Kubernetes v1.36: Security Defaults Tighten and AI Workload Support Matures
Kubernetes v1.36 (Haru) ships 70 enhancements with two focus areas: security hardening through User Namespaces and Mutating Admission Policies reaching GA, and AI workload support via DRA enhancements and Workload-Aware Preemption for distributed training jobs.
Kubernetes 1.36, codenamed Haru, has arrived as the first major release of 2026. The project shipped 70 enhancements across three maturity tiers: 18 features graduating to Stable (GA), 25 entering Beta, and 25 new Alpha features. This release is defined by two dominant themes — security hardening through long-anticipated feature graduations, and the maturation of Kubernetes as a platform for AI and machine learning workloads.
If you are running production clusters or evaluating where Kubernetes is heading in 2026, here is what actually matters in v1.36.
User Namespaces Reach General Availability
The headline GA feature in v1.36 is User Namespaces — a security primitive that has been in development across multiple release cycles before finally reaching maturity. This feature maps a container's root user to a non-privileged user on the host node, meaning that even if a process escapes its container, it does not gain administrative access to the underlying host.
For teams running multi-tenant clusters or workloads with untrusted code, this is a genuine security improvement: a container breakout no longer automatically lands you root on the node, and capabilities granted inside the pod (even CAP_SYS_ADMIN) are scoped to the pod's user namespace rather than the host's. It is containment, not a cure: a kernel bug that escapes the user namespace itself still yields host privileges, and hostPath volumes or host namespaces hand out host access regardless of UID mapping, so seccomp, AppArmor and dropped capabilities still matter. Within those limits it changes the threat model for shared infrastructure significantly.
To opt a workload in, set hostUsers: false in the Pod spec (a top-level pod field, not a securityContext setting; the default, true, keeps the container in the host's user namespace). The node needs a Linux kernel new enough for idmapped mounts on the filesystems your pods use (6.3 or later covers the common cases) and a container runtime that implements the feature (containerd 2.0 or later, CRI-O 1.25 or later). A pod with hostUsers: false cannot also set hostNetwork, hostPID or hostIPC; the API server rejects that combination. To confirm the remapping actually happened, read /proc/self/uid_map inside the container: a remapped pod shows container UID 0 mapped to a large host UID, while an unremapped one shows the identity mapping 0 0 4294967295.
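A way to check both ends of this in practice, as an added example (plain Python, not Kubernetes project code): it parses the /proc/<pid>/uid_map a process sees inside the container and translates container UIDs to host UIDs, then statically audits a Pod manifest for the settings that defeat the remapping. The uid_map samples and the two Pod manifests are constructed; the 65536-ID range is an assumption mirroring the per-pod range the kubelet allocates.

```python
"""Verify user-namespace remapping from inside a container, and audit a Pod for it.

Added example, not Kubernetes project code. The uid_map contents and the Pod
manifests below are constructed samples, not captured from a node.
"""
from __future__ import annotations


def parse_uid_map(text: str) -> list[tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map: one '<inside-start> <outside-start> <length>' per line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        entries.append((int(parts[0]), int(parts[1]), int(parts[2])))
    return entries


def host_uid_for(uid_map: list[tuple[int, int, int]], inside_uid: int) -> int | None:
    """Translate a UID seen inside the container to the host UID it really is.
    None means the UID is not mapped (the host sees the overflow UID, 'nobody')."""
    for inside, outside, length in uid_map:
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None


def root_is_remapped(uid_map: list[tuple[int, int, int]]) -> bool:
    """True when container UID 0 is some host UID other than 0: the property the feature gives you."""
    host = host_uid_for(uid_map, 0)
    return host is not None and host != 0


def audit_pod(pod: dict) -> list[str]:
    """Static check on a Pod manifest (as a dict): is remapping requested, and is it
    combined with settings that still hand out host-level access?"""
    spec = pod.get("spec", {})
    findings = []
    if spec.get("hostUsers", True):  # absent or true: the pod shares the host user namespace
        findings.append("spec.hostUsers is not false: container root is host root")
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"{ns}: true keeps the pod in a host namespace "
                            "(and is rejected together with hostUsers: false)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')} is a hostPath; UID remapping "
                            "does not protect the host files it exposes")
    return findings


# Constructed uid_map contents. A kubelet-allocated pod gets a 65536-ID range (assumption);
# a non-remapped container shows the identity mapping of the host.
REMAPPED_UID_MAP = "         0    1879048192      65536\n"
IDENTITY_UID_MAP = "         0          0 4294967295\n"

# Constructed manifests: one that opts in correctly, one that cannot benefit.
POD_OK = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "untrusted-job"},
          "spec": {"hostUsers": False,
                   "containers": [{"name": "job", "image": "example/untrusted:1"}]}}
POD_BAD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-agent"},
           "spec": {"hostNetwork": True,
                    "containers": [{"name": "agent", "image": "example/agent:1"}],
                    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}

if __name__ == "__main__":
    for label, text in (("remapped", REMAPPED_UID_MAP), ("identity", IDENTITY_UID_MAP)):
        m = parse_uid_map(text)
        print(f"{label}: root -> host uid {host_uid_for(m, 0)}, remapped={root_is_remapped(m)}")
    for pod in (POD_OK, POD_BAD):
        print(pod["metadata"]["name"], audit_pod(pod) or "ok")
```

Running the first half against a real pod is a one-liner: exec into the container, cat /proc/self/uid_map, and feed the output to parse_uid_map; if root_is_remapped returns False on a pod you set hostUsers: false on, the node's runtime or kernel is not honoring the field and the pod should not be treated as contained.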
Mutating Admission Policies Go GA
Mutating Admission Policies reaching GA is another significant milestone. Previously, teams that needed to mutate incoming requests had to deploy and maintain separate webhook servers — extra infrastructure, extra latency, extra operational burden.
With v1.36, you define the mutation as a native Kubernetes object whose logic is a Common Expression Language (CEL) expression evaluated in-process by the API server. There is no webhook endpoint to run, no serving certificate to rotate, and no network hop on every admission; the trade-off is that the mutation must be expressible in CEL over the request object (and optional parameter resources), so logic that needs an external lookup still belongs in a webhook. A policy takes effect only once a MutatingAdmissionPolicyBinding selects it.
A practical example: a policy that injects a sidecar into any Pod that opts in with an annotation. Because the API server can reinvoke mutating plugins, it also checks that the sidecar is not already present, so the policy is idempotent:
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicy
metadata:
  name: auto-sidecar-inject
spec:
  failurePolicy: Fail
  reinvocationPolicy: IfNeeded
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE"]
      resources:   ["pods"]
  matchConditions:
  # Opt-in by annotation; has() guards against pods with no annotations map at all.
  - name: opted-in
    expression: "has(object.metadata.annotations) && 'inject-sidecar' in object.metadata.annotations"
  # Keeps the policy idempotent when the API server reinvokes it.
  - name: not-already-injected
    expression: "!object.spec.containers.exists(c, c.name == 'observability-sidecar')"
  mutations:
  - patchType: JSONPatch
    jsonPatch:
      expression: >
        [JSONPatch{
          op: "add", path: "/spec/containers/-",
          value: Object.spec.containers{name: "observability-sidecar", image: "otel/injector:v1"}
        }]
---
# Nothing happens until a binding selects the policy.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: auto-sidecar-inject
spec:
  policyName: auto-sidecar-inject
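To see what the policy actually does to a request, and why the second match condition matters, here is an added simulation in plain Python (not the API server's CEL engine and not project code). It reimplements the policy's pieces: the opt-in annotation check, the already-injected guard, and a minimal RFC 6902 add for the /spec/containers/- path, then runs an unguarded variant through repeated invocations to show the duplicate-injection bug. The annotation name, sidecar image and sample Pods are the ones assumed in the policy above.

```python
"""Simulate the sidecar-injection policy and its reinvocation behaviour.

Added example in plain Python: it models the policy's semantics, it is not the
CEL evaluator and not project code. Sample Pods below are constructed.
"""
import copy

ANNOTATION = "inject-sidecar"  # assumed opt-in annotation, as in the policy
SIDECAR = {"name": "observability-sidecar", "image": "otel/injector:v1"}  # assumed image


def json_patch_add(doc: dict, path: str, value) -> dict:
    """Minimal RFC 6902 'add': object keys, list indexes and '-' (append). Returns a new doc."""
    result = copy.deepcopy(doc)
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.lstrip("/").split("/")]
    target = result
    for tok in tokens[:-1]:
        target = target[int(tok)] if isinstance(target, list) else target[tok]
    last = tokens[-1]
    if isinstance(target, list):
        if last == "-":
            target.append(value)
        else:
            target.insert(int(last), value)
    else:
        target[last] = value
    return result


def opted_in(pod: dict) -> bool:
    """matchCondition 'opted-in': annotations map exists and carries the key."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return ANNOTATION in annotations


def already_injected(pod: dict) -> bool:
    """matchCondition 'not-already-injected', negated."""
    return any(c.get("name") == SIDECAR["name"]
               for c in pod.get("spec", {}).get("containers", []))


def admit(pod: dict) -> dict:
    """One admission pass of the guarded policy. The input is never mutated in place."""
    if not opted_in(pod) or already_injected(pod):
        return pod
    return json_patch_add(pod, "/spec/containers/-", dict(SIDECAR))


def admit_unguarded(pod: dict) -> dict:
    """The same mutation without the already-injected guard: what the naive policy does."""
    if not opted_in(pod):
        return pod
    return json_patch_add(pod, "/spec/containers/-", dict(SIDECAR))


def reinvoke(admit_fn, pod: dict, rounds: int = 2) -> dict:
    """The API server may call a mutating plugin more than once per request;
    a correct policy is a fixed point under repeated invocation."""
    for _ in range(rounds):
        pod = admit_fn(pod)
    return pod


def container_names(pod: dict) -> list:
    return [c["name"] for c in pod["spec"]["containers"]]


# Constructed sample Pods: one opted in, one without the annotation.
POD_OPTED_IN = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "web", "annotations": {ANNOTATION: "true"}},
                "spec": {"containers": [{"name": "web", "image": "example/web:1"}]}}
POD_PLAIN = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "db"},
             "spec": {"containers": [{"name": "db", "image": "example/db:1"}]}}

if __name__ == "__main__":
    print("guarded, 3 rounds:  ", container_names(reinvoke(admit, POD_OPTED_IN, 3)))
    print("unguarded, 3 rounds:", container_names(reinvoke(admit_unguarded, POD_OPTED_IN, 3)))
    print("no annotation:      ", container_names(admit(POD_PLAIN)))
```

The unguarded variant ends up with one sidecar per invocation, which is exactly the failure the not-already-injected condition prevents; the same guard also stops the policy from clobbering a container the pod author deliberately named observability-sidecar.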
Fine-Grained Kubelet API Authorization
Before this change, the kubelet's authorizer mapped only /metrics, /stats, /logs and /spec to their own node subresources; /pods, /healthz, /configz and everything else, including exec, run, attach and port-forward, fell under the catch-all nodes/proxy. A monitoring agent that needed to list the pods on a node therefore had to hold nodes/proxy, which also let it run commands in any container on that node. Fine-Grained Kubelet API Authorization (feature gate KubeletFineGrainedAuthz) gives /pods, /healthz and /configz their own subresources, with nodes/proxy still honored as a fallback for those endpoints so existing roles keep working.
A scrape agent can now be granted get on nodes/metrics, nodes/stats and nodes/pods and nothing else: read-only access to the data it needs, with no path to exec, attach or port-forward. If those credentials are compromised, the attacker gets metrics, not a shell. Because of the fallback, the safe order is to add the fine-grained grants first, confirm the agent still works, and only then remove nodes/proxy from its role.
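A concrete way to compare the two roles, as an added example (plain Python, not kubelet code): a model of the kubelet's authorizer for requests sent directly to the kubelet port, used to probe which endpoints a given set of RBAC rules unlocks. The path-to-subresource table is an assumption drawn from the authorizer's documented mapping described above (exec, run, attach and portForward stay under nodes/proxy; the three fine-grained subresources fall back to nodes/proxy); the two roles are constructed for comparison.

```python
"""Which kubelet endpoints does an RBAC rule unlock?

Added example, not kubelet code. Models the node authorizer's path mapping for
direct kubelet requests (an assumption, see the comments); the roles are constructed.
"""
from __future__ import annotations

# (path prefix, node subresource); first match wins. Anything else is nodes/proxy.
PATH_TO_SUBRESOURCE = [
    ("/metrics", "metrics"),
    ("/stats", "stats"),
    ("/logs", "log"),
    ("/spec", "spec"),
    ("/pods", "pods"),        # fine-grained: was nodes/proxy
    ("/healthz", "healthz"),  # fine-grained: was nodes/proxy
    ("/configz", "configz"),  # fine-grained: was nodes/proxy
]
PROXY_FALLBACK = {"pods", "healthz", "configz"}  # nodes/proxy still grants these
HTTP_VERB = {"GET": "get", "POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}


def required_permission(path: str, method: str = "GET") -> tuple[str, str]:
    """Return the (subresource, verb) the kubelet checks for a request."""
    verb = HTTP_VERB.get(method.upper(), method.lower())
    for prefix, sub in PATH_TO_SUBRESOURCE:
        if path == prefix or path.startswith(prefix + "/"):
            return sub, verb
    return "proxy", verb  # exec, run, attach, portForward, debug, ...


def rule_grants(rules: list[dict], subresource: str, verb: str) -> bool:
    """Does any rule in the core API group grant `verb` on nodes/<subresource>?"""
    for rule in rules:
        groups = rule.get("apiGroups", [""])
        if "" not in groups and "*" not in groups:
            continue
        resources, verbs = rule.get("resources", []), rule.get("verbs", [])
        if (f"nodes/{subresource}" in resources or "*" in resources) and (verb in verbs or "*" in verbs):
            return True
    return False


def allowed(rules: list[dict], path: str, method: str = "GET") -> bool:
    """Fine-grained check first, then the compatibility fallback to nodes/proxy."""
    sub, verb = required_permission(path, method)
    if rule_grants(rules, sub, verb):
        return True
    return sub in PROXY_FALLBACK and rule_grants(rules, "proxy", verb)


def shell_capable(rules: list[dict]) -> bool:
    """The blast-radius question: can this identity exec into containers on the node?"""
    return allowed(rules, "/exec/ns/pod/ctr", "POST")


def exposure(rules: list[dict]) -> dict[str, bool]:
    """Probe the endpoints a leaked credential could reach."""
    probes = [("/metrics/cadvisor", "GET"), ("/stats/summary", "GET"), ("/pods", "GET"),
              ("/healthz", "GET"), ("/logs/", "GET"), ("/exec/ns/pod/ctr", "POST"),
              ("/run/ns/pod/ctr", "POST"), ("/portForward/ns/pod", "POST")]
    return {f"{m} {p}": allowed(rules, p, m) for p, m in probes}


# Constructed roles: the old monitoring grant versus the least-privilege one.
BROAD_MONITORING = [
    {"apiGroups": [""], "resources": ["nodes/metrics", "nodes/proxy"], "verbs": ["get", "create"]},
]
LEAST_PRIVILEGE_MONITORING = [
    {"apiGroups": [""], "resources": ["nodes/metrics", "nodes/stats", "nodes/pods"], "verbs": ["get"]},
]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD_MONITORING), ("least-privilege", LEAST_PRIVILEGE_MONITORING)):
        print(name, "shell_capable =", shell_capable(rules))
        for probe, ok in exposure(rules).items():
            print(f"  {probe:24} {'allow' if ok else 'deny'}")
```

Point exposure() at the rules of a real ClusterRole (kubectl get clusterrole NAME -o json, field rules) to see which kubelet endpoints it reaches; any monitoring identity for which shell_capable() is True is holding more than it needs.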
AI Workload Support: DRA and Preemption
The AI story in v1.36 is about defaults catching up to two years of accumulated requirements from teams running distributed training jobs. Several Dynamic Resource Allocation (DRA) enhancements reach Beta and ship enabled by default.
DRA Partitionable Devices, DRA Consumable Capacity, and DRA Device Taints and Tolerations all flip on without explicit feature gate configuration. Together they replace the device plugin model, in which a GPU was an opaque integer resource handed out whole regardless of actual utilization. The new primitives express how modern accelerators are partitioned, shared, and drained when they fail.
The most impactful new Alpha feature for AI workloads is Workload-Aware Preemption. Until now the scheduler preempted on behalf of one pending pod at a time. For a distributed training job with eight ranks, that could evict enough lower-priority pods to place seven ranks and then stall on the eighth: seven GPUs held by pods that cannot make progress, and victims evicted for nothing. That partial-preemption failure mode has frustrated teams for years.
The new behavior treats a PodGroup as a single preemption unit: the scheduler first checks that, after the candidate evictions, every pod in the high-priority group fits, and only then evicts anyone. If the group cannot fit, nothing is evicted and the cluster keeps running what it had.
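The difference is easiest to see on a toy cluster. The following is an added simulation in plain Python (not scheduler code): nodes carry a GPU count, pods carry a priority and a GPU request, a pod may evict only pods of strictly lower priority, and there are no PodDisruptionBudgets, graceful termination or scoring. The three-node cluster and the training group are constructed so that only two of three ranks can ever be placed.

```python
"""Per-pod versus group-level preemption on a toy GPU cluster.

Added example, not scheduler code: a simplified model of the behaviour the
section describes. The cluster and training group are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    priority: int
    gpus: int
    group: str | None = None


@dataclass
class Node:
    name: str
    capacity: int
    pods: list[Pod] = field(default_factory=list)

    def free(self) -> int:
        return self.capacity - sum(p.gpus for p in self.pods)


def victims_for(node: Node, pod: Pod) -> list[Pod] | None:
    """Lowest-priority pods whose eviction makes room for `pod` on `node`:
    [] if it already fits, None if it cannot fit even after evicting everything below it."""
    freed = node.free()
    if freed >= pod.gpus:
        return []
    chosen: list[Pod] = []
    lower = sorted((p for p in node.pods if p.priority < pod.priority), key=lambda p: p.priority)
    for victim in lower:
        chosen.append(victim)
        freed += victim.gpus
        if freed >= pod.gpus:
            return chosen
    return None


def plan(nodes: list[Node], pods: list[Pod]):
    """Dry run: place each pod in turn on a scratch copy so later pods see earlier decisions.
    Returns (placements, unplaced); a placement is (pod, node, victims)."""
    scratch = {n.name: list(n.pods) for n in nodes}
    placements, unplaced = [], []
    for pod in pods:
        for node in nodes:
            view = Node(node.name, node.capacity, scratch[node.name])
            victims = victims_for(view, pod)
            if victims is not None:
                scratch[node.name] = [p for p in view.pods if p not in victims] + [pod]
                placements.append((pod, node, victims))
                break
        else:
            unplaced.append(pod)
    return placements, unplaced


def commit(placements) -> list[str]:
    """Apply evictions and placements to the real nodes; return evicted pod names."""
    evicted = []
    for pod, node, victims in placements:
        for v in victims:
            node.pods.remove(v)
            evicted.append(v.name)
        node.pods.append(pod)
    return evicted


def preempt_per_pod(nodes: list[Node], group: list[Pod]) -> dict:
    """Classic behaviour: each pod is its own preemption unit and partial progress is committed."""
    placements, unplaced = plan(nodes, group)
    return {"placed": len(placements), "pending": len(unplaced), "evicted": commit(placements)}


def preempt_as_group(nodes: list[Node], group: list[Pod]) -> dict:
    """Workload-aware behaviour: evict only when the whole group fits in the dry run."""
    placements, unplaced = plan(nodes, group)
    if unplaced:
        return {"placed": 0, "pending": len(group), "evicted": []}
    return {"placed": len(placements), "pending": 0, "evicted": commit(placements)}


def cluster() -> list[Node]:
    """Three 4-GPU nodes: two run low-priority batch jobs, one runs a serving workload
    whose priority is above the training job's, so it is never a victim."""
    return [Node("gpu-a", 4, [Pod("batch-1", 1, 4)]),
            Node("gpu-b", 4, [Pod("batch-2", 1, 4)]),
            Node("gpu-c", 4, [Pod("serving", 100, 4)])]


def training_group(ranks: int) -> list[Pod]:
    return [Pod(f"train-rank{i}", 50, 4, group="train") for i in range(ranks)]


if __name__ == "__main__":
    print("per-pod: ", preempt_per_pod(cluster(), training_group(3)))
    print("as-group:", preempt_as_group(cluster(), training_group(3)))
```

With three ranks, per-pod preemption evicts both batch jobs, places two ranks that then idle waiting for the third, and the cluster is worse off than before; group preemption evicts nothing. Shrink the group to two ranks and both strategies evict the same two batch jobs, which is the point: the new behaviour only withholds evictions that would not have bought a runnable job.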
Other Notable Beta Features
Mutable Pod Resources for Suspended Jobs moves to Beta and is enabled by default. This allows a queue controller to suspend a running job, adjust its CPU, memory, GPU, or extended resource requests to match available cluster capacity, and then unsuspend it without destroying and recreating pods.
In-Place Vertical Scaling for Pod-Level Resources also reaches Beta with default enablement. You can now resize a pod's CPU and memory envelope without restarting containers. A new ResizeDeferred event type ensures that when a resize cannot be applied immediately due to insufficient node capacity, the pod continues running at its existing size while the kubelet retries the resize once capacity becomes available.
On API scalability, v1.36 introduces sharded list and watch streams as Alpha. Large clusters encounter watch stream bottlenecks because all watchers receive updates through a single connection per resource type. The sharded approach distributes load across multiple streams — critical for deployments managing thousands of resources.
Upgrade Considerations
Teams planning an upgrade should be aware of several removals. The gitRepo volume plugin is permanently removed after being deprecated since v1.11. The kubelet implemented it by running git on the node as root against repository content the pod author controlled, which allowed code execution as root on the node; migrate to an init container or a git-sync sidecar that clones into an emptyDir before upgrading.
IPVS mode in kube-proxy is also removed. Switch to the default iptables mode or to nftables mode, or to a CNI that replaces kube-proxy with an eBPF datapath, and audit every kube-proxy configuration for mode: ipvs before upgrading. Flex-volume support in kubeadm and the Portworx in-tree driver are also removed in this release.
Take-aways
Kubernetes v1.36 is a maturity release. The security improvements — User Namespaces and fine-grained kubelet authorization — are meaningful for multi-tenant deployments. AI workload primitives signal Kubernetes settling as the default orchestration layer for ML infrastructure.
If you are running GPU workloads or managing large clusters, v1.36 delivers features addressing real operational pain points. The upgrade path is straightforward for most teams.