K8s 1.36 ships tomorrow — check IPVS now

Kubernetes v1.36 Ships April 22 — IPVS Removed, OCI Volumes Stable, New Alphas

  • v1.36.0-rc.1 tagged April 15 alongside patch releases v1.35.4, v1.34.7, v1.33.11; stable v1.36.0 ships tomorrow per the release schedule.
  • IPVS mode is permanently removed from kube-proxy in v1.36 — clusters using --proxy-mode=ipvs must migrate to iptables or nftables before upgrading per the v1.36 feature breakdown. (gitRepo volume removal and HPA Scale-to-Zero promotion were covered in Issue #7.)
  • OCI VolumeSource reaches stable — pods can now reference OCI images as read-only volumes for distributing model weights, config files, or datasets independently of application images (KEP-4639 per the v1.36 guide).
  • Workload-Aware Preemption alpha (KEP-137606) evicts entire lower-priority pod groups as a unit — enabling complete distributed training job eviction; HPA External Metrics Fallback (KEP-5679) provides a configurable fallback value when external metric sources are unavailable per Palark's alpha deep dive.
  • PVC Last-Used Tracking alpha (KEP-5541) adds status.lastUsedTime to PersistentVolumeClaims — enabling identification of orphaned volumes for cost management without manual audit per Palark's alpha deep dive.
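
A pre-upgrade check for the IPVS removal above, as an added example that is not part of the original briefing: it reads the `mode` field of a KubeProxyConfiguration document and the `--proxy-mode` flag of a kube-proxy command line, and blocks if either selects ipvs. The function names and sample inputs are constructed for illustration, and the ConfigMap location noted in the comments is the kubeadm convention, assumed here.

```shell
#!/bin/sh
# Added example, not from the newsletter: flag kube-proxy IPVS mode before a v1.36 upgrade.
# Assumption: config text is a KubeProxyConfiguration document; on kubeadm clusters it is
# typically stored in the kube-proxy ConfigMap in kube-system under the key config.conf.

# Print the top-level "mode" value from KubeProxyConfiguration YAML read on stdin.
# Prints an empty line when mode is unset or "" (kube-proxy then uses its default, not ipvs).
proxy_mode_from_config() {
    sed -n 's/^mode:[[:space:]]*//p' |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | tr -d "\"'" | tail -n 1
}

# Print the --proxy-mode value from a kube-proxy command line ("=value" or " value" form).
proxy_mode_from_args() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | awk '
        prev == "--proxy-mode" { mode = $0 }
        /^--proxy-mode=/       { mode = substr($0, 14) }
        { prev = $0 }
        END { print mode }'
}

# check_kube_proxy CONFIG_TEXT CMDLINE
# Returns 1 if either source selects ipvs, 2 on an unrecognised mode, 0 otherwise.
check_kube_proxy() {
    cfg_mode=$(printf '%s\n' "$1" | proxy_mode_from_config)
    arg_mode=$(proxy_mode_from_args "$2")
    case " $cfg_mode $arg_mode " in
        *" ipvs "*) echo "BLOCK: ipvs selected; migrate to iptables or nftables before v1.36"
                    return 1 ;;
    esac
    for m in "$cfg_mode" "$arg_mode"; do
        case "$m" in
            ""|iptables|nftables) ;;
            *) echo "REVIEW: unrecognised proxy mode '$m'"; return 2 ;;
        esac
    done
    echo "OK: config='${cfg_mode:-default}' flag='${arg_mode:-unset}'"
}

# Constructed sample inputs (not taken from a real cluster).
SAMPLE_CONFIG='apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
ipvs:
  scheduler: rr
mode: "ipvs"   # set at cluster creation'
SAMPLE_CMDLINE='kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=node-1'

check_kube_proxy "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE" || true
```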

Ubuntu 26.04 LTS Ships April 23 — Hard Upgrade Block, AMD64v3, dracut

  • Ubuntu 26.04 blocks upgrades on systems with cgroup v1 containers — cutover is immediate with no grace period per the Ubuntu release notes. Kubernetes nodes require cgroupDriver: systemd in kubelet config and SystemdCgroup = true in containerd's config.toml; Docker < 20.10 fails entirely.
  • AMD64 images default to AMD64v3 — Intel Ivy Bridge and Sandy Bridge CPUs are no longer supported per the release summary. Google Cloud N1 instances using those CPU generations cannot run 26.04 LTS images.
  • Direct upgrades from Ubuntu 24.04 LTS are blocked until the 26.04.1 point release ships in August 2026 per Serverspace's release guide.
  • dracut replaces initramfs-tools as the default initramfs generator; APT 3.1 removes apt-key entirely. Toolchain bumps: GCC 15.2, Golang 1.25, Rust 1.93, LLVM 21, Python 3.13.9 per the release summary.
  • PostgreSQL 18 ships as the new default with OAuth 2.0 auth and significant I/O improvements; OpenSSH 10.2p1 adds PerSourcePenalties for rate-based brute-force mitigation; DSA host keys are no longer generated on fresh installs.

Google Cloud Next Opens Tomorrow: DRANET Full GA, Managed OTel, Secret Sync

  • Google Cloud Next 2026 runs April 22–24 in Las Vegas; infrastructure highlights to watch: GKE Pod Snapshots (checkpoint/restore to eliminate GPU cold starts), GKE Agent Sandbox (runtime for untrusted agent-generated code), and GKE Cluster Autoscaler being open-sourced per the infrastructure session guide.
  • GKE managed DRANET is now GA for the full accelerator lineup — A3 Ultra, A4, A4X, A4X Max (NVIDIA) and TPU v6e and v7x per GKE release notes (previously confirmed for A4 nodes only in Issue #5).
  • Secret Manager Integrated Secret Synchronization reached GA — secrets auto-sync from Secret Manager into GKE clusters via the CSI driver, removing polling or manual refresh tooling per GKE release notes.
  • Managed OpenTelemetry for GKE entered preview — provides an in-cluster OTLP endpoint and an Instrumentation CRD for auto-instrumenting workload traces, metrics, and logs without a separately deployed collector per GKE release notes.
  • Cloud NAT default TCP TIME_WAIT timeout drops from 120 to 30 seconds for new gateways starting June 30, 2026 — reducing conntrack table pressure for high-connection-rate clusters per Google Cloud release notes.

AWS: C8in/C8ib GA, ECR OCI Referrer Sync, Post-Quantum Secrets for K8s

  • AWS C8in instances are GA with 600 Gbps network bandwidth — the highest of any enhanced-networking EC2 instance; C8ib delivers 300 Gbps EBS bandwidth (highest for non-GPU). Both are 43% faster than C6in on 6th-gen Intel Xeon Scalable processors with Nitro cards, targeting latency-sensitive HPC and ML inference workloads.
  • ECR pull through cache now auto-syncs OCI referrers — Cosign and Notation signatures, SBOMs, and attestations transfer alongside cached images per the AWS weekly roundup. Previously, attestations were silently dropped at the ECR cache boundary.
  • AWS Secrets Manager adds hybrid post-quantum TLS (ML-KEM) — enabled automatically in the Kubernetes Secrets Manager CSI driver, Lambda Extension, and Agent; upgrade the add-on to activate with no other configuration changes required per the AWS weekly roundup.
