Last Week In Kubernetes Development

May 28, 2026

LWKD: Week Ending May 24, 2026


Developer News

wg-batch co-chair Kevin Wang is stepping down to focus on workload-aware scheduling efforts and will become co-chair of wg-workload-aware-scheduling. He has nominated Amy Chen (@amy) as the new wg-batch co-chair, citing her work on Kueue observability, end-user advocacy, and community engagement.

KubeCon North America Maintainer Track CFP is open until July 12. Maintainer Track speaking slots are reserved for SIG Chairs and Tech Leads; contributors interested in presenting should coordinate with their SIG Chair to submit through the SIG’s allocated slot.

Release Schedule

Kubernetes v1.37 Release Schedule is out!

The v1.37 release schedule is now available. The cycle began May 18 and is targeting August 26 for the final release. Key milestones include Enhancements Freeze on June 17 and Code Freeze on July 23.

Dipesh Rawat will serve as Release Lead for v1.37 alongside the release team and shadows. The Call for Enhancements is now open, and SIGs should begin preparing KEPs for the upcoming cycle.

The cherry-pick deadline for the June patch releases is June 5.

Featured PR

139232: validation-gen: elide RegisterValidations for packages with no TypeMeta validations

The declarative-validation toolchain has been graduating quickly over the past several weeks: first the introduction of the +k8s:eachVal tag chain in #138629, then the coverage guardrail in #138872. One side effect of running validation-gen across every API package was a long tail of generated files that registered nothing: empty RegisterValidations functions whose bodies were just return nil. They added no behaviour, but they did add review burden, vendor noise, and confusion for contributors trying to understand which packages actually participate in declarative validation.

This change moves a hasRootTypesWithValidations() check into emitRegisterFunction itself, so the generator simply no-ops when there's nothing to register. That removes 26 empty generated files across pkg/apis/admission, pkg/apis/apps, pkg/apis/policy, and other API package directories. It is also now a prerequisite for #139101, the next step in the same series. The change is scoped to SIG API Machinery and targeted at the v1.37 milestone.

KEP of the Week

KEP-5237: Convert route controller to watch-based reconciliation

This enhancement introduces a watch-based reconciliation mechanism for the Kubernetes route controller using informers, replacing the previous fixed 10-second polling loop. The change reduces unnecessary API requests to infrastructure providers, improves responsiveness when nodes are added or updated, and aligns the route controller with other informer-driven Kubernetes controllers. Additional work also introduced route synchronization metrics along with supporting documentation and feature blog updates.

The watch-based route controller reconciliation enhancement is currently in the Alpha stage.

Other Merges

  • Exposes the error reason when invalid service CIDRs are configured.
  • Fixes a 1.34+ regression handling containers with environment values set from Secret API objects containing binary non-utf8 data.
  • Fixed queue hint for inter-pod anti-affinity in case there are multiple terms, which might have caused delays in scheduling.
  • The apiserver_storage_list_* metrics now include storage and index labels to distinguish the storage backend and lookup path used to serve LIST requests.
  • kubectl: filter top pod metrics using pod field selectors
  • kubeadm: the preflight check ContainerRuntimeVersion validates if the installed container runtime supports the RuntimeConfig gRPC method.
  • Fixed duplicate logs when trying to attach to a pod fails.
  • kube-controller-manager: The HPA controller now defers syncing an HPA object when the controller has not yet observed HPA status writes from the last time the object was synced.
  • Once group-level preemption succeeds, each pod in the PodGroup gets a tentative node assignment through nominatedNodeName, just like a normal preempting pod does.
  • kubeadm: fixed a panic in kubeadm PKI key loading when the private key type and public key type mismatch.
  • Optimized CEL admission policy evaluation by adopting a lazy zero-allocation reflection-based utility for object traversal, significantly reducing CPU usage and garbage collection overhead during request processing.
  • Fixed a kube-proxy IPVS-mode performance bug where syncProxyRules could take tens of seconds in clusters with many Services because GetAllLocalAddressesExcept issued one full netlink address dump per interface. The function now issues a single dump per address family, reducing syncProxyRules latency by orders of magnitude on large clusters.
  • Fixed a panic in the endpoint controller when processing services with empty IPFamilies field.
  • Converts the DisruptionMode enum field to struct to support future extensibility.
  • Fixed a bug where pods with multiple subPath volume mounts on Windows would get stuck in Terminating state because file handles from subPath preparation were leaked, preventing volume cleanup.
  • Added the AnnotatedEventf method to the new events API (EventRecorder and EventRecorderLogger interfaces in client-go/tools/events).
  • Added ServiceName, PodManagementPolicy, and PersistentVolumeClaimRetentionPolicy to kubectl describe statefulset output.
  • Fixed a DRA scheduling bug that could allow two Pods to be assigned conflicting partitions of the same shared device. The scheduler now correctly remembers shared device usage across scheduling cycles, preventing accidental double-allocation that could cause device conflicts, workload failures, crashes, or data loss.

Deprecated

  • The deprecated ALPHA metrics apiserver_cache_list_total, apiserver_cache_list_fetched_objects_total, and apiserver_cache_list_returned_objects_total are no longer exposed by default. Users should migrate to the unified apiserver_storage_list_* metrics with the storage="watchcache" label.
  • The no-op DefaultWatchCacheSize field of k8s.io/apiserver/pkg/server/options.EtcdOptions is now removed.

Promotions

  • apiserver_watch_events_total and apiserver_watch_events_sizes to BETA
  • serviceaccount_legacy_tokens_total, serviceaccount_stale_tokens_total, serviceaccount_valid_tokens_total to BETA
  • apiserver webhook apiserver_webhooks_x509_missing_san_total and apiserver_webhooks_x509_insecure_sha1_total metrics to BETA.

Version Updates

  • golang.org/x/crypto to v0.52.0

Subprojects and Dependency Updates

  • vsphere-csi-driver v3.7.1: fix PVC provisioning failures, fix CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32281, CVE-2026-32283
  • containerd v2.3.1: fix CVE-2026-46680, block AF_ALG seccomp, fix gRPC plugin startup, fix sandbox task API; also v2.2.4, v2.0.9, v1.7.32
  • nerdctl v2.3.1: promote to GA, add Compose healthcheck support, fix CNI config panic, update BuildKit v0.30.0
  • prometheus v3.12.0-rc.0: fix remote write DoS, fix STACKIT secret exposure, add DigitalOcean/Outscale SD, add PromQL start/end/range/step functions, improve TSDB chunk lookup performance