The Kubernetes project closes 2025 with version 1.35, codenamed "Timbernetes" (The World Tree Release), inspired by Yggdrasil from Norse mythology—the tree of life connecting multiple realms. This release delivers 60 enhancements across 17 stable, 19 beta, and 22 alpha features.
Released on December 17, 2025, approximately four months after Kubernetes 1.34 (Of Wind & Will), version 1.35 addresses critical production needs while pruning technical debt. The release focuses on zero-downtime operations, enhanced security, and AI/ML workload support—all while maintaining backward compatibility.
The "Timbernetes" theme reflects:
As Drew Hagen, the 1.35 release lead, explained: "The project keeps growing into branches, and the product is rooting itself to be a very mature foundation for things like AI and edge going into the future."
KEP: KEP-1287: In-Place Update of Pod Resources
Impact: Production game-changer
After 6 years in development (first proposed in 2019), you can now adjust CPU and memory resources without restarting Pods. This eliminates downtime for:
```yaml
# In-place update → zero downtime
spec:
  containers:
  - name: app
    resources:
      requests:
        cpu: 200m # Updated live via cgroups!
```
Requirements: Nodes must use cgroups v2 (v1 is now deprecated in 1.35).
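To make the new capability safe to use, an operator wants to know up front whether a given resize is one the kubelet will accept. The following is an added example (not code from the release notes) that validates a resize request against two rules of the documented API, which the page itself does not spell out and are therefore assumptions here: a resize may not change the Pod's QoS class, and a memory limit may only shrink when the container's memory `resizePolicy` is `RestartContainer`. The sample Pod is constructed; the returned body is what `kubectl patch pod NAME --subresource resize --type merge -p` would send.

```python
"""Pre-flight checks for an in-place Pod resize (added example; sample Pod is constructed).
Assumed rules: the QoS class may not change, and a memory limit may only shrink when the
container's memory resizePolicy is RestartContainer."""
import copy

SUFFIX = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
          "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}
SAMPLE_POD = {"metadata": {"name": "app-0"}, "spec": {"containers": [{
    "name": "app",
    "resizePolicy": [{"resourceName": "cpu", "restartPolicy": "NotRequired"},
                     {"resourceName": "memory", "restartPolicy": "RestartContainer"}],
    "resources": {"requests": {"cpu": "200m", "memory": "256Mi"},
                  "limits": {"cpu": "500m", "memory": "512Mi"}}}]}}

def quantity(q):
    """Convert a Kubernetes quantity such as '200m' or '512Mi' to a plain number."""
    num = q.rstrip("kMGim")
    return float(num) * SUFFIX[q[len(num):]]

def qos_class(containers):
    """Derive the QoS class the way the kubelet does: Guaranteed, Burstable or BestEffort."""
    reqs = [c.get("resources", {}).get("requests", {}) for c in containers]
    lims = [c.get("resources", {}).get("limits", {}) for c in containers]
    if not any(reqs) and not any(lims):
        return "BestEffort"
    guaranteed = all(
        lim.get("cpu") and lim.get("memory")
        and all(quantity(req.get(k, lim[k])) == quantity(lim[k]) for k in ("cpu", "memory"))
        for req, lim in zip(reqs, lims))
    return "Guaranteed" if guaranteed else "Burstable"

def resize_patch(pod, name, requests=None, limits=None):
    """Check a live resize of one container and return the merge-patch body, or raise."""
    new = copy.deepcopy(pod)
    target = next((c for c in new["spec"]["containers"] if c["name"] == name), None)
    if target is None:
        raise ValueError(f"no container named {name}")
    res = target.setdefault("resources", {})
    old_mem = res.get("limits", {}).get("memory")
    res.setdefault("requests", {}).update(requests or {})
    res.setdefault("limits", {}).update(limits or {})
    new_mem = res["limits"].get("memory")
    if old_mem and new_mem and quantity(new_mem) < quantity(old_mem):
        policy = {p["resourceName"]: p["restartPolicy"] for p in target.get("resizePolicy", [])}
        if policy.get("memory", "NotRequired") != "RestartContainer":
            raise ValueError("memory limit can only shrink with resizePolicy RestartContainer")
    if qos_class(new["spec"]["containers"]) != qos_class(pod["spec"]["containers"]):
        raise ValueError("resize would change the Pod's QoS class")
    return {"spec": {"containers": [{"name": name, "resources": res}]}}
```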
KEP: KEP-4317: Pod Certificates
Impact: Simplifies service mesh and zero-trust architectures
Native workload identity without external dependencies like cert-manager or SPIFFE/SPIRE. The kubelet now requests and rotates certificates for Pods through the PodCertificateRequest API.
Use Cases:
Limitation: Beta feature requires enabling PodCertificates feature gate.
KEP: KEP-5328: Node Declared Features
Impact: Prevents scheduling failures due to feature mismatches
The Problem: When control planes enable new features but nodes lag (permitted by Kubernetes version skew policy), Pods requiring new features can land on incompatible older nodes.
The Solution: Nodes publish supported features via .status.declaredFeatures field. The scheduler and admission controllers validate compatibility before scheduling.
Example Scenario:
```yaml
# Node reports its capabilities
apiVersion: v1
kind: Node
metadata:
  name: node-1
status:
  declaredFeatures:
  - name: "UserNamespaces"
    version: "1.35"
  - name: "InPlacePodVerticalScaling"
    version: "1.35"
```
Benefit: Eliminates "Pod scheduled but won't start" failures.
KEP: KEP-3015: PreferSameNode Traffic Distribution
Impact: Explicit control over traffic routing
The trafficDistribution field gets clearer semantics:
- PreferSameZone (renamed from PreferClose)
- PreferSameNode (new)
Use Case: Latency-sensitive microservices requiring node-local communication.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: redis-cache
spec:
  trafficDistribution: PreferSameNode # New option!
  selector:
    app: redis
```
Backward Compatibility: PreferClose still works but PreferSameZone is the new standard.
managedBy Field (STABLE)
KEP: KEP-4368: Job Managed By Mechanism
Impact: Clean delegation for multi-cluster job orchestration
Allows external controllers (like Kueue's MultiKueue) to handle Job status synchronization across clusters.
How It Works: a Job whose spec.managedBy names an external controller is left alone by the built-in Job controller; the external controller owns status synchronization for it.
Example:
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ml-training-job
spec:
  managedBy: "kueue.x-k8s.io/multikueue" # External controller
  template:
    spec:
      containers:
      - name: trainer
        image: ml-trainer:v2
```
KEP: KEP-2535
Impact: Multi-tenancy security for cached container images
Prevents unauthorized access to cached private images in shared clusters. Kubelet now verifies credentials even with imagePullPolicy: IfNotPresent.
How It Works: before reusing an image already present on the node, the kubelet checks that the Pod's pull credentials are valid for that image; Pods whose credentials fail the check end up in ImagePullBackOff instead of receiving the cached image.
Feature Gate: KubeletEnsureSecretPulledImages=true (enabled by default)
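The multi-tenancy risk and the fix are easiest to see side by side. The following is an added example, not kubelet code: a small model in which the kubelet remembers which credential successfully pulled each cached image, and a Pod using IfNotPresent may reuse the cache only if its credential already pulled that image (or the image was pulled anonymously); otherwise the credential is re-checked against the registry first. The registry, image names and tokens are constructed, and the legacy branch shows the pre-1.35 behaviour the feature closes off.

```python
"""Model of the KEP-2535 check on cached private images (added example, not kubelet code).
Registry, image names and tokens below are constructed for the demonstration."""
import hashlib


def cred_id(secret):
    """Hash the pull secret so the cache never stores the raw credential."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12] if secret else "anonymous"


class FakeRegistry:
    """Constructed registry: image -> set of tokens allowed to pull it (None means public)."""
    def __init__(self, acl):
        self.acl, self.calls = acl, 0

    def authorize(self, image, secret):
        self.calls += 1                      # each call is a network round trip in real life
        allowed = self.acl.get(image)
        return allowed is None or secret in allowed


class Kubelet:
    def __init__(self, registry, ensure_secret_pulled=True):
        self.registry, self.ensure = registry, ensure_secret_pulled
        self.cache = {}                      # image -> credential ids that have pulled it

    def run_pod(self, image, secret=None, policy="IfNotPresent"):
        """Return the Pod's outcome: 'Running' or 'ImagePullBackOff'."""
        cid = cred_id(secret)
        if policy == "IfNotPresent" and image in self.cache:
            if not self.ensure:              # legacy: cached layers are shared with any tenant
                return "Running"
            if cid in self.cache[image] or "anonymous" in self.cache[image]:
                return "Running"             # this credential (or nobody) already proved access
        if not self.registry.authorize(image, secret):
            return "ImagePullBackOff"        # credentials rejected: no access to the cache
        self.cache.setdefault(image, set()).add(cid)
        return "Running"
```

Tracking `FakeRegistry.calls` shows the other half of the design: a tenant whose credential already pulled the image is served from the cache with no extra registry round trip.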
KEP: KEP-4006
Impact: Modern streaming protocol replacing deprecated SPDY
Replaces SPDY/3.1 with WebSockets (RFC 6455) for kubectl exec, kubectl attach, and kubectl port-forward. Improves security and long-term maintainability.
How It Works: the client still runs the same command, for example:
```shell
kubectl exec -it pod-name -- /bin/bash
```
Under the hood the connection is negotiated with an HTTP `Upgrade: websocket` handshake instead of SPDY, and the RBAC `create` check on the streaming subresource is enforced.
Feature Gates: TranslateStreamCloseWebsocketRequests=true, PortForwardWebsockets=true (enabled by default)
Kubernetes 1.35 removes technical debt to enable future innovation:
Migration Target: nftables-based kube-proxy
Timeline: Deprecation in 1.35, removal likely in 1.37+
Reason: IPVS (IP Virtual Server) is being replaced by nftables, the modern Linux packet filtering framework offering:
Action Required: Test service mesh and network policies with nftables mode before migration deadline.
Migration Target: cgroups v2
Impact: Required for in-place Pod resource updates
Most modern distributions (RHEL 9+, Ubuntu 22.04+) use cgroups v2 by default. Older environments need OS upgrades.
Do not skip versions to maintain supportability.
| Feature | Short Explanation | KEP Link |
|---|---|---|
| In-Place Pod Resource Updates | Adjust CPU/memory without Pod restarts. Zero-downtime vertical scaling for AI/ML and stateful workloads. | KEP-1287 |
| Pod Metadata Generation | .metadata.generation field enables reliable change tracking. Controllers can verify kubelet processed updates. | KEP-5067 |
| Traffic Distribution: PreferSameNode | Explicit node-local traffic routing. PreferSameZone replaces ambiguous PreferClose. | KEP-3015 |
| Job API managedBy Field | External controllers (Kueue MultiKueue) can manage Job status. Enables multi-cluster job orchestration. | KEP-4368 |
| Configurable NUMA Node Limit | Topology Manager now supports 16+ NUMA nodes. Critical for modern high-end servers (AMD EPYC, Intel Xeon). | KEP-4622 |
| # | Feature Name | Short Explanation | KEP Link | SIG Owner |
|---|---|---|---|---|
| 1 | In-Place Pod Resource Updates | Modify CPU/memory requests/limits without recreating Pods. Requires cgroups v2. | KEP-1287 | SIG Node |
| 2 | Pod Metadata Generation | Pods now have .metadata.generation and .status.observedGeneration for reliable change tracking. | KEP-5067 | SIG Node |
| 3 | PreferSameNode Traffic Distribution | New Service traffic routing option for strict node-local endpoint preference. | KEP-3015 | SIG Network |
| 4 | PreferSameZone Traffic Distribution | Renamed from PreferClose for explicit zone-level routing semantics. | KEP-3015 | SIG Network |
| 5 | Job ManagedBy Mechanism | spec.managedBy field allows external controllers to own Job status synchronization. | KEP-4368 | SIG Apps |
| 6 | Topology Manager NUMA Node Limit | Configurable maxAllowableNUMANodes option (previously hard-coded to 8). | KEP-4622 | SIG Node |
| 7 | StatefulSet MaxUnavailable | rollingUpdate.maxUnavailable enables parallel Pod updates in StatefulSets. | KEP-961 | SIG Apps |
| 8 | PersistentVolume Last Phase Transition Time | .status.lastPhaseTransitionTime tracks when PV phase last changed. | KEP-3762 | SIG Storage |
| 9 | CSI Node Expansion Secret Support | CSI drivers can use Secrets during node-side volume expansion. | KEP-3107 | SIG Storage |
| 10 | Bound Service Account Token Volume | Service account tokens projected as volumes with configurable expiration. | KEP-1205 | SIG Auth |
| 11 | Pod Deletion Cost | controller.kubernetes.io/pod-deletion-cost annotation influences ReplicaSet scale-down priority. | KEP-2255 | SIG Apps |
| 12 | Non-Graceful Node Shutdown | Pods from shutdown nodes are force-deleted to enable rescheduling. | KEP-2268 | SIG Storage |
| 13 | Kubelet Credential Providers | External credential provider plugins for image pull authentication. | KEP-2133 | SIG Node |
| 14 | CPUManager Static Policy | CPU pinning for guaranteed QoS Pods with exclusive CPU allocation. | KEP-3570 | SIG Node |
| 15 | Device Manager | Framework for advertising and allocating node devices (GPUs, FPGAs, etc.). | KEP-3573 | SIG Node |
| 16 | Windows HostProcess Containers | Run privileged containers on Windows nodes for infrastructure workloads. | KEP-1981 | SIG Windows |
| 17 | Efficient SELinux Relabeling | Parallel SELinux volume relabeling using mount options instead of recursive chcon. | KEP-1710 | SIG Storage |
| Feature Name | Short Explanation | KEP Link | SIG Owner |
|---|---|---|---|
| Ensure Secret Pulled Images | Multi-tenancy image access control. Verifies credentials even with IfNotPresent policy to prevent unauthorized access to cached images. | KEP-2535 | SIG Node, SIG Auth |
| WebSockets for Streaming | Replaces deprecated SPDY with modern WebSockets for kubectl exec, attach, and port-forward. Includes improved RBAC enforcement. | KEP-4006 | SIG API Machinery, SIG CLI |
| Pod Certificates | Native workload identity with automatic certificate generation and rotation by kubelet. Eliminates dependencies on external cert managers. | KEP-4317 | SIG Auth |
| Node Topology Downward API | Expose node topology labels (region, zone) directly to Pods via Downward API without API server queries. | KEP-4742 | SIG Node |
| Storage Version Migration | Native controller for automated storage version migration and re-encryption. No manual kubectl loops required. | KEP-4192 | SIG API Machinery |
| Mutable CSI Node Allocatable | Dynamic updates to CSI volume attachment capacity. Prevents pods from being scheduled to nodes with insufficient slots. | KEP-4876 | SIG Storage |
| Opportunistic Batch Scheduling | Batch scheduling for pods with identical signatures. Dramatically reduces scheduler overhead for large deployments. | KEP-5598 | SIG Scheduling |
Kubernetes 1.35 "Timbernetes" delivers on production-grade, zero-downtime operations while advancing AI/ML and edge computing capabilities. The graduation of in-place Pod resource updates alone justifies the upgrade for many production environments.
As the project matures, we see a shift from adding features to stabilizing existing capabilities and removing technical debt. The deprecation of IPVS and cgroups v1 reflects this maturity—Kubernetes is confident enough to prune old branches to strengthen the trunk.