Kubernetes v1.35.0-alpha.3 is live!

[daniel chan]

Kubernetes Community,

Kubernetes v1.35.0-alpha.3 has been built and pushed using Golang version 1.25.3.

The release notes have been updated in CHANGELOG-1.35.md, with a pointer to them on GitHub:

---

v1.35.0-alpha.3

Downloads for v1.35.0-alpha.3

Source Code

filename	sha512 hash
kubernetes.tar.gz	054e77631e6a17dcb1589e14aaf215672c054a3315de0e72fad066d5f4392ff09288dc0ead2e9667c65c3c7c770d81206abb94eaf2615b1ef0cc99fbf3a5c793
kubernetes-src.tar.gz	fe30a5b352bb1656d7306aec0f491fde6f874af7d749fa31fe75ac5035c98d3c63d95db1b0c0024b30c55eadf7b60a1c3513a343eff2d6b0793147112940c82b

Client Binaries

filename	sha512 hash
kubernetes-client-darwin-amd64.tar.gz	ca86f0ff39c9ee9ddf75674369cac952652afb3d36c11d8b761d00e9a6f9827adda24d87db6d936ab4ff54cd3d65afcc1e8b77868bc8054837d36cc9725a0fe8
kubernetes-client-darwin-arm64.tar.gz	b5a6772bfd7fd59ad18d0ccd6cece28d316613c1364607bdcb6389b2be1e911297b8ea3fb4b0ced7c38e66be36bf3f42898e4a5fade67add6a29cc5caec0f449
kubernetes-client-linux-386.tar.gz	8ecf519056385911fcec30039c8c3bf8537726c35ad9637602444dc6f1c5cc4f34fd2b924641b64b5a94b81935deff3a1445bc161fa3c3887a26b6a572e5a126
kubernetes-client-linux-amd64.tar.gz	499d946c3baf4bf55cc12ae0166ebbd3ae2c0c383d0f0cabca18cdc843b101e4fe0a972117f01d59e6eb61056471bdf5ff7b1c124e42298a4d758c01f8d888dc
kubernetes-client-linux-arm.tar.gz	fc240f0e23fad7578330cfb65ee271b3dfee099fd4fea3df6e5bd6cd5c50d8d398915d3c1dd735593b96ed1f3d30a800dd3ee6b1553c32bbc46428823ff68d6d
kubernetes-client-linux-arm64.tar.gz	ee4a49a4c55d9fce0cddf8150fa506df2c498abb257bb87c773260c26dc32fcb14be97630a27a22dd7406207778c7111f95751dc80b5dfabdf0755757b9c7082
kubernetes-client-linux-ppc64le.tar.gz	758eab71ab6435a689ac081bad27270967b6f8a09532b2dbc1c45b16eb8cc9ee24d317c4c8adf4345c569e89a1edeea8fb6f1bf97f7f84604fc17a7459f9a59f
kubernetes-client-linux-s390x.tar.gz	13947dfc8a67de7805e2e0818452d287079f9f382c8e36e8501b0871c5083f3eef1ac0461ca3570abeb39f84391b75843236a98f56f17a75f01a3d88cbfc6998
kubernetes-client-windows-386.tar.gz	813f670f33f20dfbec2dfd53136831f1117b5d172fa381fb1f69348d9f2e1cdda5eff2f807529924d1751d31011f3ba0a9dfd2e395114f8c289cbc3a262a207b
kubernetes-client-windows-amd64.tar.gz	6cfafe20404a2d6d8d7f9ed923eabc59360ba16454db8602de7aaaf3f40af7ff0429f54c3a34fd8c94d4a2e83bffeab29de5eed78f45f3cbe4027a8ae23a25c9
kubernetes-client-windows-arm64.tar.gz	dc4f018a9d7182c32f82727e42624f6b5883e944a730855ab0dd9ab9e8a5eea0766c5214ce5bf63c3bafc795d28bc335a94c9e50f1c4c80887c944780bb7811a

Server Binaries

filename	sha512 hash
kubernetes-server-linux-amd64.tar.gz	741bc1b0cb536ae82284b299fbb27c466e7ce3b54ba879a40631c5c00d822bce76dbb927d51ccb50383f22e115c4f0a5d22d8157cd9ea69da797f2fae2229b50
kubernetes-server-linux-arm64.tar.gz	26d073a93c26511aa3ec2e47954193175a87426d6f489370cbc5d2cbc636e98785a8c065d3cee1e3fcd52f4ee2b37e3137ade65739704b4aa3582c41d9e69341
kubernetes-server-linux-ppc64le.tar.gz	2ce67d08040129bc1d290faf63573f7e1881f2ec7eaf02a4a27cbd48285fc315ff336d245c63f6bb8dd5b2e82821beed731bf9e9f807a4d5a0fadac355413183
kubernetes-server-linux-s390x.tar.gz	6b12151c9ab895a9c51f7e17b067d165b511f8c7e32c5ee2cb9924087314bcacd74826e1b18bccd1e06b85a9a3c26e151c38fed9a4f40794777bd06f68cb3e95

Node Binaries

filename	sha512 hash
kubernetes-node-linux-amd64.tar.gz	f13943abe46974a701c1de6a20f76a2ade96db4795de7f6615680c3a360d602d5efca1d062c206f5154e3c3f504c0e51fda10e96ed31e20b3bd3d711be3600f8
kubernetes-node-linux-arm64.tar.gz	b7b664dde1dea0469dcab0a8f30032c583210d008621580930feb4a56353f9d51b732643fb41600febae3da3f2f17617c7914487539e4d7be8b4942c52219c85
kubernetes-node-linux-ppc64le.tar.gz	38cc958f6bc855b9fb6da6dbe1dd4eda874916865b030b929eab5f4110fa9554d7531757992e54ad912ca41d7eee6f01e6a299132c023199d7751491ae5456da
kubernetes-node-linux-s390x.tar.gz	c32b6d753f1c76bfcac7c37d5986d243cb5b7ad6bd01596b84d4262250ba31d875005302e8b92f7b8bac9ad30a85a6a60f99609fbbcceb0df1d08dfad8539488
kubernetes-node-windows-amd64.tar.gz	c5dfdcf501f39003ff818fa66c90e3874d9db21afc74ce9d6fe20de6f074d755ee0a90e18e47ffebda0da5685e9b42e8385f6e7e3d518b08a911c019686257d9

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name	architectures
registry.k8s.io/conformance:v1.35.0-alpha.3	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.35.0-alpha.3	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.35.0-alpha.3	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.35.0-alpha.3	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.35.0-alpha.3	amd64, arm64, ppc64le, s390x
registry.k8s.io/kubectl:v1.35.0-alpha.3	amd64, arm64, ppc64le, s390x

Changelog since v1.35.0-alpha.2

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• ACTION REQUIRED

vendor: updated k8s.io/system-validators to v1.12.1. The cgroups validator will now throw an error instead of a warning if cgroups v1 is detected on the host and the provided KubeletVersion is 1.35 or newer.

kubeadm: started using k8s.io/system-validators v1.12.1 in kubeadm 1.35. During kubeadm init, kubeadm join and kubeadm upgrade, the SystemVerification preflight check will throw an error if cgroups v1 is detected and if the detected kubelet version is 1.35 or newer. For older versions of kubelet, there will be just a preflight warning.

To allow cgroups v1 with kubeadm and kubelet version 1.35 or newer, you must:

• Ignore the error from the SystemVerifcation preflight check by kubeadm.
• Edit the kube-system/kubelet-config ConfigMap and add the failCgroupV1: false field, before upgrading. (#134744, @neolit123) [SIG Cluster Lifecycle and Node]
• Removed the --pod-infra-container-image flag from kubelet's command line. For non-kubeadm clusters, users must manually remove this flag from their kubelet configuration to prevent startup failures before they upgrade kubelet. (#133779, @carlory) [SIG Node]

Changes by Kind

API Change

• Add ObservedGeneration to CustomResourceDefinition Conditions. (#134984, @michaelasp) [SIG API Machinery]

• Add StorageVersionMigration v1beta1 api and remove the v1alpha API.

  Any use of the v1alpha1 api is no longer supported and users must remove any v1alpha1 resources prior to upgrade. (#134784, @michaelasp) [SIG API Machinery, Apps, Auth, Etcd and Testing]

• CSI drivers can now opt-in to receive service account tokens via the secrets field instead of volume context by setting spec.serviceAccountTokenInSecrets: true in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the CSIServiceAccountTokenSecrets feature gate (Beta in v1.35). (#134826, @aramase) [SIG API Machinery, Auth, Storage and Testing]

• DRA device taints: DeviceTaintRule status provided information about the rule, in particular whether pods still need to be evicted ("EvictionInProgress" condition). The new "None" effect can be used to preview what a DeviceTaintRule would do if it used the "NoExecute" effect and to taint devices ("device health") without immediately affecting scheduling or running pods. (#134152, @pohly) [SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]

• DRA: the DynamicResourceAllocation feature gate for the core functionality (GA in 1.34) is now locked to enabled-by-default and thus cannot be disabled anymore. (#134452, @pohly) [SIG Auth, Node, Scheduling and Testing]

• Forbid adding resources other than CPU & memory on pod resize. (#135084, @tallclair) [SIG Apps, Node and Testing]

• Implement constrained impersonation as described in https://kep.k8s.io/5284 (#134803, @enj) [SIG API Machinery, Auth and Testing]

• Introduces a structured and versioned v1alpha1 response for flagz (#134995, @yongruilin) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]

• Introduces a structured and versioned v1alpha1 response for statusz (#134313, @richabanker) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]

• New --min-compatibility-version flag for apiserver, kcm and kube scheduler (#133980, @siyuanfoundation) [SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]

• Promote PodObservedGenerationTracking to GA. (#134948, @natasha41575) [SIG API Machinery, Apps, Node, Scheduling and Testing]

• Promoted Job Managed By to general availability. The JobManagedBy feature gate is now locked to true, and will be removed in a future release of Kubernetes. (#135080, @dejanzele) [SIG API Machinery, Apps and Testing]

• Promoted ReplicaSet and Deployment .status.terminatingReplicas tracking to beta. The DeploymentReplicaSetTerminatingReplicas feature gate is now enabled by default. (#133087, @atiratree) [SIG API Machinery, Apps and Testing]

• Scheduler: added a new bindingTimeout argument to the DynamicResources plugin configuration. This allows customizing the wait duration in PreBind for device binding conditions. Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. (#134905, @fj-naji) [SIG Node and Scheduling]

• The Pod Certificates feature is moving to beta. The PodCertificateRequest feature gate is still set false by default. To use the feature, users will need to enable the certificates API groups in v1beta1 and enable the feature gate PodCertificateRequest. A new field UserAnnotations is added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations is added to the PodCertificateRequest API. (#134624, @yt2985) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]

• The StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, locked on since 1.32, have been removed (#134994, @liggitt) [SIG API Machinery, Auth, Node and Testing]

• The PreferSameZone and PreferSameNode values for Service's trafficDistribution field are now GA. The old value PreferClose is now deprecated in favor of the more-explicit PreferSameZone. (#134457, @danwinship) [SIG API Machinery, Apps, Network and Testing]

Feature

• Add the ChangeContainerStatusOnKubeletRestart feature gate. The feature gate defaults to disabled. When the feature gate is disabled, the kubelet does not change the pod status upon restart, and pods will not re-run startup probes after kubelet restart. (#134746, @HirazawaUi) [SIG Node and Testing]

• Added a new source label in resourceclaim_controller_resource_claims. Added a new metrics for DRAExtendedResource scheduler_resourceclaim_creates_total. (#134523, @bitoku) [SIG Apps, Instrumentation, Node and Scheduling]

• Added support for tracing in kubectl with --profile=trace (#134709, @tchap) [SIG CLI]

• Adding new kuberc view/set commands in kubectl to perform operations against kuberc file (#135003, @ardaguclu) [SIG CLI and Testing]

• Enable MutableCSINodeAllocatableCount by default. (#134647, @torredil) [SIG Storage]

• Improved throughput in the real-FIFO queue used by informer/controllers by adding batch handling for processing watch events. (#132240, @yue9944882) [SIG API Machinery, Scheduling and Storage]

• Introducing new flag --as-user-extra persistent flag in kubectl that can be used to pass extra arguments during the impersonation (#134378, @ardaguclu) [SIG CLI and Testing]

• Kube-apiserver: JWT authenticator now report the following metrics:

  • apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds
  • apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info

  when StructuredAuthenticationConfiguration feature is enabled. (#123642, @aramase) [SIG API Machinery, Auth and Testing]

• Kubeadm: added a new preflight check ContainerRuntimeVersion to validate if the installed container runtime supports the RuntimeConfig gRPC method. If the container runtime does not support the RuntimeConfig gRPC method, kubeadm will print a warning message.

  Once Kubernetes 1.36 is released, the kubelet might refuse to start if the CRI runtime does not support this feature. More information can be found in https://kubernetes.io/blog/2025/09/12/kubernetes-v1-34-cri-cgroup-driver-lookup-now-ga/. (#134906, @carlory) [SIG Cluster Lifecycle]

• New counter metric exposing details about kubelet ensuring an image exists on the node is added - kubelet_image_manager_ensure_image_requests_total{present_locally, pull_policy, pull_required} (#132644, @stlaz) [SIG Auth and Node]

• Promote InPlacePodVerticalScaling to GA. (#134949, @natasha41575) [SIG API Machinery, Node and Scheduling]

• Promote Relaxed validation for Services names to beta (enabled by default)

  Promote RelaxedServiceNameValidation feature to beta (enabled by default) The names of new Services names are validation with NameIsDNSLabel(), relaxing the pre-existing validation. (#134493, @adrianmoisey) [SIG Network]

• Promote kubectl command headers to stable (#134777, @soltysh) [SIG CLI and Testing]

• The SchedulerAsyncAPICalls feature gate has been re-enabled by default after fixing regressions detected in v1.34. (#135059, @macsko) [SIG Scheduling]

• The scheduler clears the nominatedNodeName field for Pods upon scheduling or binding failure. External components, such as Cluster Autoscaler and Karpenter, should not overwrite this field. (#135007, @ania-borowiec) [SIG Scheduling and Testing]

Bug or Regression

• BlockOwnerDeletion is removed from resource claims created from resource claim templates, and extended resource claims created by scheduler (#134956, @yliaog) [SIG Apps, Node and Scheduling]
• Drop DeviceBindingConditions fields if the DRADeviceBindingConditions is not enabled and not in-use (#134964, @sunya-ch)
• Fix a very old issue where kubelet rejects pods with NodeAffinityFailed due to a stale informer cache. (#134445, @natasha41575) [SIG Node]
• Fix issue in asynchronous preemption: Scheduler checks if preemption is ongoing for a pod before initiating new preemption calls (#134730, @ania-borowiec) [SIG Scheduling and Testing]
• Fix panic on kubectl api-resources (#134833, @rikatz) [SIG CLI]
• Fix setting distinctAttribute=nil when DRAConsumableCapacity is disabled (#134962, @sunya-ch) [SIG Node]
• Fix the bug which could result in Job status updates failing with the error: status.startTime: Required value: startTime cannot be removed for unsuspended job The error could be raised after a Job is resumed, if started and suspended previously. (#134769, @dejanzele) [SIG Apps and Testing]
• Fix: The requests for a config FromClass in the status of a ResourceClaim were not referenced. (#134793, @LionelJouin) [SIG Node]
• Fixed a bug that caused a deleted pod staying in the binding phase to occupy space on the node in the kube-scheduler. (#134157, @macsko) [SIG Scheduling and Testing]
• Fixed a bug that prevent allocating the same device that was previously consuming the CounterSet when enabling both DRAConsumableCapacity and DRAPartitionableDevices. (#134103, @sunya-ch) [SIG Node]
• Fixed a bug where the health of a DRA resource was not reported in the Pod status if the resource claim was generated from a template or used a different local name in the pod spec. (#134875, @Jpsassine) [SIG Node and Testing]
• Fixes an issue where the kubelet /configz endpoint reported incorrect value for kubeletconfig.cgroupDriver when the cgroup driver setting is received from the container runtime. (#134743, @marquiz) [SIG Node]
• Fixes bug where AllocationMode: All would not succeed if a resource pool contained ResourceSlices that wasn't targeting the current node. (#134466, @mortent) [SIG Node]
• Kube-controller-manager: Fixes a 1.34 regression, which triggered a spurious rollout of existing statefulsets when upgrading the control plane from 1.33 → 1.34. This fix is guarded by a StatefulSetSemanticRevisionComparison feature gate, which is enabled by default. (#135017, @liggitt) [SIG Apps]
• Kube-scheduler: Pod statuses no longer include specific taint keys or values when scheduling fails because of untolerated taints (#134740, @hoskeri) [SIG Scheduling]
• Namespace is added to the output of dry-run=client of HPA object (#134263, @ardaguclu) [SIG CLI and Testing]

Other (Cleanup or Flake)

• Added a new filed Step in the testing framework to allow volume expansion in configurable step sizes for tests. (#134760, @Rishita-Golla) [SIG Storage and Testing]
• Dropped support for certificates/v1beta1 CertificateSigningRequest in kubectl (#134782, @scaliby) [SIG CLI]
• Dropped support for discovery/v1beta1 EndpointSlice in kubectl (#134913, @scaliby) [SIG CLI]
• Dropped support for networking/v1beta1 IngressClass in kubectl (#135108, @scaliby) [SIG CLI]
• Eliminate use of md5 and prevent future use of md5 in favor of more appropriate hashing algorithms. (#133511, @BenTheElder) [SIG Apps, Architecture, CLI, Cluster Lifecycle, Network, Node, Security, Storage and Testing]
• Kubeadm: removed the kubeadm-specific feature gate WaitForAllControlPlaneComponents which graduated to GA in 1.34 and was locked to enabled by default. (#134781, @neolit123) [SIG Cluster Lifecycle]
• Kubeadm: updated the supported etcd version to v3.5.24 for supported control plane versions v1.32, v1.33, and v1.34. (#134779, @joshjms) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
• Migrate the cpumanager to contextual logging (#125912, @ffromani) [SIG Node]
• Removed the UserNamespacesPodSecurityStandards feature gate. The minimum supported Kubernetes version for a kubelet is now v1.31, so the gate is not needed. (#132157, @haircommander) [SIG Auth, Node and Testing]
• The FeatureGate SystemdWatchdog is locked to default and will be removed. The Systemd Watchdog functionality in kubelet can be turned on via Systemd without any feature gate set up. See https://kubernetes.io/docs/reference/node/systemd-watchdog/ for information. (#134691, @SergeyKanzhelev) [SIG Node]
• Updates the etcd client library to v3.6.5 (#134780, @joshjms) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.4.0
• github.com/gkampitakis/ciinfo: v0.3.2
• github.com/gkampitakis/go-diff: v1.3.2
• github.com/gkampitakis/go-snaps: v0.5.15
• github.com/goccy/go-yaml: v1.18.0
• github.com/joshdk/go-junit: v1.0.0
• github.com/maruel/natural: v1.1.1
• github.com/mfridman/tparse: v0.18.0
• github.com/tidwall/gjson: v1.18.0
• github.com/tidwall/match: v1.1.1
• github.com/tidwall/pretty: v1.2.1
• github.com/tidwall/sjson: v1.2.5
• go.uber.org/automaxprocs: v1.6.0

Changed

• github.com/google/pprof: d1b30fe → 27863c8
• github.com/onsi/ginkgo/v2: v2.21.0 → v2.27.2
• github.com/onsi/gomega: v1.35.1 → v1.38.2
• github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
• go.etcd.io/bbolt: v1.4.2 → v1.4.3
• go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
• go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
• golang.org/x/mod: v0.27.0 → v0.28.0
• golang.org/x/sync: v0.16.0 → v0.17.0
• golang.org/x/sys: v0.35.0 → v0.37.0
• golang.org/x/term: v0.34.0 → v0.36.0
• golang.org/x/text: v0.28.0 → v0.29.0
• k8s.io/system-validators: v1.11.1 → v1.12.1
• k8s.io/utils: 4c0f3b2 → bc988d5

Removed

Nothing has changed.

---

Contributors, the CHANGELOG-1.35.md has been bootstrapped with v1.35.0-alpha.3 release notes and you may edit now as needed.

Published by your Kubernetes Release Managers.