LWKD: Week Ending October 26, 2025
Developer News
The steering committee election voting period closed last week. The results will be announced in the public steering meeting next Wednesday.
Some reminders for folks attending KubeCon NA 2025 about the Kubernetes Contributor Hour and the SIG/WG Meet and Greet
Release Schedule
Next Deadline: Code Freeze, 7th November
With the feature blog freeze in place, KEP assignees are expected to open placeholder PRs for their blogs. Please reach out to the Release Comms team for more information. We're one week away from the v1.35 code freeze. Get your PRs ready and don't forget to file an early exception if you anticipate any delays!
October patch releases have been skipped altogether.
KEP of the Week
KEP-5007: DRA: Device Binding Conditions
This KEP introduces BindingConditions, enabling the scheduler to delay Pod binding until external resources such as fabric-attached GPUs or FPGAs are confirmed ready. This improves scheduling reliability by preventing premature bindings that could lead to Pod failures or require manual intervention. The mechanism also supports asynchronous or failure-prone scenarios, including remote accelerators and FPGA reprogramming.
This KEP is tracked for beta in v1.35.
Other Merges
- DRA resources use eachKey declarative validation to mirror map-key checks and keep generated DV in sync with handwritten rules
- CSI NodePublishVolumeRequest now carries pod service account tokens in the gRPC secrets field instead of volume_context
- DRA DeviceAttribute now declares its non-discriminated union with +k8s:unionMember, so declarative validation can enforce “exactly one value set”
- Add +k8s:maxLength (and +k8s:optional) to NetworkDeviceData so generated DV can cap interfaceName / hardwareAddress lengths and match handwritten validation
- Wire storage.k8s.io (StorageClass) into declarative validation and mark provisioner as +k8s:required, so generated DV now matches the old handwritten strategy on create/update
- StorageVersionMigration (SVM) graduates to v1beta1 and drops the old v1alpha1/unused fields, so clusters must clean up any storage.k8s.io/v1alpha1 SVM objects before upgrading
- kubectl finally drops support for the long-deprecated certificates.k8s.io/v1beta1 CertificateSigningRequest.
- Add mtlsclient and mtlsserver for the mtls validations
- apiserver cacher’s lister_watcher now exposes WatchList semantics
- Enable declarative validation for resource.k8s.io ResourceSlice (v1/v1beta1/v1beta2)
- Introduce pod queuing in endpoint/slice controllers
- Add k8s-resource-fully-qualified-name format
- Implements synthetic create authz permission check for exec, attach, and portforward
- Enable Declarative Validation (DV) support for ClusterRole and RoleBinding
- Replace HandleCrash and HandleError calls to use context-aware alternative
- Bump supported etcd version to v3.5.24 for release v1.32, v1.33, and v1.3
Promotions
- Pod Generation to GA
- ContainerRestartRules to beta
- RelaxedServiceNameValidation to beta
- PreferSameTrafficDistribution to GA
Version Updates
- etcd sdk to v3.6.5
- system-validators to v1.12.1
Subprojects and Dependency Updates
- containerd v2.2.0-rc.0 (pre-release) adds a mount manager, supports conf.d includes in the default config, and adds back-references in the garbage collector. It improves CRI with ListPodSandboxMetrics and image-volume subpaths, adds parallel image unpack and a referrers fetcher, updates EROFS snapshotter, enables OTEL traces and WASM plugin support in NRI, speeds shim reloads, and postpones some deprecations to 2.3.
- containerd API v1.10.0-rc.0 (pre-release) aligns with containerd 2.2, introducing the mount manager and parallel unpack support in the API.
- prometheus v3.7.3 fixes a UI redirect regression with -web.external-url and -web.route-prefix, corrects federation for some native histograms, fixes a promtool check config failure when --lint=none is set, and resolves a remote-write queue resharding deadlock.