惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
云风的 BLOG
云风的 BLOG
美团技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
爱范儿
爱范儿
Stack Overflow Blog
Stack Overflow Blog
WordPress大学
WordPress大学
GbyAI
GbyAI
雷峰网
雷峰网
P
Proofpoint News Feed
IT之家
IT之家
人人都是产品经理
人人都是产品经理
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
aimingoo的专栏
aimingoo的专栏
小众软件
小众软件
T
The Blog of Author Tim Ferriss
月光博客
月光博客
V
Visual Studio Blog
L
LINUX DO - 热门话题
L
Lohrmann on Cybersecurity
T
Troy Hunt's Blog
Project Zero
Project Zero
U
Unit 42
T
Tor Project blog
Scott Helme
Scott Helme
L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
I
InfoQ
Cloudbric
Cloudbric
P
Proofpoint News Feed
The Cloudflare Blog
H
Heimdal Security Blog
Google DeepMind News
Google DeepMind News
The GitHub Blog
The GitHub Blog
Attack and Defense Labs
Attack and Defense Labs
有赞技术团队
有赞技术团队
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
J
Java Code Geeks
博客园 - 【当耐特】
Security Latest
Security Latest
The Register - Security
The Register - Security
F
Fortinet All Blogs
I
Intezer
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MongoDB | Blog
MongoDB | Blog
N
Netflix TechBlog - Medium
NISL@THU
NISL@THU
T
Tenable Blog

Devoriales - DevOps and Python Tutorials

Cloud & DevOps & AI Digest: The Week of Jun 28, 2026 Cloud & DevOps & AI Digest: The Week of Jun 20, 2026 Ansible for DevOps Engineers: Architecture, Core Concepts, and Hands-On Lab Login Must-Have Kubernetes CLI Tools Every Platform Engineer Should Know Login Login Login Why Your Best Engineers Are Quitting (And How to Stop It) Login ArgoCD Vulnerability: How the ServerSideDiff Feature Exposes Kubernetes Secrets Login How Kubernetes Controls What Your Containers Can Do Login Multi-AZ Is Not Disaster Recovery: What the AWS Bahrain Outage Finally Proved Trivy Supply Chain Attack: When Your Security Scanner Becomes the Threat Is Claude Opus 4.6 Fast Mode Really Worth 6× the Price? Login Unlocking Higher Pod Density in EKS with Prefix Delegation AWS Regional NAT Gateway: What It Is and Why You Should Care Kubernetes 1.35 Timbernetes Release AWS re:Invent 2025: The Future of Kubernetes on EKS Debate Series: How Do We Control Deployment Order in Kubernetes? Debate Series: Should We Eliminate Kubernetes Secrets Entirely? Kubernetes CRDs Explained: A Beginner-Friendly Guide to Extending the Kubernetes API Reduce Cloud Cross-Zone Data Transfer Costs with Kubernetes 1.33 trafficDistribution Building Custom Bitnami Images: A Guide for Self-Hosted Container Images From Free to Fee: How Broadcom's Bitnami Monetization Disrupts DevOps Infrastructure Claude Code Cheat Sheet: The Reference Guide Kubernetes Loses Enterprise Slack Status: Discord Among Platforms Being Considered Understanding Container Security: A Guide to Docker and Pod Security Container Patterns in Kubernetes: Init Containers, Sidecars, and Co-located Containers Explained AWS Launches Serverless MCP Server: AI-Powered Development Gets a Serverless Boost Valve Responds to Alleged Steam Data Breach Reports: What Users Need to Know ArgoCD 3.0: The Evolution Toward Secure GitOps Redis Returns to Open Source: The AGPLv3 Licensing Decision New Features in Kubernetes 1.33: An Overview Prometheus: How We Slashed Memory Usage IngressNightmare: Critical Ingress-NGINX Vulnerabilities and How to Check Your Exposure New Features in Kubernetes 1.32: An Overview What to Consider If You're Not Signing Up for Bitnami Premium Certified Kubernetes Administrator (CKA) Exam Updates for 2025 DeepSeek AI and the Question of the AI Bubble Python Tops the Tiobe Index: The Most Popular Programming Languages - January 2025 2024 in Review: IT Trends, Startups, and What’s Next Inside Argo: The Open-Source Journey Captured in a CNCF Documentary Running Docker on macOS Without Docker Desktop - updated with Kubernetes installation HashiCorp Rolls Out Terraform 2.0 at HashiConf, Keeps IBM Acquisition in the Shadows Is the EU Falling Behind in the Global AI Race? Prometheus Essentials: Node Exporter And System Monitoring Prometheus Essentials: Install and Start Monitoring Your App Prometheus Essentials: Introduction To Metric Types Kubernetes Pod Scheduling Explained: Taints, Tolerations, and Node Affinity Retrieval Augmented Generation (RAG) Explained for Beginners Like Me Using Sealed Secrets with Your Kubernetes Applications
New Features in Kubernetes 1.34: An Overview
Aleksandro Matejic · 2025-08-10 · via Devoriales - DevOps and Python Tutorials

Kubernetes 1.34 release

Kubernetes 1.34 brings 59 enhancements with zero deprecations, making this a pretty upgrade path.

Scheduled for release on August 27, 2025, this version delivers production-ready GPU management, enhanced security controls, and significant performance improvements.

The release represents a maturity milestone with 23 features graduating to stable and 12 new alpha capabilities, emphasizing production stability while introducing functionality for AI workloads, advanced scheduling, and declarative policy.

OCI Artifact Volumes simplify secure artifact distribution

#4639

Kubernetes 1.34 introduces OCI Artifact Volumes, enabling Pods to mount artifacts directly from OCI-compliant registries into containers as read-only volumes. Unlike container images, which bundle application code and runtime dependencies, OCI artifacts can be used to distribute non-image resources such as:

  • Configuration files

  • Seccomp, AppArmor, or SELinux profiles

  • Machine learning models

  • Binary executables or policy bundles

This feature provides a secure, standardized way to deliver cluster-wide content without resorting to custom init containers, sidecar downloaders, or baked-in application images.

PodCertificateRequest enables native Pod X.509 certificates

#4317

Kubernetes 1.34 (Alpha) introduces a new resource, PodCertificateRequest, which allows Pods to obtain short-lived X.509 certificates directly from the Kubernetes API server.

How it works

  • A Pod creates a PodCertificateRequest object specifying identity requirements (for example, DNS names).

  • The kube-apiserver issues a signed, short-lived certificate.

  • The certificate is delivered into the Pod via a projected volume.

This feature provides a Kubernetes-native way for Pods to obtain X.509 certificates without relying on external certificate distribution mechanisms. It simplifies workload identity management and enables secure Pod-to-Pod communication using short-lived credentials.

Dynamic resource allocation reaches production readiness

Stable

Dynamic Resource Allocation (DRA) core functionality graduates to stable in 1.34, transforming how Kubernetes handles specialized hardware like GPUs, FPGAs, and custom devices. This marks a significant shift from the rigid node-level resource model to flexible, workload-specific allocation.

The stable DRA implementation introduces the resource.k8s.io/v1 API with four new resource types: ResourceClaim, DeviceClass, ResourceClaimTemplate, and ResourceSlice. Unlike traditional resource requests that rely on simple quantity-based allocation, DRA uses structured parameters and CEL expressions for sophisticated device filtering and selection.

Example:

apiVersion: resource.k8s.io/v1
kind: ResourceClaim
metadata:
  name: gpu-request
spec:
  devices:
    requests:
    - name: gpu
      deviceClassName: nvidia-a100
      selectors:
      - cel:
          expression: 'device.driver == "nvidia.com/gpu" && device.attributes["memory"] >= "80GB"'

For teams managing AI/ML workloads, this enables precise hardware matching based on memory capacity, compute capabilities, or vendor-specific features. The centralized device categorization through DeviceClass resources simplifies resource management across heterogeneous clusters.

Device Binding Conditions (Alpha - KEP-5007) complement stable DRA by preventing premature Pod scheduling before fabric-attached devices become ready. The new BindingConditions mechanism ensures GPU initialization completes before application startup, eliminating the manual intervention previously required for complex hardware configurations.

Read about the user stories that will demonstrate how the logic works.

ServiceAccount tokens improves image pull security

ServiceAccount token integration for kubelet credential providers graduates to beta and enables by default in 1.34, addressing a long-standing security concern with static image pull secrets. This enhancement automatically provides short-lived, Pod-scoped authentication tokens that rotate without manual intervention.

The implementation leverages OIDC-compliant ServiceAccount tokens, with each token scoped to a single Pod and automatically managed by the kubelet. This eliminates the operational overhead of managing long-lived registry credentials while significantly improving security posture.

Example:

apiVersion: v1
kind: Pod
spec:
  serviceAccountName: image-puller
  containers:
  - name: app
    image: private-registry.com/my-app:latest
  # No imagePullSecrets required - handled automatically via ServiceAccount token

CEL-based policies eliminate webhook complexity

CEL-based Mutating Admission Policies introduce declarative resource modification capabilities that can replace many external admission webhooks. Graduating from alpha to beta in 1.34, this feature uses Common Expression Language to define resource mutations directly within Kubernetes API machinery.

Feature Gate Required: MutatingAdmissionPolicy=true (enabled by default in beta)

The updated admissionregistration.k8s.io/v1beta1 API provides MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding resources that eliminate the operational overhead of maintaining external webhook services while improving policy lifecycle management.

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: add-security-context
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - operations: ["CREATE"]
      apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
  mutations:
  - patchType: JSONPatch
    jsonPatch:
      expression: |
        [
          {
            "op": "add",
            "path": "/spec/securityContext/runAsNonRoot",
            "value": true
          }
        ]

This approach simplifies debugging and policy management compared to external webhooks while providing better integration with Kubernetes RBAC and audit systems. The declarative nature makes policies more transparent and easier to version control alongside other cluster configurations.

Production-grade observability with native tracing

Kubelet Tracing (KEP-2831) and API Server Tracing (KEP-647) both graduate to stable in 1.34, providing production-ready OpenTelemetry integration for comprehensive cluster observability. These components instrument critical operations including gRPC calls to the Container Runtime Interface and API request processing.

The implementation supports end-to-end trace propagation from control plane components through kubelet operations to container runtime interactions. This visibility proves invaluable for debugging complex scheduling decisions, node-level performance issues, and container lifecycle problems

# Enable kubelet tracing (now stable, no feature gate required)
kubelet --tracing-config=/etc/kubernetes/tracing-config.yaml

# Example tracing configuration
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
tracing:
  endpoint: "http://jaeger-collector:14268/api/traces"
  samplingRatePerMillion: 100000

The stable status means these tracing capabilities can be safely enabled in production environments without concerns about API stability or performance impact. For teams debugging node-level issues or optimizing cluster performance, this provides unprecedented visibility into Kubernetes internal operations.

KYAML addresses configuration safety concerns

KYAML output format (Alpha - KEP-5295) introduces a Kubernetes-specific YAML dialect designed to eliminate common configuration errors caused by YAML's type coercion behavior. Available through kubectl get -o kyaml, this format addresses the notorious "Norway problem" and other YAML parsing edge cases.

KYAML always double-quotes string values, uses explicit {} for mappings and [] for sequences, and employs flow-style syntax to reduce whitespace sensitivity issues. All KYAML files remain valid YAML while being significantly safer to parse and modify. 

Example:

# Traditional YAML output (problematic)
kubectl get service my-app -o yaml
# country: NO    # Parsed as boolean false
# version: 3.10  # Parsed as float 3.1

# KYAML output (safe)
kubectl get service my-app -o kyaml  
# country: "NO"   # Explicitly a string
# version: "3.10" # Explicitly a string

For teams managing complex configurations, KYAML provides safer defaults for automated processing and reduces the likelihood of configuration drift caused by YAML parsing inconsistencies.

kubectl and kubeadm improvements

kubectl gains several productivity enhancements including the KYAML output format and .kuberc configuration file support (Beta). The .kuberc file separates user preferences from cluster configurations, enabling shareable user settings across different cluster contexts.

Example:

# Enable .kuberc support
export KUBECTL_KUBERC=true
kubectl config set-preference editor vim
kubectl config set-preference output yaml

kubeadm introduces External Key Management Integration (Alpha) supporting HSMs and cloud KMS services through a new gRPC API (ExternalJWTSigner). This enhancement enables ServiceAccount JWT signing without requiring kube-apiserver restarts, improving certificate lifecycle management in security-conscious environments.

Enhanced deployment control and autoscaling precision

Pod Replacement Policy for Deployments (Alpha - KEP-3973) introduces fine-grained control over rolling update behavior through a new spec.podReplacementPolicy field. This feature addresses the trade-off between rollout speed and resource consumption during deployments. 

The TerminationStarted policy creates new pods immediately when old pods begin terminating, enabling faster rollouts at the cost of temporary resource spikes. The TerminationComplete policy waits for full pod termination before replacement, providing controlled resource consumption but slower updates.

Example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  podReplacementPolicy: TerminationStarted  # Fast rollouts
  replicas: 100
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%

HPA Configurable Tolerance graduates to beta with the HPAConfigurableTolerance feature gate enabled by default. This enhancement allows per-HPA tolerance configuration, overriding the cluster-wide 10% default that often proves inadequate for large deployments.

Example:

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
spec:
  behavior:
    scaleUp:
      tolerance: 0.05  # 5% tolerance instead of default 10%
    scaleDown:
      tolerance: 0.15  # 15% tolerance for scale-down operations

Asynchronous API Calls (Alpha - KEP-5229) addresses scheduler bottlenecks in large clusters by eliminating synchronous API call dependencies. The new APIQueue component manages asynchronous operations through a hybrid cache-mediated approach, allowing operations to be skipped or combined when circumstances change. Palark

This optimization particularly benefits clusters experiencing scheduler delays during high Pod churn periods. Operations like unschedulable status updates can be cancelled if a Pod gets successfully bound before the update completes, reducing unnecessary API server load. 

Enhanced NominatedNodeName field (Alpha - KEP-5278) improves scheduling predictability by creating bidirectional communication between the scheduler and external components like Cluster Autoscaler or Karpenter. This prevents resource waste during long Pod binding processes by maintaining scheduling decisions throughout the binding cycle.

Network and storage enhancements for modern workloads

Traffic Distribution Preferences are now generally available, with options like PreferSameZone and PreferSameNode for Service.spec.trafficDistribution fields. The PreferSameNode preference optimizes latency by prioritizing endpoints on the same node as the client, while PreferSameZone maintains the existing PreferClose behavior but with clearer semantics.

apiVersion: v1
kind: Service
spec:
  trafficDistribution: PreferSameNode  # Optimize for node-local traffic
  selector:
    app: cache-service

VolumeAttributesClass introduces dynamic, cloud-provider-agnostic management of volume performance attributes. This new resource type enables non-disruptive performance updates by switching volume classes without recreating persistent volumes, addressing the previous limitation of immutable StorageClass performance parameters.

Security improvements and upgrade considerations

No breaking changes or deprecations

Kubernetes 1.34 introduces zero deprecations or breaking changes, making it the safe major release. This design decision reflects the project's focus on stability and operational continuity while delivering substantial enhancements.

Container runtime requirements

Kubernetes 1.34 requires CRI-compliant container runtimes with full support for containerd and CRI-O. Docker support remains deprecated, requiring containerd or CRI-O as the runtime interface. 

Anonymous authentication enhancements

New granular control over anonymous authentication paths reduces security risks from misconfigured RBAC policies. The enhancement allows anonymous access only to specific endpoints (/healthz, /readyz, /livez) while blocking unauthorized access to sensitive APIs.

More Features Worth Highlighting in Kubernetes 1.34

Beyond the headline items, Kubernetes 1.34 also introduces a set of important but less-publicized changes:

  • Selector-based Authorization (Stable): RBAC now supports field/label selectors to limit access more precisely (ARMO).

  • Windows Enhancements: Graceful node shutdown (Beta) and networking improvements (DSR/overlay) bring Windows support closer to Linux parity (Kubernetes Docs).

  • PodCertificateRequest (Alpha): A new API for short-lived Pod TLS certificates, paving the way for built-in workload identity (01Cloud).

  • Arbitrary FQDN Hostnames (Alpha): Support for setting custom FQDNs inside Pods (Palark).

  • DRA Device Health Visibility (Alpha → Beta): Device plugins can now report health directly into Pod status (Datadog).

  • Recursive Read-Only Mounts (Stable): A stronger safeguard for container file systems (Kubernetes Blog).

Conclusion

Kubernetes 1.34 delivers a combination of production-ready enhancements without operational disruption. The graduation of DRA to stable status positions Kubernetes for the AI/ML workload demands of modern infrastructure, while security improvements like ServiceAccount token integration and CEL-based policies reduce operational overhead and attack surface.

For engineering teams, this release offers immediate value through improved scheduler performance, enhanced observability, and safer configuration management via KYAML. The emphasis on production stability, combined with features for AI workloads and advanced policy management, establishes 1.34 as a foundational release for the next phase of Kubernetes adoption in enterprise environments.

Official Kubernetes Sources

  1. Kubernetes v1.34 Sneak Peek - https://kubernetes.io/blog/2025/07/28/kubernetes-v1-34-sneak-peek/
  2. Kubernetes v1.34 Release Information - https://www.kubernetes.dev/resources/release/

Enhancement Proposals (KEPs)

  1. Mutating Admission Policies KEP - https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3962-mutating-admission-policies
  2. KYAML Enhancement - https://github.com/kubernetes/enhancements/issues/5295

Third-Party Analysis

  1. Cloudsmith: Kubernetes 1.34 Release Notes - https://cloudsmith.com/blog/kubernetes-1-34-what-you-need-to-know
  2. Palark: Kubernetes 1.34 Deep Dive - https://blog.palark.com/kubernetes-1-34-release-features/
  3. Modul8: Top Kubernetes 1.34 Changes - https://modul8.dev/top-kubernetes-1-34-changes-devops-teams-cant-miss-in-2025/
  4. Pet2cattle: Mutating Admission Policy - https://pet2cattle.com/2025/02/mutating-admission-policy