LWKD: Week Ending March 29, 2026
Developer News
A new Kubernetes policy requires GitHub Actions workflows to pin actions using full 40-character commit SHAs instead of mutable references like latest or main. Non-compliant workflows will fail after April 15, 2026, so maintainers should update workflows and use Dependabot to keep them up to date, see details.
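A small lint for the policy above, added here as an example (not LWKD's or the Kubernetes project's own tooling): it scans a workflow file for "uses:" references that are not pinned to a full 40-character commit SHA. It assumes the workflow is plain YAML with one "uses:" per line, and skips local composite actions (./path) and docker:// images, which carry no git ref.

```shell
#!/bin/sh
# Added example: flag GitHub Actions references not pinned to a 40-hex-char commit SHA.
# Assumes one "uses:" key per line, as in a normal workflow file.
set -eu

# Print the raw "uses:" values of a workflow file, one per line, with
# surrounding quotes and trailing "# comments" removed.
uses_refs() {
  re="s/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*[\"']?([^\"'#[:space:]]+).*/\\1/p"
  sed -n -E "$re" "$1"
}

# Print each unpinned reference prefixed with "unpinned: "; return 1 if any exist.
# Local actions (./...) and docker:// images have no git ref to pin, so they are skipped.
check_pinned_actions() {
  bad=$(uses_refs "$1" | grep -v -e '^\./' -e '^docker://' | grep -Ev '@[0-9a-f]{40}$' || true)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" | sed 's/^/unpinned: /'
  return 1
}

# Usage: check_pinned_actions .github/workflows/ci.yml
```

Run it over every file under .github/workflows in CI; a non-zero exit marks the workflow as non-compliant, and a trailing "# vN" comment on the pinned line keeps the version readable for Dependabot updates.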
The default branch of the kubernetes/community repository has been renamed from master to main. Open PRs were automatically retargeted and existing /master/ links will continue to work, but contributors should update local branches and forks to stay aligned, see tracking issue.
SIG Release has updated platform support tiers and artifacts documentation with clearer, measurable criteria and a simplified structure, with no changes to supported platforms or artifacts, see PR.
A high-severity ingress-nginx vulnerability (CVE-2026-4342) enables configuration injection and potential code execution, affecting versions below v1.13.9, v1.14.5, and v1.15.1 as outlined in the issue. With ingress-nginx now EOL, users should upgrade and migrate.
Release Schedule
Next Deadline: Docs Freeze, 9th April 2026
Code Freeze for v1.36 is now in effect. Enhancements that did not meet the freeze criteria have been removed from the milestone. Docs PRs and Release Highlights were due March 31, with Docs Freeze landing April 9 (AoE April 8).
Patch Releases
Kubernetes v1.36.0-beta.0, v1.35.3, v1.34.6, v1.33.10 were released last week, delivering the latest fixes and updates.
Featured PRs
137544: Promote NodeLogQuery to GA in v1.36 and lock default to true
jrvaldes has promoted the NodeLogQuery feature to General Availability in Kubernetes v1.36 as part of KEP-2258: Node Log Query Enhancements. The PR was reviewed and approved by maintainers including liggitt and contributors from SIG Node and SIG Windows.
NodeLogQuery allows cluster administrators to retrieve node-level system and service logs directly through the Kubernetes API by proxying requests through the kubelet. Instead of logging into nodes with SSH or RDP and manually searching logs with tools such as journalctl or the Windows Event Viewer, operators can query logs with a single kubectl command.
The feature was originally introduced in Kubernetes 1.27 as an alpha capability and progressed to beta in Kubernetes 1.30 before graduating to GA in v1.36. During this time the implementation matured with improvements to filtering, cross-platform support for both Linux and Windows nodes, and security hardening after the discovery of CVE-2024-9042 affecting the Windows implementation.
Under the hood, the kubelet exposes a /logs/ HTTP endpoint that queries the operating system’s native logging infrastructure (journalctl on Linux and Get-WinEvent on Windows), allowing Kubernetes to provide a unified interface for retrieving node logs regardless of operating system.
The feature originated from work led by Aravindh Puthiyaparambil and contributors across SIG Windows and SIG Node. With the GA promotion, the NodeLogQuery feature gate is now locked to enabled, making node log queries a stable part of the Kubernetes debugging and observability toolkit.
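The query path the featured PR describes, as an added example rather than code from the PR or the Kubernetes project: it composes the kubelet /logs/ request through the API server's node proxy and runs it with kubectl. The parameter names (query, tailLines, pattern) follow the documented NodeLogQuery API; the node-name pattern and the service names used are assumptions, and only ASCII values are percent-encoded.

```shell
#!/bin/sh
# Added example: query node logs through the kubelet /logs/ endpoint via the
# API server node proxy. Assumes DNS-style node names and ASCII query values.
set -eu

# Percent-encode a query value so a pattern such as "denied|error" survives the URL.
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"; s="${s#?}"          # first character, then the rest
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Compose the proxy path. Args: node, service/unit name, tailLines (optional),
# pattern (optional). The node name is validated so a stray "/" or ".." cannot
# redirect the request to a different API path.
node_log_path() {
  node="$1"; query="$2"; tail="${3:-}"; pattern="${4:-}"
  printf '%s' "$node" | grep -Eq '^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$' || {
    echo "invalid node name: $node" >&2; return 1; }
  path="/api/v1/nodes/$node/proxy/logs/?query=$(urlencode "$query")"
  [ -n "$tail" ] && path="$path&tailLines=$tail"
  [ -n "$pattern" ] && path="$path&pattern=$(urlencode "$pattern")"
  printf '%s' "$path"
}

# Run the query with the caller's credentials; the caller needs RBAC "get" on nodes/proxy.
node_logs() {
  kubectl get --raw "$(node_log_path "$@")"
}

# Example: last 100 kubelet lines on node-1.example mentioning "denied"
# node_logs node-1.example kubelet 100 denied
```

Because the request goes through nodes/proxy, the same RBAC binding that grants it also grants other kubelet proxy paths, so scope it to the operators who actually debug nodes.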
KEP of the Week
KEP-4815: DRA: Add support for partitionable devices
This KEP restores the ability of Dynamic Resource Allocation (DRA) to support on-demand device partitioning within the newer “structured parameters” framework, enabling more efficient utilization of resources like GPUs and other accelerators. It introduces mechanisms for vendors to represent both full devices and overlapping partitions compactly, allowing the scheduler to safely allocate non-conflicting partitions while enabling dynamic creation of those partitions after allocation—without changing the existing user-facing ResourceClaim workflow.
The proposal is driven by use cases such as GPU partitioning, multi-host TPU scheduling, SR-IOV, and ensuring valid device topologies across single and multi-node environments, while also supporting logical devices composed of multiple physical resources.
The feature is currently under proposal stage, with ongoing discussions focused on restoring lost flexibility from “classic” DRA and aligning it with structured parameters, and is expected to evolve through standard Kubernetes release stages (alpha, beta, GA) based on implementation maturity and community feedback.
Other Merges
- Switch PLEGOnDemandRelist default to false for 1.36.
- Fixes a 1.35 regression in StatefulSet Parallel pod management by disabling the MaxUnavailableStatefulSet feature by default.
- Added alpha support for tracking PVC unused status via a new Unused condition on PersistentVolumeClaimStatus.
- Fix bug where users can't update HPAv2 resources that use object metrics with averageValue via the v1 HPA API.
- cri-client helper method NewLogOptions was removed and LogOptions must be constructed directly.
- Enables Prometheus native histogram support in kube-proxy, kubelet, and KCM when the feature gate is enabled.
- The "Failed to update lease optimistically" log message may not be shown to users anymore, depending on the log level they have set.
- Add tiered cgroup v2 memory protection for MemoryQoS: memory.min for Guaranteed pods, memory.low for Burstable pods, with node-level metrics and rollback reconciliation (KEP-2570).
- Writes to the ServiceCIDR main resource now ignore status field changes in the request, consistent with all other Kubernetes APIs.
- Fixed a bug preventing Pods sharing ResourceClaims from being scheduled with GangScheduling.
- Added a deletion protection mechanism for PodGroup objects (KEP-5832).
- Fixed how image names are compared to the values from preloadedImagesVerificationAllowlist in Kubelet's configuration.
- kube-scheduler now updates PodGroup status with a PodGroupScheduled condition reflecting whether the group was successfully scheduled or is unschedulable.
- DRA allocation timeouts are now surfaced as visible scheduling failures and retried with per-pod exponential backoff, instead of silently skipping nodes or incorrectly marking pods unschedulable.
- When the WorkloadAwarePreemption feature gate is enabled and pod group scheduling fails to find a place for the pod group, workload-aware preemption is run for the whole group instead of default preemption for each pod in the group.
- MemoryReservationPolicy cgroup v2 MemoryQoS support added to KubeletConfiguration for memory.min protection (KEP-2570).
- TAS logic added to the pod group scheduling cycle behind the TopologyAwareWorkloadScheduling feature gate. This feature supports scheduling pod groups on nodes with matching topology domains (KEP-5723).
- PodGroupPodsCount scheduler plugin added to support workload-aware scheduling by prioritizing placements with higher pod counts within a group.
- Admission plugin added that validates PodGroup resources reference an existing Workload and match the declared PodGroupTemplate spec.
- Disallow setting a resize restart policy of RestartContainer on non-sidecar initContainers, as the resize of such containers has never been supported.
- DRA ResourceSlice controller: new optional ReconcilePoolWithName allows per-pool reconciliation without setting NodeName on slices.
- Support in-place pod resize of running non-sidecar initContainers.
- Fixed an issue where zero-valued PSI (Pressure Stall Information) metrics were emitted by the kubelet when the OS does not support PSI, even if the KubeletPSI feature gate was enabled.
- Warnings and deprecation for Service.spec.externalIPs.
- SchedulingConstraints to express TAS constraints for pod group scheduling behind the TopologyAwareWorkloadScheduling feature gate (KEP-5732).
- Alpha: introduce List Types for Attributes in DRA (KEP-5491).
- Fixed a bug where regular containers in a pod with a sidecar (initContainer with restartPolicy: Always) and a startupProbe failed to restart after crashing following a kubelet restart, leaving affected pods stuck with RestartCount: 0 indefinitely.
- Opt-in alpha support in the kubeletplugin framework for DRA drivers to publish DRA Device metadata in pod CDI mounts.
- Integrate Workload and PodGroup APIs with the Job controllers to support gang scheduling.
- ResourcePoolStatusRequest API (v1alpha1) for querying DRA resource pool availability.
- Capped nf_conntrack_max to 1,048,576 to prevent excessive memory consumption on high-core machines when using automatic calculation.
- Fixed redundant SSH command executions in the etcd failure e2e test.
- DRA: PodGroup resources can now make requests with ResourceClaims through a spec.resourceClaims field which can refer to ResourceClaims and ResourceClaimTemplates.
- New RuntimeService streaming RPCs (StreamPodSandboxes, StreamContainers, StreamContainerStats, StreamPodSandboxStats, StreamPodSandboxMetrics) and a new ImageService streaming RPC (StreamImages).
- Extended NodeResourcesFit to implement the PlacementScore extension point.
- Introduce index-based naming in the ResourceSlice controller and ensure ResourceSlices and pools are sorted lexicographically before allocation, allowing users to control allocation priority.
- DisruptionMode, PriorityClassName and Priority fields added to the Workload and PodGroup APIs to support workload-aware preemption when the WorkloadAwarePreemption feature gate is enabled.
- Renamed metric 'etcd_bookmark_counts' to 'etcd_bookmark_total'.
- Introduce support of DRA for Native Resources.
- An admission plugin to perform the OS and node capacity checks.
- The UserNamespacesHostNetwork runtime handler added; integrates the UserNamespacesHostNetworkSupport feature gate with the NodeDeclaredFeatures feature gate.
- DRA (Dynamic Resource Allocation) drivers and controllers now require granular RBAC permissions to update ResourceClaim statuses when the DRAResourceClaimGranularStatusAuthorization feature gate is enabled (Beta in 1.36).
- Kubelet now sets the PodReadyToStartContainers condition immediately after sandbox creation rather than after image pull, reducing the time to condition True.
- A new gRPC service is added to the Kubelet that provides information about pods running on the node.
- kubectl: kubectl describe node now lists aggregated ResourceSlices when the ResourceSlice API is present, detailing slice name, driver, and pool.
Promotions
- Constrained impersonation to beta.
- NodeLogQuery to GA.
- Device Binding Conditions (KEP #5007) to beta.
- InPlacePodLevelResourcesVerticalScaling feature to beta.
- ProcMountType to GA.
- DRAPartitionableDevices to beta.
- KubeletPSI feature gate to GA.
- Job controller metrics to beta.
- etcd metric 'apiserver_storage_events_received_total' to beta.
- scheduler metrics to beta.
Subprojects and Dependency Updates
- etcd v3.6.10: patch release; also v3.5.29, v3.4.43: fixes several security vulnerabilities reported by community members; these vulnerabilities do not affect the Kubernetes control plane, but do affect users of the etcd Auth feature.
- nerdctl v2.2.2: updates BuildKit to v0.28.1 and CNI plugins to v1.9.1 with security fixes; full distribution includes containerd v2.2.1, runc v1.4.0, and RootlessKit v2.3.6
- cluster-api v1.13.0-beta.1: adds DevMachinePools for CAPD, optimizes cache configuration for core and KCP controllers, tunes concurrency for scale; fixes KCP label handling and ClusterRole conflicts; bumps cert-manager to v1.20.1
- cluster-api-provider-vsphere v1.16.0-beta.1: adds crypto configuration support, tunes controller concurrency for scale, fixes zone info fetch from VM conditions; bumps to CAPI v1.13.0-beta.1 and fixes gRPC CVE
- prometheus v3.11.0-rc.0: adds AWS Elasticache/RDS SD roles, Azure Workload Identity auth, new PromQL histogram operators and histogram_quantiles function, experimental fast-startup and ST storage flags; fixes EC2 SD endpoint regression, alert state reset bug, and multiple TSDB memory leaks
- cloud-provider-vsphere v1.35.1: fixes CVE-2026-33186 (CVSS 9.1) and CVE-2026-24051 (CVSS 7.0)
- gRPC v1.80.0: implements TLS private key offload, adds InMemoryCertificateProvider, enables EventEngine for Python by default with fork support, adds Ruby 4.0 build support; fixes PHP infinite recursion and Python AsyncIO concurrent RPC enforcement
Shoutouts
- pohly: Shoutout to @everpeace for getting their first KEP implemented as alpha.
- pohly: Shoutout to @Noureldin for another alpha DRA KEP implementation.
- pohly: Shoutout to @nojnhuh for getting their first KEP implementation merged as alpha for v1.36.