Kubernetes v1.36: Security Defaults Tighten as AI Workload Support Matures
Briefly

"User Namespaces reaching General Availability is the most prominent security graduation in this release. The feature maps a container's root user to a non-privileged user on the host, so that a process escaping a container does not gain administrative access to the underlying node. Also graduating to GA are Mutating Admission Policies, which allow teams to define mutation logic as a native Kubernetes object using the Common Expression Language (CEL), removing the requirement to maintain a separate webhook server."
"The release blog notes that this "provides a native, high-performance alternative to traditional webhooks" and reduces "the latency and operational complexity associated with managing custom admission webhooks". This is documented and pictured in a blog from Kloia. Fine-Grained Kubelet API Authorization also reaches GA in this release. First introduced as an alpha in v1.32, the feature enables more precise, least-privilege access control over the kubelet's HTTPS API."
"Fine-Grained Kubelet API Authorization replaces the overly broad nodes/proxy permission that monitoring and observability tooling has traditionally required. SELinux Volume Labeling reaches stable as well, replacing recursive file relabeling with a mount -o context=XYZ option that applies the correct SELinux lab"
Kubernetes 1.36 (Haru) is the first major Kubernetes release of 2026, delivering 70 enhancements across Stable, Beta, and Alpha. The release emphasizes security hardening, AI and machine learning workloads, and API scalability. User Namespaces reach General Availability: a container's root user is mapped to a non-privileged host user, which limits what a process that escapes the container can do on the node. Mutating Admission Policies reach General Availability, letting teams define mutation logic as native Kubernetes objects using CEL instead of running a separate webhook server. Fine-Grained Kubelet API Authorization reaches General Availability, providing least-privilege access to the kubelet HTTPS API in place of the broad nodes/proxy permission. SELinux Volume Labeling reaches Stable, applying the correct SELinux label through a mount option instead of recursively relabeling every file on the volume.
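The two GA features above compose naturally: a Mutating Admission Policy can be used to default every new Pod into a user namespace. The manifest below is an added example written for this summary; it is not from the InfoQ article or the Kubernetes project. It assumes the object names are placeholders, that the GA API group version is `admissionregistration.k8s.io/v1` (the field layout follows the published alpha design: `matchConstraints`, `matchConditions`, `mutations` with `applyConfiguration`), and that nodes in the cluster support user namespaces, since a Pod with `hostUsers: false` cannot start on a node that does not.

```yaml
# Added example, not code from the page or the Kubernetes project.
# Defaults new Pods into a user namespace (hostUsers: false) via a
# MutatingAdmissionPolicy written in CEL, so no webhook server is needed.
# Assumptions: API version string (assumed v1 at GA) and object names are
# hypothetical; check the exact schema with
#   kubectl explain mutatingadmissionpolicy.spec
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicy
metadata:
  name: default-user-namespaces        # hypothetical name
spec:
  # Fail closed: if the mutation cannot be evaluated, reject the Pod rather
  # than admit it unchanged.
  failurePolicy: Fail
  reinvocationPolicy: IfNeeded
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
  matchConditions:
    # Only act when the author left hostUsers unset (assumes the API server
    # does not pre-fill the field). An explicit hostUsers: true is respected,
    # so workloads that genuinely need the host user namespace can still opt out.
    - name: host-users-not-set
      expression: "!has(object.spec.hostUsers)"
  mutations:
    - patchType: ApplyConfiguration
      applyConfiguration:
        # Server-side-apply style merge: only spec.hostUsers is touched,
        # every other field the author set is left as submitted.
        expression: >
          Object{
            spec: Object.spec{
              hostUsers: false
            }
          }
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: default-user-namespaces-binding   # hypothetical name
spec:
  policyName: default-user-namespaces
  matchResources:
    # Exempt kube-system: control-plane and CNI components there may
    # legitimately require the host user namespace.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
```

After applying both objects, creating a Pod without `hostUsers` and running `kubectl get pod <name> -o jsonpath='{.spec.hostUsers}'` should print `false`; on the node, `cat /proc/<container-pid>/uid_map` should show the container's UID 0 mapped to a high, unprivileged host UID rather than `0 0 4294967295`. The namespace selector on the binding, not the policy, is the place to widen or narrow the rollout, which keeps the CEL mutation itself simple.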
Read at InfoQ