★ 6/10 · Infra · 2025-11-26

Kubernetes v1.35 Sneak Peek

Summary

Kubernetes v1.35 introduces critical breaking changes, including the removal of cgroup v1 support and the end of support for containerd v1.x. The release also features significant functional advancements, such as the graduation of in-place Pod resource updates to General Availability and the introduction of numeric comparison operators for taints.

Key Points

  • Removal of cgroup v1 support: Linux nodes must use cgroup v2; otherwise, the kubelet will fail to start.
  • Deprecation of kube-proxy ipvs mode: The ipvs mode is being deprecated in favor of nftables for Linux nodes to reduce technical debt.
  • End of containerd v1.x support: Kubernetes v1.35 is the final release to support containerd 1.7 and earlier; users must migrate to containerd 2.0 or later.
  • In-place Pod resource updates (GA): Users can now adjust CPU and memory resources for existing Pods without requiring a restart.
  • Numeric taints and tolerations: New Gt (Greater Than) and Lt (Less Than) operators allow for SLA-based scheduling and automated eviction via NoExecute.
  • Pod certificates (Beta): A new mechanism allows the kubelet to request and mount certificates via projected volumes to provide native workload identity.
  • User Namespaces (Beta): Continued progress in Linux User Namespace support allows remapping container root (UID 0) to unprivileged host UIDs.

Technical Details

The v1.35 release focuses on modernizing the underlying infrastructure and improving scheduling precision. The removal of cgroup v1 support necessitates that all Linux nodes run distributions with cgroup v2 enabled to maintain kubelet functionality. Regarding container runtimes, the transition away from containerd 1.x is driven by the need for automated cgroup driver detection; administrators can monitor the kubelet_cri_losing_support metric to identify nodes running unsupported versions.
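
The two node-level breaking changes above can be triaged before the upgrade with a short script. This is an added example, not code from the Kubernetes project: the function names and the three sample nodes are constructed for illustration. It assumes the cgroup filesystem type comes from running stat -fc %T /sys/fs/cgroup on each node and the runtime string from the CONTAINER-RUNTIME column of kubectl get nodes -o wide.

```shell
#!/bin/sh
# Added example (not from the Kubernetes project): v1.35 pre-upgrade node triage.
# fstype:  output of `stat -fc %T /sys/fs/cgroup` run on the node
# runtime: CONTAINER-RUNTIME column of `kubectl get nodes -o wide`

# cgroup2fs means the unified cgroup v2 hierarchy; tmpfs means legacy cgroup v1.
cgroup_version() {
    case "$1" in
        cgroup2fs) echo v2 ;;
        tmpfs)     echo v1 ;;
        *)         echo unknown ;;
    esac
}

# Print the containerd major version; print nothing for other or unparsable runtimes.
containerd_major() {
    case "$1" in
        containerd://*) ;;
        *) return 0 ;;
    esac
    v=${1#containerd://}
    v=${v#v}
    v=${v%%.*}
    case "$v" in
        ''|*[!0-9]*) return 0 ;;
    esac
    echo "$v"
}

# BLOCKER: kubelet will not start. WARN: v1.35 is the last release to support it.
triage_node() {
    cg=$(cgroup_version "$1")
    major=$(containerd_major "$2")
    if [ "$cg" = v1 ]; then echo "BLOCKER: cgroup v1"
    elif [ "$cg" = unknown ]; then echo "UNKNOWN: cgroup fstype '$1'"
    elif [ -n "$major" ] && [ "$major" -lt 2 ]; then echo "WARN: containerd $major.x"
    else echo "OK"
    fi
}

# Constructed sample fleet: name, fstype, runtime.
while read -r name fstype runtime; do
    printf '%-8s %s\n' "$name" "$(triage_node "$fstype" "$runtime")"
done <<'EOF'
node-a cgroup2fs containerd://2.0.1
node-b cgroup2fs containerd://1.7.13
node-c tmpfs containerd://1.6.28
EOF
```

A node on cgroup v1 is reported as a blocker even when its containerd version is also old, because the kubelet start failure is the more urgent of the two findings.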

New scheduling capabilities include the node declared features framework (Alpha), which utilizes a new .status.declaredFeatures field on nodes to report supported Kubernetes features to the control plane, reducing version skew issues. Furthermore, the expansion of taints and tolerations to include numeric comparison operators (Gt, Lt) enables more complex scheduling logic, such as ensuring Pods only run on nodes meeting specific reliability thresholds. For resource management, the graduation of in-place updates to GA leverages the UpdateContainerResources API, allowing for vertical scaling of CPU and memory without disrupting workloads.

Impact / Why It Matters

Cluster administrators must prioritize upgrading Linux distributions and container runtimes to prevent node failure during the v1.35 upgrade. For developers, these updates provide more efficient vertical scaling and enhanced security through native workload identity and improved user namespace isolation.
