★ 7/10 · Infra · 2025-12-17

Kubernetes v1.35: Timbernetes (The World Tree Release)

Summary

Kubernetes v1.35 introduces 60 enhancements, consisting of 17 stable, 19 beta, and 22 alpha features. This release focuses on improving resource management efficiency, automating workload identity, and enhancing scheduling precision.

Key Points

  • In-place updates for Pod CPU and memory resources have graduated to General Availability (GA), allowing for vertical scaling without Pod or Container restarts (KEP #1287).
  • Pod certificates for workload identity have moved to Beta, enabling the kubelet to generate keys and manage certificate rotation via PodCertificateRequest without external controllers (KEP #4317).
  • The trafficDistribution field for Services now includes a PreferSameNode option, and the PreferClose option has been renamed to PreferSameZone (KEP #3015).
  • Node topology labels (e.g., topology.kubernetes.io/zone and topology.kubernetes.io/region) can now be exposed via the Downward API in Beta (KEP #4742).
  • The .metadata.generation field for Pods is now stable, allowing for reliable tracking of spec updates via the .status.observedGeneration field (KEP #5067).
  • The max-allowable-numa-nodes configuration for the topology manager is now stable, enabling support for high-end servers with more than 8 NUMA nodes (KEP #4622).
  • An alpha feature (KEP #5328) allows nodes to report supported capabilities via a new .status.declaredFeatures field to assist the scheduler.

Technical Details

The v1.35 release introduces significant changes to how Pod resources and identities are managed. The GA in-place update functionality (KEP #1287) allows users to modify CPU and memory requests and limits for existing Pods, eliminating the Pod recreation that previously disrupted stateful or batch workloads. To support this and other updates, the stabilization of .metadata.generation (KEP #5067) ensures that controllers can verify whether the kubelet has processed a specific version of a Pod spec by comparing .metadata.generation with .status.observedGeneration.

In terms of security and networking, the Beta implementation of Pod certificates (KEP #4317) has the kubelet generate keys and request certificates through PodCertificateRequest, writing credential bundles directly to the Pod's filesystem. This reduces reliance on external tools like cert-manager for basic rotation and enables mTLS flows without bearer tokens in the issuance path. Additionally, the networking API updates (KEP #3015) provide more granular control over traffic routing, specifically allowing Services to prioritize endpoints on the local node via the PreferSameNode option.
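As an added illustration (not taken from the release announcement), the manifest below shows the two features just described together: a Pod that receives a kubelet-managed certificate through a projected podCertificate volume source, and a Service that prefers endpoints on the same node. The Pod and Service names, image, mount path and signer name are placeholders; the podCertificate field names follow KEP #4317's projected volume source as I understand it, and the cluster is assumed to have the PodCertificateRequest feature enabled and a signer serving that signerName.

```yaml
# Added example, not part of the v1.35 release notes.
# Assumes the PodCertificateRequest feature is enabled (Beta in v1.35 per the
# text above) and that a signer for the placeholder signerName is present.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api            # constructed name
  labels:
    app: payments-api
spec:
  containers:
  - name: app
    image: registry.example/payments-api:1.0   # placeholder image
    ports:
    - containerPort: 8443
    volumeMounts:
    - name: workload-cert
      mountPath: /var/run/workload-identity   # placeholder path
      readOnly: true             # the kubelet owns these files; the app only reads them
  volumes:
  - name: workload-cert
    projected:
      sources:
      - podCertificate:
          signerName: example.com/mesh-ca   # placeholder signer
          keyType: ED25519                  # private key is generated by the kubelet on the node
          credentialBundlePath: credentialbundle.pem   # PEM key + chain, rotated by the kubelet
---
apiVersion: v1
kind: Service
metadata:
  name: payments-api
spec:
  selector:
    app: payments-api
  trafficDistribution: PreferSameNode   # new option in v1.35 (KEP #3015)
  ports:
  - port: 443
    targetPort: 8443
```

The application should re-read the bundle from the mount rather than caching it at startup, since the kubelet replaces the file on rotation; no bearer token is involved in obtaining the certificate.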

Impact / Why It Matters

Developers can implement more efficient, non-disruptive vertical scaling and simplified zero-trust architectures using native workload identity. Cluster administrators benefit from improved hardware utilization on large NUMA-based servers and more accurate scheduling through node-declared feature sets.

kubernetes infrastructure devops