart quickly with the RestartAllContainers action. (#136966, @yuanwang04) [SIG Node and Testing]
  • Fixed missing field conversions (BindsToNode, BindingConditions, BindingFailureConditions, AllowMultipleAllocations, Capacity) in DRA API v1beta1 hand-written conversion code. (#137240, @yykkibbb) [SIG Node]
  • Graduated ComponentFlagz to beta. (#137386, @richabanker) [SIG API Machinery, Architecture, Auth, Instrumentation, Node and Testing]
  • Graduated ComponentStatusz to beta. (#137384, @richabanker) [SIG API Machinery, Architecture, Auth and Instrumentation]
  • Graduated fine-grained kubelet API authorization to stable. (#136116, @vinayakankugoyal) [SIG Node]
  • Graduated the KubeletPSI feature to GA, enabled by default. The kubelet exposes Linux cgroup Pressure Stall Information (PSI) metrics, providing deeper visibility into system and Pod-level resource contention (CPU, Memory, and I/O) via the kubelet Summary API. (#136548, @mariafromano-25) [SIG Node]
  • Improved preemption behavior so that pods preempted during the PreBind phase are now re-queued into the backoff queue instead of being deleted via the API server, enabling more graceful handling of preemption during binding. (#135502, @Argh4k) [SIG Scheduling and Testing]
  • Instrumented /flagz and /statusz endpoints with apiserver request metrics (apiserver_request_total, apiserver_request_duration_seconds), with group and version labels reflecting the content-negotiated API version. (#137021, @yongruilin) [SIG API Machinery and Instrumentation]
  • Introduced index-based naming in the ResourceSlice controller and ensured ResourceSlices and pools are sorted lexicographically before allocation, allowing users to control allocation priority. (#136641, @troychiu) [SIG Node and Testing]
  • Introduced new staging modules k8s.io/streaming and k8s.io/cri-streaming for Kubernetes streaming transport and CRI streaming server code. k8s.io/apimachinery/pkg/util/httpstream (including spdy and wsstream) remains available as a deprecated compatibility wrapper backed by k8s.io/streaming. The extracted SPDY roundtripper preserves CIDR matching in NO_PROXY/no_proxy. (#137298, @dims) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
  • Kube-apiserver: Graduated the UnknownVersionInteroperabilityProxy feature gate to beta, enabled by default. The --peer-ca-file flag is required to turn on the proxy. (#137172, @richabanker) [SIG API Machinery]
  • Kube-apiserver: Promoted the ExternalServiceAccountTokenSigner feature gate to GA. (#136118, @HarshalNeelkamal) [SIG API Machinery and Auth]
  • Kube-controller-manager: The daemonset controller now defers syncing a DaemonSet object when the controller has not yet observed daemonset or pod writes from the last time the object was synced. This prevents spurious creation of duplicate pods for nodes when the controller's cache is stale. When a sync is deferred for this reason, a daemonset_controller_stale_sync_skips_total metric is incremented and a message is logged by the daemonset controller. This behavior can be temporarily disabled by setting the StaleControllerConsistencyDaemonSet feature gate to false. (#134937, @michaelasp) [SIG API Machinery, Apps, Node, Scheduling and Testing]
  • Kube-controller-manager: The job controller now defers syncing a Job object when the controller has not yet observed job or pod writes from the last time the object was synced. This prevents spurious creation of duplicate pods for jobs when the controller's cache is stale. When a sync is deferred for this reason, a job_controller_stale_sync_skips_total metric is incremented and a message is logged by the job controller. This behavior can be temporarily disabled by setting the StaleControllerConsistencyJob feature gate to false. (#137210, @michaelasp) [SIG API Machinery and Apps]
  • Kubeadm: Added the --allow-deprecated-api flag to kubeadm config validate. By default the command prints a warning for deprecated APIs unless the flag is passed. Additionally, added missing support for v1beta4 UpgradeConfiguration to kubeadm config migrate and kubeadm config validate commands. (#135148, @neolit123) [SIG Cluster Lifecycle]
  • Kubeadm: Changed Node object patching behavior to retry on unknown (non-allowlisted) API errors within the polling duration instead of exiting early. (#135776, @neolit123) [SIG Cluster Lifecycle]
  • Kubeadm: Increased the timeout of the kubeadm upgrade CreateJob preflight check to 1 minute. This allows Windows worker nodes to have more time to run the preflight check. The check uses the pause image, so if you are experiencing slow pull times, you can either pre-pull the image on the worker using kubeadm config images pull --kubernetes-version TARGET or skip the preflight check with --ignore-preflight-errors. (#136273, @neolit123) [SIG Cluster Lifecycle]
  • Kubeadm: Promoted the NodeLocalCRISocket feature gate to GA and locked it to enabled. (#135742, @HirazawaUi) [SIG Cluster Lifecycle]
  • Kubeadm: Removed the ControlPlaneKubeletLocalMode feature gate, which graduated to GA in v1.35 and was locked to enabled. (#135773, @neolit123) [SIG Cluster Lifecycle]
  • Kubeadm: The preflight check ContainerRuntimeVersion validates whether the installed container runtime supports the RuntimeConfig gRPC method. For kubelet versions older than v1.37, it will return a preflight warning. (#136898, @carlory) [SIG Cluster Lifecycle]
  • Kubeadm: When using --v=1 or higher log verbosity, prints information about the CA certificate used for discovery when using kubeadm join. (#137102, @sivchari) [SIG Cluster Lifecycle]
  • Kubelet: Deferred the removal of deprecated kubelet configuration flags (and their related fallback behavior) from version 1.36 to 1.37, aligning with the end of containerd v1.7 support. (#136846, @carlory) [SIG Node and Testing]
  • Kubelet: If the --client-ca-file is updated while kubelet is running, the updated root certificates are correctly used to advertise accepted authorities to TLS clients connecting to the kubelet endpoints. This behavior is guarded by the ReloadKubeletClientCAFile feature gate, which is enabled by default. (#136762, @HarshalNeelkamal) [SIG API Machinery, Auth, Node and Testing]
  • Kubernetes is now built using Go v1.26.2. (#138299, @xmudrii) [SIG Release and Testing]
  • Kubernetes is now built using Go v1.26.0. (#137080, @cpanato) [SIG Release and Testing]
  • Kubernetes is now built with Go v1.25.6. (#136257, @BenTheElder) [SIG Release]
  • Kubernetes is now built with Go v1.25.6. (#136465, @cpanato) [SIG Release and Testing]
  • Kubernetes is now built with Go v1.25.7. (#136750, @BenTheElder) [SIG Release]
  • Kubernetes is now built with Go v1.25.7. (#136982, @cpanato) [SIG Release and Testing]
  • Preserved the logs of restarted containers for containers restarted by the RestartAllContainers feature. (#136963, @yuanwang04) [SIG Node]
  • Promoted DRAPartitionableDevices to beta. (#137350, @mortent) [SIG Node, Scheduling and Testing]
  • Promoted kubectl kuberc commands to beta. (#136643, @ardaguclu) [SIG CLI and Testing]
  • Promoted the CSIServiceAccountTokenSecrets feature gate to GA. (#136596, @aramase) [SIG Auth and Storage]
  • Promoted the KubeletPodResourcesDynamicResources and KubeletPodResourcesGet feature gates to GA. (#136728, @guptaNswati) [SIG Node and Testing]
  • Promoted the RelaxedServiceNameValidation feature gate to beta and enabled it by default. Service names are now validated with NameIsDNSLabel(), relaxing the pre-existing validation. (#136389, @adrianmoisey) [SIG Network]
  • Promoted the RestartAllContainersOnContainerExits feature gate to beta, enabled by default. (#136681, @yuanwang04) [SIG Node and Testing]
  • Reduced the requirements of the setcap build image for kube-apiserver: the image no longer needs to contain a shell (sh or dash or bash). (#136633, @addyess) [SIG Release]
  • Reverted the addition of the image_id field to the CRI API PullImageResponse message. (#137574, @SergeyKanzhelev) [SIG Node]
  • Server images now use staging/src/k8s.io/component-base/logs/kube-log-runner instead of go-runner; full compatibility is maintained (including the same /go-runner executable path). In the future Kubernetes will use base-images without go-runner. (#136954, @BenTheElder) [SIG Instrumentation and Release]
  • Updated CoreDNS to v1.14.2. (#137605, @pacoxu) [SIG Cloud Provider and Cluster Lifecycle]
  • Updated kubectl describe node to list aggregated ResourceSlices when the ResourceSlice API is present, detailing slice name, driver, and pool. (#131744, @ArangoGutierrez) [SIG CLI]
  • Updated kubectl explain to display an EXTERNAL DOCS section when a schema or field includes an externalDocs section. This appears after the DESCRIPTION block for top-level resources and after the field description for individual fields. The section is omitted in short mode and when externalDocs is absent. (#136988, @pedjak) [SIG CLI]
  • Updated kubectl get ingressclass to display a (default) marker for the default IngressClass. (#134422, @jaehanbyun) [SIG CLI and Network]
  • Updated kubectl kuberc set with options for setting credentialPluginPolicy and credentialPluginAllowlist. (#137300, @pmengelbert) [SIG CLI]
  • Updated cAdvisor to v0.55.0 in vendor dependencies. (#135829, @dims) [SIG Node]
  • Updated the feature gates MutablePodResourcesForSuspendedJobs and MutableSchedulingDirectivesForSuspendedJobs to be enabled by default. (#135965, @kannon92) [SIG Apps and Testing]
  • Updated node performance e2e tests to use PyTorch Wide-Deep workload instead of TensorFlow. (#136397, @dims) [SIG Testing]
  • Updated node performance e2e tests to use PyTorch Wide-Deep workload instead of TensorFlow. (#136398, @dims) [SIG Node and Testing]
  • Updated the ImageLocality scheduler plugin to consider ImageVolume images when scoring nodes for Pod scheduling. (#130231, @Barakmor1) [SIG Scheduling]
  • When kubectl exec or kubectl logs are run with a specified container name, and no container with that name is found, kubectl lists the names of containers that would be valid to specify. (#136973, @ardaguclu) [SIG CLI and Testing]

Documentation

  • Added metric component and endpoint to generated metric reference documentation. (#136360, @skl) [SIG Instrumentation and Testing]

Failing Test

  • Kubelet: Fixed device plugin test failures after kubelet restart. (#135485, @saschagrunert) [SIG Node and Testing]
  • The PLEGOnDemandRelist feature flag is kept at beta level, but switched off by default. (#137909, @dims) [SIG Node]

Bug or Regression

  • Added the --detach-keys flag to kubectl attach and kubectl run, allowing detach without terminating the container. (#134997, @yangjunmyfm192085) [SIG API Machinery and CLI]
  • Capped nf_conntrack_max to 1,048,576 to prevent excessive memory consumption on high-core machines when using automatic calculation. (#137002, @kairosci) [SIG Apps and Network]
  • Changed some error logs to info logs with verbosity level in controller/resourcequota and controller/garbagecollector. (#136040, @petern48) [SIG API Machinery and Apps]
  • Changed the nodeGetCapabilities method of csiDriverClient to return NewUncertainProgressError when receiving a non-final gRPC error. This resolves residual global mount paths during rapid pod creation-deletion cycles. (#135930, @249043822) [SIG Node and Storage]
  • Changed the behavior of default scheduler preemption plugin when preempting Pods that are in WaitOnPermit phase. They are now moved to the scheduler backoff queue instead of being marked as unschedulable. (#135719, @Argh4k) [SIG Scheduling and Testing]
  • Changed the runtime handlers list returned by the CRI runtime to be sorted, preventing unnecessary Node object updates when the order changes. (#135358, @harche) [SIG Node]
  • Client-go: Fixed an unlikely deadlock during informer startup. (#136509, @pohly) [SIG API Machinery]
  • CustomResourceDefinitions: Fixed server-side apply field ownership tracking so that metadata ownership is correctly tracked for writes to the /status subresource. Custom Resources: Fixed server-side apply field ownership to not update metadata from the /status subresource since these writes are wiped for custom resources. (#137689, @jpbetz) [SIG API Machinery, Network and Testing]
  • DRA BindingConditions: Fixed a panic in the scheduler when the DRABindingConditions feature was enabled and the same claim was reused among different Pods while deallocation happened in parallel. (#137371, @pohly) [SIG Node, Scheduling and Testing]
  • Disabled SchedulerAsyncAPICalls feature gate due to performance issues caused by API client throttling. (#135903, @macsko) [SIG Scheduling]
  • Disallowed setting a resize restart policy of RestartContainer on non-sidecar initContainers, as the resize of such containers has never been supported. (#137458, @natasha41575) [SIG Apps, Node and Testing]
  • Explicitly wrote memory.min=0 for QoS cgroups when the calculated requests are zero. (#137637, @QiWang19) [SIG Node]
  • Fixed SELinux warning controller to not emit events for completed Pods (Succeeded and Failed states). (#135629, @jsafrane) [SIG Apps, Storage and Testing]
  • Fixed StatefulSets to always count .status.availableReplicas at the correct time without delay, resulting in faster StatefulSet rollout progress. (#135428, @atiratree) [SIG Apps]
  • Fixed DRA manager not initializing sharedID from cache when DRAConsumableCapacity is enabled. (#136734, @sunya-ch) [SIG Node and Scheduling]
  • Fixed PodCertificateRequest OwnerReference using incorrect apiVersion "core/v1" instead of "v1", which prevented garbage collection of PodCertificateRequests when their owning Pod was deleted. (#137008, @srhppr) [SIG Auth and Node]
  • Fixed ReadWriteOncePod preemption e2e test to run as serial, preventing it from causing other random e2e tests to flake. (#135623, @jsafrane) [SIG Storage and Testing]
  • Fixed container_swap_usage_bytes in the /metrics/resource endpoint to correctly report container-level swap usage instead of always reporting 0. The root cause was missing logic in addCadvisorContainerCPUAndMemoryStats to propagate swap stats from cadvisor to the container stats object. (#137098, @yuanwang04) [SIG Apps, Node and Testing]
  • Fixed event_handling_duration_seconds, preemption_goroutines_duration_seconds, run_podsandbox_duration_seconds, and store_schedule_results_duration_seconds metrics incorrectly recording near-zero latency values instead of actual durations, caused by premature evaluation of SinceInSeconds(startTime) in a deferred call. (#135749, @novahe) [SIG Architecture, Instrumentation, Node and Scheduling]
  • Fixed kube-apiserver startup failure during upgrade when MultiCIDRServiceAllocator is enabled and the cluster has a large number of namespaces. The IP address repair controller retries on Forbidden errors from admission plugins that are not yet ready. (#137147, @haojiwu) [SIG Testing]
  • Fixed kube-proxy log spam when all of a Service's endpoints were unready. (#136743, @ansilh) [SIG Network]
  • Fixed kubectl delete to properly handle deletion of multiple StatefulSet pods and exit normally. (#135563, @yangjunmyfm192085) [SIG CLI, Network and Node]
  • Fixed kubectl describe node to correctly display resource requests and limits for Pods using Pod-level resources. (#137394, @Nikateen) [SIG CLI]
  • Fixed kubectl describe to correctly recognize uppercase acronyms as a single element when displaying Custom Resource field names. (#135683, @uozalp) [SIG CLI]
  • Fixed kubectl label output message to display modified when labels are both added and removed. (#134849, @tchap) [SIG CLI]
  • Fixed kubectl logs -f to wait for containers to start instead of failing immediately when pods are in ContainerCreating or PodInitializing states. (#136411, @olamilekan000) [SIG CLI]
  • Fixed a v1.29 regression in the apiserver_watch_events_sizes metric to report total outgoing watch traffic again. (#135367, @mborsz) [SIG API Machinery]
  • Fixed a v1.34 regression in ipvs and winkernel kube-proxy backends. These backends now revert to their pre-v1.34 behavior of regularly rechecking all rules even when no Services or EndpointSlices change. (#135631, @danwinship) [SIG Network and Windows]
  • Fixed a v1.34 regression when starting pods with environment variables containing a value with $ followed by a multi-byte character. (#136325, @AutuSnow) [SIG Architecture]
  • Fixed a v1.35 regression in StatefulSet parallel Pod management by disabling the MaxUnavailableStatefulSet feature by default. (#137904, @soltysh) [SIG Apps]
  • Fixed a bug causing clients to error out when decoding large CBOR encoded lists. (#135340, @ricardomaraschini) [SIG API Machinery]
  • Fixed a bug in DeepEqualWithNilDifferentFromEmpty where empty slices and maps were incorrectly considered equal to non-empty ones due to using OR (||) instead of AND (&&) logic. This could cause managed fields timestamps to not update when the only change was adding or removing all elements from a list or map. (#135636, @mikecook) [SIG API Machinery]
  • Fixed a bug in the dra_operations_duration_seconds metric where the is_error label was recording inverted values. Error operations now correctly report is_error=true, and successful operations report is_error=false. (#135227, @hime) [SIG Node]
  • Fixed a bug preventing Pods sharing ResourceClaims from being scheduled with GangScheduling. (#137647, @nojnhuh) [SIG Node, Scheduling and Testing]
  • Fixed a bug that caused EndpointSlice churn for headless services with no ports defined. (#136502, @tzneal) [SIG Network]
  • Fixed a bug where kubectl apply --dry-run=client would only output server state instead of merged manifest values when the resource already exists. (#135513, @grandeit) [SIG CLI]
  • Fixed a bug where kubectl plugin list failed to detect overshadowed plugins on Windows. (#136689, @kfess) [SIG CLI]
  • Fixed a bug where the Gated pods metric was not updated when a Pod transitioned from Unschedulable to Gated during an update. (#135368, @vshkrabkov) [SIG Scheduling]
  • Fixed a bug where the scheduler_unschedulable_pods metric could be artificially inflated (leak) when a pod fails PreEnqueue plugins after being previously marked unschedulable. (#135981, @vshkrabkov) [SIG Scheduling]
  • Fixed a bug where users could not update HPAv2 resources that use object metrics with averageValue via the v1 HPA API. (#137856, @adrianmoisey) [SIG Autoscaling]
  • Fixed a bug where, after a kubelet restart, regular containers in a Pod with a sidecar (initContainer with restartPolicy: Always) and a startupProbe failed to restart after crashing. Affected Pods remained stuck with RestartCount: 0 indefinitely. (#137146, @george-angel) [SIG Node and Testing]
  • Fixed a data race in the PopulateRefs function in k8s.io/apiserver/pkg/cel/openapi/resolver where concurrent goroutines could simultaneously modify shared pointer fields from a shallow-copied schema struct. (#136802, @pohly) [SIG API Machinery, Node and Testing]
  • Fixed a kubelet device manager bug where topology hint computation enumerated O(2^n) NUMA node combinations using all machine NUMA nodes. On systems with many NUMA nodes that carry no devices (e.g. NVIDIA GB200 with 36 NUMA nodes), this caused kubelet to stall indefinitely during pod admission. The device manager now restricts iteration to NUMA nodes that actually host devices for the requested resource, reducing the search space to O(2^k) where k is typically 1–2. (#138244, @fanzhangio) [SIG Node]
  • Fixed a loophole that allowed users to work around DRA extended resource quota set by system administrators. (#135434, @yliaog) [SIG API Machinery, Apps, Node, Scheduling and Testing]
  • Fixed a race condition in CEL admission policy compilation that could cause kube-apiserver to crash with a concurrent map read and map write error under high load. (#135759, @Abhigyan-Shekhar) [SIG API Machinery and CLI]
  • Fixed a race condition in Dynamic Resource Allocation (DRA) where the same device could be allocated twice for different ResourceClaims when scheduling many pods very rapidly. Depending on whether DRA drivers check for this during NodePrepareResources (they should, but not all may implement this properly), the second pod using the same device could fail to start until the first one is done or (worse) run in parallel. (#136269, @pohly) [SIG Node, Scheduling and Testing]
  • Fixed an issue in the Windows kube-proxy (winkernel) where IPv4 and IPv6 Service load balancers could be incorrectly shared, causing broken dual-stack Service behavior. The kube-proxy now tracks load balancers per IP family, enabling correct support for PreferDualStack and RequireDualStack Services on Windows nodes. (#136241, @princepereira) [SIG Network and Windows]
  • Fixed an issue where zero-valued PSI (Pressure Stall Information) metrics were emitted by the kubelet when the OS does not support PSI, even if the KubeletPSI feature gate was enabled. (#137326, @amritansh1502) [SIG Node]
  • Fixed container restart policy validation error message to correctly show available actions when the RestartAllContainersOnContainerExits feature gate is enabled. (#137369, @kfess) [SIG Apps]
  • Fixed erroneously reporting a pod-level resize in progress on Pod creation when the InPlacePodLevelResourcesVerticalScaling feature gate is enabled. (#138049, @ndixita) [SIG Node and Testing]
  • Fixed feature gates ChangeContainerStatusOnKubeletRestart and StatefulSetSemanticRevisionComparison to be visible in --help output across different components. (#135515, @dims) [SIG Architecture]
  • Fixed a goroutine hot-loop in client-go StartEventWatcher when the event broadcaster shuts down before the cancellation context fires. (#137398, @Rajneesh180) [SIG API Machinery]
  • Fixed how image names are compared to the values from preloadedImagesVerificationAllowlist in the kubelet's configuration. Previously, the use of "familiar" image names (e.g. "alpine") from a Pod did not properly match the same name in preloadedImagesVerificationAllowlist in the kubelet's configuration. (#137629, @stlaz) [SIG Auth, Node and Testing]
  • Fixed incorrect behavior when using AllocationModeAll with DRA PrioritizedList that prevented the allocator from successfully allocating a claim even when devices were available. (#137347, @mortent) [SIG Node]
  • Fixed informer-gen to generate SetTransform calls that correctly override per-informer transforms. (#137473, @jpbetz) [SIG API Machinery and Scheduling]
  • Fixed issues in server side apply and client-go's Extract{TypeName}() and Extract{TypeName}From() functions where empty arrays and maps were incorrectly treated as absent, and atomic elements from associative lists were incorrectly duplicated. (#135391, @jpbetz) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Network, Node, Scheduling and Storage]
  • Fixed kubeadm to skip appending the client URL of etcd learner members to c.Endpoints, since learners do not serve client traffic. (#137251, @pacoxu) [SIG Cluster Lifecycle]
  • Fixed link file ownership of projected serviceAccountToken. (#137332, @gavinkflam) [SIG Storage]
  • Fixed log verbosity for non-error messages in the SELinux warning controller so they are no longer logged at error level. (#136050, @ShaanveerS) [SIG Apps and Storage]
  • Fixed log verbosity for non-error messages in the storage version migrator so they are no longer logged at error level. (#136046, @Tanner-Gladson) [SIG API Machinery and Apps]
  • Fixed queue hint for certain plugins on change to pods with nominated nodes. (#135392, @brejman) [SIG Scheduling]
  • Fixed queue hint for inter-pod anti-affinity in the case where a deleted pod's anti-affinity matched the pending pod, which might have caused delays in scheduling. (#135325, @brejman) [SIG Scheduling and Testing]
  • Fixed queue hint for the interpodaffinity plugin in case target pod labels change. (#135394, @brejman) [SIG Scheduling]
  • Fixed redundant SSH command executions in the etcd failure e2e test. (#137001, @kairosci) [SIG API Machinery and Testing]
  • Fixed running of DRA e2e tests in air-gapped clusters or with test images in private registries. (#138318, @jsafrane) [SIG Node and Testing]
  • Fixed static pod status displaying Init:0/1 when unable to retrieve init container status from container runtime. (#131317, @bitoku) [SIG Node and Testing]
  • Fixed the lastTerminationStatus to match the RestartAllContainers action if the container was restarted this way. (#136964, @yuanwang04) [SIG Node]
  • Fixed the total Pod resources computation. (#137683, @ndixita) [SIG CLI and Node]
  • Fixed unsupported Table object detection to cover all List and Watch operations, preventing the reflector from incorrectly processing resources returned in Table format. (#136937, @p0lyn0mial) [SIG API Machinery and Testing]
  • Fixed validation error messages for restartPolicyRules and exitCodes.values to report "items" instead of "bytes". (#137136, @kfess) [SIG Apps]
  • Improved CPU usage in the nftables mode of kube-proxy when loading very large rulesets. (#135800, @danwinship) [SIG Network]
  • Improved DRA scheduling performance by splitting ResourceSlice entries into shared and onNode categories, reducing Filter stage latency by ~50% in large clusters. (#136588, @abel-von) [SIG API Machinery, Apps, Auth, Node and Scheduling]
  • Improved a misleading error message when updating batch.Job's status.startTime. The error for unsuspended Jobs correctly indicates the field is immutable once set, instead of incorrectly referring to the action as a "removal". (#136585, @zhzhuang-zju) [SIG Apps]
  • Kube-apiserver: Fixed request latency annotation apiserver.latency.k8s.io/total in the audit log when request took more than 500ms. (#135685, @chaochn47) [SIG API Machinery]
  • Kube-apiserver: Fixed the log verbosity level in the unsafe delete authorization check that was incorrectly using Error level instead of Info level. (#136229, @thc1006) [SIG API Machinery]
  • Kube-apiserver: Liveness probes will now fail when the loopback client certificate expires. (#136477, @everettraven) [SIG API Machinery and Testing]
  • Kube-apiserver: Setting --audit-log-maxsize=0 now disables audit log rotation (the default remains 100 MB). To avoid outages due to filling disks with ever-growing audit logs, --audit-log-maxage now defaults to 366 (1 year) and --audit-log-maxbackup now defaults to 100. If retention of all rotated logs is desired, age and count-based pruning can be disabled by explicitly specifying --audit-log-maxage=0 and --audit-log-maxbackup=0. (#136478, @kairosci) [SIG API Machinery]
  • Kube-controller-manager: Fixed VolumeAttachment cleanup when CSI's attachRequired switches from true to false. (#129664, @hkttty2009) [SIG Storage and Testing]
  • Kube-proxy now correctly handles the case where a pod IP gets assigned to a newly-created pod when the pod that previously had that IP has been terminated but is not yet fully deleted. (#135593, @danwinship) [SIG Network]
  • Kube-proxy: Fixed nftables mode to work on systems with nft v1.1.3. (#137501, @danwinship) [SIG Network]
  • Kubeadm: Changed kubeadm join to wait for the etcd learner member to start before promoting it. (#136014, @SataQiu) [SIG Cluster Lifecycle]
  • Kubeadm: Fixed a bug where kubeadm upgrade failed if the content of the /var/lib/kubelet/kubeadm-flags.env file was KUBELET_KUBEADM_ARGS="". (#136127, @carlory) [SIG Cluster Lifecycle]
  • Kubeadm: Ignored EINVAL when unmounting /var/lib/kubelet peer mounts during reset. (#137494, @fuweid) [SIG Cluster Lifecycle]
  • Kubeadm: When applying user-provided overrides using extraArgs, the resulting list of arguments is no longer sorted alphanumerically. Only default arguments are sorted, while overrides preserve their order. This allows finer control for flags where order matters, such as --service-account-issuer for kube-apiserver. (#135400, @neolit123) [SIG Cluster Lifecycle]
  • Kubectl: Fixed kyaml output of kubectl get ... --output-watch-events -o kyaml. (#136110, @liggitt) [SIG CLI]
  • Kubectl: Fixed a panic in kubectl exec when the terminal size queue delegate is uninitialized. (#135918, @MarcosDaNight) [SIG CLI]
  • Kubectl: Fixed a panic when processing pods with nil resource requests but populated container status resources. (#136534, @dmaizel) [SIG CLI]
  • Kubectl: Fixed an issue where kubectl run -i/-it would miss container output written before the attach connection was established. (#136010, @olamilekan000) [SIG CLI]
  • Kubelet: Fixed Dynamic Resource Allocation (DRA) to correctly handle multiple ResourceClaims even if one is already prepared. (#135919, @rogowski-piotr) [SIG Node and Testing]
  • Kubelet: Fixed a data race in pod allocated resources. (#136226, @HirazawaUi) [SIG Node]
  • Kubelet: Fixed a data race in the container manager. (#136206, @HirazawaUi) [SIG Node]
  • Kubelet: Fixed a data race in the status manager. (#136205, @HirazawaUi) [SIG Node]
  • Kubelet: Fixed a data race in the volume manager's WaitForAllPodsUnmount that could cause errors to be lost during concurrent pod unmount operations. (#135794, @AutuSnow) [SIG Node and Storage]
  • Kubelet: Fixed a nil pointer dereference when handling pod updates of mirror pods with the NodeDeclaredFeatures feature gate enabled. (#136037, @pravk03) [SIG Node]
  • Kubelet: Fixed logging to properly respect verbosity levels. Previously, some debug/info messages using V().Error() would always be printed regardless of the configured log verbosity. (#136028, @thc1006) [SIG Node]
  • Kubelet: Fixed preservation of DRA NodeAllocatableResourceClaimStatuses in PodStatus. (#138030, @askervin) [SIG Node]
  • Kubelet: Fixed reloading of server certificate files when they are changed on disk and kubelet is dialed by IP address instead of DNS/hostname. (#133654, @kwohlfahrt) [SIG API Machinery, Auth, Node and Testing]
  • Kubelet: Relisted Pods on-demand for lower latency operations. Guarded by the beta feature gate PLEGOnDemandRelist. (#137362, @tallclair) [SIG Node]
  • Kubelet: The plugin manager now properly handles plugin registration failures by removing failed plugins from the actual state and retrying with exponential backoff (initial delay 500ms, doubling each failure up to ~2 minutes maximum) to protect against broken plugins causing denial of service while still allowing recovery from transient failures. (#133335, @bart0sh) [SIG Node, Storage and Testing]
  • Kubernetes is now built using Go v1.26.1. (#137474, @BenTheElder) [SIG Release and Testing]
  • Optimized kube-proxy conntrack cleanup logic, reducing the time complexity of deleting stale UDP entries. This significantly improves performance when there are many stale connections to clean up. (#135511, @aojea) [SIG Network]
  • Previously, when an attempt to allocate devices through DRA for a node timed out, scheduling would proceed with another node if any had the necessary resources. This potentially hid that a node was ignored. Worse, if scheduling was slow overall, the Pod was incorrectly moved to "unschedulable" and only retried after a periodic sweep. Timeouts are now errors that are always visible as Pod scheduling failures and get retried with per-Pod exponential backoff. (#137607, @0xMH) [SIG Node, Scheduling and Testing]
  • Reflected the expected replica count in the output of the kubectl scale command. (#136945, @ardaguclu) [SIG CLI and Testing]
  • Removed GuaranteedQoSPodCPUResize from node declared features. (#136759, @pravk03) [SIG Node and Testing]
  • Removed container_cpu_load_average_10s, container_cpu_load_d_average_10s, and cpu_tasks_state metrics from being reported by cadvisor. The values were always 0 because a flag was not enabled in the kubelet. (#134981, @haircommander) [SIG Node and Testing]
  • The k8s.io/client-go/transport package automatically reloads certificate authority roots from disk when they are supplied via a file path. This functionality is enabled by default and can be disabled via the ClientsAllowCARotation feature gate. (#132922, @yt2985) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Instrumentation, Network, Node, Release, Scheduling and Testing]
  • The k8s.io/client-go/transport package garbage collects TLS cache entries and client certificate rotation goroutines when a transport is no longer used. This functionality is enabled by default and can be controlled via the ClientsAllowTLSCacheGC feature gate. Binaries embedding k8s.io/client-go but not wiring the feature gates can disable it by setting the KUBE_FEATURE_ClientsAllowTLSCacheGC=false environment variable. When the feature is disabled, the TLS cache can grow indefinitely and client certificate rotation goroutines are leaked. The new rest_client_transport_cert_rotation_gc_calls_total{} and rest_client_transport_cache_gc_calls_total{result: deleted/skipped} counter metrics can be used with the preexisting rest_client_transport_* metrics to help with debugging. (#136355, @enj) [SIG API Machinery, Architecture, Auth, Instrumentation, Node and Testing]
  • The kubelet_pod_start_sli_duration_seconds_bucket metric matches Pod startup latency SLI/SLO documentation. (#131950, @alimaazamat) [SIG Node]
  • The kubelet sets the PodReadyToStartContainers condition immediately after sandbox creation rather than after image pull, reducing the time to condition True. (#134660, @Priyankasaggu11929) [SIG Apps, Node and Testing]
  • The garbage collector correctly handles objects deleted externally, preventing spurious error logs. (#136817, @kairosci) [SIG API Machinery, Apps and Testing]
  • Updated the NodeResourcesBalancedAllocation scoring algorithm to align with the documentation. The score now takes into consideration the balance both with and without the requested pod. The previous algorithm considered only the balance with the requested pod. This can change the scheduling decisions in some cases. (#135573, @brejman) [SIG Scheduling]
  • Updated the CDI spec for discoverable metadata to v0.5.0. (#138035, @alaypatel07) [SIG Node]
  • Updated the pause image to v3.10.2. (#138199, @neolit123) [SIG CLI, Cloud Provider, Cluster Lifecycle, Scheduling and Testing]
  • Validation messages for a Pod's status.resourceClaimStatuses[].resourceClaimName refer correctly to the resourceClaimName field instead of the name field. (#137321, @nojnhuh) [SIG Apps]
  • Writes to the ServiceCIDR main resource ignore status field changes in the request, consistent with all other Kubernetes APIs. The ServiceCIDRStatusFieldWiping feature gate can be disabled to restore the previous behavior; it will be locked to enabled in a future release. (#137715, @jpbetz) [SIG API Machinery, Network and Testing]

Other (Cleanup or Flake)

  • Added audit-id to the "Starting watch" log line. (#136084, @richabanker) [SIG API Machinery]
  • Added explicit logging when WatchList requests complete their initial listing phase. (#136085, @richabanker) [SIG API Machinery]
  • Added group, version, and resource labels to the existing alpha metric apiserver_rerouted_request_total. (#137063, @richabanker) [SIG API Machinery]
  • Added missing tests for client-go metrics. (#136052, @sreeram-venkitesh) [SIG Architecture and Instrumentation]
  • Client-go: Fake client-go (i.e., anything using k8s.io/client-go/testing) now supports separate List+Watch calls with checking of ResourceVersion in the Watch call. This closes a race condition where creating an object directly after an informer cache has synced (List call completed) and before the Watch call completed would cause that object to not be sent to the informer. A visible side-effect of adding that support is that List metadata contains a ResourceVersion (starting at 1 for the empty set, incremented by one for each add/update) and that Watch may return objects where it previously did not. Note that this List+Watch is not to be confused with the ListWatch feature, which uses a single call. That feature is still not supported by fake client-go. (#136143, @pohly) [SIG API Machinery, Apps, Auth and CLI]
  • Client-go: Fixed an issue where Reflector could get confused about the resource version it should use to restart a watch while receiving synthetic ADDED events at the beginning of a watch from resourceVersion 0 or empty string (""). (#136583, @michaelasp) [SIG API Machinery]
  • Deprecated the SeparateCacheWatchRPC feature gate. It is now locked to its default value (false) and can no longer be overridden. The feature gate will be removed in a future release. (#135808, @tico88612) [SIG API Machinery]
  • Enabled YAML support for /statusz and /flagz endpoints. (#135309, @richabanker) [SIG API Machinery, Instrumentation and Testing]
  • Fixed DRA device taint eviction controller to avoid confusing intermediate status messages by delaying status updates after pod eviction until the informer cache is updated. (#135611, @Karthik-K-N) [SIG Apps and Scheduling]
  • For performance reasons, kubectl describe defaults to showing related events only when describing a single object. Passing --show-events explicitly when describing multiple objects or fuzzy matching on prefix still shows related events if desired. (#137145, @mark-liu) [SIG CLI]
  • Improved stability by sorting containers by create time and ID in kubeGenericRuntimeManager.GetPods() and GetPod(). (#137566, @yangjunmyfm192085) [SIG Node]
  • Kubeadm: Removed the cleanup of the --pod-infra-container-image kubelet flag from /var/lib/kubelet/kubeadm-flags.env on upgrade. This cleanup was necessary when upgrading to v1.35. (#135807, @carlory) [SIG Cluster Lifecycle]
  • Kubeadm: Removed usage of the deprecated etcd flags --experimental-initial-corrupt-check and --experimental-watch-progress-notify-interval if the etcd version is < v3.6.0. In this version of kubeadm, etcd < v3.6.0 is no longer supported in terms of the Kubernetes / etcd version mapping. These deprecated flags have been replaced by --feature-gates=InitialCorruptCheck=true and --watch-progress-notify-interval. (#135701, @neolit123) [SIG Cluster Lifecycle]
  • Kubelet: Fixed admission to correctly handle DRA-backed extended resources, allowing Pods to be admitted even when these resources are not present in the node's allocatable capacity. (#135725, @bart0sh) [SIG Node, Scheduling and Testing]
  • Kubernetes is now built using Go v1.26.2. (#138261, @dims) [SIG Architecture and Testing]
  • Locked the DisableNodeKubeProxyVersion feature gate to enabled by default. (#136673, @HirazawaUi) [SIG CLI and Network]
  • Promoted HPA metrics reconciliations_total, reconciliation_duration_seconds, metric_computation_total, and metric_computation_duration_seconds to beta. (#136178, @omerap12) [SIG Apps, Autoscaling and Instrumentation]
  • Promoted InOrderInformers to GA via the usage of RealFIFO. This means that DeltaFIFO will gradually be deprecated in favor of RealFIFO in internal implementations. (#136601, @michaelasp) [SIG API Machinery]
  • Promoted SELinuxChangePolicy and SELinuxMountReadWriteOncePod to GA; they are enabled unconditionally. (#136912, @dfajmon) [SIG Apps, Storage and Testing]
  • Reduced get PV requests from the KCM pv-controller for CSI volumes. (#134290, @huww98) [SIG Apps and Storage]
  • Removed v1alpha1 WebhookAdmissionConfiguration. It was deprecated in v1.17 in favor of apiserver.config.k8s.io/v1. (#137379, @aramase) [SIG API Machinery and Testing]
  • Removed event listing behavior when describing a deleted Pod from file using kubectl describe -f, ensuring consistent NotFound error handling across all resource types. (#135281, @scaliby) [SIG CLI]
  • Removed misleading SuggestFor entries from kubectl wait so that it is no longer suggested when users type kubectl list or kubectl ps. (#137266, @kfess) [SIG CLI and Testing]
  • Removed the WatchFromStorageWithoutResourceVersion feature gate in v1.36. (#136066, @serathius) [SIG API Machinery]
  • Removed the cri-client helper method NewLogOptions; LogOptions must be constructed directly. This eliminates the unwanted dependency from cri-client to apimachinery. (#137827, @SergeyKanzhelev) [SIG Node and Release]
  • Removed the dead --bounding-dirs flag and BoundingDirs field from deepcopy-gen. (#137348, @Jefftree) [SIG API Machinery]
  • Removed the generally available feature gate HonorPVReclaimPolicy, which was locked and enabled since v1.33. (#135335, @carlory) [SIG Apps and Storage]
  • Renamed PodGroupInfo to PodGroupState, which may break custom scheduler plugins that use Handle.WorkloadManager. (#136344, @brejman) [SIG Scheduling]
  • Reverted graduation of maxLength property. (#137274, @lalitc375) [SIG API Machinery]
  • The "Failed to update lease optimistically" log message may not be shown to users anymore, depending on the log level they have set. (#137753, @adamkasztenny) [SIG API Machinery]
  • The GetPCIeRootAttributeByPCIBusID helper accepts a fs.ReadLinkFS optional argument to be filesystem-independent. (#137220, @ffromani) [SIG Node]
  • The cri-api client accepts a context instead of a logger on initialization. (#137248, @SergeyKanzhelev) [SIG Cluster Lifecycle, Node and Testing]
  • Truncated the watch cache RV metric to 15 digits to ensure precision. (#137615, @michaelasp) [SIG API Machinery and Instrumentation]
  • Updated cri-tools to v1.35.0. (#135694, @saschagrunert) [SIG Cloud Provider and Node]
  • Updated etcd client library to v3.6.6. (#135331, @yashsingh74) [SIG API Machinery, Auth, Cloud Provider, Etcd, Node and Scheduling]
  • Updated etcd client library to v3.6.7. (#136407, @ivanvc) [SIG API Machinery, Auth, Cloud Provider, Node and Scheduling]
  • Updated etcd images to v3.6.8. (#137107, @joshjms) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
  • Updated kube-dns to v1.26.7. (#134394, @toredash) [SIG Cloud Provider]
  • Updated kustomize dependency to v5.8.1. (#136892, @koba1t) [SIG Architecture and CLI]

Dependencies

Added

Changed

Removed



Contributors, the CHANGELOG-1.36.md has been bootstrapped with v1.36.0 release notes and you may edit now as needed.



Published by your Kubernetes Release Managers.
