Kubernetes v1.35.0 is live!

51 views

Skip to first unread message

Angelos Kolaitis

unread,

Dec 17, 2025, 3:15:32 PM (2 days ago) Dec 17

to dev

Kubernetes Community,

Kubernetes v1.35.0 has been built and pushed using Golang version 1.25.5.

The release notes have been updated in CHANGELOG-1.35.md, with a pointer to them on GitHub:

v1.35.0

Documentation

Downloads for v1.35.0

Source Code

filename	sha512 hash
kubernetes.tar.gz	`478ae8101675fa873a3ad84c81c91604e70bdb947e3379564907916c8a3a1d4a0b7d2077e1d2701f18f2509a6fce0997d93a441ef6d1a17a2e90fdffdd4c13ec`
kubernetes-src.tar.gz	`dc9fc72736999bc40fdf28a7668c8e183effe135893c98f0773b0a50fe018c2f49156026c490f201def57645bf6172c81e07c1c6cb2d80bfb6b246c94fb4c5aa`

Client Binaries

filename	sha512 hash
kubernetes-client-darwin-amd64.tar.gz	`e7d510566442afd96dd3759764b573719469bb0ef00086d536bd7af0b8af29ddf150e6ece5ae95856daaaf7f2454f45755ac300648c692508e445aca7a8bd0de`
kubernetes-client-darwin-arm64.tar.gz	`cd3b216a5418ef2eb00aeb74bf0ebae34c41aa16419bd5bbe5cbb5d394570a38f54c88294aaa5bd7c27ef28c4f1aee2b5658beb4cd025258b6bbd522e8d499bc`
kubernetes-client-linux-386.tar.gz	`50250aefecc03afe5a6b1be8dffbd58efb4814fed2aae299ac3bbd3b32a40b47697897bafcc36f31f226c5fd2b185cb970e64674aa9ee60412e122128487598d`
kubernetes-client-linux-amd64.tar.gz	`a1469924896411ab3365628b301d2bbacaf235908cea47308498c9c351a17462ab4154928ef6f91cee849ff52600e394f2abe70f5165371ccfe6638446699d2c`
kubernetes-client-linux-arm.tar.gz	`df921ad2702a8bc90b8797d97e5ddba5d7d077d18f3b9e53a4594a432f628f52842ee5e26f70c16a82b4decf7c72cba1d04c43163c85026f9b0610fbde63e183`
kubernetes-client-linux-arm64.tar.gz	`0b332e13c9bb52093f57c4f2ae4ab103bc7f51e4c5dad2859300e7ece09ef303a9345ed3aea4d050b287f52dd8ed8d7cf9185c9e40ea5cc900c8d34e63eec83d`
kubernetes-client-linux-ppc64le.tar.gz	`07789dc2ec7e8439774d88437f0b1ee35d6b60a8bd23055b93dcf1461de5ae69aba0e0e99a0202892f6c70217388646e1592b087f048bb57e5ab10b1b0dfa956`
kubernetes-client-linux-s390x.tar.gz	`6563b8d452d29e7f155563294478e39dba7311dd086cf9fb0bc62c94a139b7f5d81a5716880d8072cd864948988e68f2dcd607a8ec79e339224ed5f4bcd48dc9`
kubernetes-client-windows-386.tar.gz	`522f96799bdaacdd1d10ab4c3a58d8fd86e45e6326c3b6538cc079ca951c28916bd1c8c9bb1d98f6257be0ba1ed91e97614407fe11a1c4bbea2c2052ba0feca7`
kubernetes-client-windows-amd64.tar.gz	`149145263071c8e1a4d73efe4d1c868286e7cea37629f1c076d2f2683e6b63fb3387d867f3283c9950a3b5b830f005019fa03874e4d53dfa9ad489aaaa9f535b`
kubernetes-client-windows-arm64.tar.gz	`2cffd56e01eaf24ace819cf9f4ef94187185978c8fa1192fd9d47236824ccfe745fe649d38c4351a016e0406bcfd1944178cb93af67b5e69015c04ab2ca5bf7c`

Server Binaries

filename	sha512 hash
kubernetes-server-linux-amd64.tar.gz	`23af53c49de841a0d5c19d9525d820cecc9d55367c132296a5f381d051438bf06dcddff3d0236df8ba6011a6aa5d0ffc31960d277c7f53a0ad98e66d6f8d6a0a`
kubernetes-server-linux-arm64.tar.gz	`fd245273c6ace20abc893f868d678c4a24c0dbe7d5340087f852d245e59329e66f79afce489dc1b396908d2f005b132eca8d15a7664508fe923627bb2eddee18`
kubernetes-server-linux-ppc64le.tar.gz	`68c48db8537c0470d2245740b8cdf3225efafc48a96646e369137e35931bd43324caf1394ee4b31774b0f43d44e6a4eaa5976186248a114d0e0feb2cb8953edc`
kubernetes-server-linux-s390x.tar.gz	`dd71c4b5ab213452d41059772de3b0db2c71fc6f958280694b2c1b20151bded5b6beb1b03a40dc683ce2d587e9a8bbf3bf486b3965064945803af4f10557558e`

Node Binaries

filename	sha512 hash
kubernetes-node-linux-amd64.tar.gz	`179278fecb65d246443f58cef00ca2f2a9d0ac6fbdb310994f0ac7fca249f7bdc1c79ea7f3e5455c1e2d2460f5447d006bfa579f97b502ee7034b2a1927f934a`
kubernetes-node-linux-arm64.tar.gz	`01178703c84e0f671770e53024e3cc53f540c0cf93b0804d35884a777c3e3bc44c44d62b6fd25204348986fa589969a9255c0ef04235a0bb9d5560b09867aa0b`
kubernetes-node-linux-ppc64le.tar.gz	`05d1ae963d5c4a382d380cb4f4cdfa924fa8a311953b5eaefe66b8696cebf14bffb13bda8ea784ca5fa1dd073c82ee148faa9a50911449cefad16fe2e800d7c1`
kubernetes-node-linux-s390x.tar.gz	`b7501e91153d062c7c545ef9900faf9b29826b6ff5ec5320f6a799d3d3b479f6ae79092909a1905e055b72dd540a9c8fb02b2d0655f6957cd0b4b7b2e9c18909`
kubernetes-node-windows-amd64.tar.gz	`f54c606e8ecc29b4ba4ef4570f679352f66cbae1f1bd4f49db5e18227b00ed0e6d8dd47422390fd2a3b87d837cf39dae58a260208096169a3aabef9e874c7586`

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name	architectures
registry.k8s.io/conformance:v1.35.0	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.35.0	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.35.0	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.35.0	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.35.0	amd64, arm64, ppc64le, s390x
registry.k8s.io/kubectl:v1.35.0	amd64, arm64, ppc64le, s390x

Changelog since v1.34.0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

ACTION REQUIRED:
Removed the --pod-infra-container-image flag from kubelet command line. For non-kubeadm clusters, users must manually remove this flag from their kubelet configuration to prevent startup failures before upgrading kubelet. For kubeadm clusters, if users pass extra arguments to the kubelet like --pod-infra-container-image, it will be written to the kubelet env file during the init phase. kubeadm does not remove it during the init or join phase, so users must manually remove it from extraArgs in the kubelet configuration file. (#133779, @carlory)
ACTION REQUIRED:

vendor: Updated k8s.io/system-validators to v1.12.1. The cgroups validator now throws an error instead of a warning if cgroups v1 is detected on the host and the provided KubeletVersion is v1.35 or newer.

kubeadm: Started using k8s.io/system-validators v1.12.1 in kubeadm v1.35. During kubeadm init, kubeadm join, and kubeadm upgrade, the SystemVerification preflight check throws an error if cgroups v1 is detected and the detected kubelet version is v1.35 or newer. For older versions of kubelet, a preflight warning is displayed.

To allow cgroups v1 with kubeadm and kubelet version v1.35 or newer, you must:

Ignore the error from the SystemVerification preflight check by kubeadm.
Edit the kube-system/kubelet-config ConfigMap and add the failCgroupV1: false field before upgrading. (#134744, @neolit123) [SIG Cluster Lifecycle and Node]

Changes by Kind

Deprecation

ACTION REQUIRED: failCgroupV1 will be set to true from 1.35. This means that nodes will not start on a cgroup v1 by default. This puts cgroup v1 into a deprecated state. (#134298, @kannon92)
Marked ipvs mode in kube-proxy as deprecated, which will be removed in a future version of Kubernetes. Users are encouraged to migrate to nftables. (#134539, @adrianmoisey)

API Change

Added ObservedGeneration to CustomResourceDefinition conditions. (#134984, @michaelasp)
Added WithOrigin within apis/core/validation with adjusted tests. (#132825, @PatrickLaabs)
Added scoring for the prioritized list feature so nodes that best satisfy the highest-ranked subrequests were chosen. (#134711, @mortent) [SIG Node, Scheduling and Testing]
Added the --min-compatibility-version flag to kube-apiserver, kube-controller-manager, and kube-scheduler. (#133980, @siyuanfoundation) [SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
Added the StorageVersionMigration v1beta1 API and removed the v1alpha1 API.
ACTION REQUIRED: The v1alpha1 API is no longer supported. Users must remove any v1alpha1 resources before upgrading. (#134784, @michaelasp) [SIG API Machinery, Apps, Auth, Etcd and Testing]
Added validation to ensure log-flush-frequency is a positive value, returning an error instead of causing a panic. (#133540, @BenTheElder) [SIG Architecture, Instrumentation, Network and Node]
All containers are restarted when a source container in a restart policy rule exits. This alpha feature is gated behind RestartAllContainersOnContainerExit. (#134345, @yuanwang04) [SIG Apps, Node and Testing]
CSI drivers can now opt in to receive service account tokens via the secrets field instead of volume context by setting spec.serviceAccountTokenInSecrets: true in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the CSIServiceAccountTokenSecrets feature gate (beta in v1.35). (#134826, @aramase) [SIG API Machinery, Auth, Storage and Testing]
Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, credPluginPolicy and credPluginAllowlist. This is documented in KEP-3104 and documentation is added to the website by kubernetes/website#52877 (#134870, @pmengelbert) [SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
DRA device taints: DeviceTaintRule status provides information about the rule, including whether Pods still need to be evicted (EvictionInProgress condition). The newly added None effect can be used to preview what a DeviceTaintRule would do if it used the NoExecute effect and to taint devices (device health) without immediately affecting scheduling or running Pods. (#134152, @pohly) [SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
DRA: The DynamicResourceAllocation feature gate for the core functionality (GA in v1.34) has now been locked to enabled-by-default and cannot be disabled anymore. (#134452, @pohly) [SIG Auth, Node, Scheduling and Testing]
Enabled kubectl get -o kyaml by default. To disable it, set KUBECTL_KYAML=false. (#133327, @thockin)
Enabled in-place resizing of pod-level resources.
- Added Resources in PodStatus to capture resources set in the pod-level cgroup.
- Added AllocatedResources in PodStatus to capture resources requested in the PodSpec. (#132919, @ndixita) [SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
Enabled the NominatedNodeNameForExpectation feature in kube-scheduler by default.
- Enabled the ClearingNominatedNodeNameAfterBinding feature in kube-apiserver by default. (#135103, @ania-borowiec) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
Enhanced discovery responses to merge API groups and resources from all peer apiservers when the UnknownVersionInteroperabilityProxy feature is enabled. (#133648, @richabanker) [SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
Extended core/v1 Toleration to support numeric comparison operators (Gt,Lt). (#134665, @helayoty) [SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that AllAlpha=true will no longer work without enabling disabled-by-default beta features that are depended on (either with AllBeta=true or explicitly enumerating the disabled dependencies). (#133697, @tallclair) [SIG API Machinery, Architecture, Cluster Lifecycle and Node]
Generated OpenAPI model packages for API types into zz_generated.model_name.go files, accessible via the OpenAPIModelName() function. This allows API authors to declare desired OpenAPI model packages instead of relying on the Go package path of API types. (#131755, @jpbetz) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
Implemented constrained impersonation as described in KEP-5284. (#134803, @enj) [SIG API Machinery, Auth and Testing]
Introduced a new declarative validation tag +k8s:customUnique to control listmap uniqueness. (#134279, @yongruilin) [SIG API Machinery and Auth]
Introduced a structured and versioned v1alpha1 response for the statusz endpoint. (#134313, @richabanker) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
Introduced a structured and versioned v1alpha1 response format for the flagz endpoint. (#134995, @yongruilin) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
Introduced the GangScheduling kube-scheduler plugin to support "all-or-nothing" scheduling using the scheduling.k8s.io/v1alpha1 Workload API. (#134722, @macsko) [SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
Introduced the Node Declared Features capability (alpha), which includes:
- A new Node.Status.DeclaredFeatures field for publishing node-specific features.
- A component-helpers library for feature registration and inference.
- A NodeDeclaredFeatures scheduler plugin to match pods with nodes that provide required features.
- A NodeDeclaredFeatureValidator admission plugin to validate pod updates against a node's declared features. (#133389, @pravk03) [SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
Introduced the scheduling.k8s.io/v1alpha1 Workload API to express workload-level scheduling requirements and allow the kube-scheduler to act on them. (#134564, @macsko) [SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
Introduced the alpha MutableSchedulingDirectivesForSuspendedJobs feature gate (disabled by default), which allows mutating a Job's scheduling directives while the Job is suspended. It also updates the Job controller to clears the status.startTime field for suspended Jobs. (#135104, @mimowo) [SIG Apps and Testing]
Kube-apiserver: Fixed a v1.34 regression in CustomResourceDefinition handling that incorrectly warned about unrecognized formats on number and integer properties. (#133896, @yongruilin) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
Kube-apiserver: Fixed a possible panic validating a custom resource whose CustomResourceDefinition indicates a status subresource exists, but which does not define a status property in the openAPIV3Schema. (#133721, @fusida) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
Kubernetes API Go types removed runtime use of the github.com/gogo/protobuf library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the google.golang.org/protobuf library, and no longer implement ProtoMessage() by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a kubernetes_protomessage_one_more_release build tag, but will be removed in v1.36. (#134256, @liggitt) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
Made node affinity in Persistent Volume mutable. (#134339, @huww98) [SIG API Machinery, Apps and Node]
Moved the ImagePullIntent and ImagePulledRecord objects used by the kubelet to track image pulls to the v1beta1 API version. (#132579, @stlaz) [SIG Auth and Node]
Pod resize now only allows CPU and memory resources; other resource types are forbidden. (#135084, @tallclair) [SIG Apps, Node and Testing]
Prevented Pods from being scheduled onto nodes that lack the required CSI driver. (#135012, @gnufied) [SIG API Machinery, Scheduling, Storage and Testing]
Promoted HPA configurable tolerance to beta. The HPAConfigurableTolerance feature gate has now been enabled by default. (#133128, @jm-franc) [SIG API Machinery and Autoscaling]
Promoted ReplicaSet and Deployment .status.terminatingReplicas tracking to beta. The DeploymentReplicaSetTerminatingReplicas feature gate is now enabled by default. (#133087, @atiratree) [SIG API Machinery, Apps and Testing]
Promoted PodObservedGenerationTracking to GA. (#134948, @natasha41575) [SIG API Machinery, Apps, Node, Scheduling and Testing]
Promoted the JobManagedBy feature to general availability. The JobManagedBy feature gate was locked to true and will be removed in a future Kubernetes release. (#135080, @dejanzele) [SIG API Machinery, Apps and Testing]
Promoted the MaxUnavailableStatefulSet feature to beta and enabling it by default. (#133153, @helayoty) [SIG API Machinery and Apps]
Removed the StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, which were locked since v1.32. (#134994, @liggitt) [SIG API Machinery, Auth, Node and Testing]
Scheduler: Added the bindingTimeout argument to the DynamicResources plugin configuration, allowing customization of the wait duration in PreBind for device binding conditions. Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. (#134905, @fj-naji) [SIG Node and Scheduling]
The DRA device taints and toleration feature received a separate feature gate, DRADeviceTaintRules, which controlled support for DeviceTaintRules. This allowed disabling it while keeping DRADeviceTaints enabled so that tainting via ResourceSlices continued to work. (#135068, @pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
The Pod Certificates feature moved to beta. The PodCertificateRequest feature gate is set disabled by default. To use the feature, users must enable the certificates API groups in v1beta1 and enable the PodCertificateRequest feature gate. The UserAnnotations field was added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations field was added to the PodCertificateRequest API. (#134624, @yt2985) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
The KubeletEnsureSecretPulledImages feature was promoted to Beta and enabled by default. (#135228, @aramase) [SIG Auth, Node and Testing]
The PreferSameZone and PreferSameNode values for the Service trafficDistribution field graduated to general availability. The PreferClose value is now deprecated in favor of the more explicit PreferSameZone. (#134457, @danwinship) [SIG API Machinery, Apps, Network and Testing]
Updated ResourceQuota to count device class requests within a ResourceClaim as two additional quotas when the DRAExtendedResource feature is enabled:
- requests.deviceclass.resource.k8s.io/<deviceclass> is charged based on the worst-case number of devices requested.
- Device classes mapping to an extended resource now consume requests.<extended resource name>. (#134210, @yliaog) [SIG API Machinery, Apps, Node, Scheduling and Testing]
Updated storage version for MutatingAdmissionPolicy to v1beta1. (#133715, @cici37) [SIG API Machinery, Etcd and Testing]
Updated the Partitionable Devices feature to support referencing counter sets across ResourceSlices within the same resource pool. Devices from incomplete pools were no longer considered for allocation. This change introduced backwards-incompatible updates to the alpha feature, requiring any ResourceSlices using it to be removed before upgrading or downgrading between v1.34 and v1.35. (#134189, @mortent) [SIG API Machinery, Node, Scheduling and Testing]
Upgraded the PodObservedGenerationTracking feature to beta in v1.34 and removed the alpha version description from the OpenAPI specification. (#133883, @yangjunmyfm192085)

Feature

Added k8s-short-name and k8s-long-name format validation tags to enforce DNS label and DNS subdomain compliance. (#133894, @lalitc375)
Added kubectl kuberc view and kubectl kuberc set commands to perform operations against the kuberc file. (#135003, @ardaguclu) [SIG CLI and Testing]
Added kubelet stress test for pod cleanup when rejection due to VolumeAttachmentLimitExceeded. (#133357, @torredil) [SIG Node and Storage]
Added paths section to kubelet statusz endpoint. (#133239, @Peac36)
Added a source label to the resourceclaim_controller_resource_claims metric. Added the scheduler_resourceclaim_creates_total metric for DRAExtendedResource. (#134523, @bitoku) [SIG Apps, Instrumentation, Node and Scheduling]
Added a counter metric kubelet_image_manager_ensure_image_requests_total{present_locally, pull_policy, pull_required} that exposes details about kubelet ensuring an image exists on the node. (#132644, @stlaz) [SIG Auth and Node]
Added additional event emissions during Pod resizing to provide clearer visibility when a Pod’s resize status changes. (#134825, @natasha41575)
Added configurable per-device health check timeouts to the DRA health monitoring API. (#135147, @harche) [SIG Node]
Added metrics for the MaxUnavailable feature in StatefulSet. (#130951, @Edwinhr716) [SIG Apps and Instrumentation]
Added paths section to scheduler statusz endpoint. (#132606, @Peac36) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
Added remote runtime and image Close() method to be able to close the connection. (#133211, @saschagrunert) [SIG Node]
Added support for tracing in kubectl with the --profile=trace flag. (#134709, @tchap)
Added support for validating UUID format. (#133948, @lalitc375)
Added the -n flag as a shorthand for --namespace in the kubectl config set-context command. (#134384, @tchap) [SIG CLI and Testing]
Added the ChangeContainerStatusOnKubeletRestart feature gate, which defaults to disabled. When the feature gate is disabled, kubelet does not change the Pod status upon restart, and Pods do not re-run startup probes after the kubelet restarts. (#134746, @HirazawaUi) [SIG Node and Testing]
Added the CloudControllerManagerWatchBasedRoutesReconciliation feature gate. (#131220, @lukasmetzner) [SIG API Machinery and Cloud Provider]
Added the UserNamespacesHostNetworkSupport feature gate. This gate is disabled by default, and when enabled, allowed hostNetwork pods to use user namespaces. (#134893, @HirazawaUi) [SIG Apps, Node and Testing]
After fixing regressions detected in v1.34, the SchedulerAsyncAPICalls feature gate was re-enabled by default. (#135059, @macsko)
Changed WaitForNamedCacheSync to WaitForNamedCacheSyncWithContext. (#133904, @aditigupta96) [SIG API Machinery, Apps, Auth and Network]
DRA: the resource.k8s.io API now uses the v1 API version (introduced in 1.34) as default storage version. Downgrading to 1.33 is not supported. (#133876, @kei01234kei) [SIG API Machinery, Etcd and Testing]
Enabled the MutableCSINodeAllocatableCount feature gate by default in beta. (#134647, @torredil)
Enabled the WatchListClient feature gate. (#134180, @p0lyn0mial) [SIG API Machinery, Apps, Auth, CLI, Instrumentation, Node and Testing]
Enabled the feature gate ContainerRestartRules by default. The ContainerRestartRules feature has been promoted to beta. Fixed a bug in this feature that caused probes to continue to run even if the container has terminated and is not restartable. (#134631, @yuanwang04)
Graduated the PodTopologyLabelsAdmission feature gate to Beta and enabled it by default. Pods now receive topology.kubernetes.io/zone and topology.kubernetes.io/region labels automatically when their assigned Node has these labels. (#135158, @andrewsykim)
Graduated the fine-grained supplemental groups policy (KEP-3619) to GA. (#135088, @everpeace) [SIG Node and Testing]
Graduated the image volume source feature to Beta and enabled it by default. (#135195, @haircommander) [SIG Apps, Instrumentation, Node and Testing]
Implemented opportunistic batching (KEP-5598) to optimize scheduling for pods with identical scheduling requirements. (#135231, @bwsalmon) [SIG Node, Scheduling, Storage and Testing]
Implemented scoring for DRA-backed extended resources. (#134058, @bart0sh) [SIG Node, Scheduling and Testing]
Improved throughput in the real-FIFO queue used by informers and controllers by adding batch handling for processing watch events. (#132240, @yue9944882) [SIG API Machinery, Scheduling and Storage]
Introduced end-to-end tests to verify component invariant metrics across the entire test suite. (#133394, @BenTheElder)
Introduced new kubelet metrics for the Ensure Secret Pulled Images KEP, including: - kubelet_imagemanager_ondisk_pullintents for tracking pull intent records on disk - kubelet_imagemanager_ondisk_pulledrecords for tracking pulled image records on disk - kubelet_imagemanager_image_mustpull_checks_total{result} for counting image must-pull verification checks. (#132812, @stlaz) [SIG Auth and Node]
Introduced the --as-user-extra persistent flag in kubectl, which allows passing extra arguments during impersonation. (#134378, @ardaguclu) [SIG CLI and Testing]
K8s.io/apimachinery: Introduced a helper function to compare resourceVersion strings between two objects of the same resource. (#134330, @michaelasp) [SIG API Machinery, Apps, Auth, Instrumentation, Network, Node, Scheduling, Storage and Testing]
KEP-5440: Enabled support for resizing resources while a Job is suspended. This feature is alpha. (#132441, @kannon92) [SIG Apps and Testing]
Kube-apiserver: Made the subresources pods/exec, pods/attach, and pods/portforward require create permission for both SPDY and Websocket API requests. Previously, SPDY requests required create permission, but Websocket requests only required get permission. This change is gated by the AuthorizePodWebsocketUpgradeCreatePermission feature-gate, which is enabled by default.
Before upgrading to 1.35, ensure any custom ClusterRoles and Roles intended to grant pods/exec, pods/attach, or pods/portforward permission include the create verb. (#134577, @seans3) [SIG API Machinery, Auth, Node and Testing]
Kubeadm: Added error printing during retries related to the WaitForAllControlPlaneComponents functionality at verbosity level 5. (#134433, @neolit123)
Kubeadm: Added the HTTPEndpoints field to ClusterConfiguration.Etcd.ExternalEtcd to configure HTTP endpoints for etcd communication in v1beta4. This separates HTTP traffic (e.g., /metrics, /health) from gRPC traffic, improving access control. Mirrors etcd’s --listen-client-http-urls behavior; if not set, the Endpoints field handles both traffic types. (#134890, @SataQiu)
Kubeadm: Graduated the kubeadm-specific feature gate ControlPlaneKubeletLocalMode to GA and locked it to enabled by default. To opt out, patch the server field in /etc/kubernetes/kubelet.conf. Deprecated the subphase of kubeadm join phase control-plane-join called etcd, which is now hidden and replaced by subphase with identical functionality etcd-join. The etcd subphase will be removed in a future release. The subphase kubelet-wait-bootstrap of kubeadm join is no longer experimental and will now always run. (#134106, @neolit123)
Kubernetes is now built using Go 1.25.1 (#134095, @dims) [SIG Release and Testing]
Kubernetes is now built using Go 1.25.4 (#135492, @cpanato) [SIG Release and Testing]
Kubernetes now uses Go Language Version 1.25, including https://go.dev/blog/container-aware-gomaxprocs (#134120, @BenTheElder) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling and Storage]
Locked down the AllowOverwriteTerminationGracePeriodSeconds feature gate. (#133792, @HirazawaUi)
Locked the (generally available) feature gate ExecProbeTimeout to true. (#134635, @vivzbansal) [SIG Node and Testing]
Metrics: Excluded dryRun requests from apiserver_request_sli_duration_seconds. (#131092, @aldudko) [SIG API Machinery and Instrumentation]
Migrated validation in resource.k8s.io to declarative validation. When the DeclarativeValidation feature gate is enabled, mismatches with existing validation are reported via metrics. when DeclarativeValidationTakeover feature gate is enabled, declarative validation becomes the primary source of errors for migrated fields. (#134072, @yongruilin) [SIG API Machinery, Apps and Auth]
Moved the Pod Certificates feature to beta. Added UserAnnotations to the PodCertificateProjection API and UnverifiedUserAnnotations to the PodCertificateRequest API. The PodCertificateRequest feature gate remains disabled by default and requires enabling the v1beta1 certificates API groups. (#134790, @yt2985) [SIG Auth, Instrumentation and Testing]
Promoted ImageGCMaximumAge to stable. (#134736, @haircommander) [SIG Node and Testing]
Promoted InPlacePodVerticalScaling to GA. (#134949, @natasha41575) [SIG API Machinery, Node and Scheduling]
Promoted kubectl command headers to stable. (#134777, @soltysh) [SIG CLI and Testing]
Promoted the EnvFiles feature gate to beta and is enabled by default. Additionally, the syntax specification for environment variables has been restricted to a subset of POSIX shell syntax (all variable values must be wrapped in single quotes). (#134414, @HirazawaUi) [SIG Node and Testing]
Promoted the HostnameOverride feature gate to beta and enabled it by default. (#134729, @HirazawaUi) [SIG Network and Node]
Promoted the KubeletCrashLoopBackOffMax feature gate to beta and enabled it by default. (#135044, @hankfreund)
Selected a single device class deterministically when multiple device classes were available for an extended resource. (#135037, @yliaog) [SIG Node, Scheduling and Testing]
The JWT authenticator in kube-apiserver now reports the following metrics when the StructuredAuthenticationConfiguration feature gate is enabled:
- apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds
- apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info. (#123642, @aramase) [SIG API Machinery, Auth and Testing]
The scheduler now clears the nominatedNodeName field for Pods upon scheduling or binding failure. External components, such as Cluster Autoscaler and Karpenter, should not overwrite this field. (#135007, @ania-borowiec) [SIG Scheduling and Testing]
Updated applyconfiguration-gen to generate extract functions for all subresources. (#132665, @mrIncompetent)
Updated applyconfiguration-gen to preserve struct and field comments from source types in the generated code. (#132663, @mrIncompetent)
Updated kubectl describe pods to include the involved object’s fieldPath (e.g., container name) in event messages, providing better context for debugging multi-container Pods. Note: This changes the previous message format for events that include a fieldPath. (#133627, @itzPranshul)
Updated sandbox ordering to use by attempt count or creation time. (#130551, @yylt)
Updated the Kubernetes build to use Go 1.25.4. (#135187, @BenTheElder)
Updated underlying images and dependencies to be compatible with Go version1.25.3. (#134611, @cpanato) [SIG Architecture, Cloud Provider, Etcd, Release, Storage and Testing]
kubeadm: Added a preflight check ContainerRuntimeVersion to validate if the installed container runtime supports the RuntimeConfig gRPC method. If unsupported, kubeadm prints a warning message.
Starting with Kubernetes v1.36, kubelet might refuse to start if the CRI runtime does not support this feature. More information can be found at the Kubernetes blog. (#134906, @carlory)
Kubernetes is now built using Go 1.25.5. (#135609, @cpanato) [SIG Release and Testing]

Documentation

Promoted the --chunk-size flag to stable. The kubectl describe, get, drain, and events commands can use --chunk-size flag to set chunk size. (#134481, @soltysh)

Bug or Regression

Added support for Pods to reference the same PersistentVolumeClaim across multiple volumes. (#122140, @huww98) [SIG Node, Storage and Testing]
Added support for the ShareID field of the DRAConsumableCapacity feature in the Kubelet Plugin API. (#134520, @sunya-ch) [SIG Node and Testing]
Added the correct error when eviction is blocked due to the failSafe mechanism of the DisruptionController. (#133097, @kei01234kei) [SIG Apps and Node]
Changed kubectl exec syntax to require -- before the command. The form kubectl exec [POD] [COMMAND] is no longer supported; use kubectl exec [POD] -- [COMMAND] instead. (#133841, @yangjunmyfm192085)
DRA API: Fixed the tolerations field in exact and sub requests to drop properly when the DRADeviceTaints API is disabled. (#132927, @pohly)
DRA Device Taints: Fixed toleration of NoExecute. Prior to this enhancement, tolerating a NoExecute did not work because the scheduler did not inform the eviction controller about the toleration, so the scheduled pod got evicted almost immediately. (#134479, @pohly) [SIG Apps, Node, Scheduling and Testing]
Deprecated metrics will be hidden as per the metrics deprecation policy. https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecating-a-metric . (#133436, @richabanker) [SIG Architecture, Instrumentation and Network]
Disabled the SchedulerAsyncAPICalls feature gate to mitigate a bug where its interaction with asynchronous preemption could degrade kube-scheduler performance, especially under high kube-apiserver load. (#134400, @macsko)
Dropped DeviceBindingConditions fields when the DRADeviceBindingConditions feature gate is not enabled and not in use. (#134964, @sunya-ch)
Extended resources requested by initContainers which are allocated using an automatic ResourceClaim now match the behavior of legacy device plugins, reusing the same resources requested by later sidecar initContainers or regular containers when possible, to minimize the total number of devices requested by the pod. (#134882, @yliaog) [SIG Apps, CLI, Node, Scheduling and Testing]
Fixed SELinux warning controller not emitting events on some SELinux label conflicts. (#133425, @jsafrane) [SIG Apps, Storage and Testing]
Fixed replicaCount calculation exceeding max int32. (#126979, @omerap12) [SIG Apps and Autoscaling]
Fixed a Windows kube-proxy (winkernel) issue where stale RemoteEndpoints remained when a Deployment was referenced by multiple Services due to premature clearing of the terminatedEndpoints map. (#135146, @princepereira) [SIG Network and Windows]
Fixed a bug in ValidatingAdmissionPolicy where schemas with additionalProperties: true could cause the kube-controller-manager to crash with a nil pointer exception. (#135155, @jpbetz)
Fixed a bug in kube-proxy nftables mode (GA as of v1.33) which fails to determine if traffic originates from a local source on the node. The issue was caused by using the wrong meta iif instead of iifname for name based matches. (#134024, @jack4it)
Fixed a bug in kube-scheduler where pending pod preemption caused preemptor pods to be retried more frequently. (#134245, @macsko) [SIG Scheduling and Testing]
Fixed a bug that caused apiservers to send an inappropriate Content-Type request header to authorization, token authentication, imagepolicy admission, and audit webhooks when the alpha client-go feature gate "ClientsPreferCBOR" is enabled. (#132960, @benluddy) [SIG API Machinery and Node]
Fixed a bug that caused duplicate validation when updating PersistentVolumeClaims, VolumeAttachments and VolumeAttributesClasses. (#132549, @gavinkflam)
Fixed a bug that caused duplicate validation when updating Role and RoleBinding resources. (#132550, @gavinkflam)
Fixed a bug that prevented allocating the same device that was previously consuming the CounterSet when both DRAConsumableCapacity and DRAPartitionableDevices were enabled. (#134103, @sunya-ch)
Fixed a bug that prevents scheduling the next pod when using the DRAConsumableCapacity feature. (#133706, @sunya-ch)
Fixed a bug to prevent segmentation fault from occurring when updating deeply nested JSON fields. (#134381, @kon-angelo) [SIG API Machinery and CLI]
Fixed a bug where 64-bit IPv6 ServiceCIDRs allocated addresses outside the subnet range. (#134193, @hoskeri)
Fixed a bug where Job status updates fail after resuming a Job that was previously started and suspended. The error message was: status.startTime: Required value: startTime cannot be removed for unsuspended job. (#134769, @dejanzele) [SIG Apps and Testing]
Fixed a bug where AllocationMode: All would not succeed if a resource pool contained ResourceSlices that were not targeting the current node. (#134466, @mortent)
Fixed a bug where a deleted Pod in the binding phase continued to occupy space on the node in kube-scheduler. (#134157, @macsko) [SIG Scheduling and Testing]
Fixed a bug where high latency kube-apiserver caused scheduling throughput degradation. (#134154, @macsko)
Fixed a bug where the health of a DRA resource was not reported in the Pod status if the resource claim was generated from a template or used a different local name in the Pod spec. (#134875, @Jpsassine) [SIG Node and Testing]
Fixed a long-standing issue where kubelet rejected Pods with NodeAffinityFailed due to a stale informer cache. (#134445, @natasha41575)
Fixed a panic in kubectl api-resources that occurred when the Discovery Client failed. (#134833, @rikatz)
Fixed a possible data race during metrics registration. (#134390, @liggitt) [SIG Architecture and Instrumentation]
Fixed a spurious namespace not found error in default v1.30+ configurations when using ValidatingAdmissionPolicy or MutatingAdmissionPolicy to intercept namespaced objects in newly-created namespaces. (#135359, @liggitt)
Fixed a startup probe race condition that caused main containers to remain stuck in "Initializing" state when sidecar containers with startup probes had failed initially but succeeded on restart in pods with restartPolicy=Never. (#133072, @AadiDev005) [SIG Node and Testing]
Fixed an issue in asynchronous preemption: Scheduler now checks if preemption is ongoing for a Pod before initiating new preemption calls. (#134730, @ania-borowiec) [SIG Scheduling and Testing]
Fixed an issue that prevented restart policies and restart rules from being applied to static pods. (#135031, @yuanwang04)
Fixed an issue where requests for a config FromClass in the ResourceClaim status were not referenced. (#134793, @LionelJouin)
Fixed an issue where the kubelet /configz endpoint reported an incorrect value for kubeletconfig.cgroupDriver when the cgroup driver setting was received from the container runtime. (#134743, @marquiz)
Fixed an issue where the default serviceCIDR controller did not log events because the event broadcaster was shutdown during initialization. (#133338, @aojea)
Fixed an issue with setting distinctAttribute=nil when the DRAConsumableCapacity feature gate is disabled. (#134962, @sunya-ch)
Fixed broken shell completion for API resources. (#133771, @marckhouzam)
Fixed incorrect behavior of preemptor pod when preemption of the victim takes long to complete. The preemptor pod should not be circling in scheduling cycles until preemption is finished. (#134294, @ania-borowiec) [SIG Scheduling and Testing]
Fixed missing kubelet_volume_stats_* metrics. (#133890, @huww98) [SIG Instrumentation and Node]
Fixed occasional schedule delays when a static PersistentVolume is created. (#133929, @huww98) [SIG Scheduling and Storage]
Fixed resource claims deallocation for extended resource when Pod completes. (#134312, @alaypatel07) [SIG Apps, Node and Testing]
Fixed the kubelet to honor the userNamespaces.idsPerPod configuration, which was previously ignored. (#133373, @AkihiroSuda) [SIG Node and Testing]
Fixed the replacement tag in APIs so it no longer acted as a selector for storage version. (#135197, @Jefftree)
Fixed validation error when ConfigFlags includes CertFile and/or KeyFile while the original configuration also contains CertFileData and/or KeyFileData. (#133917, @n2h9) [SIG API Machinery and CLI]
Improved performance of Endpoint and EndpointSlice controllers when there are a large number of services in a single namespace by making pod-to-service lookup asynchronous. (#134739, @shyamjvs) [SIG Apps and Network]
Improved the FreeDiskSpaceFailed warning event to provide more actionable details when image garbage collection fails to free enough disk space. Example: Insufficient free disk space on the node's image filesystem (95.0% of 10.0 GiB used). Failed to free sufficient space by deleting unused images. Consider resizing the disk or deleting unused files.. (#132578, @drigz)
Introduced support for using an implicit extended resource name derived from the device class (deviceclass.resource.kubernetes.io/<device-class-name>) to request DRA devices matching that class. (#133363, @yliaog) [SIG Node, Scheduling and Testing]
Kube-apiserver: Fixed a v1.34 regression with spurious "Error getting keys" log messages. (#133817, @serathius) [SIG API Machinery and Etcd]
Kube-apiserver: Fixed a possible v1.34 performance regression calculating object size statistics for resources not served from the watch cache, typically only Events. (#133873, @serathius) [SIG API Machinery and Etcd]
Kube-apiserver: Improved validation error messages for custom resources with CEL validation rules to include the value that failed validation. (#132798, @cbandy)
Kube-apiserver: Made sure that when --requestheader-client-ca-file and --client-ca-file contain overlapping certificates, --requestheader-allowed-names must be specified so that regular client certificates cannot set authenticating proxy headers for arbitrary users. (#131411, @ballista01) [SIG API Machinery, Auth and Security]
Kube-apiserver: Resolved an issue causing unnecessary warning log messages about enabled alpha APIs during API server startup. (#135327, @michaelasp)
Kube-controller-manager: Fixed a possible data race in the garbage collection controller. (#134379, @liggitt) [SIG API Machinery and Apps]
Kube-controller-manager: Resolved potential issues handling pods with incorrect uids in their ownerReference. (#134654, @liggitt)
Kubeadm: Added missing cluster-info context validation to prevent panics when the user has a malformed kubeconfig in the cluster-info ConfigMap that excludes a valid current context. (#134715, @neolit123)
Kubeadm: Ensured waiting for apiserver uses a local client that doesn't reach to the control plane endpoint and instead reaches directly to the local API server endpoint. (#134265, @neolit123)
Kubeadm: Fixed KUBEADM_UPGRADE_DRYRUN_DIR not honored in upgrade phase when writing kubelet config files. (#134007, @carlory)
Kubeadm: Fixed a bug where ClusterConfiguration.APIServer.TimeoutForControlPlane from v1beta3 was not respected in newer kubeadm versions where v1beta4 is the default. (#133513, @tom1299)
Kubeadm: Fixed a bug where the node registration information for a given node was not fetched correctly during kubeadm upgrade node and the node name can end up being incorrect in cases where the node name is not the same as the host name. (#134319, @neolit123)
Kubeadm: Fixed a preflight check that could fail hostname construction in IPv6 setups. (#134588, @liggitt) [SIG API Machinery, Auth, Cloud Provider, Cluster Lifecycle and Testing]
Kubelet: Fixed a concurrent map write error when creating a pod with an empty volume while the LocalStorageCapacityIsolationFSQuotaMonitoring feature gate is enabled. (#135174, @carlory)
Kubelet: Fixed an internal deadlock that caused the connection to a DRA driver to become unusable after being idle for 30 minutes. (#133926, @pohly)
Made legacy watch calls (ResourceVersion = 0 or unset) that generate init-events weigh higher in API Priority and Fairness (APF) seat usage. Properly accounting for their cost protects the API server from CPU overload. Users might see increased throttling of such calls as a result. (#134601, @shyamjvs)
Namespace is now included in the --dry-run=client output for HorizontalPodAutoscaler (HPA) objects. (#134263, @ardaguclu) [SIG CLI and Testing]
Populated involvedObject.apiVersion on Events created for Nodes and Pods. (#134545, @novahe) [SIG Cloud Provider, Network, Node, Scalability and Testing]
Promoted VAC API test to conformance. (#133615, @carlory) [SIG Architecture, Storage and Testing]
Removed BlockOwnerDeletion from ResourceClaim created from ResourceClaimTemplate and from extendedResourceClaim created by the scheduler. (#134956, @yliaog) [SIG Apps, Node and Scheduling]
Removed an incorrect SessionAffinity warning that appeared when a headless service was created or updated. (#134054, @Peac36)
Slow container runtime initialization no longer causes the System WatchDog to kill the kubelet. The Device Manager was treated as unhealthy until it began listening on its port. (#135153, @SergeyKanzhelev)
Typed workqueue now cleans up goroutines before shutting down (#135072, @Jefftree) [SIG API Machinery]
Updated kubectl scale to return a consistent error message when a specified resource is not found. Previously, it returned: error: no objects passed to scale <GroupResource> "<ResourceName>" not found. It now matches the format used by other commands (e.g., kubectl get): Error from server (NotFound): <GroupResource> "<ResourceName>" not found. (#134017, @mochizuki875)
kube-controller-manager: Fixed a v1.34 regression that triggered a spurious rollout of existing StatefulSets when upgrading the control plane from v1.33 to v1.34. This fix is guarded by the StatefulSetSemanticRevisionComparison feature gate, which is enabled by default. (#135017, @liggitt)
kube-scheduler: Pod statuses no longer include specific taint keys or values when scheduling fails due to untolerated taints. (#134740, @hoskeri)
Fixes a bug where MutatingAdmissionPolicy would fail to apply to objects with duplicate list items (like env vars). (#135560, @lalitc375 [SIG API Machinery]
K8s.io/client-go: Fixes a regression in 1.34+ which prevented informers from using configured Transformer functions. (#135580, @serathius [SIG API Machinery]

Other (Cleanup or Flake)

Added the Step field to the testing framework to allow volume expansion in configurable step sizes for tests. (#134760, @Rishita-Golla) [SIG Storage and Testing]
Bumped addon manager to use kubectl version v1.32.2. (#130548, @Jefftree) [SIG Cloud Provider, Scalability and Testing]
Dropped support for certificates/v1beta1 CertificateSigningRequest in kubectl. (#134782, @scaliby)
Dropped support for discovery/v1beta1 EndpointSlice in kubectl. (#134913, @scaliby)
Dropped support for networking/v1beta1 Ingress in kubectl. (#135108, @scaliby)
Dropped support for networking/v1beta1 Ingress in kubectl. (#135176, @scaliby)
Dropped support for policy/v1beta1 PodDisruptionBudget in kubectl. (#134685, @scaliby)
Eliminated and prevented future use of the md5 algorithm in favor of more appropriate hashing algorithms. (#133511, @BenTheElder) [SIG Apps, Architecture, CLI, Cluster Lifecycle, Network, Node, Security, Storage and Testing]
Fixed nfacct test cases on s390x. (#133603, @saisindhuri91)
Fixed formatting of various Go API deprecations for GoDoc and pkgsite, and enabled a linter to detect misformatted deprecations. (#133571, @BenTheElder) [SIG API Machinery, Architecture, CLI, Instrumentation and Testing]
Improved HPA performance when using container-specific resource metrics by optimizing container lookup logic to exit early once the target container is found, reducing unnecessary iterations through all containers in a pod. (#133415, @AadiDev005) [SIG Apps and Autoscaling]
Increased the coverage to 89.8%. (#132607, @ylink-lfs)
Kube-apiserver: Fixed an issue where passing invalid DeleteOptions incorrectly returned a 500 status instead of 400. (#133358, @ostrain)
Kubeadm: Updated the supported etcd version to v3.5.23 for supported control plane versions v1.31, v1.32, and v1.33. (#134692, @joshjms) [SIG Cluster Lifecycle and Etcd]
Kubeadm: stopped applying the --pod-infra-container-image flag for the kubelet. The flag has been deprecated and no longer served a purpose in the kubelet as the logic was migrated to CRI (Container Runtime Interface). During upgrade, kubeadm will attempt to remove the flag from the file /var/lib/kubelet/kubeadm-flags.env. (#133778, @carlory) [SIG Cloud Provider and Cluster Lifecycle]
Migrated the CPUManager to contextual logging. (#125912, @ffromani)
Moved Types in k/k/pkg/scheduler/framework: Handle, Plugin, PreEnqueuePlugin, QueueSortPlugin, EnqueueExtensions, PreFilterExtensions, PreFilterPlugin, FilterPlugin, PostFilterPlugin, PreScorePlugin, ScorePlugin, ReservePlugin, PreBindPlugin, PostBindPlugin, PermitPlugin, BindPlugin, PodActivator, PodNominator, PluginsRunner, LessFunc, ScoreExtensions, NodeToStatusReader, NodeScoreList, NodeScore, NodePluginScores, PluginScore, NominatingMode, NominatingInfo, WaitingPod, PreFilterResult, PostFilterResult, Extender, NodeInfoLister, StorageInfoLister, SharedLister, ResourceSliceLister, DeviceClassLister, ResourceClaimTracker, SharedDRAManager
to package k8s.io/kube-scheduler/framework. Users should update import paths. The interfaces don't change.
Type Parallelizer in k/k/pkg/scheduler/framework/parallelism has been split into interface Parallelizer (in k8s.io/kube-scheduler/framework) and struct Parallelizer (location unchanged in k/k). Plugin developers should update the import path to staging repo. (#133172, @ania-borowiec) [SIG Node, Release, Scheduling, Storage and Testing]
Moved the CPU Manager static policy option strict-cpu-reservation to the GA version. (#134388, @psasnal)
Promoted the Topology Manager policy option max-allowable-numa-nodes to GA version. (#134614, @ffromani)
Reduced event spam during volume operation errors in the Portworx in-tree driver. (#135081, @gohilankit)
Removed rsync as a dependency to build Kubernetes. (#134656, @BenTheElder) [SIG Release and Testing]
Removed container name from messages for container created and started events. (#134043, @HirazawaUi)
Removed deprecated gogo protocol definitions from k8s.io/kubelet/pkg/apis/dra in favor of google.golang.org/protobuf. (#133026, @saschagrunert) [SIG API Machinery and Node]
Removed general available feature-gate SizeMemoryBackedVolumes. (#133720, @carlory) [SIG Node, Storage and Testing]
Removed the ComponentSLIs feature gate, as it was promoted to stable in the Kubernetes v1.32 release. (#133742, @carlory) [SIG Architecture and Instrumentation]
Removed the KUBECTL_OPENAPIV3_PATCH environment variable, as aggregated discovery has been stable since v1.30. (#134130, @ardaguclu)
Removed the UserNamespacesPodSecurityStandards feature gate. The minimum supported Kubernetes version for kubelet is now v1.31, so the gate is no longer needed. (#132157, @haircommander) [SIG Auth, Node and Testing]
Removed the VolumeAttributesClass resource from the storage.k8s.io/v1alpha1 API in v1.35. (#134625, @liggitt) [SIG API Machinery, Etcd, Storage and Testing]
Specified the deprecated version of apiserver_storage_objects metric in metrics docs. (#134028, @richabanker) [SIG API Machinery, Etcd and Instrumentation]
Substantially simplified building Kubernetes by making the process run a pre-built container image directly without running rsyncd. (#134510, @BenTheElder) [SIG Release and Testing]
Tests: Switched to https://go.dev/doc/go1.25#container-aware-gomaxprocs from go.uber.org/automaxprocs. (#133492, @BenTheElder)
The AggregatedDiscoveryRemoveBetaType feature gate was deprecated and locked to true. (#134230, @Jefftree)
The SystemdWatchdog feature gate has been locked to default and will be removed in future release. The systemd watchdog functionality in kubelet can be enabled via systemd without any feature gate configuration. See the systemd watchdog documentation for more information. (#134691, @SergeyKanzhelev)
Updated CNI plugins to v1.8.0. (#133837, @saschagrunert) [SIG Cloud Provider, Node and Testing]
Updated etcd to v3.6.5. (#134251, @joshjms) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
Updated kubectl auth reconcile to retry reconciliation when a conflict error occurs. (#133323, @liggitt) [SIG Auth and CLI]
Updated kubectl get and kubectl describe human-readable output to no longer show counts for referenced tokens and secrets. (#117160, @liggitt) [SIG CLI and Testing]
Updated cri-tools to v1.34.0. (#133636, @saschagrunert) [SIG Cloud Provider]
Updated the Go version of Kubernetes to 1.25.3. (#134598, @BenTheElder)
Updated the /statusz page for kube-proxy to include a list of exposed endpoints, making debugging and introspection easier. (#133190, @aman4433) [SIG Network and Node]
Updated the kubectl wait command description by removing the Experimental prefix, as the command has been stable for a long time. (#133731, @ardaguclu)
Updated the etcd client library to v3.6.5. (#134780, @joshjms) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
Updated the short description of the kubectl wait command by removing the Experimental prefix, as the command has been stable for a long time. (#133907, @ardaguclu)
Upgraded CoreDNS to v1.12.4. (#133968, @yashsingh74) [SIG Cloud Provider and Cluster Lifecycle]
Upgraded CoreDNS to v1.12.3. (#132288, @thevilledev) [SIG Cloud Provider and Cluster Lifecycle]
kubeadm: Removed the WaitForAllControlPlaneComponents feature gate, which graduated to GA in v1.34 and was locked to enabled by default. (#134781, @neolit123)
kubeadm: Updated the supported etcd version to v3.5.24 for control plane versions v1.32, v1.33, and v1.34. (#134779, @joshjms) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
etcd: Update etcd to v3.6.6`. (#135271, @bzsuni) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
Fix a bug in the kube-apiserver where a malformed Service without name can cause high CPU usage. The bug is present on the new Cluster IP allocators enabled with the feature MultiCIDRServiceAllocator (enabled by default since 1.33)

Dependencies

Added

Changed

cloud.google.com/go/compute/metadata: v0.6.0 → v0.7.0
github.com/aws/aws-sdk-go-v2/config: v1.27.24 → v1.29.14
github.com/aws/aws-sdk-go-v2/credentials: v1.17.24 → v1.17.67
github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.16.9 → v1.16.30
github.com/aws/aws-sdk-go-v2/internal/configsources: v1.3.13 → v1.3.34
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.6.13 → v2.6.34
github.com/aws/aws-sdk-go-v2/internal/ini: v1.8.0 → v1.8.3
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.11.3 → v1.12.3
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.11.15 → v1.12.15
github.com/aws/aws-sdk-go-v2/service/sso: v1.22.1 → v1.25.3
github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.26.2 → v1.30.1
github.com/aws/aws-sdk-go-v2/service/sts: v1.30.1 → v1.33.19
github.com/aws/aws-sdk-go-v2: v1.30.1 → v1.36.3
github.com/aws/smithy-go: v1.20.3 → v1.22.3
github.com/containerd/containerd/api: v1.8.0 → v1.9.0
github.com/containerd/ttrpc: v1.2.6 → v1.2.7
github.com/containerd/typeurl/v2: v2.2.2 → v2.2.3
github.com/coredns/corefile-migration: v1.0.26 → v1.0.29
github.com/cyphar/filepath-securejoin: v0.4.1 → v0.6.0
github.com/docker/docker: v26.1.4+incompatible → v28.2.2+incompatible
github.com/go-logr/logr: v1.4.2 → v1.4.3
github.com/google/cadvisor: v0.52.1 → v0.53.0
github.com/google/pprof: d1b30fe → 27863c8
github.com/onsi/ginkgo/v2: v2.21.0 → v2.27.2
github.com/onsi/gomega: v1.35.1 → v1.38.2
github.com/opencontainers/cgroups: v0.0.1 → v0.0.3
github.com/opencontainers/runc: v1.2.5 → v1.3.0
github.com/opencontainers/runtime-spec: v1.2.0 → v1.2.1
github.com/opencontainers/selinux: v1.11.1 → v1.13.0
github.com/prometheus/client_golang: v1.22.0 → v1.23.2
github.com/prometheus/client_model: v0.6.1 → v0.6.2
github.com/prometheus/common: v0.62.0 → v0.66.1
github.com/prometheus/procfs: v0.15.1 → v0.16.1
github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
github.com/spf13/cobra: v1.9.1 → v1.10.0
github.com/spf13/pflag: v1.0.6 → v1.0.9
github.com/stretchr/testify: v1.10.0 → v1.11.1
go.etcd.io/bbolt: v1.4.2 → v1.4.3
go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
go.opentelemetry.io/otel/metric: v1.35.0 → v1.36.0
go.opentelemetry.io/otel/sdk/metric: v1.34.0 → v1.36.0
go.opentelemetry.io/otel/sdk: v1.34.0 → v1.36.0
go.opentelemetry.io/otel/trace: v1.35.0 → v1.36.0
go.opentelemetry.io/otel: v1.35.0 → v1.36.0
go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
golang.org/x/crypto: v0.36.0 → v0.45.0
golang.org/x/mod: v0.21.0 → v0.29.0
golang.org/x/net: v0.38.0 → v0.47.0
golang.org/x/oauth2: v0.27.0 → v0.30.0
golang.org/x/sync: v0.12.0 → v0.18.0
golang.org/x/sys: v0.31.0 → v0.38.0
golang.org/x/telemetry: bda5523 → 078029d
golang.org/x/term: v0.30.0 → v0.37.0
golang.org/x/text: v0.23.0 → v0.31.0
golang.org/x/tools: v0.26.0 → v0.38.0
google.golang.org/genproto/googleapis/rpc: a0af3ef → 200df99
google.golang.org/grpc: v1.72.1 → v1.72.2
google.golang.org/protobuf: v1.36.5 → v1.36.8
gopkg.in/evanphx/json-patch.v4: v4.12.0 → v4.13.0
k8s.io/gengo/v2: 85fd79d → ec3ebc5
k8s.io/kube-openapi: f3f2b99 → 589584f
k8s.io/system-validators: v1.10.1 → v1.12.1
k8s.io/utils: 4c0f3b2 → bc988d5
sigs.k8s.io/json: cfa47c3 → 2d32026

Removed

gopkg.in/yaml.v2: v2.4.0

Contributors, the CHANGELOG-1.35.md has been bootstrapped with v1.35.0 release notes and you may edit now as needed.