★ 7/10 · Infra · 2026-04-22

Kubernetes v1.36: ハル (Haru)

Summary

Kubernetes v1.36 introduces 70 enhancements, including 18 features graduating to Stable, 25 entering Beta, and 25 entering Alpha. The release focuses on refining API authorization, improving hardware resource visibility, and advancing workload-aware scheduling capabilities.

Key Points

  • Fine-grained kubelet API authorization has graduated to General Availability (GA), enabling least-privilege access control for the kubelet's HTTPS API and removing the need for the broad nodes/proxy permission.
  • The allocatedResourcesStatus field within the Pod .status has moved to Beta, providing a unified mechanism to report the health (Unhealthy or Unknown) of allocated specialized hardware.
  • Volume group snapshots are now Stable, allowing for crash-consistent snapshots across multiple PersistentVolumeClaims (PVCs) simultaneously.
  • The API for external signing of ServiceAccount tokens is now Stable, allowing clusters to offload JWT signing to external identity or key management systems.
  • Workload Aware Scheduling (WAS) features have entered Alpha, introducing a new PodGroup API and a scheduling cycle that evaluates pod groups atomically to ensure all pods in a group are bound together or none are.
  • The mutable CSINode allocatable feature has graduated to Stable, allowing CSI drivers to dynamically update the maximum number of volumes a node can handle without requiring a component restart.
  • Key Dynamic Resource Allocation (DRA) features, including DRA admin access and prioritized lists, have graduated to Stable.

Technical Details

The release makes significant changes to the kubelet's security and resource management models. The graduation of fine-grained kubelet API authorization (KEP #2862) allows more precise access control over the kubelet's HTTPS API, specifically for monitoring and observability use cases that previously required the nodes/proxy permission. For storage management, the now-stable VolumeGroupSnapshot (KEP #3476) uses extension APIs to take crash-consistent snapshots across a set of volumes, enabling more reliable recovery of workloads. Additionally, the now-stable mutable CSINode allocatable feature (KEP #4876) allows the kubelet to adjust volume limits and capacity information dynamically, based on periodic checks or resource exhaustion errors reported by the CSI driver.
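An added example, not taken from the Kubernetes release notes: a small audit over `kubectl get clusterroles -o json` output that lists the roles still granting nodes/proxy, which are the candidates for migration to the fine-grained kubelet subresources. The role names and the sample data are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get clusterroles -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "metrics-scraper"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
  {"metadata": {"name": "node-stats-reader"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/metrics", "nodes/stats"],
              "verbs": ["get"]}]},
  {"metadata": {"name": "ops-wildcard"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "apps-only"},
   "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get"]},
             {"nonResourceURLs": ["/metrics"], "verbs": ["get"]}]}
]}
""")

# RBAC resource entries that cover the nodes/proxy subresource:
# the exact name, the "*/subresource" form, and the full wildcard.
BROAD = {"nodes/proxy", "*/proxy", "*"}


def grants_nodes_proxy(rule):
    """True if an RBAC rule covers nodes/proxy in the core ("") API group."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    return bool(groups & {"", "*"}) and bool(resources & BROAD)


def audit(role_list):
    """Return (role name, verbs) for every rule that still grants nodes/proxy."""
    findings = []
    for role in role_list.get("items", []):
        for rule in role.get("rules") or []:  # "rules" may be null or absent
            if grants_nodes_proxy(rule):
                verbs = sorted(rule.get("verbs", []))
                findings.append((role["metadata"]["name"], verbs))
    return findings


if __name__ == "__main__":
    for name, verbs in audit(SAMPLE):
        print(f"{name}: grants nodes/proxy with verbs {verbs}")
```

Namespaced Roles cannot grant access to the cluster-scoped nodes resource, so ClusterRoles are the objects to check; wildcard grants are reported because they include nodes/proxy implicitly.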

In terms of scheduling and hardware visibility, the move of allocatedResourcesStatus to Beta surfaces the health status of allocated devices, so administrators can use kubectl describe pod to diagnose container crash loops caused by hardware failures. Furthermore, the Alpha introduction of Workload Aware Scheduling (WAS) integrates the Job controller with a revised Workload API and a new decoupled PodGroup API. This new scheduling cycle enables the scheduler to treat related pods as a single logical entity, implementing a "gang scheduling" approach where the entire group is bound to nodes atomically to prevent resource fragmentation.

Impact / Why It Matters

Operators can implement more granular security policies and more efficient hardware-aware scheduling for complex workloads like AI/ML. The improvements in volume management and hardware health reporting also streamline the recovery and management of high-performance, multi-tenant clusters.
