Kubernetes v1.35: Timbernetes (The World Tree Release)
Kubernetes v1.35, released on December 17, 2025, introduces a range of enhancements focused on improving workload identity, scheduling, security, and resource management.
Inspired by Yggdrasil, the World Tree from Norse mythology, this release emphasizes growth through new features (“grafting”) and maintenance by removing outdated ones (“pruning”). Below is a comprehensive overview, including key highlights, feature graduations, new additions, and notable changes.
Release Cycle
The Kubernetes v1.35 release cycle lasted 14 weeks, from September 15, 2025, to December 17, 2025. It delivered 60 enhancements in total, comprising 17 stable, 19 beta, and 22 alpha features. The process focuses on maintaining high-quality, consistent releases through a collaborative global community effort, including the addition of new features, removal of outdated APIs, and overall project maintenance.
Contributors
This release involved contributions from 85 companies and 419 individuals specifically for v1.35. Across the wider cloud native ecosystem, 281 companies and 1,769 contributors participated. Contributions encompassed code commits, reviews, issue creation, PR handling (including documentation and blogs), and discussions.
Ecosystem
The release draws inspiration from Yggdrasil (the World Tree), symbolizing community growth through “grafting” new features and “pruning” old ones. It highlights integrations with projects like MultiKueue for advanced Job handling and Gateway API as a successor to the retiring Ingress NGINX. There’s a final reminder to upgrade from containerd v1.X to v2.0+. Community engagement includes events such as KubeCon and Kubernetes Community Days (KCD), with invitations to join Special Interest Groups (SIGs) or community forums for involvement.
Key Spotlight Features
In-place update of Pod resources
Short description: Allows adjusting CPU and memory resources without restarting Pods or Containers, enabling nondisruptive vertical scaling.
Details: Kubernetes has graduated in-place updates for Pod resources to General Availability (GA). This feature allows users to adjust CPU and memory resources without restarting Pods or Containers. Previously, such modifications required recreating Pods, which could disrupt workloads, particularly for stateful or batch applications. Earlier Kubernetes releases allowed you to change only infrastructure resource settings (requests and limits) for existing Pods. The new in-place functionality allows for smoother, nondisruptive vertical scaling, improves efficiency, and can also simplify development. (GA)
KEP #1287
Pod certificates for workload identity and security
Short description: Enables native workload identity with automated certificate rotation via kubelet and PodCertificateRequest, simplifying service mesh and zero-trust architectures.
Details: Previously, delivering certificates to pods required external controllers (cert-manager, SPIFFE/SPIRE), CRD orchestration, and Secret management, with rotation handled by sidecars or init containers. Kubernetes v1.35 enables native workload identity with automated certificate rotation, drastically simplifying service mesh and zero-trust architectures. Now, the kubelet generates keys, requests certificates via PodCertificateRequest, and writes credential bundles directly to the Pod’s filesystem. The kube-apiserver enforces node restriction at admission time, eliminating the most common pitfall for third-party signers: accidentally violating node isolation boundaries. This enables pure mTLS flows with no bearer tokens in the issuance path. (Beta)
KEP #4317
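As an added example (not from the release notes or the Kubernetes project), the following Pod consumes a kubelet-issued certificate through a projected podCertificate volume; the signer name, image and namespace are placeholders, and the field names are taken from KEP-4317 and should be checked with kubectl explain before use.

```yaml
# Added example: a Pod receiving an mTLS identity from the kubelet via a
# projected podCertificate volume source (KEP-4317, beta in v1.35).
# "example.com/mesh-ca" is a placeholder signer; it must match a signer that
# an installed signing controller actually serves. Field names are assumed
# from KEP-4317: verify with
#   kubectl explain pod.spec.volumes.projected.sources.podCertificate
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: shop
spec:
  serviceAccountName: payments-api       # the identity the certificate attests
  containers:
  - name: app
    image: registry.example.com/shop/payments-api:1.9.2   # placeholder image
    volumeMounts:
    - name: workload-identity
      mountPath: /var/run/identity
      readOnly: true
  volumes:
  - name: workload-identity
    projected:
      sources:
      - podCertificate:
          signerName: example.com/mesh-ca     # placeholder signer
          keyType: ED25519                    # key is generated by the kubelet on the node
          maxExpirationSeconds: 3600          # short-lived; the kubelet rotates before expiry
          credentialBundlePath: credentialbundle.pem   # key + chain, under mountPath
```

No Secret and no bearer token appear in the issuance path: the kubelet files a PodCertificateRequest for the Pod, and the kube-apiserver rejects requests that cross node boundaries, so a cluster audit can list the requests with kubectl get podcertificaterequests -A (resource name assumed from the KEP) to see which Pods hold certificates.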
Node declared features before scheduling
Short description: Allows nodes to declare supported Kubernetes features via .status.declaredFeatures, enabling the scheduler and admission controllers to enforce compatible scheduling.
Details: When control planes enable new features but nodes lag behind (permitted by the Kubernetes skew policy), the scheduler can place Pods requiring those features onto incompatible older nodes. The node declared features framework allows nodes to declare their supported Kubernetes features. With the new alpha feature enabled, a Node reports the features it supports, publishing this information to the control plane via a new .status.declaredFeatures field. The kube-scheduler, admission controllers, and third-party components can then use these declarations. For example, you can enforce scheduling and API validation constraints to ensure that Pods run only on compatible nodes. (Alpha)
KEP #5328
Features Graduating to Stable (17 total)
PreferSameNode traffic distribution
Short description: Introduces PreferSameNode option for Services to prioritize local node endpoints, and renames PreferClose to PreferSameZone for clarity.
Details: The trafficDistribution field for Services has been updated to provide more explicit control over traffic routing. A new option, PreferSameNode, has been introduced to let services strictly prioritize endpoints on the local node if available, falling back to remote endpoints otherwise. Simultaneously, the existing PreferClose option has been renamed to PreferSameZone. This change makes the API self-explanatory by explicitly indicating that traffic is preferred within the current availability zone. While PreferClose is preserved for backward compatibility, PreferSameZone is now the standard for zonal routing, ensuring that both node-level and zone-level preferences are clearly distinguished. (Stable)
KEP #3015
Job API managed-by mechanism
Short description: Adds managedBy field to Job API for external controllers like MultiKueue to handle status synchronization without built-in Job controller interference.
Details: The Job API now includes a managedBy field that allows an external controller to handle Job status synchronization. This feature, which graduates to stable in Kubernetes v1.35, is primarily driven by MultiKueue, a multi-cluster dispatching system where a Job created in a management cluster is mirrored and executed in a worker cluster, with status updates propagated back. To enable this workflow, the built-in Job controller must not act on a particular Job resource so that the Kueue controller can manage status updates instead. The goal is to allow clean delegation of Job synchronization to another controller. It does not aim to pass custom parameters to that controller or modify CronJob concurrency policies. (Stable)
KEP #4368
Reliable Pod update tracking with .metadata.generation
Short description: Adds metadata.generation and status.observedGeneration to Pod API for verifying spec updates and kubelet processing.
Details: Historically, the Pod API lacked the metadata.generation field found in other Kubernetes objects such as Deployments. Because of this omission, controllers and users had no reliable way to verify whether the kubelet had actually processed the latest changes to a Pod’s specification. This ambiguity was particularly problematic for features like In-Place Pod Vertical Scaling, where it was difficult to know exactly when a resource resize request had been enacted. Kubernetes v1.33 added .metadata.generation fields for Pods as an alpha feature. That field is now stable in the v1.35 Pod API, which means that every time a Pod’s spec is updated, the .metadata.generation value is incremented. As part of this improvement, the Pod API also gained a .status.observedGeneration field, which reports the generation that the kubelet has successfully seen and processed. Each Pod condition also carries its own observedGeneration field that clients can report and/or observe. Because this feature has graduated to stable in v1.35, it is available for all workloads. (Stable)
KEP #5067
Configurable NUMA node limit for topology manager
Short description: Makes max-allowable-numa-nodes option configurable to support servers with more than 8 NUMA nodes.
Details: The topology manager historically used a hard-coded limit of 8 for the maximum number of NUMA nodes it can support, preventing state explosion during affinity calculation. (There’s an important detail here; a NUMA node is not the same as a Node in the Kubernetes API.) This limit on the number of NUMA nodes prevented Kubernetes from fully utilizing modern high-end servers, which increasingly feature CPU architectures with more than 8 NUMA nodes. Kubernetes v1.31 introduced a new, beta max-allowable-numa-nodes option to the topology manager policy configuration. In Kubernetes v1.35, that option is stable. Cluster administrators who enable it can use servers with more than 8 NUMA nodes. Although the configuration option is stable, the Kubernetes community is aware of the poor performance for large NUMA hosts, and there is a proposed enhancement (KEP-5726) that aims to improve on it. (Stable)
KEP #4622
Comparable resource version semantics
Short description: Updates resource version comparison to support numeric operations.
Details: Resource versions are now decimal numbers, allowing clients to compare them (for example, to tell which of two versions is newer). This enables use cases such as storage version migration and better informer performance. (Stable)
KEP #5504
Add CPUManager policy option to restrict reservedSystemCPUs to system daemons and interrupt processing
Short description: Policy option for CPUManager to reserve CPUs.
Details: Enhances resource management for daemons. (Stable)
KEP #4540
Invariant Testing
Short description: Supports testing invariants in Kubernetes components.
Details: Improves reliability. (Stable)
KEP #5468
Fine-grained SupplementalGroups control
Short description: Better control over supplemental groups in Pods.
Details: Enhances security and flexibility. (Stable)
KEP #3619
Add support for a drop-in kubelet configuration directory
Short description: Supports drop-in configuration for kubelet.
Details: Simplifies management. (Stable)
KEP #3983
Remove gogo protobuf dependency for Kubernetes API types
Short description: Removes dependency to modernize API.
Details: Reduces maintenance overhead. (Stable)
KEP #5589
New Features in Beta (19 total)
Expose node topology labels via Downward API
Short description: Injects topology labels like zone and region into Pods as environment variables or projected volumes for safer topology awareness.
Details: Accessing node topology information, such as region and zone, from within a Pod has typically required querying the Kubernetes API server. While functional, this approach creates complexity and security risks by necessitating broad RBAC permissions or sidecar containers just to retrieve infrastructure metadata. Kubernetes v1.35 promotes the capability to expose node topology labels directly via the Downward API to beta. The kubelet can now inject standard topology labels, such as topology.kubernetes.io/zone and topology.kubernetes.io/region, into Pods as environment variables or projected volume files. The primary benefit is a safer and more efficient way for workloads to be topology-aware. This allows applications to natively adapt to their availability zone or region without dependencies on the API server, strengthening security by upholding the principle of least privilege and simplifying cluster configuration. Note: Kubernetes now injects available topology labels to every Pod so that they can be used as inputs to the downward API. With the v1.35 upgrade, most cluster administrators will see several new labels added to each Pod; this is expected as part of the design. (Beta)
KEP #4742
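As an added example (not part of the release notes), the Pod below reads its zone and region from the labels the kubelet now injects, using the standard Downward API label lookup, so it needs no API-server token and no RBAC on Node objects; the image is a placeholder, and the feature gate name PodTopologyLabelsAdmission is assumed from KEP-4742.

```yaml
# Added example: topology awareness without talking to the API server.
# Before v1.35 this typically meant a ClusterRole granting "get" on nodes
# plus a mounted ServiceAccount token; here neither is needed, so the token
# mount is switched off entirely (least privilege).
# Requires the PodTopologyLabelsAdmission feature gate (name assumed; beta
# and on by default in v1.35 according to the release notes).
apiVersion: v1
kind: Pod
metadata:
  name: topology-aware
spec:
  automountServiceAccountToken: false     # no API access required for this
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    env:
    - name: NODE_ZONE                     # resolved once, at container start
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['topology.kubernetes.io/zone']
    - name: NODE_REGION
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['topology.kubernetes.io/region']
    volumeMounts:
    - name: topology
      mountPath: /etc/topology
      readOnly: true
  volumes:
  - name: topology                        # file form, for apps that re-read config
    downwardAPI:
      items:
      - path: zone
        fieldRef:
          fieldPath: metadata.labels['topology.kubernetes.io/zone']
      - path: region
        fieldRef:
          fieldPath: metadata.labels['topology.kubernetes.io/region']
```

A quick check after upgrading: kubectl get pod topology-aware -o jsonpath='{.metadata.labels}' should show the topology.kubernetes.io/zone and topology.kubernetes.io/region labels the admission step copied from the Node; if they are absent, the lookups above resolve to empty values.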
Native support for storage version migration
Short description: Integrates migration logic into core control plane for automatic handling of updates and conflicts.
Details: In Kubernetes v1.35, the native support for storage version migration graduates to beta and is enabled by default. This move integrates the migration logic directly into the core Kubernetes control plane (“in-tree”), eliminating the dependency on external tools. Historically, administrators relied on manual “read/write loops”—often piping kubectl get into kubectl replace—to update schemas or re-encrypt data at rest. This method was inefficient and prone to conflicts, especially for large resources like Secrets. With this release, the built-in controller automatically handles update conflicts and consistency tokens, providing a safe, streamlined, and reliable way to ensure stored data remains current with minimal operational overhead. (Beta)
KEP #4192
Mutable Volume attach limits
Short description: Makes CSINode.spec.drivers[*].allocatable.count mutable for dynamic volume attachment capacity updates, with configurable refresh interval.
Details: A CSI driver is a Kubernetes plugin that provides a consistent way for storage systems to be exposed to containerized workloads. The CSINode object records details about all CSI drivers installed on a node. However, a mismatch can arise between the reported and actual attachment capacity on nodes. When volume slots are consumed after a CSI driver starts up, the kube-scheduler may assign stateful pods to nodes without sufficient capacity, ultimately getting stuck in a ContainerCreating state. Kubernetes v1.35 makes CSINode.spec.drivers[*].allocatable.count mutable so that a node’s available volume attachment capacity can be updated dynamically. It also allows CSI drivers to control how frequently the allocatable.count value is updated on all nodes by introducing a configurable refresh interval, defined through the CSIDriver object. Additionally, it automatically updates CSINode.spec.drivers[*].allocatable.count on detecting a failure in volume attachment due to insufficient capacity. Although this feature graduated to beta in v1.34 with the feature flag MutableCSINodeAllocatableCount disabled by default, it remains in beta for v1.35 to allow time for feedback, but the feature flag is enabled by default. (Beta)
KEP #4876
Opportunistic batching
Short description: Improves scheduler performance by batching compatible Pods based on scheduling signatures for shared filtering and scoring.
Details: Historically, the Kubernetes scheduler has processed Pods sequentially with a time complexity of O(num pods × num nodes), which can result in redundant computation for compatible Pods. This KEP introduces an opportunistic batching mechanism that aims to improve performance by identifying such compatible Pods via a Pod scheduling signature and batching them together, allowing filtering and scoring results to be shared across them. The Pod scheduling signature ensures that two Pods with the same signature are “the same” from a scheduling perspective. It takes into account not only the Pod and Node attributes, but also the other Pods in the system and global data about Pod placement. This means that any Pod with the given signature will get the same scores and feasibility results from any arbitrary set of nodes. The batching mechanism consists of two operations that can be invoked whenever needed: create and nominate. Create builds a new set of batch information from the scheduling results of Pods that have a valid signature. Nominate uses the batching information from create to set the nominated node name for a new Pod whose signature matches the canonical Pod’s signature. (Beta)
KEP #5598
maxUnavailable for StatefulSets
Short description: Adds maxUnavailable field to StatefulSet rollingUpdate for controlling unavailable Pods during updates, enabling faster rollouts.
Details: A StatefulSet runs a group of Pods and maintains a sticky identity for each of those Pods. This is critical for stateful workloads requiring stable network identifiers or persistent storage. When a StatefulSet’s .spec.updateStrategy.type is set to RollingUpdate, the StatefulSet controller will delete and recreate each Pod in the StatefulSet. It will proceed in the same order as Pod termination (from the largest ordinal to the smallest), updating each Pod one at a time. Kubernetes v1.24 added a new alpha field to a StatefulSet’s rollingUpdate configuration settings, called maxUnavailable. That field wasn’t part of the Kubernetes API unless your cluster administrator explicitly opted in. In Kubernetes v1.35 that field is beta and is available by default. You can use it to define the maximum number of Pods that can be unavailable during an update. This setting is most effective in combination with .spec.podManagementPolicy set to Parallel. You can set maxUnavailable as either a positive number (example: 2) or a percentage of the desired number of Pods (example: 10%). If this field is not specified, it defaults to 1, preserving the previous behavior of updating only one Pod at a time. This improvement allows stateful applications (that can tolerate more than one Pod being down) to finish updating faster. (Beta)
KEP #961
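An added example (not from the release notes) of the settings described above working together: a six-replica StatefulSet that rolls two Pods at a time, with podManagementPolicy set to Parallel as the text recommends; the image and port are placeholders.

```yaml
# Added example: faster StatefulSet rollouts with maxUnavailable (beta,
# on by default in v1.35). The controller still walks ordinals from
# highest to lowest; maxUnavailable only widens how many may be down at once.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: cache
spec:
  serviceName: cache
  replicas: 6
  podManagementPolicy: Parallel      # most effective pairing for maxUnavailable
  selector:
    matchLabels:
      app: cache
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # 2 of 6 may be unavailable during the update; "33%" is the percentage
      # form. Leaving this unset keeps the old one-Pod-at-a-time behavior.
      # Keep it below what the application's quorum can lose (here 6 -> 4 alive).
      maxUnavailable: 2
      partition: 0                   # update every ordinal; raise to canary the top ones
  template:
    metadata:
      labels:
        app: cache
    spec:
      containers:
      - name: cache
        image: registry.example.com/cache:2.4   # placeholder image
        ports:
        - containerPort: 6379                   # placeholder port
```

The setting governs only the controller's own rollout; it is not a PodDisruptionBudget, so voluntary disruptions such as node drains still need a separate PDB.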
Configurable credential plugin policy in .kuberc
Short description: Adds credentialPluginPolicy and allowlist fields to kuberc for controlling credential plugins.
Details: The optional kuberc file is a way to separate server configurations and cluster credentials from user preferences without disrupting already running CI pipelines with unexpected outputs. As part of the v1.35 release, kuberc gains additional functionality that allows users to configure a credential plugin policy. This change introduces two fields: credentialPluginPolicy, which allows or denies all plugins, and credentialPluginAllowlist, which specifies a list of allowed plugins. (Beta)
KEP #3104
KYAML
Short description: Promotes KYAML to beta for safer YAML subset in Kubernetes, enabled by default, with optional disable via KUBECTL_KYAML=false.
Details: KYAML is a less ambiguous subset of YAML designed for Kubernetes, addressing issues like whitespace and type coercion. Introduced as opt-in alpha in v1.34, it graduates to beta in v1.35 and is enabled by default (can be disabled via KUBECTL_KYAML=false). All KYAML files remain valid YAML. (Beta)
KEP #5295
Configurable tolerance for HorizontalPodAutoscalers
Short description: Allows custom tolerance in HPA behavior field for per-resource scaling sensitivity control.
Details: Replaces the fixed 10% global tolerance with a configurable value in the HPA behavior field on a per-resource basis (e.g., 0.05 for 5%). Graduates to beta and enabled by default, preventing unnecessary scaling or blocking sensitive workloads. (Beta)
KEP #4951
Support for user namespaces in Pods
Short description: Enables isolated user and group ID mappings in Pods for improved security.
Details: Allows Pods to run with isolated IDs, mapping root inside the container to an unprivileged user on the host, which reduces the impact of a container escape or privilege escalation. Supports both stateless and stateful Pods via ID-mapped mounts. (Beta)
KEP #127
VolumeSource: OCI artifact and/or image
Short description: Supports pulling OCI images into volumes for data-only artifacts, requiring compatible runtime like containerd v2.1+.
Details: Allows declarative pulling of OCI artifacts (e.g., configs, binaries) into volumes, separating data from container images. In beta since v1.33, enabled by default in v1.35; requires compatible runtime like containerd v2.1+. (Beta)
KEP #4639
Enforced kubelet credential verification for cached images
Short description: Requires credential checks for cached images to prevent unauthorized access in multi-tenant clusters.
Details: For imagePullPolicy: IfNotPresent, the kubelet verifies pod credentials before allowing cached image use, preventing unauthorized access to private images. Graduates to beta, enabled by default; configurable via feature gate and policy flag. (Beta)
KEP #2535
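As an added example (not from the release notes), here is a kubelet configuration fragment that turns the cached-image credential check up to its strictest setting; the field and value names are taken from KEP-2535 and are assumptions to verify against the KubeletConfiguration reference for your version, and the file path is a placeholder.

```yaml
# Added example: make the kubelet verify pull credentials before a Pod may
# reuse an image already present on the node (imagePullPolicy: IfNotPresent).
# Dropped into the kubelet drop-in config directory (KEP-3983, stable in
# v1.35), e.g. /etc/kubernetes/kubelet.conf.d/20-image-pull.conf (placeholder
# path; drop-in files must end in .conf and are merged in lexical order).
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
featureGates:
  KubeletEnsureSecretPulledImages: true   # gate name assumed; beta and default-on in v1.35
# Policy values (assumed from KEP-2535):
#   NeverVerify                  - old behavior: any cached image is usable by any Pod
#   NeverVerifyPreloadedImages   - default: images present before kubelet start are trusted
#   NeverVerifyAllowlistedImages - trust only preloaded images listed below
#   AlwaysVerify                 - every cached private image needs matching credentials
# In a multi-tenant cluster AlwaysVerify closes the gap where tenant B's Pod
# reuses tenant A's private image without ever presenting A's pull secret.
# The check is a credential verification, not a full re-pull.
imagePullCredentialsVerificationPolicy: AlwaysVerify
# If nodes legitimately bake in public base images, the allowlist variant
# keeps those usable without credentials while still verifying everything else:
# imagePullCredentialsVerificationPolicy: NeverVerifyAllowlistedImages
# preloadedImagesVerificationAllowlist:
# - docker.io/library/busybox         # placeholder entry
```

After rollout, a Pod from a namespace lacking the right imagePullSecret should fail with an image pull authorization error for a cached private image rather than start; that failing event is the signal to alert on.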
Fine-grained Container restart rules
Short description: Allows restartPolicy and rules at container level for independent restarts based on error codes.
Details: Introduces restartPolicy and restartPolicyRules in container specs for granular control (e.g., restart on specific error codes). Graduates to beta, enabled by default; optimizes recovery for complex workloads like AI/ML jobs without pod rescheduling. (Beta)
KEP #5307
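An added example (not from the release notes) showing the container-level fields named above on a batch Job: the container restarts in place only on one retryable exit code and otherwise fails the Pod; the image and the exit code 42 are placeholders, and the field shape and the ContainerRestartRules feature gate name are assumed from KEP-5307.

```yaml
# Added example: fine-grained container restart rules (beta, on by default
# in v1.35). The trainer keeps its local scratch/checkpoints on the same
# node when it restarts, instead of the Pod being recreated and rescheduled.
apiVersion: batch/v1
kind: Job
metadata:
  name: train-model
spec:
  backoffLimit: 3                      # Pod-level retries remain the outer bound
  template:
    spec:
      restartPolicy: Never             # Pod default: an unhandled failure ends the Pod
      containers:
      - name: trainer
        image: registry.example.com/ml/trainer:0.4   # placeholder image
        restartPolicy: Never           # container default: do not restart...
        restartPolicyRules:            # ...except when a rule matches
        - action: Restart
          exitCodes:
            operator: In
            values: [42]               # placeholder: "transient error, retry" code
        # Any other non-zero exit (e.g. bad input, permission denied) still
        # fails the container, so a real fault is not retried forever on-node.
```

Keep the retryable set narrow: an exit code that a compromised or misbehaving process can choose freely becomes an in-place restart loop that never surfaces as a Pod failure to the Job controller.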
CSI driver opt-in for service account tokens via secrets field
Short description: Enables secure ServiceAccount token delivery via secrets field in NodePublishVolume, opt-in via CSIDriver.
Details: Drivers set serviceAccountTokenInSecrets to true in CSIDriver objects to get tokens via the secrets field in NodePublishVolume requests, avoiding exposure in volume_context. Maintains backward compatibility. (Beta)
KEP #5538
Deployment status: count of terminating replicas
Short description: Adds terminatingReplicas field to Deployment status for counting Pods in deletion process.
Details: Introduces terminatingReplicas in Deployment status (beta) to show Pods with deletion timestamps but not yet removed. Improves observability for lifecycle management and rollouts. (Beta)
KEP #3973
New Features in Alpha (22 total)
Gang scheduling support in Kubernetes
Short description: Introduces Workload API and PodGroup for all-or-nothing scheduling of interdependent workloads.
Details: Ensures groups of interdependent Pods (e.g., AI/ML jobs) schedule only if all fit, preventing deadlocks and waste. (Alpha)
KEP #4671
Constrained impersonation
Short description: Adds secondary authorization check for impersonation with fine-grained verbs like impersonate-on:<mode>:<verb>.
Details: With ConstrainedImpersonation feature gate, verifies impersonators for specific actions via new verb prefixes (e.g., impersonate-on:<mode>:<verb>), enforcing least privilege. (Alpha)
KEP #5284
Flagz for Kubernetes components
Short description: Enhances /flagz endpoint to support structured JSON output for component configurations.
Details: Allows versioned JSON responses via HTTP content negotiation for automated parsing and auditing of command-line options. (Alpha)
KEP #4828
Statusz for Kubernetes components
Short description: Enhances /statusz endpoint to support structured JSON output for component status and health.
Details: Supports machine-readable JSON for health indicators and versions via content negotiation, improving automated debugging. (Alpha)
KEP #4827
CCM: watch-based route controller reconciliation using informers
Short description: Introduces event-driven reconciliation for route updates in Cloud Controller Manager using informers.
Details: Uses informers to watch Node events instead of polling, reducing API calls and improving responsiveness for route updates. (Alpha)
KEP #5237
Extended toleration operators for threshold-based placement
Short description: Adds numeric comparison operators to tolerations for SLA-aware node placement.
Details: Allows Pods to match/avoid nodes based on SLA taints using comparisons, enhancing scheduler precision for reliability and cost. (Alpha)
KEP #5471
Mutable container resources when Job is suspended
Short description: Allows updating resource requests and limits for suspended Jobs via feature gate.
Details: Via MutableJobPodResourcesForSuspendedJobs feature gate, allows pausing Jobs, modifying Pod templates, and resuming with fixes (e.g., for OOM errors). (Alpha)
KEP #5440
Extended Resource Requests via DRA
Short description: Addresses gaps in Extended Resource requests for Device Plugins in DRA.
Details: Improves scoring and reuse of devices in init containers under DRA (core stable in v1.34, always enabled in v1.35). Part of continued DRA innovations. (Alpha)
KEP #4381
Device Taints and Tolerations
Short description: Introduces “None” effect for DeviceTaintRule to report issues without eviction.
Details: Allows dry-run eviction checks via status; supports ongoing eviction status. Part of DRA improvements. (Alpha)
KEP not specified
Partitionable Devices
Short description: Allows defining partitionable devices across multiple ResourceSlices.
Details: Enhances flexibility in DRA for device partitioning. (Alpha)
KEP not specified
Consumable Capacity, Device Binding Conditions
Short description: Fixes bugs and adds tests for consumable capacity and binding conditions in DRA.
Details: Improves reliability in DRA resource management. (Alpha)
KEP not specified
Deprecations and Removals
Ingress NGINX retirement: Best-effort maintenance until March 2026, after which it will be archived; users should migrate to Gateway API.
Removal of cgroup v1 support: The kubelet will fail to start on nodes without cgroup v2; migration to cgroup v2 is required.
Deprecation of ipvs mode in kube-proxy: Emits warnings upon use; transition to nftables mode is recommended.
Final call for containerd v1.X: Last supported in v1.35; upgrade to containerd 2.0 or later is necessary.
For more details, refer to the official Kubernetes v1.35 release blog post.
