Kubernetes v1.36 Sneak Peek
Summary
Kubernetes v1.36, scheduled for release on April 22, 2026, introduces significant API removals, the retirement of the Ingress NGINX project, and advancements in Dynamic Resource Allocation (DRA). These updates focus on hardening cluster security and improving the efficiency of hardware resource utilization.
Key Points
- Service.spec.externalIPs is deprecated in v1.36, with full removal planned for v1.43 to mitigate man-in-the-middle attack risks (CVE-2020-8554).
- The gitRepo volume driver is permanently disabled in v1.36 to prevent unauthorized code execution as root on nodes.
- The Ingress NGINX project was officially retired on March 24, 2026, and no longer receives security updates or bugfixes.
- SELinux volume labeling has reached General Availability (GA), replacing recursive file relabeling with the mount -o context=XYZ option to reduce Pod startup delays.
- External signing of ServiceAccount tokens is expected to reach GA, allowing kube-apiserver to delegate token signing to external systems like cloud KMS or HSMs.
- Dynamic Resource Allocation (DRA) introduces support for partitionable devices and device-specific taints and tolerations (Beta).
Technical Details
The v1.36 release implements several low-level changes to volume management and resource scheduling. The transition of SELinux labeling to GA replaces the resource-intensive recursive relabeling process with a mount-time context application, which improves performance on SELinux-enforcing systems. However, developers must manage seLinuxChangePolicy and spec.SELinuxMount settings carefully to prevent conflicts when Pods share volumes.
In terms of resource management, the expansion of Dynamic Resource Allocation (DRA) allows for more granular hardware control. The introduction of DeviceTaintRule enables administrators to mark specific hardware as tainted, ensuring specialized resources are only used by workloads that explicitly request them. Furthermore, the new support for partitionable devices allows a single hardware accelerator, such as a GPU, to be split into multiple logical units, enabling higher workload density and better utilization of expensive infrastructure.
Impact / Why It Matters
Developers must migrate workloads using externalIPs or gitRepo volumes to modern alternatives like the Gateway API or init containers to prevent service disruption. Platform engineers can leverage the new DRA features to optimize hardware costs through device partitioning and more precise scheduling controls.
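
One way to inventory what needs migrating before the upgrade, as an added example that is not part of the original summary or of any Kubernetes tooling: it walks the items of a kubectl JSON dump and flags Services that set spec.externalIPs and workloads whose Pod spec mounts a gitRepo volume. The function names and the sample objects are assumptions constructed for illustration.

```python
# Where the Pod spec sits inside each workload kind.
TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATHS = {k: TEMPLATE for k in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job")}
POD_SPEC_PATHS["Pod"] = ("spec",)
POD_SPEC_PATHS["CronJob"] = ("spec", "jobTemplate") + TEMPLATE

def dig(obj, path):
    """Follow a key path through nested dicts; return {} if any step is missing."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
        if obj is None:
            return {}
    return obj

def find_deprecated_usage(items):
    """Return (kind, namespace/name, finding) tuples for a list of API objects,
    e.g. the "items" of: kubectl get services,pods,deployments,cronjobs --all-namespaces -o json"""
    findings = []
    for obj in items:
        kind = obj.get("kind", "")
        meta = obj.get("metadata", {})
        ref = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        if kind == "Service":
            ips = dig(obj, ("spec",)).get("externalIPs") or []
            if ips:
                findings.append((kind, ref, "externalIPs: " + ", ".join(ips)))
        elif kind in POD_SPEC_PATHS:
            for vol in dig(obj, POD_SPEC_PATHS[kind]).get("volumes") or []:
                if "gitRepo" in vol:
                    findings.append((kind, ref, f'gitRepo volume: {vol.get("name", "?")}'))
    return findings

# Constructed sample objects (not taken from a real cluster).
SAMPLE_ITEMS = [
    {"kind": "Service", "metadata": {"namespace": "web", "name": "legacy-lb"},
     "spec": {"externalIPs": ["203.0.113.10"]}},
    {"kind": "Service", "metadata": {"namespace": "web", "name": "clusterip-only"},
     "spec": {"clusterIP": "10.96.0.20"}},
    {"kind": "Deployment", "metadata": {"namespace": "ci", "name": "docs-builder"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "src", "gitRepo": {"repository": "https://git.example.invalid/docs.git"}},
         {"name": "cache", "emptyDir": {}}]}}}},
    {"kind": "CronJob", "metadata": {"namespace": "ci", "name": "nightly-sync"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"volumes": [
         {"name": "repo", "gitRepo": {"repository": "https://git.example.invalid/sync.git"}}]}}}}}},
]

if __name__ == "__main__":
    for kind, ref, finding in find_deprecated_usage(SAMPLE_ITEMS):
        print(f"{kind:<11} {ref:<20} {finding}")
```

Scanning controller templates as well as live Pods matters here: a CronJob that has not run recently has no Pod to inspect, yet its next run would still request the disabled volume type.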