Kubeflow
26.03AI & MLKubeflow 26.03 is a manifests and version-alignment release that bumps most core platform components (Kubernetes 1.34+, Knative 1.20, Istio 1.29.0, cert-manager 1.19.4, oauth2-proxy 7.14.3, Dex 2.45.0, KFP 2.16.0, KServe 0.16.0, spark-operator 2.5.0) while tightening pod security enforcement to baseline and hardening network policies across core namespaces. Teams enforcing stricter PSS restricted policies should check Kubeflow Pipelines compatibility before upgrading.
breakingPod security standard default raised to baseline
Pod security enforcement across the manifests now defaults to the baseline profile rather than the prior looser setting. Review any workloads that relied on unrestricted pod security contexts before upgrading.
breakingNetwork policies tightened across core namespaces
Network policies for cert-manager, knative-serving, istio-system, dex, and oauth2-proxy have been tightened. Verify cross-namespace traffic still flows as expected after applying the new manifests, since previously permitted connections may now be blocked.
breakingKFP v1/v2 compatibility gap under PSS restricted
Kubeflow Pipelines v1 and v2 may not run cleanly in namespaces enforcing the PSS restricted profile. If you enforce restricted PSS on pipeline namespaces, test KFP workloads before rolling this out broadly.
Key changes (8)
- Pod security enforcement default raised to baseline, and network policies tightened for cert-manager, knative-serving, istio-system, dex, and oauth2-proxy
- Known compatibility gap: KFP v1/v2 pipelines may degrade under PSS restricted enforcement
- Core platform components bumped: Kubernetes 1.34+ support, Knative 1.20.0, Istio 1.29.0, cert-manager 1.19.4, oauth2-proxy 7.14.3, Dex 2.45.0
- ML platform components bumped: KFP manifests to 2.16.0, KServe to 0.16.0 (models web app 0.16.1), model-registry through 0.3.7, spark-operator 2.5.0, katib Helm chart 0.19.0
- Istio topology preference changed from PreferClose to PreferSameZone for Kubernetes 1.34 compatibility
- Knative PodDisruptionBudgets updated to allow node drain during in-place updates
- Installation simplified with automatic Kustomize/Kubectl version matching and SHA256 verification for installers, plus expanded KServe auth/authz and non-knative deployment test coverage
- Documentation refreshed for server-side apply workflows and ARM64/aarch64 support notes