Kubernetes 1.36 GA: 18 Features Graduate to Stable in April 2026 Release

Kubernetes v1.36 is here—and it is the first major release of 2026, packing 80 tracked enhancements including 18 features graduating to stable, 18 moving to beta, and 26 new alpha experiments. With a release date of April 22, 2026, this version brings significant security, storage, and operational improvements that platform engineers have been waiting years for.

User Namespaces Support Reaches GA

Four years after its alpha debut in Kubernetes v1.25, user namespaces support for pods is finally production-ready. This feature gives each pod its own isolated user ID namespace, meaning a process that appears as root (UID 0) inside a container is actually mapped to an unprivileged user on the host. The security implications are substantial: even if a container escape occurs, the attacker gains minimal privileges on the underlying node.
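The mapping described above can be read from /proc/<pid>/uid_map on the node. The following Go sketch is an added example, not code from the Kubernetes project: it parses that file format and translates a container UID to the host UID. The two map strings are constructed samples, and the host-side base ID is an assumed value.

```go
package main

import (
	"fmt"
	"strings"
)

// idRange is one line of /proc/<pid>/uid_map: IDs [Inside, Inside+Length)
// inside the namespace map to [Outside, Outside+Length) outside it.
type idRange struct{ Inside, Outside, Length uint32 }

// parseIDMap parses the text of a uid_map or gid_map file.
func parseIDMap(text string) ([]idRange, error) {
	var ranges []idRange
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var r idRange
		if _, err := fmt.Sscan(line, &r.Inside, &r.Outside, &r.Length); err != nil {
			return nil, fmt.Errorf("bad map line %q: %w", line, err)
		}
		ranges = append(ranges, r)
	}
	return ranges, nil
}

// hostID translates an ID seen inside the pod; ok is false if it is unmapped.
func hostID(ranges []idRange, inside uint32) (host uint32, ok bool) {
	for _, r := range ranges {
		if inside >= r.Inside && inside-r.Inside < r.Length {
			return r.Outside + (inside - r.Inside), true
		}
	}
	return 0, false
}

// Constructed samples: shared host user namespace vs. a hostUsers: false pod.
const sharedMap = "         0          0 4294967295\n"
const isolatedMap = "         0 1378549760      65536\n"

func main() {
	for _, m := range []string{sharedMap, isolatedMap} {
		ranges, err := parseIDMap(m)
		if err != nil {
			panic(err)
		}
		host, ok := hostID(ranges, 0)
		fmt.Printf("container UID 0 -> host UID %d (mapped: %v)\n", host, ok)
	}
}
```

With the identity map, container root is host root; with the isolated map, container root is an unprivileged host UID and IDs past the range have no host identity at all.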

Before v1.36, achieving true rootless containers required third-party tools like gVisor or Kata Containers. Now it is native Kubernetes. Enable it with hostUsers: false in your pod spec:

apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  hostUsers: false   # run the pod in its own user namespace
  containers:
  - name: app
    image: my-app
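To find workloads that have not yet opted in, the Go sketch below audits the output of kubectl get pods -A -o json for the hostUsers field. It is an added example, not part of the release or of kubectl: the function name, finding strings and sample pods are constructed. It also flags pods that use hostNetwork, hostPID or hostIPC, which the API does not accept together with hostUsers: false.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// podList keeps only the fields this check reads from `kubectl get pods -A -o json`.
type podList struct {
	Items []struct {
		Metadata struct{ Namespace, Name string }
		Spec     struct {
			HostUsers                     *bool // nil means the default (true)
			HostNetwork, HostPID, HostIPC bool
		}
	}
}

// auditHostUsers maps "namespace/name" to a finding for each pod sharing the host user namespace.
func auditHostUsers(raw []byte) (map[string]string, error) {
	var list podList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	findings := map[string]string{}
	for _, p := range list.Items {
		s := p.Spec
		if s.HostUsers != nil && !*s.HostUsers {
			continue // already isolated in its own user namespace
		}
		finding := "candidate: set hostUsers: false"
		if s.HostNetwork || s.HostPID || s.HostIPC {
			finding = "blocked: drop hostNetwork/hostPID/hostIPC first" // rejected with hostUsers: false
		}
		findings[p.Metadata.Namespace+"/"+p.Metadata.Name] = finding
	}
	return findings, nil
}

// Constructed sample input, trimmed to the fields used above.
const samplePods = `{"items":[
 {"metadata":{"namespace":"shop","name":"api"},"spec":{"hostUsers":false}},
 {"metadata":{"namespace":"shop","name":"worker"},"spec":{}},
 {"metadata":{"namespace":"kube-system","name":"cni"},"spec":{"hostNetwork":true}}]}`

func main() {
	findings, err := auditHostUsers([]byte(samplePods))
	fmt.Println(findings, err)
}
```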

Mutating Admission Policies Go Stable

Remember the complexity of maintaining mutating admission webhooks? The TLS certificates, the latency concerns, the failure modes that could block your entire API server? Mutating Admission Policies bring CEL-based mutation directly into Kubernetes objects—no external server required.

Platform teams can now define mutations as version-controlled Kubernetes objects using GitOps workflows, eliminating webhook server dependencies entirely. This follows the same pattern that made Validating Admission Policies popular for validation, now extended to mutations.

OCI VolumeSource Hits Stable

Getting non-code artifacts into containers used to be awkward: expand the main image, write init containers to pull things down, or fight with ConfigMap size limits. The OCI VolumeSource feature, graduating from alpha in v1.31 to stable in v1.36, lets you reference any OCI image as a volume.

Kubernetes pulls the image and mounts its contents into the pod just like pulling a container image—but used as a volume. This enables packaging model weights, config files, datasets, or binary tools as standalone OCI artifacts and distributing them through your normal image registry, completely independent of your application image.

External Signing of ServiceAccount Tokens

For organizations with strict compliance requirements around key custody, this is a game-changer. Kubernetes now supports delegating ServiceAccount token signing to external systems—cloud KMS, HSM, or centralized signing services. Short-lived tokens get signed by keys that live in your existing key management infrastructure, under your existing audit and rotation policies.

This hits GA in v1.36, making it the path to Kubernetes-native token signing that fits compliance frameworks like PCI-DSS, FedRAMP, and SOC 2.

DRA Integration Deepens

Dynamic Resource Allocation (DRA) continues its march toward mainstream adoption. The KubeletPodResources API now exposes DRA resource allocations, allowing monitoring tools, billing systems, and operators to reliably query per-pod GPU and accelerator assignments without worrying about API instability.

Additionally, DRA support for partitionable devices moves to beta (enabled by default). Modern GPUs like the NVIDIA A100 can now be divided and allocated at the hardware level through Kubernetes-native abstractions—a significant win for AI/ML workloads running on shared infrastructure.

Accelerated SELinux Label Changes

If you have ever watched pod startup times spike on SELinux-enabled nodes (common in RHEL and Rocky Linux environments), this one is for you. Instead of relabeling files one by one on large volumes—a process that could take minutes with millions of files—Kubernetes now uses SELinux mount options to apply the correct label to the entire volume at mount time.

This feature, in beta since v1.27, finally reaches stable. For teams that have struggled with slow pod startup on SELinux nodes, this upgrade largely eliminates the problem.

HPA Scale to Zero Goes Beta

Here is a feature that has been waiting in the wings since 2019. The Horizontal Pod Autoscaler can now scale deployments to zero replicas when there is no workload, and back up when demand returns. While you still need an external metric source like KEDA to tell Kubernetes when to scale back up from zero, the feature gate is now enabled by default.

Staging environments, test clusters, and batch workloads with predictable idle windows can now scale to zero without any extra configuration—bringing real cost savings to organizations running Kubernetes at scale.

New Alpha Features Worth Watching

Beyond the stable and beta features, Kubernetes 1.36 introduces 26 new alpha experiments. Standouts include device attributes in the Downward API for DRA (enabling workloads to read GPU metadata without querying the Kubernetes API), a new kubelet gRPC API for local pod information (reducing control plane load and improving reliability on disconnected nodes), CRI list streaming for garbage collection on busy nodes, and resource availability visibility for DRA pools.

These alpha features point toward a future where Kubernetes clusters handle AI/ML workloads more efficiently, scale to larger node counts more gracefully, and provide better observability into resource allocation.

The Bottom Line

Kubernetes 1.36 is a security and operational maturity release. User namespaces, external token signing, and accelerated SELinux operations address long-standing enterprise concerns. OCI VolumeSource and deeper DRA integration make the platform more suitable for AI/ML and specialized hardware workloads. Meanwhile, HPA scale-to-zero, now in beta and enabled by default, and stable mutating admission policies reduce operational complexity for platform teams.

If your platform engineering team has been waiting for user namespaces to hit GA—or if you are still running mutating webhooks for simple default injection—this is the release that justifies your upgrade planning.