RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: KubernetesClear ×

Kubernetes

Kubernetes CoreJun 12, 2026

Kubernetes v1.36.2 is a patch release fixing critical bugs in Dynamic Resource Allocation (DRA) scheduler, CSI volume republishing, and endpoint controller, plus a Go 1.26.4 build update.

  • securityBinary non-UTF8 Secret data in container env vars now handled correctly

    Kubernetes 1.34+ had a regression where containers could not properly read environment variables set from Secret API objects containing binary non-UTF8 data. This is fixed in 1.36.2. If your workloads use non-text Secret data in environment variables, upgrade to prevent decode errors or silent failures.

  • breakingDRA device allocation bug affects multi-device workloads

    Kubernetes 1.36.0–1.36.1 has a scheduler bug that assigns mutually exclusive device partitions to multiple Pods when drivers use SharedCounters with multi-allocatable devices. This can cause workload failures, device conflicts, crashes, or data loss. If you use DRA with multi-allocatable devices (especially GPUs or custom accelerators with shared counters), upgrade to 1.36.2 immediately. Review recent Pod scheduling decisions for conflicts.

  • enhancementCSI volume republish failures no longer corrupt mount state

    Kubelet was incorrectly deleting CSI mount directories when periodic NodePublishVolume calls (triggered by requiresRepublish=true) failed, leaving pods with stale volume content. This is fixed in 1.36.2. If you run CSI drivers with requiresRepublish=true, this patch eliminates a data consistency risk—upgrade to prevent potential data issues on transient network or storage errors.

Key changes (7)
  • Built with Go 1.26.4 for improved runtime stability
  • Fixed DRA scheduler bug that could assign mutually exclusive device partitions to multiple Pods, risking workload failures or data loss
  • Fixed kube-scheduler panic when DRA ResourceClaim with allocationMode: All selects shared counter devices
  • Fixed kubelet incorrectly deleting CSI mount directories on periodic NodePublishVolume errors, leaving stale volume content
  • Fixed regression where suspended Job spec modifications were rejected if JobSuspended condition was not yet set
  • Fixed endpoint controller panic on services with empty IPFamilies field
  • Fixed container environment variable handling for binary non-UTF8 data from Secrets
Source

Kubernetes

Kubernetes CoreJun 12, 2026

Kubernetes v1.35.6 fixes critical issues in pod scheduling with multi-node claims, DRA device selection, CSI volume republishing, and endpoint handling; includes a Go runtime upgrade and performance improvements.

  • securitySecret binary data in environment variables now handled correctly

    A 1.34+ regression broke environment variable injection from Secrets containing non-UTF8 binary data (e.g., certificates, keys in base64-encoded Secrets). If you inject Secrets as env vars and those Secrets contain binary data, upgrade to v1.35.6. Test this quickly if you run database credentials or keys via Secrets—the bug may have silently broken injection.

  • breakingUpgrade Go runtime to 1.25.11 in your build pipeline

    Kubernetes v1.35.6 is built with Go 1.25.11. If you run custom controllers or operators on the same Go version, verify compatibility and rebuild. If your CI/CD locks Go versions, update your build configuration. This is standard but must be done; old Go versions may have security gaps you're inheriting.

  • enhancementDRA scheduling and CSI republishing now reliable for dynamic resource allocation

    Three bugs are fixed: (1) scheduler no longer panics on DRA ResourceClaim with AllocationMode All and shared counters; (2) pods using multi-node and per-node claims no longer deadlock in Pending; (3) kubelet no longer deletes CSI mount directories on transient NodePublishVolume errors, preventing stale volume data. If you use DRA (dynamic resource allocation) or CSI with republish enabled, this release eliminates previously deadlocking scenarios. Upgrade to clear stuck pods and prevent future hangs.

Key changes (6)
  • Upgraded to Go 1.25.11 for runtime stability and security patches
  • Fixed pod scheduling deadlock when using both multi-node and per-node DRA claims
  • Fixed kube-scheduler panic with DRA ResourceClaim AllocationMode consuming shared counters
  • Fixed kubelet deleting CSI mount directories on periodic NodePublishVolume failures, causing stale volumes
  • Fixed endpoint controller panic on services with empty IPFamilies field (pre-dual-stack services)
  • Fixed environment variable handling for Secret objects containing binary non-UTF8 data
Source

Kubernetes

Kubernetes CoreJun 12, 2026

Kubernetes v1.34.9 fixes volume handling in CSI mounts, binary secret data in containers, endpoint controller panics, and kubeadm certificate handling. Go 1.25.11 build improves runtime performance.

  • breakingUpgrade kubelet if running CSI drivers with requiresRepublish enabled

    A 1.34+ regression caused kubelet to delete CSI mount directories on republish failures, stranding pods with stale volume data. If you run CSI drivers with spec.requiresRepublish=true, upgrade immediately. Check your CSI driver specs and watch for failed republish attempts in kubelet logs before upgrading to confirm you hit this bug.

  • breakingTest binary Secret injection in container environment variables

    v1.34 broke environment variable parsing for containers referencing Secrets with binary (non-UTF8) data. If your workloads inject Secret data into environment variables, test them after upgrading. Check application startup logs for parsing errors; you may need to base64-encode binary Secret values instead.

  • enhancementUpdate Go runtime for performance and security

    v1.34.9 uses Go 1.25.11, which includes runtime optimizations and security patches. Upgrade when you next rotate your control plane and worker nodes. No code changes needed on your side, but the Go update may improve latency and reduce memory usage in your cluster.

Key changes (5)
  • Kubernetes now built with Go 1.25.11 for improved performance and security patches
  • Fixed kubelet CSI mount directory deletion that left pods with stale volume contents after republish errors
  • Fixed panic in endpoint controller when processing services with empty IPFamilies field
  • Fixed regression in container environment variable parsing when values reference Secrets containing binary non-UTF8 data
  • Kubeadm certificate dry-run mode now correctly copies existing CA files
Source

Kubernetes

Kubernetes CoreMay 12, 2026

Kubernetes v1.36.1 is a focused patch release fixing 8 bugs across networking, node, and cluster lifecycle — most impacting Windows environments, ZFS nodes, and kubeadm-managed clusters.

  • breakingZFS nodes: upgrade immediately if running v1.36.0

    kubelet fails to start on ZFS-backed nodes in v1.36.0 due to a missing cadvisor plugin. If you deployed v1.36.0 on ZFS storage, those nodes are likely not running. Patch to v1.36.1 before any further ZFS node rollouts.

  • breakingWindows L2Bridge users: DNS timeouts are fixed but require upgrade

    Stale HNS endpoints caused traffic to route to wrong nodes when pod IPs were reused, producing silent DNS failures. This is hard to diagnose and easy to misattribute to DNS config. If you run Windows nodes with L2Bridge networking, treat this as a high-priority patch.

  • enhancementkubeadm bootstrap is more resilient against slow load balancers

    Previously, kubeadm init could fail or behave unexpectedly when the control plane load balancer wasn't ready yet. The fix makes bootstrap use the local API endpoint first, then defer to the LB endpoint — a meaningful improvement for cloud environments where the LB provisions asynchronously. Worth upgrading before your next cluster init or upgrade cycle.

Key changes (5)
  • kubelet now starts correctly on ZFS nodes after a missing cadvisor plugin broke it in v1.36.0
  • Windows L2Bridge networks: stale HNS endpoint cleanup fixed, preventing DNS timeouts when pod IPs are reused across nodes
  • kube-proxy no longer triggers unnecessary full-sync operations in large clusters (1000+ endpoints)
  • kubeadm init now uses LocalAPIEndpoint instead of controlPlaneEndpoint during bootstrap, fixing timing issues with slow load balancers
  • kubeadm now uses a quorum-based etcd health check instead of requiring all members healthy, and assigns a dedicated ClusterRole for kube-apiserver's kubelet client
Source

Kubernetes

Kubernetes CoreMay 12, 2026

Kubernetes v1.35.5 is a focused patch release fixing scheduler state corruption, Windows networking, kube-proxy large-cluster behavior, and several kubeadm initialization issues.

  • breakingKubeadm users: review kubeconfig generation behavior after upgrade

    The kubeadm init change to use localAPIEndpoint for admin.conf and super-admin.conf is a behavioral fix, but clusters with custom controlPlaneEndpoint setups should validate that kubeconfigs are generated correctly after upgrading. If you rely on the controlPlaneEndpoint in generated configs for post-init tooling, test in staging first.

  • enhancementLarge clusters: upgrade kube-proxy to stop unnecessary full-syncs

    If you're running 1000+ endpoints, kube-proxy was previously triggering full-sync operations it shouldn't. This patch stops that. The fix directly reduces CPU and network overhead on busy clusters — upgrade kube-proxy as part of your next maintenance window.

  • enhancementScheduler memory leak fix — prioritize this patch if you see scheduling instability

    The scheduler bug with in-flight state tracking could cause unbounded growth in memory usage when pods with reused names fail scheduling repeatedly. If you've observed scheduling delays or growing scheduler memory consumption, this patch addresses the root cause directly.

Key changes (5)
  • Scheduler bug fixed: stale in-flight queue state when a Pod is replaced with the same name during a failed scheduling attempt, which could cause unbounded memory growth
  • Windows L2Bridge networking fix: stale HNS endpoint cleanup now prevents DNS timeouts when pod IPs are reused across nodes
  • Kube-proxy no longer triggers unnecessary full-sync operations in large clusters (1000+ endpoints), reducing control plane churn
  • Kubeadm init now uses localAPIEndpoint instead of controlPlaneEndpoint for admin kubeconfigs, fixing bootstrap failures behind slow load balancers
  • Kubeadm etcd health check now uses quorum-based logic instead of requiring all members healthy, improving upgrade resilience
Source

Kubernetes

Kubernetes CoreMay 12, 2026

v1.34.8 is a focused bug-fix patch addressing IPv6 CIDR allocation errors, a scheduler memory leak, Windows DNS routing failures, and several kubeadm cluster lifecycle issues.

  • securitykubeadm now uses a dedicated ClusterRole for kube-apiserver kubelet access

    The kube-apiserver's kubelet client is now bound to 'system:kubelet-api-admin' instead of a shared role. For kubeadm-managed clusters, re-running 'kubeadm init phase bootstrap-token' or upgrading via kubeadm will apply this change. Existing clusters upgraded in-place will get this tighter RBAC scoping automatically — verify with 'kubectl get clusterrolebinding' post-upgrade.

  • breakingIPv6 clusters: audit ServiceCIDR allocations before upgrading

    The 64-bit IPv6 ServiceCIDR bug means some clusters may have services with IPs that technically fall outside the configured subnet. After upgrading to v1.34.8, check whether any existing service IPs are out-of-range and consider recreating affected services. This primarily impacts clusters using /64 IPv6 service CIDRs.

  • enhancementLarge clusters: kube-proxy full-sync elimination reduces control plane pressure

    If you're running clusters with 1000+ endpoints, kube-proxy was performing expensive full-sync operations unnecessarily in large-cluster mode. This patch stops that. The benefit is lower CPU and latency spikes during endpoint churn. No config changes needed — upgrade and monitor kube-proxy CPU usage to confirm the improvement.

Key changes (5)
  • IPv6 ServiceCIDRs with 64-bit prefixes were allocating addresses outside the valid subnet range — now fixed
  • Scheduler could accumulate unbounded in-flight event state when a pod with the same name replaced a failed scheduling attempt, causing memory growth
  • Windows L2Bridge networks: stale HNS endpoints from reused pod IPs caused DNS timeouts by routing traffic to wrong nodes
  • kube-proxy no longer triggers unnecessary full-sync operations in large clusters (1000+ endpoints)
  • kubeadm init now uses LocalAPIEndpoint in kubeconfigs during bootstrap, avoiding failures with delayed load balancers; etcd health check now uses quorum logic instead of requiring all members healthy
Source

Kubernetes

Kubernetes CoreApr 22, 2026

Kubernetes v1.36 is a large release with multiple GA promotions, significant DRA expansions, new gang-scheduling APIs, and several metric renames that require immediate action before upgrading.

  • breakingUpdate monitoring before upgrading: two metric renames

    The metrics `volume_operation_total_errors` and `etcd_bookmark_counts` have been renamed to `volume_operation_errors_total` and `etcd_bookmark_total` respectively. Any Prometheus alerts or Grafana dashboards using the old names will silently stop firing after upgrade. Audit your monitoring stack and update all references before rolling out v1.36 to production.

  • breakingDRA RBAC changes required if using DRAResourceClaimGranularStatusAuthorization

    The `DRAResourceClaimGranularStatusAuthorization` feature gate is beta and on by default in v1.36. DRA schedulers and controllers now need explicit `update`/`patch` on `resourceclaims/binding`, and DRA drivers need `associated-node:update` or `arbitrary-node:update` on `resourceclaims/driver` scoped to their specific `resourceNames`. If you run DRA drivers, audit and update their RBAC manifests before upgrading, or pods will fail to schedule.

  • breakingflex-volume and git-repo volume plugin removals

    kubeadm no longer mounts the flex-volume plugin directory automatically, and the git-repo volume plugin is permanently disabled. If any workloads still use git-repo volumes, they will stop working — there's no flag to re-enable it. Migrate to an init container pattern or a CSI driver. For flex-volumes in kubeadm environments, you must manually configure extraVolumes and a non-distroless KCM image before upgrading to v1.36.

  • breakingStrictIPCIDRValidation on by default — check your IP/CIDR fields

    API fields now reject IPs with leading zeros (e.g., `010.0.0.1`) and CIDRs with host bits set (e.g., `192.168.1.5/24` instead of `192.168.1.0/24`). Existing objects are preserved via validation ratcheting, but new creates and updates will fail if they use these formats. Audit your manifests, Helm charts, and automation for non-canonical IP/CIDR values before upgrading.

  • enhancementMutatingAdmissionPolicy is now GA — consider replacing webhook boilerplate

    MutatingAdmissionPolicy (CEL-based mutation) is now v1 and enabled by default. If you're running simple mutating webhooks that set defaults or inject labels/annotations, this is a good time to evaluate replacing them with MutatingAdmissionPolicy resources. CEL-based policies eliminate the need to maintain webhook servers, certificates, and availability concerns. Start with low-risk, stateless mutations.

Key changes (7)
  • Two metric renames require dashboard/alert updates before upgrade: `volume_operation_total_errors` → `volume_operation_errors_total` and `etcd_bookmark_counts` → `etcd_bookmark_total`
  • flex-volume support removed from kubeadm; git-repo volume plugin disabled permanently — migrate to CSI if still using either
  • DRA gets major expansions: device taints/tolerations to beta, DRAAdminAccess and DRAPrioritizedList to GA, new list-type attributes, NativeResourceMappings, and granular RBAC for ResourceClaim status updates now required
  • UserNamespacesSupport graduates to GA; MutatingAdmissionPolicy reaches GA (v1) and is enabled by default
  • StrictIPCIDRValidation is now on by default — API fields reject IPs/CIDRs with leading zeros or ambiguous subnet masks
  • New scheduling.k8s.io/v1alpha2 Workload/PodGroup APIs introduced for gang-scheduling; v1alpha1 Workload API removed
  • InPlacePodLevelResourcesVerticalScaling graduates to beta (on by default), enabling in-place CPU/memory resize at the pod level
Source

Kubernetes

Kubernetes CoreApr 15, 2026

v1.33.11 is a targeted patch fixing two networking bugs — apiserver startup failures with MultiCIDRServiceAllocator and kube-proxy nftables breakage on nft 1.1.3 — plus a Go 1.25.9 compiler bump.

  • breakingUpgrade now if using MultiCIDRServiceAllocator with large clusters

    If you have MultiCIDRServiceAllocator enabled and a large namespace count, apiserver can fail to start during an upgrade — it was hitting Forbidden errors from admission plugins that weren't ready yet and not retrying. This patch makes that retry happen. If you've been deferring upgrades to 1.33 because of this, you're now unblocked. Check your apiserver logs for 'Forbidden' errors from the IP repair controller as a diagnostic signal.

  • breakingkube-proxy nftables mode is broken on nft 1.1.3 — patch immediately

    Systems running nft 1.1.3 (which ships in some recent distro releases) will have silently broken kube-proxy nftables mode. Traffic may appear to work at first but rule updates won't apply correctly. If your nodes run nft 1.1.3, either pin to an older nft version as a workaround or — better — upgrade to this patch release. Run 'nft --version' on your nodes to check.

  • enhancementOTel dependency jump to v1.41.0 — validate your observability pipeline

    The OpenTelemetry Go SDK went from v1.33.0 to v1.41.0 in this patch, which is a substantial version range. If you're consuming Kubernetes telemetry data or running sidecars that interact with the OTel SDK, verify compatibility with your collectors and backends after upgrading. No functional changes are documented for Kubernetes itself, but the jump is large enough to warrant a smoke test of your tracing and metrics pipelines in a non-prod environment first.

Key changes (5)
  • Go compiler updated to 1.25.9 (security and runtime improvements baked in)
  • Fixed apiserver startup crash during upgrades when MultiCIDRServiceAllocator is enabled in clusters with many namespaces — the IP repair controller now retries on Forbidden errors from not-yet-ready admission plugins
  • Fixed kube-proxy nftables mode compatibility with nft 1.1.3, which was silently broken
  • OpenTelemetry dependencies bumped from v1.33.0 to v1.41.0 — a large jump for observability consumers
  • knftables library updated from v0.0.17 to v0.0.21, directly tied to the nftables fix
Source

Kubernetes

Kubernetes CoreApr 15, 2026

v1.34.7 is a focused patch release fixing two regressions — audit log latency annotations and nftables kube-proxy compatibility — plus a Go 1.25.9 rebuild.

  • breakingAudit log latency data was silently missing — patch if you rely on it

    Any 1.34.x cluster prior to this patch has been dropping the request latency annotation from audit logs whenever a request exceeded 500ms. If your security or compliance tooling parses these annotations for SLO tracking or anomaly detection, your data has gaps. Upgrade to v1.34.7 and consider whether historical audit logs need to be flagged as incomplete for that window.

  • breakingnftables kube-proxy is broken on nft 1.1.3 — don't skip this patch

    Clusters running kube-proxy in nftables mode on nodes with nft 1.1.3 (common in newer distros like Fedora 42 or Ubuntu 25.04) have non-functional networking. This isn't a performance issue — it's a hard failure. Either pin nft to an older version as a workaround or upgrade to v1.34.7 immediately. The fix is in the knftables library bump (v0.0.17 → v0.0.21).

  • enhancementOTel dependency jump to v1.41.0 — verify your tracing integrations

    The OpenTelemetry Go packages moved from v1.35.0 to v1.41.0, which is a substantial jump. If you have custom instrumentation or sidecars that interact with Kubernetes' OTel spans, test in staging first. The change is backward-compatible in the API but internal behavior around span propagation and metric collection has evolved.

Key changes (5)
  • Rebuilt with Go 1.25.9, picking up upstream language and runtime fixes
  • Fixed 1.34+ regression where audit log was missing request latency annotations for requests over 500ms
  • Fixed kube-proxy nftables mode broken on systems running nft 1.1.3
  • Fixed device plugin test failures after kubelet restart (test stability, not a runtime bug)
  • OpenTelemetry dependencies bumped from v1.35.0 to v1.41.0 across otel, metric, and trace packages
Source

Kubernetes

Kubernetes CoreApr 15, 2026

v1.35.4 is a focused patch fixing five real-world bugs: sidecar container restart failure, StatefulSet parallel scaling regression, kube-proxy nftables breakage, and audit log latency annotation errors.

  • breakingCheck StatefulSet workloads if you rely on MaxUnavailable rolling behavior

    The MaxUnavailableStatefulSet feature gate is now disabled by default in 1.35.4, reversing behavior introduced earlier in 1.35. If you upgraded to 1.35.x expecting parallel pod management with maxUnavailable, that behavior is gone until the feature stabilizes. Audit your StatefulSet specs: if you set maxUnavailable, it will be silently ignored. Plan accordingly before upgrading, and watch for the gate to re-enable in a future minor.

  • breakingSidecar + startupProbe combination was silently broken — upgrade promptly

    Any pod using an initContainer with restartPolicy: Always alongside a startupProbe would silently fail to restart crashed containers after a kubelet restart, showing RestartCount: 0 forever. This affects production workloads relying on sidecars (e.g., service mesh proxies, log shippers). If you've seen pods stuck in this state, upgrading to 1.35.4 and then manually deleting/recreating affected pods is the remediation path.

  • enhancementUpgrade kube-proxy if running nft 1.1.3 on nodes

    Systems with nft (nftables) version 1.1.3 were broken in kube-proxy's nftables mode. This is a quiet but hard failure — networking simply doesn't work. If you're on newer distros shipping nft 1.1.3 (some recent Debian/Ubuntu variants), prioritize this patch upgrade for your node components.

Key changes (5)
  • StatefulSet regression fix: MaxUnavailableStatefulSet feature disabled by default to restore stable parallel pod management behavior from pre-1.35
  • Sidecar container bug: pods with initContainers (restartPolicy: Always) and startupProbes no longer get stuck at RestartCount: 0 after kubelet restarts
  • kube-proxy nftables mode now works correctly on systems running nft 1.1.3
  • Audit log fix: apiserver request latency annotation now correctly reported for requests exceeding 500ms (regression since 1.34)
  • Built with Go 1.25.9; OpenTelemetry libraries bumped to v1.41.0
Source

Kubernetes

Kubernetes CoreMar 19, 2026

v1.33.10 is a small patch fixing a kube-controller-manager nil pointer crash in ValidatingAdmissionPolicy and two kubeadm operational bugs. No dependency changes.

  • breakingPatch immediately if you use ValidatingAdmissionPolicy with open schemas

    Any ValidatingAdmissionPolicy referencing an object schema with `additionalProperties: true` will crash kube-controller-manager outright — not degrade gracefully. If you're running v1.33.x and using VAP, check your policies now. Upgrade to v1.33.10 before deploying any new policies with open schemas, or you risk taking down the controller manager.

  • enhancementkubeadm etcd learner fix matters for HA cluster joins

    When adding control plane nodes, etcd temporarily registers new members as learners. The previous behavior incorrectly included learner endpoints in the etcd client pool, which could cause client errors during promotion. If you run kubeadm-managed HA clusters and have experienced intermittent etcd client failures during control plane joins, this patch resolves it. Upgrade before your next control plane scaling operation.

  • enhancementkubeadm reset now handles stubborn bind mounts cleanly

    On nodes with bind-mounted /var/lib/kubelet directories, `kubeadm reset` previously failed with EINVAL during unmount, leaving cleanup incomplete. The fix silently ignores EINVAL — which is expected for peer mounts — so resets complete cleanly. Useful if you automate node decommissioning with kubeadm reset in scripts.

Key changes (3)
  • ValidatingAdmissionPolicy: schemas with `additionalProperties: true` no longer crash kube-controller-manager with a nil pointer exception
  • kubeadm no longer adds etcd learner members to client endpoints, preventing potential routing issues during cluster operations
  • kubeadm reset now gracefully handles EINVAL errors when unmounting /var/lib/kubelet peer mounts, avoiding false failures
Source