KubeCon EU: Velero joins CNCF, Kubescape 4.0 GA, K8s 1.35 ships
CNCF Sandbox & Project Updates
- Broadcom donated Velero to the CNCF Sandbox at KubeCon EU 2026, removing the perception of VMware-controlled governance and positioning it as a vendor-neutral standard for Kubernetes backup, restore, and migration.
- Kubescape 4.0 is GA with Runtime Threat Detection powered by CEL-based rules that access Application Profiles as baselines — monitoring process/syscall events, Linux capabilities, network/HTTP, and filesystem activity. Rules and RuleBindings are now first-class Kubernetes CRDs.
- Kubescape 4.0 breaking change: the host-sensor DaemonSet is removed (previously flagged as intrusive/overprivileged); its capabilities are merged into the node-agent. Kubescape Storage is also GA, using the K8s Aggregated API to store Application Profiles, SBOMs, and vuln manifests outside etcd.
- Kubescape 4.0 adds AI agent scanning via a KAgent-native plug-in with 15 new Rego controls targeting RBAC issues, missing NetworkPolicies, and over-privileged namespace watching in AI agent CRDs.
- Red Hat contributed llm-d to the CNCF to standardize distributed LLM inference on Kubernetes, implementing a specialized data-plane orchestration layer for portable, high-performance AI inference across hybrid cloud.
Kubernetes Distributions & Releases
- VMware vSphere Kubernetes Service (VKS) 3.6 ships with Kubernetes 1.35 and adds RHEL 9 as a supported node OS alongside Photon OS 5, Ubuntu 22.04/24.04, and Windows Server 2022.
- VKS 3.6 supports pluggable CNI (Antrea default; Calico Enterprise via Tigera supported), integrates Pinniped for auth, and bundles Velero for backup. Third-party ecosystem support includes F5 BIG-IP and Kong API Gateway.
- Broadcom is promoting AVI Load Balancer as the replacement for the retiring NGINX Ingress Controller in VKS, with a conversion kit available for migration.
CloudNativePG 1.29.0
- CloudNativePG 1.29.0 is released with Image Catalogs integration for PostgreSQL extensions — operators can now add extensions without building custom container images.
- Dynamic network access via podSelectorRefs allows pg_hba.conf rules to resolve ephemeral pod IPs using label selectors, eliminating manual CIDR management for pod-to-database access control.
- Shared ServiceAccount support across Cluster/Pooler resources simplifies cloud IAM integration. Supply chain additions: signed artifacts, SLSA provenance, SBOM generation, and OpenSSF scanner integration.
- EOL notices: 1.27.x reaches end-of-life now; 1.28.x EOL is set for June 30, 2026.
Cloud Provider & Platform Moves
- Red Hat OpenShift is now accessible directly from the Google Cloud console, and OpenShift Virtualization on GCP hit GA — enabling unified VM and container management on a single platform, announced at KubeCon EU 2026.
- Red Hat launched RHEL Extended Life Cycle Premium, a new subscription tier providing a predictable 14-year support lifecycle for major RHEL releases, targeting regulated industries with change-averse, mission-critical workloads.
KubeCon EU 2026: AI Infra Patterns
- The dominant KubeCon EU 2026 theme (Amsterdam) was GPU management, Kubernetes abstraction layers, and automation for moving AI workloads from pilot to production.
- New SLIs for LLM inference — time-to-first-token, decode speed, and KV-cache hit rates — are emerging as infrastructure concerns for platform teams operating model serving at scale.
- A new observability pattern surfaced at the conference: embedding OpenTelemetry trace context into HTML <meta /> tags to enable end-to-end frontend-to-backend distributed tracing without instrumentation gaps at the browser boundary.