LWKD: Week Ending April 19, 2026
Developer News
Kubernetes 1.36 has been released, with features including fine-grained kubelet API authorization reaching GA, MutatingAdmissionPolicy graduating to stable for declarative request mutation, and new Workload Aware Scheduling features enabling group-based (PodGroup) scheduling; more details are available in the official release blog.
Kernel Module Management (KMM) operator v2.6.0 has been released with support for image rebuild triggers, host kernel module mounts, glob patterns for file signing, and hardened container security contexts.
SIG etcd has nominated Josh Berkus (@jberkus) for a new leadership role as a co-chair; lazy consensus is open on the dev mailing list.
The Kubernetes project’s new GitHub Actions security policy is now enforced at the enterprise level: workflows that reference actions by a mutable ref (a tag, a branch, or latest) will fail, and maintainers need to pin every action to its full 40-character commit SHA. A tag or branch can be retargeted after the fact; a commit SHA cannot, which is the point of the rule.
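A quick check for the policy above, added here as an example and not a script the Kubernetes project ships: it scans a workflow file for `uses:` references and reports every one that is not a full 40-hex commit SHA. The workflow text is constructed for this example, and the 40-hex pin on the setup-go line is a placeholder, not a real commit of that action.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Example workflow, constructed for this post. The 40-hex pin on setup-go is
// a placeholder, not a real commit of that action.
const sampleWorkflow = `name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder pin
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
      - uses: "other-org/other-action@abcdef1"
      - uses: docker://alpine:3.19`

var (
	// usesRe pulls the reference out of a `uses:` line (optionally quoted,
	// optionally followed by a comment). Line-based on purpose: this shape
	// needs no YAML parser and the check stays dependency-free.
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)
	// fullSHA is exactly what the policy demands: 40 lowercase hex digits.
	fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)
	// shortSHA catches abbreviated commit ids, which also fail the policy.
	shortSHA = regexp.MustCompile(`^[0-9a-f]{7,39}$`)
)

// Finding is one action reference that the policy would reject.
type Finding struct {
	Line int
	Uses string
	Why  string
}

// checkWorkflow returns a Finding for every `uses:` reference that is not
// pinned to a full commit SHA. Local actions (./path) and docker:// images
// are not git refs and are skipped.
func checkWorkflow(workflow string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		uses := m[1]
		if strings.HasPrefix(uses, "./") || strings.HasPrefix(uses, "docker://") {
			continue
		}
		at := strings.LastIndex(uses, "@")
		if at < 0 {
			findings = append(findings, Finding{i + 1, uses, "no ref: resolves to the default branch"})
			continue
		}
		ref := uses[at+1:]
		switch {
		case fullSHA.MatchString(ref):
			// pinned: an immutable commit id cannot be retargeted
		case shortSHA.MatchString(ref):
			findings = append(findings, Finding{i + 1, uses, "abbreviated SHA: must be all 40 characters"})
		default:
			// tags, branch names and "latest" all land here; all are mutable
			findings = append(findings, Finding{i + 1, uses, "mutable tag/branch ref"})
		}
	}
	return findings
}

func main() {
	for _, f := range checkWorkflow(sampleWorkflow) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Uses, f.Why)
	}
}
```

Against the constructed workflow this flags lines 7, 10 and 11 (tag, branch, abbreviated SHA) and accepts the placeholder full-SHA pin. Because the match is `^\s*-?\s*uses:`, a job-level `uses:` (a reusable workflow call) is checked the same way as a step. A tag that happens to be 7 to 39 hex characters is reported as an abbreviated SHA; it is rejected either way, only the reason text differs.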
Release Schedule
Kubernetes v1.36.0 has been released 🎉
Kubernetes Patches for v1.33.11, v1.34.7, and v1.35.4 have been built and pushed using Golang version 1.25.9.
KEP of the Week
KEP-5538: CSI driver opt-in for service account tokens via secrets field
This KEP proposes an opt-in mechanism for CSI drivers to receive service account tokens through the dedicated secrets field in NodePublishVolumeRequest instead of the volume_context field. Currently, when TokenRequests is enabled in the CSIDriver spec, kubelet generates service account tokens and passes them via volume_context, which is intended for non-sensitive metadata like pod name and namespace. This design has led to security issues, including CVE-2023-2878 and CVE-2024-3744, where tokens were exposed in logs because tools like protosanitizer do not treat volume_context as sensitive data. As a result, individual CSI drivers have had to implement inconsistent and error-prone workarounds for sanitization. This proposal addresses the issue by allowing drivers to explicitly opt into receiving tokens via the secrets field, which is designed for sensitive information and ensures proper handling and sanitization, while keeping the default behavior unchanged for backward compatibility.
In Kubernetes v1.35, the feature is in Beta with the CSIServiceAccountTokenSecrets feature gate enabled by default, introducing the opt-in field in CSIDriver and ensuring backward-compatible behavior.
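To make the logging hazard in the KEP concrete, here is an added example (not code from the KEP, kubelet, or any CSI driver) that models the two token placements and runs both through a sanitizer that, like the field-aware sanitizers the KEP refers to, strips only the secrets field. The NodePublishRequest type is a stripped-down stand-in for the CSI message, not the generated protobuf type; the token payload follows the audience-to-token JSON layout kubelet documents for the csi.storage.k8s.io/serviceAccount.tokens key, with a placeholder token value; and the example assumes the opt-in path reuses that same key inside secrets, which is an assumption, not something the KEP text above states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// tokenKey is the volume_context key kubelet uses today for service account
// tokens. Assumption for this example: the opt-in path reuses the same key
// inside secrets.
const tokenKey = "csi.storage.k8s.io/serviceAccount.tokens"

// Constructed token payload in the audience -> token layout kubelet documents.
// The token value is a placeholder, not a real JWT.
const sampleTokenJSON = `{"vault":{"token":"header.payload.signature-CONSTRUCTED","expirationTimestamp":"2026-04-19T00:10:00Z"}}`

// NodePublishRequest is a stripped-down stand-in for the CSI
// NodePublishVolumeRequest message: just the two maps that matter here.
type NodePublishRequest struct {
	VolumeID      string
	VolumeContext map[string]string
	Secrets       map[string]string
}

// tokenEnvelope mirrors the JSON layout of the token payload.
type tokenEnvelope map[string]struct {
	Token               string `json:"token"`
	ExpirationTimestamp string `json:"expirationTimestamp"`
}

// buildRequest models what kubelet sends a driver. inSecrets=false is the
// current behaviour (tokens in volume_context); true is the KEP-5538 opt-in.
func buildRequest(tokenJSON string, inSecrets bool) NodePublishRequest {
	req := NodePublishRequest{
		VolumeID: "vol-1",
		VolumeContext: map[string]string{
			"csi.storage.k8s.io/pod.name":      "web-0",
			"csi.storage.k8s.io/pod.namespace": "default",
		},
		Secrets: map[string]string{},
	}
	if inSecrets {
		req.Secrets[tokenKey] = tokenJSON
	} else {
		req.VolumeContext[tokenKey] = tokenJSON
	}
	return req
}

// sanitize formats a request for logging the way a field-aware sanitizer
// does: every value in secrets is stripped, volume_context is printed
// verbatim because nothing marks a context value as sensitive.
func sanitize(req NodePublishRequest) string {
	var b strings.Builder
	fmt.Fprintf(&b, "volume_id=%q volume_context=%v secrets={", req.VolumeID, req.VolumeContext)
	for k := range req.Secrets {
		fmt.Fprintf(&b, "%s:***stripped***", k)
	}
	b.WriteString("}")
	return b.String()
}

// tokenFor is the driver-side read: prefer secrets (opt-in), fall back to
// volume_context (legacy), then pick the token for the wanted audience.
func tokenFor(req NodePublishRequest, audience string) (string, error) {
	raw, ok := req.Secrets[tokenKey]
	if !ok {
		raw, ok = req.VolumeContext[tokenKey]
	}
	if !ok {
		return "", fmt.Errorf("request carries no service account tokens")
	}
	var env tokenEnvelope
	if err := json.Unmarshal([]byte(raw), &env); err != nil {
		return "", fmt.Errorf("bad token payload: %w", err)
	}
	t, ok := env[audience]
	if !ok {
		return "", fmt.Errorf("no token for audience %q", audience)
	}
	return t.Token, nil
}

// leaksToken reports whether the sanitized log line still contains the token.
func leaksToken(req NodePublishRequest, token string) bool {
	return strings.Contains(sanitize(req), token)
}

func main() {
	for _, inSecrets := range []bool{false, true} {
		req := buildRequest(sampleTokenJSON, inSecrets)
		tok, err := tokenFor(req, "vault")
		if err != nil {
			panic(err)
		}
		fmt.Printf("tokens in secrets=%v leaks=%v\n  %s\n", inSecrets, leaksToken(req, tok), sanitize(req))
	}
}
```

With the legacy placement the sanitized line still contains the token, which is the class of bug behind the CVEs the KEP cites; with the opt-in placement the same sanitizer strips it without the driver doing anything special. A driver written to read secrets first and fall back to volume_context, as tokenFor does, keeps working with kubelets that have not opted it in.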
Other Merges
- Fixed running of DRA e2e tests in air-gapped clusters and with test images in private registries.
- Fixed scheduler bug where replacing a Pod with the same name during a failed scheduling attempt could leave stale in-flight queue state and unbounded growth of in-flight event tracking.
Version Updates
- go.opentelemetry.io/otel to v1.41.0, also on release-1.33, release-1.34, and release-1.35
Subprojects and Dependency Updates
- cluster-api v1.13.0-rc.1: fixes CVE-2026-39883, fixes KCP deletion when InfraTemplates are missing, marks CAPD docker resources as deprecated
- cluster-api-provider-vsphere v1.16.0-rc.1: bumps to CAPI v1.13.0-rc.1 and CPI v1.36.0-rc.0, fixes CVE-2026-39883
- csi-driver-nfs v4.13.2: fixes CVE-2026-33186, avoids VolumeAttributesClass error logs in CSI sidecar containers
- containerd v2.3.0-beta.2: introduces shim bootstrap protocol, adds transfer types for container filesystem copy, supports zstd-wrapped EROFS layers, allows containers to use user namespaces with host networking, propagates OpenTelemetry traces in outgoing RPCs; also v2.2.3, v2.1.7, v2.0.8
Shoutouts
- No shoutouts this week. Want to thank someone for special efforts to improve Kubernetes? Tag them in the #shoutouts channel.