LWKD: Week Ending May 17, 2026
Developer News
The 2026 Steering Election cycle has officially begun, with ContribEx appointing Nina Polshakova, Sreeram Venkitesh, and Rey Lejano as this year’s Election Officers. Xander Grzywinski and Christopher Tineo will serve as Alternate Officers.
KubeCon North America CFP closes on May 31. Submit your talks before the deadline.
KubeCon North America Maintainer Track CFP is open until July 12. Maintainer Track speaking slots are reserved for SIG Chairs and Tech Leads; contributors interested in presenting should coordinate with their SIG Chair to submit through the SIG’s allocated slot.
Release Schedule
Kubernetes v1.37 Release Cycle Kicks Off, 18th May 2026
The v1.37 release schedule has been posted, with the release cycle beginning May 18.
Applications for the Kubernetes v1.37 Release Team shadow program closed on May 15, with selected applicants announced on May 22.
Kubernetes Patches v1.33.12, v1.34.8, v1.35.5, and v1.36.1 have been released.
Featured PRs
139010: Reduce numbers of conversions in CEL evaluation pipeline
The Common Expression Language (CEL) admission evaluation pipeline has been optimized to avoid repeatedly converting the same API object during policy evaluation. The CEL admission plugin backs ValidatingAdmissionPolicy and related features, and converts each runtime.Object into a CEL-evaluable representation before a policy expression can run against it. When a request is subject to multiple policies or webhooks, the same object was being converted again for every evaluation, and that conversion became a measurable CPU bottleneck on busy API servers. Under a 200 QPS load test with five ValidatingAdmissionPolicies, the change reduces API server CPU usage from roughly 1.10 cores to 0.93 cores, an approximately 15% reduction, while leaving light-policy workloads functionally unchanged.
The fix introduces a LazyObject abstraction wrapping VersionedObject and VersionedOldObject in VersionedAttributes. LazyObject caches the CEL ref.Val representation on first use and automatically clears it whenever the underlying object is mutated via Set(), so the conversion cost is paid at most once per object per request, and not at all when CEL evaluation is skipped, such as for empty expression groups. Encapsulating the cache this way also resolves a class of desynchronization bugs where an object mutated during mutating admission could leave a stale CEL representation behind. The PR is scoped to SIG API Machinery, and is targeted at the v1.37 milestone.
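The caching contract described above, sketched as an added Go example (not code from the PR or from Kubernetes). `lazyObject`, `policy` and `evaluate` are hypothetical names, and plain maps stand in for `runtime.Object` and the CEL `ref.Val`.

```go
package main

import "fmt"

// lazyObject is a hypothetical stand-in for the LazyObject described above:
// an object plus a cached, evaluation-ready view of it.
type lazyObject struct {
	obj         map[string]string // stand-in for runtime.Object
	cached      map[string]string // stand-in for the CEL ref.Val; nil = not converted
	conversions int               // how often the expensive conversion ran
}

// Set replaces the object and drops the cached view of the old one.
func (l *lazyObject) Set(obj map[string]string) {
	l.obj, l.cached = obj, nil
}

// Val converts on first use and returns the cached view afterwards.
func (l *lazyObject) Val() map[string]string {
	if l.cached == nil {
		l.conversions++
		l.cached = make(map[string]string, len(l.obj))
		for k, v := range l.obj { // copy models the costly conversion
			l.cached[k] = v
		}
	}
	return l.cached
}

// policy is a constructed validating check: reject privileged objects.
func policy(view map[string]string) bool { return view["privileged"] != "true" }

// evaluate runs n policies, mutates the object through Set (as mutating
// admission would), then runs the n policies again.
func evaluate(n int) (before, after bool, conversions int) {
	l := &lazyObject{}
	l.Set(map[string]string{"privileged": "false"}) // constructed sample object
	before, after = true, true
	for i := 0; i < n; i++ {
		before = before && policy(l.Val())
	}
	l.Set(map[string]string{"privileged": "true"}) // mutation clears the cache
	for i := 0; i < n; i++ {
		after = after && policy(l.Val())
	}
	return before, after, l.conversions
}

func main() { fmt.Println(evaluate(5)) }
```

Ten policy evaluations cost two conversions, and the verdict after the mutation reflects the new object rather than a stale cached view.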
KEP of the Week
This enhancement simplifies Kubernetes node troubleshooting by allowing cluster administrators to securely stream logs from control-plane and worker nodes through a kubelet API or kubectl plugin, eliminating the need to SSH into nodes or build custom log readers. In the past, debugging components such as the kubelet, kube-proxy, or API server often required direct node access just to inspect logs, which can be cumbersome and operationally inefficient. This feature provides centralized access to logs from Linux nodes using systemd/journald, services writing to /var/log/, and supported Windows worker nodes logging to C:\var\log and Application logs. Since node logs may contain sensitive information, access would be restricted to cluster administrators. The KEP does not cover support for non-systemd Linux distributions, nodes with cluster connectivity or configuration issues, or services that do not log to standard locations like /var/log/.
KEP-2258 (Node Log Query) was introduced in Alpha in v1.27, moved to Beta in v1.30, and has now graduated to GA in v1.36.
Other Merges
- Fixed a bug in ImageLocality scoring where image volumes could receive a higher score than equivalent regular container images.
- kubeadm: fixed a panic in kubeadm PKI key loading when the private key type and public key type mismatch.
- Fixed a regression where kubelet did not clear stale cgroup v2 memory.min and memory.low values when the MemoryQoS feature gate was disabled after being previously enabled.
- kubelet: the eviction manager's monitoring goroutine now exits promptly when the kubelet's context is cancelled, fixing a goroutine leak on shutdown.
- Fixed a theoretical issue where nodes might have been denied access to synthesized ResourceClaims for pods using extended resources (e.g. nvidia.com/gpu), causing containers to get stuck in ContainerCreating. Not observed in practice.
- Add metric `apiserver_watch_cache_initialization_duration_seconds` recording the duration of the most recent watch cache initialization, labeled by group and resource.
- The scheduler now avoids redundant preemption attempts during PodGroup scheduling when terminating victim pods are already present on the nominated nodes.
- kube-controller-manager and kube-scheduler now both expose `dynamic_resource_allocation_resourceclaim_creates_total` as metric for number of ResourceClaims created, replacing differently named metrics in each component.
- Added `net.ipv4.tcp_slow_start_after_idle` and `net.ipv4.tcp_notsent_lowat` to the allowed safe sysctls list.
- API Go types switched the json tag for inlined TypeMeta fields from `",inline"` to simply `""`.
- Removed an edge case that could allow malformed object deletion to bypass admission and graceful deletion of well-formed objects.
- Changed the `PatchPodStatus` API in the scheduler framework to accept a [slice of Pod conditions (`[]*v1.PodCondition`)](https://github.com/kubernetes/kubernetes/pull/135160) instead of a single condition (`*v1.PodCondition`). This allows scheduler plugins to update multiple Pod conditions in a single API call, preventing newer calls from overwriting older ones when multiple conditions need to be updated concurrently.
Version Updates
Subprojects and Dependency Updates
- etcd v3.7.0-beta.0 includes RangeStream RPC. Please test!
Shoutouts
- Rey Lejano: Huge thanks to @Seokho Son for supporting the Persian localization team!