LWKD: Week Ending September 28, 2025
Developer News
Instead of reviving the WG API Expression working group, a new SIG API Machinery subproject meeting on Declarative APIs and Linters was held on Sept 23, 2025, at 9 AM PST. The subproject carried the same goals as the proposed WG, and meeting details were shared in the Agenda & Notes document.
The WG AI Gateway has officially launched with a Slack channel, #wg-ai-gateway, and a mailing list. Meetings will begin next week, and the community is encouraged to join and participate.
Release Schedule
Next Deadline: PRR Freeze, October 9
Kubernetes v1.35 is moving along — APAC-friendly meetings are running and enhancement opt-ins are open.
Starting from v1.35, PRR Freeze is a hard deadline. No new KEPs may be opted in after the PRR Freeze deadline. Read more about the new PRR Freeze rules here. If your KEP misses the PRR Freeze deadline, you need to submit an exception for your KEP within 3 days after PRR Freeze. Read more about the exception process here. If you have any questions, feel free to reach out in the #sig-release or the #prod-readiness channels in Slack.
If you’re an enhancement owner, make sure your KEP is up to date (status: implementable, milestone: v1.35, test plan + PRR filled) before PRR Freeze on Oct 9 (AoE) / Oct 10, 12:00 UTC.
The next cherry-pick deadline for patch releases is Oct 10.
Featured PRs
134330: Add resource version comparison function in client-go along with conformance
This PR introduces a helper function for comparing Kubernetes resource versions. Resource versions are used for concurrency control and watch operations, but until now they could only be compared as opaque strings. The new function allows direct comparison of resource versions for objects of the same type. Alongside this, conformance tests have been added to ensure consistent handling across GA resources, making resource version behavior clearer and more reliable.
KEP of the Week
KEP-4412: Projected service account tokens for Kubelet image credential providers
This KEP proposes a secret-less image-pull flow that leverages ephemeral Kubernetes Service Account (KSA) tokens instead of long-lived ImagePullSecrets or node-wide kubelet credential providers. A pod-bound, short-lived KSA token would be used (or exchanged) to obtain transient, workload-scoped image-pull credentials before the pod starts, avoiding persisted secrets in the API or node and allowing external validators to rely on OIDC-like token semantics. This ties image-pull authorization to the workload identity, simplifies secret rotation and management, and reduces the security risk posed by long-lived, hard-to-rotate credentials.
This KEP is tracked for beta in v1.34.
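An added example (not from the KEP or the Kubernetes code base): the claim checks an external validator, such as a registry's token-exchange endpoint, might apply to a pod-bound service account token after its signature has been verified against the cluster's issuer keys. The audience, lifetime cap, function name and sample claims are constructed assumptions.

```python
import time

# Assumed policy values for this sketch (not from KEP-4412).
EXPECTED_AUDIENCE = "registry.example.test"  # hypothetical audience
MAX_LIFETIME_SECONDS = 3600                  # hypothetical lifetime cap

# Constructed sample claims in the layout of a pod-bound service account token.
SAMPLE_CLAIMS = {
    "iss": "https://oidc.example.test",
    "aud": ["registry.example.test"],
    "sub": "system:serviceaccount:payments:api",
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
    "kubernetes.io": {
        "namespace": "payments",
        "serviceaccount": {"name": "api", "uid": "constructed-sa-uid"},
        "pod": {"name": "api-7c9f", "uid": "constructed-pod-uid"},
    },
}

def check_pull_token_claims(claims, now=None):
    """Return (ok, detail) for claims whose signature was already verified."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if EXPECTED_AUDIENCE not in aud:
        return False, "wrong audience"  # token minted for another relying party
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        return False, "missing iat/exp"
    if now >= exp:
        return False, "expired"
    if exp - iat > MAX_LIFETIME_SECONDS:
        return False, "lifetime too long"  # reject long-lived tokens outright
    k8s = claims.get("kubernetes.io") or {}
    ns = k8s.get("namespace")
    sa = (k8s.get("serviceaccount") or {}).get("name")
    pod = k8s.get("pod") or {}
    if not pod.get("name") or not pod.get("uid"):
        return False, "not pod-bound"  # plain SA token, not tied to a workload
    if not ns or not sa or claims.get("sub") != f"system:serviceaccount:{ns}:{sa}":
        return False, "subject mismatch"
    return True, f"{ns}/{sa} pod={pod['name']}"

if __name__ == "__main__":
    print(check_pull_token_claims(SAMPLE_CLAIMS, now=1_700_000_100))
```

The returned namespace, service account and pod name are what a validator would map to workload-scoped pull permissions.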
Other Merges
- Deallocate extended resource claims on pod completion
- Introduce k8s:customUnique tag to control listmap uniqueness validation
- Add +enum tag to DeviceAllocationMode type
- kubeadm: wait for apiserver using a local client, not the control-plane endpoint
- Revert async preemption corner-case fix — undoes prior change to scheduler preemption behavior
- kubeadm removes the RootlessControlPlane feature gate as UserNamespacesSupport becomes the replacement
- Enable SSATags linter to enforce +listType on lists in APIs
- API Dispatcher drops goroutine limit to avoid throughput regression under high latency
- Kubelet and controller: enable more asynchronous node status updates and improve tracing/logging
- DRA: allocator selection uses correct “incubating” implementation by default
- kube-proxy: list available endpoints in /statusz
- Restore partial functionality of AuditEventFrom
- Add explicit feature gate dependencies with validation
- Kubernetes is now built with Go v1.24.7
Promotions
- Graduate ControlPlaneKubeletLocalMode to GA
Version Updates
- Update publishing rules to use Go v1.24.7
Subprojects and Dependency Updates
- cluster-autoscaler v1.34.0 promotes In-Place Updates to Beta, adds Capacity Buffer CRD/controller, improves scale-up logic across multiple providers, and deprecates older flags/APIs
- cluster-autoscaler-chart v0.1.0 automatically adjusts resources for workloads
- gRPC v1.75.1 adds Python 3.14 support, fixes Python async shutdown race, and refines interpreter exit handling
- helm-chart-aws-cloud-controller-manager v0.0.10 installs Cloud Controller Manager for AWS Cloud Provider
- ingress-nginx helm-chart v4.13.3 updates Ingress-Nginx to controller v1.13.3
- nerdctl v2.1.6 reserves ports in rootful mode to prevent conflicts
Shoutouts
- No shoutouts this week. Want to thank someone for special efforts to improve Kubernetes? Tag them in the #shoutouts channel.