Last Week In Kubernetes Development

March 19, 2026

LWKD: Week Ending March 15, 2026

Developer News

KubeCon Europe 2026 is next week! The KubeCon EU Maintainer Summit is now sold out, and the CNCF will not allow unregistered contributors to attend due to high demand. Regardless, do join us for the Kubernetes Meet & Greet on Wednesday, March 25, which is not sold out.

The NFS CSI Driver patched a security vulnerability which could allow unauthorized users to modify or delete files.

KubeCon Japan CFP (Maintainer Track + Lightning Talks) closes April 12. KubeCon Japan Regular CFP is open until 29 March 2026. KubeCon + CloudNativeCon + OpenInfra Summit + PyTorch Conference China CFP (Maintainer Track + Lightning Talks) closes May 3, 23:59 CST / 21:29 IST / 15:59 UTC / 11:59 EDT.

ingress-nginx will reach End of Life (EOL) on March 31, concluding its best-effort maintenance period.

Release Schedule

Next Deadline: Code & Test Freeze, 19th March 2026

Code & Test Freeze for v1.36 starts tomorrow. Make sure your feature work is completed and merged before the deadline. After the freeze, only critical fixes will be accepted, and other changes will require an exception.

The March Kubernetes patch releases are delayed and are currently expected to be cut early this week.

Featured PRs

137454: KEP-4265: promote ProcMountType to GA

Joe Beda has promoted the ProcMountType feature to General Availability as part of KEP-4265. The change was reviewed and approved by contributors including Jordan Liggitt and members of SIG Auth, SIG Node, and SIG CLI.

ProcMountType allows Kubernetes workloads to control how the Linux /proc filesystem is mounted inside containers. The /proc filesystem exposes information about running processes on a host, which can be useful for debugging and monitoring but may also reveal sensitive host details. The feature allows containers to run with a more restricted /proc mount, helping isolate workloads from host process information and improving container security.

With this PR, the feature is considered stable and the associated feature gate has been removed from the API documentation. This means contributors and users can rely on the functionality as part of the core Kubernetes API going forward, without needing to enable experimental flags.

The work builds on earlier implementation and stabilization efforts, including related PRs such as #136792, which promoted the UserNamespacesSupport feature to GA and removed remaining feature-gate references across the codebase. These changes collectively advance Kubernetes’ support for stronger container isolation features in the Linux kernel.

The feature is relevant to multiple parts of the Kubernetes project, including kubelet behavior, container runtime interactions, and workload security configuration. Contributors working in areas such as pod security, container runtime integration, and node lifecycle management may encounter this functionality when configuring process namespace and /proc access within pods.

For more details, see the enhancement proposal in KEP-4265 and the discussion in the pull request above.
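ProcMountType surfaces in the Pod API as securityContext.procMount, which takes the values Default (the runtime masks and read-only-mounts the usual sensitive /proc paths) or Unmasked. The baseline Pod Security Standard restricts this field, so a cluster operator's usual question is "who is asking for Unmasked, and is the pod at least in its own user namespace?". The script below is an added example written for this newsletter item; it is not code from the Kubernetes project or from the PR above. It reads the JSON shape that `kubectl get pods -A -o json` emits and reports every container requesting Unmasked. The severity split is this script's own policy, not a Kubernetes API rule: high when the pod shares the host user namespace (spec.hostUsers unset or true), informational when it has opted into a user namespace (hostUsers: false). The sample pod list is constructed, not captured from a real cluster.

```python
"""Audit a Pod list for containers that request an unmasked /proc.

Added example for the LWKD item on KEP-4265; not Kubernetes project code.
The severity rule is this script's own policy (an assumption): Unmasked is
"high" in the host user namespace and "info" under hostUsers: false.
"""
import json
import sys

# Constructed sample in the shape of `kubectl get pods -o json`, trimmed to
# the fields the audit needs. Not captured from a real cluster.
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "web", "namespace": "prod"},
         "spec": {"containers": [
             {"name": "nginx", "image": "nginx:1.27"}]}},
        {"metadata": {"name": "builder", "namespace": "ci"},
         "spec": {"hostUsers": False,
                  "containers": [
                      {"name": "buildkit", "image": "moby/buildkit",
                       "securityContext": {"procMount": "Unmasked"}}]}},
        {"metadata": {"name": "debug", "namespace": "dev"},
         "spec": {"containers": [
             {"name": "shell", "image": "busybox",
              "securityContext": {"procMount": "Unmasked"}},
             {"name": "sidecar", "image": "busybox",
              "securityContext": {"procMount": "Default"}}]}},
    ],
})


def audit_pod_list(pod_list_json: str) -> list[dict]:
    """Return one finding per container whose procMount is Unmasked."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        # hostUsers defaults to true: an unset field means the host user namespace.
        host_users = spec.get("hostUsers", True)
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for container in containers:
            sec = container.get("securityContext") or {}
            # An unset procMount is equivalent to Default (masked /proc paths).
            if sec.get("procMount", "Default") != "Unmasked":
                continue
            findings.append({
                "namespace": meta.get("namespace", ""),
                "pod": meta.get("name", ""),
                "container": container.get("name", ""),
                "hostUsers": host_users,
                "severity": "high" if host_users else "info",
            })
    return findings


def main() -> None:
    # Pass a file saved from `kubectl get pods -A -o json`; otherwise use the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for f in audit_pod_list(source):
        print(f"[{f['severity']}] {f['namespace']}/{f['pod']} container "
              f"{f['container']}: procMount=Unmasked hostUsers={f['hostUsers']}")


if __name__ == "__main__":
    main()
```

On the constructed sample this reports two findings: ci/builder as informational (it runs with hostUsers: false) and dev/debug's shell container as high (host user namespace with an unmasked /proc); the sidecar with procMount: Default is not reported.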

KEP of the Week

KEP-4671: Gang Scheduling using Workload Object

This KEP implements gang scheduling in kube-scheduler, proposed by SIG Scheduling, enabling Kubernetes to schedule groups of Pods as a single unit using an all-or-nothing model. It introduces the Workload and PodGroup APIs, allowing the scheduler to wait until a minimum number of Pods can be scheduled together before binding them, improving support for distributed workloads like AI/ML and batch jobs.

SIG Scheduling contributors are actively working on API refinements and scheduler behavior, with ongoing discussions around evolving toward a more workload-aware scheduling model.

KEP-4671 reached alpha in Kubernetes v1.35 behind the GenericWorkload feature gate, and is expected to progress to beta in a future release, subject to API stability and testing.
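To make the all-or-nothing semantics concrete, the following is an added example written for this newsletter item; it is not code from kube-scheduler or from KEP-4671, and the Node, PodGroup, greedy_place, gang_place and run_scenario names are this example's own. It models a cluster as per-node free CPU and a pod group as per-pod CPU requests with a minimum count, then contrasts per-pod greedy binding with gang binding that refuses to bind anything unless at least the minimum count fits at once. The real Workload and PodGroup APIs, queueing and the plugin pipeline are not modelled; the point is only the deadlock that partial placement can cause and that gang placement avoids.

```python
"""Toy comparison of greedy per-pod placement and all-or-nothing gang placement.

Added example for the LWKD item on KEP-4671; not kube-scheduler code.
Capacities, pod groups and the placement functions are this example's own.
"""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    free_cpu: int


@dataclass
class PodGroup:
    name: str
    pod_cpu: list[int]   # CPU request of each pod in the group
    min_count: int       # pods that must be placed together (gang minimum)


def _fit(capacity: dict[str, int], group: PodGroup) -> dict[str, str]:
    """First-fit each pod onto the capacity map, mutating it; returns pod -> node."""
    placements = {}
    for i, cpu in enumerate(group.pod_cpu):
        for node_name, free in capacity.items():
            if free >= cpu:
                capacity[node_name] = free - cpu
                placements[f"{group.name}-{i}"] = node_name
                break
    return placements


def greedy_place(nodes: list[Node], group: PodGroup) -> dict[str, str]:
    """Bind every pod that fits right now; a partially placed group holds its CPU."""
    capacity = {n.name: n.free_cpu for n in nodes}
    placements = _fit(capacity, group)
    for n in nodes:
        n.free_cpu = capacity[n.name]
    return placements


def gang_place(nodes: list[Node], group: PodGroup) -> dict[str, str]:
    """Bind only if at least min_count pods fit together; otherwise bind none."""
    trial = {n.name: n.free_cpu for n in nodes}   # dry run on a copy
    placements = _fit(trial, group)
    if len(placements) < group.min_count:
        return {}   # all-or-nothing: nothing is bound, no CPU is held
    for n in nodes:
        n.free_cpu = trial[n.name]
    return placements


def run_scenario() -> dict[str, dict[str, dict[str, str]]]:
    """Constructed scenario: 2 nodes x 4 CPU; one group that can never fit, one that can."""
    def fresh_nodes() -> list[Node]:
        return [Node("node-1", 4), Node("node-2", 4)]

    train = PodGroup("train", [3, 3, 3], min_count=3)   # needs 9 CPU, cluster has 8
    batch = PodGroup("batch", [4, 4], min_count=2)      # needs 8 CPU, fits only when idle

    greedy_nodes = fresh_nodes()
    greedy = {g.name: greedy_place(greedy_nodes, g) for g in (train, batch)}
    gang_nodes = fresh_nodes()
    gang = {g.name: gang_place(gang_nodes, g) for g in (train, batch)}
    return {"greedy": greedy, "gang": gang}


if __name__ == "__main__":
    for mode, groups in run_scenario().items():
        for name, placed in groups.items():
            print(f"{mode:6} {name}: {len(placed)} pod(s) bound {placed}")
```

With greedy placement the train group binds two of its three pods and then waits forever for the third, holding 6 of the cluster's 8 CPU, so the batch group can never start either: both groups are stuck. With gang placement the train group binds nothing, the cluster stays idle, and the batch group's two pods are bound together. The train group still waits, but it does so without wasting capacity.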

Other Merges

  • Fixes the total pod resources computation.
  • Explicitly writes memory.min=0 for QoS cgroups when the calculated requests are zero.
  • Truncates the watch cache RV metric to 15 digits to ensure precision.
  • Improve stability by sorting containers by create time and ID in kubeGenericRuntimeManager.GetPods() and GetPod().
  • Allow the CRI (and NRI) to block pod-level resizes.
  • Slow requests that use impersonation can now be tracked via the apiserver.latency.k8s.io/impersonation audit event annotation when the ConstrainedImpersonation feature is enabled.
  • Enables Prometheus native histogram support in the scheduler when the feature gate is enabled.
  • Fix goroutine hot-loop in client-go StartEventWatcher when the event broadcaster shuts down before the cancellation context fires.
  • Fix a race condition where, with DRABindingConditions enabled, reusing the same claim across different Pods could rarely trigger a scheduler panic during parallel de-allocation.
  • Add alpha support for manifest-based admission control configuration (KEP-5793).
  • Allow users to opt in to scheduling behaviour for CSI volumes.
  • Fix link file ownership of projected serviceAccountToken.
  • Validation messages for a Pod's status.resourceClaimStatuses[].resourceClaimName now refer correctly to the resourceClaimName field instead of the name field.
  • Update kubectl kuberc set with options for setting credentialPluginPolicy and credentialPluginAllowlist.
  • Introduces new staging modules k8s.io/streaming and k8s.io/cri-streaming for Kubernetes streaming transport and CRI streaming server code.
  • Added two scheduler metrics for Device Binding Conditions, covering allocation attempts and PreBind duration with status and driver labels.
  • Added PlacementScore extension point to the scheduler.
  • For performance reasons, kubectl describe now defaults to showing related events only when describing a single object.
  • Add --tls-curve-preferences flag for configuring the TLS key exchange mechanism.
  • Introduce scheduling.k8s.io/v1alpha2 Workload and PodGroup API.
  • kubectl scale now reflects the expected replica count in its output.
  • Garbage collector now correctly handles objects deleted externally, preventing spurious error logs.
  • Add tlsServerName field to EgressSelectorConfiguration TLSConfig to allow overriding the server name used for TLS certificate verification.
  • Add ControllerManagerReleaseLeaderElectionLockOnCancel feature gate to gate leader election lock release on exit for kube-controller-manager.
  • Extend WebSocket Streaming Protocol to the Kubelet for Exec/Attach/PortForward.
  • Remove CRD stored versions from status upon SVM migration.
  • Reduced the number of PV get requests made by the KCM pv-controller for CSI volumes.
  • k8s.io/client-go/transport now automatically reloads certificate authority roots from disk when they are supplied via a file path.
  • Allow the Topology, CPU, and Memory managers to recognize and act upon pod.spec.resources, enabling two flexible resource management models.

Promotions

  • ProcMountType feature to GA
  • ComponentFlagz feature gate to Beta
  • ComponentStatusz feature gate to Beta
  • DRA device taints to Beta
  • DRAPrioritizedList to GA
  • UserNamespacesSupport to GA
  • KubeletPodResourcesDynamicResources and KubeletPodResourcesGet feature gates to GA
  • ImageVolume to GA
  • RestartAllContainers to Beta
  • HPA metrics to Beta
  • NodeDeclaredFeatures to Beta

Version Updates

  • coredns to v1.14.2

Subprojects and Dependency Updates

  • Cluster API v1.13.0-beta.0: introduces significant updates with 25 new features and multiple breaking changes, including removal of deprecated APIs, adoption of v1beta2 contracts, improved ClusterClass and Machine handling, and enhanced rollout and caching mechanisms. The release also upgrades dependencies such as controller-runtime and Go, alongside extensive bug fixes and testing improvements. Additionally, v1.12.4 and v1.11.7 provide backported bug fixes, CVE patches, and stability improvements across supported branches.
  • Cluster API Provider vSphere v1.16.0-beta.0: delivers major API alignment with Cluster API v1beta2, including multiple breaking changes, improved VM and infrastructure handling, enhanced testing, and support for new features like Node Auto Placement and extended VM configuration options. The release also includes dependency upgrades, improved caching, and stability fixes.
  • containerd v2.3.0-beta.0: marks the next minor release aligned with Kubernetes cadence and introduces LTS support, improved CRI functionality, enhanced image handling (including EROFS support), expanded Node Resource Interface capabilities, and runtime improvements such as updated cgroup stats and OOM handling. The release also includes broad dependency updates and new plugin capabilities.
  • gRPC v1.80.0-pre1: a pre-release focused on incremental improvements, refinements, and bug fixes in the gRPC core.
  • kOps v1.35.0: introduces improvements such as warm pool enhancements, dependency upgrades (including Go and etcd-manager), networking and bootstrap fixes, and updated Kubernetes component integrations. Patch releases v1.34.2, v1.33.2, and v1.32.4 provide backported fixes, dependency bumps, Kubernetes component updates, and stability improvements across earlier supported versions.

Shoutouts

  • No shoutouts this week. Want to thank someone for special efforts to improve Kubernetes? Tag them in the #shoutouts channel.