LWKD: Week Ending September 7, 2025
Developer News
With the deepest regret, we must share that Kubernetes lost long-time contributor Han Kang last week. Share remembrances of Han on the CNCF memorial page.
The Kubernetes v1.35 Release Team shadow application is open till Sept 14, 2025, with results by Sept 22 and the release cycle running Sept 15–Dec 17. Learn more in the Release Team Overview, Shadows Guide, Role Handbooks, and Selection Criteria. Updates will be shared in the #sig-release Slack channel and the kubernetes/sig-release repo.
A medium-severity flaw (CVE-2025-7445) in secrets-store-sync-controller < v0.0.2 may expose service account tokens in logs, risking cloud vault access. Upgrade to v0.0.2+ and check logs for leaked or misused tokens. See the Kubernetes CVE details here.
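For the log check recommended above for CVE-2025-7445, one way to triage exported controller logs (an added example, not code from the Kubernetes project or the advisory): it finds JWT-shaped strings whose sub claim starts with system:serviceaccount:, the subject format of Kubernetes service account tokens, and reports a hash fingerprint instead of the token. The sample token, the log layout and all function names are constructed for illustration.

```python
import base64
import hashlib
import json
import re

# A JWT is three base64url segments joined by dots; the first two begin with
# "eyJ" because each is the encoding of a JSON object starting with '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
SA_PREFIX = "system:serviceaccount:"  # "sub" format of service account tokens

def _decode_segment(segment):
    """Decode one base64url segment to a dict, or None if it is not JSON."""
    try:
        value = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from it
        return None
    return value if isinstance(value, dict) else None

def find_leaked_sa_tokens(lines):
    """Return one finding per service account token found in the log lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in JWT_RE.finditer(line):
            token = match.group(0)
            header, claims = (_decode_segment(s) for s in token.split(".")[:2])
            if header is None or claims is None:
                continue  # JWT-shaped, but does not decode: not a token
            subject = str(claims.get("sub", ""))
            if subject.startswith(SA_PREFIX):
                findings.append({
                    "line": lineno, "subject": subject,
                    "audience": claims.get("aud"), "expires": claims.get("exp"),
                    # Report a hash, never the token, so the report is not a second leak.
                    "fingerprint": hashlib.sha256(token.encode()).hexdigest()[:16],
                })
    return findings

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
# Constructed sample data: dummy signature, made-up names, assumed log layout.
CLAIMS = {"sub": SA_PREFIX + "demo:sync-sa", "aud": ["vault.example"], "exp": 1757203200}
SAMPLE_TOKEN = ".".join([_b64({"alg": "RS256"}), _b64(CLAIMS), "c2lnbmF0dXJl"])
SAMPLE_LOG = [
    'I0905 10:00:01 controller.go:1] "reconciling" name="demo/secret-a"',
    'I0905 10:00:02 controller.go:2] "token request" token="' + SAMPLE_TOKEN + '"',
    'I0905 10:00:03 controller.go:3] "opaque value" blob="eyJ4.eyJ4.abc"']

if __name__ == "__main__":
    print(find_leaked_sa_tokens(SAMPLE_LOG))
```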
Steering Committee Election
The nomination period for the Kubernetes Steering Committee Election has ended.
Now it's time for your vote! The Steering Committee Election begins on Friday, 12th September. You can check your eligibility to vote in the voting app, and file an exception request if you need to.
Release Schedule
Next Deadline: 1.35 Release Cycle Starts, September
The Kubernetes v1.35 Release Team shadow application opened on Sept 4 and will close on Sept 14, 2025 (midnight anywhere). Selected applicants will be notified by Sept 22, and the release cycle is expected to run from Sept 15 to Dec 17, 2025. This is a great opportunity to get involved with the release process!
The cherry pick deadlines closed on Sept 5 for Kubernetes 1.33.5, 1.32.9, and 1.31.13, all targeting release on Sept 9, 2025.
Featured PRs
133097: Resolve confusing use of TooManyRequests error for eviction
This PR resolves an issue where pod eviction requests could return a TooManyRequests (429) error with an unrelated disruption budget message. The API server now reports a clearer error when eviction is blocked by the fail-safe mechanism in the DisruptionController, avoiding misleading responses.
133890: Fix missing kubelet_volume_stats_* metrics
This PR fixes a regression in v1.34 where kubelet_volume_stats_* metrics disappeared from the kubelet metrics endpoint. The bug was caused by multiple calls to Register(). The fix ensures the metrics are registered correctly and reported again.
KEP of the Week
KEP 740: Support external signing of service account tokens
This KEP enables Kubernetes to integrate with external key management solutions such as HSMs and cloud KMS for signing service account tokens. It supports out-of-process JWT signing and dynamic public key discovery, improving security and allowing key rotation without restarting kube-apiserver. Existing file-based key management remains supported as a fallback.
This KEP is tracked for beta in v1.34.
Other Merges
- DRA kubelet: Avoid deadlock when gRPC connection to driver goes idle
- Add k8s-long-name and k8s-short-name format validation tags
- Prevent missing kubelet_volume_stats metrics
- Show real error reason in pod STATUS when a pod has both Running and Error containers
- Migrate plugin-manager logs to contextual logging — improves developer diagnostics, no user-facing impact
- Add Close() API to remote runtime/image — enables graceful gRPC cleanup, prevents resource leaks
- Add the correct error when eviction is blocked due to the failSafe mechanism of the DisruptionController
- Configure JSON content type for generic webhook RESTClient
- Disable estimating resource size for resources with watch cache disabled
- Enforce that all resources set resourcePrefix
- Prevent error logs by skipping stats collection for resources missing resourcePrefix
- Add paths section to kubelet statusz endpoint
- Lock down the AllowOverwriteTerminationGracePeriodSeconds feature gate.
- Add +k8s:ifEnabled / +k8s:ifDisabled / +k8s:enumExclude tags for validation
- Add stress test for pod cleanup on VolumeAttachmentLimitExceeded
Deprecated
- Removed deprecated gogo protocol definitions from k8s.io/kubelet/pkg/apis/dra in favor of google.golang.org/protobuf.
- Drop SizeMemoryBackedVolumes after the feature GA-ed in 1.32
- Remove GA feature gate ComponentSLIs (now always on)
Version Updates
- Update CNI plugins to v1.8.0
- Bump gengo to v2.0.0-20250903151518-081d64401ab4
Subprojects and Dependency Updates
- cloud-provider-aws v1.34.0 resolves nil pointer dereferences, updates topology labels and EC2 SDK, adds a TG reconciler for NLB hairpinning, and refreshes Go deps
- coredns v1.12.4 fixes DoH context propagation, file plugin label offsets, gRPC/transfer leaks, and adds loadbalance prefer and metrics timeouts
- cri-o v1.34.0 moves to Kubernetes v1.34 dev, switches to opencontainers/cgroups with runc 1.3, improves container monitoring, and fixes deadlocks and terminal resize issues.
- minikube v1.37.0 adds krunkit driver for macOS GPU AI workloads, introduces kubetail addon, supports Kubernetes v1.34.0, deprecates HyperKit, and updates key addons and CNIs