Kubernetes v1.35: Timbernetes Release Enhances Platform Capabilities

**Kubernetes v1.35: A Growing Community Achievement** Kubernetes continues to flourish, exemplified by the release of v1.35, which introduces a rich assortment of features across stability levels. This release not only highlights the ongoing evolution of Kubernetes but also reflects the dedicated efforts of its vibrant user and developer community. A noteworthy aspect of this particular version is the introduction of a total of 60 enhancements, distributed across 17 stable features, 19 in beta, and 22 classified as alpha. Such numbers reinforce Kubernetes' commitment to continuous improvement, showcasing a development cycle that delivers meaningful updates with each iteration. As with previous versions, any revisions include some deprecations and removals, and users are advised to familiarize themselves with these changes [here](#deprecations-removals-and-community-updates). Understanding these adjustments is crucial for those managing current deployments, as they can directly impact workflows and integration processes. **The Theme Behind the Release** This release is framed by a creatively inspired theme that draws on mythology, specifically Yggdrasil, the world tree from Norse traditions. The whimsical release logo features a majestic tree intertwined with a Kubernetes wheel that cradles the globe, symbolizing how Kubernetes underpins various realms of open-source development. The imagery also portrays three squirrels—each representing vital roles within the community: a wizard for code reviewers, a warrior for the release teams, and a rogue bringing visibility to issue resolution. This playful motif cleverly embodies the spirit of collaboration and stewardship prevalent in the Kubernetes ecosystem. The storytelling behind the release not only serves to engage the community but also emphasizes the importance of collective contribution. As Kubernetes grows, more hands and unique perspectives contribute to its development, ensuring that the project remains relevant and robust. The final message is clear: just like a tree that flourishes through nurturing, the Kubernetes ecosystem thrives through the commitment of its users and maintainers. **Highlighting Key Updates** Among the advancements in Kubernetes v1.35, a few stand out. The in-place update of Pod resources, now classified as General Availability, allows for modifications to CPU and memory settings without the disruptive need to recreate Pods. This change will particularly benefit users managing critical applications that require high availability. Another highlight is the introduction of native workload identity and security certificates for Pods. This feature simplifies service mesh setups and supports zero-trust frameworks by automating the process of certificate issuance and rotation, mitigating complexities that come from relying on external solutions. Lastly, the innovative framework that allows nodes to declare their supported features before scheduling represents a significant leap forward, focusing on compatibility and ensuring workloads are efficiently deployed to appropriate nodes based on their capabilities. If you're actively working within this space, these enhancements signal a strong shift towards improving operational efficiency and resource management in Kubernetes clusters. It’s a promising leap, echoing the community-driven ethos that makes Kubernetes a cornerstone of container orchestration.

Configurable Tolerance for Horizontal Pod Autoscalers

Historically, the Horizontal Pod Autoscaler (HPA) relied on a rigid 10% tolerance for scaling operations, which presented issues for workloads that needed highly sensitive adjustments. For example, a workload that should scale at a mere 5% increase in load was often hindered by this fixed threshold, while others could experience excessive scaling fluctuations. With the release of Kubernetes v1.35, this hardcoded tolerance received a significant overhaul. The new beta feature allows users to customize tolerance levels on an individual resource basis through the HPA’s `behavior` field. This means you can set more precise tolerances—like adjusting it to 0.05 for a 5% load increase—affording administrators greater control over autoscaling responsiveness. Such granularity is crucial for ensuring critical applications can react to minimal load changes without necessitating adjustments across the entire cluster. This development stems from the efforts of SIG Autoscaling and is encapsulated in KEP #4951.

Support for User Namespaces in Pods

Kubernetes is enhancing pod security through the introduction of user namespaces. This feature allows pods to utilize isolated user and group ID mappings, rather than operating with shared host IDs. Consequently, this means that containers can function with root privileges internally while being assigned to unprivileged users on the host system. This change significantly mitigates the risk of privilege escalation if a vulnerability occurs within a container. The implementation of user namespaces has expanded its reach, covering both stateless and stateful Pods via ID-mapped mounts. This is a notable step forward in pod security, particularly for workloads that require elevated permissions without exposing the host to unnecessary risks. Led by SIG Node and documented in KEP #127, this enhancement represents a critical evolution in how Kubernetes addresses security concerns in shared environments.

Fine-grained Container Restart Rules

In previous releases, the restartPolicy was confined to the Pod level, applying uniformly to all containers therein. This broad application often did not suit complex workloads, especially those in AI and machine learning, where a distinct approach to handling failures could enhance efficiency. For instance, while a job might need a Pod to be marked as restartPolicy: Never to appropriately manage completion, specific containers within it might benefit from the ability to restart in response to non-critical errors, such as transient network issues. Kubernetes v1.35 addresses this limitation by allowing users to specify restartPolicy and restartPolicyRules at the container level. This capability grants administrators the flexibility to set targeted restart strategies for individual containers, enabling in-place restarts without necessitating a full rescheduling of the Pod. As a result, the overall resource efficiency and recovery times for long-running workloads are markedly improved, providing operators with more granular control over their application lifecycles. This feature, which is enabled by default and led by SIG Node as part of KEP #5307, is poised to streamline the management of complex job scenarios.

Enforced Kubelet Credential Verification for Cached Images

The imagePullPolicy: IfNotPresent configuration traditionally allowed Pods to utilize cached container images without needing verified credentials. This practice posed a security concern in multi-tenant clusters. If a Pod pulled a private image, any subsequent Pods on that node could access it via the cached version, creating potential vulnerabilities. Kubernetes v1.35 introduces an enforced credential verification mechanism through the kubelet, ensuring that a Pod must possess valid credentials before it can leverage any locally cached images. This crucial update helps safeguard against unauthorized access to private images, particularly in environments where multiple entities share resources. While users can disable this feature via the KubeletEnsureSecretPulledImages feature gate, the inclusion of configurable security settings—under imagePullCredentialsVerificationPolicy—gives operators better oversight and choice about their security posture. This layer of security represents a proactive stance toward minimizing risks in shared cluster environments and was documented under KEP #2535 by SIG Node.### The Road Ahead with Kubernetes v1.35 Kubernetes v1.35 marks a pivotal evolution in how resource versioning is approached within the platform. While earlier versions allowed only for basic string comparisons of resource versions—essentially checking if two versions held identical values—the introduction of a new numerical definition in v1.35 fundamentally alters the game. This means clients can now conduct nuanced comparisons independently. Imagine a client reestablishing a connection after a crash being able to differentiate between lost updates and unmodified data. That shift is transformative for operational resilience and reliability, especially in complex environments where keeping track of changes is critical. Moreover, this change supports an entire suite of enhanced capabilities that go beyond simple version checking. For instance, it facilitates storage version migration, which is crucial for maintaining backward compatibility as features evolve. Performance improvements in informers—a handy client-side tool for managing Kubernetes objects—are also on the table. When a client needs to ascertain whether one resource version has superseded another, efficiency and clarity are paramount. All this stems from the groundwork laid by KEP #5504, led by SIG API Machinery, further showcasing the community's commitment to iterative progress. ### Key Changes and What They Mean In addition to new features like the robust revision tracking, Kubernetes v1.35 also brings a number of graduations and deprecations that users must keep in mind. Fifteen enhancements have graduated to stable status, offering a stronger foundation for building applications. However, alongside advancements, there come necessary retirements. Take the Ingress NGINX controller, for example—once a stalwart in traffic management but now facing a sustainability crisis due to a shortage of maintainers. This isn't just a technical shift; it's a wake-up call for the community to embrace the more modern Gateway API, which is being positioned as the future of ingress traffic management. The removal of cgroup v1 support further underscores a critical shift toward more efficient resource management with cgroup v2. For cluster administrators, this is a pressing reminder: if they persist with older Linux distributions that don't support cgroup v2, they may risk operational integrity. ### Looking Forward As you contemplate the implications of Kubernetes v1.35, consider this: while embracing new features and deprecations, ensure your infrastructure aligns with the shifts. The deprecation of features like `ipvs` mode in kube-proxy signals a broader intent to simplify and modernize Kubernetes. This focus on maintaining a clean codebase rather than accommodating outdated options could translate to more effective resource management in the long run. Whether you’re just starting with Kubernetes or are a seasoned admin, keeping abreast of these changes is crucial. Embrace the progress while preparing for the impending transitions and migrations ahead. Kubernetes isn’t just a platform; it’s a continuously evolving ecosystem that demands our attention and adaptation. If you're in this space, staying informed is not just beneficial—it's imperative for success. Explore the complete list of updates in the [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.35.md) and consider diving into the tutorials available on the Kubernetes website for practical, hands-on experiences.