Introduction: Growing Stronger, Branch by Branch
The Kubernetes project closes 2025 with version 1.35, codenamed "Timbernetes" (The World Tree Release), inspired by Yggdrasil from Norse mythology—the tree of life connecting multiple realms. This release delivers 60 enhancements across 17 stable, 19 beta, and 22 alpha features, marking another significant growth ring in Kubernetes’ evolution as the industry-standard container orchestration platform.
Released on December 17, 2025, approximately four months after Kubernetes 1.34 (Of Wind & Will), version 1.35 addresses critical production needs while pruning technical debt. The release focuses on zero-downtime operations, enhanced security, and AI/ML workload support—all while maintaining backward compatibility.
What’s New: The Big Picture
Release Statistics
- 60 total enhancements
- 17 features graduated to Stable (GA)
- 19 features promoted to Beta
- 22 new Alpha features
- Release Team: Led by Drew Hagen with contributors from the global Kubernetes community
- Supported Until: Approximately December 2026 (based on the standard 1-year support window)
Release Theme: The World Tree
The "Timbernetes" theme reflects:
- Deep Roots: Stable foundation maintained by global contributors
- Strong Trunk: Core features reaching maturity (GA status)
- Growing Branches: Beta and alpha features extending capabilities
- Global Canopy: Community spanning enterprises, startups, and open-source contributors
As Drew Hagen, the 1.35 release lead, explained: "The project keeps growing into branches, and the product is rooting itself to be a very mature foundation for things like AI and edge going into the future."
Top 5 Game-Changing Features in 1.35
1. In-Place Pod Resource Updates (STABLE) ⭐
KEP: KEP-1287: In-Place Update of Pod Resources
Impact: Production game-changer
After 6 years in development (first proposed in 2019), you can now adjust CPU and memory resources without restarting Pods. This eliminates downtime for:
- AI/ML training jobs requiring dynamic resource scaling
- Stateful applications that can’t tolerate restarts
- Edge computing workloads with complex dependencies
```yaml
# In-place update → zero downtime
spec:
  containers:
  - name: app
    resources:
      requests:
        cpu: 200m # Updated live via cgroups!
```
Requirements: Nodes must use cgroups v2 (v1 is now deprecated in 1.35).
2. Pod Certificates for Workload Identity (BETA)
KEP: KEP-4317: Pod Certificates
Impact: Simplifies service mesh and zero-trust architectures
Native workload identity without external dependencies like cert-manager or SPIFFE/SPIRE. The kubelet now:
- Generates keys inside Pods
- Requests certificates via PodCertificateRequest
- Writes credential bundles to the Pod filesystem
- Handles automated rotation
Use Cases:
- Pure mTLS flows without bearer tokens
- Service mesh identity without sidecars
- Compliance-friendly workload authentication
Limitation: Beta feature requires enabling PodCertificates feature gate.
3. Node Declared Features (ALPHA)
KEP: KEP-5328: Node Declared Features
Impact: Prevents scheduling failures due to feature mismatches
The Problem: When control planes enable new features but nodes lag (permitted by Kubernetes version skew policy), Pods requiring new features can land on incompatible older nodes.
The Solution: Nodes publish supported features via .status.declaredFeatures field. The scheduler and admission controllers validate compatibility before scheduling.
Example Scenario:
```yaml
# Node reports its capabilities
apiVersion: v1
kind: Node
metadata:
  name: node-1
status:
  declaredFeatures:
  - name: "UserNamespaces"
    version: "1.35"
  - name: "InPlacePodVerticalScaling"
    version: "1.35"
```
Benefit: Eliminates "Pod scheduled but won’t start" failures.
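To make the scheduling check concrete, here is an added example (not Kubernetes source code) of a minimal scheduler filter in the spirit of KEP-5328: it infers the features a Pod depends on and keeps only nodes whose .status.declaredFeatures cover them. The Pod-spec-to-feature mapping in pod_required_features is an assumption for illustration, not the exact rules of the alpha implementation.

```python
# Added example (not project code): scheduler filter modelled on
# KEP-5328 Node Declared Features. A node is eligible only if it
# declares every feature the Pod needs. The mapping from Pod spec
# fields to feature names is an assumption for illustration.

def pod_required_features(pod: dict) -> set[str]:
    """Infer which node-declared features this Pod depends on (assumed mapping)."""
    spec = pod.get("spec", {})
    needed = set()
    if spec.get("hostUsers") is False:          # user namespaces requested
        needed.add("UserNamespaces")
    for c in spec.get("containers", []):
        if c.get("resizePolicy"):               # in-place resize policy set
            needed.add("InPlacePodVerticalScaling")
    return needed

def node_declared_features(node: dict) -> set[str]:
    """Read the feature names from .status.declaredFeatures of a Node object."""
    return {f["name"] for f in node.get("status", {}).get("declaredFeatures", [])}

def feasible_nodes(pod: dict, nodes: list[dict]) -> list[str]:
    """Return names of nodes that declare every feature the Pod needs."""
    needed = pod_required_features(pod)
    return [n["metadata"]["name"] for n in nodes if needed <= node_declared_features(n)]

# Constructed sample objects: one up-to-date node, one lagging node.
NODES = [
    {"metadata": {"name": "node-1"},
     "status": {"declaredFeatures": [{"name": "UserNamespaces", "version": "1.35"},
                                     {"name": "InPlacePodVerticalScaling", "version": "1.35"}]}},
    {"metadata": {"name": "node-old"},        # older kubelet: declares nothing
     "status": {}},
]
USERNS_POD = {"metadata": {"name": "sandboxed"},
              "spec": {"hostUsers": False, "containers": [{"name": "app"}]}}
PLAIN_POD = {"metadata": {"name": "plain"}, "spec": {"containers": [{"name": "app"}]}}

if __name__ == "__main__":
    print(feasible_nodes(USERNS_POD, NODES))  # ['node-1']
    print(feasible_nodes(PLAIN_POD, NODES))   # ['node-1', 'node-old']
```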
4. Traffic Distribution: PreferSameNode (STABLE)
KEP: KEP-3015: PreferSameNode Traffic Distribution
Impact: Explicit control over traffic routing
The trafficDistribution field gets clearer semantics:
- PreferSameNode: Route to local endpoints first (new in 1.35)
- PreferSameZone: Route within availability zone (renamed from PreferClose)
Use Case: Latency-sensitive microservices requiring node-local communication.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: redis-cache
spec:
  trafficDistribution: PreferSameNode # New option!
  selector:
    app: redis
```
Backward Compatibility: PreferClose still works but PreferSameZone is the new standard.
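The following is an added example (not kube-proxy code) showing how an endpoint selector honours the three trafficDistribution values described above: PreferSameNode tries the client's node, then its zone, then the whole cluster, while PreferSameZone and its legacy alias PreferClose try the zone and then the cluster. The endpoint records and client placement are constructed sample data.

```python
# Added example (not Kubernetes source): endpoint selection for
# Service.spec.trafficDistribution. Falls back to the next wider scope
# when the preferred scope has no endpoints, so traffic is never dropped.

from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    ip: str
    node: str
    zone: str

def select_endpoints(policy, endpoints, client_node, client_zone):
    """Return the endpoints a proxy would consider for the given policy.

    PreferSameNode: same node first, then same zone, then everything.
    PreferSameZone / PreferClose (legacy alias): same zone, then everything.
    Any other value (including None): all endpoints.
    """
    same_node = [e for e in endpoints if e.node == client_node]
    same_zone = [e for e in endpoints if e.zone == client_zone]
    if policy == "PreferSameNode":
        return same_node or same_zone or list(endpoints)
    if policy in ("PreferSameZone", "PreferClose"):
        return same_zone or list(endpoints)
    return list(endpoints)

# Constructed sample: redis-cache endpoints spread over two zones.
ENDPOINTS = [
    Endpoint("10.0.1.5", "node-a", "zone-1"),
    Endpoint("10.0.1.9", "node-b", "zone-1"),
    Endpoint("10.0.2.7", "node-c", "zone-2"),
]

if __name__ == "__main__":
    for policy in ("PreferSameNode", "PreferSameZone", "PreferClose", None):
        chosen = select_endpoints(policy, ENDPOINTS, "node-a", "zone-1")
        print(policy, [e.ip for e in chosen])
```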
5. Job API managedBy Field (STABLE)
KEP: KEP-4368: Job Managed By Mechanism
Impact: Clean delegation for multi-cluster job orchestration
Allows external controllers (like Kueue’s MultiKueue) to handle Job status synchronization across clusters.
How It Works:
- Management cluster creates Job
- Worker cluster mirrors and executes Job
- Status updates propagate back
- Built-in Job controller doesn’t interfere (delegated via managedBy)
Example:
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ml-training-job
spec:
  managedBy: "kueue.x-k8s.io/multikueue" # External controller
  template:
    spec:
      containers:
      - name: trainer
        image: ml-trainer:v2
```
6. Ensure Secret Pulled Images (BETA)
KEP: KEP-2535
Impact: Multi-tenancy security for cached container images
Prevents unauthorized access to cached private images in shared clusters. Kubelet now verifies credentials even with imagePullPolicy: IfNotPresent.
How It Works:
- Tenant A pulls private image using Secret credentials
- Image cached on node with access record
- Tenant B creates Pod with same image but NO credentials
- Kubelet checks image access records (persisted to disk)
- Kubelet verifies Pod credentials against cached image
- Access DENIED → Pod stuck in ImagePullBackOff
Feature Gate: KubeletEnsureSecretPulledImages=true (enabled by default)
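To show the decision the steps above describe, here is an added example (not kubelet code) that models the image access records and the admission decision for one container image. The record format (a set of credential digests per image) and the sample pull secrets are constructed assumptions; the real kubelet's on-disk format differs.

```python
# Added example (not kubelet code): model of the KubeletEnsureSecretPulledImages
# check. An image pulled with credentials may only be reused from the node
# cache by a Pod presenting credentials that previously pulled that image;
# an image pulled anonymously is treated as public.
from __future__ import annotations
import hashlib
import json

def credential_hash(pull_secret: dict | None) -> str | None:
    """Stable digest of a pull secret's contents (None when the Pod has none)."""
    if pull_secret is None:
        return None
    return hashlib.sha256(json.dumps(pull_secret, sort_keys=True).encode()).hexdigest()

class ImageAccessRecords:
    """In-memory stand-in for the kubelet's persisted image access records."""
    def __init__(self):
        self._records = {}   # image ref -> set of credential hashes that pulled it

    def record_pull(self, image: str, pull_secret: dict | None) -> None:
        self._records.setdefault(image, set()).add(credential_hash(pull_secret))

    def is_cached(self, image: str) -> bool:
        return image in self._records

    def can_use_cached(self, image: str, pull_secret: dict | None) -> bool:
        hashes = self._records.get(image, set())
        return None in hashes or credential_hash(pull_secret) in hashes

def admit_image(records, image, pull_policy, pull_secret):
    """Decide 'use-cache', 'pull' or 'deny' for one container image."""
    if pull_policy == "Always" or not records.is_cached(image):
        return "pull"            # the registry re-authenticates a fresh pull
    if records.can_use_cached(image, pull_secret):
        return "use-cache"
    return "deny"                # surfaces as ImagePullBackOff on the Pod

# Constructed scenario: tenant A pulled a private image; a public image is cached too.
RECORDS = ImageAccessRecords()
PRIVATE_IMAGE = "registry.example/team-a/model:1"
TENANT_A_SECRET = {"auths": {"registry.example": {"auth": "dGVuYW50LWE6cGFzcw=="}}}
RECORDS.record_pull(PRIVATE_IMAGE, TENANT_A_SECRET)
RECORDS.record_pull("docker.io/library/nginx:1.27", None)

if __name__ == "__main__":
    print(admit_image(RECORDS, PRIVATE_IMAGE, "IfNotPresent", TENANT_A_SECRET))  # use-cache
    print(admit_image(RECORDS, PRIVATE_IMAGE, "IfNotPresent", None))             # deny
```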
7. Transition from SPDY to WebSockets
KEP: KEP-4006
Impact: Modern streaming protocol replacing deprecated SPDY
Replaces SPDY/3.1 with WebSockets (RFC 6455) for kubectl exec, kubectl attach, and kubectl port-forward. Improves security and long-term maintainability.
How It Works:
- User runs kubectl exec -it pod-name -- /bin/bash
- kubectl sends an HTTP Upgrade request with Upgrade: websocket
- API server validates and establishes the WebSocket connection
- Bidirectional streaming over WebSocket (stdin/stdout/stderr)
- Automatic fallback to SPDY for older clusters
- Synthetic RBAC create check enforced
Feature Gates: TranslateStreamCloseWebsocketRequests=true, PortForwardWebsockets=true (enabled by default)
Deprecations and Removals: Spring Cleaning
Kubernetes 1.35 removes technical debt to enable future innovation:
❌ IPVS Proxy Mode Deprecated
Migration Target: nftables-based kube-proxy
Timeline: Deprecation in 1.35, removal likely in 1.37+
Reason: IPVS (IP Virtual Server) is being replaced by nftables, the modern Linux packet filtering framework offering:
- Better performance
- Unified interface for filtering, NAT, and load balancing
- Active kernel development
Action Required: Test service mesh and network policies with nftables mode before migration deadline.
❌ cgroups v1 Support Deprecated
Migration Target: cgroups v2
Impact: Required for in-place Pod resource updates
Most modern distributions (RHEL 9+, Ubuntu 22.04+) use cgroups v2 by default. Older environments need OS upgrades.
Who Should Care About Kubernetes 1.35?
🎯 Platform Engineers
- In-place resource updates eliminate maintenance windows
- Node declared features prevent scheduling failures
- Traffic distribution provides fine-grained control
🎯 ML/AI Teams
- Dynamic vertical scaling for training jobs
- Gang scheduling (alpha) for distributed workloads (KEP-4671)
- Resource flexibility without restarts
🎯 Security Teams
- Pod certificates enable zero-trust architectures
- Constrained impersonation (alpha) prevents node spoofing (KEP-5284)
- Native mTLS without external certificate management
🎯 Edge Computing
- In-place updates for constrained environments
- OCI artifact volumes for read-only data (KEP-4639)
- Resource efficiency improvements
Upgrade Considerations
Pre-Upgrade Checklist
- Review official deprecations
- Verify cgroups v2 availability on nodes
- Test nftables kube-proxy mode in staging
- Check feature gates for beta features you want to enable
- Review version skew policy
Recommended Upgrade Path
1.33 → 1.34 → 1.35
Do not skip versions to maintain supportability.
Testing Strategy
- Upgrade one control plane node
- Verify API server health
- Upgrade remaining control plane nodes
- Drain and upgrade worker nodes (rolling update)
- Validate workload behavior
Table 1: Top 5 Production-Critical Stable Features
| Feature | Short Explanation | KEP Link |
|---|---|---|
| In-Place Pod Resource Updates | Adjust CPU/memory without Pod restarts. Zero-downtime vertical scaling for AI/ML and stateful workloads. | KEP-1287 |
| Pod Metadata Generation | .metadata.generation field enables reliable change tracking. Controllers can verify kubelet processed updates. | KEP-5067 |
| Traffic Distribution: PreferSameNode | Explicit node-local traffic routing. PreferSameZone replaces ambiguous PreferClose. | KEP-3015 |
| Job API managedBy Field | External controllers (Kueue MultiKueue) can manage Job status. Enables multi-cluster job orchestration. | KEP-4368 |
| Configurable NUMA Node Limit | Topology Manager now supports 16+ NUMA nodes. Critical for modern high-end servers (AMD EPYC, Intel Xeon). | KEP-4622 |
Table 2: Complete List of 17 Stable (GA) Features in Kubernetes 1.35
| # | Feature Name | Short Explanation | KEP Link | SIG Owner |
|---|---|---|---|---|
| 1 | In-Place Pod Resource Updates | Modify CPU/memory requests/limits without recreating Pods. Requires cgroups v2. | KEP-1287 | SIG Node |
| 2 | Pod Metadata Generation | Pods now have .metadata.generation and .status.observedGeneration for reliable change tracking. | KEP-5067 | SIG Node |
| 3 | PreferSameNode Traffic Distribution | New Service traffic routing option for strict node-local endpoint preference. | KEP-3015 | SIG Network |
| 4 | PreferSameZone Traffic Distribution | Renamed from PreferClose for explicit zone-level routing semantics. | KEP-3015 | SIG Network |
| 5 | Job ManagedBy Mechanism | spec.managedBy field allows external controllers to own Job status synchronization. | KEP-4368 | SIG Apps |
| 6 | Topology Manager NUMA Node Limit | Configurable maxAllowableNUMANodes option (previously hard-coded to 8). | KEP-4622 | SIG Node |
| 7 | StatefulSet MaxUnavailable | rollingUpdate.maxUnavailable enables parallel Pod updates in StatefulSets. | KEP-961 | SIG Apps |
| 8 | PersistentVolume Last Phase Transition Time | .status.lastPhaseTransitionTime tracks when PV phase last changed. | KEP-3762 | SIG Storage |
| 9 | CSI Node Expansion Secret Support | CSI drivers can use Secrets during node-side volume expansion. | KEP-3107 | SIG Storage |
| 10 | Bound Service Account Token Volume | Service account tokens projected as volumes with configurable expiration. | KEP-1205 | SIG Auth |
| 11 | Pod Deletion Cost | controller.kubernetes.io/pod-deletion-cost annotation influences ReplicaSet scale-down priority. | KEP-2255 | SIG Apps |
| 12 | Non-Graceful Node Shutdown | Pods from shutdown nodes are force-deleted to enable rescheduling. | KEP-2268 | SIG Storage |
| 13 | Kubelet Credential Providers | External credential provider plugins for image pull authentication. | KEP-2133 | SIG Node |
| 14 | CPUManager Static Policy | CPU pinning for guaranteed QoS Pods with exclusive CPU allocation. | KEP-3570 | SIG Node |
| 15 | Device Manager | Framework for advertising and allocating node devices (GPUs, FPGAs, etc.). | KEP-3573 | SIG Node |
| 16 | Windows HostProcess Containers | Run privileged containers on Windows nodes for infrastructure workloads. | KEP-1981 | SIG Windows |
| 17 | Efficient SELinux Relabeling | Parallel SELinux volume relabeling using mount options instead of recursive chcon. | KEP-1710 | SIG Storage |
Table 3: Notable Beta Features in Kubernetes 1.35
| Feature Name | Short Explanation | KEP Link | SIG Owner |
|---|---|---|---|
| Ensure Secret Pulled Images | Multi-tenancy image access control. Verifies credentials even with IfNotPresent policy to prevent unauthorized access to cached images. | KEP-2535 | SIG Node, SIG Auth |
| WebSockets for Streaming | Replaces deprecated SPDY with modern WebSockets for kubectl exec, attach, and port-forward. Includes improved RBAC enforcement. | KEP-4006 | SIG API Machinery, SIG CLI |
| Pod Certificates | Native workload identity with automatic certificate generation and rotation by kubelet. Eliminates dependencies on external cert managers. | KEP-4317 | SIG Auth |
| Node Topology Downward API | Expose node topology labels (region, zone) directly to Pods via Downward API without API server queries. | KEP-4742 | SIG Node |
| Storage Version Migration | Native controller for automated storage version migration and re-encryption. No manual kubectl loops required. | KEP-4192 | SIG API Machinery |
| Mutable CSI Node Allocatable | Dynamic updates to CSI volume attachment capacity. Prevents pods from being scheduled to nodes with insufficient slots. | KEP-4876 | SIG Storage |
| Opportunistic Batch Scheduling | Batch scheduling for pods with identical signatures. Dramatically reduces scheduler overhead for large deployments. | KEP-5598 | SIG Scheduling |
Resources and Links
Official Documentation
- Kubernetes v1.35 Release Announcement
- Kubernetes 1.35 CHANGELOG
- Kubernetes Enhancement Proposals (KEPs)
Key KEPs Referenced
- KEP-1287: In-Place Update of Pod Resources (Stable)
- KEP-4317: Pod Certificates (Beta)
- KEP-5328: Node Declared Features (Alpha)
- KEP-3015: Traffic Distribution (Stable)
- KEP-4368: Job Managed By (Stable)
Community
Conclusion
Kubernetes 1.35 "Timbernetes" delivers on production-grade, zero-downtime operations while advancing AI/ML and edge computing capabilities. The graduation of in-place Pod resource updates alone justifies the upgrade for many production environments.
As the project matures, we see a shift from adding features to stabilizing existing capabilities and removing technical debt. The deprecation of IPVS and cgroups v1 reflects this maturity—Kubernetes is confident enough to prune old branches to strengthen the trunk.
