ACK Kubernetes 1.36 release notes


Alibaba Cloud Container Service for Kubernetes (ACK) follows Kubernetes community conformance certification. Review the component versions, major changes, feature updates, and deprecations in Kubernetes 1.36 to prepare for cluster upgrades.

Component versions

The following table lists the supported versions of core ACK cluster components for Kubernetes 1.36.

Component     Version
Kubernetes    1.36.1-aliyun.1
etcd          3.6.10
containerd    2.1.6
CoreDNS       1.12.1.3
CSI           For the latest versions of csi-plugin and csi-provisioner, see the csi-plugin and csi-provisioner release notes.
CNI           Flannel: 0.28.0.6; Terway and TerwayControlplane: 1.15.0 or later

Major changes

The .spec.externalIPs field of Service is deprecated in Kubernetes 1.36 and planned for complete removal in 1.43. For many years, this field has been a known security risk that can expose cluster traffic to man-in-the-middle attacks (see CVE-2020-8554). If you are currently using this field, migrate to alternative solutions as soon as possible.

Feature updates

The following features have changed status in Kubernetes 1.36.

General availability (GA)

  • VolumeGroupSnapshot — Allows creating consistent snapshots across multiple persistent volume claims (PVCs) simultaneously, reducing the risk of data inconsistency caused by asynchronous snapshots.

  • Mutable CSINode allocatable — Allows CSI drivers to dynamically update the number of mountable volumes on a node, avoiding inaccurate scheduling or mount failures caused by outdated volume mount limit information.

  • MutatingAdmissionPolicies — Allows administrators to define resource mutation rules using Common Expression Language (CEL) directly in the API server, providing a native alternative to traditional admission webhooks for many scenarios. Compared to custom webhooks, it reduces network and operational overhead and delivers more predictable cluster behavior.

  • UserNamespacesSupport — Enables Linux user namespace support for pods to enhance security. This capability does not affect existing pods. Manually specify pod.spec.hostUsers to opt in.

  • Dynamic Resource Allocation (DRA) capabilities — Key DRA capabilities, including admin access and prioritized lists, have graduated to Stable, providing a long-term stable API foundation for hardware resource management and consistent, predictable resource selection. Several additional features have been promoted to Beta. For more information, see the Kubernetes 1.36 DRA Updates.

Beta

  • KubeletPSI — Allows you to gather Pressure Stall Information (PSI) metrics from the kubelet through the Summary API and Prometheus endpoints.

  • StrictIPCIDRValidation — Strengthens validation of IP and CIDR fields in the API, allowing earlier detection of malformed addresses and network segments. This helps avoid configuration issues or security risks caused by invalid IPs or CIDRs in Services, Pods, and NetworkPolicies.

  • MutablePodResourcesForSuspendedJobs — Enabled by default. Allows modifying the CPU, memory, GPU, and extended resource requests and limits of a container when its Job is suspended.

  • ConstrainedImpersonation — Makes the user impersonation mechanism more compliant with the principle of least privilege. When enabled, the impersonator must have both the permission to impersonate an identity and the permission to perform specific actions as that identity.

  • ComponentStatusz — Enabled by default. Provides a /statusz endpoint for core Kubernetes components that displays build and version information in real time, such as startup time, uptime, Go version, binary version, and compatible versions.

  • ComponentFlagz — Enabled by default. Provides a unified /flagz endpoint for core Kubernetes components that displays the actual command-line parameters in effect when the component started. This helps troubleshoot configuration issues or verify that parameter changes take effect after a restart.

Other improvements

  • Staleness mitigation for controllers — Reduces incorrect operations, conflicting updates, and data corruption caused by controllers acting on a stale local cache that reflects an outdated cluster state.

Deprecations

  • Service .spec.externalIPs — Starting in Kubernetes 1.36, the spec.externalIPs field is deprecated and planned for complete removal in version 1.43. If you are currently using this field, migrate to alternative solutions as soon as possible.

  • gitrepo volume driver — The gitrepo volume plugin is permanently disabled starting in Kubernetes 1.36. Use alternatives such as init containers or external git-sync tools.
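Before upgrading, it is worth inventorying every Service that still sets the deprecated .spec.externalIPs field described under Major changes and in the deprecation entry above. The following script is an added example, not part of the ACK release notes or of any Alibaba Cloud tooling: it reads the JSON produced by kubectl get services --all-namespaces -o json and reports the Services that must be migrated; the embedded sample Service list, its namespaces, names and the 203.0.113.10 address are constructed for the example.

```python
"""Audit a kubectl Service dump for the deprecated .spec.externalIPs field.

Usage against a live cluster (the file is the output of
  kubectl get services --all-namespaces -o json > services.json):
  python audit_external_ips.py services.json
Without an argument the constructed sample below is audited instead.
"""
import json
import sys

# Constructed sample in the shape of `kubectl get svc -A -o json`; the
# namespaces, names and address are made up for this example.
SAMPLE_SERVICE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
        {"metadata": {"namespace": "payments", "name": "api"},
         "spec": {"type": "LoadBalancer"}},
        {"metadata": {"namespace": "ops", "name": "metrics"},
         "spec": {"type": "ClusterIP", "externalIPs": []}},
    ],
}


def find_external_ip_services(service_list):
    """Return (namespace, name, externalIPs) for every Service with a
    non-empty .spec.externalIPs, i.e. every object that must be migrated
    before the field is removed in 1.43. Empty or absent lists are skipped."""
    findings = []
    for svc in service_list.get("items", []):
        ips = svc.get("spec", {}).get("externalIPs") or []
        if ips:
            meta = svc["metadata"]
            findings.append((meta["namespace"], meta["name"], list(ips)))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            service_list = json.load(fh)
    else:
        service_list = SAMPLE_SERVICE_LIST
    findings = find_external_ip_services(service_list)
    for ns, name, ips in findings:
        print(f"{ns}/{name} uses .spec.externalIPs: {', '.join(ips)}")
    # Non-zero exit status lets an upgrade pre-check or CI job fail on any hit.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```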
