LWKD: Week Ending April 12, 2026
Developer News
The Steering Committee has published an updated AI usage policy where contributors must disclose AI use in PR descriptions, and AI tools may not be listed as co-authors or co-sign commits.
CVE-2026-3865 is a Medium-severity path traversal vulnerability in the CSI Driver for SMB; upgrade to v1.20.1 or later.
WG AI Integration has been disbanded after its active projects (agent-sandbox, mcp-lifecycle-operator, kube-agentic-networking) moved to their respective SIGs.
Viktória Spišaková is stepping down from WG Checkpoint-Restore with Andrey Velichkevich nominated as her replacement; lazy consensus deadline is April 17 2026.
The New Contributor Orientation is next week, on Tuesday April 21. It is the first session in the new SIG-run format; SIG-CLI is hosting this one, so if you want to start contributing to kubectl, join them.
Release Schedule
Next Deadline: Kubernetes v1.36.0 Release, April 22
Kubernetes v1.36.0-rc.0 is now available, built with Go 1.26.0.
Docs Freeze for v1.36 landed last week, and the release-1.36 branch has been created as we move into the final stages of the release cycle.
Cherry-picks for the April patch releases closed April 10, with the release targeted for April 14.
KEP of the Week
KEP-740: Support external signing of service account tokens
This KEP lets kube-apiserver delegate service account JWT signing to an external signer, such as an HSM or a cloud KMS, instead of signing with static key files loaded at startup. With on-disk keys, rotation means restarting the apiserver, and the private key sits on the control plane node's filesystem, where anyone who can read it can mint a token for any service account. With an external signer, the apiserver hands each token over to be signed and fetches the current set of public keys (by key ID) for verification; the private key never leaves the signer, and rotation becomes the signer switching its active key while it keeps publishing the previous public key until tokens signed with it have expired. The trade-off is that the signer becomes a hard dependency of token issuance, so it needs the same availability and access controls as the apiserver itself.
The feature was introduced as alpha in v1.32, promoted to beta in v1.34, and is graduating to GA in v1.36.
The KEP is authored by @micahhausler and @harshaln, with reviews and approvals from contributors in the SIG Auth community.
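An added example, not the project's code or the KEP's reference implementation, of the split the KEP makes between signing and key publication. The real interface is a gRPC service kube-apiserver reaches through `--service-account-signing-endpoint`; the stand-in below models it as an in-process Go type that exposes only Sign and FetchKeys (the private key is never returned), issues ES256 (P-256) JWTs with the standard library, and walks through rotate-then-retire to show which tokens stay valid at each step. The `ExternalSigner` and `RotationDemo` names, the key IDs and the sample claims are illustrative assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// ExternalSigner is an illustrative in-process stand-in for the signer
// kube-apiserver would talk to under KEP-740 (not the real gRPC service).
// Callers get Sign and FetchKeys; the private keys never leave this struct.
type ExternalSigner struct {
	active    string
	keys      map[string]*ecdsa.PrivateKey
	published map[string]*ecdsa.PublicKey
}

func NewExternalSigner() (*ExternalSigner, error) {
	s := &ExternalSigner{keys: map[string]*ecdsa.PrivateKey{}, published: map[string]*ecdsa.PublicKey{}}
	return s, s.Rotate("kid-1")
}

// Rotate installs a fresh P-256 signing key under kid and keeps older public
// keys published, so tokens already issued still verify. No restart involved.
func (s *ExternalSigner) Rotate(kid string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	s.keys[kid], s.published[kid], s.active = priv, &priv.PublicKey, kid
	return nil
}

// Retire withdraws a key entirely; tokens it signed are rejected from now on.
func (s *ExternalSigner) Retire(kid string) { delete(s.keys, kid); delete(s.published, kid) }

// FetchKeys returns a copy of the currently published verification keys.
func (s *ExternalSigner) FetchKeys() map[string]*ecdsa.PublicKey {
	out := map[string]*ecdsa.PublicKey{}
	for k, v := range s.published {
		out[k] = v
	}
	return out
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces an ES256 JWT whose header names the active key by kid.
func (s *ExternalSigner) Sign(claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": s.active})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, sv, err := ecdsa.Sign(rand.Reader, s.keys[s.active], digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JOSE ES256 signature: r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	sv.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// Verify is the consumer side: pin the alg, select the key by kid, reject
// unknown or retired kids, and check the signature over header.payload.
func Verify(token string, keys map[string]*ecdsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported or unreadable header")
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown or retired kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(rawBody, &claims)
}

// RotationDemo returns [old token verifies after rotate, old token verifies
// after the old key is retired, token issued after retirement verifies].
func RotationDemo() ([3]bool, error) {
	var res [3]bool
	s, err := NewExternalSigner()
	if err != nil {
		return res, err
	}
	claims := map[string]any{"iss": "https://kubernetes.default.svc", "sub": "system:serviceaccount:demo:app"} // constructed sample claims
	old, err := s.Sign(claims)
	if err != nil {
		return res, err
	}
	if err := s.Rotate("kid-2"); err != nil {
		return res, err
	}
	_, err = Verify(old, s.FetchKeys())
	res[0] = err == nil
	s.Retire("kid-1")
	_, err = Verify(old, s.FetchKeys())
	res[1] = err == nil
	fresh, err := s.Sign(claims)
	if err != nil {
		return res, err
	}
	_, err = Verify(fresh, s.FetchKeys())
	res[2] = err == nil
	return res, nil
}

func main() { fmt.Println(RotationDemo()) }
```

The ordering is the point: a rotation is safe only while the old public key stays in the fetched set, and retiring it is what actually invalidates tokens minted under it, so retirement should wait for the longest token lifetime you issue. Verify also pins the algorithm before looking at the key, which is the standard defence against a forged header asking for a weaker or absent algorithm.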
Other Merges
- Fixed running of DRA e2e tests in air-gapped clusters or with test images in private registries.
- The device manager now iterates only over NUMA nodes that actually host devices of the requested resource, so the affinity search space is O(2^k) with k the number of such nodes (typically 1 or 2) rather than the total NUMA node count.
- Fix apiserver startup failure during upgrade when MultiCIDRServiceAllocator is enabled and the cluster has a large number of namespaces.
Version Updates
- Go bumped to 1.25.8 in Kubernetes v1.34
- Go bumped to 1.26.2 in Kubernetes v1.36
- Pause image to 3.10.2
Subprojects and Dependency Updates
- containerd v2.2.3: fixes CVE-2026-35469 (spdystream), preserves cgroup mount options for privileged containers, fixes TOCTOU race in tar extraction, updates runc to v1.3.5, fixes whiteout handling in parallel unpack; also v2.1.7, v2.0.8, v1.7.31
- cluster-api v1.13.0-rc.1: fixes CVE-2026-39883, fixes KCP deletion when InfraTemplates are missing, marks CAPD docker resources as deprecated
- cluster-api-provider-vsphere v1.16.0-rc.1: bumps to CAPI v1.13.0-rc.1 and CPI v1.36.0-rc.0, fixes CVE-2026-39883
- cloud-provider-vsphere v1.36.0-rc.0: bumps Kubernetes dependencies to v0.36.0-rc.0 and etcd to v3.6.10; also v1.35.1
- prometheus v3.11.2: fixes stored XSS via unescaped metric names and labels in UI (CVE-2026-40179), fixes Consul SD filter parameter handling; also v3.5.2
- csi-driver-nfs v4.13.2: fixes CVE-2026-33186, avoids VolumeAttributesClass error logs in CSI sidecar containers
- kubespray v2.26.1: defaults to Kubernetes v1.30.6 and containerd v1.7.23, updates runc to v1.1.14 and ingress-nginx to v1.11.5; fixes etcd cert handling and PodSecurity Admission
Shoutouts
- pohly: Shoutout to @Antti Kervinen for testing the new 1.36 DRA native resources alpha feature before the release, finding a real issue, tracking down the root cause and submitting the fix in his first Kubernetes PR.